1 |
|
|
/* $OpenBSD: bn_gcd.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */ |
2 |
|
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 |
|
|
* All rights reserved. |
4 |
|
|
* |
5 |
|
|
* This package is an SSL implementation written |
6 |
|
|
* by Eric Young (eay@cryptsoft.com). |
7 |
|
|
* The implementation was written so as to conform with Netscapes SSL. |
8 |
|
|
* |
9 |
|
|
* This library is free for commercial and non-commercial use as long as |
10 |
|
|
* the following conditions are aheared to. The following conditions |
11 |
|
|
* apply to all code found in this distribution, be it the RC4, RSA, |
12 |
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 |
|
|
* included with this distribution is covered by the same copyright terms |
14 |
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 |
|
|
* |
16 |
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in |
17 |
|
|
* the code are not to be removed. |
18 |
|
|
* If this package is used in a product, Eric Young should be given attribution |
19 |
|
|
* as the author of the parts of the library used. |
20 |
|
|
* This can be in the form of a textual message at program startup or |
21 |
|
|
* in documentation (online or textual) provided with the package. |
22 |
|
|
* |
23 |
|
|
* Redistribution and use in source and binary forms, with or without |
24 |
|
|
* modification, are permitted provided that the following conditions |
25 |
|
|
* are met: |
26 |
|
|
* 1. Redistributions of source code must retain the copyright |
27 |
|
|
* notice, this list of conditions and the following disclaimer. |
28 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
29 |
|
|
* notice, this list of conditions and the following disclaimer in the |
30 |
|
|
* documentation and/or other materials provided with the distribution. |
31 |
|
|
* 3. All advertising materials mentioning features or use of this software |
32 |
|
|
* must display the following acknowledgement: |
33 |
|
|
* "This product includes cryptographic software written by |
34 |
|
|
* Eric Young (eay@cryptsoft.com)" |
35 |
|
|
* The word 'cryptographic' can be left out if the rouines from the library |
36 |
|
|
* being used are not cryptographic related :-). |
37 |
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from |
38 |
|
|
* the apps directory (application code) you must include an acknowledgement: |
39 |
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 |
|
|
* |
41 |
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 |
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 |
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 |
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 |
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 |
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 |
|
|
* SUCH DAMAGE. |
52 |
|
|
* |
53 |
|
|
* The licence and distribution terms for any publically available version or |
54 |
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be |
