kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
528 İşleme
12 Dallar
38 MiB
 
 
 
 
 
 
Ağaç: f4b4952719
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'f4b4952719'den
${ noResults }
boringssl/crypto/bn/gcd.c

705 satır
19 KiB
Ham Suçlama Geçmiş 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. 

  109. #include <openssl/bn.h>

  110. 

  111. #include <openssl/err.h>

  112. 

  113. #include "internal.h"

  114. 

  115. static BIGNUM *euclid(BIGNUM *a, BIGNUM *b) {

  116.   BIGNUM *t;

  117.   int shifts = 0;

  118. 

  119.   /* 0 <= b <= a */

  120.   while (!BN_is_zero(b)) {

  121.     /* 0 < b <= a */

  122. 

  123.     if (BN_is_odd(a)) {

  124.       if (BN_is_odd(b)) {

  125.         if (!BN_sub(a, a, b)) {

  126.           goto err;

  127.         }

  128.         if (!BN_rshift1(a, a)) {

  129.           goto err;

  130.         }

  131.         if (BN_cmp(a, b) < 0) {

  132.           t = a;

  133.           a = b;

  134.           b = t;

  135.         }

  136.       } else {

  137.         /* a odd - b even */

  138.         if (!BN_rshift1(b, b)) {

  139.           goto err;

  140.         }

  141.         if (BN_cmp(a, b) < 0) {

  142.           t = a;

  143.           a = b;

  144.           b = t;

  145.         }

  146.       }

  147.     } else {

  148.       /* a is even */

  149.       if (BN_is_odd(b)) {

  150.         if (!BN_rshift1(a, a)) {

  151.           goto err;

  152.         }

  153.         if (BN_cmp(a, b) < 0) {

  154.           t = a;

  155.           a = b;

  156.           b = t;

  157.         }

  158.       } else {

  159.         /* a even - b even */

  160.         if (!BN_rshift1(a, a)) {

  161.           goto err;

  162.         }

  163.         if (!BN_rshift1(b, b)) {

  164.           goto err;

  165.         }

  166.         shifts++;

  167.       }

  168.     }

  169.     /* 0 <= b <= a */

  170.   }

  171. 

  172.   if (shifts) {

  173.     if (!BN_lshift(a, a, shifts)) {

  174.       goto err;

  175.     }

  176.   }

  177. 

  178.   return a;

  179. 

  180. err:

  181.   return NULL;

  182. }

  183. 

  184. int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) {

  185.   BIGNUM *a, *b, *t;

  186.   int ret = 0;

  187. 

  188.   BN_CTX_start(ctx);

  189.   a = BN_CTX_get(ctx);

  190.   b = BN_CTX_get(ctx);

  191. 

  192.   if (a == NULL || b == NULL) {

  193.     goto err;

  194.   }

  195.   if (BN_copy(a, in_a) == NULL) {

  196.     goto err;

  197.   }

  198.   if (BN_copy(b, in_b) == NULL) {

  199.     goto err;

  200.   }

  201. 

  202.   a->neg = 0;

  203.   b->neg = 0;

  204. 

  205.   if (BN_cmp(a, b) < 0) {

  206.     t = a;

  207.     a = b;

  208.     b = t;

  209.   }

  210.   t = euclid(a, b);

  211.   if (t == NULL) {

  212.     goto err;

  213.   }

  214. 

  215.   if (BN_copy(r, t) == NULL) {

  216.     goto err;

  217.   }

  218.   ret = 1;

  219. 

  220. err:

  221.   BN_CTX_end(ctx);

  222.   return ret;

  223. }

  224. 

  225. /* solves ax == 1 (mod n) */

  226. static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, const BIGNUM *a,

  227.                                         const BIGNUM *n, BN_CTX *ctx);

  228. 

  229. BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,

  230.                        BN_CTX *ctx) {

  231.   BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;

  232.   BIGNUM *ret = NULL;

  233.   int sign;

  234. 

  235.   if ((a->flags & BN_FLG_CONSTTIME) != 0 ||

  236.       (n->flags & BN_FLG_CONSTTIME) != 0) {

  237.     return BN_mod_inverse_no_branch(out, a, n, ctx);

  238.   }

  239. 

