Merge pull request #9372 from SparkiDev/curve25519_no_lshift_neg_val

Curve25519: lshift of a negative value is undefined in C
2026-01-29 00:39:54 +01:00 · 2025-11-06 15:22:38 -07:00
parent 9780137962 e4d47fb5c7
commit ca51fda3bb
5 changed files with 530 additions and 394 deletions
--- a/wolfcrypt/src/fe_448.c
+++ b/wolfcrypt/src/fe_448.c
@@ -504,62 +504,70 @@ void fe448_init(void)
 */
 void fe448_from_bytes(sword64* r, const unsigned char* b)
 {
-    r[ 0] =  ((sword64) (b[ 0]) <<  0)
-          |  ((sword64) (b[ 1]) <<  8)
-          |  ((sword64) (b[ 2]) << 16)
-          |  ((sword64) (b[ 3]) << 24)
-          |  ((sword64) (b[ 4]) << 32)
-          |  ((sword64) (b[ 5]) << 40)
-          |  ((sword64) (b[ 6]) << 48);
-    r[ 1] =  ((sword64) (b[ 7]) <<  0)
-          |  ((sword64) (b[ 8]) <<  8)
-          |  ((sword64) (b[ 9]) << 16)
-          |  ((sword64) (b[10]) << 24)
-          |  ((sword64) (b[11]) << 32)
-          |  ((sword64) (b[12]) << 40)
-          |  ((sword64) (b[13]) << 48);
-    r[ 2] =  ((sword64) (b[14]) <<  0)
-          |  ((sword64) (b[15]) <<  8)
-          |  ((sword64) (b[16]) << 16)
-          |  ((sword64) (b[17]) << 24)
-          |  ((sword64) (b[18]) << 32)
-          |  ((sword64) (b[19]) << 40)
-          |  ((sword64) (b[20]) << 48);
-    r[ 3] =  ((sword64) (b[21]) <<  0)
-          |  ((sword64) (b[22]) <<  8)
-          |  ((sword64) (b[23]) << 16)
-          |  ((sword64) (b[24]) << 24)
-          |  ((sword64) (b[25]) << 32)
-          |  ((sword64) (b[26]) << 40)
-          |  ((sword64) (b[27]) << 48);
-    r[ 4] =  ((sword64) (b[28]) <<  0)
-          |  ((sword64) (b[29]) <<  8)
-          |  ((sword64) (b[30]) << 16)
-          |  ((sword64) (b[31]) << 24)
-          |  ((sword64) (b[32]) << 32)
-          |  ((sword64) (b[33]) << 40)
-          |  ((sword64) (b[34]) << 48);
-    r[ 5] =  ((sword64) (b[35]) <<  0)
-          |  ((sword64) (b[36]) <<  8)
-          |  ((sword64) (b[37]) << 16)
-          |  ((sword64) (b[38]) << 24)
-          |  ((sword64) (b[39]) << 32)
-          |  ((sword64) (b[40]) << 40)
-          |  ((sword64) (b[41]) << 48);
-    r[ 6] =  ((sword64) (b[42]) <<  0)
-          |  ((sword64) (b[43]) <<  8)
-          |  ((sword64) (b[44]) << 16)
-          |  ((sword64) (b[45]) << 24)
-          |  ((sword64) (b[46]) << 32)
-          |  ((sword64) (b[47]) << 40)
-          |  ((sword64) (b[48]) << 48);
-    r[ 7] =  ((sword64) (b[49]) <<  0)
-          |  ((sword64) (b[50]) <<  8)
-          |  ((sword64) (b[51]) << 16)
-          |  ((sword64) (b[52]) << 24)
-          |  ((sword64) (b[53]) << 32)
-          |  ((sword64) (b[54]) << 40)
-          |  ((sword64) (b[55]) << 48);
+    r[ 0] = (sword64)(
+             (((word64)b[ 0]) <<  0)
+          |  (((word64)b[ 1]) <<  8)
+          |  (((word64)b[ 2]) << 16)
+          |  (((word64)b[ 3]) << 24)
+          |  (((word64)b[ 4]) << 32)
+          |  (((word64)b[ 5]) << 40)
+          |  (((word64)b[ 6]) << 48));
+    r[ 1] = (sword64)(
+             (((word64)b[ 7]) <<  0)
+          |  (((word64)b[ 8]) <<  8)
+          |  (((word64)b[ 9]) << 16)
+          |  (((word64)b[10]) << 24)
+          |  (((word64)b[11]) << 32)
+          |  (((word64)b[12]) << 40)
+          |  (((word64)b[13]) << 48));
+    r[ 2] = (sword64)(
+             (((word64)b[14]) <<  0)
+          |  (((word64)b[15]) <<  8)
+          |  (((word64)b[16]) << 16)
+          |  (((word64)b[17]) << 24)
+          |  (((word64)b[18]) << 32)
+          |  (((word64)b[19]) << 40)
+          |  (((word64)b[20]) << 48));
+    r[ 3] = (sword64)(
+             (((word64)b[21]) <<  0)
+          |  (((word64)b[22]) <<  8)
+          |  (((word64)b[23]) << 16)
+          |  (((word64)b[24]) << 24)
+          |  (((word64)b[25]) << 32)
+          |  (((word64)b[26]) << 40)
+          |  (((word64)b[27]) << 48));
+    r[ 4] = (sword64)(
+             (((word64)b[28]) <<  0)
+          |  (((word64)b[29]) <<  8)
+          |  (((word64)b[30]) << 16)
+          |  (((word64)b[31]) << 24)
+          |  (((word64)b[32]) << 32)
+          |  (((word64)b[33]) << 40)
+          |  (((word64)b[34]) << 48));
+    r[ 5] = (sword64)(
+             (((word64)b[35]) <<  0)
+          |  (((word64)b[36]) <<  8)
+          |  (((word64)b[37]) << 16)
+          |  (((word64)b[38]) << 24)
+          |  (((word64)b[39]) << 32)
+          |  (((word64)b[40]) << 40)
+          |  (((word64)b[41]) << 48));
+    r[ 6] = (sword64)(
+             (((word64)b[42]) <<  0)
+          |  (((word64)b[43]) <<  8)
+          |  (((word64)b[44]) << 16)
+          |  (((word64)b[45]) << 24)
+          |  (((word64)b[46]) << 32)
+          |  (((word64)b[47]) << 40)
+          |  (((word64)b[48]) << 48));
+    r[ 7] = (sword64)(
+             (((word64)b[49]) <<  0)
+          |  (((word64)b[50]) <<  8)
+          |  (((word64)b[51]) << 16)
+          |  (((word64)b[52]) << 24)
+          |  (((word64)b[53]) << 32)
+          |  (((word64)b[54]) << 40)
+          |  (((word64)b[55]) << 48));
 }

 /* Convert the field element to a byte array from an array of 56-bits.
@@ -580,7 +588,7 @@ void fe448_to_bytes(unsigned char* b, const sword64* a)
    sword64 in6 = a[6];
    sword64 in7 = a[7];
    sword64 o = in7 >> 56;
-    in7 -= o << 56;
+    in7 -= (sword64)((word64)o << 56);
    in0 += o;
    in4 += o;
    o = (in0 + 1) >> 56;
@@ -593,16 +601,24 @@ void fe448_to_bytes(unsigned char* b, const sword64* a)
    o = (o + in7) >> 56;
    in0 += o;
    in4 += o;
-    in7 -= o << 56;
-    o = (in0  >> 56); in1  += o; t = o << 56; in0  -= t;
-    o = (in1  >> 56); in2  += o; t = o << 56; in1  -= t;
-    o = (in2  >> 56); in3  += o; t = o << 56; in2  -= t;
-    o = (in3  >> 56); in4  += o; t = o << 56; in3  -= t;
-    o = (in4  >> 56); in5  += o; t = o << 56; in4  -= t;
-    o = (in5  >> 56); in6  += o; t = o << 56; in5  -= t;
-    o = (in6  >> 56); in7  += o; t = o << 56; in6  -= t;
-    o = (in7  >> 56); in0  += o;
-                      in4  += o; t = o << 56; in7  -= t;
+    in7 -= (sword64)((word64)o << 56);
+    o = (sword64)(in0  >> 56); in1  += o;
+    t = (sword64)((word64)o << 56); in0  -= t;
+    o = (sword64)(in1  >> 56); in2  += o;
+    t = (sword64)((word64)o << 56); in1  -= t;
+    o = (sword64)(in2  >> 56); in3  += o;
+    t = (sword64)((word64)o << 56); in2  -= t;
+    o = (sword64)(in3  >> 56); in4  += o;
+    t = (sword64)((word64)o << 56); in3  -= t;
+    o = (sword64)(in4  >> 56); in5  += o;
+    t = (sword64)((word64)o << 56); in4  -= t;
+    o = (sword64)(in5  >> 56); in6  += o;
+    t = (sword64)((word64)o << 56); in5  -= t;
+    o = (sword64)(in6  >> 56); in7  += o;
+    t = (sword64)((word64)o << 56); in6  -= t;
+    o = (sword64)(in7  >> 56); in0  += o;
+                               in4  += o;
+    t = (sword64)((word64)o << 56); in7  -= t;

