![cinap_lenrek](/assets/img/avatar_default.png)
Add assembler versions for aes_encrypt/aes_decrypt and the key setup using AES-NI instruction set. This makes aes_encrypt and aes_decrypt into function pointers which get initialized by the first call to setupAESstate(). Note that the expanded round key words are *NOT* stored in big endian order as with the portable implementation. For that reason the AESstate.ekey and AESstate.dkey fields have been changed to void* forcing an error when someone is accessing the roundkey words. One offender was aesXCBmac, which doesnt appear to be used and the code looks horrible so it has been deleted. The AES-NI implementation is for amd64 only as it requires the kernel to save/restore the FPU state across syscalls and pagefaults.
164 lines
3.6 KiB
Plaintext
164 lines
3.6 KiB
Plaintext
.TH AES 2
|
|
.SH NAME
|
|
setupAESstate, \
|
|
aesCBCencrypt, \
|
|
aesCBCdecrypt, \
|
|
aesCFBencrypt, \
|
|
aesCFBdecrypt, \
|
|
aesOFBencrypt, \
|
|
aes_xts_encrypt, aes_xts_decrypt, \
|
|
setupAESGCMstate, \
|
|
aesgcm_setiv, aesgcm_encrypt, aesgcm_decrypt \
|
|
- advanced encryption standard (rijndael)
|
|
.SH SYNOPSIS
|
|
.B #include <u.h>
|
|
.br
|
|
.B #include <libc.h>
|
|
.br
|
|
.B #include <mp.h>
|
|
.br
|
|
.B #include <libsec.h>
|
|
.PP
|
|
.in +0.5i
|
|
.ti -0.5i
|
|
.PP
|
|
.B
|
|
void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16])
|
|
.PP
|
|
.B
|
|
void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16])
|
|
.PP
|
|
.B
|
|
void setupAESstate(AESstate *s, uchar key[], int nkey, uchar *ivec)
|
|
.PP
|
|
.B
|
|
void aesCBCencrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesCBCdecrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesCFBencrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesCFBdecrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesOFBencrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
|
|
.PP
|
|
.B
|
|
void aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
|
|
.PP
|
|
.B
|
|
void setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen)
|
|
.PP
|
|
.B
|
|
void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)
|
|
.PP
|
|
.B
|
|
void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
|
|
.PP
|
|
.B
|
|
int aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
|
|
.SH DESCRIPTION
|
|
AES (a.k.a. Rijndael) has replaced DES as the preferred
|
|
block cipher.
|
|
.I Aes_encrypt
|
|
and
|
|
.I aes_decrypt
|
|
are the block ciphers, corresponding to
|
|
.IR des (2)'s
|
|
.IR block_cipher .
|
|
.I AesCBCencrypt
|
|
and
|
|
.I aesCBCdecrypt
|
|
implement cipher-block-chaining encryption.
|
|
.IR AesCFBencrypt ,
|
|
.I aesCFBdecrypt
|
|
and
|
|
.I aesOFBencrypt
|
|
implement cipher-feedback- and output-feedback-mode
|
|
stream cipher encryption.
|
|
.I Aes_xts_encrypt
|
|
and
|
|
.I aes_xts_decrypt
|
|
implement the XTS-AES tweakable block cipher, per IEEE 1619-2017 (see bugs below).
|
|
.IR SetupAESstate
|
|
is used to initialize the state of the above encryption modes.
|
|
The expanded roundkey parameters
|
|
.I rk
|
|
and
|
|
.I Nr
|
|
of
|
|
.I aes_encrypt
|
|
and
|
|
.I aes_decrypt
|
|
are returned in
|
|
.I AESstate.ekey
|
|
and
|
|
.I AESstate.dkey
|
|
with the corresponding number of rounds in
|
|
.IR AESstate.rounds .
|
|
.IR SetupAESGCMstate ,
|
|
.IR aesgcm_setiv ,
|
|
.I aesgcm_encrypt
|
|
and
|
|
.I aesgcm_decrypt
|
|
implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD).
|
|
Before encryption or decryption, a new initialization vector (nonce) has to be set with
|
|
.I aesgcm_setiv
|
|
or by calling
|
|
.I setupAESGCMstate
|
|
with non-zero
|
|
.I iv
|
|
and
|
|
.I ivlen
|
|
arguments.
|
|
Aesgcm_decrypt returns zero when authentication and decryption where successfull and
|
|
non-zero otherwise.
|
|
All ciphering is performed in place.
|
|
The byte keysize
|
|
.I nkey
|
|
should be 16, 24, or 32.
|
|
The initialization vector
|
|
.I ivec
|
|
of
|
|
.I AESbsize
|
|
bytes should be random enough to be unlikely to be reused
|
|
but does not need to be
|
|
cryptographically strongly unpredictable.
|
|
.SH SOURCE
|
|
.B /sys/src/libsec
|
|
.SH SEE ALSO
|
|
.I aescbc
|
|
in
|
|
.IR secstore (1),
|
|
.IR mp (2),
|
|
.IR blowfish (2),
|
|
.IR des (2),
|
|
.IR dsa (2),
|
|
.IR elgamal (2),
|
|
.IR rc4 (2),
|
|
.IR rsa (2),
|
|
.IR sechash (2),
|
|
.IR prime (2),
|
|
.IR rand (2)
|
|
.br
|
|
.B http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
|
|
.SH BUGS
|
|
Because of the way that non-multiple-of-16 buffers are handled,
|
|
.I aesCBCdecrypt
|
|
must be fed buffers of the same size as the
|
|
.I aesCBCencrypt
|
|
calls that encrypted it.
|
|
.PP
|
|
The functions
|
|
.I aes_xts_encrypt
|
|
an
|
|
.I aes_xts_decrypt
|
|
abort on a non-multiple-of-16 length as ciphertext stealing
|
|
is not implemented.
|