13 * This file contains an AES-GCM wrapper implementation from OpenSSL, using
150 memset(&ctx->gcm, 0, sizeof(ctx->gcm)); in gcm_init()
160 memcpy(tag, ctx->gcm.Xi.c, len); in gcm_tag_op()
166 AES_encrypt(ctx->gcm.H.c, ctx->gcm.H.c, &ctx->aes_ks); in gcm_init_op()
169 ctx->gcm.H.u[0] = bswap64(ctx->gcm.H.u[0]); in gcm_init_op()
170 ctx->gcm.H.u[1] = bswap64(ctx->gcm.H.u[1]); in gcm_init_op()
173 GCM_init(ctx->gcm.Htable, ctx->gcm.H.u); in gcm_init_op()
185 ctx->gcm.len.u[0] = 0; in gcm_setiv_op()
186 ctx->gcm.len.u[1] = 0; in gcm_setiv_op()
187 ctx->gcm.ares = ctx->gcm.mres = 0; in gcm_setiv_op()
189 memcpy(ctx->gcm.Yi.c, iv, len); in gcm_setiv_op()
190 ctx->gcm.Yi.c[12] = 0; in gcm_setiv_op()
191 ctx->gcm.Yi.c[13] = 0; in gcm_setiv_op()
192 ctx->gcm.Yi.c[14] = 0; in gcm_setiv_op()
193 ctx->gcm.Yi.c[15] = 1; in gcm_setiv_op()
196 ctx->gcm.Xi.u[0] = 0; in gcm_setiv_op()
197 ctx->gcm.Xi.u[1] = 0; in gcm_setiv_op()
199 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EK0.c, &ctx->aes_ks); in gcm_setiv_op()
203 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_setiv_op()
205 ctx->gcm.Yi.d[3] = ctr; in gcm_setiv_op()
215 uint64_t alen = ctx->gcm.len.u[0]; in gcm_aad_op()
217 if (ctx->gcm.len.u[1]) in gcm_aad_op()
223 ctx->gcm.len.u[0] = alen; in gcm_aad_op()
225 n = ctx->gcm.ares; in gcm_aad_op()
228 ctx->gcm.Xi.c[n] ^= *(aad++); in gcm_aad_op()
233 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_aad_op()
235 ctx->gcm.ares = n; in gcm_aad_op()
240 GCM_ghash(ctx->gcm.Xi.u, ctx->gcm.Htable, aad, i); in gcm_aad_op()
247 ctx->gcm.Xi.c[i] ^= aad[i]; in gcm_aad_op()
250 ctx->gcm.ares = n; in gcm_aad_op()
260 uint64_t mlen = ctx->gcm.len.u[1]; in gcm_encrypt()
265 ctx->gcm.len.u[1] = mlen; in gcm_encrypt()
267 mres = ctx->gcm.mres; in gcm_encrypt()
269 if (ctx->gcm.ares) { in gcm_encrypt()
271 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt()
272 ctx->gcm.ares = 0; in gcm_encrypt()
276 ctr = bswap32(ctx->gcm.Yi.d[3]); in gcm_encrypt()
278 ctr = ctx->gcm.Yi.d[3]; in gcm_encrypt()
284 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EKi.c, in gcm_encrypt()
288 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_encrypt()
290 ctx->gcm.Yi.d[3] = ctr; in gcm_encrypt()
293 ctx->gcm.Xi.c[n] ^= out[i] = in[i] ^ ctx->gcm.EKi.c[n]; in gcm_encrypt()
296 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt()
299 ctx->gcm.mres = mres; in gcm_encrypt()
309 uint64_t mlen = ctx->gcm.len.u[1]; in gcm_encrypt_ctr32()
314 ctx->gcm.len.u[1] = mlen; in gcm_encrypt_ctr32()
316 mres = ctx->gcm.mres; in gcm_encrypt_ctr32()
318 if (ctx->gcm.ares) { in gcm_encrypt_ctr32()
320 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt_ctr32()
321 ctx->gcm.ares = 0; in gcm_encrypt_ctr32()
325 ctr = bswap32(ctx->gcm.Yi.d[3]); in gcm_encrypt_ctr32()
327 ctr = ctx->gcm.Yi.d[3]; in gcm_encrypt_ctr32()
333 ctx->gcm.Xi.c[n] ^= *(out++) = *(in++) ^ ctx->gcm.EKi.c[n]; in gcm_encrypt_ctr32()
338 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt_ctr32()
341 ctx->gcm.mres = n; in gcm_encrypt_ctr32()
348 AES_ctr32_encrypt_blocks(in, out, j, &ctx->aes_ks, ctx->gcm.Yi.c); in gcm_encrypt_ctr32()
351 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_encrypt_ctr32()
353 ctx->gcm.Yi.d[3] = ctr; in gcm_encrypt_ctr32()
359 ctx->gcm.Xi.c[i] ^= out[i]; in gcm_encrypt_ctr32()
360 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_encrypt_ctr32()
365 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EKi.c, &ctx->aes_ks); in gcm_encrypt_ctr32()