    /* Output as bytes */
    b[ 0] = (byte)(in0  >>  0);
@@ -801,15 +817,23 @@ void fe448_mul39081(sword64* r, const sword64* a)
    sword128 t5 = a[5] * (sword128)39081;
    sword128 t6 = a[6] * (sword128)39081;
    sword128 t7 = a[7] * (sword128)39081;
-    o = (sword64)(t0  >> 56); t1  += o; t = (sword128)o << 56; t0  -= t;
-    o = (sword64)(t1  >> 56); t2  += o; t = (sword128)o << 56; t1  -= t;
-    o = (sword64)(t2  >> 56); t3  += o; t = (sword128)o << 56; t2  -= t;
-    o = (sword64)(t3  >> 56); t4  += o; t = (sword128)o << 56; t3  -= t;
-    o = (sword64)(t4  >> 56); t5  += o; t = (sword128)o << 56; t4  -= t;
-    o = (sword64)(t5  >> 56); t6  += o; t = (sword128)o << 56; t5  -= t;
-    o = (sword64)(t6  >> 56); t7  += o; t = (sword128)o << 56; t6  -= t;
+    o = (sword64)(t0  >> 56); t1  += o;
+    t = (sword128)((word128)o << 56); t0  -= t;
+    o = (sword64)(t1  >> 56); t2  += o;
+    t = (sword128)((word128)o << 56); t1  -= t;
+    o = (sword64)(t2  >> 56); t3  += o;
+    t = (sword128)((word128)o << 56); t2  -= t;
+    o = (sword64)(t3  >> 56); t4  += o;
+    t = (sword128)((word128)o << 56); t3  -= t;
+    o = (sword64)(t4  >> 56); t5  += o;
+    t = (sword128)((word128)o << 56); t4  -= t;
+    o = (sword64)(t5  >> 56); t6  += o;
+    t = (sword128)((word128)o << 56); t5  -= t;
+    o = (sword64)(t6  >> 56); t7  += o;
+    t = (sword128)((word128)o << 56); t6  -= t;
    o = (sword64)(t7  >> 56); t0  += o;
-                              t4  += o; t = (sword128)o << 56; t7  -= t;
+                              t4  += o;
+    t = (sword128)((word128)o << 56); t7  -= t;

    /* Store */
    r[0] = (sword64)t0;
@@ -1297,70 +1321,86 @@ void fe448_init(void)
 */
 void fe448_from_bytes(sword32* r, const unsigned char* b)
 {
-    r[ 0] =  (((sword32)((b[ 0]        ) >>  0)) <<  0)
-          |  (((sword32)((b[ 1]        ) >>  0)) <<  8)
-          |  (((sword32)((b[ 2]        ) >>  0)) << 16)
-          | ((((sword32)((b[ 3] & 0xf )) >>  0)) << 24);
-    r[ 1] =  (((sword32)((b[ 3]        ) >>  4)) <<  0)
-          |  (((sword32)((b[ 4]        ) >>  0)) <<  4)
-          |  (((sword32)((b[ 5]        ) >>  0)) << 12)
-          |  (((sword32)((b[ 6]        ) >>  0)) << 20);
-    r[ 2] =  (((sword32)((b[ 7]        ) >>  0)) <<  0)
-          |  (((sword32)((b[ 8]        ) >>  0)) <<  8)
-          |  (((sword32)((b[ 9]        ) >>  0)) << 16)
-          | ((((sword32)((b[10] & 0xf )) >>  0)) << 24);
-    r[ 3] =  (((sword32)((b[10]        ) >>  4)) <<  0)
-          |  (((sword32)((b[11]        ) >>  0)) <<  4)
-          |  (((sword32)((b[12]        ) >>  0)) << 12)
-          |  (((sword32)((b[13]        ) >>  0)) << 20);
-    r[ 4] =  (((sword32)((b[14]        ) >>  0)) <<  0)
-          |  (((sword32)((b[15]        ) >>  0)) <<  8)
-          |  (((sword32)((b[16]        ) >>  0)) << 16)
-          | ((((sword32)((b[17] & 0xf )) >>  0)) << 24);
-    r[ 5] =  (((sword32)((b[17]        ) >>  4)) <<  0)
-          |  (((sword32)((b[18]        ) >>  0)) <<  4)
-          |  (((sword32)((b[19]        ) >>  0)) << 12)
-          |  (((sword32)((b[20]        ) >>  0)) << 20);
-    r[ 6] =  (((sword32)((b[21]        ) >>  0)) <<  0)
-          |  (((sword32)((b[22]        ) >>  0)) <<  8)
-          |  (((sword32)((b[23]        ) >>  0)) << 16)
-          | ((((sword32)((b[24] & 0xf )) >>  0)) << 24);
-    r[ 7] =  (((sword32)((b[24]        ) >>  4)) <<  0)
-          |  (((sword32)((b[25]        ) >>  0)) <<  4)
-          |  (((sword32)((b[26]        ) >>  0)) << 12)
-          |  (((sword32)((b[27]        ) >>  0)) << 20);
-    r[ 8] =  (((sword32)((b[28]        ) >>  0)) <<  0)
-          |  (((sword32)((b[29]        ) >>  0)) <<  8)
-          |  (((sword32)((b[30]        ) >>  0)) << 16)
-          | ((((sword32)((b[31] & 0xf )) >>  0)) << 24);
-    r[ 9] =  (((sword32)((b[31]        ) >>  4)) <<  0)
-          |  (((sword32)((b[32]        ) >>  0)) <<  4)
-          |  (((sword32)((b[33]        ) >>  0)) << 12)
-          |  (((sword32)((b[34]        ) >>  0)) << 20);
-    r[10] =  (((sword32)((b[35]        ) >>  0)) <<  0)
-          |  (((sword32)((b[36]        ) >>  0)) <<  8)
-          |  (((sword32)((b[37]        ) >>  0)) << 16)
-          | ((((sword32)((b[38] & 0xf )) >>  0)) << 24);
-    r[11] =  (((sword32)((b[38]        ) >>  4)) <<  0)
-          |  (((sword32)((b[39]        ) >>  0)) <<  4)
-          |  (((sword32)((b[40]        ) >>  0)) << 12)
-          |  (((sword32)((b[41]        ) >>  0)) << 20);
-    r[12] =  (((sword32)((b[42]        ) >>  0)) <<  0)
-          |  (((sword32)((b[43]        ) >>  0)) <<  8)
-          |  (((sword32)((b[44]        ) >>  0)) << 16)
-          | ((((sword32)((b[45] & 0xf )) >>  0)) << 24);
-    r[13] =  (((sword32)((b[45]        ) >>  4)) <<  0)
-          |  (((sword32)((b[46]        ) >>  0)) <<  4)
-          |  (((sword32)((b[47]        ) >>  0)) << 12)
-          |  (((sword32)((b[48]        ) >>  0)) << 20);
-    r[14] =  (((sword32)((b[49]        ) >>  0)) <<  0)
-          |  (((sword32)((b[50]        ) >>  0)) <<  8)
-          |  (((sword32)((b[51]        ) >>  0)) << 16)
-          | ((((sword32)((b[52] & 0xf )) >>  0)) << 24);
-    r[15] =  (((sword32)((b[52]        ) >>  4)) <<  0)
-          |  (((sword32)((b[53]        ) >>  0)) <<  4)
-          |  (((sword32)((b[54]        ) >>  0)) << 12)
-          |  (((sword32)((b[55]        ) >>  0)) << 20);
+    r[ 0] = (sword32)(
+             (((word32)((b[ 0]        ) >>  0)) <<  0)
+          |  (((word32)((b[ 1]        ) >>  0)) <<  8)
+          |  (((word32)((b[ 2]        ) >>  0)) << 16)
+          | ((((word32)((b[ 3] & 0xf )) >>  0)) << 24));
+    r[ 1] = (sword32)(
+             (((word32)((b[ 3]        ) >>  4)) <<  0)
+          |  (((word32)((b[ 4]        ) >>  0)) <<  4)
+          |  (((word32)((b[ 5]        ) >>  0)) << 12)
+          |  (((word32)((b[ 6]        ) >>  0)) << 20));
+    r[ 2] = (sword32)(
+             (((word32)((b[ 7]        ) >>  0)) <<  0)
+          |  (((word32)((b[ 8]        ) >>  0)) <<  8)
+          |  (((word32)((b[ 9]        ) >>  0)) << 16)
+          | ((((word32)((b[10] & 0xf )) >>  0)) << 24));
+    r[ 3] = (sword32)(
+             (((word32)((b[10]        ) >>  4)) <<  0)
+          |  (((word32)((b[11]        ) >>  0)) <<  4)
+          |  (((word32)((b[12]        ) >>  0)) << 12)
+          |  (((word32)((b[13]        ) >>  0)) << 20));
+    r[ 4] = (sword32)(
+             (((word32)((b[14]        ) >>  0)) <<  0)
+          |  (((word32)((b[15]        ) >>  0)) <<  8)
+          |  (((word32)((b[16]        ) >>  0)) << 16)
+          | ((((word32)((b[17] & 0xf )) >>  0)) << 24));
+    r[ 5] = (sword32)(
+             (((word32)((b[17]        ) >>  4)) <<  0)
+          |  (((word32)((b[18]        ) >>  0)) <<  4)
+          |  (((word32)((b[19]        ) >>  0)) << 12)
+          |  (((word32)((b[20]        ) >>  0)) << 20));
+    r[ 6] = (sword32)(
+             (((word32)((b[21]        ) >>  0)) <<  0)
+          |  (((word32)((b[22]        ) >>  0)) <<  8)
+          |  (((word32)((b[23]        ) >>  0)) << 16)
+          | ((((word32)((b[24] & 0xf )) >>  0)) << 24));
+    r[ 7] = (sword32)(
+             (((word32)((b[24]        ) >>  4)) <<  0)
+          |  (((word32)((b[25]        ) >>  0)) <<  4)
+          |  (((word32)((b[26]        ) >>  0)) << 12)
+          |  (((word32)((b[27]        ) >>  0)) << 20));
+    r[ 8] = (sword32)(
+             (((word32)((b[28]        ) >>  0)) <<  0)
+          |  (((word32)((b[29]        ) >>  0)) <<  8)
+          |  (((word32)((b[30]        ) >>  0)) << 16)
+          | ((((word32)((b[31] & 0xf )) >>  0)) << 24));
+    r[ 9] = (sword32)(
+             (((word32)((b[31]        ) >>  4)) <<  0)
+          |  (((word32)((b[32]        ) >>  0)) <<  4)
+          |  (((word32)((b[33]        ) >>  0)) << 12)
+          |  (((word32)((b[34]        ) >>  0)) << 20));
+    r[10] = (sword32)(
+             (((word32)((b[35]        ) >>  0)) <<  0)
+          |  (((word32)((b[36]        ) >>  0)) <<  8)
+          |  (((word32)((b[37]        ) >>  0)) << 16)
+          | ((((word32)((b[38] & 0xf )) >>  0)) << 24));
+    r[11] = (sword32)(
+             (((word32)((b[38]        ) >>  4)) <<  0)
+          |  (((word32)((b[39]        ) >>  0)) <<  4)
+          |  (((word32)((b[40]        ) >>  0)) << 12)
+          |  (((word32)((b[41]        ) >>  0)) << 20));
+    r[12] = (sword32)(
+             (((word32)((b[42]        ) >>  0)) <<  0)
+          |  (((word32)((b[43]        ) >>  0)) <<  8)
+          |  (((word32)((b[44]        ) >>  0)) << 16)
+          | ((((word32)((b[45] & 0xf )) >>  0)) << 24));
+    r[13] = (sword32)(
+             (((word32)((b[45]        ) >>  4)) <<  0)
+          |  (((word32)((b[46]        ) >>  0)) <<  4)
+          |  (((word32)((b[47]        ) >>  0)) << 12)
+          |  (((word32)((b[48]        ) >>  0)) << 20));
+    r[14] = (sword32)(
+             (((word32)((b[49]        ) >>  0)) <<  0)
+          |  (((word32)((b[50]        ) >>  0)) <<  8)
+          |  (((word32)((b[51]        ) >>  0)) << 16)
+          | ((((word32)((b[52] & 0xf )) >>  0)) << 24));
+    r[15] = (sword32)(
+             (((word32)((b[52]        ) >>  4)) <<  0)
+          |  (((word32)((b[53]        ) >>  0)) <<  4)
+          |  (((word32)((b[54]        ) >>  0)) << 12)
+          |  (((word32)((b[55]        ) >>  0)) << 20));
 }