  240.   BN_CTX_start(ctx);

  241.   A = BN_CTX_get(ctx);

  242.   B = BN_CTX_get(ctx);

  243.   X = BN_CTX_get(ctx);

  244.   D = BN_CTX_get(ctx);

  245.   M = BN_CTX_get(ctx);

  246.   Y = BN_CTX_get(ctx);

  247.   T = BN_CTX_get(ctx);

  248.   if (T == NULL) {

  249.     goto err;

  250.   }

  251. 

  252.   if (out == NULL) {

  253.     R = BN_new();

  254.   } else {

  255.     R = out;

  256.   }

  257.   if (R == NULL) {

  258.     goto err;

  259.   }

  260. 

  261.   BN_one(X);

  262.   BN_zero(Y);

  263.   if (BN_copy(B, a) == NULL) {

  264.     goto err;

  265.   }

  266.   if (BN_copy(A, n) == NULL) {

  267.     goto err;

  268.   }

  269.   A->neg = 0;

  270.   if (B->neg || (BN_ucmp(B, A) >= 0)) {

  271.     if (!BN_nnmod(B, B, A, ctx)) {

  272.       goto err;

  273.     }

  274.   }

  275.   sign = -1;

  276.   /* From  B = a mod |n|,  A = |n|  it follows that

  277.    *

  278.    *      0 <= B < A,

  279.    *     -sign*X*a  ==  B   (mod |n|),

  280.    *      sign*Y*a  ==  A   (mod |n|).

  281.    */

  282. 

  283.   if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) {

  284.     /* Binary inversion algorithm; requires odd modulus.

  285.      * This is faster than the general algorithm if the modulus

  286.      * is sufficiently small (about 400 .. 500 bits on 32-bit

  287.      * sytems, but much more on 64-bit systems) */

  288.     int shift;

  289. 

  290.     while (!BN_is_zero(B)) {

  291.       /*      0 < B < |n|,

  292.        *      0 < A <= |n|,

  293.        * (1) -sign*X*a  ==  B   (mod |n|),

  294.        * (2)  sign*Y*a  ==  A   (mod |n|) */

  295. 

  296.       /* Now divide  B  by the maximum possible power of two in the integers,

  297.        * and divide  X  by the same value mod |n|.

  298.        * When we're done, (1) still holds. */

  299.       shift = 0;

  300.       while (!BN_is_bit_set(B, shift)) {

  301.         /* note that 0 < B */

  302.         shift++;

  303. 

  304.         if (BN_is_odd(X)) {

  305.           if (!BN_uadd(X, X, n)) {

  306.             goto err;

  307.           }

  308.         }

  309.         /* now X is even, so we can easily divide it by two */

  310.         if (!BN_rshift1(X, X)) {

  311.           goto err;

  312.         }

  313.       }

  314.       if (shift > 0) {

  315.         if (!BN_rshift(B, B, shift)) {

  316.           goto err;

  317.         }

  318.       }

  319. 

  320.       /* Same for A and Y. Afterwards, (2) still holds. */

  321.       shift = 0;

  322.       while (!BN_is_bit_set(A, shift)) {

  323.         /* note that 0 < A */

  324.         shift++;

  325. 

  326.         if (BN_is_odd(Y)) {

  327.           if (!BN_uadd(Y, Y, n)) {

  328.             goto err;

  329.           }

  330.         }

  331.         /* now Y is even */

  332.         if (!BN_rshift1(Y, Y)) {

  333.           goto err;

  334.         }

  335.       }

  336.       if (shift > 0) {

  337.         if (!BN_rshift(A, A, shift)) {

  338.           goto err;

  339.         }

  340.       }

  341. 

  342.       /* We still have (1) and (2).

  343.        * Both  A  and  B  are odd.