55 |
|
|
* copied and put under another distribution licence |
56 |
|
|
* [including the GNU Public Licence.] |
57 |
|
|
*/ |
58 |
|
|
/* ==================================================================== |
59 |
|
|
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
60 |
|
|
* |
61 |
|
|
* Redistribution and use in source and binary forms, with or without |
62 |
|
|
* modification, are permitted provided that the following conditions |
63 |
|
|
* are met: |
64 |
|
|
* |
65 |
|
|
* 1. Redistributions of source code must retain the above copyright |
66 |
|
|
* notice, this list of conditions and the following disclaimer. |
67 |
|
|
* |
68 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
69 |
|
|
* notice, this list of conditions and the following disclaimer in |
70 |
|
|
* the documentation and/or other materials provided with the |
71 |
|
|
* distribution. |
72 |
|
|
* |
73 |
|
|
* 3. All advertising materials mentioning features or use of this |
74 |
|
|
* software must display the following acknowledgment: |
75 |
|
|
* "This product includes software developed by the OpenSSL Project |
76 |
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 |
|
|
* |
78 |
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 |
|
|
* endorse or promote products derived from this software without |
80 |
|
|
* prior written permission. For written permission, please contact |
81 |
|
|
* openssl-core@openssl.org. |
82 |
|
|
* |
83 |
|
|
* 5. Products derived from this software may not be called "OpenSSL" |
84 |
|
|
* nor may "OpenSSL" appear in their names without prior written |
85 |
|
|
* permission of the OpenSSL Project. |
86 |
|
|
* |
87 |
|
|
* 6. Redistributions of any form whatsoever must retain the following |
88 |
|
|
* acknowledgment: |
89 |
|
|
* "This product includes software developed by the OpenSSL Project |
90 |
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 |
|
|
* |
92 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 |
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 |
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 |
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 |
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 |
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 |
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 |
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 |
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE. |
104 |
|
|
* ==================================================================== |
105 |
|
|
* |
106 |
|
|
* This product includes cryptographic software written by Eric Young |
107 |
|
|
* (eay@cryptsoft.com). This product includes software written by Tim |
108 |
|
|
* Hudson (tjh@cryptsoft.com). |
109 |
|
|
* |
110 |
|
|
*/ |
111 |
|
|
|
112 |
|
|
#include <openssl/err.h> |
113 |
|
|
|
114 |
|
|
#include "bn_lcl.h" |
115 |
|
|
|
116 |
|
|
static BIGNUM *euclid(BIGNUM *a, BIGNUM *b); |
117 |
|
|
