Added POWER8 implementation for AES/CTR+CBC-MAC (for CCM and EAX modes).
authorThomas Pornin <pornin@bolet.org>
Sun, 12 Aug 2018 21:53:23 +0000 (23:53 +0200)
committerThomas Pornin <pornin@bolet.org>
Sun, 12 Aug 2018 21:53:23 +0000 (23:53 +0200)
inc/bearssl_block.h
mk/Rules.mk
mk/mkrules.sh
src/inner.h
src/ssl/ssl_engine_default_aesccm.c
src/symcipher/aes_pwr8_ctrcbc.c [new file with mode: 0644]
test/test_crypto.c
test/test_speed.c
tools/names.c
tools/sslio.c

index 7152be8..683a490 100644 (file)
@@ -1919,6 +1919,24 @@ typedef struct {
 #endif
 } br_aes_pwr8_ctr_keys;
 
+/**
+ * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption
+ * and decryption + CBC-MAC).
+ *
+ * First field is a pointer to the vtable; it is set by the initialisation
+ * function. Other fields are not supposed to be accessed by user code.
+ */
+typedef struct {
+       /** \brief Pointer to vtable for this context. */
+       const br_block_ctrcbc_class *vtable;
+#ifndef BR_DOXYGEN_IGNORE
+       union {
+               unsigned char skni[16 * 15];
+       } skey;
+       unsigned num_rounds;
+#endif
+} br_aes_pwr8_ctrcbc_keys;
+
 /**
  * \brief Class instance for AES CBC encryption (`aes_pwr8` implementation).
  *
@@ -1947,6 +1965,16 @@ extern const br_block_cbcdec_class br_aes_pwr8_cbcdec_vtable;
  */
 extern const br_block_ctr_class br_aes_pwr8_ctr_vtable;
 
+/**
+ * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
+ * (`aes_pwr8` implementation).
+ *
+ * Since this implementation might be omitted from the library, or the
+ * AES opcode unavailable on the current CPU, a pointer to this class
+ * instance should be obtained through `br_aes_pwr8_ctrcbc_get_vtable()`.
+ */
+extern const br_block_ctrcbc_class br_aes_pwr8_ctrcbc_vtable;
+
 /**
  * \brief Context initialisation (key schedule) for AES CBC encryption
  * (`aes_pwr8` implementation).
@@ -1980,6 +2008,17 @@ void br_aes_pwr8_cbcdec_init(br_aes_pwr8_cbcdec_keys *ctx,
 void br_aes_pwr8_ctr_init(br_aes_pwr8_ctr_keys *ctx,
        const void *key, size_t len);
 
+/**
+ * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
+ * (`aes_pwr8` implementation).
+ *
+ * \param ctx   context to initialise.
+ * \param key   secret key.
+ * \param len   secret key length (in bytes).
+ */
+void br_aes_pwr8_ctrcbc_init(br_aes_pwr8_ctrcbc_keys *ctx,
+       const void *key, size_t len);
+
 /**
  * \brief CBC encryption with AES (`aes_pwr8` implementation).
  *
@@ -2015,6 +2054,52 @@ void br_aes_pwr8_cbcdec_run(const br_aes_pwr8_cbcdec_keys *ctx, void *iv,
 uint32_t br_aes_pwr8_ctr_run(const br_aes_pwr8_ctr_keys *ctx,
        const void *iv, uint32_t cc, void *data, size_t len);
 
+/**
+ * \brief CTR encryption + CBC-MAC with AES (`aes_pwr8` implementation).
+ *
+ * \param ctx      context (already initialised).
+ * \param ctr      counter for CTR (16 bytes, updated).
+ * \param cbcmac   IV for CBC-MAC (updated).
+ * \param data     data to encrypt (updated).
+ * \param len      data length (in bytes, MUST be a multiple of 16).
+ */
+void br_aes_pwr8_ctrcbc_encrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *ctr, void *cbcmac, void *data, size_t len);
+
+/**
+ * \brief CTR decryption + CBC-MAC with AES (`aes_pwr8` implementation).
+ *
+ * \param ctx      context (already initialised).
+ * \param ctr      counter for CTR (16 bytes, updated).
+ * \param cbcmac   IV for CBC-MAC (updated).
+ * \param data     data to decrypt (updated).
+ * \param len      data length (in bytes, MUST be a multiple of 16).
+ */
+void br_aes_pwr8_ctrcbc_decrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *ctr, void *cbcmac, void *data, size_t len);
+
+/**
+ * \brief CTR encryption/decryption with AES (`aes_pwr8` implementation).
+ *
+ * \param ctx      context (already initialised).
+ * \param ctr      counter for CTR (16 bytes, updated).
+ * \param data     data to MAC (updated).
+ * \param len      data length (in bytes, MUST be a multiple of 16).
+ */
+void br_aes_pwr8_ctrcbc_ctr(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *ctr, void *data, size_t len);
+
+/**
+ * \brief CBC-MAC with AES (`aes_pwr8` implementation).
+ *
+ * \param ctx      context (already initialised).
+ * \param cbcmac   IV for CBC-MAC (updated).
+ * \param data     data to MAC (unmodified).
+ * \param len      data length (in bytes, MUST be a multiple of 16).
+ */
+void br_aes_pwr8_ctrcbc_mac(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *cbcmac, const void *data, size_t len);
+
 /**
  * \brief Obtain the `aes_pwr8` AES-CBC (encryption) implementation, if
  * available.
@@ -2053,6 +2138,19 @@ const br_block_cbcdec_class *br_aes_pwr8_cbcdec_get_vtable(void);
  */
 const br_block_ctr_class *br_aes_pwr8_ctr_get_vtable(void);
 
+/**
+ * \brief Obtain the `aes_pwr8` AES-CTR + CBC-MAC implementation, if
+ * available.
+ *
+ * This function returns a pointer to `br_aes_pwr8_ctrcbc_vtable`, if
+ * that implementation was compiled in the library _and_ the POWER8 AES
+ * opcodes are available on the currently running CPU. If either of
+ * these conditions is not met, then this function returns `NULL`.
+ *
+ * \return  the `aes_pwr8` AES-CTR implementation, or `NULL`.
+ */
+const br_block_ctrcbc_class *br_aes_pwr8_ctrcbc_get_vtable(void);
+
 /**
  * \brief Aggregate structure large enough to be used as context for
  * subkeys (CBC encryption) for all AES implementations.
@@ -2106,9 +2204,7 @@ typedef union {
        br_aes_ct_ctrcbc_keys c_ct;
        br_aes_ct64_ctrcbc_keys c_ct64;
        br_aes_x86ni_ctrcbc_keys c_x86ni;
-       /* FIXME
        br_aes_pwr8_ctrcbc_keys c_pwr8;
-       */
 } br_aes_gen_ctrcbc_keys;
 
