Commit c1ec4db3 authored by Andy Polyakov's avatar Andy Polyakov
Browse files

bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input. 



All exponentiation subroutines but BN_mod_exp_mont_consttime produce
non-negative result for negative input, which is confusing for fuzzer.

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4676)
parent 899e62d1

crypto/bn/bn_exp.c

+27 −25
Original line number Diff line number Diff line
@@ -651,6 +651,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, 
    }



#ifdef RSAZ_ENABLED

    if (!a->neg) {

        /*

         * If the size of the operands allow it, perform the optimized

         * RSAZ exponentiation. For further information see
@@ -677,6 +678,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, 
            ret = 1;

            goto err;

        }

    }

#endif



    /* Get the window size to use with size of p. */
@@ -748,7 +750,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, 


    /* prepare a^1 in Montgomery domain */

    if (a->neg || BN_ucmp(a, m) >= 0) {

        if (!BN_mod(&am, a, m, ctx))

        if (!BN_nnmod(&am, a, m, ctx))

            goto err;

        if (!BN_to_montgomery(&am, &am, mont, ctx))

            goto err;