 /* Convert the field element to a byte array from an array of 28-bits.
@@ -1389,7 +1429,7 @@ void fe448_to_bytes(unsigned char* b, const sword32* a)
    sword32 in14 = a[14];
    sword32 in15 = a[15];
    sword32 o = in15 >> 28;
-    in15 -= o << 28;
+    in15 -= (sword32)((word32)o << 28);
    in0 += o;
    in8 += o;
    o = (in0 + 1) >> 28;
@@ -1410,79 +1450,95 @@ void fe448_to_bytes(unsigned char* b, const sword32* a)
    o = (o + in15) >> 28;
    in0 += o;
    in8 += o;
-    in15 -= o << 28;
-    o = (in0  >> 28); in1  += o; t = o << 28; in0  -= t;
-    o = (in1  >> 28); in2  += o; t = o << 28; in1  -= t;
-    o = (in2  >> 28); in3  += o; t = o << 28; in2  -= t;
-    o = (in3  >> 28); in4  += o; t = o << 28; in3  -= t;
-    o = (in4  >> 28); in5  += o; t = o << 28; in4  -= t;
-    o = (in5  >> 28); in6  += o; t = o << 28; in5  -= t;
-    o = (in6  >> 28); in7  += o; t = o << 28; in6  -= t;
-    o = (in7  >> 28); in8  += o; t = o << 28; in7  -= t;
-    o = (in8  >> 28); in9  += o; t = o << 28; in8  -= t;
-    o = (in9  >> 28); in10 += o; t = o << 28; in9  -= t;
-    o = (in10 >> 28); in11 += o; t = o << 28; in10 -= t;
-    o = (in11 >> 28); in12 += o; t = o << 28; in11 -= t;
-    o = (in12 >> 28); in13 += o; t = o << 28; in12 -= t;
-    o = (in13 >> 28); in14 += o; t = o << 28; in13 -= t;
-    o = (in14 >> 28); in15 += o; t = o << 28; in14 -= t;
-    o = (in15 >> 28); in0  += o;
-                      in8  += o; t = o << 28; in15 -= t;
+    in15 -= (sword32)((word32)o << 28);
+    o = (sword32)(in0  >> 28); in1  += o;
+    t = (sword32)((word32)o << 28); in0  -= t;
+    o = (sword32)(in1  >> 28); in2  += o;
+    t = (sword32)((word32)o << 28); in1  -= t;
+    o = (sword32)(in2  >> 28); in3  += o;
+    t = (sword32)((word32)o << 28); in2  -= t;
+    o = (sword32)(in3  >> 28); in4  += o;
+    t = (sword32)((word32)o << 28); in3  -= t;
+    o = (sword32)(in4  >> 28); in5  += o;
+    t = (sword32)((word32)o << 28); in4  -= t;
+    o = (sword32)(in5  >> 28); in6  += o;
+    t = (sword32)((word32)o << 28); in5  -= t;
+    o = (sword32)(in6  >> 28); in7  += o;
+    t = (sword32)((word32)o << 28); in6  -= t;
+    o = (sword32)(in7  >> 28); in8  += o;
+    t = (sword32)((word32)o << 28); in7  -= t;
+    o = (sword32)(in8  >> 28); in9  += o;
+    t = (sword32)((word32)o << 28); in8  -= t;
+    o = (sword32)(in9  >> 28); in10 += o;
+    t = (sword32)((word32)o << 28); in9  -= t;
+    o = (sword32)(in10 >> 28); in11 += o;
+    t = (sword32)((word32)o << 28); in10 -= t;
+    o = (sword32)(in11 >> 28); in12 += o;
+    t = (sword32)((word32)o << 28); in11 -= t;
+    o = (sword32)(in12 >> 28); in13 += o;
+    t = (sword32)((word32)o << 28); in12 -= t;
+    o = (sword32)(in13 >> 28); in14 += o;
+    t = (sword32)((word32)o << 28); in13 -= t;
+    o = (sword32)(in14 >> 28); in15 += o;
+    t = (sword32)((word32)o << 28); in14 -= t;
+    o = (sword32)(in15 >> 28); in0  += o;
+                               in8  += o;
+    t = (sword32)((word32)o << 28); in15 -= t;

    /* Output as bytes */
    b[ 0] = (byte)(in0  >>  0);
    b[ 1] = (byte)(in0  >>  8);
    b[ 2] = (byte)(in0  >> 16);
-    b[ 3] = (byte)((byte)(in0  >> 24) + (byte)((in1  >>  0) <<  4));
+    b[ 3] = (byte)((byte)(in0  >> 24) + (byte)((byte)(in1  >>  0) <<  4));
    b[ 4] = (byte)(in1  >>  4);
    b[ 5] = (byte)(in1  >> 12);
    b[ 6] = (byte)(in1  >> 20);
    b[ 7] = (byte)(in2  >>  0);
    b[ 8] = (byte)(in2  >>  8);
    b[ 9] = (byte)(in2  >> 16);
-    b[10] = (byte)((byte)(in2  >> 24) + (byte)((in3  >>  0) <<  4));
+    b[10] = (byte)((byte)(in2  >> 24) + (byte)((byte)(in3  >>  0) <<  4));
    b[11] = (byte)(in3  >>  4);
    b[12] = (byte)(in3  >> 12);
    b[13] = (byte)(in3  >> 20);
    b[14] = (byte)(in4  >>  0);
    b[15] = (byte)(in4  >>  8);
    b[16] = (byte)(in4  >> 16);
-    b[17] = (byte)((byte)(in4  >> 24) + (byte)((in5  >>  0) <<  4));
+    b[17] = (byte)((byte)(in4  >> 24) + (byte)((byte)(in5  >>  0) <<  4));
    b[18] = (byte)(in5  >>  4);
    b[19] = (byte)(in5  >> 12);
    b[20] = (byte)(in5  >> 20);
    b[21] = (byte)(in6  >>  0);
    b[22] = (byte)(in6  >>  8);
    b[23] = (byte)(in6  >> 16);
-    b[24] = (byte)((byte)(in6  >> 24) + (byte)((in7  >>  0) <<  4));
+    b[24] = (byte)((byte)(in6  >> 24) + (byte)((byte)(in7  >>  0) <<  4));
    b[25] = (byte)(in7  >>  4);
    b[26] = (byte)(in7  >> 12);
    b[27] = (byte)(in7  >> 20);
    b[28] = (byte)(in8  >>  0);
    b[29] = (byte)(in8  >>  8);
    b[30] = (byte)(in8  >> 16);
-    b[31] = (byte)((byte)(in8  >> 24) + (byte)((in9  >>  0) <<  4));
+    b[31] = (byte)((byte)(in8  >> 24) + (byte)((byte)(in9  >>  0) <<  4));
    b[32] = (byte)(in9  >>  4);
    b[33] = (byte)(in9  >> 12);
    b[34] = (byte)(in9  >> 20);
    b[35] = (byte)(in10 >>  0);
    b[36] = (byte)(in10 >>  8);
    b[37] = (byte)(in10 >> 16);
-    b[38] = (byte)((byte)(in10 >> 24) + (byte)((in11 >>  0) <<  4));
+    b[38] = (byte)((byte)(in10 >> 24) + (byte)((byte)(in11 >>  0) <<  4));
    b[39] = (byte)(in11 >>  4);
    b[40] = (byte)(in11 >> 12);
    b[41] = (byte)(in11 >> 20);
    b[42] = (byte)(in12 >>  0);
    b[43] = (byte)(in12 >>  8);
    b[44] = (byte)(in12 >> 16);
-    b[45] = (byte)((byte)(in12 >> 24) + (byte)((in13 >>  0) <<  4));
+    b[45] = (byte)((byte)(in12 >> 24) + (byte)((byte)(in13 >>  0) <<  4));
    b[46] = (byte)(in13 >>  4);
    b[47] = (byte)(in13 >> 12);
    b[48] = (byte)(in13 >> 20);
    b[49] = (byte)(in14 >>  0);
    b[50] = (byte)(in14 >>  8);
    b[51] = (byte)(in14 >> 16);
-    b[52] = (byte)((byte)(in14 >> 24) + (byte)((in15 >>  0) <<  4));
+    b[52] = (byte)((byte)(in14 >> 24) + (byte)((byte)(in15 >>  0) <<  4));
    b[53] = (byte)(in15 >>  4);
    b[54] = (byte)(in15 >> 12);
    b[55] = (byte)(in15 >> 20);
@@ -1677,23 +1733,23 @@ void fe448_reduce(sword32* a)
 {
    sword64 o;

