230 /* Computes result = in << c, returning carry. Can modify in place
236 	u64 carry = 0;  in vli_lshift()  local
242 		result[i] = (temp << shift) | carry;  in vli_lshift()
243 		carry = temp >> (64 - shift);  in vli_lshift()
246 	return carry;  in vli_lshift()
253 	u64 carry = 0;  in vli_rshift1()  local
259 		*vli = (temp >> 1) | carry;  in vli_rshift1()
260 		carry = temp << 63;  in vli_rshift1()
264 /* Computes result = left + right, returning carry. Can modify in place. */
268 	u64 carry = 0;  in vli_add()  local
274 		sum = left[i] + right[i] + carry;  in vli_add()
276 			carry = (sum < left[i]);  in vli_add()
281 	return carry;  in vli_add()
284 /* Computes result = left + right, returning carry. Can modify in place. */
288 	u64 carry = right;  in vli_uadd()  local
294 		sum = left[i] + carry;  in vli_uadd()
296 			carry = (sum < left[i]);  in vli_uadd()
298 			carry = !!carry;  in vli_uadd()
303 	return carry;  in vli_uadd()
436 		/* no carry */  in vli_umult()
491 	u64 carry;  in vli_mod_add()  local
493 	carry = vli_add(result, left, right, ndigits);  in vli_mod_add()
498 	if (carry || vli_cmp(result, mod, ndigits) >= 0)  in vli_mod_add()
568 	int carry; /* last bit that doesn't fit into q */  in vli_mmod_special2()  local
575 	/* q and carry are top bits */  in vli_mmod_special2()
578 	carry = vli_is_negative(r, ndigits);  in vli_mmod_special2()
579 	if (carry)  in vli_mmod_special2()
581 	for (i = 1; carry || !vli_is_zero(q, ndigits); i++) {  in vli_mmod_special2()
585 		if (carry)  in vli_mmod_special2()
589 		carry = vli_is_negative(qc, ndigits);  in vli_mmod_special2()
590 		if (carry)  in vli_mmod_special2()
616 	u64 carry = 0;  in vli_mmod_slow()  local
626 			mod_m[word_shift + i] = (mod[i] << bit_shift) | carry;  in vli_mmod_slow()
627 			carry = mod[i] >> (64 - bit_shift);  in vli_mmod_slow()
674 		u64 carry;  in vli_mmod_barrett()  local
676 		carry = vli_sub(r, r, mod, ndigits);  in vli_mmod_barrett()
677 		vli_usub(r + ndigits, r + ndigits, carry, ndigits);  in vli_mmod_barrett()
690 	int carry;  in vli_mmod_fast_192()  local
695 	carry = vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
700 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
704 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
706 	while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_192()
707 		carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_192()
716 	int carry;  in vli_mmod_fast_256()  local
727 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
728 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
734 	carry += vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
735 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
742 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
749 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
756 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
763 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
770 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
777 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
779 	if (carry < 0) {  in vli_mmod_fast_256()
781 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
782 		} while (carry < 0);  in vli_mmod_fast_256()
784 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_256()
785 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
799 	int carry;  in vli_mmod_fast_384()  local
812 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_384()
813 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
822 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
831 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
840 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
849 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
858 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
867 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
876 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
885 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
887 	if (carry < 0) {  in vli_mmod_fast_384()
889 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
890 		} while (carry < 0);  in vli_mmod_fast_384()
892 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_384()
893 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
992 	u64 carry;  in vli_mod_inv()  local
1007 		carry = 0;  in vli_mod_inv()
1013 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1016 			if (carry)  in vli_mod_inv()
1022 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1025 			if (carry)  in vli_mod_inv()
1036 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1039 			if (carry)  in vli_mod_inv()
1050 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1053 			if (carry)  in vli_mod_inv()
1113 		u64 carry = vli_add(x1, x1, curve_prime, ndigits);  in ecc_point_double_jacobian()  local
1116 		x1[ndigits - 1] |= carry << 63;  in ecc_point_double_jacobian()
1289 	int carry;  in ecc_point_mult()  local
1291 	carry = vli_add(sk[0], scalar, curve->n, ndigits);  in ecc_point_mult()
1293 	scalar = sk[!carry];  in ecc_point_mult()