474   int64_t tmp[4], a;  in p224_felem_contract()  local
475   tmp[0] = in[0];  in p224_felem_contract()
476   tmp[1] = in[1];  in p224_felem_contract()
477   tmp[2] = in[2];  in p224_felem_contract()
478   tmp[3] = in[3];  in p224_felem_contract()
481   tmp[0] -= a;  in p224_felem_contract()
482   tmp[1] += a << 40;  in p224_felem_contract()
483   tmp[3] &= 0x00ffffffffffffff;  in p224_felem_contract()
492   tmp[3] &= a ^ 0xffffffffffffffff;  in p224_felem_contract()
493   tmp[2] &= a ^ 0xffffffffffffffff;  in p224_felem_contract()
494   tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;  in p224_felem_contract()
495   tmp[0] -= 1 & a;  in p224_felem_contract()
499   a = tmp[0] >> 63;  in p224_felem_contract()
500   tmp[0] += two56 & a;  in p224_felem_contract()
501   tmp[1] -= 1 & a;  in p224_felem_contract()
504   tmp[2] += tmp[1] >> 56;  in p224_felem_contract()
505   tmp[1] &= 0x00ffffffffffffff;  in p224_felem_contract()
507   tmp[3] += tmp[2] >> 56;  in p224_felem_contract()
508   tmp[2] &= 0x00ffffffffffffff;  in p224_felem_contract()
511   out[0] = tmp[0];  in p224_felem_contract()
512   out[1] = tmp[1];  in p224_felem_contract()
513   out[2] = tmp[2];  in p224_felem_contract()
514   out[3] = tmp[3];  in p224_felem_contract()
539   p224_widefelem tmp;  in p224_felem_inv()  local
541   p224_felem_square(tmp, in);  in p224_felem_inv()
542   p224_felem_reduce(ftmp, tmp); /* 2 */  in p224_felem_inv()
543   p224_felem_mul(tmp, in, ftmp);  in p224_felem_inv()
544   p224_felem_reduce(ftmp, tmp); /* 2^2 - 1 */  in p224_felem_inv()
545   p224_felem_square(tmp, ftmp);  in p224_felem_inv()
546   p224_felem_reduce(ftmp, tmp); /* 2^3 - 2 */  in p224_felem_inv()
547   p224_felem_mul(tmp, in, ftmp);  in p224_felem_inv()
548   p224_felem_reduce(ftmp, tmp); /* 2^3 - 1 */  in p224_felem_inv()
549   p224_felem_square(tmp, ftmp);  in p224_felem_inv()
550   p224_felem_reduce(ftmp2, tmp); /* 2^4 - 2 */  in p224_felem_inv()
551   p224_felem_square(tmp, ftmp2);  in p224_felem_inv()
552   p224_felem_reduce(ftmp2, tmp); /* 2^5 - 4 */  in p224_felem_inv()
553   p224_felem_square(tmp, ftmp2);  in p224_felem_inv()
554   p224_felem_reduce(ftmp2, tmp); /* 2^6 - 8 */  in p224_felem_inv()
555   p224_felem_mul(tmp, ftmp2, ftmp);  in p224_felem_inv()
556   p224_felem_reduce(ftmp, tmp); /* 2^6 - 1 */  in p224_felem_inv()
557   p224_felem_square(tmp, ftmp);  in p224_felem_inv()
558   p224_felem_reduce(ftmp2, tmp); /* 2^7 - 2 */  in p224_felem_inv()
560     p224_felem_square(tmp, ftmp2);  in p224_felem_inv()
561     p224_felem_reduce(ftmp2, tmp);  in p224_felem_inv()
563   p224_felem_mul(tmp, ftmp2, ftmp);  in p224_felem_inv()
564   p224_felem_reduce(ftmp2, tmp); /* 2^12 - 1 */  in p224_felem_inv()
565   p224_felem_square(tmp, ftmp2);  in p224_felem_inv()
566   p224_felem_reduce(ftmp3, tmp); /* 2^13 - 2 */  in p224_felem_inv()
568     p224_felem_square(tmp, ftmp3);  in p224_felem_inv()
569     p224_felem_reduce(ftmp3, tmp);  in p224_felem_inv()
571   p224_felem_mul(tmp, ftmp3, ftmp2);  in p224_felem_inv()
572   p224_felem_reduce(ftmp2, tmp); /* 2^24 - 1 */  in p224_felem_inv()
573   p224_felem_square(tmp, ftmp2);  in p224_felem_inv()
574   p224_felem_reduce(ftmp3, tmp); /* 2^25 - 2 */  in p224_felem_inv()
576     p224_felem_square(tmp, ftmp3);  in p224_felem_inv()
577     p224_felem_reduce(ftmp3, tmp);  in p224_felem_inv()
