Go to most recent revision | Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 4349 | Serge | 1 | /* |
| 2 | * copyright (c) 2007 Michael Niedermayer |
||
| 3 | * |
||
| 4 | * some optimization ideas from aes128.c by Reimar Doeffinger |
||
| 5 | * |
||
| 6 | * This file is part of FFmpeg. |
||
| 7 | * |
||
| 8 | * FFmpeg is free software; you can redistribute it and/or |
||
| 9 | * modify it under the terms of the GNU Lesser General Public |
||
| 10 | * License as published by the Free Software Foundation; either |
||
| 11 | * version 2.1 of the License, or (at your option) any later version. |
||
| 12 | * |
||
| 13 | * FFmpeg is distributed in the hope that it will be useful, |
||
| 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
| 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
||
| 16 | * Lesser General Public License for more details. |
||
| 17 | * |
||
| 18 | * You should have received a copy of the GNU Lesser General Public |
||
| 19 | * License along with FFmpeg; if not, write to the Free Software |
||
| 20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
||
| 21 | */ |
||
| 22 | |||
| 23 | #include "common.h" |
||
| 24 | #include "aes.h" |
||
| 25 | #include "intreadwrite.h" |
||
| 26 | |||
| 27 | typedef union { |
||
| 28 | uint64_t u64[2]; |
||
| 29 | uint32_t u32[4]; |
||
| 30 | uint8_t u8x4[4][4]; |
||
| 31 | uint8_t u8[16]; |
||
| 32 | } av_aes_block; |
||
| 33 | |||
| 34 | typedef struct AVAES { |
||
| 35 | // Note: round_key[16] is accessed in the init code, but this only |
||
| 36 | // overwrites state, which does not matter (see also commit ba554c0). |
||
| 37 | av_aes_block round_key[15]; |
||
| 38 | av_aes_block state[2]; |
||
| 39 | int rounds; |
||
| 40 | } AVAES; |
||
| 41 | |||
| 42 | const int av_aes_size= sizeof(AVAES); |
||
| 43 | |||
| 44 | struct AVAES *av_aes_alloc(void) |
||
| 45 | { |
||
| 46 | return av_mallocz(sizeof(struct AVAES)); |
||
| 47 | } |
||
| 48 | |||
| 49 | static const uint8_t rcon[10] = { |
||
| 50 | 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 |
||
| 51 | }; |
||
| 52 | |||
| 53 | static uint8_t sbox[256]; |
||
| 54 | static uint8_t inv_sbox[256]; |
||
| 55 | #if CONFIG_SMALL |
||
| 56 | static uint32_t enc_multbl[1][256]; |
||
| 57 | static uint32_t dec_multbl[1][256]; |
||
| 58 | #else |
||
| 59 | static uint32_t enc_multbl[4][256]; |
||
| 60 | static uint32_t dec_multbl[4][256]; |
||
| 61 | #endif |
||
| 62 | |||
| 63 | #if HAVE_BIGENDIAN |
||
| 64 | # define ROT(x, s) ((x >> s) | (x << (32-s))) |
||
| 65 | #else |
||
| 66 | # define ROT(x, s) ((x << s) | (x >> (32-s))) |
||
| 67 | #endif |
||
| 68 | |||
| 69 | static inline void addkey(av_aes_block *dst, const av_aes_block *src, |
||
| 70 | const av_aes_block *round_key) |
||
| 71 | { |
||
| 72 | dst->u64[0] = src->u64[0] ^ round_key->u64[0]; |
||
| 73 | dst->u64[1] = src->u64[1] ^ round_key->u64[1]; |
||
| 74 | } |
||
| 75 | |||
| 76 | static inline void addkey_s(av_aes_block *dst, const uint8_t *src, |
||
| 77 | const av_aes_block *round_key) |
||
| 78 | { |
||
| 79 | dst->u64[0] = AV_RN64(src) ^ round_key->u64[0]; |
||
| 80 | dst->u64[1] = AV_RN64(src + 8) ^ round_key->u64[1]; |
||
| 81 | } |
