1 |
|
|
/* $OpenBSD: bn_gcd.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ |
2 |
|
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 |
|
|
* All rights reserved. |
4 |
|
|
* |
5 |
|
|
* This package is an SSL implementation written |
6 |
|
|
* by Eric Young (eay@cryptsoft.com). |
7 |
|
|
* The implementation was written so as to conform with Netscapes SSL. |
8 |
|
|
* |
9 |
|
|
* This library is free for commercial and non-commercial use as long as |
10 |
|
|
* the following conditions are aheared to. The following conditions |
11 |
|
|
* apply to all code found in this distribution, be it the RC4, RSA, |
12 |
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 |
|
|
* included with this distribution is covered by the same copyright terms |
14 |
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 |
|
|
* |
16 |
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in |
17 |
|
|
* the code are not to be removed. |
18 |
|
|
* If this package is used in a product, Eric Young should be given attribution |
19 |
|
|
* as the author of the parts of the library used. |
20 |
|
|
* This can be in the form of a textual message at program startup or |
21 |
|
|
* in documentation (online or textual) provided with the package. |
22 |
|
|
* |
23 |
|
|
* Redistribution and use in source and binary forms, with or without |
24 |
|
|
* modification, are permitted provided that the following conditions |
25 |
|
|
* are met: |
26 |
|
|
* 1. Redistributions of source code must retain the copyright |
27 |
|
|
* notice, this list of conditions and the following disclaimer. |
28 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
29 |
|
|
* notice, this list of conditions and the following disclaimer in the |
30 |
|
|
* documentation and/or other materials provided with the distribution. |
31 |
|
|
* 3. All advertising materials mentioning features or use of this software |
32 |
|
|
* must display the following acknowledgement: |
33 |
|
|
* "This product includes cryptographic software written by |
34 |
|
|
* Eric Young (eay@cryptsoft.com)" |
35 |
|
|
* The word 'cryptographic' can be left out if the rouines from the library |
36 |
|
|
* being used are not cryptographic related :-). |
37 |
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from |
38 |
|
|
* the apps directory (application code) you must include an acknowledgement: |
39 |
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 |
|
|
* |
41 |
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 |
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 |
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 |
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 |
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 |
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 |
|
|
* SUCH DAMAGE. |
52 |
|
|
* |
53 |
|
|
* The licence and distribution terms for any publically available version or |
54 |
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be |
55 |
|
|
* copied and put under another distribution licence |
56 |
|
|
* [including the GNU Public Licence.] |
57 |
|
|
*/ |
58 |
|
|
/* ==================================================================== |
59 |
|
|
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
60 |
|
|
* |
61 |
|
|
* Redistribution and use in source and binary forms, with or without |
62 |
|
|
* modification, are permitted provided that the following conditions |
63 |
|
|
* are met: |
64 |
|
|
* |
65 |
|
|
* 1. Redistributions of source code must retain the above copyright |
66 |
|
|
* notice, this list of conditions and the following disclaimer. |
67 |
|
|
