ring-native 0.0.0 → 0.1.0

data/vendor/ring/crypto/bn/gcd.c

@@ -1,711 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <openssl/err.h>
-
-#include "internal.h"
-
-static BIGNUM *euclid(BIGNUM *a, BIGNUM *b) {
-  BIGNUM *t;
-  int shifts = 0;
-
-  /* 0 <= b <= a */
-  while (!BN_is_zero(b)) {
-    /* 0 < b <= a */
-
-    if (BN_is_odd(a)) {
-      if (BN_is_odd(b)) {
-        if (!BN_sub(a, a, b)) {
-          goto err;
-        }
-        if (!BN_rshift1(a, a)) {
-          goto err;
-        }
-        if (BN_cmp(a, b) < 0) {
-          t = a;
-          a = b;
-          b = t;
-        }
-      } else {
-        /* a odd - b even */
-        if (!BN_rshift1(b, b)) {
-          goto err;
-        }
-        if (BN_cmp(a, b) < 0) {
-          t = a;
-          a = b;
-          b = t;
-        }
-      }
-    } else {
-      /* a is even */
-      if (BN_is_odd(b)) {
-        if (!BN_rshift1(a, a)) {
-          goto err;
-        }
-        if (BN_cmp(a, b) < 0) {
-          t = a;
-          a = b;
-          b = t;
-        }
-      } else {
-        /* a even - b even */
-        if (!BN_rshift1(a, a)) {
-          goto err;
-        }
-        if (!BN_rshift1(b, b)) {
-          goto err;
-        }
-        shifts++;
-      }
-    }
-    /* 0 <= b <= a */
-  }
-
-  if (shifts) {
-    if (!BN_lshift(a, a, shifts)) {
-      goto err;
-    }
-  }
-
-  return a;
-
-err:
-  return NULL;
-}
-
-int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) {
-  BIGNUM *a, *b, *t;
-  int ret = 0;
-
-  BN_CTX_start(ctx);
-  a = BN_CTX_get(ctx);
-  b = BN_CTX_get(ctx);
-
-  if (a == NULL || b == NULL) {
-    goto err;
-  }
-  if (BN_copy(a, in_a) == NULL) {
-    goto err;
-  }
-  if (BN_copy(b, in_b) == NULL) {
-    goto err;
-  }
-
-  a->neg = 0;
-  b->neg = 0;
-
-  if (BN_cmp(a, b) < 0) {
-    t = a;
-    a = b;
-    b = t;
-  }
-  t = euclid(a, b);
-  if (t == NULL) {
-    goto err;
-  }
-
-  if (BN_copy(r, t) == NULL) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-/* solves ax == 1 (mod n) */
-static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, int *out_no_inverse,
-                                        const BIGNUM *a, const BIGNUM *n,
-                                        BN_CTX *ctx);
-
-BIGNUM *BN_mod_inverse_ex(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
-                          const BIGNUM *n, BN_CTX *ctx) {
-  BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
-  BIGNUM *ret = NULL;
-  int sign;
-
-  if ((a->flags & BN_FLG_CONSTTIME) != 0 ||
-      (n->flags & BN_FLG_CONSTTIME) != 0) {
-    return BN_mod_inverse_no_branch(out, out_no_inverse, a, n, ctx);
-  }
-
-  *out_no_inverse = 0;
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  B = BN_CTX_get(ctx);
-  X = BN_CTX_get(ctx);
-  D = BN_CTX_get(ctx);
-  M = BN_CTX_get(ctx);
-  Y = BN_CTX_get(ctx);
-  T = BN_CTX_get(ctx);
-  if (T == NULL) {
-    goto err;
-  }
-
-  if (out == NULL) {
-    R = BN_new();
-  } else {
-    R = out;
-  }
-  if (R == NULL) {
-    goto err;
-  }
-
-  BN_zero(Y);
-  if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
-    goto err;
-  }
-  A->neg = 0;
-  if (B->neg || (BN_ucmp(B, A) >= 0)) {
-    if (!BN_nnmod(B, B, A, ctx)) {
-      goto err;
-    }
-  }
-  sign = -1;
-  /* From  B = a mod |n|,  A = |n|  it follows that
-   *
-   *      0 <= B < A,
-   *     -sign*X*a  ==  B   (mod |n|),
-   *      sign*Y*a  ==  A   (mod |n|).
-   */
-
-  if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS2 <= 32 ? 450 : 2048))) {
-    /* Binary inversion algorithm; requires odd modulus.
-     * This is faster than the general algorithm if the modulus
-     * is sufficiently small (about 400 .. 500 bits on 32-bit
-     * sytems, but much more on 64-bit systems) */
-    int shift;
-
-    while (!BN_is_zero(B)) {
-      /*      0 < B < |n|,
-       *      0 < A <= |n|,
-       * (1) -sign*X*a  ==  B   (mod |n|),
-       * (2)  sign*Y*a  ==  A   (mod |n|) */
-
-      /* Now divide  B  by the maximum possible power of two in the integers,
-       * and divide  X  by the same value mod |n|.
-       * When we're done, (1) still holds. */
-      shift = 0;
-      while (!BN_is_bit_set(B, shift)) {
-        /* note that 0 < B */
-        shift++;
-
-        if (BN_is_odd(X)) {
-          if (!BN_uadd(X, X, n)) {
-            goto err;
-          }
-        }
-        /* now X is even, so we can easily divide it by two */
-        if (!BN_rshift1(X, X)) {
-          goto err;
-        }
-      }
-      if (shift > 0) {
-        if (!BN_rshift(B, B, shift)) {
-          goto err;
-        }
-      }
-
-      /* Same for A and Y. Afterwards, (2) still holds. */
-      shift = 0;
-      while (!BN_is_bit_set(A, shift)) {
-        /* note that 0 < A */
-        shift++;
-
-        if (BN_is_odd(Y)) {
-          if (!BN_uadd(Y, Y, n)) {
-            goto err;
-          }
-        }
-        /* now Y is even */
-        if (!BN_rshift1(Y, Y)) {
-          goto err;
-        }
-      }
-      if (shift > 0) {
-        if (!BN_rshift(A, A, shift)) {
-          goto err;
-        }
-      }
-
-      /* We still have (1) and (2).
-       * Both  A  and  B  are odd.
-       * The following computations ensure that
-       *
-       *     0 <= B < |n|,
-       *      0 < A < |n|,
-       * (1) -sign*X*a  ==  B   (mod |n|),
-       * (2)  sign*Y*a  ==  A   (mod |n|),
-       *
-       * and that either  A  or  B  is even in the next iteration. */
-      if (BN_ucmp(B, A) >= 0) {
-        /* -sign*(X + Y)*a == B - A  (mod |n|) */
-        if (!BN_uadd(X, X, Y)) {
-          goto err;
-        }
-        /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
-         * actually makes the algorithm slower */
-        if (!BN_usub(B, B, A)) {
-          goto err;
-        }
-      } else {
-        /*  sign*(X + Y)*a == A - B  (mod |n|) */
-        if (!BN_uadd(Y, Y, X)) {
-          goto err;
-        }
-        /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
-        if (!BN_usub(A, A, B)) {
-          goto err;
-        }
-      }
-    }
-  } else {
-    /* general inversion algorithm */
-
-    while (!BN_is_zero(B)) {
-      BIGNUM *tmp;
-
-      /*
-       *      0 < B < A,
-       * (*) -sign*X*a  ==  B   (mod |n|),
-       *      sign*Y*a  ==  A   (mod |n|) */
-
-      /* (D, M) := (A/B, A%B) ... */
-      if (BN_num_bits(A) == BN_num_bits(B)) {
-        if (!BN_one(D)) {
-          goto err;
-        }
-        if (!BN_sub(M, A, B)) {
-          goto err;
-        }
-      } else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
-        /* A/B is 1, 2, or 3 */
-        if (!BN_lshift1(T, B)) {
-          goto err;
-        }
-        if (BN_ucmp(A, T) < 0) {
-          /* A < 2*B, so D=1 */
-          if (!BN_one(D)) {
-            goto err;
-          }
-          if (!BN_sub(M, A, B)) {
-            goto err;
-          }
-        } else {
-          /* A >= 2*B, so D=2 or D=3 */
-          if (!BN_sub(M, A, T)) {
-            goto err;
-          }
-          if (!BN_add(D, T, B)) {
-            goto err; /* use D (:= 3*B) as temp */
-          }
-          if (BN_ucmp(A, D) < 0) {
-            /* A < 3*B, so D=2 */
-            if (!BN_set_word(D, 2)) {
-              goto err;
-            }
-            /* M (= A - 2*B) already has the correct value */
-          } else {
-            /* only D=3 remains */
-            if (!BN_set_word(D, 3)) {
-              goto err;
-            }
-            /* currently  M = A - 2*B,  but we need  M = A - 3*B */
-            if (!BN_sub(M, M, B)) {
-              goto err;
-            }
-          }
-        }
-      } else {
-        if (!BN_div(D, M, A, B, ctx)) {
-          goto err;
-        }
-      }
-
-      /* Now
-       *      A = D*B + M;
-       * thus we have
-       * (**)  sign*Y*a  ==  D*B + M   (mod |n|). */
-
-      tmp = A; /* keep the BIGNUM object, the value does not matter */
-
-      /* (A, B) := (B, A mod B) ... */
-      A = B;
-      B = M;
-      /* ... so we have  0 <= B < A  again */
-
-      /* Since the former  M  is now  B  and the former  B  is now  A,
-       * (**) translates into
-       *       sign*Y*a  ==  D*A + B    (mod |n|),
-       * i.e.
