FFmpeg
aes.c
Go to the documentation of this file.
1 /*
2  * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at>
3  *
4  * some optimization ideas from aes128.c by Reimar Doeffinger
5  *
6  * This file is part of FFmpeg.
7  *
8  * FFmpeg is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public
10  * License as published by the Free Software Foundation; either
11  * version 2.1 of the License, or (at your option) any later version.
12  *
13  * FFmpeg is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with FFmpeg; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21  */
22 
23 #include <string.h>
24 
25 #include "config.h"
26 #include "aes.h"
27 #include "aes_internal.h"
28 #include "error.h"
29 #include "intreadwrite.h"
30 #include "macros.h"
31 #include "mem.h"
32 
33 const int av_aes_size= sizeof(AVAES);
34 
35 struct AVAES *av_aes_alloc(void)
36 {
37  return av_mallocz(sizeof(struct AVAES));
38 }
39 
40 static const uint8_t rcon[10] = {
41  0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
42 };
43 
44 static uint8_t sbox[256];
45 static uint8_t inv_sbox[256];
46 #if CONFIG_SMALL
47 static uint32_t enc_multbl[1][256];
48 static uint32_t dec_multbl[1][256];
49 #else
50 static uint32_t enc_multbl[4][256];
51 static uint32_t dec_multbl[4][256];
52 #endif
53 
54 #if HAVE_BIGENDIAN
55 # define ROT(x, s) (((x) >> (s)) | ((x) << (32-(s))))
56 #else
57 # define ROT(x, s) (((x) << (s)) | ((x) >> (32-(s))))
58 #endif
59 
60 static inline void addkey(av_aes_block *dst, const av_aes_block *src,
61  const av_aes_block *round_key)
62 {
63  dst->u64[0] = src->u64[0] ^ round_key->u64[0];
64  dst->u64[1] = src->u64[1] ^ round_key->u64[1];
65 }
66 
67 static inline void addkey_s(av_aes_block *dst, const uint8_t *src,
68  const av_aes_block *round_key)
69 {
70  dst->u64[0] = AV_RN64(src) ^ round_key->u64[0];
71  dst->u64[1] = AV_RN64(src + 8) ^ round_key->u64[1];
72 }
73 
74 static inline void addkey_d(uint8_t *dst, const av_aes_block *src,
75  const av_aes_block *round_key)
76 {
77  AV_WN64(dst, src->u64[0] ^ round_key->u64[0]);
78  AV_WN64(dst + 8, src->u64[1] ^ round_key->u64[1]);
79 }
80 
81 static void subshift(av_aes_block s0[2], int s, const uint8_t *box)
82 {
83  unsigned char *s1_dst = (unsigned char*)s0[0].u8 + 3 - s;
84  const unsigned char *s1_src = s1_dst + sizeof(*s0);
85  unsigned char *s3_dst = (unsigned char*)s0[0].u8 + s + 1;
86  const unsigned char *s3_src = s3_dst + sizeof(*s0);
87 
88  s0[0].u8[ 0] = box[s0[1].u8[ 0]];
89  s0[0].u8[ 4] = box[s0[1].u8[ 4]];
90  s0[0].u8[ 8] = box[s0[1].u8[ 8]];
91  s0[0].u8[12] = box[s0[1].u8[12]];
92  s1_dst[ 0] = box[s1_src[ 4]];
93  s1_dst[ 4] = box[s1_src[ 8]];
94  s1_dst[ 8] = box[s1_src[12]];
95  s1_dst[12] = box[s1_src[ 0]];
96  s0[0].u8[ 2] = box[s0[1].u8[10]];
97  s0[0].u8[10] = box[s0[1].u8[ 2]];
98  s0[0].u8[ 6] = box[s0[1].u8[14]];
99  s0[0].u8[14] = box[s0[1].u8[ 6]];
100  s3_dst[ 0] = box[s3_src[12]];
101  s3_dst[12] = box[s3_src[ 8]];
102  s3_dst[ 8] = box[s3_src[ 4]];
103  s3_dst[ 4] = box[s3_src[ 0]];
104 }
105 
106 static inline int mix_core(uint32_t multbl[][256], int a, int b, int c, int d)
107 {
108 #if CONFIG_SMALL
109  return multbl[0][a] ^ ROT(multbl[0][b], 8) ^ ROT(multbl[0][c], 16) ^ ROT(multbl[0][d], 24);
110 #else
111  return multbl[0][a] ^ multbl[1][b] ^ multbl[2][c] ^ multbl[3][d];
112 #endif
113 }
114 
115 static inline void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3)
116 {
117  uint8_t (*src)[4] = state[1].u8x4;
118  state[0].u32[0] = mix_core(multbl, src[0][0], src[s1 ][1], src[2][2], src[s3 ][3]);
119  state[0].u32[1] = mix_core(multbl, src[1][0], src[s3 - 1][1], src[3][2], src[s1 - 1][3]);
120  state[0].u32[2] = mix_core(multbl, src[2][0], src[s3 ][1], src[0][2], src[s1 ][3]);
121  state[0].u32[3] = mix_core(multbl, src[3][0], src[s1 - 1][1], src[1][2], src[s3 - 1][3]);
122 }
123 
124 static inline void aes_crypt(AVAES *a, int s, const uint8_t *sbox,
125  uint32_t multbl[][256])
126 {
127  int r;
128 
129  for (r = a->rounds - 1; r > 0; r--) {
130  mix(a->state, multbl, 3 - s, 1 + s);
