From 3bde737cd185709f4e3f80f4b881a7795d62ad24 Mon Sep 17 00:00:00 2001 From: jsing Date: Sat, 7 May 2022 07:47:24 +0000 Subject: [PATCH] Avoid strict aliasing violations in BN_nist_mod_*() The optimised code path switches from processing data via unsigned long to processing data via unsigned int, which requires type punning. This is currently attempted via a union (for one case), however this fails since a pointer to a union member is passed to another function (these unions were added to "fix strict-aliasing compiler warning" - it would seem the warnings stopped but the undefined behaviour remained). The second case does not use a union and simply casts from one type to another. Undefined behaviour is currently triggered when compiling with clang 14 using -03 and -fstrict-aliasing, while disabling assembly (in order to use this C code). The resulting binary produces incorrect results. Avoid strict aliasing violations by copying from an unsigned long array to an unsigned int array, then copying back the result. Any sensible compiler will omit the copies, while avoiding undefined behaviour that would result from unsafe type punning via pointer type casting. Thanks to Guido Vranken for reporting the issue and testing the fix. ok tb@ --- lib/libcrypto/bn/bn_nist.c | 223 +++++++++++++++++++++++-------------- 1 file changed, 137 insertions(+), 86 deletions(-) diff --git a/lib/libcrypto/bn/bn_nist.c b/lib/libcrypto/bn/bn_nist.c index 3a04c471c41..871b37cf893 100644 --- a/lib/libcrypto/bn/bn_nist.c +++ b/lib/libcrypto/bn/bn_nist.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_nist.c,v 1.19 2021/11/09 18:40:20 bcook Exp $ */ +/* $OpenBSD: bn_nist.c,v 1.20 2022/05/07 07:47:24 jsing Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ 
@@ -62,6 +62,9 @@ #include "bn_lcl.h" +#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ + __attribute__((__unused__)) + #define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2 #define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2 #define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2 @@ -425,11 +428,7 @@ BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) int top = a->top, i; int carry; BN_ULONG *r_d, *a_d = a->d; - union { - BN_ULONG bn[BN_NIST_192_TOP]; - unsigned int ui[BN_NIST_192_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; + BN_ULONG bnbuf[BN_NIST_192_TOP] = { 0 }; BN_ULONG c_d[BN_NIST_192_TOP], *res; uintptr_t mask; static const BIGNUM _bignum_nist_p_192_sqr = { @@ -460,14 +459,31 @@ BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) } else r_d = a_d; - nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, + nist_cp_bn_0(bnbuf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP); #if defined(NIST_INT64) { NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; + unsigned int bbuf[BN_NIST_192_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + unsigned int rbuf[BN_NIST_192_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + const unsigned int *bp = bbuf; + unsigned int *rp = rbuf; + + CTASSERT(sizeof(bbuf) == sizeof(bnbuf)); + CTASSERT(sizeof(rbuf) == sizeof(bnbuf)); + + /* + * Avoid strict aliasing violations by copying from an unsigned + * long array to an unsigned int array, then copying back the + * result. Any sensible compiler will omit the copies, while + * avoiding undefined behaviour that would result from unsafe + * type punning via pointer type casting. + */ + memcpy(bbuf, bnbuf, sizeof(bbuf)); + memcpy(rbuf, r_d, sizeof(rbuf)); acc = rp[0]; acc += bp[3 * 2 - 6]; 
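Review bot: `CTASSERT` is defined unconditionally right after the includes; if bn_lcl.h or a system header ever supplies a macro of the same name, this becomes a redefinition error, so wrapping the definition in `#ifndef CTASSERT` / `#endif` would be safer (whether such a header exists on this build is not visible here). The expansion declares an `extern char _ctassert[...]`, which is valid in both file and block scope, but if the translation unit is compiled as C11 the same check can be expressed directly as `_Static_assert((x), #x)` without a dummy symbol. A one-line comment such as `/* compile-time assertion: a negative array size is a hard error */` above the macro would help readers unfamiliar with the idiom.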
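Review bot: The two `CTASSERT`s prove the `unsigned int` buffers have the same byte size as `bnbuf`, but the arithmetic that follows (`rp[i] = (unsigned int)acc`, `carry = (int)(acc >> 32)`) additionally relies on `unsigned int` being exactly 32 bits, which nothing in the hunk checks; adding `CTASSERT(sizeof(unsigned int) == 4);` beside the existing pair would pin that assumption where it is used (if `NIST_INT64` is only defined on such targets this already holds, but that definition is outside the hunk). The same explanatory comment and assertion/memcpy pair is duplicated verbatim in the BN_nist_mod_224 (`@@ -603`), BN_nist_mod_256 (`@@ -782`) and BN_nist_mod_384 (`@@ -1009`) hunks; one full comment at the `CTASSERT` definition plus a one-line `/* see strict-aliasing note at CTASSERT */` in each function would keep the four copies from drifting. The enclosing NIST_INT64 block continues past the end of this hunk.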
@@ -506,17 +522,19 @@ BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) acc += bp[5 * 2 - 5]; rp[5] = (unsigned int)acc; + memcpy(r_d, rbuf, sizeof(rbuf)); + carry = (int)(acc >> 32); } #else { BN_ULONG t_d[BN_NIST_192_TOP] = {0}; - nist_set_192(t_d, buf.bn, 0, 3, 3); + nist_set_192(t_d, bnbuf, 0, 3, 3); carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); - nist_set_192(t_d, buf.bn, 4, 4, 0); + nist_set_192(t_d, bnbuf, 4, 4, 0); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); - nist_set_192(t_d, buf.bn, 5, 5, 5) + nist_set_192(t_d, bnbuf, 5, 5, 5) carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); } #endif @@ -564,17 +582,10 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) int top = a->top, i; int carry; BN_ULONG *r_d, *a_d = a->d; - union { - BN_ULONG bn[BN_NIST_224_TOP]; - unsigned int ui[BN_NIST_224_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; + BN_ULONG bnbuf[BN_NIST_224_TOP] = { 0 }; BN_ULONG c_d[BN_NIST_224_TOP], *res; uintptr_t mask; - union { - bn_addsub_f f; - uintptr_t p; - } u; + bn_addsub_f addsubf; static const BIGNUM _bignum_nist_p_224_sqr = { (BN_ULONG *)_nist_p_224_sqr, sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]), 
@@ -603,26 +614,43 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) } else r_d = a_d; - memset(&buf, 0, sizeof(buf)); + memset(&bnbuf, 0, sizeof(bnbuf)); #if BN_BITS2==64 /* copy upper 256 bits of 448 bit number ... */ nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP - 1), top - (BN_NIST_224_TOP - 1), BN_NIST_224_TOP); /* ... and right shift by 32 to obtain upper 224 bits */ - nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8); + nist_set_224(bnbuf, c_d, 14, 13, 12, 11, 10, 9, 8); /* truncate lower part to 224 bits too */ r_d[BN_NIST_224_TOP - 1] &= BN_MASK2l; #else - nist_cp_bn_0(buf.bn, a_d + BN_NIST_224_TOP, + nist_cp_bn_0(bnbuf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP); #endif #if defined(NIST_INT64) && BN_BITS2!=64 { NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; + unsigned int bbuf[BN_NIST_224_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + unsigned int rbuf[BN_NIST_224_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + const unsigned int *bp = bbuf; + unsigned int *rp = rbuf; + + CTASSERT(sizeof(bbuf) == sizeof(bnbuf)); + CTASSERT(sizeof(rbuf) == sizeof(bnbuf)); + + /* + * Avoid strict aliasing violations by copying from an unsigned + * long array to an unsigned int array, then copying back the + * result. Any sensible compiler will omit the copies, while + * avoiding undefined behaviour that would result from unsafe + * type punning via pointer type casting. + */ + memcpy(bbuf, bnbuf, sizeof(bbuf)); + memcpy(rbuf, r_d, sizeof(rbuf)); acc = rp[0]; acc -= bp[7 - 7]; @@ -668,6 +696,8 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) acc -= bp[13 - 7]; rp[6] = (unsigned int)acc; + memcpy(r_d, rbuf, sizeof(rbuf)); + carry = (int)(acc >> 32); # if BN_BITS2==64 rp[7] = carry; 
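Review bot: `memset(&bnbuf, 0, sizeof(bnbuf));` is now redundant, since the declaration hunk (`@@ -564`) gives `bnbuf` a `= { 0 }` initializer, and it is the only site in the file that passes the array's address rather than the array itself. Dropping the memset, or at least writing it as `memset(bnbuf, 0, sizeof(bnbuf));` to match how `bnbuf` is passed everywhere else, would make the 224 function read like its 192/256/384 siblings.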
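Review bot: `memcpy(r_d, rbuf, sizeof(rbuf));` is placed before the `# if BN_BITS2==64` / `rp[7] = carry;` lines, so a write to `rp[7]` after it would land in the local `rbuf`, which is about to go out of scope, rather than in `r_d`. That inner block is unreachable today because the enclosing block is guarded by `#if defined(NIST_INT64) && BN_BITS2!=64` (visible in the `@@ -603` hunk), so nothing changes behaviourally, but the copy-back now makes the dead code wrong as well as dead. Either move the copy-back after the inner `# endif`, which lies outside this hunk, or delete the `BN_BITS2==64` block so the two guards stop contradicting each other. The enclosing block ends outside the hunk.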
@@ -677,13 +707,13 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) { BN_ULONG t_d[BN_NIST_224_TOP] = {0}; - nist_set_224(t_d, buf.bn, 10, 9, 8, 7, 0, 0, 0); + nist_set_224(t_d, bnbuf, 10, 9, 8, 7, 0, 0, 0); carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); - nist_set_224(t_d, buf.bn, 0, 13, 12, 11, 0, 0, 0); + nist_set_224(t_d, bnbuf, 0, 13, 12, 11, 0, 0, 0); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); - nist_set_224(t_d, buf.bn, 13, 12, 11, 10, 9, 8, 7); + nist_set_224(t_d, bnbuf, 13, 12, 11, 10, 9, 8, 7); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP); - nist_set_224(t_d, buf.bn, 0, 0, 0, 0, 13, 12, 11); + nist_set_224(t_d, bnbuf, 0, 0, 0, 0, 13, 12, 11); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP); #if BN_BITS2==64 @@ -691,7 +721,7 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) #endif } #endif - u.f = bn_sub_words; + addsubf = bn_sub_words; if (carry > 0) { carry = (int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1], BN_NIST_224_TOP); @@ -707,14 +737,13 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) * adjusted by *subtracting* the latter. */ carry = (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], BN_NIST_224_TOP); - mask = 0 - (uintptr_t)carry; - u.p = ((uintptr_t)bn_sub_words & mask) | - ((uintptr_t)bn_add_words & ~mask); + if (carry == 0) + addsubf = bn_add_words; } else carry = 1; /* otherwise it's effectively same as in BN_nist_mod_192... */ - mask = 0 - (uintptr_t)(*u.f)(c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); + mask = 0 - (uintptr_t)(*addsubf)(c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); mask &= 0 - (uintptr_t)carry; res = c_d; res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); 
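Review bot: Selecting `addsubf` with `if (carry == 0) addsubf = bn_add_words;` turns the former mask-based, branchless function-pointer selection into a data-dependent branch on `carry`, and the same rewrite appears in the BN_nist_mod_256 (`@@ -903`) and BN_nist_mod_384 (`@@ -1155`) hunks. It sits inside an `else if (carry < 0)` arm that already branches on the same value, so it adds no timing dependence the surrounding code did not already have; whether this reduction path was ever meant to be constant-time is not visible in the hunk. A short comment would stop a later reader from re-introducing pointer punning in the name of branchlessness, e.g. `/* The enclosing if/else already branches on carry, so a branch here leaks nothing new. */`. The mask/`res` selection that follows is unchanged.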
@@ -743,17 +772,10 @@ BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) int i, top = a->top; int carry = 0; BN_ULONG *a_d = a->d, *r_d; - union { - BN_ULONG bn[BN_NIST_256_TOP]; - unsigned int ui[BN_NIST_256_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; + BN_ULONG bnbuf[BN_NIST_256_TOP] = { 0 }; BN_ULONG c_d[BN_NIST_256_TOP] = {0}, *res; uintptr_t mask; - union { - bn_addsub_f f; - uintptr_t p; - } u; + bn_addsub_f addsubf; static const BIGNUM _bignum_nist_p_256_sqr = { (BN_ULONG *)_nist_p_256_sqr, sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]), @@ -782,14 +804,31 @@ BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) } else r_d = a_d; - nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, + nist_cp_bn_0(bnbuf, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP); #if defined(NIST_INT64) { NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; + unsigned int bbuf[BN_NIST_256_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + unsigned int rbuf[BN_NIST_256_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + const unsigned int *bp = bbuf; + unsigned int *rp = rbuf; + + CTASSERT(sizeof(bbuf) == sizeof(bnbuf)); + CTASSERT(sizeof(rbuf) == sizeof(bnbuf)); + + /* + * Avoid strict aliasing violations by copying from an unsigned + * long array to an unsigned int array, then copying back the + * result. Any sensible compiler will omit the copies, while + * avoiding undefined behaviour that would result from unsafe + * type punning via pointer type casting. + */ + memcpy(bbuf, bnbuf, sizeof(bbuf)); + memcpy(rbuf, r_d, sizeof(rbuf)); acc = rp[0]; acc += bp[8 - 8]; @@ -877,6 +916,8 @@ BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) acc -= bp[13 - 8]; rp[7] = (unsigned int)acc; + memcpy(r_d, rbuf, sizeof(rbuf)); + carry = (int)(acc >> 32); } #else 
@@ -884,9 +925,9 @@ BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) BN_ULONG t_d[BN_NIST_256_TOP] = {0}; /*S1*/ - nist_set_256(t_d, buf.bn, 15, 14, 13, 12, 11, 0, 0, 0); + nist_set_256(t_d, bnbuf, 15, 14, 13, 12, 11, 0, 0, 0); /*S2*/ - nist_set_256(c_d, buf.bn, 0, 15, 14, 13, 12, 0, 0, 0); + nist_set_256(c_d, bnbuf, 0, 15, 14, 13, 12, 0, 0, 0); carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP); /* left shift */ { 
@@ -903,41 +944,40 @@ BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) } carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); /*S3*/ - nist_set_256(t_d, buf.bn, 15, 14, 0, 0, 0, 10, 9, 8); + nist_set_256(t_d, bnbuf, 15, 14, 0, 0, 0, 10, 9, 8); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); /*S4*/ - nist_set_256(t_d, buf.bn, 8, 13, 15, 14, 13, 11, 10, 9); + nist_set_256(t_d, bnbuf, 8, 13, 15, 14, 13, 11, 10, 9); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); /*D1*/ - nist_set_256(t_d, buf.bn, 10, 8, 0, 0, 0, 13, 12, 11); + nist_set_256(t_d, bnbuf, 10, 8, 0, 0, 0, 13, 12, 11); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); /*D2*/ - nist_set_256(t_d, buf.bn, 11, 9, 0, 0, 15, 14, 13, 12); + nist_set_256(t_d, bnbuf, 11, 9, 0, 0, 15, 14, 13, 12); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); /*D3*/ - nist_set_256(t_d, buf.bn, 12, 0, 10, 9, 8, 15, 14, 13); + nist_set_256(t_d, bnbuf, 12, 0, 10, 9, 8, 15, 14, 13); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); /*D4*/ - nist_set_256(t_d, buf.bn, 13, 0, 11, 10, 9, 0, 15, 14); + nist_set_256(t_d, bnbuf, 13, 0, 11, 10, 9, 0, 15, 14); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + addsubf = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1], BN_NIST_256_TOP); else if (carry < 0) { carry = (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], BN_NIST_256_TOP); - mask = 0 - (uintptr_t)carry; - u.p = ((uintptr_t)bn_sub_words & mask) | - ((uintptr_t)bn_add_words & ~mask); + if (carry == 0) + addsubf = bn_add_words; } else carry = 1; - mask = 0 - (uintptr_t)(*u.f)(c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); + mask = 0 - (uintptr_t)(*addsubf)(c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); mask &= 0 - (uintptr_t)carry; res = c_d; res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); 
@@ -970,17 +1010,10 @@ BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) int i, top = a->top; int carry = 0; BN_ULONG *r_d, *a_d = a->d; - union { - BN_ULONG bn[BN_NIST_384_TOP]; - unsigned int ui[BN_NIST_384_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; + BN_ULONG bnbuf[BN_NIST_384_TOP] = { 0 }; BN_ULONG c_d[BN_NIST_384_TOP], *res; uintptr_t mask; - union { - bn_addsub_f f; - uintptr_t p; - } u; + bn_addsub_f addsubf; static const BIGNUM _bignum_nist_p_384_sqr = { (BN_ULONG *)_nist_p_384_sqr, sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]), @@ -1009,14 +1042,31 @@ BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) } else r_d = a_d; - nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, + nist_cp_bn_0(bnbuf, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP); #if defined(NIST_INT64) { NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; + unsigned int bbuf[BN_NIST_384_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + unsigned int rbuf[BN_NIST_384_TOP * + sizeof(BN_ULONG) / sizeof(unsigned int)]; + const unsigned int *bp = bbuf; + unsigned int *rp = rbuf; + + CTASSERT(sizeof(bbuf) == sizeof(bnbuf)); + CTASSERT(sizeof(rbuf) == sizeof(bnbuf)); + + /* + * Avoid strict aliasing violations by copying from an unsigned + * long array to an unsigned int array, then copying back the + * result. Any sensible compiler will omit the copies, while + * avoiding undefined behaviour that would result from unsafe + * type punning via pointer type casting. + */ + memcpy(bbuf, bnbuf, sizeof(bbuf)); + memcpy(rbuf, r_d, sizeof(rbuf)); acc = rp[0]; acc += bp[12 - 12]; @@ -1131,6 +1181,8 @@ BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) acc -= bp[22 - 12]; rp[11] = (unsigned int)acc; + memcpy(r_d, rbuf, sizeof(rbuf)); + carry = (int)(acc >> 32); } #else 
@@ -1138,7 +1190,7 @@ BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) BN_ULONG t_d[BN_NIST_384_TOP] = {0}; /*S1*/ - nist_set_256(t_d, buf.bn, 0, 0, 0, 0, 0, 23 - 4, 22 - 4, + nist_set_256(t_d, bnbuf, 0, 0, 0, 0, 0, 23 - 4, 22 - 4, 21 - 4); /* left shift */ { 
@@ -1155,49 +1207,48 @@ BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) carry = (int)bn_add_words(r_d + (128 / BN_BITS2), r_d + (128 / BN_BITS2), t_d, BN_NIST_256_TOP); /*S2 */ - carry += (int)bn_add_words(r_d, r_d, buf.bn, BN_NIST_384_TOP); + carry += (int)bn_add_words(r_d, r_d, bnbuf, BN_NIST_384_TOP); /*S3*/ - nist_set_384(t_d, buf.bn, 20, 19, 18, 17, 16, 15, 14, 13, 12, + nist_set_384(t_d, bnbuf, 20, 19, 18, 17, 16, 15, 14, 13, 12, 23, 22, 21); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); /*S4*/ - nist_set_384(t_d, buf.bn, 19, 18, 17, 16, 15, 14, 13, 12, 20, + nist_set_384(t_d, bnbuf, 19, 18, 17, 16, 15, 14, 13, 12, 20, 0, 23, 0); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); /*S5*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 23, 22, 21, 20, 0,0, 0, 0); + nist_set_384(t_d, bnbuf, 0,0, 0,0, 23, 22, 21, 20, 0,0, 0, 0); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); /*S6*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 0,0, 23, 22, 21, 0,0, 20); + nist_set_384(t_d, bnbuf, 0,0, 0,0, 0,0, 23, 22, 21, 0,0, 20); carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); /*D1*/ - nist_set_384(t_d, buf.bn, 22, 21, 20, 19, 18, 17, 16, 15, 14, + nist_set_384(t_d, bnbuf, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 23); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); /*D2*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 0,0, 0,23, 22, 21, 20, 0); + nist_set_384(t_d, bnbuf, 0,0, 0,0, 0,0, 0,23, 22, 21, 20, 0); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); /*D3*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 0,0, 0,23, 23, 0,0, 0); + nist_set_384(t_d, bnbuf, 0,0, 0,0, 0,0, 0,23, 23, 0,0, 0); carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + addsubf = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1], BN_NIST_384_TOP); else if (carry < 0) { carry = (int)bn_add_words(r_d, r_d, 
_nist_p_384[-carry - 1], BN_NIST_384_TOP); - mask = 0 - (uintptr_t)carry; - u.p = ((uintptr_t)bn_sub_words & mask) | - ((uintptr_t)bn_add_words & ~mask); + if (carry == 0) + addsubf = bn_add_words; } else carry = 1; - mask = 0 - (uintptr_t)(*u.f)(c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); + mask = 0 - (uintptr_t)(*addsubf)(c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); mask &= 0 - (uintptr_t)carry; res = c_d; res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); -- 2.20.1