 /*
index fd55dfd..0a23fa5 100644 (file)
@@ -242,6 +242,7 @@ OBJ = \
  $(OBJDIR)$Paes_pwr8_cbcdec$O \
  $(OBJDIR)$Paes_pwr8_cbcenc$O \
  $(OBJDIR)$Paes_pwr8_ctr$O \
+ $(OBJDIR)$Paes_pwr8_ctrcbc$O \
  $(OBJDIR)$Paes_small_cbcdec$O \
  $(OBJDIR)$Paes_small_cbcenc$O \
  $(OBJDIR)$Paes_small_ctr$O \
@@ -1079,6 +1080,9 @@ $(OBJDIR)$Paes_pwr8_cbcenc$O: src$Psymcipher$Paes_pwr8_cbcenc.c $(HEADERSPRIV)
 $(OBJDIR)$Paes_pwr8_ctr$O: src$Psymcipher$Paes_pwr8_ctr.c $(HEADERSPRIV)
        $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_pwr8_ctr$O src$Psymcipher$Paes_pwr8_ctr.c
 
+$(OBJDIR)$Paes_pwr8_ctrcbc$O: src$Psymcipher$Paes_pwr8_ctrcbc.c $(HEADERSPRIV)
+       $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_pwr8_ctrcbc$O src$Psymcipher$Paes_pwr8_ctrcbc.c
+
 $(OBJDIR)$Paes_small_cbcdec$O: src$Psymcipher$Paes_small_cbcdec.c $(HEADERSPRIV)
        $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_small_cbcdec$O src$Psymcipher$Paes_small_cbcdec.c
 
index 16f16ab..c72b820 100755 (executable)
@@ -290,6 +290,7 @@ coresrc=" \
        src/symcipher/aes_pwr8_cbcdec.c \
        src/symcipher/aes_pwr8_cbcenc.c \
        src/symcipher/aes_pwr8_ctr.c \
+       src/symcipher/aes_pwr8_ctrcbc.c \
        src/symcipher/aes_small_cbcdec.c \
        src/symcipher/aes_small_cbcenc.c \
        src/symcipher/aes_small_ctr.c \
index d7e4091..8c7f04e 100644 (file)
@@ -2337,6 +2337,7 @@ int br_ssl_choose_hash(unsigned bf);
 #define stxvw4x(xt, ra, rb)       stxvw4x_(xt, ra, rb)
 
 #define bdnz(foo)                 bdnz_(foo)
+#define bdz(foo)                  bdz_(foo)
 #define beq(foo)                  beq_(foo)
 
 #define li(rx, value)             li_(rx, value)
@@ -2355,6 +2356,7 @@ int br_ssl_choose_hash(unsigned bf);
 #define vsl(vrt, vra, vrb)        vsl_(vrt, vra, vrb)
 #define vsldoi(vt, va, vb, sh)    vsldoi_(vt, va, vb, sh)
 #define vsr(vrt, vra, vrb)        vsr_(vrt, vra, vrb)
+#define vaddcuw(vrt, vra, vrb)    vaddcuw_(vrt, vra, vrb)
 #define vadduwm(vrt, vra, vrb)    vadduwm_(vrt, vra, vrb)
 #define vsububm(vrt, vra, vrb)    vsububm_(vrt, vra, vrb)
 #define vsubuwm(vrt, vra, vrb)    vsubuwm_(vrt, vra, vrb)
@@ -2372,6 +2374,7 @@ int br_ssl_choose_hash(unsigned bf);
 
 #define label(foo)                #foo "%=:\n"
 #define bdnz_(foo)                "\tbdnz\t" #foo "%=\n"
+#define bdz_(foo)                 "\tbdz\t" #foo "%=\n"
 #define beq_(foo)                 "\tbeq\t" #foo "%=\n"
 
 #define li_(rx, value)            "\tli\t" #rx "," #value "\n"
@@ -2390,6 +2393,7 @@ int br_ssl_choose_hash(unsigned bf);
 #define vsl_(vrt, vra, vrb)       "\tvsl\t" #vrt "," #vra "," #vrb "\n"
 #define vsldoi_(vt, va, vb, sh)   "\tvsldoi\t" #vt "," #va "," #vb "," #sh "\n"
 #define vsr_(vrt, vra, vrb)       "\tvsr\t" #vrt "," #vra "," #vrb "\n"
+#define vaddcuw_(vrt, vra, vrb)   "\tvaddcuw\t" #vrt "," #vra "," #vrb "\n"
 #define vadduwm_(vrt, vra, vrb)   "\tvadduwm\t" #vrt "," #vra "," #vrb "\n"
 #define vsububm_(vrt, vra, vrb)   "\tvsububm\t" #vrt "," #vra "," #vrb "\n"
 #define vsubuwm_(vrt, vra, vrb)   "\tvsubuwm\t" #vrt "," #vra "," #vrb "\n"
index b79718e..15c0a78 100644 (file)
@@ -28,7 +28,7 @@
 void
 br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc)
 {
-#if BR_AES_X86NI /* TODO: BR_POWER8 */
+#if BR_AES_X86NI || BR_POWER8
        const br_block_ctrcbc_class *ictrcbc;
 #endif
 
