Merge pull request #648 from Kr0emer/fix/bug-004-modinverse-dos

kjur · web-flow · commit ca5b02724028 · 2026-02-20T21:44:00.000+09:00
fix(jsbn2): prevent modInverse hangs on zero and negative inputs
diff --git a/ext/jsbn2.js b/ext/jsbn2.js
@@ -508,15 +508,17 @@ function bnpModInt(n) {
 
 // (public) 1/this % m (HAC 14.61)
 function bnModInverse(m) {
+  if(m.signum() == 0) return BigInteger.ZERO;
+  var x = this.mod(m);
   var ac = m.isEven();
-  if((this.isEven() && ac) || m.signum() == 0) return BigInteger.ZERO;
-  var u = m.clone(), v = this.clone();
+  if((x.isEven() && ac) || x.signum() == 0) return BigInteger.ZERO;
+  var u = m.clone(), v = x.clone();
   var a = nbv(1), b = nbv(0), c = nbv(0), d = nbv(1);
   while(u.signum() != 0) {
     while(u.isEven()) {
       u.rShiftTo(1,u);
       if(ac) {
-        if(!a.isEven() || !b.isEven()) { a.addTo(this,a); b.subTo(m,b); }
+        if(!a.isEven() || !b.isEven()) { a.addTo(x,a); b.subTo(m,b); }
         a.rShiftTo(1,a);
       }
       else if(!b.isEven()) b.subTo(m,b);
@@ -525,7 +527,7 @@ function bnModInverse(m) {
     while(v.isEven()) {
       v.rShiftTo(1,v);
       if(ac) {
-        if(!c.isEven() || !d.isEven()) { c.addTo(this,c); d.subTo(m,d); }
+        if(!c.isEven() || !d.isEven()) { c.addTo(x,c); d.subTo(m,d); }
         c.rShiftTo(1,c);
       }
       else if(!d.isEven()) d.subTo(m,d);
diff --git a/test/qunit-do-crypto.html b/test/qunit-do-crypto.html
@@ -257,6 +257,19 @@
   "reject mod(0)");
 });
 
+test("BigInteger.modInverse returns quickly for zero input", function() {
+  var biM = new BigInteger("97", 10);
+  var biR = new BigInteger("0", 10).modInverse(biM);
+  equal(biR.compareTo(BigInteger.ZERO), 0, "0 has no inverse");
+});
+
+test("BigInteger.modInverse normalizes negative input", function() {
+  var biM1 = new BigInteger("7", 10);
+  var biM2 = new BigInteger("97", 10);
+  equal(new BigInteger("-1", 10).modInverse(biM1).toString(10), "6", "-1 mod 7");
+  equal(new BigInteger("-13", 10).modInverse(biM2).toString(10), "82", "-13 mod 97");
+});
+
 test("MessageDigest test", function() {
   expect(10);
   var md1 = new KJUR.crypto.MessageDigest({"alg": "sha1", "prov": "cryptojs"});
