bn_gcd.c 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include "bn_local.h"
  11. /*
  12. * bn_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
  13. * not contain branches that may leak sensitive information.
  14. *
  15. * This is a static function, we ensure all callers in this file pass valid
  16. * arguments: all passed pointers here are non-NULL.
  17. */
  18. static ossl_inline
  19. BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
  20. const BIGNUM *a, const BIGNUM *n,
  21. BN_CTX *ctx, int *pnoinv)
  22. {
  23. BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
  24. BIGNUM *ret = NULL;
  25. int sign;
  26. bn_check_top(a);
  27. bn_check_top(n);
  28. BN_CTX_start(ctx);
  29. A = BN_CTX_get(ctx);
  30. B = BN_CTX_get(ctx);
  31. X = BN_CTX_get(ctx);
  32. D = BN_CTX_get(ctx);
  33. M = BN_CTX_get(ctx);
  34. Y = BN_CTX_get(ctx);
  35. T = BN_CTX_get(ctx);
  36. if (T == NULL)
  37. goto err;
  38. if (in == NULL)
  39. R = BN_new();
  40. else
  41. R = in;
  42. if (R == NULL)
  43. goto err;
  44. if (!BN_one(X))
  45. goto err;
  46. BN_zero(Y);
  47. if (BN_copy(B, a) == NULL)
  48. goto err;
  49. if (BN_copy(A, n) == NULL)
  50. goto err;
  51. A->neg = 0;
  52. if (B->neg || (BN_ucmp(B, A) >= 0)) {
  53. /*
  54. * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
  55. * BN_div_no_branch will be called eventually.
  56. */
  57. {
  58. BIGNUM local_B;
  59. bn_init(&local_B);
  60. BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
  61. if (!BN_nnmod(B, &local_B, A, ctx))
  62. goto err;
  63. /* Ensure local_B goes out of scope before any further use of B */
  64. }
  65. }
  66. sign = -1;
  67. /*-
  68. * From B = a mod |n|, A = |n| it follows that
  69. *
  70. * 0 <= B < A,
  71. * -sign*X*a == B (mod |n|),
  72. * sign*Y*a == A (mod |n|).
  73. */
  74. while (!BN_is_zero(B)) {
  75. BIGNUM *tmp;
  76. /*-
  77. * 0 < B < A,
  78. * (*) -sign*X*a == B (mod |n|),
  79. * sign*Y*a == A (mod |n|)
  80. */
  81. /*
  82. * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
  83. * BN_div_no_branch will be called eventually.
  84. */
  85. {
  86. BIGNUM local_A;
  87. bn_init(&local_A);
  88. BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
  89. /* (D, M) := (A/B, A%B) ... */
  90. if (!BN_div(D, M, &local_A, B, ctx))
  91. goto err;
  92. /* Ensure local_A goes out of scope before any further use of A */
  93. }
  94. /*-
  95. * Now
  96. * A = D*B + M;
  97. * thus we have
  98. * (**) sign*Y*a == D*B + M (mod |n|).
  99. */
  100. tmp = A; /* keep the BIGNUM object, the value does not
  101. * matter */
  102. /* (A, B) := (B, A mod B) ... */
  103. A = B;
  104. B = M;
  105. /* ... so we have 0 <= B < A again */
  106. /*-
  107. * Since the former M is now B and the former B is now A,
  108. * (**) translates into
  109. * sign*Y*a == D*A + B (mod |n|),
  110. * i.e.
  111. * sign*Y*a - D*A == B (mod |n|).
  112. * Similarly, (*) translates into
  113. * -sign*X*a == A (mod |n|).
  114. *
  115. * Thus,
  116. * sign*Y*a + D*sign*X*a == B (mod |n|),
  117. * i.e.
  118. * sign*(Y + D*X)*a == B (mod |n|).
  119. *
  120. * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
  121. * -sign*X*a == B (mod |n|),
  122. * sign*Y*a == A (mod |n|).
  123. * Note that X and Y stay non-negative all the time.
