396 			uint128_t product;  in vli_mult()  local
398 			product = mul_64_64(left[i], right[k - i]);  in vli_mult()
400 			r01 = add_128_128(r01, product);  in vli_mult()
401 			r2 += (r01.m_high < product.m_high);  in vli_mult()
413 /* Compute product = left * right, for a small right value. */
421 		uint128_t product;  in vli_umult()  local
423 		product = mul_64_64(left[k], right);  in vli_umult()
424 		r01 = add_128_128(r01, product);  in vli_umult()
450 			uint128_t product;  in vli_square()  local
452 			product = mul_64_64(left[i], left[k - i]);  in vli_square()
455 				r2 += product.m_high >> 63;  in vli_square()
456 				product.m_high = (product.m_high << 1) |  in vli_square()
457 						 (product.m_low >> 63);  in vli_square()
458 				product.m_low <<= 1;  in vli_square()
461 			r01 = add_128_128(r01, product);  in vli_square()
462 			r2 += (r01.m_high < product.m_high);  in vli_square()
508  * Computes result = product % mod
516 static void vli_mmod_special(u64 *result, const u64 *product,  in vli_mmod_special()  argument
523 	vli_set(r, product, ndigits * 2);  in vli_mmod_special()
537  * Computes result = product % mod
550 static void vli_mmod_special2(u64 *result, const u64 *product,  in vli_mmod_special2()  argument
563 	vli_set(r, product, ndigits);  in vli_mmod_special2()
565 	vli_set(q, product + ndigits, ndigits);  in vli_mmod_special2()
595  * Computes result = product % mod, where product is 2N words long.
599 static void vli_mmod_slow(u64 *result, u64 *product, const u64 *mod,  in vli_mmod_slow()  argument
604 	u64 *v[2] = { tmp, product };  in vli_mmod_slow()
640 /* Computes result = product % mod using Barrett's reduction with precomputed
649 static void vli_mmod_barrett(u64 *result, u64 *product, const u64 *mod,  in vli_mmod_barrett()  argument
656 	vli_mult(q, product + ndigits, mu, ndigits);  in vli_mmod_barrett()
658 		vli_add(q + ndigits, q + ndigits, product + ndigits, ndigits);  in vli_mmod_barrett()
660 	vli_sub(r, product, r, ndigits * 2);  in vli_mmod_barrett()
675 static void vli_mmod_fast_192(u64 *result, const u64 *product,  in vli_mmod_fast_192()  argument
681 	vli_set(result, product, ndigits);  in vli_mmod_fast_192()
683 	vli_set(tmp, &product[3], ndigits);  in vli_mmod_fast_192()
687 	tmp[1] = product[3];  in vli_mmod_fast_192()
688 	tmp[2] = product[4];  in vli_mmod_fast_192()
691 	tmp[0] = tmp[1] = product[5];  in vli_mmod_fast_192()
699 /* Computes result = product % curve_prime
702 static void vli_mmod_fast_256(u64 *result, const u64 *product,  in vli_mmod_fast_256()  argument
709 	vli_set(result, product, ndigits);  in vli_mmod_fast_256()
713 	tmp[1] = product[5] & 0xffffffff00000000ull;  in vli_mmod_fast_256()
714 	tmp[2] = product[6];  in vli_mmod_fast_256()
715 	tmp[3] = product[7];  in vli_mmod_fast_256()
720 	tmp[1] = product[6] << 32;  in vli_mmod_fast_256()
721 	tmp[2] = (product[6] >> 32) | (product[7] << 32);  in vli_mmod_fast_256()
722 	tmp[3] = product[7] >> 32;  in vli_mmod_fast_256()
727 	tmp[0] = product[4];  in vli_mmod_fast_256()
728 	tmp[1] = product[5] & 0xffffffff;  in vli_mmod_fast_256()
