From 2949d3ac1b37bd0cda8639d23e90431e1aed4f07 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 15 Jun 2021 22:09:39 +0200
Subject: [PATCH] Explain how the code relates to the description in HAC

Signed-off-by: Gilles Peskine
---
 library/bignum.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/library/bignum.c b/library/bignum.c
index dd4eb9ae6f..3b126e2bbf 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2312,6 +2312,13 @@ int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B

 TA.s = TB.s = 1;

+ /* We follow the procedure described in HAC 14.54, except that sequences
+ * of divisions by 2 are grouped into a single shift. The procedure in HAC
+ * assumes that the numbers are initially positive. The case B=0 was
+ * short-circuited above. If A=0, the loop goes through 0 iterations
+ * and the result is correctly B.
+ */
+
 while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
 {
 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
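Review bot: The new comment says the A=0 case gives "correctly B", but the context line just above it sets `TA.s = TB.s = 1`, so the loop works on |A| and |B| and the value produced would be |B|; I would word the last line as `* and the result is correctly |B| (signs were forced positive above).` The comment could also expand the reference once, for example `HAC (Handbook of Applied Cryptography) algorithm 14.54`, since the abbreviation is not explained in these lines. Separately, the shift count `mbedtls_mpi_lsb( &TA )` and the number of loop iterations both depend on the operand values, so if any caller can pass secret operands it is worth stating that in the same comment, e.g. `* Note: the running time depends on the values of A and B.`; the callers are not visible here. The body of mbedtls_mpi_gcd starts and ends outside this hunk, so the B=0 short-circuit the comment refers to cannot be checked from these lines.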