Make |gcm128_context| memcpy-safe.

This removes the confusion about whether |gcm128_context| copies the
key (it didn't) or whether the caller is responsible for keeping the
key alive for the lifetime of the |gcm128_context| (it was).

Change-Id: Ia0ad0a8223e664381fbbfb56570b2545f51cad9f
Reviewed-on: https://boringssl-review.googlesource.com/6053
Reviewed-by: Adam Langley <alangley@gmail.com>
diff --git a/crypto/cipher/e_aes.c b/crypto/cipher/e_aes.c
index 74f3223..444af3a 100644
--- a/crypto/cipher/e_aes.c
+++ b/crypto/cipher/e_aes.c
@@ -481,14 +481,14 @@
       iv = gctx->iv;
     }
     if (iv) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
       gctx->iv_set = 1;
     }
     gctx->key_set = 1;
   } else {
     /* If key set use IV, otherwise copy */
     if (gctx->key_set) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
     } else {
       memcpy(gctx->iv, iv, gctx->ivlen);
     }
@@ -592,7 +592,7 @@
       if (gctx->iv_gen == 0 || gctx->key_set == 0) {
         return 0;
       }
-      CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
       if (arg <= 0 || arg > gctx->ivlen) {
         arg = gctx->ivlen;
       }
@@ -609,19 +609,13 @@
         return 0;
       }
       memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
-      CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
       gctx->iv_set = 1;
       return 1;
 
     case EVP_CTRL_COPY: {
       EVP_CIPHER_CTX *out = ptr;
       EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
-      if (gctx->gcm.key) {
-        if (gctx->gcm.key != &gctx->ks) {
-          return 0;
-        }
-        gctx_out->gcm.key = &gctx_out->ks;
-      }
       if (gctx->iv == c->iv) {
         gctx_out->iv = out->iv;
       } else {
@@ -663,24 +657,24 @@
         if (len >= 32 && AES_GCM_ASM(gctx)) {
           size_t res = (16 - gctx->gcm.mres) % 16;
 
-          if (!CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) {
+          if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, res)) {
             return -1;
           }
 
-          bulk = AES_gcm_encrypt(in + res, out + res, len - res, gctx->gcm.key,
+          bulk = AES_gcm_encrypt(in + res, out + res, len - res, &gctx->ks.ks,
                                  gctx->gcm.Yi.c, gctx->gcm.Xi.u);
           gctx->gcm.len.u[1] += bulk;
           bulk += res;
         }
 #endif
-        if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in + bulk, out + bulk,
-                                        len - bulk, gctx->ctr)) {
+        if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                         out + bulk, len - bulk, gctx->ctr)) {
           return -1;
         }
       } else {
         size_t bulk = 0;
-        if (!CRYPTO_gcm128_encrypt(&gctx->gcm, in + bulk, out + bulk,
-                                  len - bulk)) {
+        if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                   out + bulk, len - bulk)) {
           return -1;
         }
       }
@@ -691,24 +685,24 @@
         if (len >= 16 && AES_GCM_ASM(gctx)) {
           size_t res = (16 - gctx->gcm.mres) % 16;
 
-          if (!CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) {
+          if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, res)) {
             return -1;
           }
 
-          bulk = AES_gcm_decrypt(in + res, out + res, len - res, gctx->gcm.key,
+          bulk = AES_gcm_decrypt(in + res, out + res, len - res, &gctx->ks.ks,
                                  gctx->gcm.Yi.c, gctx->gcm.Xi.u);
           gctx->gcm.len.u[1] += bulk;
           bulk += res;
         }
 #endif
-        if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in + bulk, out + bulk,
-                                        len - bulk, gctx->ctr)) {
+        if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                         out + bulk, len - bulk, gctx->ctr)) {
           return -1;
         }
       } else {
         size_t bulk = 0;
-        if (!CRYPTO_gcm128_decrypt(&gctx->gcm, in + bulk, out + bulk,
-                                  len - bulk)) {
+        if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                   out + bulk, len - bulk)) {
           return -1;
         }
       }
@@ -902,14 +896,14 @@
       iv = gctx->iv;
     }
     if (iv) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
       gctx->iv_set = 1;
     }
     gctx->key_set = 1;
   } else {
     /* If key set use IV, otherwise copy */
     if (gctx->key_set) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
     } else {
       memcpy(gctx->iv, iv, gctx->ivlen);
     }
@@ -1122,19 +1116,22 @@
     return 0;
   }
 
