diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c
index edd06a9a0..a5e07acd8 100644
--- a/crypto/bn/bn_nist.c
+++ b/crypto/bn/bn_nist.c
@@ -1108,9 +1108,20 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	/* ... and right shift */
 	for (val=t_d[0],i=0; i<BN_NIST_521_TOP-1; i++)
 		{
+#if 0
+		/*
+		 * MSC ARM compiler [version 2013, presumably even earlier,
+		 * much earlier] miscompiles this code, but not one in
+		 * #else section. See RT#3541.
+		 */
+		tmp = val>>BN_NIST_521_RSHIFT;
+		val = t_d[i+1];
+		t_d[i] = (tmp | val<<BN_NIST_521_LSHIFT) & BN_MASK2;
+#else
 		t_d[i] = ( val>>BN_NIST_521_RSHIFT |
 			  (tmp=t_d[i+1])<<BN_NIST_521_LSHIFT ) & BN_MASK2;
 		val=tmp;
+#endif
 		}
 	t_d[i] = val>>BN_NIST_521_RSHIFT;
 	/* lower 521 bits */