|
118 |
|
|
int |
119 |
|
|
BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) |
120 |
|
|
{ |
121 |
|
|
BIGNUM *a, *b, *t; |
122 |
|
|
int ret = 0; |
123 |
|
|
|
124 |
|
|
bn_check_top(in_a); |
125 |
|
|
bn_check_top(in_b); |
126 |
|
|
|
127 |
|
|
BN_CTX_start(ctx); |
128 |
|
|
if ((a = BN_CTX_get(ctx)) == NULL) |
129 |
|
|
goto err; |
130 |
|
|
if ((b = BN_CTX_get(ctx)) == NULL) |
131 |
|
|
goto err; |
132 |
|
|
|
133 |
|
|
if (BN_copy(a, in_a) == NULL) |
134 |
|
|
goto err; |
135 |
|
|
if (BN_copy(b, in_b) == NULL) |
136 |
|
|
goto err; |
137 |
|
|
a->neg = 0; |
138 |
|
|
b->neg = 0; |
139 |
|
|
|
140 |
|
|
if (BN_cmp(a, b) < 0) { |
141 |
|
|
t = a; |
142 |
|
|
a = b; |
143 |
|
|
b = t; |
144 |
|
|
} |
145 |
|
|
t = euclid(a, b); |
146 |
|
|
if (t == NULL) |
147 |
|
|
goto err; |
148 |
|
|
|
149 |
|
|
if (BN_copy(r, t) == NULL) |
150 |
|
|
goto err; |
151 |
|
|
ret = 1; |
152 |
|
|
|
153 |
|
|
err: |
154 |
|
|
BN_CTX_end(ctx); |
155 |
|
|
bn_check_top(r); |
156 |
|
|
return (ret); |
157 |
|
|
} |
158 |
|
|
|
159 |
|
|
static BIGNUM * |
160 |
|
|
euclid(BIGNUM *a, BIGNUM *b) |
161 |
|
|
{ |
162 |
|
|
BIGNUM *t; |
163 |
|
|
int shifts = 0; |
164 |
|
|
|
165 |
|
|
bn_check_top(a); |
166 |
|
|
bn_check_top(b); |
167 |
|
|
|
168 |
|
|
/* 0 <= b <= a */ |
169 |
|
|
while (!BN_is_zero(b)) { |
170 |
|
|
/* 0 < b <= a */ |
171 |
|
|
|
172 |
|
|
if (BN_is_odd(a)) { |
173 |
|
|
if (BN_is_odd(b)) { |
174 |
|
|
if (!BN_sub(a, a, b)) |
175 |
|
|
goto err; |
176 |
|
|
if (!BN_rshift1(a, a)) |
177 |
|
|
goto err; |
178 |
|
|
if (BN_cmp(a, b) < 0) { |
179 |
|
|
t = a; |
180 |
|
|
a = b; |
181 |
|
|
b = t; |
182 |
|
|
} |
183 |
|
|
} |
184 |
|
|
else /* a odd - b even */ |
185 |
|
|
{ |
186 |
|
|
if (!BN_rshift1(b, b)) |
187 |
|
|
goto err; |
188 |
|
|
if (BN_cmp(a, b) < 0) { |
189 |
|
|
t = a; |
190 |
|
|
a = b; |
191 |
|
|
b = t; |
192 |
|
|
} |
193 |
|
|
} |
194 |
|
|
} |
195 |
|
|
else /* a is even */ |
196 |
|
|
{ |
197 |
|
|
if (BN_is_odd(b)) { |
198 |
|
|
if (!BN_rshift1(a, a)) |
199 |
|
|
goto err; |
200 |
|
|
if (BN_cmp(a, b) < 0) { |
201 |
|
|
t = a; |
202 |
|
|
a = b; |
203 |
|
|
b = t; |
204 |
|
|
} |
205 |
|
|
} |
206 |
|
|
else /* a even - b even */ |
207 |
|
|
{ |
208 |
|
|
if (!BN_rshift1(a, a)) |
209 |
|
|
goto err; |
210 |
|
|
if (!BN_rshift1(b, b)) |
211 |
|
|
goto err; |
212 |
|
|
shifts++; |
213 |
|
|
} |
214 |
|
|
} |
215 |
|
|
/* 0 <= b <= a */ |
216 |
|
|
} |
217 |
|
|
|
218 |
|
|
if (shifts) { |
219 |
|
|
if (!BN_lshift(a, a, shifts)) |
220 |
|
|
goto err; |
221 |
|
|
} |
222 |
|
|
bn_check_top(a); |
223 |
|
|
return (a); |
224 |
|
|
|
225 |
|
|
err: |
226 |
|
|
return (NULL); |
227 |
|
|
} |
228 |
|
|
|
229 |
|
|
|
230 |
|
|
/* solves ax == 1 (mod n) */ |
231 |
|
|
static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, |
232 |
|
|
const BIGNUM *n, BN_CTX *ctx); |
233 |
|
|
|
234 |
|
|
BIGNUM * |
235 |
|
|
BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) |
236 |
|