@@ -46,6 +46,17 @@ br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc)
                br_ssl_engine_set_aes_ctrcbc(cc, &br_aes_ct_ctrcbc_vtable);
 #endif
        }
+#elif BR_POWER8
+       ictrcbc = br_aes_pwr8_ctrcbc_get_vtable();
+       if (ictrcbc != NULL) {
+               br_ssl_engine_set_aes_ctrcbc(cc, ictrcbc);
+       } else {
+#if BR_64
+               br_ssl_engine_set_aes_ctrcbc(cc, &br_aes_ct64_ctrcbc_vtable);
+#else
+               br_ssl_engine_set_aes_ctrcbc(cc, &br_aes_ct_ctrcbc_vtable);
+#endif
+       }
 #else
 #if BR_64
        br_ssl_engine_set_aes_ctrcbc(cc, &br_aes_ct64_ctrcbc_vtable);
diff --git a/src/symcipher/aes_pwr8_ctrcbc.c b/src/symcipher/aes_pwr8_ctrcbc.c
new file mode 100644 (file)
index 0000000..a67d30b
--- /dev/null
@@ -0,0 +1,946 @@
+/*
+ * Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining 
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be 
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#define BR_POWER_ASM_MACROS   1
+#include "inner.h"
+
+#if BR_POWER8
+
+/* see bearssl_block.h */
+const br_block_ctrcbc_class *
+br_aes_pwr8_ctrcbc_get_vtable(void)
+{
+       return br_aes_pwr8_supported() ? &br_aes_pwr8_ctrcbc_vtable : NULL;
+}
+
+/* see bearssl_block.h */
+void
+br_aes_pwr8_ctrcbc_init(br_aes_pwr8_ctrcbc_keys *ctx,
+       const void *key, size_t len)
+{
+       ctx->vtable = &br_aes_pwr8_ctrcbc_vtable;
+       ctx->num_rounds = br_aes_pwr8_keysched(ctx->skey.skni, key, len);
+}
+
+/*
+ * Register conventions for CTR + CBC-MAC:
+ *
+ *   AES subkeys are in registers 0 to 10/12/14 (depending on keys size)
+ *   Register v15 contains the byteswap index register (little-endian only)
+ *   Register v16 contains the CTR counter value
+ *   Register v17 contains the CBC-MAC current value
+ *   Registers v18 to v27 are scratch
+ *   Counter increment uses v28, v29 and v30
+ *
+ * For CTR alone:
+ *  
+ *   AES subkeys are in registers 0 to 10/12/14 (depending on keys size)
+ *   Register v15 contains the byteswap index register (little-endian only)
+ *   Registers v16 to v19 contain the CTR counter values (four blocks)
+ *   Registers v20 to v27 are scratch
+ *   Counter increment uses v28, v29 and v30
+ */
+
+#define LOAD_SUBKEYS_128 \
+               lxvw4x(32, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(33, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(34, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(35, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(36, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(37, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(38, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(39, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(40, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(41, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(42, %[cc], %[sk])
+
+#define LOAD_SUBKEYS_192 \
+               LOAD_SUBKEYS_128 \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(43, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(44, %[cc], %[sk])
+
+#define LOAD_SUBKEYS_256 \
+               LOAD_SUBKEYS_192 \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(45, %[cc], %[sk])   \
+               addi(%[cc], %[cc], 16)     \
+               lxvw4x(46, %[cc], %[sk])
+
+#define BLOCK_ENCRYPT_128(x) \
+               vxor(x, x, 0) \
+               vcipher(x, x, 1) \
+               vcipher(x, x, 2) \
+               vcipher(x, x, 3) \
+               vcipher(x, x, 4) \
+               vcipher(x, x, 5) \
+               vcipher(x, x, 6) \
+               vcipher(x, x, 7) \
+               vcipher(x, x, 8) \
+               vcipher(x, x, 9) \
+               vcipherlast(x, x, 10)
+
+#define BLOCK_ENCRYPT_192(x) \
+               vxor(x, x, 0) \
+               vcipher(x, x, 1) \
+               vcipher(x, x, 2) \
+               vcipher(x, x, 3) \
+               vcipher(x, x, 4) \
+               vcipher(x, x, 5) \
+               vcipher(x, x, 6) \
+               vcipher(x, x, 7) \
+               vcipher(x, x, 8) \
+               vcipher(x, x, 9) \
+               vcipher(x, x, 10) \
+               vcipher(x, x, 11) \
+               vcipherlast(x, x, 12)
+
+#define BLOCK_ENCRYPT_256(x) \
+               vxor(x, x, 0) \
+               vcipher(x, x, 1) \
+               vcipher(x, x, 2) \
+               vcipher(x, x, 3) \
+               vcipher(x, x, 4) \
+               vcipher(x, x, 5) \
+               vcipher(x, x, 6) \
+               vcipher(x, x, 7) \
+               vcipher(x, x, 8) \
+               vcipher(x, x, 9) \
+               vcipher(x, x, 10) \
+               vcipher(x, x, 11) \
+               vcipher(x, x, 12) \
+               vcipher(x, x, 13) \
+               vcipherlast(x, x, 14)
+
+#define BLOCK_ENCRYPT_X2_128(x, y) \
+               vxor(x, x, 0) \
+               vxor(y, y, 0) \
+               vcipher(x, x, 1) \
+               vcipher(y, y, 1) \
+               vcipher(x, x, 2) \
+               vcipher(y, y, 2) \
+               vcipher(x, x, 3) \
+               vcipher(y, y, 3) \
+               vcipher(x, x, 4) \
+               vcipher(y, y, 4) \
+               vcipher(x, x, 5) \
+               vcipher(y, y, 5) \
+               vcipher(x, x, 6) \
+               vcipher(y, y, 6) \
+               vcipher(x, x, 7) \
+               vcipher(y, y, 7) \
+               vcipher(x, x, 8) \
+               vcipher(y, y, 8) \
+               vcipher(x, x, 9) \
+               vcipher(y, y, 9) \
+               vcipherlast(x, x, 10) \
+               vcipherlast(y, y, 10)
+
+#define BLOCK_ENCRYPT_X2_192(x, y) \
+               vxor(x, x, 0) \
+               vxor(y, y, 0) \
+               vcipher(x, x, 1) \
+               vcipher(y, y, 1) \
+               vcipher(x, x, 2) \
+               vcipher(y, y, 2) \
+               vcipher(x, x, 3) \
+               vcipher(y, y, 3) \
+               vcipher(x, x, 4) \
+               vcipher(y, y, 4) \
+               vcipher(x, x, 5) \
+               vcipher(y, y, 5) \
+               vcipher(x, x, 6) \
+               vcipher(y, y, 6) \
+               vcipher(x, x, 7) \
+               vcipher(y, y, 7) \
+               vcipher(x, x, 8) \
+               vcipher(y, y, 8) \
+               vcipher(x, x, 9) \
+               vcipher(y, y, 9) \
+               vcipher(x, x, 10) \
+               vcipher(y, y, 10) \
+               vcipher(x, x, 11) \
+               vcipher(y, y, 11) \
+               vcipherlast(x, x, 12) \
+               vcipherlast(y, y, 12)
+
+#define BLOCK_ENCRYPT_X2_256(x, y) \
+               vxor(x, x, 0) \
+               vxor(y, y, 0) \
+               vcipher(x, x, 1) \
+               vcipher(y, y, 1) \
+               vcipher(x, x, 2) \
+               vcipher(y, y, 2) \
+               vcipher(x, x, 3) \
+               vcipher(y, y, 3) \
+               vcipher(x, x, 4) \
+               vcipher(y, y, 4) \
+               vcipher(x, x, 5) \
+               vcipher(y, y, 5) \
+               vcipher(x, x, 6) \
+               vcipher(y, y, 6) \
+               vcipher(x, x, 7) \
+               vcipher(y, y, 7) \
+               vcipher(x, x, 8) \
+               vcipher(y, y, 8) \
+               vcipher(x, x, 9) \
+               vcipher(y, y, 9) \
+               vcipher(x, x, 10) \
+               vcipher(y, y, 10) \
+               vcipher(x, x, 11) \
+               vcipher(y, y, 11) \
+               vcipher(x, x, 12) \
+               vcipher(y, y, 12) \
+               vcipher(x, x, 13) \
+               vcipher(y, y, 13) \
+               vcipherlast(x, x, 14) \
+               vcipherlast(y, y, 14)
+
+#define BLOCK_ENCRYPT_X4_128(x0, x1, x2, x3) \
+               vxor(x0, x0, 0) \
+               vxor(x1, x1, 0) \
+               vxor(x2, x2, 0) \
+               vxor(x3, x3, 0) \
+               vcipher(x0, x0, 1) \
+               vcipher(x1, x1, 1) \
+               vcipher(x2, x2, 1) \
+               vcipher(x3, x3, 1) \
+               vcipher(x0, x0, 2) \
+               vcipher(x1, x1, 2) \
+               vcipher(x2, x2, 2) \
+               vcipher(x3, x3, 2) \
+               vcipher(x0, x0, 3) \
+               vcipher(x1, x1, 3) \
+               vcipher(x2, x2, 3) \
+               vcipher(x3, x3, 3) \
+               vcipher(x0, x0, 4) \
+               vcipher(x1, x1, 4) \
+               vcipher(x2, x2, 4) \
+               vcipher(x3, x3, 4) \
+               vcipher(x0, x0, 5) \
+               vcipher(x1, x1, 5) \
+               vcipher(x2, x2, 5) \
+               vcipher(x3, x3, 5) \
+               vcipher(x0, x0, 6) \
+               vcipher(x1, x1, 6) \
+               vcipher(x2, x2, 6) \
+               vcipher(x3, x3, 6) \
+               vcipher(x0, x0, 7) \
+               vcipher(x1, x1, 7) \
+               vcipher(x2, x2, 7) \
+               vcipher(x3, x3, 7) \
+               vcipher(x0, x0, 8) \
+               vcipher(x1, x1, 8) \
+               vcipher(x2, x2, 8) \
+               vcipher(x3, x3, 8) \
+               vcipher(x0, x0, 9) \
+               vcipher(x1, x1, 9) \
+               vcipher(x2, x2, 9) \
+               vcipher(x3, x3, 9) \
+               vcipherlast(x0, x0, 10) \
+               vcipherlast(x1, x1, 10) \
+               vcipherlast(x2, x2, 10) \
+               vcipherlast(x3, x3, 10)
+
+#define BLOCK_ENCRYPT_X4_192(x0, x1, x2, x3) \
+               vxor(x0, x0, 0) \
+               vxor(x1, x1, 0) \
+               vxor(x2, x2, 0) \
+               vxor(x3, x3, 0) \
+               vcipher(x0, x0, 1) \
+               vcipher(x1, x1, 1) \
+               vcipher(x2, x2, 1) \
+               vcipher(x3, x3, 1) \
+               vcipher(x0, x0, 2) \
+               vcipher(x1, x1, 2) \
+               vcipher(x2, x2, 2) \
+               vcipher(x3, x3, 2) \
+               vcipher(x0, x0, 3) \
+               vcipher(x1, x1, 3) \
+               vcipher(x2, x2, 3) \
+               vcipher(x3, x3, 3) \
+               vcipher(x0, x0, 4) \
+               vcipher(x1, x1, 4) \
+               vcipher(x2, x2, 4) \
+               vcipher(x3, x3, 4) \
+               vcipher(x0, x0, 5) \
+               vcipher(x1, x1, 5) \
+               vcipher(x2, x2, 5) \
+               vcipher(x3, x3, 5) \
+               vcipher(x0, x0, 6) \
+               vcipher(x1, x1, 6) \
+               vcipher(x2, x2, 6) \
+               vcipher(x3, x3, 6) \
+               vcipher(x0, x0, 7) \
+               vcipher(x1, x1, 7) \
+               vcipher(x2, x2, 7) \
+               vcipher(x3, x3, 7) \