||
| 82 | |||
| 83 | static inline void addkey_d(uint8_t *dst, const av_aes_block *src, |
||
| 84 | const av_aes_block *round_key) |
||
| 85 | { |
||
| 86 | AV_WN64(dst, src->u64[0] ^ round_key->u64[0]); |
||
| 87 | AV_WN64(dst + 8, src->u64[1] ^ round_key->u64[1]); |
||
| 88 | } |
||
| 89 | |||
| 90 | static void subshift(av_aes_block s0[2], int s, const uint8_t *box) |
||
| 91 | { |
||
| 92 | av_aes_block *s1 = (av_aes_block *) (s0[0].u8 - s); |
||
| 93 | av_aes_block *s3 = (av_aes_block *) (s0[0].u8 + s); |
||
| 94 | |||
| 95 | s0[0].u8[ 0] = box[s0[1].u8[ 0]]; |
||
| 96 | s0[0].u8[ 4] = box[s0[1].u8[ 4]]; |
||
| 97 | s0[0].u8[ 8] = box[s0[1].u8[ 8]]; |
||
| 98 | s0[0].u8[12] = box[s0[1].u8[12]]; |
||
| 99 | s1[0].u8[ 3] = box[s1[1].u8[ 7]]; |
||
| 100 | s1[0].u8[ 7] = box[s1[1].u8[11]]; |
||
| 101 | s1[0].u8[11] = box[s1[1].u8[15]]; |
||
| 102 | s1[0].u8[15] = box[s1[1].u8[ 3]]; |
||
| 103 | s0[0].u8[ 2] = box[s0[1].u8[10]]; |
||
| 104 | s0[0].u8[10] = box[s0[1].u8[ 2]]; |
||
| 105 | s0[0].u8[ 6] = box[s0[1].u8[14]]; |
||
| 106 | s0[0].u8[14] = box[s0[1].u8[ 6]]; |
||
| 107 | s3[0].u8[ 1] = box[s3[1].u8[13]]; |
||
| 108 | s3[0].u8[13] = box[s3[1].u8[ 9]]; |
||
| 109 | s3[0].u8[ 9] = box[s3[1].u8[ 5]]; |
||
| 110 | s3[0].u8[ 5] = box[s3[1].u8[ 1]]; |
||
| 111 | } |
||
| 112 | |||
| 113 | static inline int mix_core(uint32_t multbl[][256], int a, int b, int c, int d){ |
||
| 114 | #if CONFIG_SMALL |
||
| 115 | return multbl[0][a] ^ ROT(multbl[0][b], 8) ^ ROT(multbl[0][c], 16) ^ ROT(multbl[0][d], 24); |
||
| 116 | #else |
||
| 117 | return multbl[0][a] ^ multbl[1][b] ^ multbl[2][c] ^ multbl[3][d]; |
||
| 118 | #endif |
||
| 119 | } |
||
| 120 | |||
| 121 | static inline void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3){ |
||
| 122 | uint8_t (*src)[4] = state[1].u8x4; |
||
| 123 | state[0].u32[0] = mix_core(multbl, src[0][0], src[s1 ][1], src[2][2], src[s3 ][3]); |
||
| 124 | state[0].u32[1] = mix_core(multbl, src[1][0], src[s3-1][1], src[3][2], src[s1-1][3]); |
||
| 125 | state[0].u32[2] = mix_core(multbl, src[2][0], src[s3 ][1], src[0][2], src[s1 ][3]); |
||
| 126 | state[0].u32[3] = mix_core(multbl, src[3][0], src[s1-1][1], src[1][2], src[s3-1][3]); |
||
| 127 | } |
||
| 128 | |||
| 129 | static inline void crypt(AVAES *a, int s, const uint8_t *sbox, |
||
| 130 | uint32_t multbl[][256]) |
||
| 131 | { |
||
| 132 | int r; |
||
| 133 | |||
| 134 | for (r = a->rounds - 1; r > 0; r--) { |
||
| 135 | mix(a->state, multbl, 3 - s, 1 + s); |
||
| 136 | addkey(&a->state[1], &a->state[0], &a->round_key[r]); |
||
| 137 | } |
||
| 138 | |||
| 139 | subshift(&a->state[0], s, sbox); |
||
| 140 | } |
||
| 141 | |||
| 142 | void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src, |
||
| 143 | int count, uint8_t *iv, int decrypt) |
||
| 144 | { |
||
| 145 | while (count--) { |
||
| 146 | addkey_s(&a->state[1], src, &a->round_key[a->rounds]); |
||
| 147 | if (decrypt) { |
||
| 148 | crypt(a, 0, inv_sbox, dec_multbl); |
||
| 149 | if (iv) { |
||
| 150 | addkey_s(&a->state[0], iv, &a->state[0]); |
||
| 151 | memcpy(iv, src, 16); |
||
| 152 | } |
||
| 153 | addkey_d(dst, &a->state[0], &a->round_key[0]); |
||
| 154 | } else { |
||
