plan9fox/sys/man/2/aes

.TH AES 2
.SH NAME
setupAESstate, \
aesCBCencrypt, \
aesCBCdecrypt, \
aesCFBencrypt, \
aesCFBdecrypt, \
aesOFBencrypt, \
aes_xts_encrypt, aes_xts_decrypt, \
setupAESGCMstate, \
aesgcm_setiv, aesgcm_encrypt, aesgcm_decrypt \
- advanced encryption standard (rijndael)
.SH SYNOPSIS
.B #include <u.h>
.br
.B #include <libc.h>
.br
.B #include <mp.h>
.br
.B #include <libsec.h>
.PP
.in +0.5i
.ti -0.5i
.PP
.B
void	aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16])
.PP
.B
void	aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16])
.PP
.B
void	setupAESstate(AESstate *s, uchar key[], int nkey, uchar *ivec)
.PP
.B
void	aesCBCencrypt(uchar *p, int len, AESstate *s)
.PP
.B
void	aesCBCdecrypt(uchar *p, int len, AESstate *s)
.PP
.B
void	aesCFBencrypt(uchar *p, int len, AESstate *s)
.PP
.B
void	aesCFBdecrypt(uchar *p, int len, AESstate *s)
.PP
.B
void	aesOFBencrypt(uchar *p, int len, AESstate *s)
.PP
.B
void	aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
.PP
.B
void	aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
.PP
.B
void	setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen)
.PP
.B
void	aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)
.PP
.B
void	aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
.PP
.B
int	aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
.SH DESCRIPTION
AES (a.k.a. Rijndael) has replaced DES as the preferred
block cipher.
.I Aes_encrypt
and
.I aes_decrypt
are the block ciphers, corresponding to
.IR des (2)'s
.IR block_cipher .
.I AesCBCencrypt
and
.I aesCBCdecrypt
implement cipher-block-chaining encryption.
.IR AesCFBencrypt ,
.I aesCFBdecrypt
and
.I aesOFBencrypt
implement cipher-feedback- and output-feedback-mode
stream cipher encryption.
.I Aes_xts_encrypt
and
.I aes_xts_decrypt
implement the XTS-AES tweakable block cipher, per IEEE 1619-2017 (see bugs below).
.IR SetupAESstate
is used to initialize the state of the above encryption modes.
The expanded roundkey parameters
.I rk
and
.I Nr
of
.I aes_encrypt
and
.I aes_decrypt
are returned in
.I AESstate.ekey
and
.I AESstate.dkey
with the corresponding number of rounds in
.IR AESstate.rounds .
.IR SetupAESGCMstate ,
.IR aesgcm_setiv ,
.I aesgcm_encrypt
and
.I aesgcm_decrypt
implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD).
Before encryption or decryption, a new initialization vector (nonce) has to be set with
.I aesgcm_setiv
or by calling
.I setupAESGCMstate
with non-zero
.I iv
and
.I ivlen
arguments.
Aesgcm_decrypt returns zero when authentication and decryption where successfull and
non-zero otherwise.
All ciphering is performed in place.
The byte keysize
.I nkey
should be 16, 24, or 32.
The initialization vector
.I ivec
of
.I AESbsize
bytes should be random enough to be unlikely to be reused
but does not need to be
cryptographically strongly unpredictable.
.SH SOURCE
.B /sys/src/libsec
.SH SEE ALSO
.I aescbc
in
.IR secstore (1),
.IR mp (2),
.IR blowfish (2),
.IR des (2),
.IR dsa (2),
.IR elgamal (2),
.IR rc4 (2),
.IR rsa (2),
.IR sechash (2),
.IR prime (2),
.IR rand (2)
.br
.B http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
.SH BUGS
Because of the way that non-multiple-of-16 buffers are handled,
.I aesCBCdecrypt
must be fed buffers of the same size as the
.I aesCBCencrypt
calls that encrypted it.
.PP
The functions
.I aes_xts_encrypt
an
.I aes_xts_decrypt
abort on a non-multiple-of-16 length as ciphertext stealing
is not implemented.