+  const AES_KEY *key = &gcm_ctx->ks.ks;
+
   memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
-  CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
+  CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
 
   if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
     return 0;
   }
 
   if (gcm_ctx->ctr) {
-    if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, in, out, in_len, gcm_ctx->ctr)) {
+    if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len,
+                                     gcm_ctx->ctr)) {
       return 0;
     }
   } else {
-    if (!CRYPTO_gcm128_encrypt(&gcm, in, out, in_len)) {
+    if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
       return 0;
     }
   }
@@ -1166,20 +1163,22 @@
     return 0;
   }
 
+  const AES_KEY *key = &gcm_ctx->ks.ks;
+
   memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
-  CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
+  CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
 
   if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
     return 0;
   }
 
   if (gcm_ctx->ctr) {
-    if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, in, out, in_len - gcm_ctx->tag_len,
-                                     gcm_ctx->ctr)) {
+    if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out,
+                                     in_len - gcm_ctx->tag_len, gcm_ctx->ctr)) {
       return 0;
     }
   } else {
-    if (!CRYPTO_gcm128_decrypt(&gcm, in, out, in_len - gcm_ctx->tag_len)) {
+    if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len - gcm_ctx->tag_len)) {
       return 0;
     }
   }
diff --git a/crypto/modes/gcm.c b/crypto/modes/gcm.c
index 34e5dcf..c934fbd 100644
--- a/crypto/modes/gcm.c
+++ b/crypto/modes/gcm.c
@@ -426,7 +426,6 @@
 
   memset(ctx, 0, sizeof(*ctx));
   ctx->block = block;
-  ctx->key = key;
 
   (*block)(ctx->H.c, ctx->H.c, key);
 
@@ -492,7 +491,8 @@
 #endif
 }
 
-void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const uint8_t *iv, size_t len) {
+void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
+                         const uint8_t *iv, size_t len) {
   const union {
     long one;
     char little;
@@ -560,7 +560,7 @@
     }
   }
 
-  (*ctx->block)(ctx->Yi.c, ctx->EK0.c, ctx->key);
+  (*ctx->block)(ctx->Yi.c, ctx->EK0.c, key);
   ++ctr;
   if (is_endian.little) {
     PUTU32(ctx->Yi.c + 12, ctr);
@@ -633,8 +633,9 @@
   return 1;
 }
 
-int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const unsigned char *in,
-                          unsigned char *out, size_t len) {
+int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
+                          const unsigned char *in, unsigned char *out,
+                          size_t len) {
   const union {
     long one;
     char little;
@@ -643,7 +644,6 @@
   size_t i;
   uint64_t mlen = ctx->len.u[1];
   block128_f block = ctx->block;
-  const void *key = ctx->key;
 #ifdef GCM_FUNCREF_4BIT
   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
 #ifdef GHASH
@@ -793,8 +793,9 @@
   return 1;
 }
 
-int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const unsigned char *in,
-                          unsigned char *out, size_t len) {
+int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
+                          const unsigned char *in, unsigned char *out,
+                          size_t len) {
   const union {
     long one;
     char little;
@@ -803,7 +804,6 @@
   size_t i;
   uint64_t mlen = ctx->len.u[1];
   block128_f block = ctx->block;
-  const void *key = ctx->key;
 #ifdef GCM_FUNCREF_4BIT
   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
 #ifdef GHASH
@@ -960,15 +960,15 @@
   return 1;
 }
 
-int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const uint8_t *in,
-                                uint8_t *out, size_t len, ctr128_f stream) {
+int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
+                                const uint8_t *in, uint8_t *out, size_t len,
+                                ctr128_f stream) {
   const union {
     long one;
     char little;
   } is_endian = {1};
   unsigned int n, ctr;
   uint64_t mlen = ctx->len.u[1];
-  const void *key = ctx->key;
 #ifdef GCM_FUNCREF_4BIT
   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
 #ifdef GHASH
@@ -1069,8 +1069,8 @@
   return 1;
 }
 