730 	tmp[3] = product[7];  in vli_mmod_fast_256()
734 	tmp[0] = (product[4] >> 32) | (product[5] << 32);  in vli_mmod_fast_256()
735 	tmp[1] = (product[5] >> 32) | (product[6] & 0xffffffff00000000ull);  in vli_mmod_fast_256()
736 	tmp[2] = product[7];  in vli_mmod_fast_256()
737 	tmp[3] = (product[6] >> 32) | (product[4] << 32);  in vli_mmod_fast_256()
741 	tmp[0] = (product[5] >> 32) | (product[6] << 32);  in vli_mmod_fast_256()
742 	tmp[1] = (product[6] >> 32);  in vli_mmod_fast_256()
744 	tmp[3] = (product[4] & 0xffffffff) | (product[5] << 32);  in vli_mmod_fast_256()
748 	tmp[0] = product[6];  in vli_mmod_fast_256()
749 	tmp[1] = product[7];  in vli_mmod_fast_256()
751 	tmp[3] = (product[4] >> 32) | (product[5] & 0xffffffff00000000ull);  in vli_mmod_fast_256()
755 	tmp[0] = (product[6] >> 32) | (product[7] << 32);  in vli_mmod_fast_256()
756 	tmp[1] = (product[7] >> 32) | (product[4] << 32);  in vli_mmod_fast_256()
757 	tmp[2] = (product[4] >> 32) | (product[5] << 32);  in vli_mmod_fast_256()
758 	tmp[3] = (product[6] << 32);  in vli_mmod_fast_256()
762 	tmp[0] = product[7];  in vli_mmod_fast_256()
763 	tmp[1] = product[4] & 0xffffffff00000000ull;  in vli_mmod_fast_256()
764 	tmp[2] = product[5];  in vli_mmod_fast_256()
765 	tmp[3] = product[6] & 0xffffffff00000000ull;  in vli_mmod_fast_256()
778 /* Computes result = product % curve_prime for different curve_primes.
783 static bool vli_mmod_fast(u64 *result, u64 *product,  in vli_mmod_fast()  argument
792 			vli_mmod_special(result, product, curve_prime,  in vli_mmod_fast()
797 			vli_mmod_special2(result, product, curve_prime,  in vli_mmod_fast()
801 		vli_mmod_barrett(result, product, curve_prime, ndigits);  in vli_mmod_fast()
807 		vli_mmod_fast_192(result, product, curve_prime, tmp);  in vli_mmod_fast()
810 		vli_mmod_fast_256(result, product, curve_prime, tmp);  in vli_mmod_fast()
826 	u64 product[ECC_MAX_DIGITS * 2];  in vli_mod_mult_slow()  local
828 	vli_mult(product, left, right, ndigits);  in vli_mod_mult_slow()
829 	vli_mmod_slow(result, product, mod, ndigits);  in vli_mod_mult_slow()
837 	u64 product[2 * ECC_MAX_DIGITS];  in vli_mod_mult_fast()  local
839 	vli_mult(product, left, right, ndigits);  in vli_mod_mult_fast()
840 	vli_mmod_fast(result, product, curve_prime, ndigits);  in vli_mod_mult_fast()
847 	u64 product[2 * ECC_MAX_DIGITS];  in vli_mod_square_fast()  local
849 	vli_square(product, left, ndigits);  in vli_mod_square_fast()
850 	vli_mmod_fast(result, product, curve_prime, ndigits);  in vli_mod_square_fast()
1489 	struct ecc_point *product, *pk;  in crypto_ecdh_shared_secret()  local
1519 	product = ecc_alloc_point(ndigits);  in crypto_ecdh_shared_secret()
1520 	if (!product) {  in crypto_ecdh_shared_secret()
1525 	ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);  in crypto_ecdh_shared_secret()
1527 	if (ecc_point_is_zero(product)) {  in crypto_ecdh_shared_secret()
1532 	ecc_swap_digits(product->x, secret, ndigits);  in crypto_ecdh_shared_secret()
1537 	ecc_free_point(product);  in crypto_ecdh_shared_secret()