24 files changed, 519 insertions, 161 deletions
diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
index a377a05681..8eb3670def 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
+++ b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.c,v 1.7 2023/06/24 16:01:44 jsing Exp $ */
+/*      $OpenBSD: bn_arch.c,v 1.8 2025/08/05 15:01:13 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -78,7 +78,7 @@ bn_mul_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
 #ifdef HAVE_BN_MUL_COMBA4
 void
-bn_mul_comba4(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+bn_mul_comba4(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
 {
        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
        bignum_mul_4_8_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
@@ -87,7 +87,7 @@ bn_mul_comba4(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
 #ifdef HAVE_BN_MUL_COMBA8
 void
-bn_mul_comba8(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+bn_mul_comba8(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
 {
        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
        bignum_mul_8_16_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl
index 71b775af8d..19a1afdbbe 100644
--- a/src/lib/libcrypto/bn/asm/bn-586.pl
+++ b/src/lib/libcrypto/bn/asm/bn-586.pl
@@ -6,8 +6,7 @@ require "x86asm.pl";
 &asm_init($ARGV[0],$0);
-$sse2=0;
+$sse2=1;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
diff --git a/src/lib/libcrypto/bn/asm/x86-mont.pl b/src/lib/libcrypto/bn/asm/x86-mont.pl
index 6524651748..3be440f11f 100755
--- a/src/lib/libcrypto/bn/asm/x86-mont.pl
+++ b/src/lib/libcrypto/bn/asm/x86-mont.pl
@@ -32,8 +32,7 @@ require "x86asm.pl";
 &asm_init($ARGV[0],$0);
-$sse2=0;
+$sse2=1;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
diff --git a/src/lib/libcrypto/bn/bn_add.c b/src/lib/libcrypto/bn/bn_add.c
index 86768a312a..81fa60e429 100644
--- a/src/lib/libcrypto/bn/bn_add.c
+++ b/src/lib/libcrypto/bn/bn_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_add.c,v 1.26 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_add.c,v 1.29 2025/05/25 04:53:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,44 +60,10 @@
 #include <limits.h>
 #include <stdio.h>
-#include <openssl/err.h>
 #include "bn_arch.h"
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
-/*
- * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b
- * are both arrays of words. Any carry resulting from the addition is returned.
- */
-#ifndef HAVE_BN_ADD_WORDS
-BN_ULONG
-bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
-{
-        BN_ULONG carry = 0;
-        assert(n >= 0);
-        if (n <= 0)
-                return 0;
-        while (n & ~3) {
-                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
-                    carry, &carry, &r[3], &r[2], &r[1], &r[0]);
-                a += 4;
-                b += 4;
-                r += 4;
-                n -= 4;
-        }
-        while (n) {
-                bn_addw_addw(a[0], b[0], carry, &carry, &r[0]);
-                a++;
-                b++;
-                r++;
-                n--;
-        }
-        return carry;
-}
-#endif
 /*
 * bn_add() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b are both
@@ -147,40 +113,6 @@ bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 #endif
 /*
- * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b
- * are both arrays of words. Any borrow resulting from the subtraction is
- * returned.