+               vcipher(x0, x0, 8) \
+               vcipher(x1, x1, 8) \
+               vcipher(x2, x2, 8) \
+               vcipher(x3, x3, 8) \
+               vcipher(x0, x0, 9) \
+               vcipher(x1, x1, 9) \
+               vcipher(x2, x2, 9) \
+               vcipher(x3, x3, 9) \
+               vcipher(x0, x0, 10) \
+               vcipher(x1, x1, 10) \
+               vcipher(x2, x2, 10) \
+               vcipher(x3, x3, 10) \
+               vcipher(x0, x0, 11) \
+               vcipher(x1, x1, 11) \
+               vcipher(x2, x2, 11) \
+               vcipher(x3, x3, 11) \
+               vcipherlast(x0, x0, 12) \
+               vcipherlast(x1, x1, 12) \
+               vcipherlast(x2, x2, 12) \
+               vcipherlast(x3, x3, 12)
+
+#define BLOCK_ENCRYPT_X4_256(x0, x1, x2, x3) \
+               vxor(x0, x0, 0) \
+               vxor(x1, x1, 0) \
+               vxor(x2, x2, 0) \
+               vxor(x3, x3, 0) \
+               vcipher(x0, x0, 1) \
+               vcipher(x1, x1, 1) \
+               vcipher(x2, x2, 1) \
+               vcipher(x3, x3, 1) \
+               vcipher(x0, x0, 2) \
+               vcipher(x1, x1, 2) \
+               vcipher(x2, x2, 2) \
+               vcipher(x3, x3, 2) \
+               vcipher(x0, x0, 3) \
+               vcipher(x1, x1, 3) \
+               vcipher(x2, x2, 3) \
+               vcipher(x3, x3, 3) \
+               vcipher(x0, x0, 4) \
+               vcipher(x1, x1, 4) \
+               vcipher(x2, x2, 4) \
+               vcipher(x3, x3, 4) \
+               vcipher(x0, x0, 5) \
+               vcipher(x1, x1, 5) \
+               vcipher(x2, x2, 5) \
+               vcipher(x3, x3, 5) \
+               vcipher(x0, x0, 6) \
+               vcipher(x1, x1, 6) \
+               vcipher(x2, x2, 6) \
+               vcipher(x3, x3, 6) \
+               vcipher(x0, x0, 7) \
+               vcipher(x1, x1, 7) \
+               vcipher(x2, x2, 7) \
+               vcipher(x3, x3, 7) \
+               vcipher(x0, x0, 8) \
+               vcipher(x1, x1, 8) \
+               vcipher(x2, x2, 8) \
+               vcipher(x3, x3, 8) \
+               vcipher(x0, x0, 9) \
+               vcipher(x1, x1, 9) \
+               vcipher(x2, x2, 9) \
+               vcipher(x3, x3, 9) \
+               vcipher(x0, x0, 10) \
+               vcipher(x1, x1, 10) \
+               vcipher(x2, x2, 10) \
+               vcipher(x3, x3, 10) \
+               vcipher(x0, x0, 11) \
+               vcipher(x1, x1, 11) \
+               vcipher(x2, x2, 11) \
+               vcipher(x3, x3, 11) \
+               vcipher(x0, x0, 12) \
+               vcipher(x1, x1, 12) \
+               vcipher(x2, x2, 12) \
+               vcipher(x3, x3, 12) \
+               vcipher(x0, x0, 13) \
+               vcipher(x1, x1, 13) \
+               vcipher(x2, x2, 13) \
+               vcipher(x3, x3, 13) \
+               vcipherlast(x0, x0, 14) \
+               vcipherlast(x1, x1, 14) \
+               vcipherlast(x2, x2, 14) \
+               vcipherlast(x3, x3, 14)
+
+#if BR_POWER8_LE
+static const uint32_t idx2be[] = {
+       0x03020100, 0x07060504, 0x0B0A0908, 0x0F0E0D0C
+};
+#define BYTESWAP_INIT     lxvw4x(47, 0, %[idx2be])
+#define BYTESWAP(x)       vperm(x, x, x, 15)
+#define BYTESWAPX(d, s)   vperm(d, s, s, 15)
+#define BYTESWAP_REG      , [idx2be] "b" (idx2be)
+#else
+#define BYTESWAP_INIT
+#define BYTESWAP(x)
+#define BYTESWAPX(d, s)   vand(d, s, s)
+#define BYTESWAP_REG
+#endif
+
+static const uint32_t ctrinc[] = {
+       0, 0, 0, 1
+};
+static const uint32_t ctrinc_x4[] = {
+       0, 0, 0, 4
+};
+#define INCR_128_INIT      lxvw4x(60, 0, %[ctrinc])
+#define INCR_128_X4_INIT   lxvw4x(60, 0, %[ctrinc_x4])
+#define INCR_128(d, s) \
+               vaddcuw(29, s, 28) \
+               vadduwm(d, s, 28) \
+               vsldoi(30, 29, 29, 4) \
+               vaddcuw(29, d, 30) \
+               vadduwm(d, d, 30) \
+               vsldoi(30, 29, 29, 4) \
+               vaddcuw(29, d, 30) \
+               vadduwm(d, d, 30) \
+               vsldoi(30, 29, 29, 4) \
+               vadduwm(d, d, 30)
+
+#define MKCTR(size) \
+static void \
+ctr_ ## size(const unsigned char *sk, \
+       unsigned char *ctrbuf, unsigned char *buf, size_t num_blocks_x4) \
+{ \
+       long cc, cc0, cc1, cc2, cc3; \
+ \
+       cc = 0; \
+       cc0 = 0; \
+       cc1 = 16; \
+       cc2 = 32; \
+       cc3 = 48; \
+       asm volatile ( \
+ \
+               /* \
+                * Load subkeys into v0..v10 \
+                */ \
+               LOAD_SUBKEYS_ ## size \
+               li(%[cc], 0) \
+ \
+               BYTESWAP_INIT \
+               INCR_128_X4_INIT \
+ \
+               /* \
+                * Load current CTR counters into v16 to v19. \
+                */ \
+               lxvw4x(48, %[cc0], %[ctrbuf]) \
+               lxvw4x(49, %[cc1], %[ctrbuf]) \
+               lxvw4x(50, %[cc2], %[ctrbuf]) \
+               lxvw4x(51, %[cc3], %[ctrbuf]) \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+               BYTESWAP(18) \
+               BYTESWAP(19) \
+ \
+               mtctr(%[num_blocks_x4]) \
+ \
+       label(loop) \
+               /* \
+                * Compute next counter values into v20..v23. \
+                */ \
+               INCR_128(20, 16) \
+               INCR_128(21, 17) \
+               INCR_128(22, 18) \
+               INCR_128(23, 19) \
+ \
+               /* \
+                * Encrypt counter values and XOR into next data blocks. \
+                */ \
+               lxvw4x(56, %[cc0], %[buf]) \
+               lxvw4x(57, %[cc1], %[buf]) \
+               lxvw4x(58, %[cc2], %[buf]) \
+               lxvw4x(59, %[cc3], %[buf]) \
+               BYTESWAP(24) \
+               BYTESWAP(25) \
+               BYTESWAP(26) \
+               BYTESWAP(27) \
+               BLOCK_ENCRYPT_X4_ ## size(16, 17, 18, 19) \
+               vxor(16, 16, 24) \
+               vxor(17, 17, 25) \
+               vxor(18, 18, 26) \
+               vxor(19, 19, 27) \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+               BYTESWAP(18) \
+               BYTESWAP(19) \
+               stxvw4x(48, %[cc0], %[buf]) \
+               stxvw4x(49, %[cc1], %[buf]) \
+               stxvw4x(50, %[cc2], %[buf]) \
+               stxvw4x(51, %[cc3], %[buf]) \
+ \
+               /* \
+                * Update counters and data pointer. \
+                */ \
+               vand(16, 20, 20) \
+               vand(17, 21, 21) \
+               vand(18, 22, 22) \
+               vand(19, 23, 23) \
+               addi(%[buf], %[buf], 64) \
+ \
+               bdnz(loop) \
+ \
+               /* \
+                * Write back new counter values. \
+                */ \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+               BYTESWAP(18) \
+               BYTESWAP(19) \
+               stxvw4x(48, %[cc0], %[ctrbuf]) \
+               stxvw4x(49, %[cc1], %[ctrbuf]) \
+               stxvw4x(50, %[cc2], %[ctrbuf]) \
+               stxvw4x(51, %[cc3], %[ctrbuf]) \
+ \
+: [cc] "+b" (cc), [buf] "+b" (buf), \
+       [cc0] "+b" (cc0), [cc1] "+b" (cc1), [cc2] "+b" (cc2), [cc3] "+b" (cc3) \
+: [sk] "b" (sk), [ctrbuf] "b" (ctrbuf), \
+       [num_blocks_x4] "b" (num_blocks_x4), [ctrinc_x4] "b" (ctrinc_x4) \
+       BYTESWAP_REG \
+: "v0", "v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "v9", \
+  "v10", "v11", "v12", "v13", "v14", "v15", "v16", "v17", "v18", "v19", \
+  "v20", "v21", "v22", "v23", "v24", "v25", "v26", "v27", "v28", "v29", \
+  "v30", "ctr", "memory" \
+       ); \
+}
+
+MKCTR(128)
+MKCTR(192)
+MKCTR(256)
+
+#define MKCBCMAC(size) \
+static void \
+cbcmac_ ## size(const unsigned char *sk, \
+       unsigned char *cbcmac, const unsigned char *buf, size_t num_blocks) \
+{ \
+       long cc; \
+ \
+       cc = 0; \
+       asm volatile ( \
+ \
+               /* \
+                * Load subkeys into v0..v10 \
+                */ \
+               LOAD_SUBKEYS_ ## size \
+               li(%[cc], 0) \
+ \
+               BYTESWAP_INIT \
+ \
+               /* \
+                * Load current CBC-MAC value into v16. \
+                */ \
+               lxvw4x(48, %[cc], %[cbcmac]) \
+               BYTESWAP(16) \
+ \
+               mtctr(%[num_blocks]) \
+ \
+       label(loop) \
+               /* \
+                * Load next block, XOR into current CBC-MAC value, \
+                * and then encrypt it. \
+                */ \
+               lxvw4x(49, %[cc], %[buf]) \
+               BYTESWAP(17) \
+               vxor(16, 16, 17) \
+               BLOCK_ENCRYPT_ ## size(16) \
+               addi(%[buf], %[buf], 16) \
+ \
+               bdnz(loop) \
+ \
+               /* \
+                * Write back new CBC-MAC value. \
+                */ \
+               BYTESWAP(16) \
+               stxvw4x(48, %[cc], %[cbcmac]) \
+ \
+: [cc] "+b" (cc), [buf] "+b" (buf) \
+: [sk] "b" (sk), [cbcmac] "b" (cbcmac), [num_blocks] "b" (num_blocks) \
+       BYTESWAP_REG \
+: "v0", "v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "v9", \
+  "v10", "v11", "v12", "v13", "v14", "v15", "v16", "v17", "v18", "v19", \
+  "v20", "v21", "v22", "v23", "v24", "v25", "v26", "v27", "v28", "v29", \
+  "v30", "ctr", "memory" \
+       ); \
+}
+
+MKCBCMAC(128)
+MKCBCMAC(192)
+MKCBCMAC(256)
+
+#define MKENCRYPT(size) \
+static void \
+ctrcbc_ ## size ## _encrypt(const unsigned char *sk, \
+       unsigned char *ctr, unsigned char *cbcmac, unsigned char *buf, \
+       size_t num_blocks) \
+{ \
+       long cc; \
+ \
+       cc = 0; \
+       asm volatile ( \
+ \
+               /* \
+                * Load subkeys into v0..v10 \
+                */ \
+               LOAD_SUBKEYS_ ## size \
+               li(%[cc], 0) \
+ \
+               BYTESWAP_INIT \
+               INCR_128_INIT \
+ \
+               /* \
+                * Load current CTR counter into v16, and current \
+                * CBC-MAC IV into v17. \
+                */ \
+               lxvw4x(48, %[cc], %[ctr]) \
+               lxvw4x(49, %[cc], %[cbcmac]) \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+ \
+               /* \
+                * At each iteration, we do two parallel encryption: \
+                *  - new counter value for encryption of the next block; \
+                *  - CBC-MAC over the previous encrypted block. \
+                * Thus, each plaintext block implies two AES instances, \
