Use CRYPTO_addc_w in bn_from_montgomery_in_place
This is a bit more readable than the bit tricks, which compilers don't
reliably detect anyway.
Change-Id: I922976b5f5c3b0b8c3f02afd95f3d6783f6ffaf6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/82047
Reviewed-by: Lily Chen <chlily@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Lily Chen <chlily@google.com>
diff --git a/crypto/fipsmodule/bn/montgomery.cc.inc b/crypto/fipsmodule/bn/montgomery.cc.inc
index 6281b29..b3d7107 100644
--- a/crypto/fipsmodule/bn/montgomery.cc.inc
+++ b/crypto/fipsmodule/bn/montgomery.cc.inc
@@ -203,10 +203,7 @@
BN_ULONG carry = 0;
for (size_t i = 0; i < num_n; i++) {
BN_ULONG v = bn_mul_add_words(a + i, n, num_n, a[i] * n0);
- v += carry + a[i + num_n];
- carry |= (v != a[i + num_n]);
- carry &= (v <= a[i + num_n]);
- a[i + num_n] = v;
+ a[i + num_n] = CRYPTO_addc_w(a[i + num_n], v, carry, &carry);
}
// Shift |num_n| words to divide by R. We have |a| < 2 * |n|. Note that |a|
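Review bot: Worth confirming that `carry` is a strict 0/1 value every time it is passed as the carry-in to `CRYPTO_addc_w`: the removed lines kept it that way by construction (`carry |= ...; carry &= ...` on boolean comparisons), and the new call relies on the helper writing only 0 or 1 back through `&carry` on each iteration, starting from the `BN_ULONG carry = 0;` above the loop. The hunk also drops the only visible hint of how the carry is tracked, and the following comment speaks only about `|a| < 2 * |n|`, so a one-line comment above the loop stating that `carry` is propagated into `a[i + num_n]` on each step and consumed after the loop would preserve that context for readers who do not know the helper's contract.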