3289 |
{ |
237 |
|
3289 |
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; |
238 |
|
3289 |
BIGNUM *ret = NULL; |
239 |
|
|
int sign; |
240 |
|
|
|
241 |
✓✓✓✓
|
3289 |
if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || |
242 |
|
|
(BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) { |
243 |
|
3 |
return BN_mod_inverse_no_branch(in, a, n, ctx); |
244 |
|
|
} |
245 |
|
|
|
246 |
|
|
bn_check_top(a); |
247 |
|
|
bn_check_top(n); |
248 |
|
|
|
249 |
|
3286 |
BN_CTX_start(ctx); |
250 |
✗✓ |
3286 |
if ((A = BN_CTX_get(ctx)) == NULL) |
251 |
|
|
goto err; |
252 |
✗✓ |
3286 |
if ((B = BN_CTX_get(ctx)) == NULL) |
253 |
|
|
goto err; |
254 |
✗✓ |
3286 |
if ((X = BN_CTX_get(ctx)) == NULL) |
255 |
|
|
goto err; |
256 |
✗✓ |
3286 |
if ((D = BN_CTX_get(ctx)) == NULL) |
257 |
|
|
goto err; |
258 |
✗✓ |
3286 |
if ((M = BN_CTX_get(ctx)) == NULL) |
259 |
|
|
goto err; |
260 |
✗✓ |
3286 |
if ((Y = BN_CTX_get(ctx)) == NULL) |
261 |
|
|
goto err; |
262 |
✗✓ |
3286 |
if ((T = BN_CTX_get(ctx)) == NULL) |
263 |
|
|
goto err; |
264 |
|
|
|
265 |
✗✓ |
3286 |
if (in == NULL) |
266 |
|
|
R = BN_new(); |
267 |
|
|
else |
268 |
|
3286 |
R = in; |
269 |
✗✓ |
3286 |
if (R == NULL) |
270 |
|
|
goto err; |
271 |
|
|
|
272 |
|
3286 |
BN_one(X); |
273 |
|
3286 |
BN_zero(Y); |
274 |
✗✓ |
3286 |
if (BN_copy(B, a) == NULL) |
275 |
|
|
goto err; |
276 |
✗✓ |
3286 |
if (BN_copy(A, n) == NULL) |
277 |
|
|
goto err; |
278 |
|
3286 |
A->neg = 0; |
279 |
✓✗✓✓
|
3286 |
if (B->neg || (BN_ucmp(B, A) >= 0)) { |
280 |
✗✓ |
2093 |
if (!BN_nnmod(B, B, A, ctx)) |
281 |
|
|
goto err; |
282 |
|
|
} |
283 |
|
3286 |
sign = -1; |
284 |
|
|
/* From B = a mod |n|, A = |n| it follows that |
285 |
|
|
* |
286 |
|
|
* 0 <= B < A, |
287 |
|
|
* -sign*X*a == B (mod |n|), |
288 |
|
|
* sign*Y*a == A (mod |n|). |
289 |
|
|
*/ |
290 |
|
|
|
291 |
✓✗✓✗
✓✗ |
3286 |
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { |
292 |
|
|
/* Binary inversion algorithm; requires odd modulus. |
293 |
|
|
* This is faster than the general algorithm if the modulus |
294 |
|
|
* is sufficiently small (about 400 .. 500 bits on 32-bit |
295 |
|
|
* sytems, but much more on 64-bit systems) */ |
296 |
|
|
int shift; |
297 |
|
|
|
298 |
✓✓ |
324263 |
while (!BN_is_zero(B)) { |
299 |
|
|
/* |
300 |
|
|
* 0 < B < |n|, |
301 |
|
|
* 0 < A <= |n|, |
302 |
|
|
* (1) -sign*X*a == B (mod |n|), |
303 |
|
|
* (2) sign*Y*a == A (mod |n|) |
304 |
|
|
*/ |
305 |
|
|
|
306 |
|
|
/* Now divide B by the maximum possible power of two in the integers, |
307 |
|
|
* and divide X by the same value mod |n|. |
308 |
|
|
* When we're done, (1) still holds. */ |
309 |
|
320977 |
shift = 0; |
310 |
✓✓ |
931005 |
while (!BN_is_bit_set(B, shift)) /* note that 0 < B */ |
311 |
|
|
{ |
312 |
|
289051 |
shift++; |
313 |
|
|
|
314 |
✓✗✓✓
|
289051 |
if (BN_is_odd(X)) { |
315 |
✗✓ |
138386 |
if (!BN_uadd(X, X, n)) |
316 |
|
|
goto err; |
317 |
|
|
} |
318 |
|
|
/* now X is even, so we can easily divide it by two */ |