+                * over two successive iterations. This requires a single \
+                * counter encryption before the loop, and a single \
+                * CBC-MAC encryption after the loop. \
+                */ \
+ \
+               /* \
+                * Encrypt first block (into v20). \
+                */ \
+               lxvw4x(52, %[cc], %[buf]) \
+               BYTESWAP(20) \
+               INCR_128(22, 16) \
+               BLOCK_ENCRYPT_ ## size(16) \
+               vxor(20, 20, 16) \
+               BYTESWAPX(21, 20) \
+               stxvw4x(53, %[cc], %[buf]) \
+               vand(16, 22, 22) \
+               addi(%[buf], %[buf], 16) \
+ \
+               /* \
+                * Load loop counter; skip the loop if there is only \
+                * one block in total (already handled by the boundary \
+                * conditions). \
+                */ \
+               mtctr(%[num_blocks]) \
+               bdz(fastexit) \
+ \
+       label(loop) \
+               /* \
+                * Upon loop entry: \
+                *    v16   counter value for next block \
+                *    v17   current CBC-MAC value \
+                *    v20   encrypted previous block \
+                */ \
+               vxor(17, 17, 20) \
+               INCR_128(22, 16) \
+               lxvw4x(52, %[cc], %[buf]) \
+               BYTESWAP(20) \
+               BLOCK_ENCRYPT_X2_ ## size(16, 17) \
+               vxor(20, 20, 16) \
+               BYTESWAPX(21, 20) \
+               stxvw4x(53, %[cc], %[buf]) \
+               addi(%[buf], %[buf], 16) \
+               vand(16, 22, 22) \
+ \
+               bdnz(loop) \
+ \
+       label(fastexit) \
+               vxor(17, 17, 20) \
+               BLOCK_ENCRYPT_ ## size(17) \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+               stxvw4x(48, %[cc], %[ctr]) \
+               stxvw4x(49, %[cc], %[cbcmac]) \
+ \
+: [cc] "+b" (cc), [buf] "+b" (buf) \
+: [sk] "b" (sk), [ctr] "b" (ctr), [cbcmac] "b" (cbcmac), \
+       [num_blocks] "b" (num_blocks), [ctrinc] "b" (ctrinc) \
+       BYTESWAP_REG \
+: "v0", "v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "v9", \
+  "v10", "v11", "v12", "v13", "v14", "v15", "v16", "v17", "v18", "v19", \
+  "v20", "v21", "v22", "v23", "v24", "v25", "v26", "v27", "v28", "v29", \
+  "v30", "ctr", "memory" \
+       ); \
+}
+
+MKENCRYPT(128)
+MKENCRYPT(192)
+MKENCRYPT(256)
+
+#define MKDECRYPT(size) \
+static void \
+ctrcbc_ ## size ## _decrypt(const unsigned char *sk, \
+       unsigned char *ctr, unsigned char *cbcmac, unsigned char *buf, \
+       size_t num_blocks) \
+{ \
+       long cc; \
+ \
+       cc = 0; \
+       asm volatile ( \
+ \
+               /* \
+                * Load subkeys into v0..v10 \
+                */ \
+               LOAD_SUBKEYS_ ## size \
+               li(%[cc], 0) \
+ \
+               BYTESWAP_INIT \
+               INCR_128_INIT \
+ \
+               /* \
+                * Load current CTR counter into v16, and current \
+                * CBC-MAC IV into v17. \
+                */ \
+               lxvw4x(48, %[cc], %[ctr]) \
+               lxvw4x(49, %[cc], %[cbcmac]) \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+ \
+               /* \
+                * At each iteration, we do two parallel encryption: \
+                *  - new counter value for decryption of the next block; \
+                *  - CBC-MAC over the next encrypted block. \
+                * Each iteration performs the two AES instances related \
+                * to the current block; there is thus no need for some \
+                * extra pre-loop and post-loop work as in encryption. \
+                */ \
+ \
+               mtctr(%[num_blocks]) \
+ \
+       label(loop) \
+               /* \
+                * Upon loop entry: \
+                *    v16   counter value for next block \
+                *    v17   current CBC-MAC value \
+                */ \
+               lxvw4x(52, %[cc], %[buf]) \
+               BYTESWAP(20) \
+               vxor(17, 17, 20) \
+               INCR_128(22, 16) \
+               BLOCK_ENCRYPT_X2_ ## size(16, 17) \
+               vxor(20, 20, 16) \
+               BYTESWAPX(21, 20) \
+               stxvw4x(53, %[cc], %[buf]) \
+               addi(%[buf], %[buf], 16) \
+               vand(16, 22, 22) \
+ \
+               bdnz(loop) \
+ \
+               /* \
+                * Store back counter and CBC-MAC value. \
+                */ \
+               BYTESWAP(16) \
+               BYTESWAP(17) \
+               stxvw4x(48, %[cc], %[ctr]) \
+               stxvw4x(49, %[cc], %[cbcmac]) \
+ \
+: [cc] "+b" (cc), [buf] "+b" (buf) \
+: [sk] "b" (sk), [ctr] "b" (ctr), [cbcmac] "b" (cbcmac), \
+       [num_blocks] "b" (num_blocks), [ctrinc] "b" (ctrinc) \
+       BYTESWAP_REG \
+: "v0", "v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "v9", \
+  "v10", "v11", "v12", "v13", "v14", "v15", "v16", "v17", "v18", "v19", \
+  "v20", "v21", "v22", "v23", "v24", "v25", "v26", "v27", "v28", "v29", \
+  "v30", "ctr", "memory" \
+       ); \
+}
+
+MKDECRYPT(128)
+MKDECRYPT(192)
+MKDECRYPT(256)
+
+/* see bearssl_block.h */
+void
+br_aes_pwr8_ctrcbc_encrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *ctr, void *cbcmac, void *data, size_t len)
+{
+       if (len == 0) {
+               return;
+       }
+       switch (ctx->num_rounds) {
+       case 10:
+               ctrcbc_128_encrypt(ctx->skey.skni, ctr, cbcmac, data, len >> 4);
+               break;
+       case 12:
+               ctrcbc_192_encrypt(ctx->skey.skni, ctr, cbcmac, data, len >> 4);
+               break;
+       default:
+               ctrcbc_256_encrypt(ctx->skey.skni, ctr, cbcmac, data, len >> 4);
+               break;
+       }
+}
+
+/* see bearssl_block.h */
+void
+br_aes_pwr8_ctrcbc_decrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *ctr, void *cbcmac, void *data, size_t len)
+{
+       if (len == 0) {
+               return;
+       }
+       switch (ctx->num_rounds) {
+       case 10:
+               ctrcbc_128_decrypt(ctx->skey.skni, ctr, cbcmac, data, len >> 4);
+               break;
+       case 12:
+               ctrcbc_192_decrypt(ctx->skey.skni, ctr, cbcmac, data, len >> 4);
+               break;
+       default:
+               ctrcbc_256_decrypt(ctx->skey.skni, ctr, cbcmac, data, len >> 4);
+               break;
+       }
+}
+
+static inline void
+incr_ctr(void *dst, const void *src)
+{
+       uint64_t hi, lo;
+
+       hi = br_dec64be(src);
+       lo = br_dec64be((const unsigned char *)src + 8);
+       lo ++;
+       hi += ((lo | -lo) >> 63) ^ (uint64_t)1;
+       br_enc64be(dst, hi);
+       br_enc64be((unsigned char *)dst + 8, lo);
+}
+
+/* see bearssl_block.h */
+void
+br_aes_pwr8_ctrcbc_ctr(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *ctr, void *data, size_t len)
+{
+       unsigned char ctrbuf[64];
+
+       memcpy(ctrbuf, ctr, 16);
+       incr_ctr(ctrbuf + 16, ctrbuf);
+       incr_ctr(ctrbuf + 32, ctrbuf + 16);
+       incr_ctr(ctrbuf + 48, ctrbuf + 32);
+       if (len >= 64) {
+               switch (ctx->num_rounds) {
+               case 10:
+                       ctr_128(ctx->skey.skni, ctrbuf, data, len >> 6);
+                       break;
+               case 12:
+                       ctr_192(ctx->skey.skni, ctrbuf, data, len >> 6);
+                       break;
+               default:
+                       ctr_256(ctx->skey.skni, ctrbuf, data, len >> 6);
+                       break;
+               }
+               data = (unsigned char *)data + (len & ~(size_t)63);
+               len &= 63;
+       }
+       if (len > 0) {
+               unsigned char tmp[64];
+
+               if (len >= 32) {
+                       if (len >= 48) {
+                               memcpy(ctr, ctrbuf + 48, 16);
+                       } else {
+                               memcpy(ctr, ctrbuf + 32, 16);
+                       }
+               } else {
+                       if (len >= 16) {
+                               memcpy(ctr, ctrbuf + 16, 16);
+                       }
+               }
+               memcpy(tmp, data, len);
+               memset(tmp + len, 0, (sizeof tmp) - len);
+               switch (ctx->num_rounds) {
+               case 10:
+                       ctr_128(ctx->skey.skni, ctrbuf, tmp, 1);
+                       break;
+               case 12:
+                       ctr_192(ctx->skey.skni, ctrbuf, tmp, 1);
+                       break;
+               default:
+                       ctr_256(ctx->skey.skni, ctrbuf, tmp, 1);
+                       break;
+               }
+               memcpy(data, tmp, len);
+       } else {
+               memcpy(ctr, ctrbuf, 16);
+       }
+}
+
+/* see bearssl_block.h */
+void
+br_aes_pwr8_ctrcbc_mac(const br_aes_pwr8_ctrcbc_keys *ctx,
+       void *cbcmac, const void *data, size_t len)
+{
+       if (len > 0) {
+               switch (ctx->num_rounds) {
+               case 10:
+                       cbcmac_128(ctx->skey.skni, cbcmac, data, len >> 4);
+                       break;
+               case 12:
+                       cbcmac_192(ctx->skey.skni, cbcmac, data, len >> 4);
+                       break;
+               default:
+                       cbcmac_256(ctx->skey.skni, cbcmac, data, len >> 4);
+                       break;
+               }
+       }
+}
+
+/* see bearssl_block.h */
+const br_block_ctrcbc_class br_aes_pwr8_ctrcbc_vtable = {
+       sizeof(br_aes_pwr8_ctrcbc_keys),
+       16,
+       4,
+       (void (*)(const br_block_ctrcbc_class **, const void *, size_t))
+               &br_aes_pwr8_ctrcbc_init,
+       (void (*)(const br_block_ctrcbc_class *const *,
+               void *, void *, void *, size_t))
+               &br_aes_pwr8_ctrcbc_encrypt,
+       (void (*)(const br_block_ctrcbc_class *const *,
+               void *, void *, void *, size_t))
+               &br_aes_pwr8_ctrcbc_decrypt,
+       (void (*)(const br_block_ctrcbc_class *const *,
+               void *, void *, size_t))
+               &br_aes_pwr8_ctrcbc_ctr,
+       (void (*)(const br_block_ctrcbc_class *const *,
+               void *, const void *, size_t))
+               &br_aes_pwr8_ctrcbc_mac
+};
+
+#else
+
+/* see bearssl_block.h */
+const br_block_ctrcbc_class *
+br_aes_pwr8_ctrcbc_get_vtable(void)
+{
+       return NULL;
+}
+
+#endif
index 70029b3..dd2562c 100644 (file)
@@ -3664,6 +3664,19 @@ test_AES_CTRCBC_x86ni(void)
        }
 }
 
