bitcoin-core / ctaes

Simple constant-time AES implementation

AES modes

prusnak opened this issue · comments

Is there a demand or plan to add various AES modes?

You tell us if there is a demand? :) Which modes, in particular? Most modes are fairly trivial. For CTR modes a different AES implementation approach may be best (in particular one that runs several blocks in parallel can be more efficient) although CTR modes are .. yuck.

libbtc has a CBC implementation based on ctaes (only 256). https://github.com/libbtc/libbtc/blob/master/src/aes256_cbc.c

I think there is a demand... I heard of several developers who are doing (or did) a CBC implementation on top of ctaes.

I believe at least CTR and CBC mode should be included here. It's sort of incomplete and dangerous to use without.

CBC, CFB and CTR would be really nice to have.

SIV perhaps, it would be a shame to support ultra-footgunny CTR and not also support at least something relatively safe.

What's the status of this? Still considered a good idea to include some AES modes here, just nobody has time and interest?

At my day job, we are currently looking for some AES library to use both at the server and embedded end, and this looks like a good candidate. And if we implement CBC anyway, I might as well send a PR here.

I would gladly include constant-time CBC here.

CBC mode is implemented in #14.