45 	 * Compute the actual lengths of p and q, in bytes.  in br_rsa_i31_private()
47 	 * them anyway in constant-time code).  in br_rsa_i31_private()
49 	p = sk->p;  in br_rsa_i31_private()
50 	plen = sk->plen;  in br_rsa_i31_private()
53 		plen --;  in br_rsa_i31_private()
55 	q = sk->q;  in br_rsa_i31_private()
56 	qlen = sk->qlen;  in br_rsa_i31_private()
59 		qlen --;  in br_rsa_i31_private()
63 	 * Compute the maximum factor length, in words.  in br_rsa_i31_private()
68 		z -= 31;  in br_rsa_i31_private()
85 	 * Compute modulus length (in bytes).  in br_rsa_i31_private()
87 	xlen = (sk->n_bitlen + 7) >> 3;  in br_rsa_i31_private()
102 	 * Compute the modulus (product of the two factors), to compare  in br_rsa_i31_private()
126 		u --;  in br_rsa_i31_private()
129 		r = ((wx - (wn + r)) >> 8) & 1;  in br_rsa_i31_private()
139 	 * Compute s2 = x^dq mod q.  in br_rsa_i31_private()
144 	r &= br_i31_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i,  in br_rsa_i31_private()
145 		mq + 3 * fwlen, TLEN - 3 * fwlen);  in br_rsa_i31_private()
148 	 * Compute s1 = x^dp mod p.  in br_rsa_i31_private()
153 	r &= br_i31_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i,  in br_rsa_i31_private()
154 		mq + 4 * fwlen, TLEN - 4 * fwlen);  in br_rsa_i31_private()
157 	 * Compute:  in br_rsa_i31_private()
158 	 *   h = (s1 - s2)*(1/q) mod p  in br_rsa_i31_private()
174 	br_i31_decode_reduce(t1, sk->iq, sk->iqlen, mp);  in br_rsa_i31_private()
178 	 * h is now in t2. We compute the final result:  in br_rsa_i31_private()
180 	 * All these operations are non-modular.  in br_rsa_i31_private()