Require base in |BN_mod_exp_mont_consttime| to be reduced.

crypto/bn/bn_test.cc

@@ -843,6 +843,75 @@ static bool TestExpModZero(RAND *rng) {
   return true;
 }
 
+static bool TestExpModRejectUnreduced(BN_CTX *ctx) {
+  ScopedBIGNUM r(BN_new());
+  if (!r) {
+    return false;
+  }
+
+  static const BN_ULONG kBases[] = { 1, 3 };
+  static const BN_ULONG kExponents[] = { 1, 2, 3 };
+  static const BN_ULONG kModuli[] = { 1, 3 };
+
+  for (BN_ULONG mod_value : kModuli) {
+    ScopedBIGNUM mod(BN_new());
+    ScopedBN_MONT_CTX mont(BN_MONT_CTX_new());
+    if (!mod ||
+        !BN_set_word(mod.get(), mod_value) ||
+        !mont ||
+        !BN_MONT_CTX_set(mont.get(), mod.get(), ctx)) {
+      return false;
+    }
+    for (BN_ULONG exp_value : kExponents) {
+      ScopedBIGNUM exp(BN_new());
+      if (!exp ||
+          !BN_set_word(exp.get(), exp_value)) {
+        return false;
+      }
+      for (BN_ULONG base_value : kBases) {
+        ScopedBIGNUM base(BN_new());
+        if (!base ||
+            !BN_set_word(base.get(), base_value)) {
+          return false;
+        }
+
+        if (base_value >= mod_value &&
+            BN_mod_exp_mont(r.get(), base.get(), exp.get(), mod.get(), ctx,
+                            mont.get())) {
+          fprintf(stderr, "BN_mod_exp_mont(%d, %d, %d) succeeded!\n",
+                  (int)base_value, (int)exp_value, (int)mod_value);
+          return false;
+        }
+
+        if (base_value >= mod_value &&
+            BN_mod_exp_mont_consttime(r.get(), base.get(), exp.get(), mod.get(),
+                                      ctx, mont.get())) {
+          fprintf(stderr, "BN_mod_exp_mont_consttime(%d, %d, %d) succeeded!\n",
+                  (int)base_value, (int)exp_value, (int)mod_value);
+          return false;
+        }
+
+        BN_set_negative(base.get(), 1);
+
+        if (BN_mod_exp_mont(r.get(), base.get(), exp.get(), mod.get(), ctx,
+                            mont.get())) {
+          fprintf(stderr, "BN_mod_exp_mont(%d, %d, %d) succeeded!\n",
+                  -(int)base_value, (int)exp_value, (int)mod_value);
+          return false;
+        }
+        if (BN_mod_exp_mont_consttime(r.get(), base.get(), exp.get(),
+                                      mod.get(), ctx, mont.get())) {
+          fprintf(stderr, "BN_mod_exp_mont_consttime(%d, %d, %d) succeeded!\n",
+                  -(int)base_value, (int)exp_value, (int)mod_value);
+          return false;
+        }
+      }
+    }
+  }
+
+  return true;
+}
+
 static bool TestCmpWord() {
   static const BN_ULONG kMaxWord = (BN_ULONG)-1;
 
@@ -926,6 +995,7 @@ extern "C" int bssl_bn_test_main(RAND *rng) {
       !TestNegativeZero(ctx.get()) ||
       !TestBadModulus(ctx.get()) ||
       !TestExpModZero(rng) ||
+      !TestExpModRejectUnreduced(ctx.get()) ||
       !TestCmpWord()) {
     return 1;
   }

crypto/bn/bn_tests.txt

@@ -9901,15 +9901,17 @@ A = 21292626
 E = d
 M = 30d26ecb
 
-ModExp = 11317167
-A = 4a655df24
-E = 10
-M = 30d26ecb
-
-ModExp = 2e1b88e
-A = da6b761a86
-E = 35
-M = 30d26ecb
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 11317167
+# A = 4a655df24
+# E = 10
+# M = 30d26ecb
+
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 2e1b88e
+# A = da6b761a86
+# E = 35
+# M = 30d26ecb
 
