AES(2)                                                     AES(2)

     NAME
          aes_encrypt, aes_decrypt, setupAESstate, aesCBCencrypt,
          aesCBCdecrypt, setupAESXCBCstate, aesXCBCmac,
          setupAESGCMstate, aesgcm_setiv, aesgcm_encrypt,
          aesgcm_decrypt - advanced encryption standard (rijndael)

     SYNOPSIS
          #include <u.h>
          #include <libc.h>
          #include <mp.h>
          #include <libsec.h>

          void aes_encrypt(ulong rk[], int Nr, uchar pt[16],
          uchar ct[16])

          void aes_decrypt(ulong rk[], int Nr, uchar ct[16],
          uchar pt[16])

          void setupAESstate(AESstate *s, uchar key[], int keybytes,
          uchar *ivec)

          void aesCBCencrypt(uchar *p, int len, AESstate *s)

          void aesCBCdecrypt(uchar *p, int len, AESstate *s)

          void setupAESXCBCstate(AESstate *s)

          void aesXCBCmac(uchar *p, int len, AESstate *s)

          void setupAESGCMstate(AESGCMstate *s, uchar *key, int
          keylen, uchar *iv, int ivlen)

          void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen)

          void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad,
          ulong naad, uchar tag[16], AESGCMstate *s)

          int  aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad,
          ulong naad, uchar tag[16], AESGCMstate *s)

     DESCRIPTION
          AES (a.k.a. Rijndael) has replaced DES as the preferred
          block cipher.  Aes_encrypt and aes_decrypt are the block
          ciphers, corresponding to des(2)'s block_cipher; rk is the
          expanded round-key schedule and Nr the number of rounds.
          SetupAESstate, aesCBCencrypt, and aesCBCdecrypt implement
          cipher-block-chaining (CBC) encryption.  SetupAESXCBCstate
          and aesXCBCmac implement AES XCBC message authentication,
          per RFC 3566.  SetupAESGCMstate, aesgcm_setiv,
          aesgcm_encrypt and aesgcm_decrypt implement Galois/Counter
          Mode (GCM) authenticated encryption with associated data
          (AEAD): the naad bytes at aad are authenticated but not
          encrypted, and the 16-byte tag is produced by
          aesgcm_encrypt and checked by aesgcm_decrypt.  Before each
          encryption or decryption a fresh initialization vector
          (nonce) has to be set with aesgcm_setiv or by calling
          setupAESGCMstate with non-zero iv and ivlen arguments.  A
          nonce must never be used twice under the same key: reuse
          destroys both the confidentiality and the authenticity
          that GCM provides.  Aesgcm_decrypt returns zero when
          authentication and decryption were successful and non-zero
          otherwise, in which case the contents of dat must not be
          used.  All ciphering is performed in place.  Keybytes
          should be 16, 24, or 32.  The initialization vector ivec of
          AESbsize bytes must not repeat under a given key and, for
          CBC, should be unpredictable to an attacker who can choose
          plaintext; obtain it from a cryptographic random source
          such as genrandom (see rand(2)).
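          The program below is an added illustration and is not part
          of libsec or of Plan 9.  It shows two consequences of the
          description above: that CBC keeps its chaining value in the
          state, so block-aligned data may be fed to aesCBCencrypt in
          any number of calls, and why a counter-mode nonce (GCM
          encrypts with counter mode) must never be reused under one
          key.  So that it builds with any C compiler it substitutes a
          constructed 16-byte toy permutation (toy_block_encrypt) for
          AES; the toy cipher, the ToyState type, and the keys,
          nonces and messages are made up for this example and have no
          cryptographic strength.  The CBC code handles whole blocks
          only and does not reproduce libsec's treatment of a trailing
          partial block.

```c
/* Added illustration, not Plan 9 libsec code.  A made-up 16-byte toy
 * permutation stands in for AES; it has no cryptographic strength. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BSIZE 16   /* same block size as AESbsize */

typedef struct {
	uint8_t key[BSIZE];
	uint8_t ivec[BSIZE];   /* chaining value carried across calls, like AESstate's ivec */
} ToyState;

static uint32_t rotl(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }
static uint32_t rotr(uint32_t x, int n) { return (x >> n) | (x << (32 - n)); }

/* Toy invertible block permutation (stand-in for aes_encrypt). */
static void toy_block_encrypt(const uint8_t key[BSIZE], const uint8_t in[BSIZE], uint8_t out[BSIZE])
{
	uint32_t v[4], k[4];
	memcpy(v, in, BSIZE);
	memcpy(k, key, BSIZE);
	for (int r = 0; r < 12; r++) {
		for (int i = 0; i < 4; i++)
			v[i] = rotl(v[i] + (k[i] ^ (0x9E3779B9u * (uint32_t)(r + 1))), 7);
		v[0] ^= v[1]; v[2] ^= v[3]; v[1] += v[2]; v[3] += v[0];
	}
	memcpy(out, v, BSIZE);
}

/* Exact inverse of toy_block_encrypt (stand-in for aes_decrypt). */
static void toy_block_decrypt(const uint8_t key[BSIZE], const uint8_t in[BSIZE], uint8_t out[BSIZE])
{
	uint32_t v[4], k[4];
	memcpy(v, in, BSIZE);
	memcpy(k, key, BSIZE);
	for (int r = 11; r >= 0; r--) {
		v[3] -= v[0]; v[1] -= v[2]; v[2] ^= v[3]; v[0] ^= v[1];
		for (int i = 0; i < 4; i++)
			v[i] = rotr(v[i], 7) - (k[i] ^ (0x9E3779B9u * (uint32_t)(r + 1)));
	}
	memcpy(out, v, BSIZE);
}

static void toy_setup(ToyState *s, const uint8_t key[BSIZE], const uint8_t ivec[BSIZE])
{
	memcpy(s->key, key, BSIZE);
	memcpy(s->ivec, ivec, BSIZE);
}

/* In-place CBC over whole blocks, as aesCBCencrypt/aesCBCdecrypt do;
 * the ciphertext block just produced becomes the next chaining value. */
static void toy_cbc_encrypt(uint8_t *p, int len, ToyState *s)
{
	for (; len >= BSIZE; len -= BSIZE, p += BSIZE) {
		for (int i = 0; i < BSIZE; i++) p[i] ^= s->ivec[i];
		toy_block_encrypt(s->key, p, s->ivec);
		memcpy(p, s->ivec, BSIZE);
	}
}

static void toy_cbc_decrypt(uint8_t *p, int len, ToyState *s)
{
	uint8_t c[BSIZE];
	for (; len >= BSIZE; len -= BSIZE, p += BSIZE) {
		memcpy(c, p, BSIZE);
		toy_block_decrypt(s->key, c, p);
		for (int i = 0; i < BSIZE; i++) p[i] ^= s->ivec[i];
		memcpy(s->ivec, c, BSIZE);
	}
}

/* Counter mode: keystream block j = E(key, nonce || j), the same
 * construction GCM uses for its encryption layer. */
static void toy_ctr(const uint8_t key[BSIZE], const uint8_t nonce[12], const uint8_t *in, uint8_t *out, int len)
{
	uint8_t blk[BSIZE], ks[BSIZE];
	for (uint32_t j = 1, off = 0; (int)off < len; j++, off += BSIZE) {
		memcpy(blk, nonce, 12);
		blk[12] = (uint8_t)(j >> 24); blk[13] = (uint8_t)(j >> 16);
		blk[14] = (uint8_t)(j >> 8);  blk[15] = (uint8_t)j;
		toy_block_encrypt(key, blk, ks);
		for (int i = 0; i < BSIZE && (int)off + i < len; i++) out[off + i] = in[off + i] ^ ks[i];
	}
}

/* Constructed key and IV for the demonstration only. */
static const uint8_t KEY[BSIZE] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const uint8_t IV[BSIZE]  = {0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87,0x78,0x69,0x5a,0x4b,0x3c,0x2d,0x1e,0x0f};

/* One 64-byte call and calls of 16+32+16 bytes from the same key/IV give
 * identical ciphertext, and decryption restores the text.  Returns 1 on success. */
int cbc_chunking_consistent(void)
{
	uint8_t msg[64], a[64], b[64];
	ToyState s;
	for (int i = 0; i < 64; i++) msg[i] = (uint8_t)('A' + i % 26);
	memcpy(a, msg, 64); memcpy(b, msg, 64);
	toy_setup(&s, KEY, IV); toy_cbc_encrypt(a, 64, &s);
	toy_setup(&s, KEY, IV);
	toy_cbc_encrypt(b, 16, &s); toy_cbc_encrypt(b + 16, 32, &s); toy_cbc_encrypt(b + 48, 16, &s);
	if (memcmp(a, b, 64) != 0) return 0;
	toy_setup(&s, KEY, IV); toy_cbc_decrypt(a, 64, &s);
	return memcmp(a, msg, 64) == 0;
}

/* Encrypts two 32-byte messages under KEY and counts bytes where c1^c2 ==
 * p1^p2.  With the nonce reused the keystreams cancel and all 32 bytes leak
 * the plaintext XOR; with a fresh nonce the keystreams differ, so fewer do. */
int ctr_nonce_reuse_leak(int reuse_nonce)
{
	static const uint8_t n1[12] = {1,2,3,4,5,6,7,8,9,10,11,12};
	static const uint8_t n2[12] = {1,2,3,4,5,6,7,8,9,10,11,13};
	uint8_t p1[32], p2[32], c1[32], c2[32];
	int n = 0;
	for (int i = 0; i < 32; i++) { p1[i] = (uint8_t)('a' + i % 26); p2[i] = (uint8_t)('0' + i % 10); }
	toy_ctr(KEY, n1, p1, c1, 32);
	toy_ctr(KEY, reuse_nonce ? n1 : n2, p2, c2, 32);
	for (int i = 0; i < 32; i++) if ((c1[i] ^ c2[i]) == (p1[i] ^ p2[i])) n++;
	return n;
}

int main(void)
{
	printf("cbc chunked == one-shot and round-trips: %d\n", cbc_chunking_consistent());
	printf("leaked bytes with reused nonce: %d\n", ctr_nonce_reuse_leak(1));
	printf("leaked bytes with fresh nonce:  %d\n", ctr_nonce_reuse_leak(0));
	return 0;
}
```

          The second function is why the description insists on a
          fresh nonce per aesgcm_encrypt call: with counter mode the
          XOR of two ciphertexts under one key and nonce is the XOR
          of the plaintexts, with no need to know the key.  The first
          shows the API-level rule that only the trailing partial
          block (see BUGS) ties decryption to the encryption call
          sizes; whole blocks chain through the state regardless of
          how they are split.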

     SOURCE
          /sys/src/libsec

     SEE ALSO
          aescbc in secstore(1), mp(2), blowfish(2), des(2), dsa(2),
          elgamal(2), rc4(2), rsa(2), sechash(2), prime(2), rand(2)
          http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

     BUGS
          The functions aes_encrypt, aes_decrypt, setupAESXCBCstate,
          and aesXCBCmac have not yet been verified by running test
          vectors through them.

          Because of the way that buffers whose length is not a mul-
          tiple of 16 are handled, aesCBCdecrypt must be fed buffers
          of the same sizes as the aesCBCencrypt calls that encrypted
          them.