Fix output constraints for bn_umul_hilo().

When bn_umul_hilo() is implemented using an instruction pair, mark the
first output with a constraint that prevents the output from overlapping
with the inputs ("&"). Otherwise the first instruction can overwrite the
inputs, which then results in the second instruction producing incorrect
value.

4 files changed, 8 insertions, 8 deletions

diff --git a/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h b/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h
index 5cf25adc48..7592971dc0 100644
--- a/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/aarch64/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.2 2023/01/31 05:53:49 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.3 2023/02/04 11:48:55 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -32,7 +32,7 @@ bn_umul_hilo(BN_ULONG a, BN_ULONG b, BN_ULONG *out_h, BN_ULONG *out_l)
 
         /* Unsigned multiplication using a umulh/mul pair. */
         __asm__ ("umulh %0, %2, %3; mul %1, %2, %3"
-            : "=r"(h), "=r"(l)
+            : "=&r"(h), "=r"(l)
             : "r"(a), "r"(b));
 
         *out_h = h;
diff --git a/src/lib/libcrypto/bn/arch/alpha/bn_arch.h b/src/lib/libcrypto/bn/arch/alpha/bn_arch.h
index 9bc00911ab..0f7c582fdf 100644
--- a/src/lib/libcrypto/bn/arch/alpha/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/alpha/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.2 2023/01/31 05:57:08 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.3 2023/02/04 11:48:55 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -31,7 +31,7 @@ bn_umul_hilo(BN_ULONG a, BN_ULONG b, BN_ULONG *out_h, BN_ULONG *out_l)
 
         /* Unsigned multiplication using a umulh/mulq pair. */
         __asm__ ("umulh %2, %3, %0; mulq %2, %3, %1"
-            : "=r"(h), "=r"(l)
+            : "=&r"(h), "=r"(l)
             : "r"(a), "r"(b));
 
         *out_h = h;
diff --git a/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h b/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h
index 1b8bd61138..92e16e9f9c 100644
--- a/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/powerpc64/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.2 2023/01/31 05:57:08 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.3 2023/02/04 11:48:55 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -31,7 +31,7 @@ bn_umul_hilo(BN_ULONG a, BN_ULONG b, BN_ULONG *out_h, BN_ULONG *out_l)
 
         /* Unsigned multiplication using a mulhdu/mul pair. */
         __asm__ ("mulhdu %0, %2, %3; mul %1, %2, %3"
-            : "=r"(h), "=r"(l)
+            : "=&r"(h), "=r"(l)
             : "r"(a), "r"(b));
 
         *out_h = h;
diff --git a/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h b/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h
index 1b4267acc0..36cf3a4f66 100644
--- a/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/riscv64/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.2 2023/01/31 05:57:08 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.3 2023/02/04 11:48:55 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -35,7 +35,7 @@ bn_umul_hilo(BN_ULONG a, BN_ULONG b, BN_ULONG *out_h, BN_ULONG *out_l)
          * into a single operation.
          */
         __asm__ ("mulh %0, %2, %3; mul %1, %2, %3"
-            : "=r"(h), "=r"(l)
+            : "=&r"(h), "=r"(l)
             : "r"(a), "r"(b));
 
         *out_h = h;