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.TH AES 2`
			`.SH NAME`
aes(2): document aes_xts_encrypt() and aes_xts_decrypt() functions 2017-10-30 02:04:05 +00:00			`setupAESstate, \`
			`aesCBCencrypt, \`
			`aesCBCdecrypt, \`
			`aesCFBencrypt, \`
			`aesCFBdecrypt, \`
			`aesOFBencrypt, \`
			`aes_xts_encrypt, aes_xts_decrypt, \`
			`setupAESGCMstate, \`
			`aesgcm_setiv, aesgcm_encrypt, aesgcm_decrypt \`
			`- advanced encryption standard (rijndael)`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.SH SYNOPSIS`
			`.B #include <u.h>`
			`.br`
			`.B #include <libc.h>`
			`.br`
			`.B #include <mp.h>`
			`.br`
			`.B #include <libsec.h>`
			`.PP`
			`.in +0.5i`
			`.ti -0.5i`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`.PP`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.B`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16])`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.PP`
			`.B`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16])`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.PP`
			`.B`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`void setupAESstate(AESstate s, uchar key[], int nkey, uchar ivec)`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.PP`
			`.B`
			`void aesCBCencrypt(uchar p, int len, AESstate s)`
			`.PP`
			`.B`
			`void aesCBCdecrypt(uchar p, int len, AESstate s)`
			`.PP`
			`.B`
libsec: add AES CFB and AES OFB stream ciphers 2017-10-17 19:34:01 +00:00			`void aesCFBencrypt(uchar p, int len, AESstate s)`
			`.PP`
			`.B`
			`void aesCFBdecrypt(uchar p, int len, AESstate s)`
			`.PP`
			`.B`
			`void aesOFBencrypt(uchar p, int len, AESstate s)`
			`.PP`
			`.B`
aes(2): document aes_xts_encrypt() and aes_xts_decrypt() functions 2017-10-30 02:04:05 +00:00			`void aes_xts_encrypt(AESstate tweak, AESstate ecb, uvlong sectorNumber, uchar input, uchar output, ulong len)`
			`.PP`
			`.B`
			`void aes_xts_decrypt(AESstate tweak, AESstate ecb, uvlong sectorNumber, uchar input, uchar output, ulong len)`
			`.PP`
			`.B`
add portable AES-GCM (Galois/Counter Mode) implementation to libsec and devtls 2016-03-23 01:45:35 +00:00			`void setupAESGCMstate(AESGCMstate s, uchar key, int keylen, uchar *iv, int ivlen)`
			`.PP`
			`.B`
			`void aesgcm_setiv(AESGCMstate s, uchar iv, int ivlen)`
			`.PP`
			`.B`
			`void aesgcm_encrypt(uchar dat, ulong ndat, uchar aad, ulong naad, uchar tag[16], AESGCMstate *s)`
			`.PP`
			`.B`
			`int aesgcm_decrypt(uchar dat, ulong ndat, uchar aad, ulong naad, uchar tag[16], AESGCMstate *s)`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.SH DESCRIPTION`
			`AES (a.k.a. Rijndael) has replaced DES as the preferred`
			`block cipher.`
			`.I Aes_encrypt`
			`and`
			`.I aes_decrypt`
			`are the block ciphers, corresponding to`
			`.IR des (2)'s`
			`.IR block_cipher .`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`.I AesCBCencrypt`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`and`
			`.I aesCBCdecrypt`
			`implement cipher-block-chaining encryption.`
libsec: add AES CFB and AES OFB stream ciphers 2017-10-17 19:34:01 +00:00			`.IR AesCFBencrypt ,`
			`.I aesCFBdecrypt`
			`and`
			`.I aesOFBencrypt`
			`implement cipher-feedback- and output-feedback-mode`
			`stream cipher encryption.`
aes(2): document aes_xts_encrypt() and aes_xts_decrypt() functions 2017-10-30 02:04:05 +00:00			`.I Aes_xts_encrypt`
			`and`
			`.I aes_xts_decrypt`
			`implement the XTS-AES tweakable block cipher, per IEEE 1619-2017 (see bugs below).`
libsec: add AES CFB and AES OFB stream ciphers 2017-10-17 19:34:01 +00:00			`.IR SetupAESstate`
			`is used to initialize the state of the above encryption modes.`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`The expanded roundkey parameters`
			`.I rk`
			`and`
			`.I Nr`
			`of`
			`.I aes_encrypt`
			`and`
			`.I aes_decrypt`
			`are returned in`
			`.I AESstate.ekey`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`and`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`.I AESstate.dkey`
			`with the corresponding number of rounds in`
			`.IR AESstate.rounds .`
add portable AES-GCM (Galois/Counter Mode) implementation to libsec and devtls 2016-03-23 01:45:35 +00:00			`.IR SetupAESGCMstate ,`
			`.IR aesgcm_setiv ,`
			`.I aesgcm_encrypt`
			`and`
			`.I aesgcm_decrypt`
			`implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD).`
			`Before encryption or decryption, a new initialization vector (nonce) has to be set with`
			`.I aesgcm_setiv`
			`or by calling`
			`.I setupAESGCMstate`
			`with non-zero`
			`.I iv`
			`and`
			`.I ivlen`
			`arguments.`
			`Aesgcm_decrypt returns zero when authentication and decryption where successfull and`
			`non-zero otherwise.`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`All ciphering is performed in place.`
libsec: AES-NI support for amd64 Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are NOT stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults. 2017-11-12 22:15:15 +00:00			`The byte keysize`
			`.I nkey`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`should be 16, 24, or 32.`
			`The initialization vector`
			`.I ivec`
			`of`
			`.I AESbsize`
			`bytes should be random enough to be unlikely to be reused`
			`but does not need to be`
			`cryptographically strongly unpredictable.`
			`.SH SOURCE`
			`.B /sys/src/libsec`
			`.SH SEE ALSO`
			`.I aescbc`
			`in`
			`.IR secstore (1),`
			`.IR mp (2),`
			`.IR blowfish (2),`
			`.IR des (2),`
			`.IR dsa (2),`
			`.IR elgamal (2),`
			`.IR rc4 (2),`
			`.IR rsa (2),`
			`.IR sechash (2),`
			`.IR prime (2),`
			`.IR rand (2)`
			`.br`
			`.B http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf`
			`.SH BUGS`
aes(2): mention aesCBC bug 2016-04-09 18:51:24 +00:00			`Because of the way that non-multiple-of-16 buffers are handled,`
			`.I aesCBCdecrypt`
			`must be fed buffers of the same size as the`
			`.I aesCBCencrypt`
			`calls that encrypted it.`
aes(2): document aes_xts_encrypt() and aes_xts_decrypt() functions 2017-10-30 02:04:05 +00:00			`.PP`
			`The functions`
			`.I aes_xts_encrypt`
			`an`
			`.I aes_xts_decrypt`
			`abort on a non-multiple-of-16 length as ciphertext stealing`
			`is not implemented.`