319 |
✗✓ |
289051 |
if (!BN_rshift1(X, X)) |
320 |
|
|
goto err; |
321 |
|
|
} |
322 |
✓✓ |
320977 |
if (shift > 0) { |
323 |
✗✓ |
156956 |
if (!BN_rshift(B, B, shift)) |
324 |
|
|
goto err; |
325 |
|
|
} |
326 |
|
|
|
327 |
|
|
|
328 |
|
|
/* Same for A and Y. Afterwards, (2) still holds. */ |
329 |
|
320977 |
shift = 0; |
330 |
✓✓ |
936597 |
while (!BN_is_bit_set(A, shift)) /* note that 0 < A */ |
331 |
|
|
{ |
332 |
|
294643 |
shift++; |
333 |
|
|
|
334 |
✓✗✓✓
|
294643 |
if (BN_is_odd(Y)) { |
335 |
✗✓ |
143352 |
if (!BN_uadd(Y, Y, n)) |
336 |
|
|
goto err; |
337 |
|
|
} |
338 |
|
|
/* now Y is even */ |
339 |
✗✓ |
294643 |
if (!BN_rshift1(Y, Y)) |
340 |
|
|
goto err; |
341 |
|
|
} |
342 |
✓✓ |
320977 |
if (shift > 0) { |
343 |
✗✓ |
162138 |
if (!BN_rshift(A, A, shift)) |
344 |
|
|
goto err; |
345 |
|
|
} |
346 |
|
|
|
347 |
|
|
|
348 |
|
|
/* We still have (1) and (2). |
349 |
|
|
* Both A and B are odd. |
350 |
|
|
* The following computations ensure that |
351 |
|
|
* |
352 |
|
|
* 0 <= B < |n|, |
353 |
|
|
* 0 < A < |n|, |
354 |
|
|
* (1) -sign*X*a == B (mod |n|), |
355 |
|
|
* (2) sign*Y*a == A (mod |n|), |
356 |
|
|
* |
357 |
|
|
* and that either A or B is even in the next iteration. |
358 |
|
|
*/ |
359 |
✓✓ |
320977 |
if (BN_ucmp(B, A) >= 0) { |
360 |
|
|
/* -sign*(X + Y)*a == B - A (mod |n|) */ |
361 |
✗✓ |
158839 |
if (!BN_uadd(X, X, Y)) |
362 |
|
|
goto err; |
363 |
|
|
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that |
364 |
|
|
* actually makes the algorithm slower */ |
365 |
✗✓ |
158839 |
if (!BN_usub(B, B, A)) |
366 |
|
|
goto err; |
367 |
|
|
} else { |
368 |
|
|
/* sign*(X + Y)*a == A - B (mod |n|) */ |
369 |
✗✓ |
162138 |
if (!BN_uadd(Y, Y, X)) |
370 |
|
|
goto err; |
371 |
|
|
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */ |
372 |
✗✓ |
162138 |
if (!BN_usub(A, A, B)) |
373 |
|
|
goto err; |
374 |
|
|
} |
375 |
|
|
} |
376 |
|
|
} else { |
377 |
|
|
/* general inversion algorithm */ |
378 |
|
|
|
379 |
|
|
while (!BN_is_zero(B)) { |
380 |
|
|
BIGNUM *tmp; |
381 |
|
|
|
382 |
|
|
/* |
383 |
|
|
* 0 < B < A, |
384 |
|
|
* (*) -sign*X*a == B (mod |n|), |
385 |
|
|
* sign*Y*a == A (mod |n|) |
386 |
|
|
*/ |
387 |
|
|
|
388 |
|
|
/* (D, M) := (A/B, A%B) ... */ |
389 |
|
|
if (BN_num_bits(A) == BN_num_bits(B)) { |
390 |
|
|
if (!BN_one(D)) |
391 |
|
|
goto err; |
392 |
|
|
if (!BN_sub(M, A, B)) |
393 |
|
|
goto err; |
394 |
|
|
} else if (BN_num_bits(A) == BN_num_bits(B) + 1) { |
395 |
|
|
/* A/B is 1, 2, or 3 */ |
396 |
|
|
if (!BN_lshift1(T, B)) |
397 |
|
|
goto err; |
398 |
|
|
if (BN_ucmp(A, T) < 0) { |
399 |
|
|
/* A < 2*B, so D=1 */ |
400 |
|
|
if (!BN_one(D)) |
401 |
|
|
goto err; |
402 |
|
|
if (!BN_sub(M, A, B)) |
403 |
|
|
goto err; |
404 |
|
|
} else { |
405 |
|
|
/* A >= 2*B, so D=2 or D=3 */ |
406 |
|
|
if (!BN_sub(M, A, T)) |
407 |
|
|
goto err; |
408 |
|
|
if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */ |
409 |
