kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3446 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9b63f2964d
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '9b63f2964d'
${ noResults }
boringssl/crypto/bn/gcd.c

629 regels
17 KiB
Ruw Blame Geschiedenis 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. 

  109. #include <openssl/bn.h>

  110. 

  111. #include <assert.h>

  112. 

  113. #include <openssl/err.h>

  114. 

  115. #include "internal.h"

  116. 

  117. static BIGNUM *euclid(BIGNUM *a, BIGNUM *b) {

  118.   BIGNUM *t;

  119.   int shifts = 0;

  120. 

  121.   /* 0 <= b <= a */

  122.   while (!BN_is_zero(b)) {

  123.     /* 0 < b <= a */

  124. 

  125.     if (BN_is_odd(a)) {

  126.       if (BN_is_odd(b)) {

  127.         if (!BN_sub(a, a, b)) {

  128.           goto err;

  129.         }

  130.         if (!BN_rshift1(a, a)) {

  131.           goto err;

  132.         }

  133.         if (BN_cmp(a, b) < 0) {

  134.           t = a;

  135.           a = b;

  136.           b = t;

  137.         }

  138.       } else {

  139.         /* a odd - b even */

  140.         if (!BN_rshift1(b, b)) {

  141.           goto err;

  142.         }

  143.         if (BN_cmp(a, b) < 0) {

  144.           t = a;

  145.           a = b;

  146.           b = t;

  147.         }

  148.       }

  149.     } else {

  150.       /* a is even */

  151.       if (BN_is_odd(b)) {

  152.         if (!BN_rshift1(a, a)) {

  153.           goto err;

  154.         }

  155.         if (BN_cmp(a, b) < 0) {

  156.           t = a;

  157.           a = b;

  158.           b = t;

  159.         }

  160.       } else {

  161.         /* a even - b even */

  162.         if (!BN_rshift1(a, a)) {

  163.           goto err;

  164.         }

  165.         if (!BN_rshift1(b, b)) {

  166.           goto err;

  167.         }

  168.         shifts++;

  169.       }

  170.     }

  171.     /* 0 <= b <= a */

  172.   }

  173. 

  174.   if (shifts) {

  175.     if (!BN_lshift(a, a, shifts)) {

  176.       goto err;

  177.     }

  178.   }

  179. 

  180.   return a;

  181. 

  182. err:

  183.   return NULL;

  184. }

  185. 

  186. int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) {

  187.   BIGNUM *a, *b, *t;

  188.   int ret = 0;

  189. 

  190.   BN_CTX_start(ctx);

  191.   a = BN_CTX_get(ctx);

  192.   b = BN_CTX_get(ctx);

  193. 

  194.   if (a == NULL || b == NULL) {

  195.     goto err;

  196.   }

  197.   if (BN_copy(a, in_a) == NULL) {

  198.     goto err;

  199.   }

  200.   if (BN_copy(b, in_b) == NULL) {

  201.     goto err;

  202.   }

  203. 

  204.   a->neg = 0;

  205.   b->neg = 0;

  206. 

  207.   if (BN_cmp(a, b) < 0) {

  208.     t = a;

  209.     a = b;

  210.     b = t;

  211.   }

  212.   t = euclid(a, b);

  213.   if (t == NULL) {

  214.     goto err;

  215.   }

  216. 

  217.   if (BN_copy(r, t) == NULL) {

  218.     goto err;

  219.   }

  220.   ret = 1;

  221. 

  222. err:

  223.   BN_CTX_end(ctx);

  224.   return ret;

  225. }

  226. 

  227. /* solves ax == 1 (mod n) */

  228. static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,

  229.                                   const BIGNUM *a, const BIGNUM *n,

  230.                                   BN_CTX *ctx);

  231. 

  232. int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,

  233.                        const BIGNUM *n, BN_CTX *ctx) {

  234.   *out_no_inverse = 0;

  235. 

  236.   if (!BN_is_odd(n)) {

  237.     OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);

  238.     return 0;

  239.   }

  240. 

  241.   if (BN_is_negative(a) || BN_cmp(a, n) >= 0) {

  242.     OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);

  243.     return 0;

  244.   }

  245. 

  246.   BIGNUM *A, *B, *X, *Y;

  247.   int ret = 0;

  248.   int sign;

  249. 