131  addkey(&a->state[1], &a->state[0], &a->round_key[r]);
132  }
133 
134  subshift(&a->state[0], s, sbox);
135 }
136 
137 static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
138  int count, uint8_t *iv, int rounds)
139 {
140  while (count--) {
141  addkey_s(&a->state[1], src, &a->round_key[rounds]);
142  if (iv)
143  addkey_s(&a->state[1], iv, &a->state[1]);
144  aes_crypt(a, 2, sbox, enc_multbl);
145  addkey_d(dst, &a->state[0], &a->round_key[0]);
146  if (iv)
147  memcpy(iv, dst, 16);
148  src += 16;
149  dst += 16;
150  }
151 }
152 
153 static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
154  int count, uint8_t *iv, int rounds)
155 {
156  while (count--) {
157  addkey_s(&a->state[1], src, &a->round_key[rounds]);
158  aes_crypt(a, 0, inv_sbox, dec_multbl);
159  if (iv) {
160  addkey_s(&a->state[0], iv, &a->state[0]);
161  memcpy(iv, src, 16);
162  }
163  addkey_d(dst, &a->state[0], &a->round_key[0]);
164  src += 16;
165  dst += 16;
166  }
167 }
168 
169 void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src,
170  int count, uint8_t *iv, int decrypt)
171 {
172  a->crypt(a, dst, src, count, iv, a->rounds);
173 }
174 
175 static void init_multbl2(uint32_t tbl[][256], const int c[4],
176  const uint8_t *log8, const uint8_t *alog8,
177  const uint8_t *sbox)
178 {
179  int i;
180 
181  for (i = 0; i < 256; i++) {
182  int x = sbox[i];
183  if (x) {
184  int k, l, m, n;
185  x = log8[x];
186  k = alog8[x + log8[c[0]]];
187  l = alog8[x + log8[c[1]]];
188  m = alog8[x + log8[c[2]]];
189  n = alog8[x + log8[c[3]]];
190  tbl[0][i] = AV_NE(MKBETAG(k, l, m, n), MKTAG(k, l, m, n));
191 #if !CONFIG_SMALL
192  tbl[1][i] = ROT(tbl[0][i], 8);
193  tbl[2][i] = ROT(tbl[0][i], 16);
194  tbl[3][i] = ROT(tbl[0][i], 24);
195 #endif
196  }
197  }
198 }
199 
200 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen
201 int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
202 {
203  int i, j, t, rconpointer = 0;
204  uint8_t tk[8][4];
205  int KC = key_bits >> 5;
206  int rounds = KC + 6;
207  uint8_t log8[256];
208  uint8_t alog8[512];
209 
210  a->crypt = decrypt ? aes_decrypt : aes_encrypt;
211  if (ARCH_X86)
212  ff_init_aes_x86(a, decrypt);
213 
214  if (!enc_multbl[FF_ARRAY_ELEMS(enc_multbl) - 1][FF_ARRAY_ELEMS(enc_multbl[0]) - 1]) {
215  j = 1;
216  for (i = 0; i < 255; i++) {
217  alog8[i] = alog8[i + 255] = j;
218  log8[j] = i;
219  j ^= j + j;
220  if (j > 255)
221  j ^= 0x11B;
222  }
223  for (i = 0; i < 256; i++) {
224  j = i ? alog8[255 - log8[i]] : 0;
225  j ^= (j << 1) ^ (j << 2) ^ (j << 3) ^ (j << 4);
226  j = (j ^ (j >> 8) ^ 99) & 255;
227  inv_sbox[j] = i;
228  sbox[i] = j;
229  }
230  init_multbl2(dec_multbl, (const int[4]) { 0xe, 0x9, 0xd, 0xb },
231  log8, alog8, inv_sbox);
232  init_multbl2(enc_multbl, (const int[4]) { 0x2, 0x1, 0x1, 0x3 },
233  log8, alog8, sbox);
234  }
235 
236  if (key_bits != 128 && key_bits != 192 && key_bits != 256)
237  return AVERROR(EINVAL);
238 
239  a->rounds = rounds;
240 
241  memcpy(tk, key, KC * 4);
242  memcpy(a->round_key[0].u8, key, KC * 4);
243 
244  for (t = KC * 4; t < (rounds + 1) * 16; t += KC * 4) {
245  for (i = 0; i < 4; i++)
246  tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]];
247  tk[0][0] ^= rcon[rconpointer++];
248 
249  for (j = 1; j < KC; j++) {
250  if (KC != 8 || j != KC >> 1)
251  for (i = 0; i < 4; i++)
252  tk[j][i] ^= tk[j - 1][i];
253  else
254  for (i = 0; i < 4; i++)
255  tk[j][i] ^= sbox[tk[j - 1][i]];
256  }
257 
258  memcpy((unsigned char*)a->round_key + t, tk, KC * 4);
259  }
260 
261  if (decrypt) {
262  for (i = 1; i < rounds; i++) {
263  av_aes_block tmp[3];
264  tmp[2] = a->round_key[i];
265  subshift(&tmp[1], 0, sbox);
266  mix(tmp, dec_multbl, 1, 3);
267  a->round_key[i] = tmp[0];
268  }
269  } else {
270  for (i = 0; i < (rounds + 1) >> 1; i++)
271  FFSWAP(av_aes_block, a->round_key[i], a->round_key[rounds - i]);
272  }
273 
274  return 0;
275 }
276 
enc_multbl
static uint32_t enc_multbl[4][256]
Definition: aes.c:50
av_aes_init
int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
Initialize an AVAES context.