- */
-#ifndef HAVE_BN_SUB_WORDS
-BN_ULONG
-bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
-{
-        BN_ULONG borrow = 0;
-        assert(n >= 0);
-        if (n <= 0)
-                return 0;
-        while (n & ~3) {
-                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
-                    borrow, &borrow, &r[3], &r[2], &r[1], &r[0]);
-                a += 4;
-                b += 4;
-                r += 4;
-                n -= 4;
-        }
-        while (n) {
-                bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]);
-                a++;
-                b++;
-                r++;
-                n--;
-        }
-        return borrow;
-}
-#endif
-/*
 * bn_sub() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b are both
 * arrays of words (r may be the same as a or b). The length of a and b may
 * differ, while r must be at least max(a_len, b_len) in length. Any borrow
@@ -208,7 +140,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
        /* XXX - consider doing four at a time to match bn_sub_words. */
        while (diff_len < 0) {
                /* Compute r[0] = 0 - b[0] - borrow. */
-                bn_subw(0 - b[0], borrow, &borrow, &r[0]);
+                bn_subw_subw(0, b[0], borrow, &borrow, &r[0]);
                diff_len++;
                b++;
                r++;
@@ -217,7 +149,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
        /* XXX - consider doing four at a time to match bn_sub_words. */
        while (diff_len > 0) {
                /* Compute r[0] = a[0] - 0 - borrow. */
-                bn_subw(a[0], borrow, &borrow, &r[0]);
+                bn_subw_subw(a[0], 0, borrow, &borrow, &r[0]);
                diff_len--;
                a++;
                r++;
diff --git a/src/lib/libcrypto/bn/bn_add_sub.c b/src/lib/libcrypto/bn/bn_add_sub.c
new file mode 100644
index 0000000000..5c9d5a2b1a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_add_sub.c
@@ -0,0 +1,178 @@
+/* $OpenBSD: bn_add_sub.c,v 1.1 2025/05/25 04:30:55 jsing Exp $ */
+/*
+ * Copyright (c) 2023,2024,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/bn.h>
+#include "bn_internal.h"
+/*
+ * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b
+ * are both arrays of words. Any carry resulting from the addition is returned.
+ */
+#ifndef HAVE_BN_ADD_WORDS
+BN_ULONG
+bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+{
+        BN_ULONG carry = 0;
+        while (n >= 4) {
+                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    carry, &carry, &r[3], &r[2], &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_addw_addw(a[0], b[0], carry, &carry, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return carry;
+}
+#endif
+/*
+ * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b
+ * are both arrays of words. Any borrow resulting from the subtraction is
+ * returned.
+ */
+#ifndef HAVE_BN_SUB_WORDS
+BN_ULONG
+bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+{
+        BN_ULONG borrow = 0;
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    borrow, &borrow, &r[3], &r[2], &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return borrow;
+}
+#endif
+/*
+ * bn_sub_borrow() computes a[i] - b[i], returning the resulting borrow only.
+ */
+#ifndef HAVE_BN_SUB_WORDS_BORROW
+BN_ULONG
+bn_sub_words_borrow(const BN_ULONG *a, const BN_ULONG *b, size_t n)
+{
+        BN_ULONG borrow = 0;
+        BN_ULONG r;
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    borrow, &borrow, &r, &r, &r, &r);
+                a += 4;
+                b += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0], borrow, &borrow, &r);
+                a++;
+                b++;
+                n--;
+        }
+        return borrow;
+}
+#endif
+/*
+ * bn_add_words_masked() computes r[] = a[] + (b[] & mask), where a, b and r are
+ * arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_ADD_WORDS_MASKED
+BN_ULONG
+bn_add_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n)
+{
+        BN_ULONG carry = 0;
+        /* XXX - consider conditional/masked versions of bn_addw_addw/bn_qwaddqw. */
+        while (n >= 4) {
+                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3] & mask, b[2] & mask,
+                    b[1] & mask, b[0] & mask, carry, &carry, &r[3], &r[2],
+                    &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_addw_addw(a[0], b[0] & mask, carry, &carry, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return carry;
+}
+#endif
+/*
+ * bn_sub_words_masked() computes r[] = a[] - (b[] & mask), where a, b and r are
+ * arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_SUB_WORDS_MASKED
+BN_ULONG
+bn_sub_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n)
+{
+        BN_ULONG borrow = 0;
+        /* XXX - consider conditional/masked versions of bn_subw_subw/bn_qwsubqw. */
+        /* Compute conditional r[i] = a[i] - b[i]. */
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3] & mask, b[2] & mask,
+                    b[1] & mask, b[0] & mask, borrow, &borrow, &r[3], &r[2],
+                    &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0] & mask, borrow, &borrow, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return borrow;
+}
+#endif