 ModExp = 20a12ec3
 A = ea811
@@ -9921,20 +9923,23 @@ A = 1011a6a
 E = 4
 M = 23bc042f
 
-ModExp = 4637d79
-A = 28d9a601
-E = 8
-M = 23bc042f
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 4637d79
+# A = 28d9a601
+# E = 8
+# M = 23bc042f
 
-ModExp = 20e5669b
-A = 72fe6bc20
-E = 11
-M = 23bc042f
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 20e5669b
+# A = 72fe6bc20
+# E = 11
+# M = 23bc042f
 
-ModExp = 142ab9e3
-A = 9a07b9363c
-E = 29
-M = 23bc042f
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 142ab9e3
+# A = 9a07b9363c
+# E = 29
+# M = 23bc042f
 
 ModExp = 14c64646
 A = 822df
@@ -9946,20 +9951,23 @@ A = 15ea542
 E = 5
 M = 30915765
 
-ModExp = 2f23a488
-A = 34d2e02e
-E = e
-M = 30915765
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 2f23a488
+# A = 34d2e02e
+# E = e
+# M = 30915765
 
-ModExp = 28e67f93
-A = 636a32703
-E = 14
-M = 30915765
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 28e67f93
+# A = 636a32703
+# E = 14
+# M = 30915765
 
-ModExp = 29bfeaa5
-A = c8646998e6
-E = 2c
-M = 30915765
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 29bfeaa5
+# A = c8646998e6
+# E = 2c
+# M = 30915765
 
 ModExp = 30959e22
 A = 81dad
@@ -9976,15 +9984,17 @@ A = 2d21ef08
 E = 8
 M = 326dd68d
 
-ModExp = 29f5054b
-A = 76989850a
-E = 16
-M = 326dd68d
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 29f5054b
+# A = 76989850a
+# E = 16
+# M = 326dd68d
 
-ModExp = e6c7b77
-A = b88ee70d2a
-E = 3e
-M = 326dd68d
+# Unreduced inputs are not supported in *ring*.
+# ModExp = e6c7b77
+# A = b88ee70d2a
+# E = 3e
+# M = 326dd68d
 
 ModExp = 369605e1
 A = cf26f
@@ -10001,15 +10011,17 @@ A = 2e9c4c07
 E = 9
 M = 3ce082eb
 
-ModExp = 1c5fe761
-A = 523ab37f1
-E = 14
-M = 3ce082eb
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 1c5fe761
+# A = 523ab37f1
+# E = 14
+# M = 3ce082eb
 
-ModExp = 21703009
-A = dc832165e8
-E = 20
-M = 3ce082eb
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 21703009
+# A = dc832165e8
+# E = 20
+# M = 3ce082eb
 
 ModExp = 1228d1e
 A = a5555
@@ -10021,20 +10033,23 @@ A = 1077bd6
 E = 4
 M = 24665b27
 
-ModExp = 1b14eac1
-A = 2db3a834
-E = f
-M = 24665b27
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 1b14eac1
+# A = 2db3a834
+# E = f
+# M = 24665b27
 
-ModExp = 161727bc
-A = 6bd962cb6
-E = 19
-M = 24665b27
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 161727bc
+# A = 6bd962cb6
+# E = 19
+# M = 24665b27
 
-ModExp = 10d61d0d
-A = c10caed407
-E = 28
-M = 24665b27
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 10d61d0d
+# A = c10caed407
+# E = 28
+# M = 24665b27
 
 ModExp = 233da406
 A = b125f
@@ -10051,15 +10066,17 @@ A = 2e671504
 E = a
 M = 33509981
 
-ModExp = 20c20bac
-A = 4d7a2de44
-E = 1f
-M = 33509981
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 20c20bac
+# A = 4d7a2de44
+# E = 1f
+# M = 33509981
 
-ModExp = 2e3ce9d3
-A = c53b3def4d
-E = 31
-M = 33509981
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 2e3ce9d3
+# A = c53b3def4d
+# E = 31
+# M = 33509981
 
