Merge branch 'master' into IPECC

README.md

@@ -1,8 +1,8 @@
-[![compilation](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_compilation_tests.yml/badge.svg?branch=master)](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_compilation_tests.yml)
-[![runtime](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_runtime_tests.yml/badge.svg?branch=master)](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_runtime_tests.yml)
-[![crossarch](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_crossarch_tests.yml/badge.svg?branch=master)](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_crossarch_tests.yml)
-[![python](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_python_tests.yml/badge.svg?branch=master)](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_python_tests.yml)
-[![examples](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_examples.yml/badge.svg?branch=master)](https://github.com/ANSSI-FR/libecc/actions/workflows/libecc_examples.yml)
+[![compilation](https://github.com/libecc/libecc/actions/workflows/libecc_compilation_tests.yml/badge.svg?branch=master)](https://github.com/libecc/libecc/actions/workflows/libecc_compilation_tests.yml)
+[![runtime](https://github.com/libecc/libecc/actions/workflows/libecc_runtime_tests.yml/badge.svg?branch=master)](https://github.com/libecc/libecc/actions/workflows/libecc_runtime_tests.yml)
+[![crossarch](https://github.com/libecc/libecc/actions/workflows/libecc_crossarch_tests.yml/badge.svg?branch=master)](https://github.com/libecc/libecc/actions/workflows/libecc_crossarch_tests.yml)
+[![python](https://github.com/libecc/libecc/actions/workflows/libecc_python_tests.yml/badge.svg?branch=master)](https://github.com/libecc/libecc/actions/workflows/libecc_python_tests.yml)
+[![examples](https://github.com/libecc/libecc/actions/workflows/libecc_examples.yml/badge.svg?branch=master)](https://github.com/libecc/libecc/actions/workflows/libecc_examples.yml)
 
 
 # libecc project

common.mk

@@ -57,12 +57,12 @@ WARNING_CFLAGS += -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=
 endif
 endif
 
-# In case of clang version >= 17, the new -Wunsafe-buffer-usage
+# In case of clang version >= 16, the new -Wunsafe-buffer-usage
 # flag is really picky for many false positives, remove it
 ifneq ($(CLANG),)
-CLANG_VERSION_GTE_17_EXPRESSION := $(shell echo `$(CROSS_COMPILE)$(CC) -dumpversion | cut -f1-2 -d.` \>= 17.0 | sed -e 's/\./*100+/g')
-CLANG_VERSION_GTE_17 := $(shell awk "BEGIN{printf \"%d\n\", $(CLANG_VERSION_GTE_17_EXPRESSION)}")
-  ifeq ($(CLANG_VERSION_GTE_17), 1)
+CLANG_VERSION_GTE_16_EXPRESSION := $(shell echo `$(CROSS_COMPILE)$(CC) -dumpversion | cut -f1-2 -d.` \>= 16.0 | sed -e 's/\./*100+/g')
+CLANG_VERSION_GTE_16 := $(shell awk "BEGIN{printf \"%d\n\", $(CLANG_VERSION_GTE_16_EXPRESSION)}")
+  ifeq ($(CLANG_VERSION_GTE_16), 1)
   # NOTE: XXX: this is really a shame to remove this, but
   # we have to wait until this is less sensitive and false positive
   # prone to use it!

