Use BN_nnmod instead of BN_mod in BN_mod_exp_mont_consttime.

|BN_mod_exp_mont| uses |BN_nnmod| so it seems like |BN_mod_exp_mont_consttime| should too. Further, I created these test vectors by doing the math by hand, and the tests passed for |BN_mod_exp_mont| but failed for |BN_mod_exp_mont_consttime| without this change. Change-Id: I7cffa1375e94dd8eaee87ada78285cd67fff1bac Reviewed-on: https://boringssl-review.googlesource.com/9032 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-30 20:53:52 -10:00 · 2016-07-30 20:53:52 -10:00 · dc7a786d31
commit dc7a786d31
parent da2630c190
2 changed files with 36 additions and 1 deletions
--- a/crypto/bn/bn_tests.txt
+++ b/crypto/bn/bn_tests.txt
@ -9880,6 +9880,41 @@ M = 7eacffe21f88413af94155a2a8e37f70a431a59653738afda04a1bec72d0d9ed
 #
 # These test vectors satisfy A ^ E = ModExp (mod M) and 0 <= ModExp < M.

+ModExp = 00
+A = -01
+E = 01
+M = 01
+
+ModExp = 01
+A = -02
+E = 01
+M = 03
+
+ModExp = 01
+A = -01
+E = 02
+M = 03
+
+ModExp = 01
+A = -02
+E = 02
+M = 03
+
+ModExp = 00
+A = -03
+E = 02
+M = 03
+
+ModExp = 02
+A = -04
+E = 01
+M = 03
+
+ModExp = 01
+A = -04
+E = 02
+M = 03
+
 # Regression test for carry propagation bug in sqr8x_reduction.
 ModExp = 19324b647d967d644b3219
 A = 050505050505
--- a/crypto/bn/exponentiation.c
+++ b/crypto/bn/exponentiation.c
@ -992,7 +992,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,

  /* prepare a^1 in Montgomery domain */
  if (a->neg || BN_ucmp(a, m) >= 0) {
-    if (!BN_mod(&am, a, m, ctx) ||
+    if (!BN_nnmod(&am, a, m, ctx) ||
        !BN_to_montgomery(&am, &am, mont, ctx)) {
      goto err;
    }