Add error handling to the remaining calls to bn_wexpand().

Noticed by pascal-cuoq from Github: https://github.com/libressl-portable/openbsd/issues/56 ok beck@
author: bcook <> 2016-03-12 21:44:11 +0000
committer: bcook <> 2016-03-12 21:44:11 +0000
commit: 84ad4abc945651758ccaec50eaeafff9ffe582ee (patch)
tree: c202c7ef43ff015fb66c468e4c977405d5d0cc88 /src
parent: d692c27f466b0683d4f7dd5f72058e64e04f0cd4 (diff)
download: openbsd-84ad4abc945651758ccaec50eaeafff9ffe582ee.tar.gz
openbsd-84ad4abc945651758ccaec50eaeafff9ffe582ee.tar.bz2
openbsd-84ad4abc945651758ccaec50eaeafff9ffe582ee.zip
4 files changed, 46 insertions, 32 deletions
diff --git a/src/lib/libcrypto/bn/bn_gf2m.c b/src/lib/libcrypto/bn/bn_gf2m.c
index 40c1a94220..d83ae291ec 100644
--- a/src/lib/libcrypto/bn/bn_gf2m.c
+++ b/src/lib/libcrypto/bn/bn_gf2m.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gf2m.c,v 1.20 2015/06/11 15:55:28 jsing Exp $ */
+/* $OpenBSD: bn_gf2m.c,v 1.21 2016/03/12 21:44:11 bcook Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -702,18 +702,21 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                top = p->top;
                BN_ULONG *udp, *bdp, *vdp, *cdp;
-                bn_wexpand(u, top);
+                if (!bn_wexpand(u, top))
+                        goto err;
                udp = u->d;
                for (i = u->top; i < top; i++)
                        udp[i] = 0;
                u->top = top;
-                bn_wexpand(b, top);
+                if (!bn_wexpand(b, top))
+                        goto err;
                bdp = b->d;
                bdp[0] = 1;
                for (i = 1; i < top; i++)
                        bdp[i] = 0;
                b->top = top;
-                bn_wexpand(c, top);
+                if (!bn_wexpand(c, top))
+                        goto err;
                cdp = c->d;
                for (i = 0; i < top; i++)
                        cdp[i] = 0;
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
index 8f0091efe1..3812611702 100644
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.7 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.8 2016/03/12 21:44:11 bcook Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -83,7 +83,7 @@
 *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 * modified to not require precomputation of c=b^{2^{m-1}}.
 */
-static int 
+static int
 gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
 {
        BIGNUM *t1;
@@ -122,7 +122,7 @@ err:
 *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over
 *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 */
-static int 
+static int
 gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
    const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
 {
@@ -169,7 +169,7 @@ err:
 *     1 if return value should be the point at infinity
 *     2 otherwise
 */
-static int 
+static int
 gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
    BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
 {
@@ -258,7 +258,7 @@ err:
 * To protect against side-channel attack the function uses constant time swap,
 * avoiding conditional branches.
 */
-static int 
+static int
 ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
    const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
 {
@@ -289,10 +289,14 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
        x2 = &r->X;
        z2 = &r->Y;
-        bn_wexpand(x1, group->field.top);
+        if (!bn_wexpand(x1, group->field.top))
-        bn_wexpand(z1, group->field.top);
+                goto err;
-        bn_wexpand(x2, group->field.top);
+        if (!bn_wexpand(z1, group->field.top))
-        bn_wexpand(z2, group->field.top);
+                goto err;
+        if (!bn_wexpand(x2, group->field.top))
+                goto err;
+        if (!bn_wexpand(z2, group->field.top))
+                goto err;
        if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
                goto err;       /* x1 = x */
@@ -362,7 +366,7 @@ err:
 *     scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
 * gracefully ignoring NULL scalar values.