src/nn/nn_modinv.c

@@ -303,7 +303,12 @@ ATTRIBUTE_WARN_UNUSED_RET static inline int _nn_sub_mod_2exp(nn_t A, nn_src_t B)
 /*
  * Invert x modulo 2^exp using Hensel lifting. Returns 0 on success, -1 on
  * error. On success, x_isodd is 1 if x is odd, 0 if it is even.
- * Operations are done in *constant time*. The function supports aliasing.
+ * Please note that the result is correct (inverse of x) only when x is prime
+ * to 2^exp, i.e. x is odd (x_odd is 1).
+ *
+ * Operations are done in *constant time*.
+ *
+ * Aliasing is supported.
  */
 int nn_modinv_2exp(nn_t _out, nn_src_t x, bitcnt_t exp, int *x_isodd)
 {
@@ -325,6 +330,11 @@ int nn_modinv_2exp(nn_t _out, nn_src_t x, bitcnt_t exp, int *x_isodd)
 	ret = nn_init(&tmp_sqr, 0); EG(ret, err);
 	ret = nn_init(&tmp_mul, 0); EG(ret, err);
 	ret = nn_isodd(x, &isodd); EG(ret, err);
+	if (exp == (bitcnt_t)0){
+		/* Specific case of zero exponent, output 0 */
+		(*x_isodd) = isodd;
+		goto err;
+	}
 	if (!isodd) {
 		ret = nn_zero(_out); EG(ret, err);
 		(*x_isodd) = 0;
@@ -444,7 +454,13 @@ ATTRIBUTE_WARN_UNUSED_RET static int _nn_modinv_fermat_common(nn_t out, nn_src_t
 
 	/* 0 is not invertible in any case */
 	ret = nn_iszero(x, &cmp); EG(ret, err);
-	MUST_HAVE((!cmp), ret, err);
+	if(cmp){
+		/* Zero the output and return an error */
+		ret = nn_init(out, 0); EG(ret, err);
+		ret = nn_zero(out); EG(ret, err);
+		ret = -1;
+		goto err;
+	}
 
 	/* For p <= 2, p being prime either p = 1 or p = 2.
 	 * When p = 2, only 1 has an inverse, if p = 1 no one has an inverse.
@@ -461,20 +477,28 @@ ATTRIBUTE_WARN_UNUSED_RET static int _nn_modinv_fermat_common(nn_t out, nn_src_t
 			ret = 0;
 		}
 		else{
-			/* x is even, no inverse */
+			/* x is even, no inverse. Zero the output */
+			ret = nn_init(out, 0); EG(ret, err);
+			ret = nn_zero(out); EG(ret, err);
 			ret = -1;
 		}
 		(*lesstwo) = 1;
 		goto err;
         } else if (cmp < 0){
 		/* This is the p = 1 case, no inverse here: hence return an error */
+		/* Zero the output */
+		ret = nn_init(out, 0); EG(ret, err);
+		ret = nn_zero(out); EG(ret, err);
 		ret = -1;
 		(*lesstwo) = 1;
 		goto err;
 	}
 
 	/* Else we compute (p-2) for the upper layer */
-	ret = nn_init(p_minus_two, 0); EG(ret, err);
+	if(p != p_minus_two){
+		/* Handle aliasing of p and p_minus_two */
+		ret = nn_init(p_minus_two, 0); EG(ret, err);
+	}
 
 	ret = nn_init(&two, 0); EG(ret, err);
 	ret = nn_set_word_value(&two, WORD(2)); EG(ret, err);
@@ -498,8 +522,10 @@ ATTRIBUTE_WARN_UNUSED_RET static int _nn_modinv_fermat_common(nn_t out, nn_src_t
  * XXX WARNING: using this function with p not prime will produce wrong
  * results without triggering an error!
  *
- * The function supports aliasing. It returns 0 on success, -1 on error
+ * The function returns 0 on success, -1 on error
  * (e.g. if x has no inverse modulo p, i.e. x = 0).
+ *
+ * Aliasing is supported.
  */
 int nn_modinv_fermat(nn_t out, nn_src_t x, nn_src_t p)
 {
@@ -532,8 +558,10 @@ int nn_modinv_fermat(nn_t out, nn_src_t x, nn_src_t p)
  * XXX WARNING: using this function with p not prime will produce wrong
  * results without triggering an error!
  *
- * The function supports aliasing. It returns 0 on success, -1 on error
+ * The function returns 0 on success, -1 on error
  * (e.g. if x has no inverse modulo p, i.e. x = 0).
+ *
+ * Aliasing is supported.
  */
 int nn_modinv_fermat_redc(nn_t out, nn_src_t x, nn_src_t p, nn_src_t r, nn_src_t r_square, word_t mpinv)
 {