Definition: aes.c:201
mix
static void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3)
Definition: aes.c:115
r
const char * r
Definition: vf_curves.c:127
AVERROR
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references ownership and permissions
av_aes_block::u64
uint64_t u64[2]
Definition: aes_internal.h:28
av_aes_size
const int av_aes_size
Definition: aes.c:33
aes_crypt
static void aes_crypt(AVAES *a, int s, const uint8_t *sbox, uint32_t multbl[][256])
Definition: aes.c:124
AV_RN64
#define AV_RN64(p)
Definition: intreadwrite.h:364
subshift
static void subshift(av_aes_block s0[2], int s, const uint8_t *box)
Definition: aes.c:81
b
#define b
Definition: input.c:42
addkey_d
static void addkey_d(uint8_t *dst, const av_aes_block *src, const av_aes_block *round_key)
Definition: aes.c:74
addkey
static void addkey(av_aes_block *dst, const av_aes_block *src, const av_aes_block *round_key)
Definition: aes.c:60
mix_core
static int mix_core(uint32_t multbl[][256], int a, int b, int c, int d)
Definition: aes.c:106
AVAES::rounds
int rounds
Definition: aes_internal.h:39
macros.h
addkey_s
static void addkey_s(av_aes_block *dst, const uint8_t *src, const av_aes_block *round_key)
Definition: aes.c:67
rcon
static const uint8_t rcon[10]
Definition: aes.c:40
FF_ARRAY_ELEMS
#define FF_ARRAY_ELEMS(a)
Definition: sinewin_tablegen.c:29
state
static struct @486 state
intreadwrite.h
s
#define s(width, name)
Definition: cbs_vp9.c:198
AV_NE
#define AV_NE(be, le)
Definition: macros.h:33
key
const char * key
Definition: hwcontext_opencl.c:189
av_aes_block
Definition: aes_internal.h:27
aes.h
tmp
static uint8_t tmp[20]
Definition: aes_ctr.c:47
av_aes_crypt
void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
Encrypt or decrypt a buffer using a previously initialized context.
Definition: aes.c:169
av_aes_alloc
struct AVAES * av_aes_alloc(void)
Allocate an AVAES context.
Definition: aes.c:35
c
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32
error.h
dst
uint8_t ptrdiff_t const uint8_t ptrdiff_t int intptr_t intptr_t int int16_t * dst
Definition: dsp.h:83
AVAES::round_key
av_aes_block round_key[15]
Definition: aes_internal.h:37
inv_sbox
static uint8_t inv_sbox[256]
Definition: aes.c:45
MKBETAG
#define MKBETAG(a, b, c, d)
Definition: macros.h:56
a
The reader does not expect b to be semantically here and if the code is changed by maybe adding a a division or other the signedness will almost certainly be mistaken To avoid this confusion a new type was SUINT is the C unsigned type but it holds a signed int to use the same example SUINT a
Definition: undefined.txt:41
ROT
#define ROT(x, s)
Definition: aes.c:57
aes_decrypt
static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int rounds)
Definition: aes.c:153
aes_internal.h
i
#define i(width, name, range_min, range_max)
Definition: cbs_h2645.c:256
ff_init_aes_x86
void ff_init_aes_x86(AVAES *a, int decrypt)
Definition: aes_init.c:30
av_mallocz
void * av_mallocz(size_t size)
Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...
Definition: mem.c:256
FFSWAP
#define FFSWAP(type, a, b)
Definition: macros.h:52
AVAES
Definition: aes_internal.h:34
sbox
static uint8_t sbox[256]
Definition: aes.c:44
mem.h
AV_WN64
#define AV_WN64(p, v)
Definition: intreadwrite.h:376
MKTAG
#define MKTAG(a, b, c, d)
Definition: macros.h:55
dec_multbl
static uint32_t dec_multbl[4][256]
Definition: aes.c:51
aes_encrypt
static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int rounds)
Definition: aes.c:137
init_multbl2
static void init_multbl2(uint32_t tbl[][256], const int c[4], const uint8_t *log8, const uint8_t *alog8, const uint8_t *sbox)
Definition: aes.c:175
src
#define src
Definition: vp8dsp.c:248
Generated on Tue Apr 8 2025 19:22:48 for FFmpeg by   doxygen 1.8.17