Clear r->neg in bn_abs_sub_consttime This has no practical consequences because this is only called internally, in a context where we would never see negative numbers, but still better to be tidy. Change-Id: I63f4fbc9180b86dd2aa5566467ed6e51f86ce917 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/95167 Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Lily Chen <chlily@google.com> Commit-Queue: Lily Chen <chlily@google.com> Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/fipsmodule/bn/bn_test.cc b/crypto/fipsmodule/bn/bn_test.cc
index d00199e..33527cc 100644
--- a/crypto/fipsmodule/bn/bn_test.cc
+++ b/crypto/fipsmodule/bn/bn_test.cc
@@ -223,6 +223,8 @@
 ASSERT_TRUE(BN_usub(ret.get(), sum.get(), ret.get()));
 EXPECT_BIGNUMS_EQUAL("Sum -u B (r is b)", a.get(), ret.get());
+ // bn_abs_sub_consttime should overwrite the output sign.
+ BN_set_negative(ret.get(), 1);
 ASSERT_TRUE(bn_abs_sub_consttime(ret.get(), sum.get(), a.get(), ctx));
 EXPECT_BIGNUMS_EQUAL("|Sum - A|", b.get(), ret.get());
 ASSERT_TRUE(bn_abs_sub_consttime(ret.get(), a.get(), sum.get(), ctx));
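Review bot: The check that the stale sign was cleared is only implicit in `EXPECT_BIGNUMS_EQUAL("|Sum - A|", ...)`, which presumably compares sign as well as magnitude (its definition is outside this hunk). An explicit `EXPECT_FALSE(BN_is_negative(ret.get()));` after the first `bn_abs_sub_consttime` call would state the contract directly and survive changes to the comparison helper. The sign is also poisoned only before the first call; repeating `BN_set_negative(ret.get(), 1);` before the second call (`a - sum`) would cover the other operand order. Since `BN_set_negative` leaves a zero value non-negative, vectors where `ret` is zero at this point do not exercise the new line.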
diff --git a/crypto/fipsmodule/bn/mul.cc.inc b/crypto/fipsmodule/bn/mul.cc.inc
index 43348fe..82746ad 100644
--- a/crypto/fipsmodule/bn/mul.cc.inc
+++ b/crypto/fipsmodule/bn/mul.cc.inc
@@ -140,6 +140,7 @@
 }
 bn_abs_sub_part_words(r->d, a->d, b->d, cl, dl, tmp->d);
 r->width = r_len;
+ r->neg = 0;
 return 1;
 }
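Review bot: The added `r->neg = 0;` carries no comment, so the reason for it is recorded only in the commit message. A one-line comment such as `// The result is |a - b|, which is never negative; clear any stale sign in |r|.` would keep it from being removed later as redundant. The store is unconditional, which suits a constant-time routine (no branch on the old sign) and is worth preserving in any refactor. The function starts above the hunk, so it cannot be checked from here whether the earlier return path leaves a stale `r->neg` on failure, or whether `a->neg` and `b->neg` are ignored. If the inputs are treated as magnitudes, the function's documentation should say so.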