* |
68 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
69 |
|
|
* notice, this list of conditions and the following disclaimer in |
70 |
|
|
* the documentation and/or other materials provided with the |
71 |
|
|
* distribution. |
72 |
|
|
* |
73 |
|
|
* 3. All advertising materials mentioning features or use of this |
74 |
|
|
* software must display the following acknowledgment: |
75 |
|
|
* "This product includes software developed by the OpenSSL Project |
76 |
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 |
|
|
* |
78 |
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 |
|
|
* endorse or promote products derived from this software without |
80 |
|
|
* prior written permission. For written permission, please contact |
81 |
|
|
* openssl-core@openssl.org. |
82 |
|
|
* |
83 |
|
|
* 5. Products derived from this software may not be called "OpenSSL" |
84 |
|
|
* nor may "OpenSSL" appear in their names without prior written |
85 |
|
|
* permission of the OpenSSL Project. |
86 |
|
|
* |
87 |
|
|
* 6. Redistributions of any form whatsoever must retain the following |
88 |
|
|
* acknowledgment: |
89 |
|
|
* "This product includes software developed by the OpenSSL Project |
90 |
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 |
|
|
* |
92 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 |
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 |
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 |
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 |
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 |
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 |
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 |
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 |
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE. |
104 |
|
|
* ==================================================================== |
105 |
|
|
* |
106 |
|
|
* This product includes cryptographic software written by Eric Young |
107 |
|
|
* (eay@cryptsoft.com). This product includes software written by Tim |
108 |
|
|
* Hudson (tjh@cryptsoft.com). |
109 |
|
|
* |
110 |
|
|
*/ |
111 |
|
|
|
112 |
|
|
#include <openssl/err.h> |
113 |
|
|
|
114 |
|
|
#include "bn_lcl.h" |
115 |
|
|
|
116 |
|
|
static BIGNUM *euclid(BIGNUM *a, BIGNUM *b); |
117 |
|
|
static BIGNUM *BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, |
118 |
|
|
BN_CTX *ctx); |
119 |
|
|
|
120 |
|
|
int |
121 |
|
|
BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) |
122 |
|
|
{ |
123 |
|
|
BIGNUM *a, *b, *t; |
124 |
|
|
int ret = 0; |
125 |
|
|
|
126 |
|
|
bn_check_top(in_a); |
127 |
|
|
bn_check_top(in_b); |
128 |
|
|
|
129 |
|
|
BN_CTX_start(ctx); |
130 |
|
|
if ((a = BN_CTX_get(ctx)) == NULL) |
131 |
|
|
goto err; |
132 |
|
|
if ((b = BN_CTX_get(ctx)) == NULL) |
133 |
|
|
goto err; |
134 |
|
|
|
135 |
|
|
if (BN_copy(a, in_a) == NULL) |
136 |
|
|
goto err; |
137 |
|
|
if (BN_copy(b, in_b) == NULL) |
138 |
|
|
goto err; |
139 |
|
|
a->neg = 0; |
140 |
|
|
b->neg = 0; |
141 |
|
|
|
142 |
|
|
if (BN_cmp(a, b) < 0) { |
143 |
|
|
t = a; |
144 |
|
|
a = b; |
145 |
|
|
b = t; |
146 |
|
|
} |
147 |
|
|
t = euclid(a, b); |
148 |
|
|
if (t == NULL) |
149 |
|
|
goto err; |
150 |
|
|
|
151 |
|
|
if (BN_copy(r, t) == NULL) |
152 |
|
|
goto err; |
153 |
|
|
ret = 1; |
154 |
|
|
|
155 |
|
|
err: |
156 |
|
|
BN_CTX_end(ctx); |
157 |
|
|
bn_check_top(r); |
158 |
|
|
return (ret); |
159 |
|
|
} |
160 |
|
|
|
161 |
|
|
int |
162 |
|
|
BN_gcd_ct(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) |
163 |
|
|
{ |
164 |
✗✓ |
164 |
if (BN_gcd_no_branch(r, in_a, in_b, ctx) == NULL) |