 ModExp = 12fadfd6
 A = b4cf8
@@ -10146,10 +10163,11 @@ A = 0
 E = 8de689aef79eba6b20d7debb8d146541348df2f259dff6c3bfabf5517c8caf0473866a03ddbd03fc354bb00beda35e67f342d684896bf8dbb79238a6929692b1a87f58a2dcba596fe1a0514e3019baffe1b580fc810bd9774c00ab0f37af78619b30f273e3bfb95daac34e74566f84bb8809be7650dec75a20be61b4f904ed4e
 M = c95943186c7567fe8cd1bb4f07e7c659475fd9f38217571af20dfe7e4666d86286bc5b2bb013197f9b1c452c69a95bb7e450cf6e45d46e452282d5d2826978e06c52c7ca204869e8d1b1fac4911e3aef92c7b2d7551ebd8c6fe0365fad49e275cc2949a124385cadc4ace24671c4fe86a849de07c6fafacb312f55e9f3c79dcb
 
-ModExp = 5150fb769d5c5d341aaf56639a7bcc77c415fe46439938a2190283409692f29cd080bfe3433005d98d24718a03a3553c8560c5e9c8ed0f53b8945eb18290e1c1a83d919302510f66dd89b58acc2de79ad54b8a30d3e1019d4d222556beefca0821b094ecf104b5e4cfce69d2d520d2abf54f3e393d25ed3d27e8c2e3ca2e5ff9
-A = ead8c5a451541c50cab74de530c89376d9a55c723e0cac3c84b25f0093c08a2961e49ab48966361c42c9f99111587252d98395b76788400d75c66ef208ea2767a28d6f8dc3a859f39c95765d57f139e7fc14f47c908c62df051e7216d379f52028843b4d82ef49133cce8fe671ae179423ac8da5be43b01caaf425cd969300cd
-E = 8de689aef79eba6b20d7debb8d146541348df2f259dff6c3bfabf5517c8caf0473866a03ddbd03fc354bb00beda35e67f342d684896bf8dbb79238a6929692b1a87f58a2dcba596fe1a0514e3019baffe1b580fc810bd9774c00ab0f37af78619b30f273e3bfb95daac34e74566f84bb8809be7650dec75a20be61b4f904ed4e
-M = c95943186c7567fe8cd1bb4f07e7c659475fd9f38217571af20dfe7e4666d86286bc5b2bb013197f9b1c452c69a95bb7e450cf6e45d46e452282d5d2826978e06c52c7ca204869e8d1b1fac4911e3aef92c7b2d7551ebd8c6fe0365fad49e275cc2949a124385cadc4ace24671c4fe86a849de07c6fafacb312f55e9f3c79dcb
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 5150fb769d5c5d341aaf56639a7bcc77c415fe46439938a2190283409692f29cd080bfe3433005d98d24718a03a3553c8560c5e9c8ed0f53b8945eb18290e1c1a83d919302510f66dd89b58acc2de79ad54b8a30d3e1019d4d222556beefca0821b094ecf104b5e4cfce69d2d520d2abf54f3e393d25ed3d27e8c2e3ca2e5ff9
+# A = ead8c5a451541c50cab74de530c89376d9a55c723e0cac3c84b25f0093c08a2961e49ab48966361c42c9f99111587252d98395b76788400d75c66ef208ea2767a28d6f8dc3a859f39c95765d57f139e7fc14f47c908c62df051e7216d379f52028843b4d82ef49133cce8fe671ae179423ac8da5be43b01caaf425cd969300cd
+# E = 8de689aef79eba6b20d7debb8d146541348df2f259dff6c3bfabf5517c8caf0473866a03ddbd03fc354bb00beda35e67f342d684896bf8dbb79238a6929692b1a87f58a2dcba596fe1a0514e3019baffe1b580fc810bd9774c00ab0f37af78619b30f273e3bfb95daac34e74566f84bb8809be7650dec75a20be61b4f904ed4e
+# M = c95943186c7567fe8cd1bb4f07e7c659475fd9f38217571af20dfe7e4666d86286bc5b2bb013197f9b1c452c69a95bb7e450cf6e45d46e452282d5d2826978e06c52c7ca204869e8d1b1fac4911e3aef92c7b2d7551ebd8c6fe0365fad49e275cc2949a124385cadc4ace24671c4fe86a849de07c6fafacb312f55e9f3c79dcb
 