|
|
if (BN_ucmp(A, D) < 0) { |
410 |
|
|
/* A < 3*B, so D=2 */ |
411 |
|
|
if (!BN_set_word(D, 2)) |
412 |
|
|
goto err; |
413 |
|
|
/* M (= A - 2*B) already has the correct value */ |
414 |
|
|
} else { |
415 |
|
|
/* only D=3 remains */ |
416 |
|
|
if (!BN_set_word(D, 3)) |
417 |
|
|
goto err; |
418 |
|
|
/* currently M = A - 2*B, but we need M = A - 3*B */ |
419 |
|
|
if (!BN_sub(M, M, B)) |
420 |
|
|
goto err; |
421 |
|
|
} |
422 |
|
|
} |
423 |
|
|
} else { |
424 |
|
|
if (!BN_div(D, M, A, B, ctx)) |
425 |
|
|
goto err; |
426 |
|
|
} |
427 |
|
|
|
428 |
|
|
/* Now |
429 |
|
|
* A = D*B + M; |
430 |
|
|
* thus we have |
431 |
|
|
* (**) sign*Y*a == D*B + M (mod |n|). |
432 |
|
|
*/ |
433 |
|
|
tmp = A; /* keep the BIGNUM object, the value does not matter */ |
434 |
|
|
|
435 |
|
|
/* (A, B) := (B, A mod B) ... */ |
436 |
|
|
A = B; |
437 |
|
|
B = M; |
438 |
|
|
/* ... so we have 0 <= B < A again */ |
439 |
|
|
|
440 |
|
|
/* Since the former M is now B and the former B is now A, |
441 |
|
|
* (**) translates into |
442 |
|
|
* sign*Y*a == D*A + B (mod |n|), |
443 |
|
|
* i.e. |
444 |
|
|
* sign*Y*a - D*A == B (mod |n|). |
445 |
|
|
* Similarly, (*) translates into |
446 |
|
|
* -sign*X*a == A (mod |n|). |
447 |
|
|
* |
448 |
|
|
* Thus, |
449 |
|
|
* sign*Y*a + D*sign*X*a == B (mod |n|), |
450 |
|
|
* i.e. |
451 |
|
|
* sign*(Y + D*X)*a == B (mod |n|). |
452 |
|
|
* |
453 |
|
|
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at |
454 |
|
|
* -sign*X*a == B (mod |n|), |
455 |
|
|
* sign*Y*a == A (mod |n|). |
456 |
|
|
* Note that X and Y stay non-negative all the time. |
457 |
|
|
*/ |
458 |
|
|
|
459 |
|
|
/* most of the time D is very small, so we can optimize tmp := D*X+Y */ |
460 |
|
|
if (BN_is_one(D)) { |
461 |
|
|
if (!BN_add(tmp, X, Y)) |
462 |
|
|
goto err; |
463 |
|
|
} else { |
464 |
|
|
if (BN_is_word(D, 2)) { |
465 |
|
|
if (!BN_lshift1(tmp, X)) |
466 |
|
|
goto err; |
467 |
|
|
} else if (BN_is_word(D, 4)) { |
468 |
|
|
if (!BN_lshift(tmp, X, 2)) |
469 |
|
|
goto err; |
470 |
|
|
} else if (D->top == 1) { |
471 |
|
|
if (!BN_copy(tmp, X)) |
472 |
|
|
goto err; |
473 |
|
|
if (!BN_mul_word(tmp, D->d[0])) |
474 |
|
|
goto err; |
475 |
|
|
} else { |
476 |
|
|
if (!BN_mul(tmp, D,X, ctx)) |
477 |
|
|
goto err; |
478 |
|
|
} |
479 |
|
|
if (!BN_add(tmp, tmp, Y)) |
480 |
|
|
goto err; |
481 |
|
|
} |
482 |
|
|
|
483 |
|
|
M = Y; /* keep the BIGNUM object, the value does not matter */ |
484 |
|
|
Y = X; |
485 |
|
|
X = tmp; |
486 |
|
|
sign = -sign; |
487 |
|
|
} |
488 |
|
|
} |
489 |
|
|
|
490 |
|
|
/* |
491 |
|
|
* The while loop (Euclid's algorithm) ends when |
492 |
|
|
* A == gcd(a,n); |
493 |
|
|
* we have |
494 |
|
|
* sign*Y*a == A (mod |n|), |
495 |
|
|
* where Y is non-negative. |
496 |
|
|
*/ |
497 |
|
|
|
498 |
✓✗ |
3286 |
if (sign < 0) { |
499 |
✗✓ |
3286 |
if (!BN_sub(Y, n, Y)) |
500 |
|
|
goto err; |
501 |
|
|
} |
502 |
|
|
/* Now Y*a == A (mod |n|). */ |
503 |
|
