From 5842915a50f8217d841cdf480259d157ac95a0a2 Mon Sep 17 00:00:00 2001 From: tb <> Date: Sun, 26 Mar 2023 18:52:29 +0000 Subject: Make several calls to BN_nnmod() unconditional This removes a potential branch in a sensitive function and makes the code a lot simpler. It is a really bad idea optimize here for what davidben aptly calls "calculator" purposes. ok jsing
---
 src/lib/libcrypto/bn/bn_exp.c | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) (limited to 'src')
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index ba9b2700f1..e2e4aa541c 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.39 2023/03/26 18:49:48 tb Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.40 2023/03/26 18:52:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -682,12 +682,9 @@ BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIG
 goto err;
 }

- if (a->neg || BN_ucmp(a, m) >= 0) {
- if (!BN_nnmod(val[0], a,m, ctx))
- goto err;
- aa = val[0];
- } else
- aa = a;
+ if (!BN_nnmod(val[0], a,m, ctx))
+ goto err;
+ aa = val[0];
 if (BN_is_zero(aa)) {
 BN_zero(rr);
 ret = 1;
@@ -1205,12 +1202,9 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 /*
 * Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1)
 */
- if (a1->neg || BN_ucmp(a1, m) >= 0) {
- if (!BN_nnmod(val1[0], a1, m, ctx))
- goto err;
- a_mod_m = val1[0];
- } else
- a_mod_m = a1;
+ if (!BN_nnmod(val1[0], a1, m, ctx))
+ goto err;
+ a_mod_m = val1[0];
 if (BN_is_zero(a_mod_m)) {
 BN_zero(rr);
 ret = 1;
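Review bot: The now-unconditional `BN_nnmod(val[0], a,m, ctx)` in BN_mod_exp_mont_internal has no comment saying why the reduction is always performed, so the removed `a->neg || BN_ucmp(a, m) >= 0` fast path is easy to reintroduce later as an optimization; the same applies to the two BN_mod_exp2_mont hunks. I would add above each call something like `/* Always reduce: skipping this for an already-reduced base would branch on the base in a sensitive function. */`. The context line `if (BN_is_zero(aa)) {` directly below still takes an early exit that depends on the reduced base, and whether BN_nnmod itself runs independently of its operands cannot be judged from these hunks, so the comment should say that this removes one branch rather than claim the path is constant-time. The function bodies start and end outside the hunks.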
@@ -1236,12 +1230,9 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 /*
 * Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1)
 */
- if (a2->neg || BN_ucmp(a2, m) >= 0) {
- if (!BN_nnmod(val2[0], a2, m, ctx))
- goto err;
- a_mod_m = val2[0];
- } else
- a_mod_m = a2;
+ if (!BN_nnmod(val2[0], a2, m, ctx))
+ goto err;
+ a_mod_m = val2[0];
 if (BN_is_zero(a_mod_m)) {
 BN_zero(rr);
 ret = 1;
-- cgit v1.2.3-55-g6feb
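Review bot: After this change `a_mod_m` is only ever another name for `val2[0]` here (and for `val1[0]` in the previous hunk, as `aa` is for `val[0]` in BN_mod_exp_mont_internal), so the alias no longer selects between the caller's operand and the reduced copy. If nothing later in the function needs the separate pointer, which is not visible in this hunk, the zero check could read `if (BN_is_zero(val2[0])) {` and the local could be dropped, leaving no hint that an unreduced operand might still flow into the table build. As a smaller point of style, the call in BN_mod_exp_mont_internal keeps `a,m` without a space while the two calls in this function use `a1, m` and `a2, m`.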