aes(2): document aes_xts_encrypt() and aes_xts_decrypt() functions

[plan9front.git] / sys / man / 2 / aes

.TH AES 2
.SH NAME
setupAESstate, \
aesCBCencrypt, \
aesCBCdecrypt, \
aesCFBencrypt, \
aesCFBdecrypt, \
aesOFBencrypt, \
aes_xts_encrypt, aes_xts_decrypt, \
setupAESXCBCstate, aesXCBCmac, \
setupAESGCMstate, \
aesgcm_setiv, aesgcm_encrypt, aesgcm_decrypt \
- advanced encryption standard (rijndael)
.SH SYNOPSIS
.B #include <u.h>
.br
.B #include <libc.h>
.br
.B #include <mp.h>
.br
.B #include <libsec.h>
.PP
.in +0.5i
.ti -0.5i
.B
void    aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16]);
.PP
.B
void    aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16]);
.PP
.B
void    setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec)
.PP
.B
void    aesCBCencrypt(uchar *p, int len, AESstate *s)
.PP
.B
void    aesCBCdecrypt(uchar *p, int len, AESstate *s)
.PP
.B
void    aesCFBencrypt(uchar *p, int len, AESstate *s)
.PP
.B
void    aesCFBdecrypt(uchar *p, int len, AESstate *s)
.PP
.B
void    aesOFBencrypt(uchar *p, int len, AESstate *s)
.PP
.B
void    aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
.PP
.B
void    aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len)
.PP
.B
void    setupAESXCBCstate(AESstate *s)
.PP
.B
void    aesXCBCmac(uchar *p, int len, AESstate *s)
.PP
.B
void    setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen)
.PP
.B
void    aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)
.PP
.B
void    aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
.PP
.B
int     aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
.SH DESCRIPTION
AES (a.k.a. Rijndael) has replaced DES as the preferred
block cipher.
.I Aes_encrypt
and
.I aes_decrypt
are the block ciphers, corresponding to
.IR des (2)'s
.IR block_cipher .
.IR AesCBCencrypt ,
and
.I aesCBCdecrypt
implement cipher-block-chaining encryption.
.IR AesCFBencrypt ,
.I aesCFBdecrypt
and
.I aesOFBencrypt
implement cipher-feedback- and output-feedback-mode
stream cipher encryption.
.I Aes_xts_encrypt
and
.I aes_xts_decrypt
implement the XTS-AES tweakable block cipher, per IEEE 1619-2017 (see bugs below).
.IR SetupAESstate
is used to initialize the state of the above encryption modes.
.I SetupAESXCBCstate
and
.I aesXCBCmac
implement AES XCBC message authentication, per RFC 3566.
.IR SetupAESGCMstate ,
.IR aesgcm_setiv ,
.I aesgcm_encrypt
and
.I aesgcm_decrypt
implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD).
Before encryption or decryption, a new initialization vector (nonce) has to be set with
.I aesgcm_setiv
or by calling
.I setupAESGCMstate
with non-zero
.I iv
and
.I ivlen
arguments.
Aesgcm_decrypt returns zero when authentication and decryption where successfull and
non-zero otherwise.
All ciphering is performed in place.
.I Keybytes
should be 16, 24, or 32.
The initialization vector
.I ivec
of
.I AESbsize
bytes should be random enough to be unlikely to be reused
but does not need to be
cryptographically strongly unpredictable.
.SH SOURCE
.B /sys/src/libsec
.SH SEE ALSO
.I aescbc
in
.IR secstore (1),
.IR mp (2),
.IR blowfish (2),
.IR des (2),
.IR dsa (2),
.IR elgamal (2),
.IR rc4 (2),
.IR rsa (2),
.IR sechash (2),
.IR prime (2),
.IR rand (2)
.br
.B http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
.SH BUGS
The functions
.IR aes_encrypt ,
.IR aes_decrypt ,
.IR setupAESXCBCstate ,
and
.IR aesXCBCmac
have not yet been verified by running test vectors through them.
.PP
Because of the way that non-multiple-of-16 buffers are handled,
.I aesCBCdecrypt
must be fed buffers of the same size as the
.I aesCBCencrypt
calls that encrypted it.
.PP
The functions
.I aes_xts_encrypt
an
.I aes_xts_decrypt
abort on a non-multiple-of-16 length as ciphertext stealing
is not implemented.