165 |
|
|
return 0; |
166 |
|
82 |
return 1; |
167 |
|
82 |
} |
168 |
|
|
|
169 |
|
|
int |
170 |
|
|
BN_gcd_nonct(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) |
171 |
|
|
{ |
172 |
|
|
return BN_gcd(r, in_a, in_b, ctx); |
173 |
|
|
} |
174 |
|
|
|
175 |
|
|
|
176 |
|
|
static BIGNUM * |
177 |
|
|
euclid(BIGNUM *a, BIGNUM *b) |
178 |
|
|
{ |
179 |
|
|
BIGNUM *t; |
180 |
|
|
int shifts = 0; |
181 |
|
|
|
182 |
|
|
bn_check_top(a); |
183 |
|
|
bn_check_top(b); |
184 |
|
|
|
185 |
|
|
/* 0 <= b <= a */ |
186 |
|
|
while (!BN_is_zero(b)) { |
187 |
|
|
/* 0 < b <= a */ |
188 |
|
|
|
189 |
|
|
if (BN_is_odd(a)) { |
190 |
|
|
if (BN_is_odd(b)) { |
191 |
|
|
if (!BN_sub(a, a, b)) |
192 |
|
|
goto err; |
193 |
|
|
if (!BN_rshift1(a, a)) |
194 |
|
|
goto err; |
195 |
|
|
if (BN_cmp(a, b) < 0) { |
196 |
|
|
t = a; |
197 |
|
|
a = b; |
198 |
|
|
b = t; |
199 |
|
|
} |
200 |
|
|
} |
201 |
|
|
else /* a odd - b even */ |
202 |
|
|
{ |
203 |
|
|
if (!BN_rshift1(b, b)) |
204 |
|
|
goto err; |
205 |
|
|
if (BN_cmp(a, b) < 0) { |
206 |
|
|
t = a; |
207 |
|
|
a = b; |
208 |
|
|
b = t; |
209 |
|
|
} |
210 |
|
|
} |
211 |
|
|
} |
212 |
|
|
else /* a is even */ |
213 |
|
|
{ |
214 |
|
|
if (BN_is_odd(b)) { |
215 |
|
|
if (!BN_rshift1(a, a)) |
216 |
|
|
goto err; |
217 |
|
|
if (BN_cmp(a, b) < 0) { |
218 |
|
|
t = a; |
219 |
|
|
a = b; |
220 |
|
|
b = t; |
221 |
|
|
} |
222 |
|
|
} |
223 |
|
|
else /* a even - b even */ |
224 |
|
|
{ |
225 |
|
|
if (!BN_rshift1(a, a)) |
226 |
|
|
goto err; |
227 |
|
|
if (!BN_rshift1(b, b)) |
228 |
|
|
goto err; |
229 |
|
|
shifts++; |
230 |
|
|
} |
231 |
|
|
} |
232 |
|
|
/* 0 <= b <= a */ |
233 |
|
|
} |
234 |
|
|
|
235 |
|
|
if (shifts) { |
236 |
|
|
if (!BN_lshift(a, a, shifts)) |
237 |
|
|
goto err; |
238 |
|
|
} |
239 |
|
|
bn_check_top(a); |
240 |
|
|
return (a); |
241 |
|
|
|
242 |
|
|
err: |
243 |
|
|
return (NULL); |
244 |
|
|
} |
245 |
|
|
|
246 |
|
|
|
247 |
|
|
/* solves ax == 1 (mod n) */ |
248 |
|
|
static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, |
249 |
|
|
const BIGNUM *n, BN_CTX *ctx); |
250 |
|
|
|
251 |
|
|
static BIGNUM * |
252 |
|
|
BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, |
253 |
|
|
int ct) |
254 |
|
|
{ |
255 |
|
|
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; |
256 |
|
|
BIGNUM *ret = NULL; |
257 |
|
|
int sign; |
258 |
|
|
|
259 |
✓✗ |
110324 |
if (ct) |
260 |
|
55162 |
return BN_mod_inverse_no_branch(in, a, n, ctx); |
261 |
|
|
|
262 |
|
|
bn_check_top(a); |
263 |
|
|
bn_check_top(n); |
264 |
|
|
|
265 |
|
|
BN_CTX_start(ctx); |
266 |
|
|
if ((A = BN_CTX_get(ctx)) == NULL) |
267 |
|
|
goto err; |
268 |
|
|
if ((B = BN_CTX_get(ctx)) == NULL) |
269 |
|
|
goto err; |
270 |
|
|
if ((X = BN_CTX_get(ctx)) == NULL) |
271 |
|
|
goto err; |
272 |
|
|
if ((D = BN_CTX_get(ctx)) == NULL) |
273 |
|
|
goto err; |
274 |
|
|
if ((M = BN_CTX_get(ctx)) == NULL) |
275 |
|
|
goto err; |
276 |
|
|
if ((Y = BN_CTX_get(ctx)) == NULL) |
277 |
|
|
goto err; |
278 |
|
|
if ((T = BN_CTX_get(ctx)) == NULL) |
279 |
|
|
goto err; |
280 |
|
|
|
281 |
|
|
if (in == NULL) |
282 |
|
|
R = BN_new(); |
283 |
|
|
else |
284 |
|
|
R = in; |
285 |
|
|
if (R == NULL) |
286 |
|
|
goto err; |
287 |
|
|
|
288 |
|
|
BN_one(X); |
289 |
|
|
BN_zero(Y); |
290 |
|
|
if (BN_copy(B, a) == NULL) |
291 |
|
|
goto err; |
292 |
|
|
if (BN_copy(A, n) == NULL) |
293 |
|
|
goto err; |
294 |
|
|
A->neg = 0; |
295 |
|
|
if (B->neg || (BN_ucmp(B, A) >= 0)) { |
296 |
|
|
if (!BN_nnmod(B, B, A, ctx)) |
297 |
|
|
goto err; |
298 |
|
|
} |
299 |
|
|
sign = -1; |
300 |
|
|
/* From B = a mod |n|, A = |n| it follows that |