368 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_encrypt_ctr32()
370 ctx->gcm.Yi.d[3] = ctr; in gcm_encrypt_ctr32()
373 ctx->gcm.Xi.c[mres++] ^= out[n] = in[n] ^ ctx->gcm.EKi.c[n]; in gcm_encrypt_ctr32()
378 ctx->gcm.mres = mres; in gcm_encrypt_ctr32()
389 res = MIN(len, (AES_BLOCK_LEN - ctx->gcm.mres) % AES_BLOCK_LEN); in gcm_encrypt_op()
394 &ctx->aes_ks, ctx->gcm.Yi.c, ctx->gcm.Xi.u); in gcm_encrypt_op()
395 ctx->gcm.len.u[1] += bulk; in gcm_encrypt_op()
411 uint64_t mlen = ctx->gcm.len.u[1]; in gcm_decrypt()
416 ctx->gcm.len.u[1] = mlen; in gcm_decrypt()
418 mres = ctx->gcm.mres; in gcm_decrypt()
420 if (ctx->gcm.ares) { in gcm_decrypt()
422 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt()
423 ctx->gcm.ares = 0; in gcm_decrypt()
427 ctr = bswap32(ctx->gcm.Yi.d[3]); in gcm_decrypt()
429 ctr = ctx->gcm.Yi.d[3]; in gcm_decrypt()
436 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EKi.c, in gcm_decrypt()
440 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_decrypt()
442 ctx->gcm.Yi.d[3] = ctr; in gcm_decrypt()
446 out[i] = c ^ ctx->gcm.EKi.c[n]; in gcm_decrypt()
447 ctx->gcm.Xi.c[n] ^= c; in gcm_decrypt()
450 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt()
453 ctx->gcm.mres = mres; in gcm_decrypt()
463 uint64_t mlen = ctx->gcm.len.u[1]; in gcm_decrypt_ctr32()
468 ctx->gcm.len.u[1] = mlen; in gcm_decrypt_ctr32()
470 mres = ctx->gcm.mres; in gcm_decrypt_ctr32()
472 if (ctx->gcm.ares) { in gcm_decrypt_ctr32()
474 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt_ctr32()
475 ctx->gcm.ares = 0; in gcm_decrypt_ctr32()
479 ctr = bswap32(ctx->gcm.Yi.d[3]); in gcm_decrypt_ctr32()
481 ctr = ctx->gcm.Yi.d[3]; in gcm_decrypt_ctr32()
488 *(out++) = c ^ ctx->gcm.EKi.c[n]; in gcm_decrypt_ctr32()
489 ctx->gcm.Xi.c[n] ^= c; in gcm_decrypt_ctr32()
494 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt_ctr32()
497 ctx->gcm.mres = n; in gcm_decrypt_ctr32()
507 ctx->gcm.Xi.c[k] ^= in[k]; in gcm_decrypt_ctr32()
508 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_decrypt_ctr32()
513 AES_ctr32_encrypt_blocks(in, out, j, &ctx->aes_ks, ctx->gcm.Yi.c); in gcm_decrypt_ctr32()
516 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_decrypt_ctr32()
518 ctx->gcm.Yi.d[3] = ctr; in gcm_decrypt_ctr32()
525 AES_encrypt(ctx->gcm.Yi.c, ctx->gcm.EKi.c, &ctx->aes_ks); in gcm_decrypt_ctr32()
528 ctx->gcm.Yi.d[3] = bswap32(ctr); in gcm_decrypt_ctr32()
530 ctx->gcm.Yi.d[3] = ctr; in gcm_decrypt_ctr32()
534 ctx->gcm.Xi.c[mres++] ^= c; in gcm_decrypt_ctr32()
535 out[n] = c ^ ctx->gcm.EKi.c[n]; in gcm_decrypt_ctr32()
540 ctx->gcm.mres = mres; in gcm_decrypt_ctr32()
551 res = MIN(len, (AES_BLOCK_LEN - ctx->gcm.mres) % AES_BLOCK_LEN); in gcm_decrypt_op()
556 ctx->gcm.Yi.c, ctx->gcm.Xi.u); in gcm_decrypt_op()
557 ctx->gcm.len.u[1] += bulk; in gcm_decrypt_op()
570 uint64_t alen = ctx->gcm.len.u[0] << 3; in gcm_finish_op()
571 uint64_t clen = ctx->gcm.len.u[1] << 3; in gcm_finish_op()
573 if (ctx->gcm.mres || ctx->gcm.ares) in gcm_finish_op()
574 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_finish_op()
581 ctx->gcm.Xi.u[0] ^= alen; in gcm_finish_op()
582 ctx->gcm.Xi.u[1] ^= clen; in gcm_finish_op()
583 GCM_gmult(ctx->gcm.Xi.u, ctx->gcm.Htable); in gcm_finish_op()
585 ctx->gcm.Xi.u[0] ^= ctx->gcm.EK0.u[0]; in gcm_finish_op()
586 ctx->gcm.Xi.u[1] ^= ctx->gcm.EK0.u[1]; in gcm_finish_op()
589 return timingsafe_bcmp(ctx->gcm.Xi.c, tag, len); in gcm_finish_op()