+#define NWORDS ((130 + BIGNUM_INT_BITS-1) / BIGNUM_INT_BITS)
+typedef struct bigval {
+ BignumInt w[NWORDS];
+} bigval;
+
+static void bigval_clear(bigval *r)
+{
+ int i;
+ for (i = 0; i < NWORDS; i++)
+ r->w[i] = 0;
+}
+
+static void bigval_import_le(bigval *r, const void *vdata, int len)
+{
+ const unsigned char *data = (const unsigned char *)vdata;
+ int i;
+ bigval_clear(r);
+ for (i = 0; i < len; i++)
+ r->w[i / BIGNUM_INT_BYTES] |=
+ (BignumInt)data[i] << (8 * (i % BIGNUM_INT_BYTES));
+}
+
+static void bigval_export_le(const bigval *r, void *vdata, int len)
+{
+ unsigned char *data = (unsigned char *)vdata;
+ int i;
+ for (i = 0; i < len; i++)
+ data[i] = r->w[i / BIGNUM_INT_BYTES] >> (8 * (i % BIGNUM_INT_BYTES));
+}
+
+/*
+ * Addition of bigvals, not mod p.
+ */
+static void bigval_add(bigval *r, const bigval *a, const bigval *b)
+{
+#if BIGNUM_INT_BITS == 64
+ /* ./contrib/make1305.py add 64 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += a->w[0];
+ acclo += b->w[0];
+ r->w[0] = acclo;
+ acclo >>= 64;
+ acclo += a->w[1];
+ acclo += b->w[1];
+ r->w[1] = acclo;
+ acclo >>= 64;
+ acclo += a->w[2];
+ acclo += b->w[2];
+ r->w[2] = acclo;
+ acclo >>= 64;
+#elif BIGNUM_INT_BITS == 32
+ /* ./contrib/make1305.py add 32 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += a->w[0];
+ acclo += b->w[0];
+ r->w[0] = acclo;
+ acclo >>= 32;
+ acclo += a->w[1];
+ acclo += b->w[1];
+ r->w[1] = acclo;
+ acclo >>= 32;
+ acclo += a->w[2];
+ acclo += b->w[2];
+ r->w[2] = acclo;
+ acclo >>= 32;
+ acclo += a->w[3];
+ acclo += b->w[3];
+ r->w[3] = acclo;
+ acclo >>= 32;
+ acclo += a->w[4];
+ acclo += b->w[4];
+ r->w[4] = acclo;
+ acclo >>= 32;
+#elif BIGNUM_INT_BITS == 16
+ /* ./contrib/make1305.py add 16 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += a->w[0];
+ acclo += b->w[0];
+ r->w[0] = acclo;
+ acclo >>= 16;
+ acclo += a->w[1];
+ acclo += b->w[1];
+ r->w[1] = acclo;
+ acclo >>= 16;
+ acclo += a->w[2];
+ acclo += b->w[2];
+ r->w[2] = acclo;
+ acclo >>= 16;
+ acclo += a->w[3];
+ acclo += b->w[3];
+ r->w[3] = acclo;
+ acclo >>= 16;
+ acclo += a->w[4];
+ acclo += b->w[4];
+ r->w[4] = acclo;
+ acclo >>= 16;
+ acclo += a->w[5];
+ acclo += b->w[5];
+ r->w[5] = acclo;
+ acclo >>= 16;
+ acclo += a->w[6];
+ acclo += b->w[6];
+ r->w[6] = acclo;
+ acclo >>= 16;
+ acclo += a->w[7];
+ acclo += b->w[7];
+ r->w[7] = acclo;
+ acclo >>= 16;
+ acclo += a->w[8];
+ acclo += b->w[8];
+ r->w[8] = acclo;
+ acclo >>= 16;
+#else
+#error Run contrib/make1305.py again with a different bit count
+#endif
+}
+
+/*
+ * Multiplication of bigvals mod p. Uses r as temporary storage, so
+ * don't pass r aliasing a or b.