 ModExp = 1
 A = 935561297d1d90255aef891e2e30aa09935409de3d4a5abc340ac9a9b7dce33e9f5ce407f3a67ec30e0dc30481070823f8542463e46828d9cafb672a506d6753688cbad3d2761079f770c726c0b957071a30876c4d448e884b647833befbcd6b582787bf769d63cf55e68c7b869a0b86374f8920516cf5d528f348b6057450a1
@@ -10191,10 +10209,11 @@ A = 0
 E = a5524b41dfc6b570df1d8f6633ac7777c1131abe3a99c6166b0d29d3b8883c41b00a0c53cdd6f42820bf05c810b6ec53e77a8c1b9344ea0c91d4f410a2f204c369f3db33bf8c88217fc2cf802a9d9bce8119242d8e781875b85431be170076498c0963574ee423551aec9557e2fc672ab1ab5d0cbb1c400535df9481e7934d8f
 M = 88f3c87ac5e3272a21b8a858da640d6939fb8113a95412c38663a0f352686d69a5d7927e60b484b9fcb8ef12978fe25ff2ebc9b61c5450e04222ef20ba3cbbdc5ec45581ce0f58e10be7bb9de7fa08752303a7a1db23b2ac9c6692ec63bf09ecd6639e06c5491ba568ea886620d71da32d329615f0e1443a75d09ae35b8a2d7f
 
-ModExp = 292f0b39ca0f1c850b1a00cffd2d54924fcd5fc7e7504c9d593e6c0ff74760b1f4bdd81679fe06c50248336f3108c593fa111072ee87d0fcc89a63243a1dc89044503663eee9bc18f51c3e0193d9108303e12ac90ff78f6ec752a4386af09c42db524a7cbe9a3d4fcccd56c34d283bcc9debc17158b5fe8df0c1888a9841bf8f
-A = b4fde2908745ff92cc5826a27dcfdda09e8fffee681844fa4c7f1354d946d5d84e0e0c7a4a4cb20943d9c73dd707ca47d796945d6f6b55933b615e2c522f5dfc33e0652917b4809bab86f4fa56b32b746c177764895492d0a6a699812b2827fe701d40ef7effd78ea8efe1cac15ff74a295a09614bf04cae1a5017872ba22efe
-E = a5524b41dfc6b570df1d8f6633ac7777c1131abe3a99c6166b0d29d3b8883c41b00a0c53cdd6f42820bf05c810b6ec53e77a8c1b9344ea0c91d4f410a2f204c369f3db33bf8c88217fc2cf802a9d9bce8119242d8e781875b85431be170076498c0963574ee423551aec9557e2fc672ab1ab5d0cbb1c400535df9481e7934d8f
-M = 88f3c87ac5e3272a21b8a858da640d6939fb8113a95412c38663a0f352686d69a5d7927e60b484b9fcb8ef12978fe25ff2ebc9b61c5450e04222ef20ba3cbbdc5ec45581ce0f58e10be7bb9de7fa08752303a7a1db23b2ac9c6692ec63bf09ecd6639e06c5491ba568ea886620d71da32d329615f0e1443a75d09ae35b8a2d7f
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 292f0b39ca0f1c850b1a00cffd2d54924fcd5fc7e7504c9d593e6c0ff74760b1f4bdd81679fe06c50248336f3108c593fa111072ee87d0fcc89a63243a1dc89044503663eee9bc18f51c3e0193d9108303e12ac90ff78f6ec752a4386af09c42db524a7cbe9a3d4fcccd56c34d283bcc9debc17158b5fe8df0c1888a9841bf8f
+# A = b4fde2908745ff92cc5826a27dcfdda09e8fffee681844fa4c7f1354d946d5d84e0e0c7a4a4cb20943d9c73dd707ca47d796945d6f6b55933b615e2c522f5dfc33e0652917b4809bab86f4fa56b32b746c177764895492d0a6a699812b2827fe701d40ef7effd78ea8efe1cac15ff74a295a09614bf04cae1a5017872ba22efe
+# E = a5524b41dfc6b570df1d8f6633ac7777c1131abe3a99c6166b0d29d3b8883c41b00a0c53cdd6f42820bf05c810b6ec53e77a8c1b9344ea0c91d4f410a2f204c369f3db33bf8c88217fc2cf802a9d9bce8119242d8e781875b85431be170076498c0963574ee423551aec9557e2fc672ab1ab5d0cbb1c400535df9481e7934d8f
+# M = 88f3c87ac5e3272a21b8a858da640d6939fb8113a95412c38663a0f352686d69a5d7927e60b484b9fcb8ef12978fe25ff2ebc9b61c5450e04222ef20ba3cbbdc5ec45581ce0f58e10be7bb9de7fa08752303a7a1db23b2ac9c6692ec63bf09ecd6639e06c5491ba568ea886620d71da32d329615f0e1443a75d09ae35b8a2d7f
 