  124. */
  125. if (!BN_mul(tmp, D, X, ctx))
  126. goto err;
  127. if (!BN_add(tmp, tmp, Y))
  128. goto err;
  129. M = Y; /* keep the BIGNUM object, the value does not
  130. * matter */
  131. Y = X;
  132. X = tmp;
  133. sign = -sign;
  134. }
  135. /*-
  136. * The while loop (Euclid's algorithm) ends when
  137. * A == gcd(a,n);
  138. * we have
  139. * sign*Y*a == A (mod |n|),
  140. * where Y is non-negative.
  141. */
  142. if (sign < 0) {
  143. if (!BN_sub(Y, n, Y))
  144. goto err;
  145. }
  146. /* Now Y*a == A (mod |n|). */
  147. if (BN_is_one(A)) {
  148. /* Y*a == 1 (mod |n|) */
  149. if (!Y->neg && BN_ucmp(Y, n) < 0) {
  150. if (!BN_copy(R, Y))
  151. goto err;
  152. } else {
  153. if (!BN_nnmod(R, Y, n, ctx))
  154. goto err;
  155. }
  156. } else {
  157. *pnoinv = 1;
  158. /* caller sets the BN_R_NO_INVERSE error */
  159. goto err;
  160. }
  161. ret = R;
  162. *pnoinv = 0;
  163. err:
  164. if ((ret == NULL) && (in == NULL))
  165. BN_free(R);
  166. BN_CTX_end(ctx);
  167. bn_check_top(ret);
  168. return ret;
  169. }
  170. /*
  171. * This is an internal function, we assume all callers pass valid arguments:
  172. * all pointers passed here are assumed non-NULL.
  173. */
  174. BIGNUM *int_bn_mod_inverse(BIGNUM *in,
  175. const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
  176. int *pnoinv)
  177. {
  178. BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
  179. BIGNUM *ret = NULL;
  180. int sign;
  181. /* This is invalid input so we don't worry about constant time here */
  182. if (BN_abs_is_word(n, 1) || BN_is_zero(n)) {
  183. *pnoinv = 1;
  184. return NULL;
  185. }
  186. *pnoinv = 0;
  187. if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
  188. || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
  189. return bn_mod_inverse_no_branch(in, a, n, ctx, pnoinv);
  190. }
  191. bn_check_top(a);
  192. bn_check_top(n);
  193. BN_CTX_start(ctx);
  194. A = BN_CTX_get(ctx);
  195. B = BN_CTX_get(ctx);
  196. X = BN_CTX_get(ctx);
  197. D = BN_CTX_get(ctx);
  198. M = BN_CTX_get(ctx);
  199. Y = BN_CTX_get(ctx);
  200. T = BN_CTX_get(ctx);
  201. if (T == NULL)
  202. goto err;
  203. if (in == NULL)
  204. R = BN_new();
  205. else
  206. R = in;
  207. if (R == NULL)
  208. goto err;
  209. if (!BN_one(X))
  210. goto err;
  211. BN_zero(Y);
  212. if (BN_copy(B, a) == NULL)
  213. goto err;
  214. if (BN_copy(A, n) == NULL)
  215. goto err;
  216. A->neg = 0;
  217. if (B->neg || (BN_ucmp(B, A) >= 0)) {
  218. if (!BN_nnmod(B, B, A, ctx))
  219. goto err;
  220. }
  221. sign = -1;
  222. /*-
  223. * From B = a mod |n|, A = |n| it follows that
  224. *
  225. * 0 <= B < A,
  226. * -sign*X*a == B (mod |n|),
  227. * sign*Y*a == A (mod |n|).
  228. */
  229. if (BN_is_odd(n) && (BN_num_bits(n) <= 2048)) {
  230. /*
  231. * Binary inversion algorithm; requires odd modulus. This is faster
  232. * than the general algorithm if the modulus is sufficiently small
  233. * (about 400 .. 500 bits on 32-bit systems, but much more on 64-bit
  234. * systems)
  235. */
  236. int shift;
  237. while (!BN_is_zero(B)) {
  238. /*-
  239. * 0 < B < |n|,
  240. * 0 < A <= |n|,
  241. * (1) -sign*X*a == B (mod |n|),
  242. * (2) sign*Y*a == A (mod |n|)
  243. */
  244. /*
  245. * Now divide B by the maximum possible power of two in the
  246. * integers, and divide X by the same value mod |n|. When we're
  247. * done, (1) still holds.