  344.        * The following computations ensure that

  345.        *

  346.        *     0 <= B < |n|,

  347.        *      0 < A < |n|,

  348.        * (1) -sign*X*a  ==  B   (mod |n|),

  349.        * (2)  sign*Y*a  ==  A   (mod |n|),

  350.        *

  351.        * and that either  A  or  B  is even in the next iteration. */

  352.       if (BN_ucmp(B, A) >= 0) {

  353.         /* -sign*(X + Y)*a == B - A  (mod |n|) */

  354.         if (!BN_uadd(X, X, Y)) {

  355.           goto err;

  356.         }

  357.         /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that

  358.          * actually makes the algorithm slower */

  359.         if (!BN_usub(B, B, A)) {

  360.           goto err;

  361.         }

  362.       } else {

  363.         /*  sign*(X + Y)*a == A - B  (mod |n|) */

  364.         if (!BN_uadd(Y, Y, X)) {

  365.           goto err;

  366.         }

  367.         /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */

  368.         if (!BN_usub(A, A, B)) {

  369.           goto err;

  370.         }

  371.       }

  372.     }

  373.   } else {

  374.     /* general inversion algorithm */

  375. 

  376.     while (!BN_is_zero(B)) {

  377.       BIGNUM *tmp;

  378. 

  379.       /*

  380.        *      0 < B < A,

  381.        * (*) -sign*X*a  ==  B   (mod |n|),

  382.        *      sign*Y*a  ==  A   (mod |n|) */

  383. 

  384.       /* (D, M) := (A/B, A%B) ... */

  385.       if (BN_num_bits(A) == BN_num_bits(B)) {

  386.         if (!BN_one(D)) {

  387.           goto err;

  388.         }

  389.         if (!BN_sub(M, A, B)) {

  390.           goto err;

  391.         }

  392.       } else if (BN_num_bits(A) == BN_num_bits(B) + 1) {

  393.         /* A/B is 1, 2, or 3 */

  394.         if (!BN_lshift1(T, B)) {

  395.           goto err;

  396.         }

  397.         if (BN_ucmp(A, T) < 0) {

  398.           /* A < 2*B, so D=1 */

  399.           if (!BN_one(D)) {

  400.             goto err;

  401.           }

  402.           if (!BN_sub(M, A, B)) {

  403.             goto err;

  404.           }

  405.         } else {

  406.           /* A >= 2*B, so D=2 or D=3 */

  407.           if (!BN_sub(M, A, T)) {

  408.             goto err;

  409.           }

  410.           if (!BN_add(D, T, B)) {

  411.             goto err; /* use D (:= 3*B) as temp */

  412.           }

  413.           if (BN_ucmp(A, D) < 0) {

  414.             /* A < 3*B, so D=2 */

  415.             if (!BN_set_word(D, 2)) {

  416.               goto err;

  417.             }

  418.             /* M (= A - 2*B) already has the correct value */

  419.           } else {

  420.             /* only D=3 remains */

  421.             if (!BN_set_word(D, 3)) {

  422.               goto err;

  423.             }

  424.             /* currently  M = A - 2*B,  but we need  M = A - 3*B */

  425.             if (!BN_sub(M, M, B)) {

  426.               goto err;

  427.             }

  428.           }

  429.         }

  430.       } else {

  431.         if (!BN_div(D, M, A, B, ctx)) {

  432.           goto err;

  433.         }

  434.       }

  435. 

  436.       /* Now

  437.        *      A = D*B + M;

  438.        * thus we have

  439.        * (**)  sign*Y*a  ==  D*B + M   (mod |n|). */

  440. 

  441.       tmp = A; /* keep the BIGNUM object, the value does not matter */

  442. 

  443.       /* (A, B) := (B, A mod B) ... */

  444.       A = B;

  445.       B = M;

  446.       /* ... so we have  0 <= B < A  again */

  447. 

  448.       /* Since the former  M  is now  B  and the former  B  is now  A,

  449.        * (**) translates into

  450.        *       sign*Y*a  ==  D*A + B    (mod |n|),

  451.        * i.e.

  452.        *       sign*Y*a - D*A  ==  B    (mod |n|).

  453.        * Similarly, (*) translates into

  454.        *      -sign*X*a  ==  A          (mod |n|).

  455.        *

  456.        * Thus,

  457.        *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),

  458.        * i.e.

  459.        *        sign*(Y + D*X)*a  ==  B  (mod |n|).

  460.        *

  461.        * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at

  462.        *      -sign*X*a  ==  B   (mod |n|),

  463.        *       sign*Y*a  ==  A   (mod |n|).

  464.        * Note that  X  and  Y  stay non-negative all the time. */

  465. 

