164 lines
3.6 KiB
Plaintext
164 lines
3.6 KiB
Plaintext
.TH AES 2
|
|
.SH NAME
|
|
setupAESstate, \
|
|
aesCBCencrypt, \
|
|
aesCBCdecrypt, \
|
|
aesCFBencrypt, \
|
|
aesCFBdecrypt, \
|
|
aesOFBencrypt, \
|
|
aes_xts_encrypt, aes_xts_decrypt, \
|
|
setupAESGCMstate, \
|
|
aesgcm_setiv, aesgcm_encrypt, aesgcm_decrypt \
|
|
- advanced encryption standard (rijndael)
|
|
.SH SYNOPSIS
|
|
.B #include <u.h>
|
|
.br
|
|
.B #include <libc.h>
|
|
.br
|
|
.B #include <mp.h>
|
|
.br
|
|
.B #include <libsec.h>
|
|
.PP
|
|
.in +0.5i
|
|
.ti -0.5i
|
|
.PP
|
|
.B
|
|
void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16])
|
|
.PP
|
|
.B
|
|
void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16])
|
|
.PP
|
|
.B
|
|
void setupAESstate(AESstate *s, uchar key[], int nkey, uchar *ivec)
|
|
.PP
|
|
.B
|
|
void aesCBCencrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesCBCdecrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesCFBencrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesCFBdecrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aesOFBencrypt(uchar *p, int len, AESstate *s)
|
|
.PP
|
|
.B
|
|
void aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
|
|
.PP
|
|
.B
|
|
void aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
|
|
.PP
|
|
.B
|
|
void setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen)
|
|
.PP
|
|
.B
|
|
void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)
|
|
.PP
|
|
.B
|
|
void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
|
|
.PP
|
|
.B
|
|
int aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
|
|
.SH DESCRIPTION
|
|
AES (a.k.a. Rijndael) has replaced DES as the preferred
|
|
block cipher.
|
|
.I Aes_encrypt
|
|
and
|
|
.I aes_decrypt
|
|
are the block ciphers, corresponding to
|
|
.IR des (2)'s
|
|
.IR block_cipher .
|
|
.I AesCBCencrypt
|
|
and
|
|
.I aesCBCdecrypt
|
|
implement cipher-block-chaining encryption.
|
|
.IR AesCFBencrypt ,
|
|
.I aesCFBdecrypt
|
|
and
|
|
.I aesOFBencrypt
|
|
implement cipher-feedback- and output-feedback-mode
|
|
stream cipher encryption.
|
|
.I Aes_xts_encrypt
|
|
and
|
|
.I aes_xts_decrypt
|
|
implement the XTS-AES tweakable block cipher, per IEEE 1619-2017 (see bugs below).
|
|
.IR SetupAESstate
|
|
is used to initialize the state of the above encryption modes.
|
|
The expanded roundkey parameters
|
|
.I rk
|
|
and
|
|
.I Nr
|
|
of
|
|
.I aes_encrypt
|
|
and
|
|
.I aes_decrypt
|
|
are returned in
|
|
.I AESstate.ekey
|
|
and
|
|
.I AESstate.dkey
|
|
with the corresponding number of rounds in
|
|
.IR AESstate.rounds .
|
|
.IR SetupAESGCMstate ,
|
|
.IR aesgcm_setiv ,
|
|
.I aesgcm_encrypt
|
|
and
|
|
.I aesgcm_decrypt
|
|
implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD).
|
|
Before encryption or decryption, a new initialization vector (nonce) has to be set with
|
|
.I aesgcm_setiv
|
|
or by calling
|
|
.I setupAESGCMstate
|
|
with non-zero
|
|
.I iv
|
|
and
|
|
.I ivlen
|
|
arguments.
|
|
Aesgcm_decrypt returns zero when authentication and decryption where successfull and
|
|
non-zero otherwise.
|
|
All ciphering is performed in place.
|
|
The byte keysize
|
|
.I nkey
|
|
should be 16, 24, or 32.
|
|
The initialization vector
|
|
.I ivec
|
|
of
|
|
.I AESbsize
|
|
bytes should be random enough to be unlikely to be reused
|
|
but does not need to be
|
|
cryptographically strongly unpredictable.
|
|
.SH SOURCE
|
|
.B /sys/src/libsec
|
|
.SH SEE ALSO
|
|
.I aescbc
|
|
in
|
|
.IR secstore (1),
|
|
.IR mp (2),
|
|
.IR blowfish (2),
|
|
.IR des (2),
|
|
.IR dsa (2),
|
|
.IR elgamal (2),
|
|
.IR rc4 (2),
|
|
.IR rsa (2),
|
|
.IR sechash (2),
|
|
.IR prime (2),
|
|
.IR rand (2)
|
|
.br
|
|
.B http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
|
|
.SH BUGS
|
|
Because of the way that non-multiple-of-16 buffers are handled,
|
|
.I aesCBCdecrypt
|
|
must be fed buffers of the same size as the
|
|
.I aesCBCencrypt
|
|
calls that encrypted it.
|
|
.PP
|
|
The functions
|
|
.I aes_xts_encrypt
|
|
an
|
|
.I aes_xts_decrypt
|
|
abort on a non-multiple-of-16 length as ciphertext stealing
|
|
is not implemented.
|