  248. */
  249. shift = 0;
  250. while (!BN_is_bit_set(B, shift)) { /* note that 0 < B */
  251. shift++;
  252. if (BN_is_odd(X)) {
  253. if (!BN_uadd(X, X, n))
  254. goto err;
  255. }
  256. /*
  257. * now X is even, so we can easily divide it by two
  258. */
  259. if (!BN_rshift1(X, X))
  260. goto err;
  261. }
  262. if (shift > 0) {
  263. if (!BN_rshift(B, B, shift))
  264. goto err;
  265. }
  266. /*
  267. * Same for A and Y. Afterwards, (2) still holds.
  268. */
  269. shift = 0;
  270. while (!BN_is_bit_set(A, shift)) { /* note that 0 < A */
  271. shift++;
  272. if (BN_is_odd(Y)) {
  273. if (!BN_uadd(Y, Y, n))
  274. goto err;
  275. }
  276. /* now Y is even */
  277. if (!BN_rshift1(Y, Y))
  278. goto err;
  279. }
  280. if (shift > 0) {
  281. if (!BN_rshift(A, A, shift))
  282. goto err;
  283. }
  284. /*-
  285. * We still have (1) and (2).
  286. * Both A and B are odd.
  287. * The following computations ensure that
  288. *
  289. * 0 <= B < |n|,
  290. * 0 < A < |n|,
  291. * (1) -sign*X*a == B (mod |n|),
  292. * (2) sign*Y*a == A (mod |n|),
  293. *
  294. * and that either A or B is even in the next iteration.
  295. */
  296. if (BN_ucmp(B, A) >= 0) {
  297. /* -sign*(X + Y)*a == B - A (mod |n|) */
  298. if (!BN_uadd(X, X, Y))
  299. goto err;
  300. /*
  301. * NB: we could use BN_mod_add_quick(X, X, Y, n), but that
  302. * actually makes the algorithm slower
  303. */
  304. if (!BN_usub(B, B, A))
  305. goto err;
  306. } else {
  307. /* sign*(X + Y)*a == A - B (mod |n|) */
  308. if (!BN_uadd(Y, Y, X))
  309. goto err;
  310. /*
  311. * as above, BN_mod_add_quick(Y, Y, X, n) would slow things down
  312. */
  313. if (!BN_usub(A, A, B))
  314. goto err;
  315. }
  316. }
  317. } else {
  318. /* general inversion algorithm */
  319. while (!BN_is_zero(B)) {
  320. BIGNUM *tmp;
  321. /*-
  322. * 0 < B < A,
  323. * (*) -sign*X*a == B (mod |n|),
  324. * sign*Y*a == A (mod |n|)
  325. */
  326. /* (D, M) := (A/B, A%B) ... */
  327. if (BN_num_bits(A) == BN_num_bits(B)) {
  328. if (!BN_one(D))
  329. goto err;
  330. if (!BN_sub(M, A, B))
  331. goto err;
  332. } else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
  333. /* A/B is 1, 2, or 3 */
  334. if (!BN_lshift1(T, B))
  335. goto err;
  336. if (BN_ucmp(A, T) < 0) {
  337. /* A < 2*B, so D=1 */
  338. if (!BN_one(D))
  339. goto err;
  340. if (!BN_sub(M, A, B))
  341. goto err;
  342. } else {
  343. /* A >= 2*B, so D=2 or D=3 */
  344. if (!BN_sub(M, A, T))
  345. goto err;
  346. if (!BN_add(D, T, B))
  347. goto err; /* use D (:= 3*B) as temp */
  348. if (BN_ucmp(A, D) < 0) {
  349. /* A < 3*B, so D=2 */
  350. if (!BN_set_word(D, 2))
  351. goto err;
  352. /*
  353. * M (= A - 2*B) already has the correct value
  354. */
  355. } else {
  356. /* only D=3 remains */
  357. if (!BN_set_word(D, 3))
  358. goto err;
  359. /*
  360. * currently M = A - 2*B, but we need M = A - 3*B
  361. */
  362. if (!BN_sub(M, M, B))
  363. goto err;
  364. }
  365. }
  366. } else {
  367. if (!BN_div(D, M, A, B, ctx))
  368. goto err;
  369. }
  370. /*-
  371. * Now
  372. * A = D*B + M;
  373. * thus we have
  374. * (**) sign*Y*a == D*B + M (mod |n|).
