12  * This file contains an AES-GCM wrapper implementation from OpenSSL, using
37 	memset(&ctx->gcm, 0, sizeof(ctx->gcm));  in gcm_init()
47 	memcpy(tag, ctx->gcm.Xi.c, len);  in gcm_tag()
67 	ossl_aes_gcm_init_avx512(&ctx->aes_ks, &ctx->gcm);  in gcm_init_avx512()
77 	ctx->gcm.Yi.u[0] = 0;		/* Current counter */  in gcm_setiv_avx512()
78 	ctx->gcm.Yi.u[1] = 0;  in gcm_setiv_avx512()
79 	ctx->gcm.Xi.u[0] = 0;		/* AAD hash */  in gcm_setiv_avx512()
80 	ctx->gcm.Xi.u[1] = 0;  in gcm_setiv_avx512()
81 	ctx->gcm.len.u[0] = 0;		/* AAD length */  in gcm_setiv_avx512()
82 	ctx->gcm.len.u[1] = 0;		/* Message length */  in gcm_setiv_avx512()
83 	ctx->gcm.ares = 0;  in gcm_setiv_avx512()
84 	ctx->gcm.mres = 0;  in gcm_setiv_avx512()
93 	uint64_t alen = ctx->gcm.len.u[0];  in gcm_aad_avx512()
98 	if (ctx->gcm.len.u[1])  in gcm_aad_avx512()
105 	ctx->gcm.len.u[0] = alen;  in gcm_aad_avx512()
107 	ares = ctx->gcm.ares;  in gcm_aad_avx512()
115 			ctx->gcm.Xi.c[15 - ares] ^= *(aad++);  in gcm_aad_avx512()
121 			ossl_gcm_gmult_avx512(ctx->gcm.Xi.u, ctx);  in gcm_aad_avx512()
123 			ctx->gcm.ares = ares;  in gcm_aad_avx512()
140 			ctx->gcm.Xi.c[15 - i] ^= aad[i];  in gcm_aad_avx512()
143 	ctx->gcm.ares = ares;  in gcm_aad_avx512()
152 	uint64_t mlen = ctx->gcm.len.u[1];  in _gcm_encrypt_avx512()
158 	ctx->gcm.len.u[1] = mlen;  in _gcm_encrypt_avx512()
161 	if (ctx->gcm.ares > 0) {  in _gcm_encrypt_avx512()
162 		ossl_gcm_gmult_avx512(ctx->gcm.Xi.u, ctx);  in _gcm_encrypt_avx512()
163 		ctx->gcm.ares = 0;  in _gcm_encrypt_avx512()
167 		ossl_aes_gcm_encrypt_avx512(&ctx->aes_ks, ctx, &ctx->gcm.mres,  in _gcm_encrypt_avx512()
170 		ossl_aes_gcm_decrypt_avx512(&ctx->aes_ks, ctx, &ctx->gcm.mres,  in _gcm_encrypt_avx512()
195 	unsigned int *res = &ctx->gcm.mres;  in gcm_finish_avx512()
198 	if (ctx->gcm.ares > 0)  in gcm_finish_avx512()
199 		res = &ctx->gcm.ares;  in gcm_finish_avx512()
203 	ctx->gcm.ares = ctx->gcm.mres = 0;  in gcm_finish_avx512()
206 		return timingsafe_bcmp(ctx->gcm.Xi.c, tag, len);  in gcm_finish_avx512()