Improve bn_montgomery_multiply_words().

Improve bn_montgomery_multiply_words().

Rather than calling bn_mul_add_words() twice - once to multiply and once
to reduce - perform the multiplication and reduction in a single pass using
bn_mulw_addw_addw() directly. Also simplify the addition of the resulting
carries, which in turn allows us to avoid zeroing the top half of the
temporary words.

This provides a ~20-25% performance improvement for RSA operations on
aarch64.

ok tb@