From 00076b4907f67c3e6eb60ab89994fa5125319296 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 7 Aug 2025 12:44:11 +0200 Subject: [PATCH 1/7] Expand testing for mbedtls_mpi_inv_mod() again MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the next refactoring we'll have: - pretty different paths for N odd or even, - possibly different paths for A <= 0, in [0, N) or above, - possibly special cases when A % N is 0 or 1. Pick two small moduli of different parities (3 and 4) and go over the range [-(N+1), 2N-1] with A. This should ensure we naturally run into all special cases. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_bignum.misc.data | 69 ++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 7b0c1e7323..4d8f2509e3 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -1525,6 +1525,75 @@ mpi_gcd:"-9986dabb54d13cd9fe0d9da594a97e8372ab26ed98ff622b31b1ea42e3a265019039ac Base test mbedtls_mpi_inv_mod #1 mpi_inv_mod:"3":"b":"4":0 +Base test mbedtls_mpi_inv_mod: 0 mod 3 +mpi_inv_mod:"0":"3":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: 1 mod 3 +mpi_inv_mod:"1":"3":"1":0 + +Base test mbedtls_mpi_inv_mod: 2 mod 3 +mpi_inv_mod:"2":"3":"2":0 + +Base test mbedtls_mpi_inv_mod: 3 mod 3 +mpi_inv_mod:"0":"3":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: 4 mod 3 +mpi_inv_mod:"4":"3":"1":0 + +Base test mbedtls_mpi_inv_mod: 5 mod 3 +mpi_inv_mod:"5":"3":"2":0 + +Base test mbedtls_mpi_inv_mod: -1 mod 3 +mpi_inv_mod:"-1":"3":"2":0 + +Base test mbedtls_mpi_inv_mod: -2 mod 3 +mpi_inv_mod:"-2":"3":"1":0 + +Base test mbedtls_mpi_inv_mod: -3 mod 3 +mpi_inv_mod:"-3":"3":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: -4 mod 3 +mpi_inv_mod:"-4":"3":"2":0 + +Base test mbedtls_mpi_inv_mod: 0 mod 4 +mpi_inv_mod:"0":"4":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: 1 mod 4 +mpi_inv_mod:"1":"4":"1":0 + +Base test mbedtls_mpi_inv_mod: 2 mod 4 +mpi_inv_mod:"2":"4":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: 3 mod 4 +mpi_inv_mod:"3":"4":"3":0 + +Base test mbedtls_mpi_inv_mod: 4 mod 4 +mpi_inv_mod:"4":"4":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: 5 mod 4 +mpi_inv_mod:"5":"4":"1":0 + +Base test mbedtls_mpi_inv_mod: 6 mod 4 +mpi_inv_mod:"6":"4":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: 7 mod 4 +mpi_inv_mod:"7":"4":"3":0 + +Base test mbedtls_mpi_inv_mod: -1 mod 4 +mpi_inv_mod:"-1":"4":"3":0 + +Base test mbedtls_mpi_inv_mod: -2 mod 4 +mpi_inv_mod:"-2":"4":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: -3 mod 4 +mpi_inv_mod:"-3":"4":"1":0 + +Base test mbedtls_mpi_inv_mod: -4 mod 4 +mpi_inv_mod:"-4":"4":"":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE + +Base test mbedtls_mpi_inv_mod: -5 mod 4 +mpi_inv_mod:"-5":"4":"3":0 + Test mbedtls_mpi_inv_mod: mod 0 (null) mpi_inv_mod:"3":"":"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA From cdfd1c9c7d35309d43b0ccc122b96ee0d861b7b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 8 Aug 2025 09:21:23 +0200 Subject: [PATCH 2/7] bignum: use CT modinv when N is odd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/bignum.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index 4f7ca16cda..617a7abf3c 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1968,6 +1968,35 @@ int mbedtls_mpi_random(mbedtls_mpi *X, return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng); } +/* + * Modular inverse: X = A^-1 mod N with N odd (and A any range) + */ +static int mbedtls_mpi_inv_mod_odd(mbedtls_mpi *X, + const mbedtls_mpi *A, + const mbedtls_mpi *N) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_mpi T, G; + + mbedtls_mpi_init(&T); + mbedtls_mpi_init(&G); + + MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, A, N)); + MBEDTLS_MPI_CHK(mbedtls_mpi_gcd_modinv_odd(&G, &T, &T, N)); + if (mbedtls_mpi_cmp_int(&G, 1) != 0) { + ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + goto cleanup; + } + + MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &T)); + +cleanup: + mbedtls_mpi_free(&T); + mbedtls_mpi_free(&G); + + return ret; +} + /* * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64) */ @@ -1980,6 +2009,10 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } + if (mbedtls_mpi_get_bit(N, 0) == 1) { + return mbedtls_mpi_inv_mod_odd(X, A, N); + } + mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2); mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV); mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2); From e41709c17eb4be2cacbf77262f6746aa8c499958 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 8 Aug 2025 09:23:43 +0200 Subject: [PATCH 3/7] bignum: use CT modinv when A is odd and in [2, N) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/bignum.