257 /* Computes result = in << c, returning carry. Can modify in place
263 	u64 carry = 0;  in vli_lshift()  local
269 		result[i] = (temp << shift) | carry;  in vli_lshift()
270 		carry = temp >> (64 - shift);  in vli_lshift()
273 	return carry;  in vli_lshift()
280 	u64 carry = 0;  in vli_rshift1()  local
286 		*vli = (temp >> 1) | carry;  in vli_rshift1()
287 		carry = temp << 63;  in vli_rshift1()
291 /* Computes result = left + right, returning carry. Can modify in place. */
295 	u64 carry = 0;  in vli_add()  local
301 		sum = left[i] + right[i] + carry;  in vli_add()
303 			carry = (sum < left[i]);  in vli_add()
308 	return carry;  in vli_add()
311 /* Computes result = left + right, returning carry. Can modify in place. */
315 	u64 carry = right;  in vli_uadd()  local
321 		sum = left[i] + carry;  in vli_uadd()
323 			carry = (sum < left[i]);  in vli_uadd()
325 			carry = !!carry;  in vli_uadd()
330 	return carry;  in vli_uadd()
463 		/* no carry */  in vli_umult()
518 	u64 carry;  in vli_mod_add()  local
520 	carry = vli_add(result, left, right, ndigits);  in vli_mod_add()
525 	if (carry || vli_cmp(result, mod, ndigits) >= 0)  in vli_mod_add()
595 	int carry; /* last bit that doesn't fit into q */  in vli_mmod_special2()  local
602 	/* q and carry are top bits */  in vli_mmod_special2()
605 	carry = vli_is_negative(r, ndigits);  in vli_mmod_special2()
606 	if (carry)  in vli_mmod_special2()
608 	for (i = 1; carry || !vli_is_zero(q, ndigits); i++) {  in vli_mmod_special2()
612 		if (carry)  in vli_mmod_special2()
616 		carry = vli_is_negative(qc, ndigits);  in vli_mmod_special2()
617 		if (carry)  in vli_mmod_special2()
643 	u64 carry = 0;  in vli_mmod_slow()  local
653 			mod_m[word_shift + i] = (mod[i] << bit_shift) | carry;  in vli_mmod_slow()
654 			carry = mod[i] >> (64 - bit_shift);  in vli_mmod_slow()
701 		u64 carry;  in vli_mmod_barrett()  local
703 		carry = vli_sub(r, r, mod, ndigits);  in vli_mmod_barrett()
704 		vli_usub(r + ndigits, r + ndigits, carry, ndigits);  in vli_mmod_barrett()
717 	int carry;  in vli_mmod_fast_192()  local
722 	carry = vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
727 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
731 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
733 	while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_192()
734 		carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_192()
743 	int carry;  in vli_mmod_fast_256()  local
754 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
755 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
761 	carry += vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
762 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
769 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
776 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
783 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
790 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
797 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
804 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
806 	if (carry < 0) {  in vli_mmod_fast_256()
808 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
809 		} while (carry < 0);  in vli_mmod_fast_256()
811 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_256()
812 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
826 	int carry;  in vli_mmod_fast_384()  local
839 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_384()
840 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
849 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
858 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
867 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
876 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
885 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
894 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
903 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
912 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
914 	if (carry < 0) {  in vli_mmod_fast_384()
916 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
917 		} while (carry < 0);  in vli_mmod_fast_384()
919 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_384()
920 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
1044 	u64 carry;  in vli_mod_inv()  local
1059 		carry = 0;  in vli_mod_inv()
1065 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1068 			if (carry)  in vli_mod_inv()
1074 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1077 			if (carry)  in vli_mod_inv()
1088 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1091 			if (carry)  in vli_mod_inv()
1102 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1105 			if (carry)  in vli_mod_inv()
1166 		u64 carry = vli_add(x1, x1, curve_prime, ndigits);  in ecc_point_double_jacobian()  local
1169 		x1[ndigits - 1] |= carry << 63;  in ecc_point_double_jacobian()
1342 	int carry;  in ecc_point_mult()  local
1344 	carry = vli_add(sk[0], scalar, curve->n, ndigits);  in ecc_point_mult()
1346 	scalar = sk[!carry];  in ecc_point_mult()