-    o = a[0 ] >> 28; a[1 ] += (sword32)o; a[0 ] -= (sword32)(o << 28);
-    o = a[1 ] >> 28; a[2 ] += (sword32)o; a[1 ] -= (sword32)(o << 28);
-    o = a[2 ] >> 28; a[3 ] += (sword32)o; a[2 ] -= (sword32)(o << 28);
-    o = a[3 ] >> 28; a[4 ] += (sword32)o; a[3 ] -= (sword32)(o << 28);
-    o = a[4 ] >> 28; a[5 ] += (sword32)o; a[4 ] -= (sword32)(o << 28);
-    o = a[5 ] >> 28; a[6 ] += (sword32)o; a[5 ] -= (sword32)(o << 28);
-    o = a[6 ] >> 28; a[7 ] += (sword32)o; a[6 ] -= (sword32)(o << 28);
-    o = a[7 ] >> 28; a[8 ] += (sword32)o; a[7 ] -= (sword32)(o << 28);
-    o = a[8 ] >> 28; a[9 ] += (sword32)o; a[8 ] -= (sword32)(o << 28);
-    o = a[9 ] >> 28; a[10] += (sword32)o; a[9 ] -= (sword32)(o << 28);
-    o = a[10] >> 28; a[11] += (sword32)o; a[10] -= (sword32)(o << 28);
-    o = a[11] >> 28; a[12] += (sword32)o; a[11] -= (sword32)(o << 28);
-    o = a[12] >> 28; a[13] += (sword32)o; a[12] -= (sword32)(o << 28);
-    o = a[13] >> 28; a[14] += (sword32)o; a[13] -= (sword32)(o << 28);
-    o = a[14] >> 28; a[15] += (sword32)o; a[14] -= (sword32)(o << 28);
+    o = a[0 ] >> 28; a[1 ] += (sword32)o; a[0 ] -= (sword32)((word32)o << 28);
+    o = a[1 ] >> 28; a[2 ] += (sword32)o; a[1 ] -= (sword32)((word32)o << 28);
+    o = a[2 ] >> 28; a[3 ] += (sword32)o; a[2 ] -= (sword32)((word32)o << 28);
+    o = a[3 ] >> 28; a[4 ] += (sword32)o; a[3 ] -= (sword32)((word32)o << 28);
+    o = a[4 ] >> 28; a[5 ] += (sword32)o; a[4 ] -= (sword32)((word32)o << 28);
+    o = a[5 ] >> 28; a[6 ] += (sword32)o; a[5 ] -= (sword32)((word32)o << 28);
+    o = a[6 ] >> 28; a[7 ] += (sword32)o; a[6 ] -= (sword32)((word32)o << 28);
+    o = a[7 ] >> 28; a[8 ] += (sword32)o; a[7 ] -= (sword32)((word32)o << 28);
+    o = a[8 ] >> 28; a[9 ] += (sword32)o; a[8 ] -= (sword32)((word32)o << 28);
+    o = a[9 ] >> 28; a[10] += (sword32)o; a[9 ] -= (sword32)((word32)o << 28);
+    o = a[10] >> 28; a[11] += (sword32)o; a[10] -= (sword32)((word32)o << 28);
+    o = a[11] >> 28; a[12] += (sword32)o; a[11] -= (sword32)((word32)o << 28);
+    o = a[12] >> 28; a[13] += (sword32)o; a[12] -= (sword32)((word32)o << 28);
+    o = a[13] >> 28; a[14] += (sword32)o; a[13] -= (sword32)((word32)o << 28);
+    o = a[14] >> 28; a[15] += (sword32)o; a[14] -= (sword32)((word32)o << 28);
    o = a[15] >> 28; a[0]  += (sword32)o;
-                     a[8]  += (sword32)o; a[15] -= (sword32)(o << 28);
+                     a[8]  += (sword32)o; a[15] -= (sword32)((word32)o << 28);
 }
 /* Multiply a field element by 39081. r = (39081 * a) mod (2^448 - 2^224 - 1)
 *
@@ -1720,23 +1776,39 @@ void fe448_mul39081(sword32* r, const sword32* a)
    sword64 t13 = a[13] * (sword64)39081;
    sword64 t14 = a[14] * (sword64)39081;
    sword64 t15 = a[15] * (sword64)39081;
-    o = (sword32)(t0  >> 28); t1  += o; t = (sword64)o << 28; t0  -= t;
-    o = (sword32)(t1  >> 28); t2  += o; t = (sword64)o << 28; t1  -= t;
-    o = (sword32)(t2  >> 28); t3  += o; t = (sword64)o << 28; t2  -= t;
-    o = (sword32)(t3  >> 28); t4  += o; t = (sword64)o << 28; t3  -= t;
-    o = (sword32)(t4  >> 28); t5  += o; t = (sword64)o << 28; t4  -= t;
-    o = (sword32)(t5  >> 28); t6  += o; t = (sword64)o << 28; t5  -= t;
-    o = (sword32)(t6  >> 28); t7  += o; t = (sword64)o << 28; t6  -= t;
-    o = (sword32)(t7  >> 28); t8  += o; t = (sword64)o << 28; t7  -= t;
-    o = (sword32)(t8  >> 28); t9  += o; t = (sword64)o << 28; t8  -= t;
-    o = (sword32)(t9  >> 28); t10 += o; t = (sword64)o << 28; t9  -= t;
-    o = (sword32)(t10 >> 28); t11 += o; t = (sword64)o << 28; t10 -= t;
-    o = (sword32)(t11 >> 28); t12 += o; t = (sword64)o << 28; t11 -= t;
-    o = (sword32)(t12 >> 28); t13 += o; t = (sword64)o << 28; t12 -= t;
-    o = (sword32)(t13 >> 28); t14 += o; t = (sword64)o << 28; t13 -= t;
-    o = (sword32)(t14 >> 28); t15 += o; t = (sword64)o << 28; t14 -= t;
+    o = (sword32)(t0  >> 28); t1  += o;
+    t = (sword64)((word64)o << 28); t0  -= t;
+    o = (sword32)(t1  >> 28); t2  += o;
+    t = (sword64)((word64)o << 28); t1  -= t;
+    o = (sword32)(t2  >> 28); t3  += o;
+    t = (sword64)((word64)o << 28); t2  -= t;
+    o = (sword32)(t3  >> 28); t4  += o;
+    t = (sword64)((word64)o << 28); t3  -= t;
+    o = (sword32)(t4  >> 28); t5  += o;
+    t = (sword64)((word64)o << 28); t4  -= t;
+    o = (sword32)(t5  >> 28); t6  += o;
+    t = (sword64)((word64)o << 28); t5  -= t;
+    o = (sword32)(t6  >> 28); t7  += o;
+    t = (sword64)((word64)o << 28); t6  -= t;
+    o = (sword32)(t7  >> 28); t8  += o;
+    t = (sword64)((word64)o << 28); t7  -= t;
+    o = (sword32)(t8  >> 28); t9  += o;
+    t = (sword64)((word64)o << 28); t8  -= t;
+    o = (sword32)(t9  >> 28); t10 += o;
+    t = (sword64)((word64)o << 28); t9  -= t;
+    o = (sword32)(t10 >> 28); t11 += o;
+    t = (sword64)((word64)o << 28); t10 -= t;
+    o = (sword32)(t11 >> 28); t12 += o;
+    t = (sword64)((word64)o << 28); t11 -= t;
+    o = (sword32)(t12 >> 28); t13 += o;
+    t = (sword64)((word64)o << 28); t12 -= t;
+    o = (sword32)(t13 >> 28); t14 += o;
+    t = (sword64)((word64)o << 28); t13 -= t;
+    o = (sword32)(t14 >> 28); t15 += o;
+    t = (sword64)((word64)o << 28); t14 -= t;
    o = (sword32)(t15 >> 28); t0  += o;
-                              t8  += o; t = (sword64)o << 28; t15 -= t;
+                              t8  += o;
+    t = (sword64)((word64)o << 28); t15 -= t;