+static void
+test_AES_CTRCBC_pwr8(void)
+{
+       const br_block_ctrcbc_class *vt;
+
+       vt = br_aes_pwr8_ctrcbc_get_vtable();
+       if (vt != NULL) {
+               test_AES_CTRCBC_inner("pwr8", vt);
+       } else {
+               printf("Test AES CTR/CBC-MAC pwr8: UNAVAILABLE\n");
+       }
+}
+
 /*
  * DES known-answer tests. Order: plaintext, key, ciphertext.
  * (mostly from NIST SP 800-20).
@@ -6839,6 +6852,13 @@ test_EAX(void)
        } else {
                printf("Test EAX aes_x86ni: UNAVAILABLE\n");
        }
+
+       x_ctrcbc = br_aes_pwr8_ctrcbc_get_vtable();
+       if (x_ctrcbc != NULL) {
+               test_EAX_inner("aes_pwr8", x_ctrcbc);
+       } else {
+               printf("Test EAX aes_pwr8: UNAVAILABLE\n");
+       }
 }
 
 /*
@@ -7051,6 +7071,13 @@ test_CCM(void)
        } else {
                printf("Test CCM aes_x86ni: UNAVAILABLE\n");
        }
+
+       x_ctrcbc = br_aes_pwr8_ctrcbc_get_vtable();
+       if (x_ctrcbc != NULL) {
+               test_CCM_inner("aes_pwr8", x_ctrcbc);
+       } else {
+               printf("Test CCM aes_pwr8: UNAVAILABLE\n");
+       }
 }
 
