rsaz_exp_x2.c: Avoid potential undefined behavior with strict aliasing

Fixes #19584

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19597)

(cherry picked from commit 9506a2e274c643b94a2c265019ea9288f99a521a)

1 files changed, 12 insertions, 4 deletions

diff --git a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c
index 95a1380f8f..fb96d67743 100644
--- a/crypto/bn/rsaz_exp_x2.c
+++ b/crypto/bn/rsaz_exp_x2.c
@@ -556,9 +556,13 @@ static void to_words52(BN_ULONG *out, int out_len,
     in_str = (uint8_t *)in;
 
     for (; in_bitsize >= (2 * DIGIT_SIZE); in_bitsize -= (2 * DIGIT_SIZE), out += 2) {
-        out[0] = (*(uint64_t *)in_str) & DIGIT_MASK;
+        uint64_t digit;
+
+        memcpy(&digit, in_str, sizeof(digit));
+        out[0] = digit & DIGIT_MASK;
         in_str += 6;
-        out[1] = ((*(uint64_t *)in_str) >> 4) & DIGIT_MASK;
+        memcpy(&digit, in_str, sizeof(digit));
+        out[1] = (digit >> 4) & DIGIT_MASK;
         in_str += 7;
         out_len -= 2;
     }
@@ -617,9 +621,13 @@ static void from_words52(BN_ULONG *out, int out_bitsize, const BN_ULONG *in)
 
         for (; out_bitsize >= (2 * DIGIT_SIZE);
                out_bitsize -= (2 * DIGIT_SIZE), in += 2) {
-            (*(uint64_t *)out_str) = in[0];
+            uint64_t digit;
+
+            digit = in[0];
+            memcpy(out_str, &digit, sizeof(digit));
             out_str += 6;
-            (*(uint64_t *)out_str) ^= in[1] << 4;
+            digit = digit >> 48 | in[1] << 4;
+            memcpy(out_str, &digit, sizeof(digit));
             out_str += 7;
         }