  375. */
  376. tmp = A; /* keep the BIGNUM object, the value does not matter */
  377. /* (A, B) := (B, A mod B) ... */
  378. A = B;
  379. B = M;
  380. /* ... so we have 0 <= B < A again */
  381. /*-
  382. * Since the former M is now B and the former B is now A,
  383. * (**) translates into
  384. * sign*Y*a == D*A + B (mod |n|),
  385. * i.e.
  386. * sign*Y*a - D*A == B (mod |n|).
  387. * Similarly, (*) translates into
  388. * -sign*X*a == A (mod |n|).
  389. *
  390. * Thus,
  391. * sign*Y*a + D*sign*X*a == B (mod |n|),
  392. * i.e.
  393. * sign*(Y + D*X)*a == B (mod |n|).
  394. *
  395. * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
  396. * -sign*X*a == B (mod |n|),
  397. * sign*Y*a == A (mod |n|).
  398. * Note that X and Y stay non-negative all the time.
  399. */
  400. /*
  401. * most of the time D is very small, so we can optimize tmp := D*X+Y
  402. */
  403. if (BN_is_one(D)) {
  404. if (!BN_add(tmp, X, Y))
  405. goto err;
  406. } else {
  407. if (BN_is_word(D, 2)) {
  408. if (!BN_lshift1(tmp, X))
  409. goto err;
  410. } else if (BN_is_word(D, 4)) {
  411. if (!BN_lshift(tmp, X, 2))
  412. goto err;
  413. } else if (D->top == 1) {
  414. if (!BN_copy(tmp, X))
  415. goto err;
  416. if (!BN_mul_word(tmp, D->d[0]))
  417. goto err;
  418. } else {
  419. if (!BN_mul(tmp, D, X, ctx))
  420. goto err;
  421. }
  422. if (!BN_add(tmp, tmp, Y))
  423. goto err;
  424. }
  425. M = Y; /* keep the BIGNUM object, the value does not matter */
  426. Y = X;
  427. X = tmp;
  428. sign = -sign;
  429. }
  430. }
  431. /*-
  432. * The while loop (Euclid's algorithm) ends when
  433. * A == gcd(a,n);
  434. * we have
  435. * sign*Y*a == A (mod |n|),
  436. * where Y is non-negative.
  437. */
  438. if (sign < 0) {
  439. if (!BN_sub(Y, n, Y))
  440. goto err;
  441. }
  442. /* Now Y*a == A (mod |n|). */
  443. if (BN_is_one(A)) {
  444. /* Y*a == 1 (mod |n|) */
  445. if (!Y->neg && BN_ucmp(Y, n) < 0) {
  446. if (!BN_copy(R, Y))
  447. goto err;
  448. } else {
  449. if (!BN_nnmod(R, Y, n, ctx))
  450. goto err;
  451. }
  452. } else {
  453. *pnoinv = 1;
  454. goto err;
  455. }
  456. ret = R;
  457. err:
  458. if ((ret == NULL) && (in == NULL))
  459. BN_free(R);
  460. BN_CTX_end(ctx);
  461. bn_check_top(ret);
  462. return ret;
  463. }
  464. /* solves ax == 1 (mod n) */
  465. BIGNUM *BN_mod_inverse(BIGNUM *in,
  466. const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
  467. {
  468. BN_CTX *new_ctx = NULL;
  469. BIGNUM *rv;
  470. int noinv = 0;
  471. if (ctx == NULL) {
  472. ctx = new_ctx = BN_CTX_new();
  473. if (ctx == NULL) {
  474. BNerr(BN_F_BN_MOD_INVERSE, ERR_R_MALLOC_FAILURE);
  475. return NULL;
  476. }
  477. }
  478. rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
  479. if (noinv)
  480. BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
  481. BN_CTX_free(new_ctx);
  482. return rv;
  483. }
  484. /*-
  485. * This function is based on the constant-time GCD work by Bernstein and Yang:
  486. * https://eprint.iacr.org/2019/266
  487. * Generalized fast GCD function to allow even inputs.