| 155 | if (iv) |
||
| 156 | addkey_s(&a->state[1], iv, &a->state[1]); |
||
| 157 | crypt(a, 2, sbox, enc_multbl); |
||
| 158 | addkey_d(dst, &a->state[0], &a->round_key[0]); |
||
| 159 | if (iv) |
||
| 160 | memcpy(iv, dst, 16); |
||
| 161 | } |
||
| 162 | src += 16; |
||
| 163 | dst += 16; |
||
| 164 | } |
||
| 165 | } |
||
| 166 | |||
| 167 | static void init_multbl2(uint32_t tbl[][256], const int c[4], |
||
| 168 | const uint8_t *log8, const uint8_t *alog8, |
||
| 169 | const uint8_t *sbox) |
||
| 170 | { |
||
| 171 | int i; |
||
| 172 | |||
| 173 | for (i = 0; i < 256; i++) { |
||
| 174 | int x = sbox[i]; |
||
| 175 | if (x) { |
||
| 176 | int k, l, m, n; |
||
| 177 | x = log8[x]; |
||
| 178 | k = alog8[x + log8[c[0]]]; |
||
| 179 | l = alog8[x + log8[c[1]]]; |
||
| 180 | m = alog8[x + log8[c[2]]]; |
||
| 181 | n = alog8[x + log8[c[3]]]; |
||
| 182 | tbl[0][i] = AV_NE(MKBETAG(k,l,m,n), MKTAG(k,l,m,n)); |
||
| 183 | #if !CONFIG_SMALL |
||
| 184 | tbl[1][i] = ROT(tbl[0][i], 8); |
||
| 185 | tbl[2][i] = ROT(tbl[0][i], 16); |
||
| 186 | tbl[3][i] = ROT(tbl[0][i], 24); |
||
| 187 | #endif |
||
| 188 | } |
||
| 189 | } |
||
| 190 | } |
||
| 191 | |||
| 192 | // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen |
||
| 193 | int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt) |
||
| 194 | { |
||
| 195 | int i, j, t, rconpointer = 0; |
||
| 196 | uint8_t tk[8][4]; |
||
| 197 | int KC = key_bits >> 5; |
||
| 198 | int rounds = KC + 6; |
||
| 199 | uint8_t log8[256]; |
||
| 200 | uint8_t alog8[512]; |
||
| 201 | |||
| 202 | if (!enc_multbl[FF_ARRAY_ELEMS(enc_multbl)-1][FF_ARRAY_ELEMS(enc_multbl[0])-1]) { |
||
| 203 | j = 1; |
||
| 204 | for (i = 0; i < 255; i++) { |
||
| 205 | alog8[i] = alog8[i + 255] = j; |
||
| 206 | log8[j] = i; |
||
| 207 | j ^= j + j; |
||
| 208 | if (j > 255) |
||
| 209 | j ^= 0x11B; |
||
| 210 | } |
||
| 211 | for (i = 0; i < 256; i++) { |
||
| 212 | j = i ? alog8[255 - log8[i]] : 0; |
||
| 213 | j ^= (j << 1) ^ (j << 2) ^ (j << 3) ^ (j << 4); |
||
| 214 | j = (j ^ (j >> 8) ^ 99) & 255; |
||
| 215 | inv_sbox[j] = i; |
||
| 216 | sbox[i] = j; |
||
| 217 | } |
||
| 218 | init_multbl2(dec_multbl, (const int[4]) { 0xe, 0x9, 0xd, 0xb }, |
||
| 219 | log8, alog8, inv_sbox); |
||
| 220 | init_multbl2(enc_multbl, (const int[4]) { 0x2, 0x1, 0x1, 0x3 }, |
||
| 221 | log8, alog8, sbox); |
||
| 222 | } |
||
| 223 | |||
| 224 | if (key_bits != 128 && key_bits != 192 && key_bits != 256) |
||
| 225 | return -1; |
||
| 226 | |||
| 227 | a->rounds = rounds; |
||
| 228 | |||
| 229 | memcpy(tk, key, KC * 4); |
||
| 230 | memcpy(a->round_key[0].u8, key, KC * 4); |
||
| 231 | |||
| 232 | for (t = KC * 4; t < (rounds + 1) * 16; t += KC * 4) { |
||
| 233 | for (i = 0; i < 4; i++) |
||
| 234 | tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]]; |
||
| 235 | tk[0][0] ^= rcon[rconpointer++]; |
||
| 236 | |||
| 237 | for (j = 1; j < KC; j++) { |
||
| 238 | if (KC != 8 || j != KC >> 1) |
||
| 239 | for (i = 0; i < 4; i++) |
||
| 240 | tk[j][i] ^= tk[j - 1][i]; |
||
| 241 | else |
||
| 242 | for (i = 0; i < 4; i++) |
||
| 243 | tk[j][i] ^= sbox[tk[j - 1][i]]; |
||
| 244 | } |
||
| 245 | |||
