From d18afb5bf29dc3b81b5f7a9eda2abde35041a441 Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Tue, 15 Nov 2016 18:54:28 -0500
Subject: Check return value of some BN functions.
Factorise multiple bn_get_top(group->field) calls Add missing checks on some conditional BN_copy return value Add missing checks on some BN_copy return value Add missing checks on a few bn_wexpand return value
Reviewed-by: Richard Levitte
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1626)
(cherry picked from commit 78e09b53a40729f5e99829ccc733b592bd22fea1)
---
 crypto/ec/ec2_mult.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
(limited to 'crypto/ec')
diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
index d253eba51b..e4a1ec5737 100644
--- a/crypto/ec/ec2_mult.c
+++ b/crypto/ec/ec2_mult.c
@@ -223,7 +223,7 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
 BN_CTX *ctx)
 {
 BIGNUM *x1, *x2, *z1, *z2;
- int ret = 0, i;
+ int ret = 0, i, group_top;
 BN_ULONG mask, word;
 if (r == point) {
@@ -253,10 +253,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
 x2 = r->X;
 z2 = r->Y;
- bn_wexpand(x1, bn_get_top(group->field));
- bn_wexpand(z1, bn_get_top(group->field));
- bn_wexpand(x2, bn_get_top(group->field));
- bn_wexpand(z2, bn_get_top(group->field));
+ group_top = bn_get_top(group->field);
+ if (bn_wexpand(x1, group_top) == NULL
+ || bn_wexpand(z1, group_top) == NULL
+ || bn_wexpand(x2, group_top) == NULL
+ || bn_wexpand(z2, group_top) == NULL)
+ goto err;
 if (!BN_GF2m_mod_arr(x1, point->X, group->poly))
 goto err; /* x1 = x */
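Review bot: The new `goto err` guard on the four `bn_wexpand` calls carries no comment saying why a failed expansion must abort rather than be ignored, which is the security-relevant part of this hunk. The ladder loop further down (third hunk) passes `group_top` as the word count to `BN_consttime_swap` for x1/x2 and z1/z2, so presumably each operand must already have at least that many words allocated, and an unchecked allocation failure would leave the swap working past a shorter buffer. I would put this above the check: `/* BN_consttime_swap() in the ladder touches group_top words of each operand; fail if any cannot be expanded */`. The function body begins before and continues after this hunk, so the `err` cleanup path is not visible here.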
@@ -285,14 +287,14 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
 for (; i >= 0; i--) {
 word = bn_get_words(scalar)[i];
 while (mask) {
- BN_consttime_swap(word & mask, x1, x2, bn_get_top(group->field));
- BN_consttime_swap(word & mask, z1, z2, bn_get_top(group->field));
+ BN_consttime_swap(word & mask, x1, x2, group_top);
+ BN_consttime_swap(word & mask, z1, z2, group_top);
 if (!gf2m_Madd(group, point->X, x2, z2, x1, z1, ctx))
 goto err;
 if (!gf2m_Mdouble(group, x1, z1, ctx))
 goto err;
- BN_consttime_swap(word & mask, x1, x2, bn_get_top(group->field));
- BN_consttime_swap(word & mask, z1, z2, bn_get_top(group->field));
+ BN_consttime_swap(word & mask, x1, x2, group_top);
+ BN_consttime_swap(word & mask, z1, z2, group_top);
 mask >>= 1;
 }
 mask = BN_TBIT;
-- cgit v1.2.3