  488. * The algorithm first finds the shared powers of 2 between
  489. * the inputs, and removes them, reducing at least one of the
  490. * inputs to an odd value. Then it proceeds to calculate the GCD.
  491. * Before returning the resulting GCD, we take care of adding
  492. * back the powers of two removed at the beginning.
  493. * Note 1: we assume the bit length of both inputs is public information,
  494. * since access to top potentially leaks this information.
  495. */
  496. int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
  497. {
  498. BIGNUM *g, *temp = NULL;
  499. BN_ULONG mask = 0;
  500. int i, j, top, rlen, glen, m, bit = 1, delta = 1, cond = 0, shifts = 0, ret = 0;
  501. /* Note 2: zero input corner cases are not constant-time since they are
  502. * handled immediately. An attacker can run an attack under this
  503. * assumption without the need of side-channel information. */
  504. if (BN_is_zero(in_b)) {
  505. ret = BN_copy(r, in_a) != NULL;
  506. r->neg = 0;
  507. return ret;
  508. }
  509. if (BN_is_zero(in_a)) {
  510. ret = BN_copy(r, in_b) != NULL;
  511. r->neg = 0;
  512. return ret;
  513. }
  514. bn_check_top(in_a);
  515. bn_check_top(in_b);
  516. BN_CTX_start(ctx);
  517. temp = BN_CTX_get(ctx);
  518. g = BN_CTX_get(ctx);
  519. /* make r != 0, g != 0 even, so BN_rshift is not a potential nop */
  520. if (g == NULL
  521. || !BN_lshift1(g, in_b)
  522. || !BN_lshift1(r, in_a))
  523. goto err;
  524. /* find shared powers of two, i.e. "shifts" >= 1 */
  525. for (i = 0; i < r->dmax && i < g->dmax; i++) {
  526. mask = ~(r->d[i] | g->d[i]);
  527. for (j = 0; j < BN_BITS2; j++) {
  528. bit &= mask;
  529. shifts += bit;
  530. mask >>= 1;
  531. }
  532. }
  533. /* subtract shared powers of two; shifts >= 1 */
  534. if (!BN_rshift(r, r, shifts)
  535. || !BN_rshift(g, g, shifts))
  536. goto err;
  537. /* expand to biggest nword, with room for a possible extra word */
  538. top = 1 + ((r->top >= g->top) ? r->top : g->top);
  539. if (bn_wexpand(r, top) == NULL
  540. || bn_wexpand(g, top) == NULL
  541. || bn_wexpand(temp, top) == NULL)
  542. goto err;
  543. /* re arrange inputs s.t. r is odd */
  544. BN_consttime_swap((~r->d[0]) & 1, r, g, top);
  545. /* compute the number of iterations */
  546. rlen = BN_num_bits(r);
  547. glen = BN_num_bits(g);
  548. m = 4 + 3 * ((rlen >= glen) ? rlen : glen);
  549. for (i = 0; i < m; i++) {
  550. /* conditionally flip signs if delta is positive and g is odd */
  551. cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
  552. /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
  553. & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
  554. delta = (-cond & -delta) | ((cond - 1) & delta);
  555. r->neg ^= cond;
  556. /* swap */
  557. BN_consttime_swap(cond, r, g, top);
  558. /* elimination step */
  559. delta++;
  560. if (!BN_add(temp, g, r))
  561. goto err;
  562. BN_consttime_swap(g->d[0] & 1 /* g is odd */
  563. /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
  564. & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
  565. g, temp, top);
  566. if (!BN_rshift1(g, g))
  567. goto err;
  568. }
  569. /* remove possible negative sign */
  570. r->neg = 0;
  571. /* add powers of 2 removed, then correct the artificial shift */
  572. if (!BN_lshift(r, r, shifts)
  573. || !BN_rshift1(r, r))
  574. goto err;
  575. ret = 1;
  576. err:
  577. BN_CTX_end(ctx);
  578. bn_check_top(r);
  579. return ret;
  580. }