From d4ba6424a18f270cb8ef4fe4fad3fdc789b132d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Thu, 26 Aug 2010 12:10:25 +0000
Subject: [PATCH] ECC library bugfixes.

Submitted by: Emilia Kapser (Google)
---
 CHANGES              |  4 ++++
 crypto/ec/ec2_mult.c | 13 +++++++++----
 crypto/ec/ec_mult.c  |  6 ++++--
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 95d0c375c4..75e49cc5ee 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
 
+  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
+     is also one of the inputs.
+     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
+
   *) Don't repeatedly append PBE algorithms to table if they already exist.
      Sort table on each new add. This effectively makes the table read only
      after all algorithms are added and subsequent calls to PKCS12_pbe_add
diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
index ff368fd7d7..7dca5e4bcd 100644
--- a/crypto/ec/ec2_mult.c
+++ b/crypto/ec/ec2_mult.c
@@ -318,6 +318,7 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	int ret = 0;
 	size_t i;
 	EC_POINT *p=NULL;
+	EC_POINT *acc = NULL;
 
 	if (ctx == NULL)
 		{
@@ -337,15 +338,16 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 		}
 
 	if ((p = EC_POINT_new(group)) == NULL) goto err;
+	if ((acc = EC_POINT_new(group)) == NULL) goto err;
 
-	if (!EC_POINT_set_to_infinity(group, r)) goto err;
+	if (!EC_POINT_set_to_infinity(group, acc)) goto err;
 
 	if (scalar)
 		{
 		if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) goto err;
-		if (BN_is_negative(scalar)) 
+		if (BN_is_negative(scalar))
 			if (!group->meth->invert(group, p, ctx)) goto err;
-		if (!group->meth->add(group, r, r, p, ctx)) goto err;
+		if (!group->meth->add(group, acc, acc, p, ctx)) goto err;
 		}
 
 	for (i = 0; i < num; i++)
@@ -353,13 +355,16 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 		if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) goto err;
 		if (BN_is_negative(scalars[i]))
 			if (!group->meth->invert(group, p, ctx)) goto err;
-		if (!group->meth->add(group, r, r, p, ctx)) goto err;
+		if (!group->meth->add(group, acc, acc, p, ctx)) goto err;
 		}
 
+	if (!EC_POINT_copy(r, acc)) goto err;
+
 	ret = 1;
 
   err:
 	if (p) EC_POINT_free(p);
+	if (acc) EC_POINT_free(acc);
 	if (new_ctx != NULL)
 		BN_CTX_free(new_ctx);
 	return ret;
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 2ba173ef36..ee42269726 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -169,11 +169,13 @@ static void ec_pre_comp_clear_free(void *pre_)
 		EC_POINT **p;
 
 		for (p = pre->points; *p != NULL; p++)
+			{
 			EC_POINT_clear_free(*p);
-		OPENSSL_cleanse(pre->points, sizeof pre->points);
+			OPENSSL_cleanse(p, sizeof *p);
+			}
 		OPENSSL_free(pre->points);
 		}
-	OPENSSL_cleanse(pre, sizeof pre);
+	OPENSSL_cleanse(pre, sizeof *pre);
 	OPENSSL_free(pre);
 	}