wolfcrypt/src/port/arm/armv8-32-curve25519.S and wolfcrypt/src/port/arm/armv8-32-curve25519_c.c: fix MPI overflow in L_curve25519_inv_8, similar to fix in #10536 (efabd1844a).

Author: douzzer

wolfcrypt/src/port/arm/armv8-32-curve25519.S

@@ -3677,6 +3677,33 @@ L_curve25519_inv_8:
 	ldr	r1, [sp, #160]
 	ldr	r0, [sp, #160]
 	bl	fe_mul_op
+	# Ensure result is less than modulus
+	ldr	r0, [sp, #160]
+	ldm	r0, {r4, r5, r6, r7, r8, r9, r10, r11}
+	adds	r2, r4, #19
+	adcs	r2, r5, #0
+	adcs	r2, r6, #0
+	adcs	r2, r7, #0
+	adcs	r2, r8, #0
+	adcs	r2, r9, #0
+	adcs	r2, r10, #0
+	adc	r2, r11, #0
+	asr	r2, r2, #31
+	and	r2, r2, #19
+	adds	r4, r4, r2
+	adcs	r5, r5, #0
+	adcs	r6, r6, #0
+	adcs	r7, r7, #0
+	adcs	r8, r8, #0
+	adcs	r9, r9, #0
+	adcs	r10, r10, #0
+	adc	r11, r11, #0
+#if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
+	bic	r11, r11, #0x80000000
+#else
+	bfc	r11, #31, #1
+#endif
+	stm	r0, {r4, r5, r6, r7, r8, r9, r10, r11}
 	mov	r0, #0
 	add	sp, sp, #0xbc
 	pop	{r4, r5, r6, r7, r8, r9, r10, r11, pc}
@@ -3959,21 +3986,29 @@ L_curve25519_inv_8:
 	# Ensure result is less than modulus
 	ldr	r0, [sp, #176]
 	ldm	r0, {r4, r5, r6, r7, r8, r9, r10, r11}
-	mov	r2, #19
-	and	r2, r2, r11, asr #31
+	adds	r2, r4, #19
+	adcs	r2, r5, #0
+	adcs	r2, r6, #0
+	adcs	r2, r7, #0
+	adcs	r2, r8, #0
+	adcs	r2, r9, #0
+	adcs	r2, r10, #0
+	adc	r2, r11, #0
+	asr	r2, r2, #31
+	and	r2, r2, #19
 	adds	r4, r4, r2
 	adcs	r5, r5, #0
 	adcs	r6, r6, #0
 	adcs	r7, r7, #0
 	adcs	r8, r8, #0
 	adcs	r9, r9, #0
+	adcs	r10, r10, #0
+	adc	r11, r11, #0
 #if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
 	bic	r11, r11, #0x80000000
 #else
 	bfc	r11, #31, #1
 #endif
-	adcs	r10, r10, #0
-	adc	r11, r11, #0
 	stm	r0, {r4, r5, r6, r7, r8, r9, r10, r11}
 	mov	r0, #0
 	add	sp, sp, #0xc0

wolfcrypt/src/port/arm/armv8-32-curve25519_c.c

@@ -4082,6 +4082,33 @@ WC_OMIT_FRAME_POINTER int curve25519(byte* r, const byte* n, const byte* a)
         "ldr	r1, [sp, #160]\n\t"
         "ldr	r0, [sp, #160]\n\t"
         "bl	fe_mul_op\n\t"
+        /* Ensure result is less than modulus */
+        "ldr	%[r], [sp, #160]\n\t"
+        "ldm	%[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
+        "adds	%[a], r4, #19\n\t"
+        "adcs	%[a], r5, #0\n\t"
+        "adcs	%[a], r6, #0\n\t"
+        "adcs	%[a], r7, #0\n\t"
+        "adcs	%[a], r8, #0\n\t"
+        "adcs	%[a], r9, #0\n\t"
+        "adcs	%[a], r10, #0\n\t"
+        "adc	%[a], r11, #0\n\t"
+        "asr	%[a], %[a], #31\n\t"
+        "and	%[a], %[a], #19\n\t"
+        "adds	r4, r4, %[a]\n\t"
+        "adcs	r5, r5, #0\n\t"
+        "adcs	r6, r6, #0\n\t"
+        "adcs	r7, r7, #0\n\t"
+        "adcs	r8, r8, #0\n\t"
+        "adcs	r9, r9, #0\n\t"
+        "adcs	r10, r10, #0\n\t"
+        "adc	r11, r11, #0\n\t"
+#if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
+        "bic	r11, r11, #0x80000000\n\t"
+#else
+        "bfc	r11, #31, #1\n\t"
+#endif
+        "stm	%[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
         "mov	r0, #0\n\t"
         "add	sp, sp, #0xbc\n\t"
 #ifndef WOLFSSL_NO_VAR_ASSIGN_REG
@@ -4392,21 +4419,29 @@ WC_OMIT_FRAME_POINTER int curve25519(byte* r, const byte* n, const byte* a)
         /* Ensure result is less than modulus */
         "ldr	%[r], [sp, #176]\n\t"
         "ldm	%[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
-        "mov	%[a], #19\n\t"
-        "and	%[a], %[a], r11, asr #31\n\t"
+        "adds	%[a], r4, #19\n\t"
+        "adcs	%[a], r5, #0\n\t"
+        "adcs	%[a], r6, #0\n\t"
+        "adcs	%[a], r7, #0\n\t"
+        "adcs	%[a], r8, #0\n\t"
+        "adcs	%[a], r9, #0\n\t"
+        "adcs	%[a], r10, #0\n\t"
+        "adc	%[a], r11, #0\n\t"
+        "asr	%[a], %[a], #31\n\t"
+        "and	%[a], %[a], #19\n\t"
         "adds	r4, r4, %[a]\n\t"
         "adcs	r5, r5, #0\n\t"
         "adcs	r6, r6, #0\n\t"
         "adcs	r7, r7, #0\n\t"
         "adcs	r8, r8, #0\n\t"
         "adcs	r9, r9, #0\n\t"
+        "adcs	r10, r10, #0\n\t"
+        "adc	r11, r11, #0\n\t"
 #if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
         "bic	r11, r11, #0x80000000\n\t"
 #else
         "bfc	r11, #31, #1\n\t"
 #endif
-        "adcs	r10, r10, #0\n\t"
-        "adc	r11, r11, #0\n\t"
         "stm	%[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
         "mov	r0, #0\n\t"
         "add	sp, sp, #0xc0\n\t"