-int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const uint8_t *in,
-                                uint8_t *out, size_t len,
+int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
+                                const uint8_t *in, uint8_t *out, size_t len,
                                 ctr128_f stream) {
   const union {
     long one;
@@ -1078,7 +1078,6 @@
   } is_endian = {1};
   unsigned int n, ctr;
   uint64_t mlen = ctx->len.u[1];
-  const void *key = ctx->key;
 #ifdef GCM_FUNCREF_4BIT
   void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
 #ifdef GHASH
diff --git a/crypto/modes/gcm_test.c b/crypto/modes/gcm_test.c
index 89ed792..fec46de 100644
--- a/crypto/modes/gcm_test.c
+++ b/crypto/modes/gcm_test.c
@@ -346,13 +346,13 @@
   }
 
   CRYPTO_gcm128_init(&ctx, &aes_key, (block128_f) AES_encrypt);
-  CRYPTO_gcm128_setiv(&ctx, nonce, nonce_len);
+  CRYPTO_gcm128_setiv(&ctx, &aes_key, nonce, nonce_len);
   memset(out, 0, plaintext_len);
   if (additional_data) {
     CRYPTO_gcm128_aad(&ctx, additional_data, additional_data_len);
   }
   if (plaintext) {
-    CRYPTO_gcm128_encrypt(&ctx, plaintext, out, plaintext_len);
+    CRYPTO_gcm128_encrypt(&ctx, &aes_key, plaintext, out, plaintext_len);
   }
   if (!CRYPTO_gcm128_finish(&ctx, tag, tag_len) ||
       (ciphertext && memcmp(out, ciphertext, plaintext_len) != 0)) {
@@ -362,13 +362,13 @@
     goto out;
   }
 
-  CRYPTO_gcm128_setiv(&ctx, nonce, nonce_len);
+  CRYPTO_gcm128_setiv(&ctx, &aes_key, nonce, nonce_len);
   memset(out, 0, plaintext_len);
   if (additional_data) {
     CRYPTO_gcm128_aad(&ctx, additional_data, additional_data_len);
   }
   if (ciphertext) {
-    CRYPTO_gcm128_decrypt(&ctx, ciphertext, out, plaintext_len);
+    CRYPTO_gcm128_decrypt(&ctx, &aes_key, ciphertext, out, plaintext_len);
   }
   if (!CRYPTO_gcm128_finish(&ctx, tag, tag_len)) {
     fprintf(stderr, "%u: decrypt failed.\n", test_num);
diff --git a/crypto/modes/internal.h b/crypto/modes/internal.h
index 0c2200f..6d881ec 100644
--- a/crypto/modes/internal.h
+++ b/crypto/modes/internal.h
@@ -152,6 +152,9 @@
 /* GCM definitions */
 typedef struct { uint64_t hi,lo; } u128;
 
+/* This differs from upstream's |gcm128_context| in that it does not have the
+ * |key| pointer, in order to make it |memcpy|-friendly. Rather the key is
+ * passed into each call that needs it. */
 struct gcm128_context {
   /* Following 6 names follow names in GCM specification */
   union {
@@ -170,7 +173,6 @@
 
   unsigned int mres, ares;
   block128_f block;
-  const void *key;
 };
 
 struct ccm128_context {
diff --git a/include/openssl/modes.h b/include/openssl/modes.h
index fb4d496..cec5bb9 100644
--- a/include/openssl/modes.h
+++ b/include/openssl/modes.h
@@ -76,83 +76,88 @@
  * stored in |ecount_buf| and |*num|, which must be zeroed before the initial
  * call. The counter is a 128-bit, big-endian value in |ivec| and is
  * incremented by this function. */
-OPENSSL_EXPORT void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out,
-                                          size_t len, const void *key,
-                                          uint8_t ivec[16],
-                                          uint8_t ecount_buf[16],
-                                          unsigned int *num, block128_f block);
+void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
+                           const void *key, uint8_t ivec[16],
+                           uint8_t ecount_buf[16], unsigned int *num,
+                           block128_f block);
 