diff --git a/src/lib/libcrypto/bn/bn_convert.c b/src/lib/libcrypto/bn/bn_convert.c
index 6a6354f44e..ca5c7d7865 100644
--- a/src/lib/libcrypto/bn/bn_convert.c
+++ b/src/lib/libcrypto/bn/bn_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_convert.c,v 1.23 2024/11/08 14:18:44 jsing Exp $ */
+/* $OpenBSD: bn_convert.c,v 1.24 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,11 +65,11 @@
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "bytestring.h"
 #include "crypto_internal.h"
+#include "err_local.h"
 static int bn_dec2bn_cbs(BIGNUM **bnp, CBS *cbs);
 static int bn_hex2bn_cbs(BIGNUM **bnp, CBS *cbs);
diff --git a/src/lib/libcrypto/bn/bn_ctx.c b/src/lib/libcrypto/bn/bn_ctx.c
index 129b9c9781..eda93dcaa4 100644
--- a/src/lib/libcrypto/bn/bn_ctx.c
+++ b/src/lib/libcrypto/bn/bn_ctx.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_ctx.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/*      $OpenBSD: bn_ctx.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -19,9 +19,9 @@
 #include <string.h>
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 #define BN_CTX_INITIAL_LEN      8
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 09a8a364df..1026b43add 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.41 2024/04/10 14:58:06 beck Exp $ */
+/* $OpenBSD: bn_div.c,v 1.42 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,11 +62,11 @@
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "bn_arch.h"
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
 BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index e925d325d2..6a5c1c857a 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.58 2025/02/13 11:15:09 tb Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.59 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,10 +112,9 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "constant_time.h"
+#include "err_local.h"
 /* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index fa5d71a7f3..319d9ca390 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.29 2024/04/10 14:58:06 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.31 2025/06/02 12:40:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -109,9 +109,8 @@
 *
 */
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 static BIGNUM *
 euclid(BIGNUM *a, BIGNUM *b)
@@ -681,8 +680,10 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct
                                        /* A >= 2*B, so D=2 or D=3 */
                                        if (!BN_sub(M, A, T))
                                                goto err;
-                                        if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
+                                        /* use D (:= 3*B) as temp */
-                                                if (BN_ucmp(A, D) < 0) {
+                                        if (!BN_add(D, T, B))
+                                                goto err;
+                                        if (BN_ucmp(A, D) < 0) {
                                                /* A < 3*B, so D=2 */
                                                if (!BN_set_word(D, 2))
                                                        goto err;
diff --git a/src/lib/libcrypto/bn/bn_internal.h b/src/lib/libcrypto/bn/bn_internal.h
index fd04bc9f8a..8b5145e225 100644
--- a/src/lib/libcrypto/bn/bn_internal.h
+++ b/src/lib/libcrypto/bn/bn_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_internal.h,v 1.15 2023/06/25 11:42:26 jsing Exp $ */
+/*      $OpenBSD: bn_internal.h,v 1.20 2025/08/02 16:20:00 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -26,6 +26,30 @@ int bn_word_clz(BN_ULONG w);
 int bn_bitsize(const BIGNUM *bn);
+BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    int num);
+BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    int num);
+BN_ULONG bn_sub_words_borrow(const BN_ULONG *a, const BN_ULONG *b, size_t n);
+BN_ULONG bn_add_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n);
+BN_ULONG bn_sub_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n);
+void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n);
+void bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n);
+void bn_mod_mul_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, BN_ULONG *t, BN_ULONG m0, size_t n);
+void bn_mod_sqr_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *m,
+    BN_ULONG *t, BN_ULONG m0, size_t n);
+void bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap,
+    const BN_ULONG *bp, const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0,
+    int n_len);
+void bn_montgomery_reduce_words(BN_ULONG *r, BN_ULONG *a, const BN_ULONG *n,
+    BN_ULONG n0, int n_len);
 #ifndef HAVE_BN_CT_NE_ZERO
 static inline int
 bn_ct_ne_zero(BN_ULONG w)
diff --git a/src/lib/libcrypto/bn/bn_isqrt.c b/src/lib/libcrypto/bn/bn_isqrt.c
index 018d5f34bd..b725519e1a 100644
--- a/src/lib/libcrypto/bn/bn_isqrt.c
+++ b/src/lib/libcrypto/bn/bn_isqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_isqrt.c,v 1.10 2023/06/04 17:28:35 tb Exp $ */
+/*      $OpenBSD: bn_isqrt.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 *
@@ -19,10 +19,10 @@
 #include <stdint.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "crypto_internal.h"
+#include "err_local.h"
 /*
 * Calculate integer square root of |n| using a variant of Newton's method.