 ModExp = 1
 A = e2845c572b46496ac158a731f612fd40ef626fa7134755c25b1b7614f4d7b29164e6142ddb7985e4c7ebc575855ff901e95927fe98a5aea2ad3a4720c75782323bea1518b2c57790f44efd9411be4e95b3896bad1e73c59658290b309e5a7eb5ef8be08125063e57336b80f17eacee88966d12bbaaa15a25929c82e027cf696f
@@ -10221,10 +10240,11 @@ A = 0
 E = 95793fe33696f53e37498b2b65aaf27079e27acf1da97dda2c3e0803e8a02139f574e04ee03f7d1ddd029f528e3f3644515ad6f10f0beac2767f23d9cd8a8b9b6c6e376e36b64a0ae2711d7d31a5a75011641935b503110edbefe9f0ff2da27b5c5f6bb8cc151fdc86f67191bb99160c6cacc86ca368d5bdfafd3f3ff5161b1e
 M = 8315dacf124bd473c578946347e83d1b20c750a7d9533d6215591be40bc78bcca77821f8c8f95375bbd6372515ada63d22bed2fa49bd6fabb0040c538d08db25b09d2fda02a93ab086cd1c27df93c37ee9c6a0527d089179b8f92b5dc3acf5ef1c75906fb80b03f5c2442a7a4088640f66376575ecfa4c697c1a571397ee5a0d
 
