Fix unrolled montgomery multiplication for POWER9

In the reference C implementation in bn_asm.c, tp[num + 1] contains the
carry bit for accumulations into tp[num]. tp[num + 1] is only ever
assigned, never itself incremented.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18883)

crypto/bn/asm/ppc64-mont-fixed.pl

@@ -63,6 +63,7 @@ my $SIZE_T= 8;
 # Registers are global so the code is remotely readable
 
 # Parameters for Montgomery multiplication
+my $ze	= "r0";
 my $sp	= "r1";
 my $toc	= "r2";
 my $rp	= "r3";
@@ -192,6 +193,7 @@ ___
 	$self->save_registers();
 
 	$self->add_code(<<___);
+	li		$ze,0
 	ld		$n0,0($n0)
 
 	ld		$bp0,0($bp)
@@ -242,7 +244,7 @@ ___
 
 	$self->add_code(<<___);
 	addc		$tp[$n],$tp[$n],$c0
-	addze		$tp[$n+1],$tp[$n+1]
+	addze		$tp[$n+1],$ze
 ___
 
 	$self->add_code(<<___);
@@ -272,7 +274,7 @@ ___
 	and.		$tp[$n],$tp[$n],$tp[$n]
 	bne		$label->{"sub"}
 
-	cmpld	$tp[$n-1],$npj
+	cmpld		$tp[$n-1],$npj
 	blt		$label->{"copy"}
 
 $label->{"sub"}: