setupAESstate, aesCBCencrypt, aesCBCdecrypt, setupAESXCBCstate, aesXCBCmac, setupAESGCMstate – advanced encryption standard (rijndael)

#include <u.h>
#include <libc.h>
#include <mp.h>
#include <libsec.h>

void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16]);

void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16]);

void setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec);

void aesCBCencrypt(uchar *p, int len, AESstate *s);

void aesCBCdecrypt(uchar *p, int len, AESstate *s);

void setupAESXCBCstate(AESstate *s);

void aesXCBCmac(uchar *p, int len, AESstate *s);

void setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen);

void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen);

void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s);

int aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s);

AES (a.k.a. Rijndael) has replaced DES as the preferred block cipher. Aes_encrypt and aes_decrypt are the block ciphers, corresponding to des(2)'s block_cipher. SetupAESstate, aesCBCencrypt, and aesCBCdecrypt implement cipher-block-chaining encryption. SetupAESXCBCstate and aesXCBCmac implement AES XCBC message authentication, per RFC 3566.

SetupAESGCMstate, aesgcm_setiv, aesgcm_encrypt and aesgcm_decrypt implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD). Before encryption or decryption, a new initialization vector (nonce) has to be set with aesgcm_setiv or by calling setupAESGCMstate with non-zero iv and ivlen arguments. Aesgcm_decrypt returns zero when authentication and decryption were successful and non-zero otherwise.

All ciphering is performed in place. Keybytes should be 16, 24, or 32. The initialization vector ivec of AESbsize bytes should be random enough to be unlikely to be reused but does not need to be cryptographically strongly unpredictable.


aescbc in secstore(1), mp(2), blowfish(2), des(2), dsa(2), elgamal(2), rc4(2), rsa(2), sechash(2), prime(2), rand(2)–197.pdf

The functions aes_encrypt, aes_decrypt, setupAESXCBCstate, and aesXCBCmac have not yet been verified by running test vectors through them.

Because of the way that non-multiple-of-16 buffers are handled, aesCBCdecrypt must be fed buffers of the same sizes as those passed to the aesCBCencrypt calls that encrypted the data.
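
The buffer-size caveat above can be seen in a small model. This is an added example, not libsec code: blk_enc and blk_dec are a stand-in 16-byte transform (not AES, not secure), the key, IV and message are constructed, and the tail rule (a short final chunk is XORed with an encryption of the chaining value, which then advances) is an assumption about how such tails are handled.

```c
#include <string.h>
typedef unsigned char uchar;
enum { BS = 16, N = 40 };                 /* block size; constructed 40-byte message */
typedef struct { uchar key[BS], ivec[BS]; } State;
static const uchar MSG[N + 1] = "abcdefghijklmnopqrstuvwxyzabcdefghijklmn";
static const State INIT = {               /* constructed key and IV */
	{0x03,0x14,0x25,0x36,0x47,0x58,0x69,0x7a,0x8b,0x9c,0xad,0xbe,0xcf,0xe0,0xf1,0x02},
	{0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf}};
/* Stand-in invertible block transform, NOT AES and not secure; in and out must not alias. */
static void blk_enc(const uchar *k, const uchar *in, uchar *out) {
	for (int i = 0; i < BS; i++) out[i] = (uchar)((in[(i + 5) % BS] + k[i]) ^ k[(i + 7) % BS]);
}
static void blk_dec(const uchar *k, const uchar *in, uchar *out) {
	for (int i = 0; i < BS; i++) out[(i + 5) % BS] = (uchar)((in[i] ^ k[(i + 7) % BS]) - k[i]);
}
/* Assumed tail rule: a short final chunk is XORed with E(ivec), and ivec advances. */
static void tail(uchar *p, int len, State *s) {
	uchar q[BS];
	blk_enc(s->key, s->ivec, q);
	memcpy(s->ivec, q, BS);
	for (int i = 0; i < len; i++) p[i] ^= q[i];
}
static void cbc_encrypt(uchar *p, int len, State *s) {
	for (; len >= BS; len -= BS, p += BS) {
		for (int i = 0; i < BS; i++) p[i] ^= s->ivec[i];
		blk_enc(s->key, p, s->ivec);      /* ciphertext block becomes the next chaining value */
		memcpy(p, s->ivec, BS);
	}
	if (len > 0) tail(p, len, s);
}
static void cbc_decrypt(uchar *p, int len, State *s) {
	uchar c[BS], q[BS];
	for (; len >= BS; len -= BS, p += BS) {
		memcpy(c, p, BS);                 /* keep ciphertext block before overwriting it */
		blk_dec(s->key, p, q);
		for (int i = 0; i < BS; i++) p[i] = q[i] ^ s->ivec[i];
		memcpy(s->ivec, c, BS);
	}
	if (len > 0) tail(p, len, s);
}
/* Encrypt MSG in one call, decrypt as chunks of `first` and N-first bytes; 1 if recovered. */
int roundtrip_ok(int first) {
	State e = INIT, d = INIT;
	uchar buf[N];
	memcpy(buf, MSG, N);
	cbc_encrypt(buf, N, &e);
	cbc_decrypt(buf, first, &d);
	cbc_decrypt(buf + first, N - first, &d);
	return memcmp(buf, MSG, N) == 0;
}
```

In this model, decrypt calls that split the data on a 16-byte boundary still recover the plaintext, while a split at any other offset applies the tail rule mid-stream and corrupts everything after the last whole block of the first call.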