255 /* Computes result = in << c, returning carry. Can modify in place
261 	u64 carry = 0;  in vli_lshift()  local
267 		result[i] = (temp << shift) | carry;  in vli_lshift()
268 		carry = temp >> (64 - shift);  in vli_lshift()
271 	return carry;  in vli_lshift()
278 	u64 carry = 0;  in vli_rshift1()  local
284 		*vli = (temp >> 1) | carry;  in vli_rshift1()
285 		carry = temp << 63;  in vli_rshift1()
289 /* Computes result = left + right, returning carry. Can modify in place. */
293 	u64 carry = 0;  in vli_add()  local
299 		sum = left[i] + right[i] + carry;  in vli_add()
301 			carry = (sum < left[i]);  in vli_add()
306 	return carry;  in vli_add()
309 /* Computes result = left + right, returning carry. Can modify in place. */
313 	u64 carry = right;  in vli_uadd()  local
319 		sum = left[i] + carry;  in vli_uadd()
321 			carry = (sum < left[i]);  in vli_uadd()
323 			carry = !!carry;  in vli_uadd()
328 	return carry;  in vli_uadd()
461 		/* no carry */  in vli_umult()
516 	u64 carry;  in vli_mod_add()  local
518 	carry = vli_add(result, left, right, ndigits);  in vli_mod_add()
523 	if (carry || vli_cmp(result, mod, ndigits) >= 0)  in vli_mod_add()
593 	int carry; /* last bit that doesn't fit into q */  in vli_mmod_special2()  local
600 	/* q and carry are top bits */  in vli_mmod_special2()
603 	carry = vli_is_negative(r, ndigits);  in vli_mmod_special2()
604 	if (carry)  in vli_mmod_special2()
606 	for (i = 1; carry || !vli_is_zero(q, ndigits); i++) {  in vli_mmod_special2()
610 		if (carry)  in vli_mmod_special2()
614 		carry = vli_is_negative(qc, ndigits);  in vli_mmod_special2()
615 		if (carry)  in vli_mmod_special2()
641 	u64 carry = 0;  in vli_mmod_slow()  local
651 			mod_m[word_shift + i] = (mod[i] << bit_shift) | carry;  in vli_mmod_slow()
652 			carry = mod[i] >> (64 - bit_shift);  in vli_mmod_slow()
699 		u64 carry;  in vli_mmod_barrett()  local
701 		carry = vli_sub(r, r, mod, ndigits);  in vli_mmod_barrett()
702 		vli_usub(r + ndigits, r + ndigits, carry, ndigits);  in vli_mmod_barrett()
715 	int carry;  in vli_mmod_fast_192()  local
720 	carry = vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
725 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
729 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_192()
731 	while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_192()
732 		carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_192()
741 	int carry;  in vli_mmod_fast_256()  local
752 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
753 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
759 	carry += vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_256()
760 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
767 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
774 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_256()
781 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
788 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
795 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
802 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_256()
804 	if (carry < 0) {  in vli_mmod_fast_256()
806 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
807 		} while (carry < 0);  in vli_mmod_fast_256()
809 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_256()
810 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_256()
824 	int carry;  in vli_mmod_fast_384()  local
837 	carry = vli_lshift(tmp, tmp, 1, ndigits);  in vli_mmod_fast_384()
838 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
847 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
856 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
865 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
874 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
883 	carry += vli_add(result, result, tmp, ndigits);  in vli_mmod_fast_384()
892 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
901 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
910 	carry -= vli_sub(result, result, tmp, ndigits);  in vli_mmod_fast_384()
912 	if (carry < 0) {  in vli_mmod_fast_384()
914 			carry += vli_add(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
915 		} while (carry < 0);  in vli_mmod_fast_384()
917 		while (carry || vli_cmp(curve_prime, result, ndigits) != 1)  in vli_mmod_fast_384()
918 			carry -= vli_sub(result, result, curve_prime, ndigits);  in vli_mmod_fast_384()
1017 	u64 carry;  in vli_mod_inv()  local
1032 		carry = 0;  in vli_mod_inv()
1038 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1041 			if (carry)  in vli_mod_inv()
1047 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1050 			if (carry)  in vli_mod_inv()
1061 				carry = vli_add(u, u, mod, ndigits);  in vli_mod_inv()
1064 			if (carry)  in vli_mod_inv()
1075 				carry = vli_add(v, v, mod, ndigits);  in vli_mod_inv()
1078 			if (carry)  in vli_mod_inv()
1139 		u64 carry = vli_add(x1, x1, curve_prime, ndigits);  in ecc_point_double_jacobian()  local
1142 		x1[ndigits - 1] |= carry << 63;  in ecc_point_double_jacobian()
1315 	int carry;  in ecc_point_mult()  local
1317 	carry = vli_add(sk[0], scalar, curve->n, ndigits);  in ecc_point_mult()
1319 	scalar = sk[!carry];  in ecc_point_mult()