| 246 | memcpy(a->round_key[0].u8 + t, tk, KC * 4); |
||
| 247 | } |
||
| 248 | |||
| 249 | if (decrypt) { |
||
| 250 | for (i = 1; i < rounds; i++) { |
||
| 251 | av_aes_block tmp[3]; |
||
| 252 | tmp[2] = a->round_key[i]; |
||
| 253 | subshift(&tmp[1], 0, sbox); |
||
| 254 | mix(tmp, dec_multbl, 1, 3); |
||
| 255 | a->round_key[i] = tmp[0]; |
||
| 256 | } |
||
| 257 | } else { |
||
| 258 | for (i = 0; i < (rounds + 1) >> 1; i++) { |
||
| 259 | FFSWAP(av_aes_block, a->round_key[i], a->round_key[rounds-i]); |
||
| 260 | } |
||
| 261 | } |
||
| 262 | |||
| 263 | return 0; |
||
| 264 | } |
||
| 265 | |||
| 266 | #ifdef TEST |
||
| 267 | // LCOV_EXCL_START |
||
| 268 | #include |
||
| 269 | #include "lfg.h" |
||
| 270 | #include "log.h" |
||
| 271 | |||
| 272 | int main(int argc, char **argv) |
||
| 273 | { |
||
| 274 | int i, j; |
||
| 275 | AVAES b; |
||
| 276 | uint8_t rkey[2][16] = { |
||
| 277 | { 0 }, |
||
| 278 | { 0x10, 0xa5, 0x88, 0x69, 0xd7, 0x4b, 0xe5, 0xa3, |
||
| 279 | 0x74, 0xcf, 0x86, 0x7c, 0xfb, 0x47, 0x38, 0x59 } |
||
| 280 | }; |
||
| 281 | uint8_t pt[16], rpt[2][16]= { |
||
| 282 | { 0x6a, 0x84, 0x86, 0x7c, 0xd7, 0x7e, 0x12, 0xad, |
||
| 283 | 0x07, 0xea, 0x1b, 0xe8, 0x95, 0xc5, 0x3f, 0xa3 }, |
||
| 284 | { 0 } |
||
| 285 | }; |
||
| 286 | uint8_t rct[2][16]= { |
||
| 287 | { 0x73, 0x22, 0x81, 0xc0, 0xa0, 0xaa, 0xb8, 0xf7, |
||
| 288 | 0xa5, 0x4a, 0x0c, 0x67, 0xa0, 0xc4, 0x5e, 0xcf }, |
||
| 289 | { 0x6d, 0x25, 0x1e, 0x69, 0x44, 0xb0, 0x51, 0xe0, |
||
| 290 | 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65 } |
||
| 291 | }; |
||
| 292 | uint8_t temp[16]; |
||
| 293 | int err = 0; |
||
| 294 | |||
| 295 | av_log_set_level(AV_LOG_DEBUG); |
||
| 296 | |||
| 297 | for (i = 0; i < 2; i++) { |
||
| 298 | av_aes_init(&b, rkey[i], 128, 1); |
||
| 299 | av_aes_crypt(&b, temp, rct[i], 1, NULL, 1); |
||
| 300 | for (j = 0; j < 16; j++) { |
||
| 301 | if (rpt[i][j] != temp[j]) { |
||
| 302 | av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", |
||
| 303 | j, rpt[i][j], temp[j]); |
||
| 304 | err = 1; |
||
| 305 | } |
||
| 306 | } |
||
| 307 | } |
||
| 308 | |||
| 309 | if (argc > 1 && !strcmp(argv[1], "-t")) { |
||
| 310 | AVAES ae, ad; |
||
| 311 | AVLFG prng; |
||
| 312 | |||
| 313 | av_aes_init(&ae, "PI=3.141592654..", 128, 0); |
||
| 314 | av_aes_init(&ad, "PI=3.141592654..", 128, 1); |
||
| 315 | av_lfg_init(&prng, 1); |
||
| 316 | |||
| 317 | for (i = 0; i < 10000; i++) { |
||
| 318 | for (j = 0; j < 16; j++) { |
||
| 319 | pt[j] = av_lfg_get(&prng); |
||
| 320 | } |
||
| 321 | { |
||
| 322 | START_TIMER; |
||
| 323 | av_aes_crypt(&ae, temp, pt, 1, NULL, 0); |
||
| 324 | if (!(i & (i - 1))) |
||
| 325 | av_log(NULL, AV_LOG_ERROR, "%02X %02X %02X %02X\n", |
||
| 326 | temp[0], temp[5], temp[10], temp[15]); |
||
| 327 | av_aes_crypt(&ad, temp, temp, 1, NULL, 1); |
||
| 328 | STOP_TIMER("aes"); |
||
| 329 | } |
||
| 330 | for (j = 0; j < 16; j++) { |
||
| 331 | if (pt[j] != temp[j]) { |
||
| 332 | av_log(NULL, AV_LOG_ERROR, "%d %d %02X %02X\n", |
||
| 333 | i, j, pt[j], temp[j]); |
||
| 334 | } |
||
| 335 | } |
||
| 336 | } |
||
| 337 | } |
||
| 338 | return err; |
||
| 339 | } |
||
| 340 | // LCOV_EXCL_STOP |
||
| 341 | #endif |