Old bug in gcry_mpi_invm producing wrong result

Guido Vranken guidovranken at gmail.com
Tue May 10 12:51:00 CEST 2022


Thank you. I have confirmed that your patch resolves the issue.

However, I tried again with 1.8.0 and at that version, the reproducer prints
"Inverse exists".

On Tue, May 10, 2022 at 9:05 AM NIIBE Yutaka <gniibe at fsij.org> wrote:

> Guido Vranken wrote:
> > It says that InvMod(18446744073709551615,
> > 340282366762482138434845932244680310781) is
> > 170141183381241069226646338154899963903 but that's not true, because
> > 170141183381241069226646338154899963903 * 18446744073709551615 %
> > 340282366762482138434845932244680310781 is 4294967297, not 1.
>
> Thank you for your report.  With libgcrypt 1.8, it works correctly.
>
> It is tracked by: https://dev.gnupg.org/T5970
>
> The fix I pushed is:
>
> diff --git a/mpi/mpih-const-time.c b/mpi/mpih-const-time.c
> index b527ad79..9d74d190 100644
> --- a/mpi/mpih-const-time.c
> +++ b/mpi/mpih-const-time.c
> @@ -204,6 +204,13 @@ _gcry_mpih_cmp_ui (mpi_ptr_t up, mpi_size_t usize,
> unsigned long v)
>      is_all_zero &= (up[i] == 0);
>
>    if (is_all_zero)
> -    return up[0] - v;
> +    {
> +      if (up[0] < v)
> +        return -1;
> +      else if (up[0] > v)
> +        return 1;
> +      else
> +        return 0;
> +    }
>    return 1;
>  }
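Review bot: in a file named mpih-const-time.c, the new three-way compare inside `if (is_all_zero)` branches on the values of `up[0]` and `v`; if that limb can ever be secret, the same sign is available without data-dependent branches as `return (up[0] > v) - (up[0] < v);`. A one-line comment above the block explaining why the old `return up[0] - v;` was wrong (an unsigned limb difference narrowed to int drops its high bits and sign on a 64-bit limb) would also help, since without it the change reads like a gratuitous rewrite.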
>
>
>
> The expression of up[0] - v is only correct on 32-bit architecture.
> It may return wrong result on 64-bit architecture.
> --
>
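The narrowing bug the fix addresses, shown as an added C example that is not part of this thread or of libgcrypt (the limb type, function names and the branch-free variant are mine; the input 2^32 + 1 is the residue 4294967297 quoted in the report, which the narrowed comparison mistakes for equality with 1):

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a 64-bit limb (assumed name, not libgcrypt's mpi_limb_t). */
typedef uint64_t limb_t;

/* Pre-patch form: an unsigned 64-bit difference narrowed to int. The original
   did the narrowing implicitly via the return type; the cast is explicit here.
   On the usual ABIs only the low 32 bits survive, so any difference that is a
   multiple of 2^32 collapses to 0, i.e. "equal". */
static int cmp_limb_buggy(limb_t u, unsigned long v)
{
    return (int)(u - v);
}

/* Patched form: an explicit three-way comparison. */
static int cmp_limb_fixed(limb_t u, unsigned long v)
{
    if (u < v)
        return -1;
    else if (u > v)
        return 1;
    else
        return 0;
}

/* Same sign without data-dependent branches, for callers that need the
   running time to be independent of the limb value. */
static int cmp_limb_branchless(limb_t u, unsigned long v)
{
    return (int)(u > v) - (int)(u < v);
}

int main(void)
{
    /* Constructed input: 2^32 + 1, the residue quoted in the report, against v = 1. */
    limb_t u = 4294967297ULL;
    printf("buggy      : %d\n", cmp_limb_buggy(u, 1));       /* 0, wrongly "equal" */
    printf("fixed      : %d\n", cmp_limb_fixed(u, 1));       /* 1 */
    printf("branchless : %d\n", cmp_limb_branchless(u, 1));  /* 1 */
    return 0;
}
```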