  250.   BN_CTX_start(ctx);

  251.   A = BN_CTX_get(ctx);

  252.   B = BN_CTX_get(ctx);

  253.   X = BN_CTX_get(ctx);

  254.   Y = BN_CTX_get(ctx);

  255.   if (Y == NULL) {

  256.     goto err;

  257.   }

  258. 

  259.   BIGNUM *R = out;

  260. 

  261.   BN_zero(Y);

  262.   if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {

  263.     goto err;

  264.   }

  265.   A->neg = 0;

  266.   sign = -1;

  267.   /* From  B = a mod |n|,  A = |n|  it follows that

  268.    *

  269.    *      0 <= B < A,

  270.    *     -sign*X*a  ==  B   (mod |n|),

  271.    *      sign*Y*a  ==  A   (mod |n|).

  272.    */

  273. 

  274.   /* Binary inversion algorithm; requires odd modulus. This is faster than the

  275.    * general algorithm if the modulus is sufficiently small (about 400 .. 500

  276.    * bits on 32-bit systems, but much more on 64-bit systems) */

  277.   int shift;

  278. 

  279.   while (!BN_is_zero(B)) {

  280.     /*      0 < B < |n|,

  281.      *      0 < A <= |n|,

  282.      * (1) -sign*X*a  ==  B   (mod |n|),

  283.      * (2)  sign*Y*a  ==  A   (mod |n|) */

  284. 

  285.     /* Now divide  B  by the maximum possible power of two in the integers,

  286.      * and divide  X  by the same value mod |n|.

  287.      * When we're done, (1) still holds. */

  288.     shift = 0;

  289.     while (!BN_is_bit_set(B, shift)) {

  290.       /* note that 0 < B */

  291.       shift++;

  292. 

  293.       if (BN_is_odd(X)) {

  294.         if (!BN_uadd(X, X, n)) {

  295.           goto err;

  296.         }

  297.       }

  298.       /* now X is even, so we can easily divide it by two */

  299.       if (!BN_rshift1(X, X)) {

  300.         goto err;

  301.       }

  302.     }

  303.     if (shift > 0) {

  304.       if (!BN_rshift(B, B, shift)) {

  305.         goto err;

  306.       }

  307.     }

  308. 

  309.     /* Same for A and Y. Afterwards, (2) still holds. */

  310.     shift = 0;

  311.     while (!BN_is_bit_set(A, shift)) {

  312.       /* note that 0 < A */

  313.       shift++;

  314. 

  315.       if (BN_is_odd(Y)) {

  316.         if (!BN_uadd(Y, Y, n)) {

  317.           goto err;

  318.         }

  319.       }

  320.       /* now Y is even */

  321.       if (!BN_rshift1(Y, Y)) {

  322.         goto err;

  323.       }

  324.     }

  325.     if (shift > 0) {

  326.       if (!BN_rshift(A, A, shift)) {

  327.         goto err;

  328.       }

  329.     }

  330. 

  331.     /* We still have (1) and (2).

  332.      * Both  A  and  B  are odd.

  333.      * The following computations ensure that

  334.      *

  335.      *     0 <= B < |n|,

  336.      *      0 < A < |n|,

  337.      * (1) -sign*X*a  ==  B   (mod |n|),

  338.      * (2)  sign*Y*a  ==  A   (mod |n|),

  339.      *

  340.      * and that either  A  or  B  is even in the next iteration. */

  341.     if (BN_ucmp(B, A) >= 0) {

  342.       /* -sign*(X + Y)*a == B - A  (mod |n|) */

  343.       if (!BN_uadd(X, X, Y)) {

  344.         goto err;

  345.       }

  346.       /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that

  347.        * actually makes the algorithm slower */

  348.       if (!BN_usub(B, B, A)) {

  349.         goto err;

  350.       }

  351.     } else {

  352.       /*  sign*(X + Y)*a == A - B  (mod |n|) */

  353.       if (!BN_uadd(Y, Y, X)) {

  354.         goto err;

  355.       }

  356.       /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */

  357.       if (!BN_usub(A, A, B)) {

  358.         goto err;

  359.       }

  360.     }

  361.   }

  362. 

  363.   if (!BN_is_one(A)) {

  364.     *out_no_inverse = 1;

  365.     OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);

  366.     goto err;

  367.   }

  368. 

  369.   /* The while loop (Euclid's algorithm) ends when

  370.    *      A == gcd(a,n);

  371.    * we have

  372.    *       sign*Y*a  ==  A  (mod |n|),

  373.    * where  Y  is non-negative. */

  374. 