+ */
+static void bigval_mul_mod_p(bigval *r, const bigval *a, const bigval *b)
+{
+#if BIGNUM_INT_BITS == 64
+ /* ./contrib/make1305.py mul 64 */
+ BignumDblInt tmp;
+ BignumDblInt acclo;
+ BignumDblInt acchi;
+ BignumDblInt acc2lo;
+ acclo = 0;
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ r->w[0] = acclo;
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ r->w[1] = acclo;
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ r->w[2] = acclo & (((BignumInt)1 << 2)-1);
+ acc2lo = 0;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 62)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 62);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 62)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 62);
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 0);
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo = 0;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 60)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ acc2lo += (acclo & (((BignumInt)1 << 4)-1)) * ((BignumDblInt)25 << 60);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 60)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo >>= 64;
+#elif BIGNUM_INT_BITS == 32
+ /* ./contrib/make1305.py mul 32 */
+ BignumDblInt tmp;
+ BignumDblInt acclo;
+ BignumDblInt acchi;
+ BignumDblInt acc2lo;
+ acclo = 0;
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ r->w[0] = acclo;
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ r->w[1] = acclo;
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ r->w[2] = acclo;
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ r->w[3] = acclo;
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ r->w[4] = acclo & (((BignumInt)1 << 2)-1);
+ acc2lo = 0;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 30)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 30);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 30)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 30);
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 30)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 30);
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 30)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 32;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 30);
+ acc2lo += r->w[3];
+ r->w[3] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 0);
+ acc2lo += r->w[4];
+ r->w[4] = acc2lo;
+ acc2lo = 0;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 28)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ acc2lo += (acclo & (((BignumInt)1 << 4)-1)) * ((BignumDblInt)25 << 28);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 28)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 32);
+ acchi = 0;
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += r->w[3];
+ r->w[3] = acc2lo;
+ acc2lo >>= 32;
+ acc2lo += r->w[4];
+ r->w[4] = acc2lo;
+ acc2lo >>= 32;
+#elif BIGNUM_INT_BITS == 16
+ /* ./contrib/make1305.py mul 16 */
+ BignumDblInt tmp;
+ BignumDblInt acclo;
+ BignumDblInt acchi;
+ BignumDblInt acc2lo;
+ acclo = 0;
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[0] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[1] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[2] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[3] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[4] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[5] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[6] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[7] = acclo;
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ r->w[8] = acclo & (((BignumInt)1 << 2)-1);
+ acc2lo = 0;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[3]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[3]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[4]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[4]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[3];
+ r->w[3] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[5]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[5]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[4];
+ r->w[4] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[6]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[6]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[5];
+ r->w[5] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[7]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[7]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[6];
+ r->w[6] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 14)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[8]) * (b->w[8]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 16;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 14);
+ acc2lo += r->w[7];
+ r->w[7] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 0);
+ acc2lo += r->w[8];
+ r->w[8] = acc2lo;
+ acc2lo = 0;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 12)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ acc2lo += (acclo & (((BignumInt)1 << 4)-1)) * ((BignumDblInt)25 << 12);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 12)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 16);
+ acchi = 0;
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[3];
+ r->w[3] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[4];
+ r->w[4] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[5];
+ r->w[5] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[6];
+ r->w[6] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[7];
+ r->w[7] = acc2lo;
+ acc2lo >>= 16;
+ acc2lo += r->w[8];
+ r->w[8] = acc2lo;
+ acc2lo >>= 16;
+#else
+#error Run contrib/make1305.py again with a different bit count
+#endif
+}
+
+static void bigval_final_reduce(bigval *n)
+{
+#if BIGNUM_INT_BITS == 64
+ /* ./contrib/make1305.py final_reduce 64 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += 5 * ((n->w[2] >> 2) + 1);
+ acclo += n->w[0];
+ acclo >>= 64;
+ acclo += n->w[1];
+ acclo >>= 64;
+ acclo += n->w[2];
+ acclo = 5 * (acclo >> 2);
+ acclo += n->w[0];
+ n->w[0] = acclo;
+ acclo >>= 64;
+ acclo += n->w[1];
+ n->w[1] = acclo;
+ acclo >>= 64;
+ acclo += n->w[2];
+ n->w[2] = acclo;
+ acclo >>= 64;
+ n->w[2] &= (1 << 2) - 1;
+#elif BIGNUM_INT_BITS == 32
+ /* ./contrib/make1305.py final_reduce 32 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += 5 * ((n->w[4] >> 2) + 1);
+ acclo += n->w[0];
+ acclo >>= 32;
+ acclo += n->w[1];
+ acclo >>= 32;
+ acclo += n->w[2];
+ acclo >>= 32;
+ acclo += n->w[3];
+ acclo >>= 32;
+ acclo += n->w[4];
+ acclo = 5 * (acclo >> 2);
+ acclo += n->w[0];
+ n->w[0] = acclo;
+ acclo >>= 32;
+ acclo += n->w[1];
+ n->w[1] = acclo;
+ acclo >>= 32;
+ acclo += n->w[2];
+ n->w[2] = acclo;
+ acclo >>= 32;
+ acclo += n->w[3];
+ n->w[3] = acclo;
+ acclo >>= 32;
+ acclo += n->w[4];
+ n->w[4] = acclo;
+ acclo >>= 32;
+ n->w[4] &= (1 << 2) - 1;
+#elif BIGNUM_INT_BITS == 16
+ /* ./contrib/make1305.py final_reduce 16 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += 5 * ((n->w[8] >> 2) + 1);
+ acclo += n->w[0];
+ acclo >>= 16;
+ acclo += n->w[1];
+ acclo >>= 16;
+ acclo += n->w[2];
+ acclo >>= 16;
+ acclo += n->w[3];
+ acclo >>= 16;
+ acclo += n->w[4];
+ acclo >>= 16;
+ acclo += n->w[5];
+ acclo >>= 16;
+ acclo += n->w[6];
+ acclo >>= 16;
+ acclo += n->w[7];
+ acclo >>= 16;
+ acclo += n->w[8];
+ acclo = 5 * (acclo >> 2);
+ acclo += n->w[0];
+ n->w[0] = acclo;
+ acclo >>= 16;
+ acclo += n->w[1];
+ n->w[1] = acclo;
+ acclo >>= 16;
+ acclo += n->w[2];
+ n->w[2] = acclo;
+ acclo >>= 16;
+ acclo += n->w[3];
+ n->w[3] = acclo;
+ acclo >>= 16;
+ acclo += n->w[4];
+ n->w[4] = acclo;
+ acclo >>= 16;
+ acclo += n->w[5];
+ n->w[5] = acclo;
+ acclo >>= 16;
+ acclo += n->w[6];
+ n->w[6] = acclo;
+ acclo >>= 16;
+ acclo += n->w[7];
+ n->w[7] = acclo;
+ acclo >>= 16;
+ acclo += n->w[8];
+ n->w[8] = acclo;
+ acclo >>= 16;
+ n->w[8] &= (1 << 2) - 1;
+#else
+#error Run contrib/make1305.py again with a different bit count
+#endif
+}
+