301 |
|
|
* |
302 |
|
|
* 0 <= B < A, |
303 |
|
|
* -sign*X*a == B (mod |n|), |
304 |
|
|
* sign*Y*a == A (mod |n|). |
305 |
|
|
*/ |
306 |
|
|
|
307 |
|
|
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { |
308 |
|
|
/* Binary inversion algorithm; requires odd modulus. |
309 |
|
|
* This is faster than the general algorithm if the modulus |
310 |
|
|
* is sufficiently small (about 400 .. 500 bits on 32-bit |
311 |
|
|
* sytems, but much more on 64-bit systems) */ |
312 |
|
|
int shift; |
313 |
|
|
|
314 |
|
|
while (!BN_is_zero(B)) { |
315 |
|
|
/* |
316 |
|
|
* 0 < B < |n|, |
317 |
|
|
* 0 < A <= |n|, |
318 |
|
|
* (1) -sign*X*a == B (mod |n|), |
319 |
|
|
* (2) sign*Y*a == A (mod |n|) |
320 |
|
|
*/ |
321 |
|
|
|
322 |
|
|
/* Now divide B by the maximum possible power of two in the integers, |
323 |
|
|
* and divide X by the same value mod |n|. |
324 |
|
|
* When we're done, (1) still holds. */ |
325 |
|
|
shift = 0; |
326 |
|
|
while (!BN_is_bit_set(B, shift)) /* note that 0 < B */ |
327 |
|
|
{ |
328 |
|
|
shift++; |
329 |
|
|
|
330 |
|
|
if (BN_is_odd(X)) { |
331 |
|
|
if (!BN_uadd(X, X, n)) |
332 |
|
|
goto err; |
333 |
|
|
} |
334 |
|
|
/* now X is even, so we can easily divide it by two */ |
335 |
|
|
if (!BN_rshift1(X, X)) |
336 |
|
|
goto err; |
337 |
|
|
} |
338 |
|
|
if (shift > 0) { |
339 |
|
|
if (!BN_rshift(B, B, shift)) |
340 |
|
|
goto err; |
341 |
|
|
} |
342 |
|
|
|
343 |
|
|
|
344 |
|
|
/* Same for A and Y. Afterwards, (2) still holds. */ |
345 |
|
|
shift = 0; |
346 |
|
|
while (!BN_is_bit_set(A, shift)) /* note that 0 < A */ |
347 |
|
|
{ |
348 |
|
|
shift++; |
349 |
|
|
|
350 |
|
|
if (BN_is_odd(Y)) { |
351 |
|
|
if (!BN_uadd(Y, Y, n)) |
352 |
|
|
goto err; |
353 |
|
|
} |
354 |
|
|
/* now Y is even */ |
355 |
|
|
if (!BN_rshift1(Y, Y)) |
356 |
|
|
goto err; |
357 |
|
|
} |
358 |
|
|
if (shift > 0) { |
359 |
|
|
if (!BN_rshift(A, A, shift)) |
360 |
|
|
goto err; |
361 |
|
|
} |
362 |
|
|
|
363 |
|
|
|
364 |
|
|
/* We still have (1) and (2). |
365 |
|
|
* Both A and B are odd. |
366 |
|
|
* The following computations ensure that |
367 |
|
|
* |
368 |
|
|
* 0 <= B < |n|, |
369 |
|
|
* 0 < A < |n|, |
370 |
|
|
* (1) -sign*X*a == B (mod |n|), |
371 |
|
|
* (2) sign*Y*a == A (mod |n|), |
372 |
|
|
* |
373 |
|
|
* and that either A or B is even in the next iteration. |
374 |
|
|
*/ |
375 |
|
|
if (BN_ucmp(B, A) >= 0) { |
376 |
|
|
/* -sign*(X + Y)*a == B - A (mod |n|) */ |
377 |
|
|
if (!BN_uadd(X, X, Y)) |
378 |
|
|
goto err; |
379 |
|
|
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that |
380 |
|
|
* actually makes the algorithm slower */ |
381 |
|
|
if (!BN_usub(B, B, A)) |
382 |
|
|
goto err; |
383 |
|
|
} else { |
384 |
|
|
/* sign*(X + Y)*a == A - B (mod |n|) */ |
385 |
|
|
if (!BN_uadd(Y, Y, X)) |
386 |
|
|
goto err; |
387 |
|
|
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */ |
388 |
|
|
if (!BN_usub(A, A, B)) |
389 |
|
|
goto err; |
390 |
|
|
} |
391 |
|
|
} |
392 |
|
|
} else { |
393 |
|
|
/* general inversion algorithm */ |
394 |
|
|
|
395 |
|
|
while (!BN_is_zero(B)) { |
396 |
|
|
BIGNUM *tmp; |
397 |
|
|
|
398 |
|
|
/* |
399 |
|
|
* 0 < B < A, |
400 |
|
|
* (*) -sign*X*a == B (mod |n|), |
401 |
|
|
* sign*Y*a == A (mod |n|) |
402 |
|
|
*/ |
403 |
|
|
|
404 |
|
|
/* (D, M) := (A/B, A%B) ... */ |
405 |
|
|
if (BN_num_bits(A) == BN_num_bits(B)) { |
406 |
|
|
if (!BN_one(D)) |
407 |
|
|
goto err; |
408 |
|
|
if (!BN_sub(M, A, B)) |
409 |
|
|
goto err; |
410 |
|
|
} else if (BN_num_bits(A) == BN_num_bits(B) + 1) { |
411 |
|
|
/* A/B is 1, 2, or 3 */ |
412 |
|
|
if (!BN_lshift1(T, B)) |
413 |
|
|