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index 72b988650c..3e451a6191 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.93 2024/04/16 13:07:14 jsing Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.94 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,10 +63,9 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
 BIGNUM *
 BN_new(void)
diff --git a/src/lib/libcrypto/bn/bn_local.h b/src/lib/libcrypto/bn/bn_local.h
index 067ffab3d9..1bd4c16baf 100644
--- a/src/lib/libcrypto/bn/bn_local.h
+++ b/src/lib/libcrypto/bn/bn_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_local.h,v 1.50 2025/02/13 11:04:20 tb Exp $ */
+/* $OpenBSD: bn_local.h,v 1.54 2025/08/05 15:08:13 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -240,10 +240,12 @@ BN_ULONG bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len,
    const BN_ULONG *b, int b_len);
 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba4(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba6(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
+void bn_mul_comba8(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_comba6(BN_ULONG *r, const BN_ULONG *a);
 void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
@@ -254,10 +256,6 @@ int bn_expand_bits(BIGNUM *a, size_t bits);
 int bn_expand_bytes(BIGNUM *a, size_t bytes);
 int bn_wexpand(BIGNUM *a, int words);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-    int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-    int num);
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
 BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
 void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c
index 365f6fcf03..7198c02e3b 100644
--- a/src/lib/libcrypto/bn/bn_mod.c
+++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mod.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_mod.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project. */
 /* ====================================================================
@@ -111,9 +111,8 @@
 * [including the GNU Public Licence.]
 */
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 int
 BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
diff --git a/src/lib/libcrypto/bn/bn_mod_sqrt.c b/src/lib/libcrypto/bn/bn_mod_sqrt.c
index 280002cc48..fc55f84317 100644
--- a/src/lib/libcrypto/bn/bn_mod_sqrt.c
+++ b/src/lib/libcrypto/bn/bn_mod_sqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */
+/*      $OpenBSD: bn_mod_sqrt.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -16,9 +16,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 /*
 * Tonelli-Shanks according to H. Cohen "A Course in Computational Algebraic
diff --git a/src/lib/libcrypto/bn/bn_mod_words.c b/src/lib/libcrypto/bn/bn_mod_words.c
new file mode 100644
index 0000000000..d9aee8701a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_mod_words.c
@@ -0,0 +1,114 @@
+/*      $OpenBSD: bn_mod_words.c,v 1.3 2025/08/05 15:15:54 jsing Exp $  */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "bn_local.h"
+#include "bn_internal.h"
+/*
+ * bn_mod_add_words() computes r[] = (a[] + b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_MOD_ADD_WORDS
+void
+bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        BN_ULONG carry, mask;
+        /*
+         * Compute a + b, then compute r - m to determine if r >= m, considering
+         * any carry that resulted from the addition. Finally complete a
+         * conditional subtraction of r - m.
+         */
+        /* XXX - change bn_add_words to use size_t. */
+        carry = bn_add_words(r, a, b, n);
+        mask = ~(carry - bn_sub_words_borrow(r, m, n));
+        bn_sub_words_masked(r, r, m, mask, n);
+}
+#endif
+/*
+ * bn_mod_sub_words() computes r[] = (a[] - b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_MOD_SUB_WORDS
+void
+bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        BN_ULONG borrow, mask;
+        /*
+         * Compute a - b, then complete a conditional addition of r + m
+         * based on the resulting borrow.
