From f7d534bcda8853a4d367d31cdbdce953b4230a19 Mon Sep 17 00:00:00 2001
From: jsing
Date: Thu, 16 Feb 2023 10:02:02 +0000
Subject: [PATCH] Add missing masks to accumulator version of bn_umul_hilo()
---
 lib/libcrypto/bn/bn_internal.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/libcrypto/bn/bn_internal.h b/lib/libcrypto/bn/bn_internal.h
index 1b5ab9c42c1..64240555d1c 100644
--- a/lib/libcrypto/bn/bn_internal.h
+++ b/lib/libcrypto/bn/bn_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_internal.h,v 1.5 2023/02/16 04:42:20 jsing Exp $ */
+/* $OpenBSD: bn_internal.h,v 1.6 2023/02/16 10:02:02 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing
 *
@@ -258,13 +258,17 @@ bn_umul_hilo(BN_ULONG a, BN_ULONG b, BN_ULONG *out_h, BN_ULONG *out_l)
 x = ah * bl;
 acc1 += x & BN_MASK2l;
 acc2 += (acc1 >> BN_BITS4) + (x >> BN_BITS4);
+ acc1 &= BN_MASK2l;
 acc3 += acc2 >> BN_BITS4;
+ acc2 &= BN_MASK2l;
 /* (bh * al) << BN_BITS4, partition the result across h:l. */
 x = bh * al;
 acc1 += x & BN_MASK2l;
 acc2 += (acc1 >> BN_BITS4) + (x >> BN_BITS4);
+ acc1 &= BN_MASK2l;
 acc3 += acc2 >> BN_BITS4;
+ acc2 &= BN_MASK2l;
 *out_h = (acc3 << BN_BITS4) | acc2;
 *out_l = (acc1 << BN_BITS4) | acc0;
--
2.20.1
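Review bot: The four added masks in the second hunk (`acc1 &= BN_MASK2l;` and `acc2 &= BN_MASK2l;` after each cross product) come without a comment stating the invariant they restore, which is the thing a later edit to this carry chain is most likely to break again. From the visible lines, a carry left in acc1 by the `ah * bl` step would be added into acc2 a second time by the next `acc1 >> BN_BITS4`, and an unmasked acc2 would overlap acc3 in `(acc3 << BN_BITS4) | acc2`; I would say so once above the first group, e.g. `/* Once a carry has been propagated, mask it off so each accumulator stays within BN_BITS4 bits. */`. The diffstat shows only bn_internal.h changing, so a regression test that checks known products for operands whose cross products carry (for example both words all ones) would be worth adding with this fix, since a wrong high word in a bignum multiply silently corrupts every primitive built on it. bn_umul_hilo() begins and ends outside the hunk, so the initial accumulator setup is not visible here.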