|
|
504 |
✓✗✓✗
✓✗ |
3286 |
if (BN_is_one(A)) { |
505 |
|
|
/* Y*a == 1 (mod |n|) */ |
506 |
✓✓✓✓
|
3286 |
if (!Y->neg && BN_ucmp(Y, n) < 0) { |
507 |
✗✓ |
1497 |
if (!BN_copy(R, Y)) |
508 |
|
|
goto err; |
509 |
|
|
} else { |
510 |
✗✓ |
1789 |
if (!BN_nnmod(R, Y,n, ctx)) |
511 |
|
|
goto err; |
512 |
|
|
} |
513 |
|
|
} else { |
514 |
|
|
BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE); |
515 |
|
|
goto err; |
516 |
|
|
} |
517 |
|
3286 |
ret = R; |
518 |
|
|
|
519 |
|
3286 |
err: |
520 |
✗✓ |
3286 |
if ((ret == NULL) && (in == NULL)) |
521 |
|
|
BN_free(R); |
522 |
|
3286 |
BN_CTX_end(ctx); |
523 |
|
|
bn_check_top(ret); |
524 |
|
3286 |
return (ret); |
525 |
|
|
} |
526 |
|
|
|
527 |
|
|
|
528 |
|
|
/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse. |
529 |
|
|
* It does not contain branches that may leak sensitive information. |
530 |
|
|
*/ |
531 |
|
|
static BIGNUM * |
532 |
|
|
BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, |
533 |
|
|
BN_CTX *ctx) |
534 |
|
3 |
{ |
535 |
|
3 |
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; |
536 |
|
|
BIGNUM local_A, local_B; |
537 |
|
|
BIGNUM *pA, *pB; |
538 |
|
3 |
BIGNUM *ret = NULL; |
539 |
|
|
int sign; |
540 |
|
|
|
541 |
|
|
bn_check_top(a); |
542 |
|
|
bn_check_top(n); |
543 |
|
|
|
544 |
|
3 |
BN_CTX_start(ctx); |
545 |
✗✓ |
3 |
if ((A = BN_CTX_get(ctx)) == NULL) |
546 |
|
|
goto err; |
547 |
✗✓ |
3 |
if ((B = BN_CTX_get(ctx)) == NULL) |
548 |
|
|
goto err; |
549 |
✗✓ |
3 |
if ((X = BN_CTX_get(ctx)) == NULL) |
550 |
|
|
goto err; |
551 |
✗✓ |
3 |
if ((D = BN_CTX_get(ctx)) == NULL) |
552 |
|
|
goto err; |
553 |
✗✓ |
3 |
if ((M = BN_CTX_get(ctx)) == NULL) |
554 |
|
|
goto err; |
555 |
✗✓ |
3 |
if ((Y = BN_CTX_get(ctx)) == NULL) |
556 |
|
|
goto err; |
557 |
✗✓ |
3 |
if ((T = BN_CTX_get(ctx)) == NULL) |
558 |
|
|
goto err; |
559 |
|
|
|
560 |
✓✓ |
3 |
if (in == NULL) |
561 |
|
2 |
R = BN_new(); |
562 |
|
|
else |
563 |
|
1 |
R = in; |
564 |
✗✓ |
3 |
if (R == NULL) |
565 |
|
|
goto err; |
566 |
|
|
|
567 |
|
3 |
BN_one(X); |
568 |
|
3 |
BN_zero(Y); |
569 |
✗✓ |
3 |
if (BN_copy(B, a) == NULL) |
570 |
|
|
goto err; |
571 |
✗✓ |
3 |
if (BN_copy(A, n) == NULL) |
572 |
|
|
goto err; |
573 |
|
3 |
A->neg = 0; |
574 |
|
|
|
575 |
✓✗✓✓
|
3 |
if (B->neg || (BN_ucmp(B, A) >= 0)) { |
576 |
|
|
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, |
577 |
|
|
* BN_div_no_branch will be called eventually. |
578 |
|
|
*/ |
579 |
|
2 |
pB = &local_B; |
580 |
|
2 |
BN_with_flags(pB, B, BN_FLG_CONSTTIME); |
581 |
✗✓ |
2 |
if (!BN_nnmod(B, pB, A, ctx)) |
582 |
|
|
goto err; |
583 |
|
|
} |
584 |
|
3 |
sign = -1; |
585 |
|
|
/* From B = a mod |n|, A = |n| it follows that |
586 |
|
|
* |
587 |
|
|
* 0 <= B < A, |
588 |
|
|
* -sign*X*a == B (mod |n|), |
589 |
|
|
* sign*Y*a == A (mod |n|). |
590 |
|
|
*/ |
591 |
|
|
|
592 |
✓✓ |
1387 |
while (!BN_is_zero(B)) { |
593 |
|
|
BIGNUM *tmp; |
594 |
|
|
|
595 |
|
|
/* |
596 |
|
|
* 0 < B < A, |
