131 static void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]) {  in gcm_gmult_4bit()
136   nlo = ((const uint8_t *)Xi)[15];  in gcm_gmult_4bit()
160     nlo = ((const uint8_t *)Xi)[cnt];  in gcm_gmult_4bit()
177   Xi[0] = CRYPTO_bswap8(Z.hi);  in gcm_gmult_4bit()
178   Xi[1] = CRYPTO_bswap8(Z.lo);  in gcm_gmult_4bit()
186 static void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16],  in gcm_ghash_4bit()
194     nlo = ((const uint8_t *)Xi)[15];  in gcm_ghash_4bit()
219       nlo = ((const uint8_t *)Xi)[cnt];  in gcm_ghash_4bit()
237     Xi[0] = CRYPTO_bswap8(Z.hi);  in gcm_ghash_4bit()
238     Xi[1] = CRYPTO_bswap8(Z.lo);  in gcm_ghash_4bit()
242 void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
243 void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
247 #define GCM_MUL(ctx, Xi) gcm_gmult_4bit((ctx)->Xi.u, (ctx)->Htable)  argument
249 #define GHASH(ctx, in, len) gcm_ghash_4bit((ctx)->Xi.u, (ctx)->Htable, in, len)
261 void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
262 void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
263 void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
268 void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);
269 void gcm_gmult_avx(uint64_t Xi[2], const u128 Htable[16]);
270 void gcm_ghash_avx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in,
279                          const void *key, uint8_t ivec[16], uint64_t *Xi);
281                          const void *key, uint8_t ivec[16], uint64_t *Xi);
286 void gcm_gmult_4bit_mmx(uint64_t Xi[2], const u128 Htable[16]);
287 void gcm_ghash_4bit_mmx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
301 void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
302 void gcm_gmult_v8(uint64_t Xi[2], const u128 Htable[16]);
303 void gcm_ghash_v8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
312 void gcm_init_neon(u128 Htable[16], const uint64_t Xi[2]);
313 void gcm_gmult_neon(uint64_t Xi[2], const u128 Htable[16]);
314 void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
321 static void gcm_init_neon(u128 Htable[16], const uint64_t Xi[2]) {  in gcm_init_neon()
324 static void gcm_gmult_neon(uint64_t Xi[2], const u128 Htable[16]) {  in gcm_gmult_neon()
327 static void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16],  in gcm_ghash_neon()
337 void gcm_init_p8(u128 Htable[16], const uint64_t Xi[2]);
338 void gcm_gmult_p8(uint64_t Xi[2], const u128 Htable[16]);
339 void gcm_ghash_p8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
346 #define GCM_MUL(ctx, Xi) (*gcm_gmult_p)((ctx)->Xi.u, (ctx)->Htable)  argument
349 #define GHASH(ctx, in, len) (*gcm_ghash_p)((ctx)->Xi.u, (ctx)->Htable, in, len)
438   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_setiv()
443   ctx->Xi.u[0] = 0;  in CRYPTO_gcm128_setiv()
444   ctx->Xi.u[1] = 0;  in CRYPTO_gcm128_setiv()
487   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_aad()
489   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_aad()
507       ctx->Xi.c[n] ^= *(aad++);  in CRYPTO_gcm128_aad()
512       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_aad()
530       ctx->Xi.c[i] ^= aad[i];  in CRYPTO_gcm128_aad()
532     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_aad()
542       ctx->Xi.c[i] ^= aad[i];  in CRYPTO_gcm128_aad()
557   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_encrypt()
559   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_encrypt()
573     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
582       ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt()
587       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
600       ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt()
603         GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
658       ctx->Xi.t[i] ^= out_t[i] = in_t[i] ^ ctx->EKi.t[i];  in CRYPTO_gcm128_encrypt()
660     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt()
671       ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt()
687   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_decrypt()
689   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_decrypt()
703     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
714       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt()
719       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
735       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt()
738         GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
795       ctx->Xi.t[i] ^= c;  in CRYPTO_gcm128_decrypt()
797     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt()
809       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt()
825   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_encrypt_ctr32()
827   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_encrypt_ctr32()
841     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt_ctr32()
848       ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt_ctr32()
853       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt_ctr32()
864     size_t bulk = aesni_gcm_encrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);  in CRYPTO_gcm128_encrypt_ctr32()
899         ctx->Xi.c[i] ^= out[i];  in CRYPTO_gcm128_encrypt_ctr32()
901       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_encrypt_ctr32()
911       ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];  in CRYPTO_gcm128_encrypt_ctr32()
926   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_decrypt_ctr32()
928   void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,  in CRYPTO_gcm128_decrypt_ctr32()
942     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt_ctr32()
951       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt_ctr32()
956       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt_ctr32()
967     size_t bulk = aesni_gcm_decrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);  in CRYPTO_gcm128_decrypt_ctr32()
997         ctx->Xi.c[k] ^= in[k];  in CRYPTO_gcm128_decrypt_ctr32()
999       GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_decrypt_ctr32()
1018       ctx->Xi.c[n] ^= c;  in CRYPTO_gcm128_decrypt_ctr32()
1032   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;  in CRYPTO_gcm128_finish()
1036     GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_finish()
1042   ctx->Xi.u[0] ^= alen;  in CRYPTO_gcm128_finish()
1043   ctx->Xi.u[1] ^= clen;  in CRYPTO_gcm128_finish()
1044   GCM_MUL(ctx, Xi);  in CRYPTO_gcm128_finish()
1046   ctx->Xi.u[0] ^= ctx->EK0.u[0];  in CRYPTO_gcm128_finish()
1047   ctx->Xi.u[1] ^= ctx->EK0.u[1];  in CRYPTO_gcm128_finish()
1049   if (tag && len <= sizeof(ctx->Xi)) {  in CRYPTO_gcm128_finish()
1050     return CRYPTO_memcmp(ctx->Xi.c, tag, len) == 0;  in CRYPTO_gcm128_finish()
1058   OPENSSL_memcpy(tag, ctx->Xi.c,  in CRYPTO_gcm128_tag()
1059                  len <= sizeof(ctx->Xi.c) ? len : sizeof(ctx->Xi.c));  in CRYPTO_gcm128_tag()