 */
-int 
+int
 ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
    size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
 {
@@ -431,13 +435,13 @@ err:
 /* Precomputation for point multiplication: fall back to wNAF methods
 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
-int 
+int
 ec_GF2m_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 {
        return ec_wNAF_precompute_mult(group, ctx);
 }
-int 
+int
 ec_GF2m_have_precompute_mult(const EC_GROUP * group)
 {
        return ec_wNAF_have_precompute_mult(group);
diff --git a/src/lib/libssl/src/crypto/bn/bn_gf2m.c b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
index 40c1a94220..d83ae291ec 100644
--- a/src/lib/libssl/src/crypto/bn/bn_gf2m.c
+++ b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gf2m.c,v 1.20 2015/06/11 15:55:28 jsing Exp $ */
+/* $OpenBSD: bn_gf2m.c,v 1.21 2016/03/12 21:44:11 bcook Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -702,18 +702,21 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                top = p->top;
                BN_ULONG *udp, *bdp, *vdp, *cdp;
-                bn_wexpand(u, top);
+                if (!bn_wexpand(u, top))
+                        goto err;
                udp = u->d;
                for (i = u->top; i < top; i++)
                        udp[i] = 0;
                u->top = top;
-                bn_wexpand(b, top);
+                if (!bn_wexpand(b, top))
+                        goto err;
                bdp = b->d;
                bdp[0] = 1;
                for (i = 1; i < top; i++)
                        bdp[i] = 0;
                b->top = top;
-                bn_wexpand(c, top);
+                if (!bn_wexpand(c, top))
+                        goto err;
                cdp = c->d;
                for (i = 0; i < top; i++)
                        cdp[i] = 0;
diff --git a/src/lib/libssl/src/crypto/ec/ec2_mult.c b/src/lib/libssl/src/crypto/ec/ec2_mult.c
index 8f0091efe1..3812611702 100644
--- a/src/lib/libssl/src/crypto/ec/ec2_mult.c
+++ b/src/lib/libssl/src/crypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.7 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.8 2016/03/12 21:44:11 bcook Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -83,7 +83,7 @@
 *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 * modified to not require precomputation of c=b^{2^{m-1}}.
 */
-static int 
+static int
 gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
 {
        BIGNUM *t1;
@@ -122,7 +122,7 @@ err:
 *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over
 *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 */
-static int 
+static int
 gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
    const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
 {
@@ -169,7 +169,7 @@ err:
 *     1 if return value should be the point at infinity
 *     2 otherwise
 */
-static int 
+static int
 gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
    BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
 {
@@ -258,7 +258,7 @@ err:
 * To protect against side-channel attack the function uses constant time swap,
 * avoiding conditional branches.
 */
-static int 
+static int
 ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
    const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
 {
@@ -289,10 +289,14 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
        x2 = &r->X;
        z2 = &r->Y;
-        bn_wexpand(x1, group->field.top);
+        if (!bn_wexpand(x1, group->field.top))
-        bn_wexpand(z1, group->field.top);
+                goto err;
-        bn_wexpand(x2, group->field.top);
+        if (!bn_wexpand(z1, group->field.top))
-        bn_wexpand(z2, group->field.top);
+                goto err;
+        if (!bn_wexpand(x2, group->field.top))
+                goto err;
+        if (!bn_wexpand(z2, group->field.top))
+                goto err;
        if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
                goto err;       /* x1 = x */
@@ -362,7 +366,7 @@ err:
 *     scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
 * gracefully ignoring NULL scalar values.
 */
-int 
+int
 ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
    size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
 {
@@ -431,13 +435,13 @@ err:
 /* Precomputation for point multiplication: fall back to wNAF methods
 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
-int 
+int
 ec_GF2m_precompute_mult(EC_GROUP * group, BN_CTX * ctx)
 {
        return ec_wNAF_precompute_mult(group, ctx);
 }
-int 
+int
 ec_GF2m_have_precompute_mult(const EC_GROUP * group)
 {
        return ec_wNAF_have_precompute_mult(group);
author	bcook <>	2016-03-12 21:44:11 +0000
committer	bcook <>	2016-03-12 21:44:11 +0000
commit	84ad4abc945651758ccaec50eaeafff9ffe582ee (patch)
tree	c202c7ef43ff015fb66c468e4c977405d5d0cc88 /src
parent	d692c27f466b0683d4f7dd5f72058e64e04f0cd4 (diff)
download	openbsd-84ad4abc945651758ccaec50eaeafff9ffe582ee.tar.gz openbsd-84ad4abc945651758ccaec50eaeafff9ffe582ee.tar.bz2 openbsd-84ad4abc945651758ccaec50eaeafff9ffe582ee.zip