+         */
+        /* XXX - change bn_sub_words to use size_t. */
+        borrow = bn_sub_words(r, a, b, n);
+        mask = (0 - borrow);
+        bn_add_words_masked(r, r, m, mask, n);
+}
+#endif
+/*
+ * bn_mod_mul_words() computes r[] = (a[] * b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b) in the
+ * Montgomery domain. The result remains in the Montgomery domain.
+ */
+#ifndef HAVE_BN_MOD_MUL_WORDS
+void
+bn_mod_mul_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, BN_ULONG *t, BN_ULONG m0, size_t n)
+{
+        if (n == 4) {
+                bn_mul_comba4(t, a, b);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 6) {
+                bn_mul_comba6(t, a, b);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 8) {
+                bn_mul_comba8(t, a, b);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else {
+                bn_montgomery_multiply_words(r, a, b, m, t, m0, n);
+        }
+}
+#endif
+/*
+ * bn_mod_sqr_words() computes r[] = (a[] * a[]) mod m[], where a, r and
+ * m are arrays of words with length n (r may be the same as a) in the
+ * Montgomery domain. The result remains in the Montgomery domain.
+ */
+#ifndef HAVE_BN_MOD_SQR_WORDS
+void
+bn_mod_sqr_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *m,
+    BN_ULONG *t, BN_ULONG m0, size_t n)
+{
+        if (n == 4) {
+                bn_sqr_comba4(t, a);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 6) {
+                bn_sqr_comba6(t, a);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 8) {
+                bn_sqr_comba8(t, a);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else {
+                bn_montgomery_multiply_words(r, a, a, m, t, m0, n);
+        }
+}
+#endif
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index edd7bcd0c8..8280a8db27 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.66 2025/03/09 15:22:40 tb Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.69 2025/08/03 10:33:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,6 +116,7 @@
 * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
 */
+#include <limits.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
@@ -214,7 +215,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                 goto err;
        mont->N.neg = 0;
        mont->ri = ((BN_num_bits(mod) + BN_BITS2 - 1) / BN_BITS2) * BN_BITS2;
-        if (mont->ri * 2 < mont->ri)
+        if (mont->ri > INT_MAX / 2)
                goto err;
        /*
@@ -316,6 +317,44 @@ BN_MONT_CTX_set_locked(BN_MONT_CTX **pmctx, int lock, const BIGNUM *mod,
 LCRYPTO_ALIAS(BN_MONT_CTX_set_locked);
 /*
+ * bn_montgomery_reduce_words() performs Montgomery reduction, reducing the input
+ * from its Montgomery form aR to a, returning the result in r. a must be twice
+ * the length of the modulus. Note that the input is mutated in the process of
+ * performing the reduction.
+ */
+void
+bn_montgomery_reduce_words(BN_ULONG *r, BN_ULONG *a, const BN_ULONG *n,
+    BN_ULONG n0, int n_len)
+{
+        BN_ULONG v, mask;
+        BN_ULONG carry = 0;
+        int i;
+        /* Add multiples of the modulus, so that it becomes divisible by R. */
+        for (i = 0; i < n_len; i++) {
+                v = bn_mul_add_words(&a[i], n, n_len, a[i] * n0);
+                bn_addw_addw(v, a[i + n_len], carry, &carry, &a[i + n_len]);
+        }
+        /* Divide by R (this is the equivalent of right shifting by n_len). */
+        a = &a[n_len];
+        /*
+         * The output is now in the range of [0, 2N). Attempt to reduce once by
+         * subtracting the modulus. If the reduction was necessary then the
+         * result is already in r, otherwise copy the value prior to reduction
+         * from the top half of a.
+         */
+        mask = carry - bn_sub_words(r, a, n, n_len);
+        for (i = 0; i < n_len; i++) {
+                *r = (*r & ~mask) | (*a & mask);
+                r++;
+                a++;
+        }
+}
+/*
 * bn_montgomery_reduce() performs Montgomery reduction, reducing the input
 * from its Montgomery form aR to a, returning the result in r. Note that the
 * input is mutated in the process of performing the reduction, destroying its
@@ -325,7 +364,6 @@ static int
 bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
 {
        BIGNUM *n;
-        BN_ULONG *ap, *rp, n0, v, carry, mask;
        int i, max, n_len;
        n = &mctx->N;
@@ -341,7 +379,8 @@ bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
        /*
         * Expand a to twice the length of the modulus, zero if necessary.
