
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: [PATCH] LibreSSL: avoid undefined behavior when shifting into sign bit
To: Kenjiro Nakayama <nakayamakenjiro@gmail.com>
Cc: tech@openbsd.org
Date: Sat, 12 Apr 2025 06:46:56 +0200

On Sat, Apr 12, 2025 at 12:15:16PM +0900, Kenjiro Nakayama wrote:
> Shifting a signed int64_t into the sign bit is undefined behavior in C.
> 
>   /dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error:
>   left shift of negative value -222076011
>   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable
> 
> To avoid this, import int64_lshift21() from BoringSSL, a helper function
> that casts the input to uint64_t before shifting and back to int64_t afterward.
> This ensures defined behavior when shifting left by 21 bits, avoiding
> undefined behavior in expressions like `carry << 21`.
> 
> This change addresses potential runtime issues detected by sanitizers
> when shifting signed values with high bits set.

Thanks. Rather than cherry-picking this fix, we should probably update
to the last C version of this file before BoringSSL switched to C++. I
will take a look.
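
The helper described in the quoted patch, as an added example that is not code from LibreSSL, BoringSSL or this thread: the shift is done on a uint64_t, where it is defined for every input, and the result is converted back. `carry_step()` and `carry_step_ok()` are hypothetical names, and the shape of the carry step around `carry << 21` is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Shift left by 21 in unsigned arithmetic, then convert back. The
 * conversion to int64_t is implementation-defined (two's complement
 * wrap on common compilers), not undefined like the signed shift. */
static int64_t int64_lshift21(int64_t a) {
    return (int64_t)((uint64_t)a << 21);
}

/* Hypothetical carry step: move the rounded high part of *lo into *hi.
 * Assumes >> on a negative int64_t is an arithmetic shift. */
static void carry_step(int64_t *lo, int64_t *hi) {
    int64_t carry = (*lo + (1 << 20)) >> 21;
    *hi += carry;
    /* Previously "carry << 21", which is undefined when carry < 0. */
    *lo -= int64_lshift21(carry);
}

/* Returns 1 if the step kept lo + hi * 2^21 unchanged and left the
 * low part in [-2^20, 2^20). */
static int carry_step_ok(int64_t lo, int64_t hi) {
    int64_t l = lo, h = hi;
    carry_step(&l, &h);
    int64_t before = lo + hi * 2097152LL;
    int64_t after = l + h * 2097152LL;
    return before == after && l >= -(1 << 20) && l < (1 << 20);
}

int main(void) {
    /* -222076011 is the value named in the sanitizer report above;
     * the surrounding inputs are constructed for this example. */
    int64_t carry = -222076011;
    int64_t lo = -222076011LL * 2097152LL + 5;

    printf("shifted carry: %lld\n", (long long)int64_lshift21(carry));
    printf("carry step ok: %d\n", carry_step_ok(lo, 7));
    return 0;
}
```

Building this with `-fsanitize=undefined` and swapping the helper call for a plain `carry << 21` reproduces the class of report quoted in the patch description.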