579   p224_felem_mul(tmp, ftmp3, ftmp2);  in p224_felem_inv()
580   p224_felem_reduce(ftmp3, tmp); /* 2^48 - 1 */  in p224_felem_inv()
581   p224_felem_square(tmp, ftmp3);  in p224_felem_inv()
582   p224_felem_reduce(ftmp4, tmp); /* 2^49 - 2 */  in p224_felem_inv()
584     p224_felem_square(tmp, ftmp4);  in p224_felem_inv()
585     p224_felem_reduce(ftmp4, tmp);  in p224_felem_inv()
587   p224_felem_mul(tmp, ftmp3, ftmp4);  in p224_felem_inv()
588   p224_felem_reduce(ftmp3, tmp); /* 2^96 - 1 */  in p224_felem_inv()
589   p224_felem_square(tmp, ftmp3);  in p224_felem_inv()
590   p224_felem_reduce(ftmp4, tmp); /* 2^97 - 2 */  in p224_felem_inv()
592     p224_felem_square(tmp, ftmp4);  in p224_felem_inv()
593     p224_felem_reduce(ftmp4, tmp);  in p224_felem_inv()
595   p224_felem_mul(tmp, ftmp2, ftmp4);  in p224_felem_inv()
596   p224_felem_reduce(ftmp2, tmp); /* 2^120 - 1 */  in p224_felem_inv()
598     p224_felem_square(tmp, ftmp2);  in p224_felem_inv()
599     p224_felem_reduce(ftmp2, tmp);  in p224_felem_inv()
601   p224_felem_mul(tmp, ftmp2, ftmp);  in p224_felem_inv()
602   p224_felem_reduce(ftmp, tmp); /* 2^126 - 1 */  in p224_felem_inv()
603   p224_felem_square(tmp, ftmp);  in p224_felem_inv()
604   p224_felem_reduce(ftmp, tmp); /* 2^127 - 2 */  in p224_felem_inv()
605   p224_felem_mul(tmp, ftmp, in);  in p224_felem_inv()
606   p224_felem_reduce(ftmp, tmp); /* 2^127 - 1 */  in p224_felem_inv()
608     p224_felem_square(tmp, ftmp);  in p224_felem_inv()
609     p224_felem_reduce(ftmp, tmp);  in p224_felem_inv()
611   p224_felem_mul(tmp, ftmp, ftmp3);  in p224_felem_inv()
612   p224_felem_reduce(out, tmp); /* 2^224 - 2^96 - 1 */  in p224_felem_inv()
623     const p224_limb tmp = copy & (in[i] ^ out[i]);  in p224_copy_conditional()  local
624     out[i] ^= tmp;  in p224_copy_conditional()
644   p224_widefelem tmp, tmp2;  in p224_point_double()  local
651   p224_felem_square(tmp, z_in);  in p224_point_double()
652   p224_felem_reduce(delta, tmp);  in p224_point_double()
655   p224_felem_square(tmp, y_in);  in p224_point_double()
656   p224_felem_reduce(gamma, tmp);  in p224_point_double()
659   p224_felem_mul(tmp, x_in, gamma);  in p224_point_double()
660   p224_felem_reduce(beta, tmp);  in p224_point_double()
669   p224_felem_mul(tmp, ftmp, ftmp2);  in p224_point_double()
671   p224_felem_reduce(alpha, tmp);  in p224_point_double()
674   p224_felem_square(tmp, alpha);  in p224_point_double()
679   p224_felem_diff_128_64(tmp, ftmp);  in p224_point_double()
681   p224_felem_reduce(x_out, tmp);  in p224_point_double()
689   p224_felem_square(tmp, ftmp);  in p224_point_double()
691   p224_felem_diff_128_64(tmp, delta);  in p224_point_double()
693   p224_felem_reduce(z_out, tmp);  in p224_point_double()
700   p224_felem_mul(tmp, alpha, beta);  in p224_point_double()
706   p224_widefelem_diff(tmp, tmp2);  in p224_point_double()
708   p224_felem_reduce(y_out, tmp);  in p224_point_double()
732   p224_widefelem tmp, tmp2;  in p224_point_add()  local
737     p224_felem_square(tmp, z2);  in p224_point_add()
738     p224_felem_reduce(ftmp2, tmp);  in p224_point_add()
741     p224_felem_mul(tmp, ftmp2, z2);  in p224_point_add()
742     p224_felem_reduce(ftmp4, tmp);  in p224_point_add()
762   p224_felem_square(tmp, z1);  in p224_point_add()
763   p224_felem_reduce(ftmp, tmp);  in p224_point_add()
766   p224_felem_mul(tmp, ftmp, z1);  in p224_point_add()