-       *       sign*Y*a - D*A  ==  B    (mod |n|).
-       * Similarly, (*) translates into
-       *      -sign*X*a  ==  A          (mod |n|).
-       *
-       * Thus,
-       *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
-       * i.e.
-       *        sign*(Y + D*X)*a  ==  B  (mod |n|).
-       *
-       * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
-       *      -sign*X*a  ==  B   (mod |n|),
-       *       sign*Y*a  ==  A   (mod |n|).
-       * Note that  X  and  Y  stay non-negative all the time. */
-
-      /* most of the time D is very small, so we can optimize tmp := D*X+Y */
-      if (BN_is_one(D)) {
-        if (!BN_add(tmp, X, Y)) {
-          goto err;
-        }
-      } else {
-        if (BN_is_word(D, 2)) {
-          if (!BN_lshift1(tmp, X)) {
-            goto err;
-          }
-        } else if (BN_is_word(D, 4)) {
-          if (!BN_lshift(tmp, X, 2)) {
-            goto err;
-          }
-        } else if (D->top == 1) {
-          if (!BN_copy(tmp, X)) {
-            goto err;
-          }
-          if (!BN_mul_word(tmp, D->d[0])) {
-            goto err;
-          }
-        } else {
-          if (!BN_mul(tmp, D, X, ctx)) {
-            goto err;
-          }
-        }
-        if (!BN_add(tmp, tmp, Y)) {
-          goto err;
-        }
-      }
-
-      M = Y; /* keep the BIGNUM object, the value does not matter */
-      Y = X;
-      X = tmp;
-      sign = -sign;
-    }
-  }
-
-  /* The while loop (Euclid's algorithm) ends when
-   *      A == gcd(a,n);
-   * we have
-   *       sign*Y*a  ==  A  (mod |n|),
-   * where  Y  is non-negative. */
-
-  if (sign < 0) {
-    if (!BN_sub(Y, n, Y)) {
-      goto err;
-    }
-  }
-  /* Now  Y*a  ==  A  (mod |n|).  */
-
-  if (BN_is_one(A)) {
-    /* Y*a == 1  (mod |n|) */
-    if (!Y->neg && BN_ucmp(Y, n) < 0) {
-      if (!BN_copy(R, Y)) {
-        goto err;
-      }
-    } else {
-      if (!BN_nnmod(R, Y, n, ctx)) {
-        goto err;
-      }
-    }
-  } else {
-    *out_no_inverse = 1;
-    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
-    goto err;
-  }
-  ret = R;
-
-err:
-  if (ret == NULL && out == NULL) {
-    BN_free(R);
-  }
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
-                       BN_CTX *ctx) {
-  int no_inverse;
-  return BN_mod_inverse_ex(out, &no_inverse, a, n, ctx);
-}
-
-/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse.