goto err; |
414 |
|
|
if (BN_ucmp(A, T) < 0) { |
415 |
|
|
/* A < 2*B, so D=1 */ |
416 |
|
|
if (!BN_one(D)) |
417 |
|
|
goto err; |
418 |
|
|
if (!BN_sub(M, A, B)) |
419 |
|
|
goto err; |
420 |
|
|
} else { |
421 |
|
|
/* A >= 2*B, so D=2 or D=3 */ |
422 |
|
|
if (!BN_sub(M, A, T)) |
423 |
|
|
goto err; |
424 |
|
|
if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */ |
425 |
|
|
if (BN_ucmp(A, D) < 0) { |
426 |
|
|
/* A < 3*B, so D=2 */ |
427 |
|
|
if (!BN_set_word(D, 2)) |
428 |
|
|
goto err; |
429 |
|
|
/* M (= A - 2*B) already has the correct value */ |
430 |
|
|
} else { |
431 |
|
|
/* only D=3 remains */ |
432 |
|
|
if (!BN_set_word(D, 3)) |
433 |
|
|
goto err; |
434 |
|
|
/* currently M = A - 2*B, but we need M = A - 3*B */ |
435 |
|
|
if (!BN_sub(M, M, B)) |
436 |
|
|
goto err; |
437 |
|
|
} |
438 |
|
|
} |
439 |
|
|
} else { |
440 |
|
|
if (!BN_div_nonct(D, M, A, B, ctx)) |
441 |
|
|
goto err; |
442 |
|
|
} |
443 |
|
|
|
444 |
|
|
/* Now |
445 |
|
|
* A = D*B + M; |
446 |
|
|
* thus we have |
447 |
|
|
* (**) sign*Y*a == D*B + M (mod |n|). |
448 |
|
|
*/ |
449 |
|
|
tmp = A; /* keep the BIGNUM object, the value does not matter */ |
450 |
|
|
|
451 |
|
|
/* (A, B) := (B, A mod B) ... */ |
452 |
|
|
A = B; |
453 |
|
|
B = M; |
454 |
|
|
/* ... so we have 0 <= B < A again */ |
455 |
|
|
|
456 |
|
|
/* Since the former M is now B and the former B is now A, |
457 |
|
|
* (**) translates into |
458 |
|
|
* sign*Y*a == D*A + B (mod |n|), |
459 |
|
|
* i.e. |
460 |
|
|
* sign*Y*a - D*A == B (mod |n|). |
461 |
|
|
* Similarly, (*) translates into |
462 |
|
|
* -sign*X*a == A (mod |n|). |
463 |
|
|
* |
464 |
|
|
* Thus, |
465 |
|
|
* sign*Y*a + D*sign*X*a == B (mod |n|), |
466 |
|
|
* i.e. |
467 |
|
|
* sign*(Y + D*X)*a == B (mod |n|). |
468 |
|
|
* |
469 |
|
|
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at |
470 |
|
|
* -sign*X*a == B (mod |n|), |
471 |
|
|
* sign*Y*a == A (mod |n|). |
472 |
|
|
* Note that X and Y stay non-negative all the time. |
473 |
|
|
*/ |
474 |
|
|
|
475 |
|
|
/* most of the time D is very small, so we can optimize tmp := D*X+Y */ |
476 |
|
|
if (BN_is_one(D)) { |
477 |
|
|
if (!BN_add(tmp, X, Y)) |
478 |
|
|
goto err; |
479 |
|
|
} else { |
480 |
|
|
if (BN_is_word(D, 2)) { |
481 |
|
|
if (!BN_lshift1(tmp, X)) |
482 |
|
|
goto err; |
483 |
|
|
} else if (BN_is_word(D, 4)) { |
484 |
|
|
if (!BN_lshift(tmp, X, 2)) |
485 |
|
|
goto err; |
486 |
|
|
} else if (D->top == 1) { |
487 |
|
|
if (!BN_copy(tmp, X)) |
488 |
|
|
goto err; |
489 |
|
|
if (!BN_mul_word(tmp, D->d[0])) |
490 |
|
|
goto err; |
491 |
|
|
} else { |
492 |
|
|
if (!BN_mul(tmp, D,X, ctx)) |
493 |
|
|
goto err; |
494 |
|
|
} |
495 |
|
|
if (!BN_add(tmp, tmp, Y)) |
496 |
|
|
goto err; |
497 |
|
|
} |
498 |
|
|
|
499 |
|
|
M = Y; /* keep the BIGNUM object, the value does not matter */ |
500 |
|
|
Y = X; |
501 |
|
|
X = tmp; |
502 |
|
|
sign = -sign; |
503 |
|
|
} |
504 |
|
|
} |
505 |
|
|
|
506 |
|
|
/* |
507 |
|
|
* The while loop (Euclid's algorithm) ends when |
508 |
|
|
* A == gcd(a,n); |
509 |
|
|
* we have |
510 |
|
|
* sign*Y*a == A (mod |n|), |
511 |
|
|
* where Y is non-negative. |
512 |
|
|
*/ |
513 |
|
|
|
514 |
|
|
if (sign < 0) { |
515 |
|
|
if (!BN_sub(Y, n, Y)) |
516 |
|
|
goto err; |
517 |
|
|
} |
518 |
|
|
/* Now Y*a == A (mod |n|). */ |
519 |
|
|
|
520 |
|
|
if (BN_is_one(A)) { |
521 |
|
|
/* Y*a == 1 (mod |n|) */ |
522 |
|
|
if (!Y->neg && BN_ucmp(Y, n) < 0) { |
523 |
|
|
if (!BN_copy(R, Y)) |
524 |
|
|
goto err; |
525 |
|
|
} else { |
526 |
|
|
if (!BN_nnmod(R, Y,n, ctx)) |
527 |
|
|
goto err; |
528 |
|
|
} |
529 |
|
|
