From 93321b808dc9a3e09dff7bbe48b324aa478154d9 Mon Sep 17 00:00:00 2001
From: jsing
Date: Thu, 16 Feb 2023 10:58:06 +0000
Subject: [PATCH] Use bn_addw() in bn_mulw(), rather than duplicating add with carry code.
---
 lib/libcrypto/bn/bn_internal.h | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/lib/libcrypto/bn/bn_internal.h b/lib/libcrypto/bn/bn_internal.h
index 2872e211854..acee2b4020d 100644
--- a/lib/libcrypto/bn/bn_internal.h
+++ b/lib/libcrypto/bn/bn_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_internal.h,v 1.7 2023/02/16 10:41:03 jsing Exp $ */
+/* $OpenBSD: bn_internal.h,v 1.8 2023/02/16 10:58:06 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing
 *
@@ -199,7 +199,8 @@ bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
 static inline void
 bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
 {
- BN_ULONG a1, a0, b1, b0, r1, r0, c1, c2, x;
+ BN_ULONG a1, a0, b1, b0, r1, r0;
+ BN_ULONG carry, x;
 a1 = a >> BN_BITS4;
 a0 = a & BN_MASK2l;
@@ -212,20 +213,14 @@ bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
 /* (a1 * b0) << BN_BITS4, partition the result across r1:r0 with carry. */
 x = a1 * b0;
 r1 += x >> BN_BITS4;
- x <<= BN_BITS4;
- c1 = r0 | x;
- c2 = r0 & x;
- r0 += x;
- r1 += ((c1 & ~r0) | c2) >> (BN_BITS2 - 1); /* carry */
+ bn_addw(r0, x << BN_BITS4, &carry, &r0);
+ r1 += carry;
 /* (b1 * a0) << BN_BITS4, partition the result across r1:r0 with carry. */
 x = b1 * a0;
 r1 += x >> BN_BITS4;
- x <<= BN_BITS4;
- c1 = r0 | x;
- c2 = r0 & x;
- r0 += x;
- r1 += ((c1 & ~r0) | c2) >> (BN_BITS2 - 1); /* carry */
+ bn_addw(r0, x << BN_BITS4, &carry, &r0);
+ r1 += carry;
 *out_r1 = r1;
 *out_r0 = r0;
-- 
2.20.1
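Review bot: The carry step in the `@@ -212,20 +213,14 @@` hunk (`bn_addw(r0, x << BN_BITS4, &carry, &r0);`) now inherits its timing behaviour from bn_addw, whereas the removed lines computed the carry with a visibly branch-free mask expression; bn_addw is not in this diff, so I am assuming it is equally branch-free, and since BN_ULONG limbs in libcrypto may presumably hold secret material that requirement deserves a comment in bn_mulw, e.g. `/* bn_addw() must stay branch-free: limb values may be secret. */` above the first call. Passing `&r0` as the output of an addition whose first operand is `r0` is sound because the operand is taken by value, but a short note would spare the next reader the check. The identical pattern appears again in the `(b1 * a0)` step a few lines down, so one comment covering both is enough. bn_mulw's closing brace lies outside the hunk.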