Check return value of some BN functions.

Factorise multiple bn_get_top(group->field) calls
Add missing checks on some conditional BN_copy return value
Add missing checks on some BN_copy return value
Add missing checks on a few bn_wexpand return value

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1626)

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 61ab56d0df6ce5bd509c18edc23e3ae41a581d4d..feeb7649a5dc5af3ebf665710805637dc9329867 100644 (file)
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -78,8 +78,9 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 goto err;
         }
     }
-    if (r != rr)
-        BN_copy(r, rr);
+    if (r != rr && BN_copy(r, rr) == NULL)
+        goto err;
+
     ret = 1;
  err:
     BN_CTX_end(ctx);

diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c
index 1ff8efe39ca96d3be60646710f12a17bc87a049f..4c39d404b5b03d0b22dfd2015a9cfb07b5166399 100644 (file)
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -970,8 +970,9 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
  end:
 #endif
     bn_correct_top(rr);
-    if (r != rr)
-        BN_copy(r, rr);
+    if (r != rr && BN_copy(r, rr) == NULL)
+        goto err;
+
     ret = 1;
  err:
     bn_check_top(r);

diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 51969583e7d91b2a2215097bd4d62c2301f16cc1..7103acfe0bace910ebacc3f7501151c756ba9002 100644 (file)
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -240,7 +240,8 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         BIGNUM *t;
         if ((t = BN_CTX_get(ctx)) == NULL)
             goto err;
-        BN_copy(t, a);
+        if (BN_copy(t, a) == NULL)
+            goto err;
         t->neg = 0;
         A = t;
     } else

diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c
index a62bb1a584805d25e72a4fcb3dc2feb3157e6712..44e7332acf1a9bcbabd057faf3d2892ca10c1a96 100644 (file)
--- a/crypto/bn/bn_sqr.c
+++ b/crypto/bn/bn_sqr.c
@@ -90,8 +90,9 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
         rr->top = max - 1;
     else
         rr->top = max;
-    if (rr != r)
-        BN_copy(r, rr);
+    if (r != rr && BN_copy(r, rr) == NULL)
+        goto err;
+
     ret = 1;
  err:
     bn_check_top(rr);

diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
index d253eba51b5a16d34a1e68a4e669951a219b3abf..e4a1ec5737ff63e872b4926e6289f325cc1f18bc 100644 (file)
--- a/crypto/ec/ec2_mult.c
+++ b/crypto/ec/ec2_mult.c
@@ -223,7 +223,7 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
                                              BN_CTX *ctx)
 {
     BIGNUM *x1, *x2, *z1, *z2;
-    int ret = 0, i;
+    int ret = 0, i, group_top;
     BN_ULONG mask, word;
 
     if (r == point) {
@@ -253,10 +253,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
     x2 = r->X;
     z2 = r->Y;
 
-    bn_wexpand(x1, bn_get_top(group->field));
-    bn_wexpand(z1, bn_get_top(group->field));
-    bn_wexpand(x2, bn_get_top(group->field));
-    bn_wexpand(z2, bn_get_top(group->field));
+    group_top = bn_get_top(group->field);
+    if (bn_wexpand(x1, group_top) == NULL
+        || bn_wexpand(z1, group_top) == NULL
+        || bn_wexpand(x2, group_top) == NULL
+        || bn_wexpand(z2, group_top) == NULL)
+        goto err;
 
     if (!BN_GF2m_mod_arr(x1, point->X, group->poly))
         goto err;               /* x1 = x */
@@ -285,14 +287,14 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
     for (; i >= 0; i--) {
         word = bn_get_words(scalar)[i];
         while (mask) {
-            BN_consttime_swap(word & mask, x1, x2, bn_get_top(group->field));
-            BN_consttime_swap(word & mask, z1, z2, bn_get_top(group->field));
+            BN_consttime_swap(word & mask, x1, x2, group_top);
+            BN_consttime_swap(word & mask, z1, z2, group_top);
             if (!gf2m_Madd(group, point->X, x2, z2, x1, z1, ctx))
                 goto err;
             if (!gf2m_Mdouble(group, x1, z1, ctx))
                 goto err;
-            BN_consttime_swap(word & mask, x1, x2, bn_get_top(group->field));
-            BN_consttime_swap(word & mask, z1, z2, bn_get_top(group->field));
+            BN_consttime_swap(word & mask, x1, x2, group_top);
+            BN_consttime_swap(word & mask, z1, z2, group_top);
             mask >>= 1;
         }
         mask = BN_TBIT;

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 5c6b6192e6ac11c0dd806134f6f354a78b9f55e4..0d1d56bfe75fae77ef76c66f6f24d5627663e9c9 100644 (file)
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -75,7 +75,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
     if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
         goto err;
 
-    BN_copy(rsa->e, e_value);
+    if (BN_copy(rsa->e, e_value) == NULL)
+        goto err;
 
     /* generate p and q */
     for (;;) {