Fix bn_mod_exp_mont_small when exponentiating to zero.

It's defined to return one in Montgomery form, not a normal one.

(Not that this matters. This function is only used to Fermat's Little
Theorem. Probably it should have been less general, though we'd need to
make new test vectors first.)

Change-Id: Ia8d7588e6a413b25f01280af9aacef0192283771
Reviewed-on: https://boringssl-review.googlesource.com/27285
Reviewed-by: Adam Langley <agl@google.com>

crypto/fipsmodule/bn/bn_tests.txt

@@ -10120,6 +10120,17 @@ A = 050505050505
 E = 02
 M = 414141414141414141414127414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
 
+# Cover the E = 0 case for small numbers.
+ModExp = 01
+A = 86b49
+E = 00
+M = 30d26ecb
+
+ModExp = 00
+A = 00
+E = 00
+M = 01
+
 ModExp = 208f8aa0
 A = 86b49
 E = 2

crypto/fipsmodule/bn/exponentiation.c

@@ -739,11 +739,7 @@ int bn_mod_exp_mont_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a,
     bits = BN_num_bits_word(p[num_p - 1]) + (num_p - 1) * BN_BITS2;
   }
   if (bits == 0) {
-    OPENSSL_memset(r, 0, num_r * sizeof(BN_ULONG));
-    if (!BN_is_one(&mont->N)) {
-      r[0] = 1;
-    }
-    return 1;
+    return bn_one_to_montgomery_small(r, num_r, mont);
   }
 
   // We exponentiate by looking at sliding windows of the exponent and