commit 591f251bf3c9473f8f630a06f2c31278f2c153ff
author David Benjamin <davidben@google.com> Mon Feb 27 20:27:58 2017 -0500
committer Adam Langley <agl@google.com> Tue Feb 28 18:00:02 2017 +0000
tree 8d314345fa8ade59e69cef9a849da6075e32ef86
parent ba9557d0efeba40a40fd2007dd118524ab3f02fe

Remove direct calls to BN_mod_exp.

Within the library, we never need to exponentiate modulo an even number.
In fact, all the remaining BN_mod_exp calls are modulo an odd prime.
This extends 617804adc5cd6760a3febcd9d4408fbfc6ebcd0c to the rest of the
library.

Change-Id: I4273439faa6a516c99673b28f8ae38ddfff7e42d
Reviewed-on: https://boringssl-review.googlesource.com/14024
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

crypto/dh/check.c

diff --git a/crypto/dh/check.c b/crypto/dh/check.c
index f40e034..e3c111b 100644
--- a/crypto/dh/check.c
+++ b/crypto/dh/check.c
@@ -93,7 +93,7 @@
     /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
      * groups which are not safe primes but pick a generator on a prime-order
      * subgroup of size |dh->q|. */
-    if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) {
+    if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) {
       goto err;
     }
     if (!BN_is_one(tmp)) {
@@ -145,7 +145,7 @@
       *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
     } else {
       /* Check g^q == 1 mod p */
-      if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) {
+      if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) {
         goto err;
       }
       if (!BN_is_one(t1)) {