    /* Store */
    r[0] = (sword32)t0;
@@ -1763,7 +1835,8 @@ void fe448_mul39081(sword32* r, const sword32* a)
 * a  [in]  Field element to multiply.
 * b  [in]  Field element to multiply.
 */
-static WC_INLINE void fe448_mul_8(sword32* r, const sword32* a, const sword32* b)
+static WC_INLINE void fe448_mul_8(sword32* r, const sword32* a,
+    const sword32* b)
 {
    sword64 t;
    sword64 o;
@@ -1850,25 +1923,42 @@ static WC_INLINE void fe448_mul_8(sword32* r, const sword32* a, const sword32* b
    t13 += t113;
    o = t14 >> 28;
    t15 = o;
-    t14 -= o << 28;
-    o = (t0  >> 28); t1  += o; t = o << 28; t0  -= t;
-    o = (t1  >> 28); t2  += o; t = o << 28; t1  -= t;
-    o = (t2  >> 28); t3  += o; t = o << 28; t2  -= t;
-    o = (t3  >> 28); t4  += o; t = o << 28; t3  -= t;
-    o = (t4  >> 28); t5  += o; t = o << 28; t4  -= t;
-    o = (t5  >> 28); t6  += o; t = o << 28; t5  -= t;
-    o = (t6  >> 28); t7  += o; t = o << 28; t6  -= t;
-    o = (t707>> 28); t8  += o; t = o << 28; t707-= t; t7 += t707;
-    o = (t7  >> 28); t8  += o; t = o << 28; t7  -= t;
-    o = (t8  >> 28); t9  += o; t = o << 28; t8  -= t;
-    o = (t9  >> 28); t10 += o; t = o << 28; t9  -= t;
-    o = (t10 >> 28); t11 += o; t = o << 28; t10 -= t;
-    o = (t11 >> 28); t12 += o; t = o << 28; t11 -= t;
-    o = (t12 >> 28); t13 += o; t = o << 28; t12 -= t;
-    o = (t13 >> 28); t14 += o; t = o << 28; t13 -= t;
-    o = (t14 >> 28); t15 += o; t = o << 28; t14 -= t;
+    t14 -= (sword64)((word64)o << 28);
+    o = (t0  >> 28); t1  += o;
+    t = (sword64)((word64)o << 28); t0  -= t;
+    o = (t1  >> 28); t2  += o;
+    t = (sword64)((word64)o << 28); t1  -= t;
+    o = (t2  >> 28); t3  += o;
+    t = (sword64)((word64)o << 28); t2  -= t;
+    o = (t3  >> 28); t4  += o;
+    t = (sword64)((word64)o << 28); t3  -= t;
+    o = (t4  >> 28); t5  += o;
+    t = (sword64)((word64)o << 28); t4  -= t;
+    o = (t5  >> 28); t6  += o;
+    t = (sword64)((word64)o << 28); t5  -= t;
+    o = (t6  >> 28); t7  += o;
+    t = (sword64)((word64)o << 28); t6  -= t;
+    o = (t707>> 28); t8  += o;
+    t = (sword64)((word64)o << 28); t707-= t; t7 += t707;
+    o = (t7  >> 28); t8  += o;
+    t = (sword64)((word64)o << 28); t7  -= t;
+    o = (t8  >> 28); t9  += o;
+    t = (sword64)((word64)o << 28); t8  -= t;
+    o = (t9  >> 28); t10 += o;
+    t = (sword64)((word64)o << 28); t9  -= t;
+    o = (t10 >> 28); t11 += o;
+    t = (sword64)((word64)o << 28); t10 -= t;
+    o = (t11 >> 28); t12 += o;
+    t = (sword64)((word64)o << 28); t11 -= t;
+    o = (t12 >> 28); t13 += o;
+    t = (sword64)((word64)o << 28); t12 -= t;
+    o = (t13 >> 28); t14 += o;
+    t = (sword64)((word64)o << 28); t13 -= t;
+    o = (t14 >> 28); t15 += o;
+    t = (sword64)((word64)o << 28); t14 -= t;
    o = (t15 >> 28); t0  += o;
-                     t8  += o; t = o << 28; t15 -= t;
+                     t8  += o;
+    t = (sword64)((word64)o << 28); t15 -= t;

    /* Store */
    r[0] = (sword32)t0;
@@ -1998,25 +2088,42 @@ static WC_INLINE void fe448_sqr_8(sword32* r, const sword32* a)
    t12 += t112;
    o = t14 >> 28;
    t15 = o;
-    t14 -= o << 28;
-    o = (t0  >> 28); t1  += o; t = o << 28; t0  -= t;
-    o = (t1  >> 28); t2  += o; t = o << 28; t1  -= t;
-    o = (t2  >> 28); t3  += o; t = o << 28; t2  -= t;
-    o = (t3  >> 28); t4  += o; t = o << 28; t3  -= t;
-    o = (t4  >> 28); t5  += o; t = o << 28; t4  -= t;
-    o = (t5  >> 28); t6  += o; t = o << 28; t5  -= t;
-    o = (t6  >> 28); t7  += o; t = o << 28; t6  -= t;
-    o = (t307>> 28); t8  += o; t = o << 28; t307-= t; t7 += t307;
-    o = (t7  >> 28); t8  += o; t = o << 28; t7  -= t;
-    o = (t8  >> 28); t9  += o; t = o << 28; t8  -= t;
-    o = (t9  >> 28); t10 += o; t = o << 28; t9  -= t;
-    o = (t10 >> 28); t11 += o; t = o << 28; t10 -= t;
-    o = (t11 >> 28); t12 += o; t = o << 28; t11 -= t;
-    o = (t12 >> 28); t13 += o; t = o << 28; t12 -= t;
-    o = (t13 >> 28); t14 += o; t = o << 28; t13 -= t;
-    o = (t14 >> 28); t15 += o; t = o << 28; t14 -= t;
+    t14 -= (sword64)((word64)o << 28);
+    o = (t0  >> 28); t1  += o;
+    t = (sword64)((word64)o << 28); t0  -= t;
+    o = (t1  >> 28); t2  += o;
+    t = (sword64)((word64)o << 28); t1  -= t;
+    o = (t2  >> 28); t3  += o;
+    t = (sword64)((word64)o << 28); t2  -= t;
+    o = (t3  >> 28); t4  += o;
+    t = (sword64)((word64)o << 28); t3  -= t;
+    o = (t4  >> 28); t5  += o;
+    t = (sword64)((word64)o << 28); t4  -= t;
+    o = (t5  >> 28); t6  += o;
+    t = (sword64)((word64)o << 28); t5  -= t;
+    o = (t6  >> 28); t7  += o;
+    t = (sword64)((word64)o << 28); t6  -= t;
+    o = (t307>> 28); t8  += o;
+    t = (sword64)((word64)o << 28); t307-= t; t7 += t307;
+    o = (t7  >> 28); t8  += o;
+    t = (sword64)((word64)o << 28); t7  -= t;
+    o = (t8  >> 28); t9  += o;
+    t = (sword64)((word64)o << 28); t8  -= t;
+    o = (t9  >> 28); t10 += o;
+    t = (sword64)((word64)o << 28); t9  -= t;
+    o = (t10 >> 28); t11 += o;
+    t = (sword64)((word64)o << 28); t10 -= t;
+    o = (t11 >> 28); t12 += o;
+    t = (sword64)((word64)o << 28); t11 -= t;
+    o = (t12 >> 28); t13 += o;
+    t = (sword64)((word64)o << 28); t12 -= t;
+    o = (t13 >> 28); t14 += o;
+    t = (sword64)((word64)o << 28); t13 -= t;
+    o = (t14 >> 28); t15 += o;
+    t = (sword64)((word64)o << 28); t14 -= t;
    o = (t15 >> 28); t0  += o;
-                     t8  += o; t = o << 28; t15 -= t;
+                     t8  += o;
+    t = (sword64)((word64)o << 28); t15 -= t;

    /* Store */
    r[0] = (sword32)t0;
--- a/wolfcrypt/src/fe_operations.c
+++ b/wolfcrypt/src/fe_operations.c
@@ -251,6 +251,26 @@ int curve25519_blind(byte* q, const byte* n, const byte* mask, const byte* p,
 #endif
 #endif /* HAVE_CURVE25519 && !CURVE25519_SMALL && !FREESCALE_LTC_ECC */

+/* Reduce a0 back down to 26-bits. c is the overflow and a1 takes it. */
+#define TO_26(a0, a1, c)                                            \
+    c = ((a0) + (sword64)(1UL << 25)) >> 26; a1 += (c);             \
+    a0 -= (sword64)(((word64)(c)) << 26)
+/* Reduce a0 back down to 25-bits. c is the overflow and a1 takes it. */
+#define TO_25(a0, a1, c)                                            \
+    c = ((a0) + (sword64)(1UL << 24)) >> 25; a1 += (c);             \
+    a0 -= (sword64)(((word64)(c)) << 25)
+/* Reduce a0 back down to 25-bits. c is the overflow and a1 takes 19 times it
+ * as this is mod 2^255 - 19. */
+#define TO_25_RED(a0, a1, c)                                        \
+    c = ((a0) + (sword64)(1UL << 24)) >> 25; a1 += (c) * 19;        \
+    a0 -= (sword64)(((word64)(c)) << 25)
+
+#define GET_26_FROM_32(a0, a1, c)                                   \
+    c = (a0) >> 26; a1 += c; a0 -= (sword32)(((word32)(c)) << 26)
+#define GET_25_FROM_32(a0, a1, c)                                   \
+    c = (a0) >> 25; a1 += c; a0 -= (sword32)(((word32)(c)) << 25)
+#define TOP_25_FROM_32(a, c)                                       \
+    c = (a)  >> 25;           a -= (sword32)(((word32)(c)) << 25)

 /*
 h = f * f
@@ -368,24 +388,24 @@ void fe_sq(fe h,const fe f)
  sword64 carry8;
  sword64 carry9;

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  TO_26(h0, h1, carry0);
+  TO_26(h4, h5, carry4);

-  carry1 = (h1 + (sword64) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (sword64) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  TO_25(h1, h2, carry1);
+  TO_25(h5, h6, carry5);

-  carry2 = (h2 + (sword64) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (sword64) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  TO_26(h2, h3, carry2);
+  TO_26(h6, h7, carry6);

-  carry3 = (h3 + (sword64) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (sword64) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  TO_25(h3, h4, carry3);
+  TO_25(h7, h8, carry7);

-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (sword64) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  TO_26(h4, h5, carry4);
+  TO_26(h8, h9, carry8);

-  carry9 = (h9 + (sword64) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  TO_25_RED(h9, h0, carry9);

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  TO_26(h0, h1, carry0);

  h[0] = (sword32)h0;
  h[1] = (sword32)h1;
@@ -506,7 +526,7 @@ void fe_tobytes(unsigned char *s,const fe h)
  sword32 carry8;
  sword32 carry9;

-  q = (19 * h9 + (((sword32) 1) << 24)) >> 25;
+  q = (19 * h9 + (sword32)(((word32) 1) << 24)) >> 25;
  q = (h0 + q) >> 26;
  q = (h1 + q) >> 25;
  q = (h2 + q) >> 26;
@@ -522,16 +542,16 @@ void fe_tobytes(unsigned char *s,const fe h)
  h0 += 19 * q;
  /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */

-  carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25;
-  carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26;
-  carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25;
-  carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26;
-  carry9 = h9 >> 25;               h9 -= carry9 << 25;
+  GET_26_FROM_32(h0, h1, carry0);
+  GET_25_FROM_32(h1, h2, carry1);
+  GET_26_FROM_32(h2, h3, carry2);
+  GET_25_FROM_32(h3, h4, carry3);
+  GET_26_FROM_32(h4, h5, carry4);
+  GET_25_FROM_32(h5, h6, carry5);
+  GET_26_FROM_32(h6, h7, carry6);
+  GET_25_FROM_32(h7, h8, carry7);
+  GET_26_FROM_32(h8, h9, carry8);
+  TOP_25_FROM_32(h9, carry9);
                  /* h10 = carry9 */

  /*
@@ -544,32 +564,32 @@ void fe_tobytes(unsigned char *s,const fe h)
  s[0] = (byte)(h0 >> 0);
  s[1] = (byte)(h0 >> 8);
  s[2] = (byte)(h0 >> 16);
-  s[3] = (byte)((h0 >> 24) | (h1 << 2));
+  s[3] = (byte)((h0 >> 24) | (sword32)((word32)h1 << 2));
  s[4] = (byte)(h1 >> 6);
  s[5] = (byte)(h1 >> 14);
-  s[6] = (byte)((h1 >> 22) | (h2 << 3));
+  s[6] = (byte)((h1 >> 22) | (sword32)((word32)h2 << 3));
  s[7] = (byte)(h2 >> 5);
  s[8] = (byte)(h2 >> 13);
-  s[9] = (byte)((h2 >> 21) | (h3 << 5));
+  s[9] = (byte)((h2 >> 21) | (sword32)((word32)h3 << 5));
  s[10] = (byte)(h3 >> 3);
  s[11] = (byte)(h3 >> 11);
-  s[12] = (byte)((h3 >> 19) | (h4 << 6));
+  s[12] = (byte)((h3 >> 19) | (sword32)((word32)h4 << 6));
  s[13] = (byte)(h4 >> 2);
  s[14] = (byte)(h4 >> 10);
  s[15] = (byte)(h4 >> 18);
  s[16] = (byte)(h5 >> 0);
  s[17] = (byte)(h5 >> 8);
  s[18] = (byte)(h5 >> 16);
-  s[19] = (byte)((h5 >> 24) | (h6 << 1));
+  s[19] = (byte)((h5 >> 24) | (sword32)((word32)h6 << 1));
  s[20] = (byte)(h6 >> 7);
  s[21] = (byte)(h6 >> 15);
-  s[22] = (byte)((h6 >> 23) | (h7 << 3));
+  s[22] = (byte)((h6 >> 23) | (sword32)((word32)h7 << 3));
  s[23] = (byte)(h7 >> 5);
  s[24] = (byte)(h7 >> 13);
-  s[25] = (byte)((h7 >> 21) | (h8 << 4));
+  s[25] = (byte)((h7 >> 21) | (sword32)((word32)h8 << 4));
  s[26] = (byte)(h8 >> 4);
  s[27] = (byte)(h8 >> 12);
-  s[28] = (byte)((h8 >> 20) | (h9 << 6));
+  s[28] = (byte)((h8 >> 20) | (sword32)((word32)h9 << 6));
  s[29] = (byte)(h9 >> 2);
  s[30] = (byte)(h9 >> 10);
  s[31] = (byte)(h9 >> 18);
@@ -642,15 +662,15 @@ Ignores top bit of h.
 void fe_frombytes(fe h,const unsigned char *s)
 {
  sword64 h0 = load_4(s);
-  sword64 h1 = load_3(s + 4) << 6;
-  sword64 h2 = load_3(s + 7) << 5;
-  sword64 h3 = load_3(s + 10) << 3;
-  sword64 h4 = load_3(s + 13) << 2;
+  sword64 h1 = (sword64)(((word64)load_3(s +  4)) << 6);
+  sword64 h2 = (sword64)(((word64)load_3(s +  7)) << 5);
+  sword64 h3 = (sword64)(((word64)load_3(s + 10)) << 3);
+  sword64 h4 = (sword64)(((word64)load_3(s + 13)) << 2);
  sword64 h5 = load_4(s + 16);
-  sword64 h6 = load_3(s + 20) << 7;
-  sword64 h7 = load_3(s + 23) << 5;
-  sword64 h8 = load_3(s + 26) << 4;
-  sword64 h9 = (load_3(s + 29) & 8388607) << 2;
+  sword64 h6 = (sword64)(((word64)load_3(s + 20)) << 7);
+  sword64 h7 = (sword64)(((word64)load_3(s + 23)) << 5);
+  sword64 h8 = (sword64)(((word64)load_3(s + 26)) << 4);
+  sword64 h9 = (sword64)(((word64)load_3(s + 29) & 8388607UL) << 2);
  sword64 carry0;
  sword64 carry1;
  sword64 carry2;
@@ -662,17 +682,17 @@ void fe_frombytes(fe h,const unsigned char *s)
  sword64 carry8;
  sword64 carry9;

-  carry9 = (h9 + (sword64) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-  carry1 = (h1 + (sword64) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry3 = (h3 + (sword64) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry5 = (h5 + (sword64) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-  carry7 = (h7 + (sword64) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  TO_25_RED(h9, h0, carry9);
+  TO_25(h1, h2, carry1);
+  TO_25(h3, h4, carry3);
+  TO_25(h5, h6, carry5);
+  TO_25(h7, h8, carry7);

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry2 = (h2 + (sword64) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry6 = (h6 + (sword64) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-  carry8 = (h8 + (sword64) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  TO_26(h0, h1, carry0);
+  TO_26(h2, h3, carry2);
+  TO_26(h4, h5, carry4);
+  TO_26(h6, h7, carry6);
+  TO_26(h8, h9, carry8);

  h[0] = (sword32)h0;
  h[1] = (sword32)h1;
@@ -949,46 +969,46 @@ void fe_mul(fe h,const fe f,const fe g)
    i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
  */

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  TO_26(h0, h1, carry0);
+  TO_26(h4, h5, carry4);
  /* |h0| <= 2^25 */
  /* |h4| <= 2^25 */
  /* |h1| <= 1.71*2^59 */
  /* |h5| <= 1.71*2^59 */

-  carry1 = (h1 + (sword64) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (sword64) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  TO_25(h1, h2, carry1);
+  TO_25(h5, h6, carry5);
  /* |h1| <= 2^24; from now on fits into int32 */
  /* |h5| <= 2^24; from now on fits into int32 */
  /* |h2| <= 1.41*2^60 */
  /* |h6| <= 1.41*2^60 */

-  carry2 = (h2 + (sword64) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (sword64) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  TO_26(h2, h3, carry2);
+  TO_26(h6, h7, carry6);
  /* |h2| <= 2^25; from now on fits into int32 unchanged */
  /* |h6| <= 2^25; from now on fits into int32 unchanged */
  /* |h3| <= 1.71*2^59 */
  /* |h7| <= 1.71*2^59 */

-  carry3 = (h3 + (sword64) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (sword64) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  TO_25(h3, h4, carry3);
+  TO_25(h7, h8, carry7);
  /* |h3| <= 2^24; from now on fits into int32 unchanged */
  /* |h7| <= 2^24; from now on fits into int32 unchanged */
  /* |h4| <= 1.72*2^34 */
  /* |h8| <= 1.41*2^60 */

-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (sword64) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  TO_26(h4, h5, carry4);
+  TO_26(h8, h9, carry8);
  /* |h4| <= 2^25; from now on fits into int32 unchanged */
  /* |h8| <= 2^25; from now on fits into int32 unchanged */
  /* |h5| <= 1.01*2^24 */
  /* |h9| <= 1.71*2^59 */

-  carry9 = (h9 + (sword64) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  TO_25_RED(h9, h0, carry9);
  /* |h9| <= 2^24; from now on fits into int32 unchanged */
  /* |h0| <= 1.1*2^39 */

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  TO_26(h0, h1, carry0);
  /* |h0| <= 2^25; from now on fits into int32 unchanged */
  /* |h1| <= 1.01*2^24 */

@@ -1122,17 +1142,17 @@ void fe_mul121666(fe h,fe f)
  sword64 carry8;
  sword64 carry9;

-  carry9 = (h9 + (sword64) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-  carry1 = (h1 + (sword64) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry3 = (h3 + (sword64) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry5 = (h5 + (sword64) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-  carry7 = (h7 + (sword64) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  TO_25_RED(h9, h0, carry9);
+  TO_25(h1, h2, carry1);
+  TO_25(h3, h4, carry3);
+  TO_25(h5, h6, carry5);
+  TO_25(h7, h8, carry7);

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry2 = (h2 + (sword64) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry6 = (h6 + (sword64) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-  carry8 = (h8 + (sword64) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  TO_26(h0, h1, carry0);
+  TO_26(h2, h3, carry2);
+  TO_26(h4, h5, carry4);
+  TO_26(h6, h7, carry6);
+  TO_26(h8, h9, carry8);

  h[0] = (sword32)h0;
  h[1] = (sword32)h1;
@@ -1274,24 +1294,24 @@ void fe_sq2(fe h,const fe f)
  h8 += h8;
  h9 += h9;

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  TO_26(h0, h1, carry0);
+  TO_26(h4, h5, carry4);

-  carry1 = (h1 + (sword64) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (sword64) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  TO_25(h1, h2, carry1);
+  TO_25(h5, h6, carry5);

-  carry2 = (h2 + (sword64) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (sword64) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  TO_26(h2, h3, carry2);
+  TO_26(h6, h7, carry6);

-  carry3 = (h3 + (sword64) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (sword64) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  TO_25(h3, h4, carry3);
+  TO_25(h7, h8, carry7);

-  carry4 = (h4 + (sword64) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (sword64) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  TO_26(h4, h5, carry4);
+  TO_26(h8, h9, carry8);

-  carry9 = (h9 + (sword64) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  TO_25_RED(h9, h0, carry9);