 /* CRYPTO_ctr128_encrypt_ctr32 acts like |CRYPTO_ctr128_encrypt| but takes
  * |ctr|, a function that performs CTR mode but only deals with the lower 32
  * bits of the counter. This is useful when |ctr| can be an optimised
  * function. */
-OPENSSL_EXPORT void CRYPTO_ctr128_encrypt_ctr32(
-    const uint8_t *in, uint8_t *out, size_t len, const void *key,
-    uint8_t ivec[16], uint8_t ecount_buf[16], unsigned int *num, ctr128_f ctr);
+void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
+                                 const void *key, uint8_t ivec[16],
+                                 uint8_t ecount_buf[16], unsigned int *num,
+                                 ctr128_f ctr);
 
 
-/* GCM. */
+/* GCM.
+ *
+ * This API differs from the upstream API slightly. The |GCM128_CONTEXT| does
+ * not have a |key| pointer that points to the key as upstream's version does.
+ * Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|
+ * can be safely copied. */
 
 typedef struct gcm128_context GCM128_CONTEXT;
 
 /* CRYPTO_gcm128_new allocates a fresh |GCM128_CONTEXT| and calls
  * |CRYPTO_gcm128_init|. It returns the new context, or NULL on error. */
-OPENSSL_EXPORT GCM128_CONTEXT *CRYPTO_gcm128_new(const void *key,
-                                                 block128_f block);
+GCM128_CONTEXT *CRYPTO_gcm128_new(const void *key, block128_f block);
 
-/* CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with the
- * given key. */
-OPENSSL_EXPORT void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key,
-                                       block128_f block);
+/* CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
+ * the given key. */
+void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key, block128_f block);
 
-/* CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. */
-OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const uint8_t *iv,
-                                        size_t len);
+/* CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the
+ * same key that was passed to |CRYPTO_gcm128_init|. */
+void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
+                         const uint8_t *iv, size_t iv_len);
 
-/* CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM. This
- * must be called before and data is encrypted. It returns one on success and
- * zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad,
-                                     size_t len);
+/* CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM.
+ * This must be called before and data is encrypted. It returns one on success
+ * and zero otherwise. */
+int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len);
 
-/* CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. It returns
- * one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const uint8_t *in,
-                                         uint8_t *out, size_t len);
+/* CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key|
+ * must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
+ * on success and zero otherwise. */
+int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
+                          const uint8_t *in, uint8_t *out, size_t len);
 
-/* CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. It returns
- * one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const uint8_t *in,
-                                         uint8_t *out, size_t len);
+/* CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key|
+ * must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
+ * on success and zero otherwise. */
+int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
+                          const uint8_t *in, uint8_t *out, size_t len);
 
-/* CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using a
- * CTR function that only handles the bottom 32 bits of the nonce, like
- * |CRYPTO_ctr128_encrypt_ctr32|. It returns one on success and zero
+/* CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using
+ * a CTR function that only handles the bottom 32 bits of the nonce, like
+ * |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
+ * passed to |CRYPTO_gcm128_init|. It returns one on success and zero
  * otherwise. */
-OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
-                                               const uint8_t *in, uint8_t *out,
-                                               size_t len, ctr128_f stream);
+int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
+                                const uint8_t *in, uint8_t *out, size_t len,
+                                ctr128_f stream);
 
-/* CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using a
- * CTR function that only handles the bottom 32 bits of the nonce, like
- * |CRYPTO_ctr128_encrypt_ctr32|. It returns one on success and zero
+/* CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using
+ * a CTR function that only handles the bottom 32 bits of the nonce, like
+ * |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
+ * passed to |CRYPTO_gcm128_init|. It returns one on success and zero
  * otherwise. */
-OPENSSL_EXPORT int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
-                                               const uint8_t *in, uint8_t *out,
-                                               size_t len, ctr128_f stream);
+int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
+                                const uint8_t *in, uint8_t *out, size_t len,
+                                ctr128_f stream);
 
 /* CRYPTO_gcm128_finish calculates the authenticator and compares it against
  * |len| bytes of |tag|. It returns one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag,
-                                        size_t len);
+int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag, size_t len);
 
-/* CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|. The
- * minimum of |len| and 16 bytes are copied into |tag|. */
-OPENSSL_EXPORT void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
-                                      size_t len);
+/* CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.
+ * The minimum of |len| and 16 bytes are copied into |tag|. */
+void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag, size_t len);
 
 /* CRYPTO_gcm128_release clears and frees |ctx|. */
-OPENSSL_EXPORT void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx);
+void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx);
 
 
 /* CBC. */