130 static void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]) {  in gcm_gmult_4bit()
135   nlo = ((const uint8_t *)Xi)[15];  in gcm_gmult_4bit()
159     nlo = ((const uint8_t *)Xi)[cnt];  in gcm_gmult_4bit()
176   Xi[0] = CRYPTO_bswap8(Z.hi);  in gcm_gmult_4bit()
177   Xi[1] = CRYPTO_bswap8(Z.lo);  in gcm_gmult_4bit()
185 static void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16],  in gcm_ghash_4bit()
193     nlo = ((const uint8_t *)Xi)[15];  in gcm_ghash_4bit()
218       nlo = ((const uint8_t *)Xi)[cnt];  in gcm_ghash_4bit()
236     Xi[0] = CRYPTO_bswap8(Z.hi);  in gcm_ghash_4bit()
237     Xi[1] = CRYPTO_bswap8(Z.lo);  in gcm_ghash_4bit()
241 void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
242 void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
246 #define GCM_MUL(ctx, Xi) gcm_gmult_4bit((ctx)->Xi.u, (ctx)->Htable)  argument
248 #define GHASH(ctx, in, len) gcm_ghash_4bit((ctx)->Xi.u, (ctx)->Htable, in, len)
260 void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
261 void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
262 void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
267 void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);
268 void gcm_gmult_avx(uint64_t Xi[2], const u128 Htable[16]);
269 void gcm_ghash_avx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in,
273                          const void *key, uint8_t ivec[16], uint64_t *Xi);
275                          const void *key, uint8_t ivec[16], uint64_t *Xi);
280 void gcm_gmult_4bit_mmx(uint64_t Xi[2], const u128 Htable[16]);
281 void gcm_ghash_4bit_mmx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
295 void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
296 void gcm_gmult_v8(uint64_t Xi[2], const u128 Htable[16]);
297 void gcm_ghash_v8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
306 void gcm_init_neon(u128 Htable[16], const uint64_t Xi[2]);
307 void gcm_gmult_neon(uint64_t Xi[2], const u128 Htable[16]);
308 void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
315 static void gcm_init_neon(u128 Htable[16], const uint64_t Xi[2]) {  in gcm_init_neon()
318 static void gcm_gmult_neon(uint64_t Xi[2], const u128 Htable[16]) {  in gcm_gmult_neon()
321 static void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16],  in gcm_ghash_neon()
331 void gcm_init_p8(u128 Htable[16], const uint64_t Xi[2]);
332 void gcm_gmult_p8(uint64_t Xi[2], const u128 Htable[16]);
333 void gcm_ghash_p8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
340 #define GCM_MUL(ctx, Xi) (*gcm_gmult_p)((ctx)->Xi.u, (ctx)->Htable)  argument
343 #define GHASH(ctx, in, len) (*gcm_ghash_p)((ctx)->Xi.u, (ctx)->Htable, in, len)
440   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_setiv()
445   ctx->Xi.u[0] = 0;  in CRYPTO_gcm128_setiv()
446   ctx->Xi.u[1] = 0;  in CRYPTO_gcm128_setiv()
489   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_aad()
491   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_aad()
509       ctx->Xi.c[n] ^= *(aad++);  in CRYPTO_gcm128_aad()
514       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_aad()
532       ctx->Xi.c[i] ^= aad[i];  in CRYPTO_gcm128_aad()
534     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_aad()
544       ctx->Xi.c[i] ^= aad[i];  in CRYPTO_gcm128_aad()
559   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_encrypt()
561   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_encrypt()
575     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
584       ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt()
589       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
602       ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt()
605         GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
660       ctx->Xi.t[i] ^= out_t[i] = in_t[i] ^ ctx->EKi.t[i];  in CRYPTO_gcm128_encrypt()
662     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
673       ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt()
689   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_decrypt()
691   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_decrypt()
705     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
716       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt()
721       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
737       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt()
740         GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
797       ctx->Xi.t[i] ^= c;  in CRYPTO_gcm128_decrypt()
799     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
811       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt()
827   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_encrypt_ctr32()
829   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_encrypt_ctr32()
843     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt_ctr32()
850       ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt_ctr32()
855       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt_ctr32()
866     size_t bulk = aesni_gcm_encrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);  in CRYPTO_gcm128_encrypt_ctr32()
901         ctx->Xi.c[i] ^= out[i];  in CRYPTO_gcm128_encrypt_ctr32()
903       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt_ctr32()
913       ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt_ctr32()
928   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_decrypt_ctr32()
930   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_decrypt_ctr32()
944     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt_ctr32()
953       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt_ctr32()
958       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt_ctr32()
969     size_t bulk = aesni_gcm_decrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);  in CRYPTO_gcm128_decrypt_ctr32()
999         ctx->Xi.c[k] ^= in[k];  in CRYPTO_gcm128_decrypt_ctr32()
1001       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt_ctr32()
1020       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt_ctr32()
1034   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_finish()
1038     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_finish()
1044   ctx->Xi.u[0] ^= alen;  in CRYPTO_gcm128_finish()
1045   ctx->Xi.u[1] ^= clen;  in CRYPTO_gcm128_finish()
1046   GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_finish()
1048   ctx->Xi.u[0] ^= ctx->EK0.u[0];  in CRYPTO_gcm128_finish()
1049   ctx->Xi.u[1] ^= ctx->EK0.u[1];  in CRYPTO_gcm128_finish()
1051   if (tag && len <= sizeof(ctx->Xi)) {  in CRYPTO_gcm128_finish()
1052     return CRYPTO_memcmp(ctx->Xi.c, tag, len) == 0;  in CRYPTO_gcm128_finish()
1060   OPENSSL_memcpy(tag, ctx->Xi.c,  in CRYPTO_gcm128_tag()
1061                  len <= sizeof(ctx->Xi.c) ? len : sizeof(ctx->Xi.c));  in CRYPTO_gcm128_tag()