-ModExp = 186c50ae259aa0fd31859cbcfea534e626a254de33956d5d719334bb32e7cf37cf199a21f079a5b90497228994d05efe19ccd8c769cd81f896286e8ae557cacd1630a928c629ecdfece29ab3697794aa707734e007318fa7029b050bb09ebbe6986187c6ca843f55266d275620b3f0fec0ad5f847ce8b314d929d128b33a249e
-A = 9d5e345793faddca9867f23eeddf6816c1e837f7a2cf96fa077212514acb6be87ac01a237d8f2f1d07d27a8ddd1b0ae0d97e1bda4f205a89435017284cdedea3e407b1b940d6f52112b6359b3e86e4c83074b17c210ae2c8856b42b169b4a7a6dfa65b368a7959496cf9bb1ee93d019dbd79101830e3f5ed08604ab90890b914
-E = 95793fe33696f53e37498b2b65aaf27079e27acf1da97dda2c3e0803e8a02139f574e04ee03f7d1ddd029f528e3f3644515ad6f10f0beac2767f23d9cd8a8b9b6c6e376e36b64a0ae2711d7d31a5a75011641935b503110edbefe9f0ff2da27b5c5f6bb8cc151fdc86f67191bb99160c6cacc86ca368d5bdfafd3f3ff5161b1e
-M = 8315dacf124bd473c578946347e83d1b20c750a7d9533d6215591be40bc78bcca77821f8c8f95375bbd6372515ada63d22bed2fa49bd6fabb0040c538d08db25b09d2fda02a93ab086cd1c27df93c37ee9c6a0527d089179b8f92b5dc3acf5ef1c75906fb80b03f5c2442a7a4088640f66376575ecfa4c697c1a571397ee5a0d
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 186c50ae259aa0fd31859cbcfea534e626a254de33956d5d719334bb32e7cf37cf199a21f079a5b90497228994d05efe19ccd8c769cd81f896286e8ae557cacd1630a928c629ecdfece29ab3697794aa707734e007318fa7029b050bb09ebbe6986187c6ca843f55266d275620b3f0fec0ad5f847ce8b314d929d128b33a249e
+# A = 9d5e345793faddca9867f23eeddf6816c1e837f7a2cf96fa077212514acb6be87ac01a237d8f2f1d07d27a8ddd1b0ae0d97e1bda4f205a89435017284cdedea3e407b1b940d6f52112b6359b3e86e4c83074b17c210ae2c8856b42b169b4a7a6dfa65b368a7959496cf9bb1ee93d019dbd79101830e3f5ed08604ab90890b914
+# E = 95793fe33696f53e37498b2b65aaf27079e27acf1da97dda2c3e0803e8a02139f574e04ee03f7d1ddd029f528e3f3644515ad6f10f0beac2767f23d9cd8a8b9b6c6e376e36b64a0ae2711d7d31a5a75011641935b503110edbefe9f0ff2da27b5c5f6bb8cc151fdc86f67191bb99160c6cacc86ca368d5bdfafd3f3ff5161b1e
+# M = 8315dacf124bd473c578946347e83d1b20c750a7d9533d6215591be40bc78bcca77821f8c8f95375bbd6372515ada63d22bed2fa49bd6fabb0040c538d08db25b09d2fda02a93ab086cd1c27df93c37ee9c6a0527d089179b8f92b5dc3acf5ef1c75906fb80b03f5c2442a7a4088640f66376575ecfa4c697c1a571397ee5a0d
 
 ModExp = 1
 A = e6a079bdf7b0638d50b183475e9ddfd5cbdebfb29f5fae8e9be402a0bd36085737b556492ea7fb4b1000ae9ce59db66098129b757cfb29224275fdaa46b8b7eb18a93ca7d3e446dc38c734b683d7ba7927b008d993aab01f44239d3c76be76d1503908e9b5e73b36c43ae0771368b01f39c042693bd92c4fc50810f059e1b332
@@ -10236,10 +10256,11 @@ A = 0
 E = f0460c5ca9b3a5c2d1b93c201d020dc43e1c81d1daba432e2cd310902da23eb81a5172b0b357484eb8fa2c04c270893b8198c8ad35453405dadaf05195b3aeb5ec0ccacecb4b6227ca43b27b97e240a4148a472670ed60f304302f757495fd4a91af0fe09800db0c3043a6ae213bee6703ad80523ca433d99ca0eab1e0b7c929
 M = 81dd561d5d5327fc5ed7c9236b5fb21ef713c6d5e36264ba65ccc801b8eb107b714aad65bb503bb1f4721c0a6f97e5ab89300f049f42a4616ae43d29c089c286687484d18629c1be1b5befbdd0b3cfc86b1d28add89df4cc5e68dac3f56f2490a9068ca9c634ec258c030ec5023baa9133fd2af32fd1112895f9da549d410247
 