-  carry0 = (h0 + (sword64) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  TO_26(h0, h1, carry0);

  h[0] = (sword32)h0;
  h[1] = (sword32)h1;
--- a/wolfcrypt/src/fe_x25519_128.h
+++ b/wolfcrypt/src/fe_x25519_128.h
@@ -36,42 +36,47 @@ void fe_init(void)
 */
 void fe_frombytes(fe out, const unsigned char *in)
 {
-    out[0] = (((sword64)((in[ 0]      )       ))      )
-           | (((sword64)((in[ 1]      )       )) <<  8)
-           | (((sword64)((in[ 2]      )       )) << 16)
-           | (((sword64)((in[ 3]      )       )) << 24)
-           | (((sword64)((in[ 4]      )       )) << 32)
-           | (((sword64)((in[ 5]      )       )) << 40)
-           | (((sword64)((in[ 6]      ) & 0x07)) << 48);
-    out[1] = (((sword64)((in[ 6] >>  3) & 0x1f))      )
-           | (((sword64)((in[ 7]      )       )) <<  5)
-           | (((sword64)((in[ 8]      )       )) << 13)
-           | (((sword64)((in[ 9]      )       )) << 21)
-           | (((sword64)((in[10]      )       )) << 29)
-           | (((sword64)((in[11]      )       )) << 37)
-           | (((sword64)((in[12]      ) & 0x3f)) << 45);
-    out[2] = (((sword64)((in[12] >>  6) & 0x03))      )
-           | (((sword64)((in[13]      )       )) <<  2)
-           | (((sword64)((in[14]      )       )) << 10)
-           | (((sword64)((in[15]      )       )) << 18)
-           | (((sword64)((in[16]      )       )) << 26)
-           | (((sword64)((in[17]      )       )) << 34)
-           | (((sword64)((in[18]      )       )) << 42)
-           | (((sword64)((in[19]      ) & 0x01)) << 50);
-    out[3] = (((sword64)((in[19] >>  1) & 0x7f))      )
-           | (((sword64)((in[20]      )       )) <<  7)
-           | (((sword64)((in[21]      )       )) << 15)
-           | (((sword64)((in[22]      )       )) << 23)
-           | (((sword64)((in[23]      )       )) << 31)
-           | (((sword64)((in[24]      )       )) << 39)
-           | (((sword64)((in[25]      ) & 0x0f)) << 47);
-    out[4] = (((sword64)((in[25] >>  4) & 0x0f))      )
-           | (((sword64)((in[26]      )       )) <<  4)
-           | (((sword64)((in[27]      )       )) << 12)
-           | (((sword64)((in[28]      )       )) << 20)
-           | (((sword64)((in[29]      )       )) << 28)
-           | (((sword64)((in[30]      )       )) << 36)
-           | (((sword64)((in[31]      ) & 0x7f)) << 44);
+    out[0] = (sword64)(
+             (((word64)((in[ 0]      )       ))      )
+           | (((word64)((in[ 1]      )       )) <<  8)
+           | (((word64)((in[ 2]      )       )) << 16)
+           | (((word64)((in[ 3]      )       )) << 24)
+           | (((word64)((in[ 4]      )       )) << 32)
+           | (((word64)((in[ 5]      )       )) << 40)
+           | (((word64)((in[ 6]      ) & 0x07)) << 48));
+    out[1] = (sword64)(
+             (((word64)((in[ 6] >>  3) & 0x1f))      )
+           | (((word64)((in[ 7]      )       )) <<  5)
+           | (((word64)((in[ 8]      )       )) << 13)
+           | (((word64)((in[ 9]      )       )) << 21)
+           | (((word64)((in[10]      )       )) << 29)
+           | (((word64)((in[11]      )       )) << 37)
+           | (((word64)((in[12]      ) & 0x3f)) << 45));
+    out[2] = (sword64)(
+             (((word64)((in[12] >>  6) & 0x03))      )
+           | (((word64)((in[13]      )       )) <<  2)
+           | (((word64)((in[14]      )       )) << 10)
+           | (((word64)((in[15]      )       )) << 18)
+           | (((word64)((in[16]      )       )) << 26)
+           | (((word64)((in[17]      )       )) << 34)
+           | (((word64)((in[18]      )       )) << 42)
+           | (((word64)((in[19]      ) & 0x01)) << 50));
+    out[3] = (sword64)(
+             (((word64)((in[19] >>  1) & 0x7f))      )
+           | (((word64)((in[20]      )       )) <<  7)
+           | (((word64)((in[21]      )       )) << 15)
+           | (((word64)((in[22]      )       )) << 23)
+           | (((word64)((in[23]      )       )) << 31)
+           | (((word64)((in[24]      )       )) << 39)
+           | (((word64)((in[25]      ) & 0x0f)) << 47));
+    out[4] = (sword64)(
+             (((word64)((in[25] >>  4) & 0x0f))      )
+           | (((word64)((in[26]      )       )) <<  4)
+           | (((word64)((in[27]      )       )) << 12)
+           | (((word64)((in[28]      )       )) << 20)
+           | (((word64)((in[29]      )       )) << 28)
+           | (((word64)((in[30]      )       )) << 36)
+           | (((word64)((in[31]      ) & 0x7f)) << 44));
 }

 /* Convert a number represented as an array of words to an array of bytes.
--- a/wolfcrypt/src/ge_448.c
+++ b/wolfcrypt/src/ge_448.c
@@ -307,7 +307,7 @@ void ge448_to_bytes(byte *s, const ge448_p2 *h)
    fe448_mul(s, h->Y, recip);
    fe448_norm(x);
    fe448_norm(s);
-    s[56] = (x[0] & 1) << 7;
+    s[56] = (byte)(x[0] & 1) << 7;
 }

 /* Compress the point to y-ordinate and negative bit.
@@ -324,7 +324,7 @@ int ge448_compress_key(byte* out, const byte* xIn, const byte* yIn)
    fe448_copy(out, yIn);
    fe448_norm(x);
    fe448_norm(out);
-    out[56] = (x[0] & 1) << 7;
+    out[56] = (byte)(x[0] & 1) << 7;

    return 0;
 }
@@ -11034,8 +11034,10 @@ int ge448_scalarmult_base(ge448_p2* r, const byte* a)
        ge448_madd(r, r, t);
    }

-    WC_FREE_VAR_EX(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    WC_FREE_VAR_EX(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif

    return 0;
 }
--- a/wolfcrypt/src/ge_operations.c
+++ b/wolfcrypt/src/ge_operations.c
@@ -264,33 +264,33 @@ void sc_reduce(byte* s)

    s[ 0] = (byte)(t[ 0] >>  0);
    s[ 1] = (byte)(t[ 0] >>  8);
-    s[ 2] = (byte)((t[ 0] >> 16) | (t[ 1] <<  5));
+    s[ 2] = (byte)(t[ 0] >> 16) | (byte)((byte)t[ 1] <<  5);
    s[ 3] = (byte)(t[ 1] >>  3);
    s[ 4] = (byte)(t[ 1] >> 11);
-    s[ 5] = (byte)((t[ 1] >> 19) | (t[ 2] <<  2));
+    s[ 5] = (byte)(t[ 1] >> 19) | (byte)((byte)t[ 2] <<  2);
    s[ 6] = (byte)(t[ 2] >>  6);
-    s[ 7] = (byte)((t[ 2] >> 14) | (t[ 3] <<  7));
+    s[ 7] = (byte)(t[ 2] >> 14) | (byte)((byte)t[ 3] <<  7);
    s[ 8] = (byte)(t[ 3] >>  1);
    s[ 9] = (byte)(t[ 3] >>  9);
-    s[10] = (byte)((t[ 3] >> 17) | (t[ 4] <<  4));
+    s[10] = (byte)(t[ 3] >> 17) | (byte)((byte)t[ 4] <<  4);
    s[11] = (byte)(t[ 4] >>  4);
    s[12] = (byte)(t[ 4] >> 12);
-    s[13] = (byte)((t[ 4] >> 20) | (t[ 5] <<  1));
+    s[13] = (byte)(t[ 4] >> 20) | (byte)((byte)t[ 5] <<  1);
    s[14] = (byte)(t[ 5] >>  7);
-    s[15] = (byte)((t[ 5] >> 15) | (t[ 6] <<  6));
+    s[15] = (byte)(t[ 5] >> 15) | (byte)((byte)t[ 6] <<  6);
    s[16] = (byte)(t[ 6] >>  2);
    s[17] = (byte)(t[ 6] >> 10);
-    s[18] = (byte)((t[ 6] >> 18) | (t[ 7] <<  3));
+    s[18] = (byte)(t[ 6] >> 18) | (byte)((byte)t[ 7] <<  3);
    s[19] = (byte)(t[ 7] >>  5);
    s[20] = (byte)(t[ 7] >> 13);
    s[21] = (byte)(t[ 8] >>  0);
    s[22] = (byte)(t[ 8] >>  8);
-    s[23] = (byte)((t[ 8] >> 16) | (t[ 9] <<  5));
+    s[23] = (byte)(t[ 8] >> 16) | (byte)((byte)t[ 9] <<  5);
    s[24] = (byte)(t[ 9] >>  3);
    s[25] = (byte)(t[ 9] >> 11);
-    s[26] = (byte)((t[ 9] >> 19) | (t[10] <<  2));
+    s[26] = (byte)(t[ 9] >> 19) | (byte)((byte)t[10] <<  2);
    s[27] = (byte)(t[10] >>  6);
-    s[28] = (byte)((t[10] >> 14) | (t[11] <<  7));
+    s[28] = (byte)(t[10] >> 14) | (byte)((byte)t[11] <<  7);
    s[29] = (byte)(t[11] >>  1);
    s[30] = (byte)(t[11] >>  9);
    s[31] = (byte)(t[11] >> 17);
@@ -584,33 +584,33 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)