  466.       /* most of the time D is very small, so we can optimize tmp := D*X+Y */

  467.       if (BN_is_one(D)) {

  468.         if (!BN_add(tmp, X, Y)) {

  469.           goto err;

  470.         }

  471.       } else {

  472.         if (BN_is_word(D, 2)) {

  473.           if (!BN_lshift1(tmp, X)) {

  474.             goto err;

  475.           }

  476.         } else if (BN_is_word(D, 4)) {

  477.           if (!BN_lshift(tmp, X, 2)) {

  478.             goto err;

  479.           }

  480.         } else if (D->top == 1) {

  481.           if (!BN_copy(tmp, X)) {

  482.             goto err;

  483.           }

  484.           if (!BN_mul_word(tmp, D->d[0])) {

  485.             goto err;

  486.           }

  487.         } else {

  488.           if (!BN_mul(tmp, D, X, ctx)) {

  489.             goto err;

  490.           }

  491.         }

  492.         if (!BN_add(tmp, tmp, Y)) {

  493.           goto err;

  494.         }

  495.       }

  496. 

  497.       M = Y; /* keep the BIGNUM object, the value does not matter */

  498.       Y = X;

  499.       X = tmp;

  500.       sign = -sign;

  501.     }

  502.   }

  503. 

  504.   /* The while loop (Euclid's algorithm) ends when

  505.    *      A == gcd(a,n);

  506.    * we have

  507.    *       sign*Y*a  ==  A  (mod |n|),

  508.    * where  Y  is non-negative. */

  509. 

  510.   if (sign < 0) {

  511.     if (!BN_sub(Y, n, Y)) {

  512.       goto err;

  513.     }

  514.   }

  515.   /* Now  Y*a  ==  A  (mod |n|).  */

  516. 

  517.   if (BN_is_one(A)) {

  518.     /* Y*a == 1  (mod |n|) */

  519.     if (!Y->neg && BN_ucmp(Y, n) < 0) {

  520.       if (!BN_copy(R, Y)) {

  521.         goto err;

  522.       }

  523.     } else {

  524.       if (!BN_nnmod(R, Y, n, ctx)) {

  525.         goto err;

  526.       }

  527.     }

  528.   } else {

  529.     OPENSSL_PUT_ERROR(BN, BN_mod_inverse, BN_R_NO_INVERSE);

  530.     goto err;

  531.   }

  532.   ret = R;

  533. 

  534. err:

  535.   if (ret == NULL && out == NULL) {

  536.     BN_free(R);

  537.   }

  538.   BN_CTX_end(ctx);

  539.   return ret;

  540. }

  541. 

  542. /* BN_mod_inverse_no_branch is a special version of BN_mod_inverse.

  543.  * It does not contain branches that may leak sensitive information. */

  544. static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, const BIGNUM *a,

  545.                                         const BIGNUM *n, BN_CTX *ctx) {

  546.   BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;

  547.   BIGNUM local_A, local_B;

  548.   BIGNUM *pA, *pB;

  549.   BIGNUM *ret = NULL;

  550.   int sign;

  551. 

  552.   BN_CTX_start(ctx);

  553.   A = BN_CTX_get(ctx);

  554.   B = BN_CTX_get(ctx);

  555.   X = BN_CTX_get(ctx);

  556.   D = BN_CTX_get(ctx);

  557.   M = BN_CTX_get(ctx);

  558.   Y = BN_CTX_get(ctx);

  559.   T = BN_CTX_get(ctx);

  560.   if (T == NULL) {

  561.     goto err;

  562.   }

  563. 

  564.   if (out == NULL) {

  565.     R = BN_new();

  566.   } else {

  567.     R = out;

  568.   }

  569.   if (R == NULL) {

  570.     goto err;

  571.   }

  572. 

  573.   BN_one(X);

  574.   BN_zero(Y);

  575.   if (BN_copy(B, a) == NULL) {

  576.     goto err;

  577.   }

  578.   if (BN_copy(A, n) == NULL) {

  579.     goto err;

  580.   }

  581.   A->neg = 0;

  582. 

  583.   if (B->neg || (BN_ucmp(B, A) >= 0)) {

  584.     /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,

  585.      * BN_div_no_branch will be called eventually.