-         * XXX - make this a requirement of the caller.
+         * XXX - make this a requirement of the caller or use a temporary
+         * allocation.
         */
        if ((max = 2 * n_len) < n_len)
                return 0;
@@ -350,33 +389,8 @@ bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
        for (i = a->top; i < max; i++)
                a->d[i] = 0;
-        carry = 0;
+        bn_montgomery_reduce_words(r->d, a->d, n->d, mctx->n0[0], n_len);
-        n0 = mctx->n0[0];
-        /* Add multiples of the modulus, so that it becomes divisible by R. */
-        for (i = 0; i < n_len; i++) {
-                v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0);
-                bn_addw_addw(v, a->d[i + n_len], carry, &carry,
-                    &a->d[i + n_len]);
-        }
-        /* Divide by R (this is the equivalent of right shifting by n_len). */
-        ap = &a->d[n_len];
-        /*
-         * The output is now in the range of [0, 2N). Attempt to reduce once by
-         * subtracting the modulus. If the reduction was necessary then the
-         * result is already in r, otherwise copy the value prior to reduction
-         * from the top half of a.
-         */
-        mask = carry - bn_sub_words(r->d, ap, n->d, n_len);
-        rp = r->d;
-        for (i = 0; i < n_len; i++) {
-                *rp = (*rp & ~mask) | (*ap & mask);
-                rp++;
-                ap++;
-        }
        r->top = n_len;
        bn_correct_top(r);
@@ -417,7 +431,7 @@ bn_mod_mul_montgomery_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
        return ret;
 }
-static void
+static inline void
 bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np,
    BN_ULONG *tp, BN_ULONG w, BN_ULONG *carry_a, BN_ULONG *carry_n, int n_len)
 {
@@ -452,7 +466,7 @@ bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np,
 * given word arrays. The caller must ensure that rp, ap, bp and np are all
 * n_len words in length, while tp must be n_len * 2 + 2 words in length.
 */
-static void
+void
 bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
    const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0, int n_len)
 {
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index bdeb9b0fe8..70f6534b8f 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mul.c,v 1.39 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_mul.c,v 1.42 2025/08/05 15:06:13 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <assert.h>
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
@@ -73,7 +74,7 @@
 */
 #ifndef HAVE_BN_MUL_COMBA4
 void
-bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+bn_mul_comba4(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
 {
        BN_ULONG c0, c1, c2;
@@ -103,13 +104,73 @@ bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 #endif
 /*
+ * bn_mul_comba6() computes r[] = a[] * b[] using Comba multiplication
+ * (https://everything2.com/title/Comba+multiplication), where a and b are both
+ * six word arrays, producing a 12 word array result.
+ */
+#ifndef HAVE_BN_MUL_COMBA6
+void
+bn_mul_comba6(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
+{
+        BN_ULONG c0, c1, c2;
+        bn_mulw_addtw(a[0], b[0],  0,  0,  0, &c2, &c1, &r[0]);
+        bn_mulw_addtw(a[0], b[1],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]);
+        bn_mulw_addtw(a[2], b[0],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]);
+        bn_mulw_addtw(a[0], b[3],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]);
+        bn_mulw_addtw(a[4], b[0],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[0], b[4], c2, c1, c0, &c2, &c1, &r[4]);
+        bn_mulw_addtw(a[0], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[0], c2, c1, c0, &c2, &c1, &r[5]);
+        bn_mulw_addtw(a[5], b[1],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[5], c2, c1, c0, &c2, &c1, &r[6]);
+        bn_mulw_addtw(a[2], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[2], c2, c1, c0, &c2, &c1, &r[7]);
+        bn_mulw_addtw(a[5], b[3],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[5], c2, c1, c0, &c2, &c1, &r[8]);
+        bn_mulw_addtw(a[4], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[4], c2, c1, c0, &c2, &c1, &r[9]);
+        bn_mulw_addtw(a[5], b[5],  0, c2, c1, &c2, &r[11], &r[10]);
+}
+#endif
+/*
 * bn_mul_comba8() computes r[] = a[] * b[] using Comba multiplication
 * (https://everything2.com/title/Comba+multiplication), where a and b are both
 * eight word arrays, producing a 16 word array result.
