More changes coming out of the bignum auditing. BN_CTX_get() should ideally

return a "zero" bignum as BN_new() does - so reset 'top'. During
BN_CTX_end(), released bignums should be consistent so enforce this in
debug builds. Also, reduce the number of wasted BN_clear_free() calls from
BN_CTX_end() (typically by 75% or so).

Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller

crypto/bn/bn_ctx.c

@@ -123,6 +123,7 @@ void BN_CTX_free(BN_CTX *ctx)
 
 	for (i=0; i < BN_CTX_NUM; i++) {
 		bn_check_top(&(ctx->bn[i]));
+		if (ctx->bn[i].d)
 			BN_clear_free(&(ctx->bn[i]));
 	}
 	if (ctx->flags & BN_FLG_MALLOCED)
@@ -154,7 +155,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
 			}
 		return NULL;
 		}
-	bn_check_top(&(ctx->bn[ctx->tos]));
+	/* always return a 'zeroed' bignum */
+	ctx->bn[ctx->tos].top = 0;
 	return (&(ctx->bn[ctx->tos++]));
 	}
 
@@ -170,19 +172,11 @@ void BN_CTX_end(BN_CTX *ctx)
 
 	ctx->too_many = 0;
 	ctx->depth--;
-	/* It appears some "scrapbook" uses of BN_CTX result in BIGNUMs being
-	 * left in an inconsistent state when they are released (eg. BN_div).
-	 * These can trip us up when they get reused, so the safest fix is to
-	 * make sure the BIGNUMs are made sane when the context usage is
-	 * releasing them. */
 	if (ctx->depth < BN_CTX_NUM_POS)
-#if 0
+#ifndef BN_DEBUG
 		ctx->tos = ctx->pos[ctx->depth];
 #else
-		{
 		while(ctx->tos > ctx->pos[ctx->depth])
-			/* This ensures the BIGNUM is sane(r) for reuse. */
+			bn_check_top(&ctx->bn[--(ctx->tos)]);
-			ctx->bn[--(ctx->tos)].top = 0;
-		}
 #endif
 	}