  586.      */

  587.     pB = &local_B;

  588.     BN_with_flags(pB, B, BN_FLG_CONSTTIME);

  589.     if (!BN_nnmod(B, pB, A, ctx))

  590.       goto err;

  591.   }

  592.   sign = -1;

  593.   /* From  B = a mod |n|,  A = |n|  it follows that

  594.    *

  595.    *      0 <= B < A,

  596.    *     -sign*X*a  ==  B   (mod |n|),

  597.    *      sign*Y*a  ==  A   (mod |n|).

  598.    */

  599. 

  600.   while (!BN_is_zero(B)) {

  601.     BIGNUM *tmp;

  602. 

  603.     /*

  604.      *      0 < B < A,

  605.      * (*) -sign*X*a  ==  B   (mod |n|),

  606.      *      sign*Y*a  ==  A   (mod |n|)

  607.      */

  608. 

  609.     /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,

  610.      * BN_div_no_branch will be called eventually.

  611.      */

  612.     pA = &local_A;

  613.     BN_with_flags(pA, A, BN_FLG_CONSTTIME);

  614. 

  615.     /* (D, M) := (A/B, A%B) ... */

  616.     if (!BN_div(D, M, pA, B, ctx)) {

  617.       goto err;

  618.     }

  619. 

  620.     /* Now

  621.      *      A = D*B + M;

  622.      * thus we have

  623.      * (**)  sign*Y*a  ==  D*B + M   (mod |n|).

  624.      */

  625. 

  626.     tmp = A; /* keep the BIGNUM object, the value does not matter */

  627. 

  628.     /* (A, B) := (B, A mod B) ... */

  629.     A = B;

  630.     B = M;

  631.     /* ... so we have  0 <= B < A  again */

  632. 

  633.     /* Since the former  M  is now  B  and the former  B  is now  A,

  634.      * (**) translates into

  635.      *       sign*Y*a  ==  D*A + B    (mod |n|),

  636.      * i.e.

  637.      *       sign*Y*a - D*A  ==  B    (mod |n|).

  638.      * Similarly, (*) translates into

  639.      *      -sign*X*a  ==  A          (mod |n|).

  640.      *

  641.      * Thus,

  642.      *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),

  643.      * i.e.

  644.      *        sign*(Y + D*X)*a  ==  B  (mod |n|).

  645.      *

  646.      * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at

  647.      *      -sign*X*a  ==  B   (mod |n|),

  648.      *       sign*Y*a  ==  A   (mod |n|).

  649.      * Note that  X  and  Y  stay non-negative all the time.

  650.      */

  651. 

  652.     if (!BN_mul(tmp, D, X, ctx)) {

  653.       goto err;

  654.     }

  655.     if (!BN_add(tmp, tmp, Y)) {

  656.       goto err;

  657.     }

  658. 

  659.     M = Y; /* keep the BIGNUM object, the value does not matter */

  660.     Y = X;

  661.     X = tmp;

  662.     sign = -sign;

  663.   }

  664. 

  665.   /*

  666.    * The while loop (Euclid's algorithm) ends when

  667.    *      A == gcd(a,n);

  668.    * we have

  669.    *       sign*Y*a  ==  A  (mod |n|),

  670.    * where  Y  is non-negative.

  671.    */

  672. 

  673.   if (sign < 0) {

  674.     if (!BN_sub(Y, n, Y)) {

  675.       goto err;

  676.     }

  677.   }

  678.   /* Now  Y*a  ==  A  (mod |n|).  */

  679. 

  680.   if (BN_is_one(A)) {

  681.     /* Y*a == 1  (mod |n|) */

  682.     if (!Y->neg && BN_ucmp(Y, n) < 0) {

  683.       if (!BN_copy(R, Y)) {

  684.         goto err;

  685.       }

  686.     } else {

  687.       if (!BN_nnmod(R, Y, n, ctx)) {

  688.         goto err;

  689.       }

  690.     }

  691.   } else {

  692.     OPENSSL_PUT_ERROR(BN, BN_mod_inverse_no_branch, BN_R_NO_INVERSE);

  693.     goto err;

  694.   }

  695.   ret = R;

  696. 

  697. err:

  698.   if (ret == NULL && out == NULL) {

  699.     BN_free(R);

  700.   }

  701. 

  702.   BN_CTX_end(ctx);

  703.   return ret;

  704. }