 */
 #ifndef HAVE_BN_MUL_COMBA8
 void
-bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+bn_mul_comba8(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
 {
        BN_ULONG c0, c1, c2;
@@ -338,9 +399,9 @@ BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
        if (rr == NULL)
                goto err;
-        rn = a->top + b->top;
+        if (a->top > INT_MAX - b->top)
-        if (rn < a->top)
                goto err;
+        rn = a->top + b->top;
        if (!bn_wexpand(rr, rn))
                goto err;
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index 5a4aa50bf1..d85595e0dd 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.34 2023/07/20 06:26:27 tb Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.35 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,9 +112,8 @@
 #include <stdio.h>
 #include <time.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 /* The quick sieve algorithm approach to weeding out primes is
 * Philip Zimmermann's, as implemented in PGP.  I have had a read of
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index 9cfcd8e2c0..d3b16f70a0 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.30 2024/03/16 20:42:33 tb Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,9 +115,8 @@
 #include <string.h>
 #include <time.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 static int
 bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c
index e3f22c52a9..ed5049b772 100644
--- a/src/lib/libcrypto/bn/bn_recp.c
+++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_recp.c,v 1.33 2025/02/04 20:22:20 tb Exp $ */
+/* $OpenBSD: bn_recp.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,9 +58,8 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 struct bn_recp_ctx_st {
        BIGNUM *N;      /* the divisor */
diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index 12edc7c0a0..b9f73cc322 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_shift.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_shift.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022, 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -16,9 +16,9 @@
 */
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 static inline int
 bn_lshift(BIGNUM *r, const BIGNUM *a, int n)
diff --git a/src/lib/libcrypto/bn/bn_sqr.c b/src/lib/libcrypto/bn/bn_sqr.c
index 0dbccbf85d..ab1282e3b1 100644
--- a/src/lib/libcrypto/bn/bn_sqr.c
+++ b/src/lib/libcrypto/bn/bn_sqr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_sqr.c,v 1.36 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_sqr.c,v 1.37 2025/08/05 15:08:13 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -97,6 +97,51 @@ bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
 #endif
 /*
+ * bn_sqr_comba6() computes r[] = a[] * a[] using Comba multiplication
+ * (https://everything2.com/title/Comba+multiplication), where a is an
+ * six word array, producing an 12 word array result.
+ */
+#ifndef HAVE_BN_SQR_COMBA6
+void
+bn_sqr_comba6(BN_ULONG *r, const BN_ULONG *a)
+{
+        BN_ULONG c2, c1, c0;
+        bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]);
+        bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]);
+        bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]);
+        bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]);
+        bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[0], c2, c1, c0, &c2, &c1, &r[4]);
+        bn_mul2_mulw_addtw(a[5], a[0], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[3], a[2], c2, c1, c0, &c2, &c1, &r[5]);
+        bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[5], a[1], c2, c1, c0, &c2, &c1, &r[6]);
+        bn_mul2_mulw_addtw(a[5], a[2], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[3], c2, c1, c0, &c2, &c1, &r[7]);
+        bn_mulw_addtw(a[4], a[4], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[5], a[3], c2, c1, c0, &c2, &c1, &r[8]);
+        bn_mul2_mulw_addtw(a[5], a[4], 0, c2, c1, &c2, &c1, &r[9]);
+        bn_mulw_addtw(a[5], a[5], 0, c2, c1, &c2, &r[11], &r[10]);
+}
+#endif
+/*
 * bn_sqr_comba8() computes r[] = a[] * a[] using Comba multiplication
 * (https://everything2.com/title/Comba+multiplication), where a is an
 * eight word array, producing an 16 word array result.