767   p224_felem_reduce(ftmp3, tmp);  in p224_point_add()
770   p224_felem_mul(tmp, ftmp3, y2);  in p224_point_add()
774   p224_felem_diff_128_64(tmp, ftmp4);  in p224_point_add()
776   p224_felem_reduce(ftmp3, tmp);  in p224_point_add()
779   p224_felem_mul(tmp, ftmp, x2);  in p224_point_add()
783   p224_felem_diff_128_64(tmp, ftmp2);  in p224_point_add()
785   p224_felem_reduce(ftmp, tmp);  in p224_point_add()
801     p224_felem_mul(tmp, z1, z2);  in p224_point_add()
802     p224_felem_reduce(ftmp5, tmp);  in p224_point_add()
809   p224_felem_mul(tmp, ftmp, ftmp5);  in p224_point_add()
810   p224_felem_reduce(z_out, tmp);  in p224_point_add()
814   p224_felem_square(tmp, ftmp);  in p224_point_add()
815   p224_felem_reduce(ftmp, tmp);  in p224_point_add()
818   p224_felem_mul(tmp, ftmp, ftmp5);  in p224_point_add()
819   p224_felem_reduce(ftmp5, tmp);  in p224_point_add()
822   p224_felem_mul(tmp, ftmp2, ftmp);  in p224_point_add()
823   p224_felem_reduce(ftmp2, tmp);  in p224_point_add()
826   p224_felem_mul(tmp, ftmp4, ftmp5);  in p224_point_add()
858   p224_widefelem_diff(tmp2, tmp);  in p224_point_add()
915   p224_felem nq[3], tmp[4];  in p224_batch_mul()  local
941       p224_select_point(bits, 16, g_p224_pre_comp[1], tmp);  in p224_batch_mul()
945                   tmp[0], tmp[1], tmp[2]);  in p224_batch_mul()
947         OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));  in p224_batch_mul()
957       p224_select_point(bits, 16, g_p224_pre_comp[0], tmp);  in p224_batch_mul()
959                      tmp[0], tmp[1], tmp[2]);  in p224_batch_mul()
973       p224_select_point(digit, 17, p_pre_comp, tmp);  in p224_batch_mul()
974       p224_felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */  in p224_batch_mul()
975       p224_copy_conditional(tmp[1], tmp[3], sign);  in p224_batch_mul()
979                   tmp[0], tmp[1], tmp[2]);  in p224_batch_mul()
981         OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));  in p224_batch_mul()
1003   p224_widefelem tmp;  in ec_GFp_nistp224_point_get_affine_coordinates()  local
1017   p224_felem_square(tmp, z2);  in ec_GFp_nistp224_point_get_affine_coordinates()
1018   p224_felem_reduce(z1, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1019   p224_felem_mul(tmp, x_in, z1);  in ec_GFp_nistp224_point_get_affine_coordinates()
1020   p224_felem_reduce(x_in, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1027   p224_felem_mul(tmp, z1, z2);  in ec_GFp_nistp224_point_get_affine_coordinates()
1028   p224_felem_reduce(z1, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1029   p224_felem_mul(tmp, y_in, z1);  in ec_GFp_nistp224_point_get_affine_coordinates()
1030   p224_felem_reduce(y_in, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1048   p224_felem_bytearray tmp;  in ec_GFp_nistp224_points_mul()  local
1081       num_bytes = BN_bn2bin(tmp_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1083       num_bytes = BN_bn2bin(p_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1086     p224_flip_endian(p_secret, tmp, num_bytes);  in ec_GFp_nistp224_points_mul()
1122       num_bytes = BN_bn2bin(tmp_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1124       num_bytes = BN_bn2bin(g_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1127     p224_flip_endian(g_secret, tmp, num_bytes);  in ec_GFp_nistp224_points_mul()