diff --git a/ChangeLog b/ChangeLog
index 6f9647563d06e358b8c314e18cfeaed9bf45af3a..ba1c1a72cca0780353c40c9583c4a164a3ea9ed5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2013-04-04  Niels Möller  <nisse@lysator.liu.se>
+
+	* gmp-glue.h (cnd_add_n, cnd_sub_n): Moved here, define in terms
+	of mpn_cnd_add_n and mpn_sub_n if available, otherwise in terms of
+	mpn_addmul_1 and mpn_submul_1. This seems to be an improvement for
+	subtraction, but more questionable for addition.
+
+	* ecc-internal.h: Include gmp-glue.h. Deleted corresponding
+	include in all files using ecc-internal.h.
+	(cnd_add_n, cnd_sub_n): Moved from here.
+
 2013-04-03  Niels Möller  <nisse@lysator.liu.se>
 
 	* ecc-point-mul-g.c (ecc_point_mul_g): New file and function.
diff --git a/ecc-hash.c b/ecc-hash.c
index 7fd5c57856473ccf1ed61a00e7528c66724bddbd..8040974ff5df5771286f3bb6b1c5d09620a0de65 100644
--- a/ecc-hash.c
+++ b/ecc-hash.c
@@ -27,7 +27,6 @@
 #endif
 
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 
 /* Convert hash value to an integer. If the digest is larger than
    the ecc bit size, then we must truncate it and use the leftmost
diff --git a/ecc-internal.h b/ecc-internal.h
index 0df8c9e155350dff20e4caf7efe22275eaa07199..0c3c18b3812107e9f3337834dffb20c1cfd5da50 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -29,6 +29,7 @@
 
 #include "nettle-types.h"
 #include "ecc-curve.h"
+#include "gmp-glue.h"
 
 /* Name mangling */
 #define ecc_generic_modp _nettle_ecc_generic_modp
@@ -203,12 +204,6 @@ ecc_hash (const struct ecc_curve *ecc,
 	  mp_limb_t *hp,
 	  unsigned length, const uint8_t *digest);
 
-#define cnd_add_n(cnd, rp, ap, n)		\
-  mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0)
-
-#define cnd_sub_n(cnd, rp, ap, n)		\
-  mpn_submul_1 ((rp), (ap), (n), (cnd) != 0)
-
 void
 cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n);
 
diff --git a/ecc-point-mul-g.c b/ecc-point-mul-g.c
index aa9d6a9218c8c911368d4926f3cedbf27dde0a7b..e6f51f180ef09454ec3cb396859f53270fc52d0c 100644
--- a/ecc-point-mul-g.c
+++ b/ecc-point-mul-g.c
@@ -30,7 +30,6 @@
 
 #include "ecc.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 #include "nettle-internal.h"
 
 void
diff --git a/ecc-point-mul.c b/ecc-point-mul.c
index 5ddc5685c8b2e0303076fd52c625de257bb87f87..2ecea1f9ac2b523883fa423fcb8525f161216028 100644
--- a/ecc-point-mul.c
+++ b/ecc-point-mul.c
@@ -30,7 +30,6 @@
 
 #include "ecc.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 
 void
 ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n,
diff --git a/ecc-point.c b/ecc-point.c
index 9b2639adfdf96588ce178afe2af7d3ca19a0ca81..4d3489c472c9a26ba1d29998c756940605837f58 100644
--- a/ecc-point.c
+++ b/ecc-point.c
@@ -28,7 +28,6 @@
 
 #include "ecc.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 
 void
 ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc)
diff --git a/ecc-random.c b/ecc-random.c
index 5a8faefd8a4f11a261ce998d261abfb1d27acf6a..0866a7d42ffe82517addf8a05b824fafb6544e23 100644
--- a/ecc-random.c
+++ b/ecc-random.c
@@ -30,7 +30,6 @@
 
 #include "ecc.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 #include "nettle-internal.h"
 
 static int
diff --git a/ecc-scalar.c b/ecc-scalar.c
index f02fc0afcd5a8a9065219e5ec90c26caba1a272a..2b3c4176edd918139f0d8f2750216fd6c5cb89ca 100644
--- a/ecc-scalar.c
+++ b/ecc-scalar.c
@@ -28,7 +28,6 @@
 
 #include "ecc.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 
 void
 ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc)
diff --git a/ecdsa-sign.c b/ecdsa-sign.c
index c0827bfd18c98cd3e034fb47c6d7a95eed98f546..fadd342460e60c90ea4c67a1605d0b67251baf25 100644
--- a/ecdsa-sign.c
+++ b/ecdsa-sign.c
@@ -31,7 +31,6 @@
 
 #include "ecdsa.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 #include "nettle-internal.h"
 
 void
diff --git a/ecdsa-verify.c b/ecdsa-verify.c
index 37ed86867cbe178f6aa3dc14f587437ee5689ca6..7696d59d2eaee7a156124ada121360d74c5ad5e2 100644
--- a/ecdsa-verify.c
+++ b/ecdsa-verify.c
@@ -31,7 +31,6 @@
 
 #include "ecdsa.h"
 #include "ecc-internal.h"
-#include "gmp-glue.h"
 
 int
 ecdsa_verify (const struct ecc_point *pub,
diff --git a/gmp-glue.h b/gmp-glue.h
index e7645716b02fb131ef452342a4dc62a63309f9bb..fcc47d0012e6fd1cd5545fde447c747f328b816e 100644
--- a/gmp-glue.h
+++ b/gmp-glue.h
@@ -50,6 +50,15 @@
 #define gmp_alloc_limbs _nettle_gmp_alloc_limbs
 #define gmp_free_limbs _nettle_gmp_free_limbs
 
+/* Use only in-place operations, so we can fall back to addmul_1/submul_1 */
+#ifdef mpn_cnd_add_n
+# define cnd_add_n(cnd, rp, ap, n) mpn_cnd_add_n ((cnd), (rp), (rp), (ap), (n))
+# define cnd_sub_n(cnd, rp, ap, n) mpn_cnd_sub_n ((cnd), (rp), (rp), (ap), (n))
+#else
+# define cnd_add_n(cnd, rp, ap, n) mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0)
+# define cnd_sub_n(cnd, rp, ap, n) mpn_submul_1 ((rp), (ap), (n), (cnd) != 0)
+#endif
+
 /* Some functions for interfacing between mpz and mpn code. Signs of
    the mpz numbers are generally ignored. */