} else { |
530 |
|
|
BNerror(BN_R_NO_INVERSE); |
531 |
|
|
goto err; |
532 |
|
|
} |
533 |
|
|
ret = R; |
534 |
|
|
|
535 |
|
|
err: |
536 |
|
|
if ((ret == NULL) && (in == NULL)) |
537 |
|
|
BN_free(R); |
538 |
|
|
BN_CTX_end(ctx); |
539 |
|
|
bn_check_top(ret); |
540 |
|
|
return (ret); |
541 |
|
55162 |
} |
542 |
|
|
|
543 |
|
|
BIGNUM * |
544 |
|
|
BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) |
545 |
|
|
{ |
546 |
|
|
int ct = ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || |
547 |
|
|
(BN_get_flags(n, BN_FLG_CONSTTIME) != 0)); |
548 |
|
|
return BN_mod_inverse_internal(in, a, n, ctx, ct); |
549 |
|
|
} |
550 |
|
|
|
551 |
|
|
BIGNUM * |
552 |
|
|
BN_mod_inverse_nonct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) |
553 |
|
|
{ |
554 |
|
|
return BN_mod_inverse_internal(in, a, n, ctx, 0); |
555 |
|
|
} |
556 |
|
|
|
557 |
|
|
BIGNUM * |
558 |
|
|
BN_mod_inverse_ct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) |
559 |
|
|
{ |
560 |
|
110324 |
return BN_mod_inverse_internal(in, a, n, ctx, 1); |
561 |
|
|
} |
562 |
|
|
|
563 |
|
|
/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse. |
564 |
|
|
* It does not contain branches that may leak sensitive information. |
565 |
|
|
*/ |
566 |
|
|
static BIGNUM * |
567 |
|
|
BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, |
568 |
|
|
BN_CTX *ctx) |
569 |
|
|
{ |
570 |
|
|
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; |
571 |
|
110324 |
BIGNUM local_A, local_B; |
572 |
|
|
BIGNUM *pA, *pB; |
573 |
|
|
BIGNUM *ret = NULL; |
574 |
|
|
int sign; |
575 |
|
|
|
576 |
|
|
bn_check_top(a); |
577 |
|
|
bn_check_top(n); |
578 |
|
|
|
579 |
|
55162 |
BN_CTX_start(ctx); |
580 |
✓✗ |
55162 |
if ((A = BN_CTX_get(ctx)) == NULL) |
581 |
|
|
goto err; |
582 |
✓✗ |
55162 |
if ((B = BN_CTX_get(ctx)) == NULL) |
583 |
|
|
goto err; |
584 |
✓✗ |
55162 |
if ((X = BN_CTX_get(ctx)) == NULL) |
585 |
|
|
goto err; |
586 |
✓✗ |
55162 |
if ((D = BN_CTX_get(ctx)) == NULL) |
587 |
|
|
goto err; |
588 |
✓✗ |
55162 |
if ((M = BN_CTX_get(ctx)) == NULL) |
589 |
|
|
goto err; |
590 |
✓✗ |
55162 |
if ((Y = BN_CTX_get(ctx)) == NULL) |
591 |
|
|
goto err; |
592 |
✓✗ |
55162 |
if ((T = BN_CTX_get(ctx)) == NULL) |
593 |
|
|
goto err; |
594 |
|
|
|
595 |
✓✓ |
55162 |
if (in == NULL) |
596 |
|
16 |
R = BN_new(); |
597 |
|
|
else |
598 |
|
|
R = in; |
599 |
✓✗ |
55162 |
if (R == NULL) |
600 |
|
|
goto err; |
601 |
|
|
|
602 |
|
55162 |
BN_one(X); |
603 |
|
55162 |
BN_zero(Y); |
604 |
✓✗ |
55162 |
if (BN_copy(B, a) == NULL) |
605 |
|
|
goto err; |
606 |
✓✗ |
55162 |
if (BN_copy(A, n) == NULL) |
607 |
|
|
goto err; |
608 |
|
55162 |
A->neg = 0; |
609 |
|
|
|
610 |
✓✗✓✓
|
110324 |
if (B->neg || (BN_ucmp(B, A) >= 0)) { |
611 |
|
|
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, |
612 |
|
|
* BN_div_no_branch will be called eventually. |
613 |
|
|
*/ |
614 |
|
|
pB = &local_B; |
615 |
|
41620 |
BN_with_flags(pB, B, BN_FLG_CONSTTIME); |
616 |
✓✓ |
41620 |
if (!BN_nnmod(B, pB, A, ctx)) |
617 |
|
|
goto err; |
618 |
|
|
} |
619 |
|
|
sign = -1; |
620 |
|
|
/* From B = a mod |n|, A = |n| it follows that |
621 |
|
|
* |
622 |
|
|
* 0 <= B < A, |
623 |
|
|
* -sign*X*a == B (mod |n|), |
624 |
|
|
* sign*Y*a == A (mod |n|). |
625 |
|
|
*/ |
626 |
|
|
|
627 |
✓✓ |
4683184 |
while (!BN_is_zero(B)) { |
628 |
|
|
BIGNUM *tmp; |
629 |
|
|
|
630 |
|
|
/* |
631 |
|
|
* 0 < B < A, |
632 |
|
|
* (*) -sign*X*a == B (mod |n|), |
633 |
|
|
* sign*Y*a == A (mod |n|) |
634 |
|
|
*/ |
635 |
|
|
|
636 |
|
|
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, |
637 |
|
|
* BN_div_no_branch will be called eventually. |
638 |
|
|
*/ |
639 |
|
|
pA = &local_A; |
640 |
|
4572872 |
BN_with_flags(pA, A, BN_FLG_CONSTTIME); |
641 |
|
|
|
642 |
|
|
/* (D, M) := (A/B, A%B) ... */ |
643 |
✗✓ |
4572872 |
if (!BN_div_ct(D, M, pA, B, ctx)) |
644 |
|
|
goto err; |
645 |
|
|
|
646 |
|
|
/* Now |
647 |
|
|
* A = D*B + M; |
648 |
|
|
* thus we have |
649 |
|
|
* (**) sign*Y*a == D*B + M (mod |n|). |
650 |
|
|
*/ |
651 |
|
|
tmp = A; /* keep the BIGNUM object, the value does not matter */ |
652 |
|
|
|
653 |
|
|
/* (A, B) := (B, A mod B) ... */ |
654 |
|
|
A = B; |
655 |
|
|
B = M; |
656 |
|
|
/* ... so we have 0 <= B < A again */ |
657 |
|
|
|
658 |
|
|
/* Since the former M is now B and the former B is now A, |
659 |
|
|
* (**) translates into |
660 |
|
|
* sign*Y*a == D*A + B (mod |n|), |
661 |
|
|
* i.e. |
662 |
|
|
* sign*Y*a - D*A == B (mod |n|). |
663 |
|
|
* Similarly, (*) translates into |
664 |
|
|
* -sign*X*a == A (mod |n|). |
665 |
|
|
* |
666 |
|
|
* Thus, |
667 |
|
|
* sign*Y*a + D*sign*X*a == B (mod |n|), |
668 |
|
|
* i.e. |
669 |
|
|
* sign*(Y + D*X)*a == B (mod |n|). |
670 |
|
|
* |
671 |
|
|
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at |
672 |
|
|
* -sign*X*a == B (mod |n|), |
673 |
|
|
* sign*Y*a == A (mod |n|). |
674 |
|
|
* Note that X and Y stay non-negative all the time. |
675 |
|
|
*/ |
676 |
|
|
|
677 |
✗✓ |
4572872 |
if (!BN_mul(tmp, D, X, ctx)) |
678 |
|
|
goto err; |
679 |
✗✓ |
4572872 |
if (!BN_add(tmp, tmp, Y)) |
680 |
|
|
goto err; |
681 |
|
|
|
682 |
|
|
M = Y; /* keep the BIGNUM object, the value does not matter */ |
683 |
|
|
Y = X; |
684 |
|
|
X = tmp; |
685 |
|
4572872 |
sign = -sign; |
686 |
✓✓✓ |
4572872 |
} |
687 |
|
|
|
688 |
|
|
/* |
689 |
|
|
* The while loop (Euclid's algorithm) ends when |
690 |
|
|
* A == gcd(a,n); |
691 |
|
|
* we have |
692 |
|
|
* sign*Y*a == A (mod |n|), |
693 |
|
|
* where Y is non-negative. |
694 |
|
|
*/ |
695 |
|
|
|
696 |
✓✓ |
55156 |
if (sign < 0) { |
697 |
✓✗ |
26412 |
if (!BN_sub(Y, n, Y)) |
698 |
|
|
goto err; |
699 |
|
|
} |
700 |
|
|
/* Now Y*a == A (mod |n|). */ |
701 |
|
|
|
702 |
✓✗✓✓
✓✗ |
165462 |
if (BN_is_one(A)) { |
703 |
|
|
/* Y*a == 1 (mod |n|) */ |
704 |
✓✗✓✓
|
110300 |
if (!Y->neg && BN_ucmp(Y, n) < 0) { |
705 |
✓✗ |
55047 |
if (!BN_copy(R, Y)) |
706 |
|
|
goto err; |
707 |
|
|
} else { |
708 |
✓✗ |
103 |
if (!BN_nnmod(R, Y, n, ctx)) |
709 |
|
|
goto err; |
710 |
|
|
} |
711 |
|
|
} else { |
712 |
|
6 |
BNerror(BN_R_NO_INVERSE); |
713 |
|
6 |
goto err; |
714 |
|
|
} |
715 |
|
55150 |
ret = R; |
716 |
|
|
|
717 |
|
|
err: |
718 |
✗✓ |
55162 |
if ((ret == NULL) && (in == NULL)) |
719 |
|
|
BN_free(R); |
720 |
|
55162 |
BN_CTX_end(ctx); |
721 |
|
|
bn_check_top(ret); |
722 |
|
55162 |
return (ret); |
723 |
|
55162 |
} |
724 |
|
|
|
725 |
|
|
/* |
726 |
|
|
* BN_gcd_no_branch is a special version of BN_mod_inverse_no_branch. |
727 |
|
|
* that returns the GCD. |
728 |
|
|
*/ |
729 |
|
|
static BIGNUM * |
730 |
|
|
BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, |
731 |
|
|
BN_CTX *ctx) |
732 |
|
|
{ |
733 |
|
|
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; |
734 |
|
164 |
BIGNUM local_A, local_B; |
735 |
|
|
BIGNUM *pA, *pB; |
736 |
|
|
BIGNUM *ret = NULL; |
737 |
|
|
int sign; |
738 |
|
|
|
739 |
✓✗ |
82 |
if (in == NULL) |
740 |
|
|
goto err; |
741 |
|
|
R = in; |
742 |
|
|
|
743 |
|
|
bn_check_top(a); |
744 |
|
|
bn_check_top(n); |
745 |
|
|
|
746 |
|
82 |
BN_CTX_start(ctx); |
747 |
✓✗ |
82 |
if ((A = BN_CTX_get(ctx)) == NULL) |
748 |
|
|
goto err; |
749 |
✓✗ |
82 |
if ((B = BN_CTX_get(ctx)) == NULL) |
750 |
|
|
goto err; |
751 |
✓✗ |
82 |
