Lines matching full:gcm (each entry shows the source line number, the matching line, and the enclosing function)
40 memset(&ctx->gcm, 0, sizeof(ctx->gcm)); in gcm_init()
44 AES_encrypt(ctx->gcm.H.c, ctx->gcm.H.c, &ctx->aes_ks); in gcm_init()
47 ctx->gcm.H.u[0] = bswap64(ctx->gcm.H.u[0]); in gcm_init()
48 ctx->gcm.H.u[1] = bswap64(ctx->gcm.H.u[1]); in gcm_init()
51 gcm_init_neon(ctx->gcm.Htable, ctx->gcm.H.u); in gcm_init()
62 ctx->gcm.len.u[0] = 0; in gcm_setiv()
63 ctx->gcm.len.u[1] = 0; in gcm_setiv()
64 ctx->gcm.ares = ctx->gcm.mres = 0; in gcm_setiv()
66 memcpy(ctx->gcm.Yi.c, iv, len); in gcm_setiv()
67 ctx->gcm.Yi.c[12] = 0; in gcm_setiv()
68 ctx->gcm.Yi.c[13] = 0; in gcm_setiv()
69 ctx->gcm.Yi.c[14] = 0; in gcm_setiv()
70 ctx->gcm.Yi.c[15] = 1; in gcm_setiv()
73 ctx->gcm.Xi.u[0] = 0; in gcm_setiv()
74 ctx->gcm.Xi.u[1] = 0; in gcm_setiv()
76 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EK0.c, &ctx->aes_ks); in gcm_setiv()
80 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_setiv()
82 ctx->gcm.Yi.d[3] = ctr; in gcm_setiv()
89 uint64_t alen = ctx->gcm.len.u[0] << 3; in gcm_finish()
90 uint64_t clen = ctx->gcm.len.u[1] << 3; in gcm_finish()
92 if (ctx->gcm.mres || ctx->gcm.ares) in gcm_finish()
93 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_finish()
100 ctx->gcm.Xi.u[0] ^= alen; in gcm_finish()
101 ctx->gcm.Xi.u[1] ^= clen; in gcm_finish()
102 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_finish()
104 ctx->gcm.Xi.u[0] ^= ctx->gcm.EK0.u[0]; in gcm_finish()
105 ctx->gcm.Xi.u[1] ^= ctx->gcm.EK0.u[1]; in gcm_finish()
108 return timingsafe_bcmp(ctx->gcm.Xi.c, tag, len); in gcm_finish()
117 uint64_t alen = ctx->gcm.len.u[0]; in gcm_aad()
119 if (ctx->gcm.len.u[1]) in gcm_aad()
125 ctx->gcm.len.u[0] = alen; in gcm_aad()
127 n = ctx->gcm.ares; in gcm_aad()
130 ctx->gcm.Xi.c[n] ^= *(aad++); in gcm_aad()
135 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_aad()
137 ctx->gcm.ares = n; in gcm_aad()
142 gcm_ghash_neon(ctx->gcm.Xi.u, ctx->gcm.Htable, aad, i); in gcm_aad()
149 ctx->gcm.Xi.c[i] ^= aad[i]; in gcm_aad()
152 ctx->gcm.ares = n; in gcm_aad()
163 uint64_t mlen = ctx->gcm.len.u[1]; in gcm_encrypt()
169 ctx->gcm.len.u[1] = mlen; in gcm_encrypt()
171 mres = ctx->gcm.mres; in gcm_encrypt()
173 if (ctx->gcm.ares) { in gcm_encrypt()
175 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt()
176 ctx->gcm.ares = 0; in gcm_encrypt()
180 ctr = bswap32(ctx->gcm.Yi.d[3]); in gcm_encrypt()
182 ctr = ctx->gcm.Yi.d[3]; in gcm_encrypt()
188 ctx->gcm.Xi.c[n] ^= *(out++) = *(in++) ^ ctx->gcm.EKi.c[n]; in gcm_encrypt()
193 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt()
196 ctx->gcm.mres = n; in gcm_encrypt()
206 ctx->gcm.Yi.c); in gcm_encrypt()
209 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_encrypt()
211 ctx->gcm.Yi.d[3] = ctr; in gcm_encrypt()
217 ctx->gcm.Xi.c[i] ^= out[i]; in gcm_encrypt()
218 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt()
223 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EKi.c, &ctx->aes_ks); in gcm_encrypt()
226 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_encrypt()
228 ctx->gcm.Yi.d[3] = ctr; in gcm_encrypt()
231 ctx->gcm.Xi.c[mres++] ^= out[n] = in[n] ^ ctx->gcm.EKi.c[n]; in gcm_encrypt()
236 ctx->gcm.mres = mres; in gcm_encrypt()
247 uint64_t mlen = ctx->gcm.len.u[1]; in gcm_decrypt()
252 ctx->gcm.len.u[1] = mlen; in gcm_decrypt()
254 mres = ctx->gcm.mres; in gcm_decrypt()
256 if (ctx->gcm.ares) { in gcm_decrypt()
258 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt()
259 ctx->gcm.ares = 0; in gcm_decrypt()
263 ctr = bswap32(ctx->gcm.Yi.d[3]); in gcm_decrypt()
265 ctr = ctx->gcm.Yi.d[3]; in gcm_decrypt()
272 *(out++) = c ^ ctx->gcm.EKi.c[n]; in gcm_decrypt()
273 ctx->gcm.Xi.c[n] ^= c; in gcm_decrypt()
278 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt()
281 ctx->gcm.mres = n; in gcm_decrypt()
291 ctx->gcm.Xi.c[k] ^= in[k]; in gcm_decrypt()
292 gcm_gmult_neon(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt()
300 ctx->gcm.Yi.c); in gcm_decrypt()
303 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_decrypt()
305 ctx->gcm.Yi.d[3] = ctr; in gcm_decrypt()
312 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EKi.c, &ctx->aes_ks); in gcm_decrypt()
315 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_decrypt()
317 ctx->gcm.Yi.d[3] = ctr; in gcm_decrypt()
321 ctx->gcm.Xi.c[mres++] ^= c; in gcm_decrypt()
322 out[n] = c ^ ctx->gcm.EKi.c[n]; in gcm_decrypt()
327 ctx->gcm.mres = mres; in gcm_decrypt()
335 memcpy(tag, ctx->gcm.Xi.c, len); in gcm_tag()