-ModExp = 60719701a2dc0bcde281a93ce0b8421d1a718adee43c1b5d9fe9e697a48ab3db4f9f33c73cff305ab6b6c300c149b05c6b289dce4580860dc56bc59de81ac074ecebdc65aa3ca040b44e5b3c80ddba1658d78b9abbc4c77e5f171f5582e70ab4438a8e1e2f062d618c4ad09c70c73b5b5fbc9f8f0bbdf1d530a933b705f85af8
-A = e1b400cd3b1f2f1c6b437adfdb970d2c8108f1b39bdbb13582179552011c6c97cba6bff2c463212b7f62776aa3e3aff9f175990e79395e819c144350b0a23d61638d500ecc97726b098e1af334aece23a851c718612442c04eb7b3805a24cc8f5b90042145eb5e5d6a408092832b6bbeb8a621419a9282fb5c075f41c7f1fdc1
-E = f0460c5ca9b3a5c2d1b93c201d020dc43e1c81d1daba432e2cd310902da23eb81a5172b0b357484eb8fa2c04c270893b8198c8ad35453405dadaf05195b3aeb5ec0ccacecb4b6227ca43b27b97e240a4148a472670ed60f304302f757495fd4a91af0fe09800db0c3043a6ae213bee6703ad80523ca433d99ca0eab1e0b7c929
-M = 81dd561d5d5327fc5ed7c9236b5fb21ef713c6d5e36264ba65ccc801b8eb107b714aad65bb503bb1f4721c0a6f97e5ab89300f049f42a4616ae43d29c089c286687484d18629c1be1b5befbdd0b3cfc86b1d28add89df4cc5e68dac3f56f2490a9068ca9c634ec258c030ec5023baa9133fd2af32fd1112895f9da549d410247
+# Unreduced inputs are not supported in *ring*.
+# ModExp = 60719701a2dc0bcde281a93ce0b8421d1a718adee43c1b5d9fe9e697a48ab3db4f9f33c73cff305ab6b6c300c149b05c6b289dce4580860dc56bc59de81ac074ecebdc65aa3ca040b44e5b3c80ddba1658d78b9abbc4c77e5f171f5582e70ab4438a8e1e2f062d618c4ad09c70c73b5b5fbc9f8f0bbdf1d530a933b705f85af8
+# A = e1b400cd3b1f2f1c6b437adfdb970d2c8108f1b39bdbb13582179552011c6c97cba6bff2c463212b7f62776aa3e3aff9f175990e79395e819c144350b0a23d61638d500ecc97726b098e1af334aece23a851c718612442c04eb7b3805a24cc8f5b90042145eb5e5d6a408092832b6bbeb8a621419a9282fb5c075f41c7f1fdc1
+# E = f0460c5ca9b3a5c2d1b93c201d020dc43e1c81d1daba432e2cd310902da23eb81a5172b0b357484eb8fa2c04c270893b8198c8ad35453405dadaf05195b3aeb5ec0ccacecb4b6227ca43b27b97e240a4148a472670ed60f304302f757495fd4a91af0fe09800db0c3043a6ae213bee6703ad80523ca433d99ca0eab1e0b7c929
+# M = 81dd561d5d5327fc5ed7c9236b5fb21ef713c6d5e36264ba65ccc801b8eb107b714aad65bb503bb1f4721c0a6f97e5ab89300f049f42a4616ae43d29c089c286687484d18629c1be1b5befbdd0b3cfc86b1d28add89df4cc5e68dac3f56f2490a9068ca9c634ec258c030ec5023baa9133fd2af32fd1112895f9da549d410247
 
 ModExp = 1
 A = 9dd1e6f2d3ff24096b54e0ebf0f10e283e484a1cbafc0431adda1296ed97692f3ba99440fd4f67c96dd8bab850e1123361c99362df9ea205ff8e90d1b329459f54730992d5a360e46fcc5f5a909e691abb9a06613d6991bd7c2aa609f0d7b441d7ded0c07b8c394327672d38a905efb2d76aa3be5bb14d0c002aa37e287aee79

crypto/bn/exponentiation.c

@@ -569,10 +569,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
   /* prepare a^1 in Montgomery domain */
   if (a->neg || BN_ucmp(a, m) >= 0) {
-    if (!BN_mod(&am, a, m, ctx) ||
-        !BN_to_montgomery(&am, &am, mont, ctx)) {
-      goto err;
-    }
+    OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
+    goto err;
   } else if (!BN_to_montgomery(&am, a, mont, ctx)) {
     goto err;
   }