Correctly reduce negative inpot to BN_mod_exp2_mont()

Negative bases could result in a negative modulus being returned. This is
not strictly speaking incorrect but slightly surprising. This is all a
consequence of the shortcut of defining BN_mod() as a macro using BN_div().

Fixes ossfuzz #55997

ok jsing

1 files changed, 3 insertions, 3 deletions

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 9abf574b57..ba9b2700f1 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.38 2023/03/15 04:30:20 jsing Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.39 2023/03/26 18:49:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1206,7 +1206,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
          * Build table for a1:   val1[i] := a1^(2*i + 1) mod m  for i = 0 .. 2^(window1-1)
          */
         if (a1->neg || BN_ucmp(a1, m) >= 0) {
-                if (!BN_mod_ct(val1[0], a1, m, ctx))
+                if (!BN_nnmod(val1[0], a1, m, ctx))
                         goto err;
                 a_mod_m = val1[0];
         } else
@@ -1237,7 +1237,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
          * Build table for a2:   val2[i] := a2^(2*i + 1) mod m  for i = 0 .. 2^(window2-1)
          */
         if (a2->neg || BN_ucmp(a2, m) >= 0) {
-                if (!BN_mod_ct(val2[0], a2, m, ctx))
+                if (!BN_nnmod(val2[0], a2, m, ctx))
                         goto err;
                 a_mod_m = val2[0];
         } else