222 /* Computes result = in << c, returning carry. Can modify in place
228 	u64 carry = 0;  in vli_lshift()  local
234 		result[i] = (temp << shift) | carry;  in vli_lshift()
235 		carry = temp >> (64 - shift);  in vli_lshift()
238 	return carry;  in vli_lshift()
245 	u64 carry = 0;  in vli_rshift1()  local
251 		*vli = (temp >> 1) | carry;  in vli_rshift1()
252 		carry = temp << 63;  in vli_rshift1()
256 /* Computes result = left + right, returning carry. Can modify in place. */
260 	u64 carry = 0;  in vli_add()  local
266 		sum = left[i] + right[i] + carry;  in vli_add()
268 			carry = (sum < left[i]);  in vli_add()
273 	return carry;  in vli_add()
276 /* Computes result = left + right, returning carry. Can modify in place. */
280 	u64 carry = right;  in vli_uadd()  local
286 		sum = left[i] + carry;  in vli_uadd()
288 			carry = (sum < left[i]);  in vli_uadd()
290 			carry = !!carry;  in vli_uadd()
295 	return carry;  in vli_uadd()
428 		/* no carry */  in vli_umult()
483 	u64 carry;  in vli_mod_add()  local
485 	carry = vli_add(result, left, right, ndigits);  in vli_mod_add()
490 	if (carry || vli_cmp(result, mod, ndigits) >= 0)  in vli_mod_add()
560 	int carry; /* last bit that doesn't fit into q */  in vli_mmod_special2()  local
567 	/* q and carry are top bits */  in vli_mmod_special2()
570 	carry = vli_is_negative(r, ndigits);  in vli_mmod_special2()
571 	if (carry)  in vli_mmod_special2()
573 	for (i = 1; carry || !vli_is_zero(q, ndigits); i++) {  in vli_mmod_special2()
577 		if (carry)  in vli_mmod_special2()
581 		carry = vli_is_negative(qc, ndigits);  in vli_mmod_special2()
582 		if (carry)  in vli_mmod_special2()
608 	u64 carry = 0;  in vli_mmod_slow()  local
618 			mod_m[word_shift + i] = (mod[i] << bit_shift) | carry;  in vli_mmod_slow()
619 			carry = mod[i] >> (64 - bit_shift);  in vli_mmod_slow()
666 		u64 carry;  in vli_mmod_barrett()  local
668 		carry = vli_sub(r, r, mod, ndigits);  in vli_mmod_barrett()
669 		vli_usub(r + ndigits, r + ndigits, carry, ndigits);  in vli_mmod_barrett()
682 	int carry;  in vli_mmod_fast_192()  local
687 	carry = vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
692 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
696 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
698 	while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_192()
699 		carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_192()
708 	int carry;  in vli_mmod_fast_256()  local
719 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
720 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
726 	carry += vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
727 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
734 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
741 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
748 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
755 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
762 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
769 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
771 	if (carry < 0) {  in vli_mmod_fast_256()
773 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
774 		} while (carry < 0);  in vli_mmod_fast_256()
776 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_256()
777 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
791 	int carry;  in vli_mmod_fast_384()  local
804 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_384()
805 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
814 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
823 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
832 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
841 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
850 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
859 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
868 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
877 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
879 	if (carry < 0) {  in vli_mmod_fast_384()
881 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
882 		} while (carry < 0);  in vli_mmod_fast_384()
884 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_384()
885 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
984 	u64 carry;  in vli_mod_inv()  local
999 		carry = 0;  in vli_mod_inv()
1005 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1008 			if (carry)  in vli_mod_inv()
1014 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1017 			if (carry)  in vli_mod_inv()
1028 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1031 			if (carry)  in vli_mod_inv()
1042 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1045 			if (carry)  in vli_mod_inv()
1105 		u64 carry = vli_add(x1, x1, curve_prime, ndigits);  in ecc_point_double_jacobian()  local
1108 		x1[ndigits - 1] |= carry << 63;  in ecc_point_double_jacobian()
1281 	int carry;  in ecc_point_mult()  local
1283 	carry = vli_add(sk[0], scalar, curve->n, ndigits);  in ecc_point_mult()
1285 	scalar = sk[!carry];  in ecc_point_mult()