597 |
|
|
* (*) -sign*X*a == B (mod |n|), |
598 |
|
|
* sign*Y*a == A (mod |n|) |
599 |
|
|
*/ |
600 |
|
|
|
601 |
|
|
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, |
602 |
|
|
* BN_div_no_branch will be called eventually. |
603 |
|
|
*/ |
604 |
|
1381 |
pA = &local_A; |
605 |
|
1381 |
BN_with_flags(pA, A, BN_FLG_CONSTTIME); |
606 |
|
|
|
607 |
|
|
/* (D, M) := (A/B, A%B) ... */ |
608 |
✗✓ |
1381 |
if (!BN_div(D, M, pA, B, ctx)) |
609 |
|
|
goto err; |
610 |
|
|
|
611 |
|
|
/* Now |
612 |
|
|
* A = D*B + M; |
613 |
|
|
* thus we have |
614 |
|
|
* (**) sign*Y*a == D*B + M (mod |n|). |
615 |
|
|
*/ |
616 |
|
1381 |
tmp = A; /* keep the BIGNUM object, the value does not matter */ |
617 |
|
|
|
618 |
|
|
/* (A, B) := (B, A mod B) ... */ |
619 |
|
1381 |
A = B; |
620 |
|
1381 |
B = M; |
621 |
|
|
/* ... so we have 0 <= B < A again */ |
622 |
|
|
|
623 |
|
|
/* Since the former M is now B and the former B is now A, |
624 |
|
|
* (**) translates into |
625 |
|
|
* sign*Y*a == D*A + B (mod |n|), |
626 |
|
|
* i.e. |
627 |
|
|
* sign*Y*a - D*A == B (mod |n|). |
628 |
|
|
* Similarly, (*) translates into |
629 |
|
|
* -sign*X*a == A (mod |n|). |
630 |
|
|
* |
631 |
|
|
* Thus, |
632 |
|
|
* sign*Y*a + D*sign*X*a == B (mod |n|), |
633 |
|
|
* i.e. |
634 |
|
|
* sign*(Y + D*X)*a == B (mod |n|). |
635 |
|
|
* |
636 |
|
|
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at |
637 |
|
|
* -sign*X*a == B (mod |n|), |
638 |
|
|
* sign*Y*a == A (mod |n|). |
639 |
|
|
* Note that X and Y stay non-negative all the time. |
640 |
|
|
*/ |
641 |
|
|
|
642 |
✗✓ |
1381 |
if (!BN_mul(tmp, D, X, ctx)) |
643 |
|
|
goto err; |
644 |
✗✓ |
1381 |
if (!BN_add(tmp, tmp, Y)) |
645 |
|
|
goto err; |
646 |
|
|
|
647 |
|
1381 |
M = Y; /* keep the BIGNUM object, the value does not matter */ |
648 |
|
1381 |
Y = X; |
649 |
|
1381 |
X = tmp; |
650 |
|
1381 |
sign = -sign; |
651 |
|
|
} |
652 |
|
|
|
653 |
|
|
/* |
654 |
|
|
* The while loop (Euclid's algorithm) ends when |
655 |
|
|
* A == gcd(a,n); |
656 |
|
|
* we have |
657 |
|
|
* sign*Y*a == A (mod |n|), |
658 |
|
|
* where Y is non-negative. |
659 |
|
|
*/ |
660 |
|
|
|
661 |
✗✓ |
3 |
if (sign < 0) { |
662 |
|
|
if (!BN_sub(Y, n, Y)) |
663 |
|
|
goto err; |
664 |
|
|
} |
665 |
|
|
/* Now Y*a == A (mod |n|). */ |
666 |
|
|
|
667 |
✓✗✓✗
✓✗ |
3 |
if (BN_is_one(A)) { |
668 |
|
|
/* Y*a == 1 (mod |n|) */ |
669 |
✓✗✓✗
|
3 |
if (!Y->neg && BN_ucmp(Y, n) < 0) { |
670 |
✗✓ |
3 |
if (!BN_copy(R, Y)) |
671 |
|
|
goto err; |
672 |
|
|
} else { |
673 |
|
|
if (!BN_nnmod(R, Y, n, ctx)) |
674 |
|
|
goto err; |
675 |
|
|
} |
676 |
|
|
} else { |
677 |
|
|
BNerr(BN_F_BN_MOD_INVERSE_NO_BRANCH, BN_R_NO_INVERSE); |
678 |
|
|
goto err; |
679 |
|
|
} |
680 |
|
3 |
ret = R; |
681 |
|
|
|
682 |
|
3 |
err: |
683 |
✗✓ |
3 |
if ((ret == NULL) && (in == NULL)) |
684 |
|
|
BN_free(R); |
685 |
|
3 |
BN_CTX_end(ctx); |
686 |
|
|
bn_check_top(ret); |
687 |
|
3 |
return (ret); |
688 |
|
|
} |