32  * On output, all accumulator words fit on 26 bits, except acc[1], which
36 poly1305_inner(uint32_t *acc, const uint32_t *r, const void *data, size_t len)  in poly1305_inner()  argument
65 	a0 = acc[0];  in poly1305_inner()
66 	a1 = acc[1];  in poly1305_inner()
67 	a2 = acc[2];  in poly1305_inner()
68 	a3 = acc[3];  in poly1305_inner()
69 	a4 = acc[4];  in poly1305_inner()
139 	acc[0] = a0;  in poly1305_inner()
140 	acc[1] = a1;  in poly1305_inner()
141 	acc[2] = a2;  in poly1305_inner()
142 	acc[3] = a3;  in poly1305_inner()
143 	acc[4] = a4;  in poly1305_inner()
153 	uint32_t r[5], acc[5], cc, ctl, hi;  in br_poly1305_ctmul_run()  local
192 	memset(acc, 0, sizeof acc);  in br_poly1305_ctmul_run()
200 	poly1305_inner(acc, r, aad, aad_len);  in br_poly1305_ctmul_run()
201 	poly1305_inner(acc, r, data, len);  in br_poly1305_ctmul_run()
202 	poly1305_inner(acc, r, foot, sizeof foot);  in br_poly1305_ctmul_run()
208 	 * acc[1] may be (very slightly) above 2^26. A single loop back  in br_poly1305_ctmul_run()
209 	 * to acc[1] will be enough to make the value fit in 130 bits.  in br_poly1305_ctmul_run()
216 		acc[j] += cc;  in br_poly1305_ctmul_run()
217 		cc = acc[j] >> 26;  in br_poly1305_ctmul_run()
218 		acc[j] &= 0x03FFFFFF;  in br_poly1305_ctmul_run()
224 	 * in constant-time, between 'acc' and 'acc-p',  in br_poly1305_ctmul_run()
226 	ctl = GT(acc[0], 0x03FFFFFA);  in br_poly1305_ctmul_run()
228 		ctl &= EQ(acc[i], 0x03FFFFFF);  in br_poly1305_ctmul_run()
234 		t = (acc[i] + cc);  in br_poly1305_ctmul_run()
237 		acc[i] = MUX(ctl, t, acc[i]);  in br_poly1305_ctmul_run()
245 	w = (uint64_t)acc[0] + ((uint64_t)acc[1] << 26) + br_dec32le(pkey + 16);  in br_poly1305_ctmul_run()
247 	w = (w >> 32) + ((uint64_t)acc[2] << 20) + br_dec32le(pkey + 20);  in br_poly1305_ctmul_run()
249 	w = (w >> 32) + ((uint64_t)acc[3] << 14) + br_dec32le(pkey + 24);  in br_poly1305_ctmul_run()
251 	hi = (uint32_t)(w >> 32) + (acc[4] << 8) + br_dec32le(pkey + 28);  in br_poly1305_ctmul_run()