if ((X = BN_CTX_get(ctx)) == NULL) |
752 |
|
|
goto err; |
753 |
✓✗ |
82 |
if ((D = BN_CTX_get(ctx)) == NULL) |
754 |
|
|
goto err; |
755 |
✓✗ |
82 |
if ((M = BN_CTX_get(ctx)) == NULL) |
756 |
|
|
goto err; |
757 |
✓✗ |
82 |
if ((Y = BN_CTX_get(ctx)) == NULL) |
758 |
|
|
goto err; |
759 |
✓✗ |
82 |
if ((T = BN_CTX_get(ctx)) == NULL) |
760 |
|
|
goto err; |
761 |
|
|
|
762 |
|
82 |
BN_one(X); |
763 |
|
82 |
BN_zero(Y); |
764 |
✓✗ |
82 |
if (BN_copy(B, a) == NULL) |
765 |
|
|
goto err; |
766 |
✓✗ |
82 |
if (BN_copy(A, n) == NULL) |
767 |
|
|
goto err; |
768 |
|
82 |
A->neg = 0; |
769 |
|
|
|
770 |
✓✗✓✗
|
164 |
if (B->neg || (BN_ucmp(B, A) >= 0)) { |
771 |
|
|
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, |
772 |
|
|
* BN_div_no_branch will be called eventually. |
773 |
|
|
*/ |
774 |
|
|
pB = &local_B; |
775 |
|
82 |
BN_with_flags(pB, B, BN_FLG_CONSTTIME); |
776 |
✓✗ |
82 |
if (!BN_nnmod(B, pB, A, ctx)) |
777 |
|
|
goto err; |
778 |
|
|
} |
779 |
|
|
sign = -1; |
780 |
|
|
/* From B = a mod |n|, A = |n| it follows that |
781 |
|
|
* |
782 |
|
|
* 0 <= B < A, |
783 |
|
|
* -sign*X*a == B (mod |n|), |
784 |
|
|
* sign*Y*a == A (mod |n|). |
785 |
|
|
*/ |
786 |
|
|
|
787 |
✓✓ |
2060 |
while (!BN_is_zero(B)) { |
788 |
|
|
BIGNUM *tmp; |
789 |
|
|
|
790 |
|
|
/* |
791 |
|
|
* 0 < B < A, |
792 |
|
|
* (*) -sign*X*a == B (mod |n|), |
793 |
|
|
* sign*Y*a == A (mod |n|) |
794 |
|
|
*/ |
795 |
|
|
|
796 |
|
|
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, |
797 |
|
|
* BN_div_no_branch will be called eventually. |
798 |
|
|
*/ |
799 |
|
|
pA = &local_A; |
800 |
|
1896 |
BN_with_flags(pA, A, BN_FLG_CONSTTIME); |
801 |
|
|
|
802 |
|
|
/* (D, M) := (A/B, A%B) ... */ |
803 |
✗✓ |
1896 |
if (!BN_div_ct(D, M, pA, B, ctx)) |
804 |
|
|
goto err; |
805 |
|
|
|
806 |
|
|
/* Now |
807 |
|
|
* A = D*B + M; |
808 |
|
|
* thus we have |
809 |
|
|
* (**) sign*Y*a == D*B + M (mod |n|). |
810 |
|
|
*/ |
811 |
|
|
tmp = A; /* keep the BIGNUM object, the value does not matter */ |
812 |
|
|
|
813 |
|
|
/* (A, B) := (B, A mod B) ... */ |
814 |
|
|
A = B; |
815 |
|
|
B = M; |
816 |
|
|
/* ... so we have 0 <= B < A again */ |
817 |
|
|
|
818 |
|
|
/* Since the former M is now B and the former B is now A, |
819 |
|
|
* (**) translates into |
820 |
|
|
* sign*Y*a == D*A + B (mod |n|), |
821 |
|
|
* i.e. |
822 |
|
|
* sign*Y*a - D*A == B (mod |n|). |
823 |
|
|
* Similarly, (*) translates into |
824 |
|
|
* -sign*X*a == A (mod |n|). |
825 |
|
|
* |
826 |
|
|
* Thus, |
827 |
|
|
* sign*Y*a + D*sign*X*a == B (mod |n|), |
828 |
|
|
* i.e. |
829 |
|
|
* sign*(Y + D*X)*a == B (mod |n|). |
830 |
|
|
* |
831 |
|
|
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at |
832 |
|
|
* -sign*X*a == B (mod |n|), |
833 |
|
|
* sign*Y*a == A (mod |n|). |
834 |
|
|
* Note that X and Y stay non-negative all the time. |
835 |
|
|
*/ |
836 |
|
|
|
837 |
✗✓ |
1896 |
if (!BN_mul(tmp, D, X, ctx)) |
838 |
|
|
goto err; |
839 |
✗✓ |
1896 |
if (!BN_add(tmp, tmp, Y)) |
840 |
|
|
goto err; |
841 |
|
|
|
842 |
|
|
M = Y; /* keep the BIGNUM object, the value does not matter */ |
843 |
|
|
Y = X; |
844 |
|
|
X = tmp; |
845 |
|
1896 |
sign = -sign; |
846 |
✓✓✓ |
1896 |
} |
847 |
|
|
|
848 |
|
|
/* |
849 |
|
|
* The while loop (Euclid's algorithm) ends when |
850 |
|
|
* A == gcd(a,n); |
851 |
|
|
*/ |
852 |
|
|
|
853 |
✓✗ |
82 |
if (!BN_copy(R, A)) |
854 |
|
|
goto err; |
855 |
|
82 |
ret = R; |
856 |
|
|
err: |
857 |
✗✓ |
82 |
if ((ret == NULL) && (in == NULL)) |
858 |
|
|
BN_free(R); |
859 |
|
82 |
BN_CTX_end(ctx); |
860 |
|
|
bn_check_top(ret); |
861 |
|
82 |
return (ret); |
862 |
|
82 |
} |