 static void
@@ -8253,6 +8280,7 @@ static const struct {
        STU(AES_CTRCBC_ct),
        STU(AES_CTRCBC_ct64),
        STU(AES_CTRCBC_x86ni),
+       STU(AES_CTRCBC_pwr8),
        STU(DES_tab),
        STU(DES_ct),
        STU(ChaCha20_ct),
index 38da572..b1cd9f2 100644 (file)
@@ -518,16 +518,19 @@ SPEED_EAX(AES, aes, 128, small)
 SPEED_EAX(AES, aes, 128, ct)
 SPEED_EAX(AES, aes, 128, ct64)
 SPEED_EAX(AES, aes, 128, x86ni)
+SPEED_EAX(AES, aes, 128, pwr8)
 SPEED_EAX(AES, aes, 192, big)
 SPEED_EAX(AES, aes, 192, small)
 SPEED_EAX(AES, aes, 192, ct)
 SPEED_EAX(AES, aes, 192, ct64)
 SPEED_EAX(AES, aes, 192, x86ni)
+SPEED_EAX(AES, aes, 192, pwr8)
 SPEED_EAX(AES, aes, 256, big)
 SPEED_EAX(AES, aes, 256, small)
 SPEED_EAX(AES, aes, 256, ct)
 SPEED_EAX(AES, aes, 256, ct64)
 SPEED_EAX(AES, aes, 256, x86ni)
+SPEED_EAX(AES, aes, 256, pwr8)
 