  375.   if (sign < 0) {

  376.     if (!BN_sub(Y, n, Y)) {

  377.       goto err;

  378.     }

  379.   }

  380.   /* Now  Y*a  ==  A  (mod |n|).  */

  381. 

  382.   /* Y*a == 1  (mod |n|) */

  383.   if (!Y->neg && BN_ucmp(Y, n) < 0) {

  384.     if (!BN_copy(R, Y)) {

  385.       goto err;

  386.     }

  387.   } else {

  388.     if (!BN_nnmod(R, Y, n, ctx)) {

  389.       goto err;

  390.     }

  391.   }

  392. 

  393.   ret = 1;

  394. 

  395. err:

  396.   BN_CTX_end(ctx);

  397.   return ret;

  398. }

  399. 

  400. BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,

  401.                        BN_CTX *ctx) {

  402.   int no_inverse;

  403. 

  404.   BIGNUM *a_reduced = NULL;

  405. 

  406.   BIGNUM *new_out = NULL;

  407.   if (out == NULL) {

  408.     new_out = BN_new();

  409.     if (new_out == NULL) {

  410.       OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);

  411.       return NULL;

  412.     }

  413.     out = new_out;

  414.   }

  415. 

  416.   int ok = 0;

  417. 

  418.   int no_branch =

  419.       (a->flags & BN_FLG_CONSTTIME) != 0 || (n->flags & BN_FLG_CONSTTIME) != 0;

  420. 

  421.   if (a->neg || BN_ucmp(a, n) >= 0) {

  422.     a_reduced = BN_dup(a);

  423.     if (a_reduced == NULL) {

  424.       goto err;

  425.     }

  426.     if (no_branch) {

  427.       BN_set_flags(a_reduced, BN_FLG_CONSTTIME);

  428.     }

  429.     if (!BN_nnmod(a_reduced, a_reduced, n, ctx)) {

  430.       goto err;

  431.     }

  432.     a = a_reduced;

  433.   }

  434. 

  435.   if (no_branch || !BN_is_odd(n)) {

  436.     if (!bn_mod_inverse_general(out, &no_inverse, a, n, ctx)) {

  437.       goto err;

  438.     }

  439.   } else if (!BN_mod_inverse_odd(out, &no_inverse, a, n, ctx)) {

  440.     goto err;

  441.   }

  442. 

  443.   ok = 1;

  444. 

  445. err:

  446.   if (!ok) {

  447.     BN_free(new_out);

  448.     out = NULL;

  449.   }

  450.   BN_free(a_reduced);

  451.   return out;

  452. }

  453. 

  454. int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,

  455.                            const BN_MONT_CTX *mont, BN_CTX *ctx) {

  456.   *out_no_inverse = 0;

  457. 

  458.   if (BN_is_negative(a) || BN_cmp(a, &mont->N) >= 0) {

  459.     OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);

  460.     return 0;

  461.   }

  462. 

  463.   int ret = 0;

  464.   BIGNUM blinding_factor;

  465.   BN_init(&blinding_factor);

  466. 

  467.   if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N) ||

  468.       !BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx) ||

  469.       !BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) ||

  470.       !BN_mod_mul_montgomery(out, &blinding_factor, out, mont, ctx)) {

  471.     OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);

  472.     goto err;

  473.   }

  474. 

  475.   ret = 1;

  476. 

  477. err:

  478.   BN_free(&blinding_factor);

  479.   return ret;

  480. }

  481. 

  482. /* bn_mod_inverse_general is the general inversion algorithm that works for

  483.  * both even and odd |n|. It was specifically designed to contain fewer

  484.  * branches that may leak sensitive information. See "New Branch Prediction

  485.  * Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by

  486.  * Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert. */

  487. static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,

  488.                                   const BIGNUM *a, const BIGNUM *n,

  489.                                   BN_CTX *ctx) {

  490.   BIGNUM *A, *B, *X, *Y, *M, *D, *T;

  491.   BIGNUM local_A;

  492.   BIGNUM *pA;

  493.   int ret = 0;

  494.   int sign;

  495. 

  496.   *out_no_inverse = 0;

  497. 

