171 	uint32_t z, r[19], acc[10], cc, ctl;  in br_poly1305_ctmul32_run()  local
226 	memset(acc, 0, sizeof acc);  in br_poly1305_ctmul32_run()
234 	poly1305_inner(acc, r, aad, aad_len);  in br_poly1305_ctmul32_run()
235 	poly1305_inner(acc, r, data, len);  in br_poly1305_ctmul32_run()
236 	poly1305_inner(acc, r, foot, sizeof foot);  in br_poly1305_ctmul32_run()
242 	 * acc[1] may be (very slightly) above 2^13. A single loop back  in br_poly1305_ctmul32_run()
243 	 * to acc[1] will be enough to make the value fit in 130 bits.  in br_poly1305_ctmul32_run()
247 		z = acc[i] + cc;  in br_poly1305_ctmul32_run()
248 		acc[i] = z & 0x1FFF;  in br_poly1305_ctmul32_run()
251 	z = acc[0] + cc + (cc << 2);  in br_poly1305_ctmul32_run()
252 	acc[0] = z & 0x1FFF;  in br_poly1305_ctmul32_run()
253 	acc[1] += z >> 13;  in br_poly1305_ctmul32_run()
258 	 * in constant-time, between 'acc' and 'acc-p',  in br_poly1305_ctmul32_run()
260 	ctl = GT(acc[0], 0x1FFA);  in br_poly1305_ctmul32_run()
262 		ctl &= EQ(acc[i], 0x1FFF);  in br_poly1305_ctmul32_run()
264 	acc[0] = MUX(ctl, acc[0] - 0x1FFB, acc[0]);  in br_poly1305_ctmul32_run()
266 		acc[i] &= ~(-ctl);  in br_poly1305_ctmul32_run()
274 	z = acc[0] + (acc[1] << 13) + br_dec16le(pkey + 16);  in br_poly1305_ctmul32_run()
276 	z = (z >> 16) + (acc[2] << 10) + br_dec16le(pkey + 18);  in br_poly1305_ctmul32_run()
278 	z = (z >> 16) + (acc[3] << 7) + br_dec16le(pkey + 20);  in br_poly1305_ctmul32_run()
280 	z = (z >> 16) + (acc[4] << 4) + br_dec16le(pkey + 22);  in br_poly1305_ctmul32_run()
282 	z = (z >> 16) + (acc[5] << 1) + (acc[6] << 14) + br_dec16le(pkey + 24);  in br_poly1305_ctmul32_run()
284 	z = (z >> 16) + (acc[7] << 11) + br_dec16le(pkey + 26);  in br_poly1305_ctmul32_run()
286 	z = (z >> 16) + (acc[8] << 8) + br_dec16le(pkey + 28);  in br_poly1305_ctmul32_run()
288 	z = (z >> 16) + (acc[9] << 5) + br_dec16le(pkey + 30);  in br_poly1305_ctmul32_run()