    s[ 0] = (byte)(t[ 0] >>  0);
    s[ 1] = (byte)(t[ 0] >>  8);
-    s[ 2] = (byte)((t[ 0] >> 16) | (t[ 1] <<  5));
+    s[ 2] = (byte)(t[ 0] >> 16) | (byte)((byte)t[ 1] <<  5);
    s[ 3] = (byte)(t[ 1] >>  3);
    s[ 4] = (byte)(t[ 1] >> 11);
-    s[ 5] = (byte)((t[ 1] >> 19) | (t[ 2] <<  2));
+    s[ 5] = (byte)(t[ 1] >> 19) | (byte)((byte)t[ 2] <<  2);
    s[ 6] = (byte)(t[ 2] >>  6);
-    s[ 7] = (byte)((t[ 2] >> 14) | (t[ 3] <<  7));
+    s[ 7] = (byte)(t[ 2] >> 14) | (byte)((byte)t[ 3] <<  7);
    s[ 8] = (byte)(t[ 3] >>  1);
    s[ 9] = (byte)(t[ 3] >>  9);
-    s[10] = (byte)((t[ 3] >> 17) | (t[ 4] <<  4));
+    s[10] = (byte)(t[ 3] >> 17) | (byte)((byte)t[ 4] <<  4);
    s[11] = (byte)(t[ 4] >>  4);
    s[12] = (byte)(t[ 4] >> 12);
-    s[13] = (byte)((t[ 4] >> 20) | (t[ 5] <<  1));
+    s[13] = (byte)(t[ 4] >> 20) | (byte)((byte)t[ 5] <<  1);
    s[14] = (byte)(t[ 5] >>  7);
-    s[15] = (byte)((t[ 5] >> 15) | (t[ 6] <<  6));
+    s[15] = (byte)(t[ 5] >> 15) | (byte)((byte)t[ 6] <<  6);
    s[16] = (byte)(t[ 6] >>  2);
    s[17] = (byte)(t[ 6] >> 10);
-    s[18] = (byte)((t[ 6] >> 18) | (t[ 7] <<  3));
+    s[18] = (byte)(t[ 6] >> 18) | (byte)((byte)t[ 7] <<  3);
    s[19] = (byte)(t[ 7] >>  5);
    s[20] = (byte)(t[ 7] >> 13);
    s[21] = (byte)(t[ 8] >>  0);
    s[22] = (byte)(t[ 8] >>  8);
-    s[23] = (byte)((t[ 8] >> 16) | (t[ 9] <<  5));
+    s[23] = (byte)(t[ 8] >> 16) | (byte)((byte)t[ 9] <<  5);
    s[24] = (byte)(t[ 9] >>  3);
    s[25] = (byte)(t[ 9] >> 11);
-    s[26] = (byte)((t[ 9] >> 19) | (t[10] <<  2));
+    s[26] = (byte)(t[ 9] >> 19) | (byte)((byte)t[10] <<  2);
    s[27] = (byte)(t[10] >>  6);
-    s[28] = (byte)((t[10] >> 14) | (t[11] <<  7));
+    s[28] = (byte)(t[10] >> 14) | (byte)((byte)t[11] <<  7);
    s[29] = (byte)(t[11] >>  1);
    s[30] = (byte)(t[11] >>  9);
    s[31] = (byte)(t[11] >> 17);
@@ -728,17 +728,17 @@ void sc_reduce(byte* s)
    s[ 2] = (byte)(t[ 0] >> 16);
    s[ 3] = (byte)(t[ 0] >> 24);
    s[ 4] = (byte)(t[ 0] >> 32);
-    s[ 5] = (byte)(t[ 0] >> 40) | (byte)(t[ 1] <<  2);
+    s[ 5] = (byte)(t[ 0] >> 40) | (byte)((byte)t[ 1] <<  2);
    s[ 6] = (byte)(t[ 1] >>  6);
    s[ 7] = (byte)(t[ 1] >> 14);
    s[ 8] = (byte)(t[ 1] >> 22);
    s[ 9] = (byte)(t[ 1] >> 30);
-    s[10] = (byte)(t[ 1] >> 38) | (byte)(t[ 2] <<  4);
+    s[10] = (byte)(t[ 1] >> 38) | (byte)((byte)t[ 2] <<  4);
    s[11] = (byte)(t[ 2] >>  4);
    s[12] = (byte)(t[ 2] >> 12);
    s[13] = (byte)(t[ 2] >> 20);
    s[14] = (byte)(t[ 2] >> 28);
-    s[15] = (byte)(t[ 2] >> 36) | (byte)(t[ 3] <<  6);
+    s[15] = (byte)(t[ 2] >> 36) | (byte)((byte)t[ 3] <<  6);
    s[16] = (byte)(t[ 3] >>  2);
    s[17] = (byte)(t[ 3] >> 10);
    s[18] = (byte)(t[ 3] >> 18);
@@ -749,7 +749,7 @@ void sc_reduce(byte* s)
    s[23] = (byte)(t[ 4] >> 16);
    s[24] = (byte)(t[ 4] >> 24);
    s[25] = (byte)(t[ 4] >> 32);
-    s[26] = (byte)(t[ 4] >> 40) | (byte)(t[ 5] <<  2);
+    s[26] = (byte)(t[ 4] >> 40) | (byte)((byte)t[ 5] <<  2);
    s[27] = (byte)(t[ 5] >>  6);
    s[28] = (byte)(t[ 5] >> 14);
    s[29] = (byte)(t[ 5] >> 22);
@@ -880,17 +880,17 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
    s[ 2] = (byte)(t[ 0] >> 16);
    s[ 3] = (byte)(t[ 0] >> 24);
    s[ 4] = (byte)(t[ 0] >> 32);
-    s[ 5] = (byte)(t[ 0] >> 40) | (byte)(t[ 1] <<  2);
+    s[ 5] = (byte)(t[ 0] >> 40) | (byte)((byte)t[ 1] <<  2);
    s[ 6] = (byte)(t[ 1] >>  6);
    s[ 7] = (byte)(t[ 1] >> 14);
    s[ 8] = (byte)(t[ 1] >> 22);
    s[ 9] = (byte)(t[ 1] >> 30);
-    s[10] = (byte)(t[ 1] >> 38) | (byte)(t[ 2] <<  4);
+    s[10] = (byte)(t[ 1] >> 38) | (byte)((byte)t[ 2] <<  4);
    s[11] = (byte)(t[ 2] >>  4);
    s[12] = (byte)(t[ 2] >> 12);
    s[13] = (byte)(t[ 2] >> 20);
    s[14] = (byte)(t[ 2] >> 28);
-    s[15] = (byte)(t[ 2] >> 36) | (byte)(t[ 3] <<  6);
+    s[15] = (byte)(t[ 2] >> 36) | (byte)((byte)t[ 3] <<  6);
    s[16] = (byte)(t[ 3] >>  2);
    s[17] = (byte)(t[ 3] >> 10);
    s[18] = (byte)(t[ 3] >> 18);
@@ -901,7 +901,7 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
    s[23] = (byte)(t[ 4] >> 16);
    s[24] = (byte)(t[ 4] >> 24);
    s[25] = (byte)(t[ 4] >> 32);
-    s[26] = (byte)(t[ 4] >> 40) | (byte)(t[ 5] <<  2);
+    s[26] = (byte)(t[ 4] >> 40) | (byte)((byte)t[ 5] <<  2);
    s[27] = (byte)(t[ 5] >>  6);
    s[28] = (byte)(t[ 5] >> 14);
    s[29] = (byte)(t[ 5] >> 22);
@@ -9072,7 +9072,8 @@ static void ge_select(ge_precomp *t,int pos,signed char b)
 #ifndef CURVED25519_ASM
  ge_precomp minust;
  unsigned char bnegative = negative(b);
-  unsigned char babs = (unsigned char)(b - (((-bnegative) & b) << 1));
+  unsigned char babs = (unsigned char)(b -
+    (signed char)((unsigned char)((-bnegative) & b) << 1));

  ge_precomp_0(t);
  cmov(t,&base[pos][0],babs,1);
@@ -9122,7 +9123,7 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
    e[i] = (signed char)(e[i] + carry);
    carry = (signed char)(e[i] + 8);
    carry = (signed char)(carry >> 4);
-    e[i] = (signed char)(e[i] - (carry << 4));
+    e[i] = (signed char)(e[i] - (signed char)((unsigned char)carry << 4));
  }
  e[63] = (signed char)(e[63] + carry);
  /* each e[i] is between -8 and 8 */
@@ -9183,11 +9184,12 @@ static void slide(signed char *r,const unsigned char *a)
    if (r[i]) {
      for (b = 1;b <= 6 && i + b < SLIDE_SIZE;++b) {
        if (r[i + b]) {
-          if (r[i] + (r[i + b] << b) <= 15) {
-              r[i] = (signed char)(r[i] + (r[i + b] << b));
+          signed char rb = (signed char)((unsigned char)r[i + b] << b);
+          if (r[i] + rb <= 15) {
+              r[i] = (signed char)(r[i] + rb);
              r[i + b] = 0;
-          } else if (r[i] - (r[i + b] << b) >= -15) {
-            r[i] = (signed char)(r[i] - (r[i + b] << b));
+          } else if (r[i] - rb >= -15) {
+            r[i] = (signed char)(r[i] - rb);
            for (k = i + b;k < SLIDE_SIZE;++k) {
              if (!r[k]) {
                r[k] = 1;
@@ -9761,7 +9763,7 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
  fe_mul(x,h->X,recip);
  fe_mul(y,h->Y,recip);
  fe_tobytes(s,y);
-  s[31] ^= (unsigned char)(fe_isnegative(x) << 7);
+  s[31] ^= (unsigned char)((unsigned char)fe_isnegative(x) << 7);
 }
 #endif

@@ -9813,7 +9815,7 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
  fe_mul(x,h->X,recip);
  fe_mul(y,h->Y,recip);
  fe_tobytes(s,y);
-  s[31] ^= (unsigned char)(fe_isnegative(x) << 7);
+  s[31] ^= (unsigned char)((unsigned char)fe_isnegative(x) << 7);
 }

 #endif /* !ED25519_SMALL */