AES(2)                                                     AES(2)

     NAME
          setupAESstate, aesCBCencrypt, aesCBCdecrypt, aesCFBencrypt,
          aesCFBdecrypt, aesOFBencrypt, aes_xts_encrypt,
          aes_xts_decrypt, setupAESGCMstate, aesgcm_setiv,
          aesgcm_encrypt, aesgcm_decrypt - advanced encryption
          standard (rijndael)

     SYNOPSIS
          #include <u.h>
          #include <libc.h>
          #include <mp.h>
          #include <libsec.h>

          void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar
          ct[16])

          void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar
          pt[16])

          void setupAESstate(AESstate *s, uchar key[], int nkey, uchar
          *ivec)

          void aesCBCencrypt(uchar *p, int len, AESstate *s)

          void aesCBCdecrypt(uchar *p, int len, AESstate *s)

          void aesCFBencrypt(uchar *p, int len, AESstate *s)

          void aesCFBdecrypt(uchar *p, int len, AESstate *s)

          void aesOFBencrypt(uchar *p, int len, AESstate *s)

          void aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong
          sectorNumber, uchar *input, uchar *output, ulong len)

          void aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong
          sectorNumber, uchar *input, uchar *output, ulong len)

          void setupAESGCMstate(AESGCMstate *s, uchar *key, int
          keylen, uchar *iv, int ivlen)

          void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)

          void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad,
          ulong naad, uchar tag[16], AESGCMstate *s)

          int  aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad,
          ulong naad, uchar tag[16], AESGCMstate *s)

     DESCRIPTION

     AES(2)                                                     AES(2)

          AES (a.k.a. Rijndael) has replaced DES as the preferred
          block cipher.  Aes_encrypt and aes_decrypt are the block
          ciphers, corresponding to des(2)'s block_cipher.
          AesCBCencrypt and aesCBCdecrypt implement cipher-block-
          chaining encryption.  AesCFBencrypt, aesCFBdecrypt and
          aesOFBencrypt implement cipher-feedback- and output-
          feedback-mode stream cipher encryption.  Aes_xts_encrypt and
          aes_xts_decrypt implement the XTS-AES tweakable block
          cipher, per IEEE 1619-2017 (see bugs below).  SetupAESstate
          is used to initialize the state of the above encryption
          modes.  The expanded roundkey parameters rk and Nr of
          aes_encrypt and aes_decrypt are returned in AESstate.ekey
          and AESstate.dkey with the corresponding number of rounds in
          AESstate.rounds. SetupAESGCMstate, aesgcm_setiv,
          aesgcm_encrypt and aesgcm_decrypt implement Galois/Counter
          Mode (GCM) authenticated encryption with associated data
          (AEAD).  Before encryption or decryption, a new initializa-
          tion vector (nonce) has to be set with aesgcm_setiv or by
          calling setupAESGCMstate with non-zero iv and ivlen argu-
          ments.  Aesgcm_decrypt returns zero when authentication and
          decryption where successfull and non-zero otherwise.  All
          ciphering is performed in place.  The byte keysize nkey
          should be 16, 24, or 32.  The initialization vector ivec of
          AESbsize bytes should be random enough to be unlikely to be
          reused but does not need to be cryptographically strongly
          unpredictable.

     SOURCE
          /sys/src/libsec

     SEE ALSO
          aescbc in secstore(1), mp(2), blowfish(2), des(2), dsa(2),
          elgamal(2), rc4(2), rsa(2), sechash(2), prime(2), rand(2)
          http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

     BUGS
          Because of the way that non-multiple-of-16 buffers are han-
          dled, aesCBCdecrypt must be fed buffers of the same size as
          the aesCBCencrypt calls that encrypted it.

          The functions aes_xts_encrypt an aes_xts_decrypt abort on a
          non-multiple-of-16 length as ciphertext stealing is not
          implemented.