233 /* Computes result = in << c, returning carry. Can modify in place
239 	u64 carry = 0;  in vli_lshift()  local
245 		result[i] = (temp << shift) | carry;  in vli_lshift()
246 		carry = temp >> (64 - shift);  in vli_lshift()
249 	return carry;  in vli_lshift()
256 	u64 carry = 0;  in vli_rshift1()  local
262 		*vli = (temp >> 1) | carry;  in vli_rshift1()
263 		carry = temp << 63;  in vli_rshift1()
267 /* Computes result = left + right, returning carry. Can modify in place. */
271 	u64 carry = 0;  in vli_add()  local
277 		sum = left[i] + right[i] + carry;  in vli_add()
279 			carry = (sum < left[i]);  in vli_add()
284 	return carry;  in vli_add()
287 /* Computes result = left + right, returning carry. Can modify in place. */
291 	u64 carry = right;  in vli_uadd()  local
297 		sum = left[i] + carry;  in vli_uadd()
299 			carry = (sum < left[i]);  in vli_uadd()
301 			carry = !!carry;  in vli_uadd()
306 	return carry;  in vli_uadd()
439 		/* no carry */  in vli_umult()
494 	u64 carry;  in vli_mod_add()  local
496 	carry = vli_add(result, left, right, ndigits);  in vli_mod_add()
501 	if (carry || vli_cmp(result, mod, ndigits) >= 0)  in vli_mod_add()
571 	int carry; /* last bit that doesn't fit into q */  in vli_mmod_special2()  local
578 	/* q and carry are top bits */  in vli_mmod_special2()
581 	carry = vli_is_negative(r, ndigits);  in vli_mmod_special2()
582 	if (carry)  in vli_mmod_special2()
584 	for (i = 1; carry || !vli_is_zero(q, ndigits); i++) {  in vli_mmod_special2()
588 		if (carry)  in vli_mmod_special2()
592 		carry = vli_is_negative(qc, ndigits);  in vli_mmod_special2()
593 		if (carry)  in vli_mmod_special2()
619 	u64 carry = 0;  in vli_mmod_slow()  local
629 			mod_m[word_shift + i] = (mod[i] << bit_shift) | carry;  in vli_mmod_slow()
630 			carry = mod[i] >> (64 - bit_shift);  in vli_mmod_slow()
677 		u64 carry;  in vli_mmod_barrett()  local
679 		carry = vli_sub(r, r, mod, ndigits);  in vli_mmod_barrett()
680 		vli_usub(r + ndigits, r + ndigits, carry, ndigits);  in vli_mmod_barrett()
693 	int carry;  in vli_mmod_fast_192()  local
698 	carry = vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
703 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
707 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
709 	while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_192()
710 		carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_192()
719 	int carry;  in vli_mmod_fast_256()  local
730 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
731 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
737 	carry += vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
738 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
745 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
752 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
759 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
766 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
773 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
780 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
782 	if (carry < 0) {  in vli_mmod_fast_256()
784 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
785 		} while (carry < 0);  in vli_mmod_fast_256()
787 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_256()
788 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
802 	int carry;  in vli_mmod_fast_384()  local
815 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_384()
816 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
825 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
834 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
843 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
852 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
861 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
870 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
879 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
888 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
890 	if (carry < 0) {  in vli_mmod_fast_384()
892 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
893 		} while (carry < 0);  in vli_mmod_fast_384()
895 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_384()
896 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
995 	u64 carry;  in vli_mod_inv()  local
1010 		carry = 0;  in vli_mod_inv()
1016 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1019 			if (carry)  in vli_mod_inv()
1025 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1028 			if (carry)  in vli_mod_inv()
1039 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1042 			if (carry)  in vli_mod_inv()
1053 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1056 			if (carry)  in vli_mod_inv()
1117 		u64 carry = vli_add(x1, x1, curve_prime, ndigits);  in ecc_point_double_jacobian()  local
1120 		x1[ndigits - 1] |= carry << 63;  in ecc_point_double_jacobian()
1293 	int carry;  in ecc_point_mult()  local
1295 	carry = vli_add(sk[0], scalar, curve->n, ndigits);  in ecc_point_mult()
1297 	scalar = sk[!carry];  in ecc_point_mult()