- * It does not contain branches that may leak sensitive information. */
-static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, int *out_no_inverse,
-                                        const BIGNUM *a, const BIGNUM *n,
-                                        BN_CTX *ctx) {
-  BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
-  BIGNUM local_A, local_B;
-  BIGNUM *pA, *pB;
-  BIGNUM *ret = NULL;
-  int sign;
-
-  *out_no_inverse = 0;
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  B = BN_CTX_get(ctx);
-  X = BN_CTX_get(ctx);
-  D = BN_CTX_get(ctx);
-  M = BN_CTX_get(ctx);
-  Y = BN_CTX_get(ctx);
-  T = BN_CTX_get(ctx);
-  if (T == NULL) {
-    goto err;
-  }
-
-  if (out == NULL) {
-    R = BN_new();
-  } else {
-    R = out;
-  }
-  if (R == NULL) {
-    goto err;
-  }
-
-  BN_zero(Y);
-  if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
-    goto err;
-  }
-  A->neg = 0;
-
-  if (B->neg || (BN_ucmp(B, A) >= 0)) {
-    /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-     * BN_div_no_branch will be called eventually.
-     */
-    pB = &local_B;
-    BN_with_flags(pB, B, BN_FLG_CONSTTIME);
-    if (!BN_nnmod(B, pB, A, ctx)) {
-      goto err;
-    }
-  }
-  sign = -1;
-  /* From  B = a mod |n|,  A = |n|  it follows that
-   *
-   *      0 <= B < A,
-   *     -sign*X*a  ==  B   (mod |n|),
-   *      sign*Y*a  ==  A   (mod |n|).
-   */
-
-  while (!BN_is_zero(B)) {
-    BIGNUM *tmp;
-
-    /*
-     *      0 < B < A,
-     * (*) -sign*X*a  ==  B   (mod |n|),
-     *      sign*Y*a  ==  A   (mod |n|)
-     */
-
-    /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-     * BN_div_no_branch will be called eventually.
-     */
-    pA = &local_A;
-    BN_with_flags(pA, A, BN_FLG_CONSTTIME);
-
-    /* (D, M) := (A/B, A%B) ... */
-    if (!BN_div(D, M, pA, B, ctx)) {
-      goto err;
-    }
-
-    /* Now
-     *      A = D*B + M;
-     * thus we have
-     * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
-     */
-
-    tmp = A; /* keep the BIGNUM object, the value does not matter */
-
-    /* (A, B) := (B, A mod B) ... */
-    A = B;
-    B = M;
-    /* ... so we have  0 <= B < A  again */
-
-    /* Since the former  M  is now  B  and the former  B  is now  A,
-     * (**) translates into
-     *       sign*Y*a  ==  D*A + B    (mod |n|),
-     * i.e.
-     *       sign*Y*a - D*A  ==  B    (mod |n|).
-     * Similarly, (*) translates into
-     *      -sign*X*a  ==  A          (mod |n|).
-     *
-     * Thus,
-     *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
-     * i.e.
-     *        sign*(Y + D*X)*a  ==  B  (mod |n|).
-     *
-     * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
-     *      -sign*X*a  ==  B   (mod |n|),
-     *       sign*Y*a  ==  A   (mod |n|).
-     * Note that  X  and  Y  stay non-negative all the time.
-     */
-
-    if (!BN_mul(tmp, D, X, ctx)) {
-      goto err;
-    }
-    if (!BN_add(tmp, tmp, Y)) {
-      goto err;
-    }
-
-    M = Y; /* keep the BIGNUM object, the value does not matter */
-    Y = X;
-    X = tmp;
-    sign = -sign;
-  }
-
-  /*
-   * The while loop (Euclid's algorithm) ends when
-   *      A == gcd(a,n);
-   * we have
-   *       sign*Y*a  ==  A  (mod |n|),
-   * where  Y  is non-negative.
-   */
-
-  if (sign < 0) {
-    if (!BN_sub(Y, n, Y)) {
-      goto err;
-    }
-  }
-  /* Now  Y*a  ==  A  (mod |n|).  */
-
-  if (BN_is_one(A)) {
-    /* Y*a == 1  (mod |n|) */
-    if (!Y->neg && BN_ucmp(Y, n) < 0) {
-      if (!BN_copy(R, Y)) {
-        goto err;
-      }
-    } else {
-      if (!BN_nnmod(R, Y, n, ctx)) {
-        goto err;
-      }
-    }
-  } else {
-    *out_no_inverse = 1;
-    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
-    goto err;
-  }
-  ret = R;
-
-err:
-  if (ret == NULL && out == NULL) {
-    BN_free(R);
-  }
-
-  BN_CTX_end(ctx);
-  return ret;
-}