30 #define TLEN   (4 * U)  /* TLEN is counted in 64-bit words */
47 	 * Compute the actual lengths of p and q, in bytes.  in br_rsa_i62_private()
49 	 * them anyway in constant-time code).  in br_rsa_i62_private()
51 	p = sk->p;  in br_rsa_i62_private()
52 	plen = sk->plen;  in br_rsa_i62_private()
55 		plen --;  in br_rsa_i62_private()
57 	q = sk->q;  in br_rsa_i62_private()
58 	qlen = sk->qlen;  in br_rsa_i62_private()
61 		qlen --;  in br_rsa_i62_private()
65 	 * Compute the maximum factor length, in words.  in br_rsa_i62_private()
70 		z -= 31;  in br_rsa_i62_private()
75 	 * Convert size to 62-bit words.  in br_rsa_i62_private()
87 	 * Compute signature length (in bytes).  in br_rsa_i62_private()
89 	xlen = (sk->n_bitlen + 7) >> 3;  in br_rsa_i62_private()
104 	 * Compute the modulus (product of the two factors), to compare  in br_rsa_i62_private()
128 		u --;  in br_rsa_i62_private()
131 		r = ((wx - (wn + r)) >> 8) & 1;  in br_rsa_i62_private()
141 	 * Compute s2 = x^dq mod q.  in br_rsa_i62_private()
146 	r &= br_i62_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i,  in br_rsa_i62_private()
147 		tmp + 3 * fwlen, TLEN - 3 * fwlen);  in br_rsa_i62_private()
150 	 * Compute s1 = x^dp mod p.  in br_rsa_i62_private()
155 	r &= br_i62_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i,  in br_rsa_i62_private()
156 		tmp + 4 * fwlen, TLEN - 4 * fwlen);  in br_rsa_i62_private()
159 	 * Compute:  in br_rsa_i62_private()
160 	 *   h = (s1 - s2)*(1/q) mod p  in br_rsa_i62_private()
176 	br_i31_decode_reduce(t1, sk->iq, sk->iqlen, mp);  in br_rsa_i62_private()
180 	 * h is now in t2. We compute the final result:  in br_rsa_i62_private()
182 	 * All these operations are non-modular.  in br_rsa_i62_private()