1 /*
2  * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at>
3  *
4  * some optimization ideas from aes128.c by Reimar Doeffinger
5  *
6  * This file is part of FFmpeg.
7  *
8  * FFmpeg is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public
10  * License as published by the Free Software Foundation; either
11  * version 2.1 of the License, or (at your option) any later version.
12  *
13  * FFmpeg is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with FFmpeg; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21  */
22 
23 #include <string.h>
24 
25 #include "config.h"
26 #include "aes.h"
27 #include "aes_internal.h"
28 #include "error.h"
29 #include "intreadwrite.h"
30 #include "macros.h"
31 #include "mem.h"
32 #include "thread.h"
33 
/* Size in bytes of the AVAES context (AVAES is a typedef of struct AVAES). */
const int av_aes_size = sizeof(struct AVAES);
35 
/**
 * Allocate a zero-filled AVAES context.
 *
 * @return the new context, or whatever av_mallocz() returns on failure (NULL);
 *         the caller owns the memory.
 */
struct AVAES *av_aes_alloc(void)
{
    struct AVAES *ctx = av_mallocz(sizeof(*ctx));
    return ctx;
}
40 
/* AES round constants: successive powers of x in GF(2^8) reduced by 0x11B
 * (0x80 -> 0x1b). av_aes_init() consumes one per key-expansion step; the
 * 128-bit schedule needs all ten, the longer keys fewer. */
static const uint8_t rcon[10] = {
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
};
44 
/* S-box and inverse S-box. Static storage, so they read as all-zero until
 * aes_init_static() has filled them; nothing here may be used before that. */
static uint8_t sbox[256];
static uint8_t inv_sbox[256];
/* T-tables combining SubBytes and MixColumns (built by init_multbl2()).
 * With CONFIG_SMALL only one table per direction is stored and mix_core()
 * rotates it at run time; otherwise the three rotated copies are precomputed. */
#if CONFIG_SMALL
static uint32_t enc_multbl[1][256];
static uint32_t dec_multbl[1][256];
#else
static uint32_t enc_multbl[4][256];
static uint32_t dec_multbl[4][256];
#endif
54 
/* 32-bit rotate by s bits, 0 < s < 32 (callers use 8, 16 and 24). The
 * rotation direction is flipped between big- and little-endian hosts so that
 * ROT(w, 8) always moves every byte of w one position along in memory order;
 * the table words are assembled from bytes with AV_NE() in init_multbl2(),
 * so this keeps the byte-wise meaning of a rotation host-independent. */
#if HAVE_BIGENDIAN
# define ROT(x, s) (((x) >> (s)) | ((x) << (32-(s))))
#else
# define ROT(x, s) (((x) << (s)) | ((x) >> (32-(s))))
#endif
60 
/* AddRoundKey between two state blocks: dst = src XOR round_key, done as
 * two 64-bit lanes. dst may alias either input; each lane is read before
 * it is written. */
static inline void addkey(av_aes_block *dst, const av_aes_block *src,
                          const av_aes_block *round_key)
{
    for (int lane = 0; lane < 2; lane++)
        dst->u64[lane] = src->u64[lane] ^ round_key->u64[lane];
}
67 
/* AddRoundKey with an unaligned 16-byte source: dst = src XOR round_key.
 * src is read with AV_RN64() so it needs no alignment; dst may alias
 * round_key (aes_encrypt() relies on that for CBC). */
static inline void addkey_s(av_aes_block *dst, const uint8_t *src,
                            const av_aes_block *round_key)
{
    uint64_t lo = AV_RN64(src);
    uint64_t hi = AV_RN64(src + 8);

    dst->u64[0] = lo ^ round_key->u64[0];
    dst->u64[1] = hi ^ round_key->u64[1];
}
74 
/* AddRoundKey to an unaligned 16-byte destination: dst = src XOR round_key,
 * written with AV_WN64() so dst needs no alignment. */
static inline void addkey_d(uint8_t *dst, const av_aes_block *src,
                            const av_aes_block *round_key)
{
    const uint64_t lo = src->u64[0] ^ round_key->u64[0];
    const uint64_t hi = src->u64[1] ^ round_key->u64[1];

    AV_WN64(dst, lo);
    AV_WN64(dst + 8, hi);
}
81 
/* Combined SubBytes + ShiftRows: s0[0] = shift(box[s0[1]]). The state is
 * column-major, byte (row r, column c) at u8[r + 4 * c]. Rows 0 and 2 have
 * a fixed shift; the rows that are shifted by one and by three columns are
 * selected by s (row 3 - s and row s + 1), which is how the same routine
 * serves both directions (aes_encrypt() passes 2, av_aes_init() uses 0
 * for the decryption key schedule). box is sbox or inv_sbox. */
static void subshift(av_aes_block s0[2], int s, const uint8_t *box)
{
    const int r1 = 3 - s;        /* row shifted by one column */
    const int r3 = s + 1;        /* row shifted by three columns */
    const uint8_t *in = s0[1].u8;
    uint8_t *out = s0[0].u8;

    /* row 0: no shift */
    out[ 0] = box[in[ 0]];
    out[ 4] = box[in[ 4]];
    out[ 8] = box[in[ 8]];
    out[12] = box[in[12]];
    /* row r1: each column takes the byte one column to the right */
    out[r1     ] = box[in[r1 +  4]];
    out[r1 +  4] = box[in[r1 +  8]];
    out[r1 +  8] = box[in[r1 + 12]];
    out[r1 + 12] = box[in[r1     ]];
    /* row 2: columns swapped pairwise */
    out[ 2] = box[in[10]];
    out[10] = box[in[ 2]];
    out[ 6] = box[in[14]];
    out[14] = box[in[ 6]];
    /* row r3: each column takes the byte three columns to the right */
    out[r3     ] = box[in[r3 + 12]];
    out[r3 + 12] = box[in[r3 +  8]];
    out[r3 +  8] = box[in[r3 +  4]];
    out[r3 +  4] = box[in[r3     ]];
}
106 
/* One output column of the T-table round: XOR of the table words for the
 * four input bytes a..d, each rotated by 0/8/16/24 bits. With CONFIG_SMALL
 * the rotations are applied here via ROT(); otherwise they come from the
 * precomputed tables multbl[1..3]. */
static inline int mix_core(uint32_t multbl[][256], int a, int b, int c, int d)
{
    uint32_t w = multbl[0][a];
#if CONFIG_SMALL
    w ^= ROT(multbl[0][b], 8);
    w ^= ROT(multbl[0][c], 16);
    w ^= ROT(multbl[0][d], 24);
#else
    w ^= multbl[1][b];
    w ^= multbl[2][c];
    w ^= multbl[3][d];
#endif
    return w;
}
115 
/* T-table round body: state[0] = MixColumns(ShiftRows(SubBytes(state[1]))),
 * with SubBytes folded into the tables (init_multbl2() indexes them through
 * the S-box) and ShiftRows expressed as the column offsets s1/s3 applied to
 * rows 1 and 3. Caller passes (s1, s3) = (1, 3) for one direction and (3, 1)
 * for the other, see aes_crypt(). */
static inline void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3)
{
    uint8_t (*in)[4] = state[1].u8x4;
    uint32_t *out = state[0].u32;

    out[0] = mix_core(multbl, in[0][0], in[s1    ][1], in[2][2], in[s3    ][3]);
    out[1] = mix_core(multbl, in[1][0], in[s3 - 1][1], in[3][2], in[s1 - 1][3]);
    out[2] = mix_core(multbl, in[2][0], in[s3    ][1], in[0][2], in[s1    ][3]);
    out[3] = mix_core(multbl, in[3][0], in[s1 - 1][1], in[1][2], in[s3 - 1][3]);
}
124 
/* Run the rounds on a->state after the caller has done the initial
 * AddRoundKey into a->state[1]: rounds - 1 full T-table rounds (mix() then
 * AddRoundKey with round_key[r], r counting down), followed by the final
 * SubBytes/ShiftRows into a->state[0]. s selects the ShiftRows pattern
 * (2 in aes_encrypt(); 0 gives the opposite row assignment); sbox and
 * multbl are the matching forward or inverse tables. The final AddRoundKey
 * is left to the caller. */
static inline void aes_crypt(AVAES *a, int s, const uint8_t *sbox,
                             uint32_t multbl[][256])
{
    const int s1 = 3 - s;
    const int s3 = 1 + s;
    int r = a->rounds - 1;

    while (r > 0) {
        mix(a->state, multbl, s1, s3);
        addkey(&a->state[1], &a->state[0], &a->round_key[r]);
        r--;
    }

    subshift(&a->state[0], s, sbox);
}
137 
/* Software encryption of count 16-byte blocks (ECB when iv is NULL, CBC
 * otherwise). The key schedule was reversed by av_aes_init() for encryption,
 * so round_key[rounds] is the first key applied and round_key[0] the last.
 * rounds is a->rounds as passed by av_aes_crypt(). */
static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
                        int count, uint8_t *iv, int rounds)
{
    av_aes_block *in  = &a->state[1];
    av_aes_block *out = &a->state[0];

    while (count--) {
        /* initial AddRoundKey; for CBC also XOR in the previous ciphertext */
        addkey_s(in, src, &a->round_key[rounds]);
        if (iv)
            addkey_s(in, iv, in);

        aes_crypt(a, 2, sbox, enc_multbl);

        /* final AddRoundKey straight into the caller's buffer */
        addkey_d(dst, out, &a->round_key[0]);
        if (iv)
            memcpy(iv, dst, 16);   /* CBC: this ciphertext chains into the next block */

        src += 16;
        dst += 16;
    }
}
153 
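/* Software decryption of count 16-byte blocks (ECB when iv is NULL, CBC
 * otherwise). Mirrors aes_encrypt(): initial AddRoundKey, the inverse
 * rounds through aes_crypt() with the inverse S-box and decryption T-tables,
 * then the final AddRoundKey. For decryption av_aes_init() keeps the
 * schedule in forward order (with InvMixColumns folded into the middle
 * keys), so round_key[rounds] is applied first and round_key[0] last.
 * rounds is a->rounds as passed by av_aes_crypt(). */
static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
                        int count, uint8_t *iv, int rounds)
{
    while (count--) {
        addkey_s(&a->state[1], src, &a->round_key[rounds]);

        /* The inverse cipher proper. Without this call the output would be
         * the input XORed with two round keys only, i.e. no decryption at all;
         * s = 0 selects the row assignment opposite to the encryption path. */
        aes_crypt(a, 0, inv_sbox, dec_multbl);

        if (iv) {
            /* CBC: XOR the previous ciphertext into the recovered block, and
             * save this ciphertext before dst is written so that in-place
             * (dst == src) decryption still chains correctly. */
            addkey_s(&a->state[0], iv, &a->state[0]);
            memcpy(iv, src, 16);
        }
        addkey_d(dst, &a->state[0], &a->round_key[0]);
        src += 16;
        dst += 16;
    }
}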
169 
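/**
 * Encrypt or decrypt count 16-byte blocks with a context prepared by
 * av_aes_init().
 *
 * @param a       initialized context; the direction was bound by av_aes_init()
 * @param dst     output buffer, count * 16 bytes
 * @param src     input buffer, count * 16 bytes
 * @param count   number of 16-byte blocks; nothing is done for count <= 0
 * @param iv      NULL for ECB, otherwise the 16-byte CBC chaining value,
 *                updated in place
 * @param decrypt unused here: the direction is selected in av_aes_init()
 *                (a->crypt) and cannot be changed per call
 */
void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src,
                  int count, uint8_t *iv, int decrypt)
{
    /* The software back ends loop with while (count--), so a negative count
     * would run past both buffers; treat it as "no blocks". */
    if (count <= 0)
        return;
    a->crypt(a, dst, src, count, iv, a->rounds);
}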
175 
/* Fill one direction's T-tables. For every byte i, tbl[0][i] holds the four
 * products sbox[i] * c[0..3] in GF(2^8), packed in memory order (k, l, m, n)
 * via AV_NE()/MKBETAG/MKTAG. Products are computed through the log/antilog
 * tables: alog8[log8[x] + log8[c]] with alog8 doubled so the index needs no
 * reduction. Entries whose sbox value is zero are skipped and keep their
 * zero static initial value (0 * c = 0). Without CONFIG_SMALL the three
 * byte-rotated copies are stored in tbl[1..3]; with it mix_core() rotates. */
static void init_multbl2(uint32_t tbl[][256], const int c[4],
                         const uint8_t *log8, const uint8_t *alog8,
                         const uint8_t *sbox)
{
    for (int i = 0; i < 256; i++) {
        const int x = sbox[i];
        if (!x)
            continue;

        const int lx = log8[x];
        const int k  = alog8[lx + log8[c[0]]];
        const int l  = alog8[lx + log8[c[1]]];
        const int m  = alog8[lx + log8[c[2]]];
        const int n  = alog8[lx + log8[c[3]]];
        const uint32_t word = AV_NE(MKBETAG(k, l, m, n), MKTAG(k, l, m, n));

        tbl[0][i] = word;
#if !CONFIG_SMALL
        tbl[1][i] = ROT(word, 8);
        tbl[2][i] = ROT(word, 16);
        tbl[3][i] = ROT(word, 24);
#endif
    }
}
200 
202 
/* Build the static lookup tables: local GF(2^8) log/antilog tables first,
 * then sbox/inv_sbox and the encryption/decryption T-tables. Must have
 * completed before any key schedule or crypt call reads those tables. */
static void aes_init_static(void)
{
    uint8_t log8[256];
    uint8_t alog8[512];
    int i, j = 1;

    /* Powers of the generator 3 (= x + 1) modulo the AES polynomial 0x11B.
     * alog8 is stored twice so that a sum of two logs (at most 254 + 254)
     * can index it without reducing mod 255. log8[0] is never written and
     * must not be read: every user tests for zero (or a non-zero constant)
     * before indexing. */
    for (i = 0; i < 255; i++) {
        alog8[i] = alog8[i + 255] = j;
        log8[j] = i;
        j ^= j + j;       /* j *= 3 in GF(2^8): 3j = 2j XOR j */
        if (j > 255)
            j ^= 0x11B;   /* reduce by x^8 + x^4 + x^3 + x + 1 */
    }
    /* S-box: multiplicative inverse (alog8[255 - log8[i]], with 0 -> 0)
     * followed by the affine map: XOR of the byte with its four left
     * rotations (computed as shifts folded back by >> 8), then XOR 0x63. */
    for (i = 0; i < 256; i++) {
        j = i ? alog8[255 - log8[i]] : 0;
        j ^= (j << 1) ^ (j << 2) ^ (j << 3) ^ (j << 4);
        j = (j ^ (j >> 8) ^ 99) & 255;
        inv_sbox[j] = i;
        sbox[i] = j;
    }
    /* InvMixColumns coefficients {0e,09,0d,0b} indexed through inv_sbox,
     * MixColumns coefficients {02,01,01,03} indexed through sbox. */
    init_multbl2(dec_multbl, (const int[4]) { 0xe, 0x9, 0xd, 0xb },
                 log8, alog8, inv_sbox);
    init_multbl2(enc_multbl, (const int[4]) { 0x2, 0x1, 0x1, 0x3 },
                 log8, alog8, sbox);
}
228 
229 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen
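/**
 * Initialize an AVAES context with a key and a direction.
 *
 * @param a        context to set up; its round keys and direction are overwritten
 * @param key      raw key, key_bits / 8 bytes
 * @param key_bits 128, 192 or 256
 * @param decrypt  non-zero to prepare for decryption, zero for encryption
 * @return 0 on success, AVERROR(EINVAL) for an unsupported key_bits (the
 *         context is left untouched in that case)
 */
int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
{
    int i, j, t, rconpointer = 0;
    uint8_t tk[8][4];
    int KC = key_bits >> 5;                    /* key words: 4, 6 or 8 */
    int rounds = KC + 6;                       /* 10, 12 or 14 */
    const int sched_bytes = (rounds + 1) * 16; /* bytes of round_key the schedule fills */

    /* Validate before touching the context: KC sizes every memcpy below and
     * tk/rcon are only dimensioned for KC <= 8 / ten expansion steps. */
    if (key_bits != 128 && key_bits != 192 && key_bits != 256)
        return AVERROR(EINVAL);

    a->rounds = rounds;
    a->crypt  = decrypt ? aes_decrypt : aes_encrypt;
    if (ARCH_X86)
        ff_init_aes_x86(a, decrypt);

    /* sbox, inv_sbox and the T-tables are zero until aes_init_static() has
     * run, and the key expansion below already reads sbox, so the one-time
     * initialization has to happen here, before any table access. */
    ff_thread_once(&aes_static_init, aes_init_static);

    memcpy(tk, key, KC * 4);
    memcpy(a->round_key[0].u8, key, KC * 4);

    /* Key expansion: each step derives KC new words from the previous KC.
     * Word 0 gets RotWord + SubWord + rcon; for AES-256 (KC == 8) word 4
     * gets an extra SubWord; every other word is XORed with its predecessor. */
    for (t = KC * 4; t < sched_bytes; t += KC * 4) {
        size_t n = (size_t)(sched_bytes - t);

        for (i = 0; i < 4; i++)
            tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]];
        tk[0][0] ^= rcon[rconpointer++];

        for (j = 1; j < KC; j++) {
            if (KC != 8 || j != KC >> 1)
                for (i = 0; i < 4; i++)
                    tk[j][i] ^= tk[j - 1][i];
            else
                for (i = 0; i < 4; i++)
                    tk[j][i] ^= sbox[tk[j - 1][i]];
        }

        /* Bound the copy to the schedule: round_key holds 15 blocks
         * (240 bytes) and for AES-256 the last step produces 32 bytes of
         * which only 16 belong to it. */
        if (n > (size_t)(KC * 4))
            n = (size_t)(KC * 4);
        memcpy((unsigned char*)a->round_key + t, tk, n);
    }

    if (decrypt) {
        /* Fold InvMixColumns into the middle round keys so decryption can
         * reuse the T-table round of aes_crypt(). dec_multbl is indexed
         * through inv_sbox, so subshift() with the forward sbox is applied
         * first to cancel that: tmp[2] -> subshift -> tmp[1] -> mix -> tmp[0]. */
        for (i = 1; i < rounds; i++) {
            av_aes_block tmp[3];
            tmp[2] = a->round_key[i];
            subshift(&tmp[1], 0, sbox);
            mix(tmp, dec_multbl, 1, 3);
            a->round_key[i] = tmp[0];
        }
    } else {
        /* aes_encrypt() applies round_key[rounds] first and round_key[0]
         * last, so store the schedule reversed. */
        for (i = 0; i < (rounds + 1) >> 1; i++)
            FFSWAP(av_aes_block, a->round_key[i], a->round_key[rounds - i]);
    }

    return 0;
}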
282 