 static const unsigned char RSA_N[] = {
        0xE9, 0xF2, 0x4A, 0x2F, 0x96, 0xDF, 0x0A, 0x23,
@@ -1477,6 +1480,9 @@ static const struct {
        STU(eax_aes128_x86ni),
        STU(eax_aes192_x86ni),
        STU(eax_aes256_x86ni),
+       STU(eax_aes128_pwr8),
+       STU(eax_aes192_pwr8),
+       STU(eax_aes256_pwr8),
 
        STU(rsa_i15),
        STU(rsa_i31),
index f9487fd..6d6fec0 100644 (file)
@@ -495,6 +495,8 @@ static const struct {
                (const void *(*)(void))&br_aes_pwr8_cbcdec_get_vtable },
        { "aes_pwr8_ctr",         "pwr8",
                (const void *(*)(void))&br_aes_pwr8_ctr_get_vtable },
+       { "aes_pwr8_ctrcbc",      "pwr8",
+               (const void *(*)(void))&br_aes_pwr8_ctrcbc_get_vtable },
        { "aes_x86ni_cbcenc",     "x86ni",
                (const void *(*)(void))&br_aes_x86ni_cbcenc_get_vtable },
        { "aes_x86ni_cbcdec",     "x86ni",
index 7fc1d53..ef7dd3f 100644 (file)
@@ -283,6 +283,10 @@ run_ssl_engine(br_ssl_engine_context *cc, unsigned long fd, unsigned flags)
                        fprintf(stderr, "   AES/CTR:       %s\n",
                                get_algo_name(cc->iaes_cbcdec, 0));
                }
+               if (cc->iaes_ctrcbc != 0) {
+                       fprintf(stderr, "   AES/CCM:       %s\n",
+                               get_algo_name(cc->iaes_ctrcbc, 0));
+               }
                if (cc->ides_cbcenc != 0) {
                        fprintf(stderr, "   DES/CBC (enc): %s\n",
                                get_algo_name(cc->ides_cbcenc, 0));