Ensure negative input to BN_mod_exp_mont_consttime() is correctly reduced.

A negative input to BN_mod_exp_mont_consttime() is not correctly reduced,
remaining negative (when it should be in the range [0, m)). Fix this by
unconditionally calling BN_nnmod() on the input.

Fixes ossfuzz #55997.

ok tb@

1 files changed, 4 insertions, 7 deletions

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 4011bb4890..9abf574b57 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.37 2023/02/03 05:30:49 jsing Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.38 2023/03/15 04:30:20 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -459,12 +459,9 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 #endif
 
         /* prepare a^1 in Montgomery domain */
-        if (a->neg || BN_ucmp(a, m) >= 0) {
-                if (!BN_mod_ct(&am, a,m, ctx))
-                        goto err;
-                if (!BN_to_montgomery(&am, &am, mont, ctx))
-                        goto err;
-        } else if (!BN_to_montgomery(&am, a,mont, ctx))
+        if (!BN_nnmod(&am, a, m, ctx))
+                goto err;
+        if (!BN_to_montgomery(&am, &am, mont, ctx))
                 goto err;
 
 #if defined(OPENSSL_BN_ASM_MONT5)