.TH AES 2
.SH NAME
-setupAESstate, aesCBCencrypt, aesCBCdecrypt, aesCTRencrypt, aesCTRdecrypt, setupAESXCBCstate, aesXCBCmac - advanced encryption standard (rijndael)
+setupAESstate, aesCBCencrypt, aesCBCdecrypt, setupAESXCBCstate, aesXCBCmac, setupAESGCMstate - advanced encryption standard (rijndael)
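Review bot: the new NAME line omits aesgcm_setiv, aesgcm_encrypt and aesgcm_decrypt even though the SYNOPSIS and DESCRIPTION below now document them, so keyword lookups (lookman/man -k) on those names will not find this page. Suggest listing them alongside setupAESGCMstate: `+setupAESstate, aesCBCencrypt, aesCBCdecrypt, setupAESXCBCstate, aesXCBCmac, setupAESGCMstate, aesgcm_setiv, aesgcm_encrypt, aesgcm_decrypt - advanced encryption standard (rijndael)`.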
.SH SYNOPSIS
.B #include <u.h>
.br
void aesCBCdecrypt(uchar *p, int len, AESstate *s)
.PP
.B
-void aesCTRencrypt(uchar *p, int len, AESstate *s)
+void setupAESXCBCstate(AESstate *s)
.PP
.B
-void aesCTRdecrypt(uchar *p, int len, AESstate *s)
+void aesXCBCmac(uchar *p, int len, AESstate *s)
.PP
.B
-void setupAESXCBCstate(AESstate *s)
+void setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen)
.PP
.B
-void aesXCBCmac(uchar *p, int len, AESstate *s)
+void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)
+.PP
+.B
+void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
+.PP
+.B
+int aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s)
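Review bot: style point on the added SYNOPSIS entries: setupAESGCMstate keeps the page's existing camelCase convention while aesgcm_setiv, aesgcm_encrypt and aesgcm_decrypt introduce a lowercase underscore style, and the key-length argument is `int keylen` here where the rest of the page speaks of `keybytes`. If the mixed naming is intentional it is fine, but the keylen/keybytes difference should be reconciled or the DESCRIPTION should say explicitly that the 16/24/32 restriction also applies to keylen.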
.SH DESCRIPTION
AES (a.k.a. Rijndael) has replaced DES as the preferred
block cipher.
and
.I aesCBCdecrypt
implement cipher-block-chaining encryption.
-.I AesCTRencrypt
-and
-.I aesCTRdecrypt
-implement counter mode, per RFC 3686;
-they are identical operations.
-.I setupAESXCBCstate
+.I SetupAESXCBCstate
and
.I aesXCBCmac
implement AES XCBC message authentication, per RFC 3566.
+.IR SetupAESGCMstate ,
+.IR aesgcm_setiv ,
+.I aesgcm_encrypt
+and
+.I aesgcm_decrypt
+implement Galois/Counter Mode (GCM) authenticated encryption with associated data (AEAD).
+Before encryption or decryption, a new initialization vector (nonce) has to be set with
+.I aesgcm_setiv
+or by calling
+.I setupAESGCMstate
+with non-zero
+.I iv
+and
+.I ivlen
+arguments.
+Aesgcm_decrypt returns zero when authentication and decryption where successfull and
+non-zero otherwise.
All ciphering is performed in place.
.I Keybytes
should be 16, 24, or 32.
The functions
.IR aes_encrypt ,
.IR aes_decrypt ,
-.IR aesCTRencrypt ,
-.IR aesCTRdecrypt ,
.IR setupAESXCBCstate ,
and
.IR aesXCBCmac
have not yet been verified by running test vectors through them.
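Review bot: the added sentence at "Aesgcm_decrypt returns zero when authentication and decryption where successfull" has two typos ("where" should be "were", "successfull" should be "successful") and the function name should be marked up like the others, i.e. `.I Aesgcm_decrypt`. Two pieces of documentation a caller needs are also missing: the text says a new IV has to be set before each operation but not that it must never repeat under the same key (a repeated GCM nonce breaks both confidentiality and the authentication guarantee), and it should state that when aesgcm_decrypt returns non-zero the contents of dat are not to be used. Finally, the "not yet been verified by running test vectors" list is updated to drop the CTR functions, but says nothing about the new GCM routines; either add them to that list or note that they were checked against published GCM test vectors.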
+.PP
+Because of the way that non-multiple-of-16 buffers are handled,
+.I aesCBCdecrypt
+must be fed buffers of the same size as the
+.I aesCBCencrypt
+calls that encrypted it.
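Review bot: in the added paragraph, "buffers" is plural, so "that encrypted it" should read "that encrypted them". It would also help the reader to state the consequence directly: a ciphertext produced by one aesCBCencrypt call cannot be split across several aesCBCdecrypt calls (or vice versa) unless every chunk boundary falls on a multiple of 16 bytes.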