Improve error checking of some |BN_CTX_get| callers.

The documentation for |BN_CTX_get| states: "Once |BN_CTX_get| has
returned NULL, all future calls will also return NULL until
|BN_CTX_end| is called." Some code takes advantage of that guarantee
by only checking the return value of the last call to |BN_CTX_get| in a
series of calls. That is correct and the most efficient way of doing
it. However, that pattern is inconsistent with most of the other uses
of |BN_CTX_get|. Also, static analysis tools like Coverity cannot
understand that pattern. This commit removes the instances of that
pattern that Coverity complained about when scanning *ring*.

Change-Id: Ie36d0223ea1caee460c7979547cf5bfd5fb16f93
Reviewed-on: https://boringssl-review.googlesource.com/5611
Reviewed-by: Adam Langley <agl@google.com>
Brian Smith 2015-08-06 10:42:27 -04:00 committed by Adam Langley
parent 7b5f08edb8
commit f4bbc2a360
4 changed files with 4 additions and 4 deletions


@ -231,7 +231,7 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL) {
if (x == NULL || y == NULL) {
goto err;
}
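Review bot: The widened condition `if (x == NULL || y == NULL)` is redundant under the |BN_CTX_get| guarantee quoted in the commit message, and nothing at the call site says the redundancy is deliberate. A short comment above the `if`, such as `/* Check every BN_CTX_get result so static analysis can follow the NULL checks; the last check alone would suffice. */`, would keep a later cleanup from collapsing it back to the last-call form. The same applies to the checks ending in `Z_3 == NULL`, `X == NULL` and `r3 == NULL` in the other three hunks. The enclosing functions start and end outside these hunks.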


@ -524,7 +524,7 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
Z_1 = BN_CTX_get(ctx);
Z_2 = BN_CTX_get(ctx);
Z_3 = BN_CTX_get(ctx);
if (Z_3 == NULL) {
if (Z == NULL || Z_1 == NULL || Z_2 == NULL || Z_3 == NULL) {
goto err;
}


@ -172,7 +172,7 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
u2 = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (!X) {
if (order == NULL || u1 == NULL || u2 == NULL || m == NULL || X == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
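Review bot: The `goto err` under this check is an allocation-failure exit from a signature verifier, so whatever the function returns from `err` must be the failure result. The hunk shows neither the initialization of the return variable nor the `err` label, so this cannot be confirmed from here. It is worth checking that the return variable is set to the failure value before the first `BN_CTX_get` call and becomes success only after the final comparison, so that an out-of-memory condition can never be reported as a valid signature. A comment at the declaration stating that the default is "invalid" would make that invariant explicit.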


@ -840,7 +840,7 @@ static int keygen_multiprime(RSA *rsa, int bits, int num_primes,
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r3 == NULL) {
if (r0 == NULL || r1 == NULL || r2 == NULL || r3 == NULL) {
goto err;
}