  498.   BN_CTX_start(ctx);

  499.   A = BN_CTX_get(ctx);

  500.   B = BN_CTX_get(ctx);

  501.   X = BN_CTX_get(ctx);

  502.   D = BN_CTX_get(ctx);

  503.   M = BN_CTX_get(ctx);

  504.   Y = BN_CTX_get(ctx);

  505.   T = BN_CTX_get(ctx);

  506.   if (T == NULL) {

  507.     goto err;

  508.   }

  509. 

  510.   BIGNUM *R = out;

  511. 

  512.   BN_zero(Y);

  513.   if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {

  514.     goto err;

  515.   }

  516.   A->neg = 0;

  517. 

  518.   sign = -1;

  519.   /* From  B = a mod |n|,  A = |n|  it follows that

  520.    *

  521.    *      0 <= B < A,

  522.    *     -sign*X*a  ==  B   (mod |n|),

  523.    *      sign*Y*a  ==  A   (mod |n|).

  524.    */

  525. 

  526.   while (!BN_is_zero(B)) {

  527.     BIGNUM *tmp;

  528. 

  529.     /*

  530.      *      0 < B < A,

  531.      * (*) -sign*X*a  ==  B   (mod |n|),

  532.      *      sign*Y*a  ==  A   (mod |n|)

  533.      */

  534. 

  535.     /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,

  536.      * BN_div_no_branch will be called eventually.

  537.      */

  538.     pA = &local_A;

  539.     BN_with_flags(pA, A, BN_FLG_CONSTTIME);

  540. 

  541.     /* (D, M) := (A/B, A%B) ... */

  542.     if (!BN_div(D, M, pA, B, ctx)) {

  543.       goto err;

  544.     }

  545. 

  546.     /* Now

  547.      *      A = D*B + M;

  548.      * thus we have

  549.      * (**)  sign*Y*a  ==  D*B + M   (mod |n|).

  550.      */

  551. 

  552.     tmp = A; /* keep the BIGNUM object, the value does not matter */

  553. 

  554.     /* (A, B) := (B, A mod B) ... */

  555.     A = B;

  556.     B = M;

  557.     /* ... so we have  0 <= B < A  again */

  558. 

  559.     /* Since the former  M  is now  B  and the former  B  is now  A,

  560.      * (**) translates into

  561.      *       sign*Y*a  ==  D*A + B    (mod |n|),

  562.      * i.e.

  563.      *       sign*Y*a - D*A  ==  B    (mod |n|).

  564.      * Similarly, (*) translates into

  565.      *      -sign*X*a  ==  A          (mod |n|).

  566.      *

  567.      * Thus,

  568.      *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),

  569.      * i.e.

  570.      *        sign*(Y + D*X)*a  ==  B  (mod |n|).

  571.      *

  572.      * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at

  573.      *      -sign*X*a  ==  B   (mod |n|),

  574.      *       sign*Y*a  ==  A   (mod |n|).

  575.      * Note that  X  and  Y  stay non-negative all the time.

  576.      */

  577. 

  578.     if (!BN_mul(tmp, D, X, ctx)) {

  579.       goto err;

  580.     }

  581.     if (!BN_add(tmp, tmp, Y)) {

  582.       goto err;

  583.     }

  584. 

  585.     M = Y; /* keep the BIGNUM object, the value does not matter */

  586.     Y = X;

  587.     X = tmp;

  588.     sign = -sign;

  589.   }

  590. 

  591.   if (!BN_is_one(A)) {

  592.     *out_no_inverse = 1;

  593.     OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);

  594.     goto err;

  595.   }

  596. 

  597.   /*

  598.    * The while loop (Euclid's algorithm) ends when

  599.    *      A == gcd(a,n);

  600.    * we have

  601.    *       sign*Y*a  ==  A  (mod |n|),

  602.    * where  Y  is non-negative.

  603.    */

  604. 

  605.   if (sign < 0) {

  606.     if (!BN_sub(Y, n, Y)) {

  607.       goto err;

  608.     }

  609.   }

  610.   /* Now  Y*a  ==  A  (mod |n|).  */

  611. 

  612.   /* Y*a == 1  (mod |n|) */

  613.   if (!Y->neg && BN_ucmp(Y, n) < 0) {

  614.     if (!BN_copy(R, Y)) {

  615.       goto err;

  616.     }

  617.   } else {

  618.     if (!BN_nnmod(R, Y, n, ctx)) {

  619.       goto err;

  620.     }

  621.   }

  622. 

  623.   ret = 1;

  624. 

  625. err:

  626.   BN_CTX_end(ctx);

  627.   return ret;

  628. }