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index 617a7abf3c..c742fc9cb5 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1997,6 +1997,54 @@ cleanup: return ret; } +/* + * Compute X = A^-1 mod N with N even, A odd and 1 < A < N. + * + * This is not obvious because our constant-time modinv function only works with + * an odd modulus, and here the modulus is even. The idea is that computing a + * a^-1 mod b is really just computing the u coefficient in the Bézout relation + * a*u + b*v = 1 (assuming gcd(a,b) = 1, ie the inverse exists). But if we know + * one of u, v in this relation then the other is easy to find. So we can + * actually start by computing N^-1 mod A with gives us "the wrong half" of the + * Bézout relation, from which we'll deduce the interesting half A^-1 mod N. + * + * Return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the inverse doesn't exist. + */ +static int mbedtls_mpi_inv_mod_even_in_range(mbedtls_mpi *X, + mbedtls_mpi const *A, + mbedtls_mpi const *N) +{ + int ret; + mbedtls_mpi I, G; + + mbedtls_mpi_init(&I); + mbedtls_mpi_init(&G); + + /* Set I = N^-1 mod A */ + MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&I, N, A)); + MBEDTLS_MPI_CHK(mbedtls_mpi_gcd_modinv_odd(&G, &I, &I, A)); + if (mbedtls_mpi_cmp_int(&G, 1) != 0) { + ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + goto cleanup; + } + + /* We know N * I = 1 + k * A for some k, which we can easily compute + * as k = (N*I - 1) / A (we know there will be no remainder). */ + MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&I, &I, N)); + MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&I, &I, 1)); + MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&G, NULL, &I, A)); + + /* Now we have a Bézout relation N * (previous value of I) - G * A = 1, + * so A^-1 mod N is -G mod N, which is N - G. + * Note that 0 < k < N since 0 < I < A, so G (k) is already in range. */ + MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, N, &G)); + +cleanup: + mbedtls_mpi_free(&I); + mbedtls_mpi_free(&G); + return ret; +} + /* * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64) */ @@ -2013,6 +2061,12 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return mbedtls_mpi_inv_mod_odd(X, A, N); } + if (mbedtls_mpi_get_bit(A, 0) == 1 && + mbedtls_mpi_cmp_int(A, 1) > 0 && + mbedtls_mpi_cmp_mpi(A, N) < 0) { + return mbedtls_mpi_inv_mod_even_in_range(X, A, N); + } + mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2); mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV); mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2); From 1ac0a1e0714683a9dc2c87c2944d8e82d9bc87f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 8 Aug 2025 09:25:28 +0200 Subject: [PATCH 4/7] bignum: use CT modinv when A is odd (any range) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/bignum.c | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index c742fc9cb5..137afb07bc 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2045,6 +2045,42 @@ cleanup: return ret; } +/* + * Compute X = A^-1 mod N with N even and A odd (but in any range). + * + * Return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the inverse doesn't exist. + */ +static int mbedtls_mpi_inv_mod_even(mbedtls_mpi *X, + mbedtls_mpi const *A, + mbedtls_mpi const *N) +{ + int ret; + mbedtls_mpi AA; + + mbedtls_mpi_init(&AA); + + /* Bring A in the range [0, N). */ + MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&AA, A, N)); + + /* We know A >= 0 but the next functions wants A > 1 */ + int cmp = mbedtls_mpi_cmp_int(&AA, 1); + if (cmp < 0) { // AA == 0 + ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + goto cleanup; + } + if (cmp == 0) { // AA = 1 + MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 1)); + goto cleanup; + } + + /* Now we know 1 < A < N, N is even and AA is still odd */ + MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod_even_in_range(X, &AA, N)); + +cleanup: + mbedtls_mpi_free(&AA); + return ret; +} + /* * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64) */ @@ -2061,10 +2097,8 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return mbedtls_mpi_inv_mod_odd(X, A, N); } - if (mbedtls_mpi_get_bit(A, 0) == 1 && - mbedtls_mpi_cmp_int(A, 1) > 0 && - mbedtls_mpi_cmp_mpi(A, N) < 0) { - return mbedtls_mpi_inv_mod_even_in_range(X, A, N); + if (mbedtls_mpi_get_bit(A, 0) == 1) { + return mbedtls_mpi_inv_mod_even(X, A, N); } mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2); From 40dfc811efe4c10b77333b4edcfc6805bb49beac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 8 Aug 2025 09:27:29 +0200 Subject: [PATCH 5/7] bignum: remove dead variable-time inv_mod code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/bignum.c | 83 +++--------------------------------------------- 1 file changed, 5 insertions(+), 78 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 137afb07bc..bd09710ba4 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2082,13 +2082,12 @@ cleanup: } /* - * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64) + * Modular inverse: X = A^-1 mod N + * + * Wrapper around mbedtls_mpi_gcd_modinv_odd() that lifts its limitations. */ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2; - if (mbedtls_mpi_cmp_int(N, 1) <= 0) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } @@ -2101,80 +2100,8 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return mbedtls_mpi_inv_mod_even(X, A, N); } - mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2); - mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV); - mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2); - - MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N)); - - if (mbedtls_mpi_cmp_int(&G, 1) != 0) { - ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; - goto cleanup; - } - - MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N)); - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA)); - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N)); - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N)); - - MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0)); - MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0)); - MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1)); - - do { - while ((TU.p[0] & 1) == 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1)); - - if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB)); - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA)); - } - - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1)); - } - - while ((TV.p[0] & 1) == 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1)); - - if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB)); - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA)); - } - - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1)); - } - - if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV)); - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2)); - } else { - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU)); - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2)); - } - } while (mbedtls_mpi_cmp_int(&TU, 0) != 0); - - while (mbedtls_mpi_cmp_int(&V1, 0) < 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N)); - } - - while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N)); - } - - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1)); - -cleanup: - - mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2); - mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV); - mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2); - - return ret; + /* If A and N are both even, 2 divides they GCD, so no inverse. */ + return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; } #if defined(MBEDTLS_GENPRIME) From 7a5447ff65bb5d0092ca73bfc953c0e7445f1795 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 12 Aug 2025 09:18:28 +0200 Subject: [PATCH 6/7] Fix a few typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Felix Conway Signed-off-by: Manuel Pégourié-Gonnard --- library/bignum.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index bd09710ba4..16b1449dd3 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2003,7 +2003,7 @@ cleanup: * This is not obvious because our constant-time modinv function only works with * an odd modulus, and here the modulus is even. The idea is that computing a * a^-1 mod b is really just computing the u coefficient in the Bézout relation - * a*u + b*v = 1 (assuming gcd(a,b) = 1, ie the inverse exists). But if we know + * a*u + b*v = 1 (assuming gcd(a,b) = 1, i.e. the inverse exists). But if we know * one of u, v in this relation then the other is easy to find. So we can * actually start by computing N^-1 mod A with gives us "the wrong half" of the * Bézout relation, from which we'll deduce the interesting half A^-1 mod N. @@ -2062,7 +2062,7 @@ static int mbedtls_mpi_inv_mod_even(mbedtls_mpi *X, /* Bring A in the range [0, N). */ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&AA, A, N)); - /* We know A >= 0 but the next functions wants A > 1 */ + /* We know A >= 0 but the next function wants A > 1 */ int cmp = mbedtls_mpi_cmp_int(&AA, 1); if (cmp < 0) { // AA == 0 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; @@ -2100,7 +2100,7 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return mbedtls_mpi_inv_mod_even(X, A, N); } - /* If A and N are both even, 2 divides they GCD, so no inverse. */ + /* If A and N are both even, 2 divides their GCD, so no inverse. */ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; } From a08faf90700e46f6aa2a6e3fee8a6a71ddb816ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 12 Aug 2025 09:24:15 +0200 Subject: [PATCH 7/7] bignum: follow customs for ret initialisation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/bignum.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 16b1449dd3..ccccff51b6 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2014,7 +2014,7 @@ static int mbedtls_mpi_inv_mod_even_in_range(mbedtls_mpi *X, mbedtls_mpi const *A, mbedtls_mpi const *N) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi I, G; mbedtls_mpi_init(&I); @@ -2054,7 +2054,7 @@ static int mbedtls_mpi_inv_mod_even(mbedtls_mpi *X, mbedtls_mpi const *A, mbedtls_mpi const *N) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi AA; mbedtls_mpi_init(&AA);