Move "no inverse" test earlier in |BN_mod_inverse_no_branch|.

There's no use doing the remaining work if we're going to fail due to
there being no inverse.

Change-Id: Ic6d7c92cbbc2f7c40c51e6be2de3802980d32543
Reviewed-on: https://boringssl-review.googlesource.com/8310
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/bn/gcd.c b/crypto/bn/gcd.c
index 41ca6d2..c9a7123 100644
--- a/crypto/bn/gcd.c
+++ b/crypto/bn/gcd.c
@@ -668,6 +668,12 @@
     sign = -sign;
   }
 
+  if (!BN_is_one(A)) {
+    *out_no_inverse = 1;
+    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
+    goto err;
+  }
+
   /*
    * The while loop (Euclid's algorithm) ends when
    *      A == gcd(a,n);
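Review bot: The new `if (!BN_is_one(A))` exit sits above the comment that establishes `A == gcd(a,n)`, so a reader meets the test before its justification. Either move the check below that comment block or give it a comment of its own, such as `/* A == gcd(a,n) here; no inverse exists unless it is 1. */`. Callers that separate "no inverse" from other failures depend on `*out_no_inverse` being cleared before any earlier `goto err`. That initialisation is not visible in this hunk and should be confirmed. The function body begins and ends outside the hunk.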
@@ -683,22 +689,17 @@
   }
   /* Now  Y*a  ==  A  (mod |n|).  */
 
-  if (BN_is_one(A)) {
-    /* Y*a == 1  (mod |n|) */
-    if (!Y->neg && BN_ucmp(Y, n) < 0) {
-      if (!BN_copy(R, Y)) {
-        goto err;
-      }
-    } else {
-      if (!BN_nnmod(R, Y, n, ctx)) {
-        goto err;
-      }
+  /* Y*a == 1  (mod |n|) */
+  if (!Y->neg && BN_ucmp(Y, n) < 0) {
+    if (!BN_copy(R, Y)) {
+      goto err;
     }
   } else {
-    *out_no_inverse = 1;
-    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
-    goto err;
+    if (!BN_nnmod(R, Y, n, ctx)) {
+      goto err;
+    }
   }
+
   ret = R;
 
 err:
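Review bot: The reduction step `if (!Y->neg && BN_ucmp(Y, n) < 0)` still chooses between `BN_copy` and `BN_nnmod` according to the value of Y, which looks at odds with a function named `BN_mod_inverse_no_branch`, presumably used when the operands are secret. This commit does not introduce that, but since the block is rewritten here it deserves a comment saying whether the value-dependent path is acceptable, e.g. `/* NOTE: path taken depends on Y; confirm acceptable for secret inputs. */`. The retained `/* Y*a == 1  (mod |n|) */` comment is now true only because of the check added in the earlier hunk. `/* A == 1 was checked above, so Y*a == 1 (mod |n|). */` would make that explicit. The function body begins and ends outside the hunk.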