Return earlier if inverse is not found in |BN_mod_inverse_ex|.
Make |BN_mod_inverse_ex| symmetric with |BN_mod_inverse_no_branch| in
this respect.
Change-Id: I4a5cbe685edf50e13ee1014391bc4001f5371fec
Reviewed-on: https://boringssl-review.googlesource.com/8316
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/bn/gcd.c b/crypto/bn/gcd.c
index c9a7123..52db569 100644
--- a/crypto/bn/gcd.c
+++ b/crypto/bn/gcd.c
@@ -500,6 +500,12 @@
}
}
+ if (!BN_is_one(A)) {
+ *out_no_inverse = 1;
+ OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
+ goto err;
+ }
+
/* The while loop (Euclid's algorithm) ends when
* A == gcd(a,n);
* we have
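Review bot: The new `if (!BN_is_one(A))` guard sits above the block comment that states the invariant it relies on (A == gcd(a,n) once the loop ends), so the check reads as unexplained at the point where it appears. A one-line comment on the guard would fix that, for example `/* A == gcd(a, n); no inverse exists unless it is 1. */`. Callers presumably use `*out_no_inverse` to tell a non-invertible input apart from an allocation failure, so it is worth confirming the flag is cleared before any earlier `goto err` can be taken. That initialization, and the rest of the function body, are outside this hunk.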
@@ -513,22 +519,17 @@
}
/* Now Y*a == A (mod |n|). */
- if (BN_is_one(A)) {
- /* Y*a == 1 (mod |n|) */
- if (!Y->neg && BN_ucmp(Y, n) < 0) {
- if (!BN_copy(R, Y)) {
- goto err;
- }
- } else {
- if (!BN_nnmod(R, Y, n, ctx)) {
- goto err;
- }
+ /* Y*a == 1 (mod |n|) */
+ if (!Y->neg && BN_ucmp(Y, n) < 0) {
+ if (!BN_copy(R, Y)) {
+ goto err;
}
} else {
- *out_no_inverse = 1;
- OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
- goto err;
+ if (!BN_nnmod(R, Y, n, ctx)) {
+ goto err;
+ }
}
+
ret = R;
err:
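Review bot: The two adjacent comments `/* Now Y*a == A (mod |n|). */` and `/* Y*a == 1 (mod |n|) */` are now redundant, because the earlier guard guarantees A == 1 by the time this code runs. The first one is left as context and reads as if A could still be a non-trivial gcd here. Folding them into one, such as `/* Now Y*a == 1 (mod |n|); A == 1 was checked above. */`, keeps the invariant explicit for anyone auditing the reduction into R. The function body starts before this hunk and the `err:` cleanup continues past it.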