FFmpeg
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
aes.c
Go to the documentation of this file.
1 /*
2  * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at>
3  *
4  * some optimization ideas from aes128.c by Reimar Doeffinger
5  *
6  * This file is part of FFmpeg.
7  *
8  * FFmpeg is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public
10  * License as published by the Free Software Foundation; either
11  * version 2.1 of the License, or (at your option) any later version.
12  *
13  * FFmpeg is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with FFmpeg; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21  */
22 
23 #include <string.h>
24 
25 #include "config.h"
26 #include "aes.h"
27 #include "aes_internal.h"
28 #include "attributes.h"
29 #include "error.h"
30 #include "intreadwrite.h"
31 #include "macros.h"
32 #include "mem.h"
33 #include "thread.h"
34 
35 const int av_aes_size= sizeof(AVAES);
36 
37 struct AVAES *av_aes_alloc(void)
38 {
39  return av_mallocz(sizeof(struct AVAES));
40 }
41 
42 static const uint8_t rcon[10] = {
43  0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
44 };
45 
46 static uint8_t sbox[256];
47 static uint8_t inv_sbox[256];
48 #if CONFIG_SMALL
49 static uint32_t enc_multbl[1][256];
50 static uint32_t dec_multbl[1][256];
51 #else
52 static uint32_t enc_multbl[4][256];
53 static uint32_t dec_multbl[4][256];
54 #endif
55 
56 #if HAVE_BIGENDIAN
57 # define ROT(x, s) (((x) >> (s)) | ((x) << (32-(s))))
58 #else
59 # define ROT(x, s) (((x) << (s)) | ((x) >> (32-(s))))
60 #endif
61 
62 static inline void addkey(av_aes_block *dst, const av_aes_block *src,
63  const av_aes_block *round_key)
64 {
65  dst->u64[0] = src->u64[0] ^ round_key->u64[0];
66  dst->u64[1] = src->u64[1] ^ round_key->u64[1];
67 }
68 
69 static inline void addkey_s(av_aes_block *dst, const uint8_t *src,
70  const av_aes_block *round_key)
71 {
72  dst->u64[0] = AV_RN64(src) ^ round_key->u64[0];
73  dst->u64[1] = AV_RN64(src + 8) ^ round_key->u64[1];
74 }
75 
76 static inline void addkey_d(uint8_t *dst, const av_aes_block *src,
77  const av_aes_block *round_key)
78 {
79  AV_WN64(dst, src->u64[0] ^ round_key->u64[0]);
80  AV_WN64(dst + 8, src->u64[1] ^ round_key->u64[1]);
81 }
82 
83 static void subshift(av_aes_block s0[2], int s, const uint8_t *box)
84 {
85  unsigned char *s1_dst = (unsigned char*)s0[0].u8 + 3 - s;
86  const unsigned char *s1_src = s1_dst + sizeof(*s0);
87  unsigned char *s3_dst = (unsigned char*)s0[0].u8 + s + 1;
88  const unsigned char *s3_src = s3_dst + sizeof(*s0);
89 
90  s0[0].u8[ 0] = box[s0[1].u8[ 0]];
91  s0[0].u8[ 4] = box[s0[1].u8[ 4]];
92  s0[0].u8[ 8] = box[s0[1].u8[ 8]];
93  s0[0].u8[12] = box[s0[1].u8[12]];
94  s1_dst[ 0] = box[s1_src[ 4]];
95  s1_dst[ 4] = box[s1_src[ 8]];
96  s1_dst[ 8] = box[s1_src[12]];
97  s1_dst[12] = box[s1_src[ 0]];
98  s0[0].u8[ 2] = box[s0[1].u8[10]];
99  s0[0].u8[10] = box[s0[1].u8[ 2]];
100  s0[0].u8[ 6] = box[s0[1].u8[14]];
101  s0[0].u8[14] = box[s0[1].u8[ 6]];
102  s3_dst[ 0] = box[s3_src[12]];
103  s3_dst[12] = box[s3_src[ 8]];
104  s3_dst[ 8] = box[s3_src[ 4]];
105  s3_dst[ 4] = box[s3_src[ 0]];
106 }
107 
108 static inline int mix_core(uint32_t multbl[][256], int a, int b, int c, int d)
109 {
110 #if CONFIG_SMALL
111  return multbl[0][a] ^ ROT(multbl[0][b], 8) ^ ROT(multbl[0][c], 16) ^ ROT(multbl[0][d], 24);
112 #else
113  return multbl[0][a] ^ multbl[1][b] ^ multbl[2][c] ^ multbl[3][d];
114 #endif
115 }
116 
117 static inline void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3)
118 {
119  uint8_t (*src)[4] = state[1].u8x4;
120  state[0].u32[0] = mix_core(multbl, src[0][0], src[s1 ][1], src[2][2], src[s3 ][3]);
121  state[0].u32[1] = mix_core(multbl, src[1][0], src[s3 - 1][1], src[3][2], src[s1 - 1][3]);
122  state[0].u32[2] = mix_core(multbl, src[2][0], src[s3 ][1], src[0][2], src[s1 ][3]);
123  state[0].u32[3] = mix_core(multbl, src[3][0], src[s1 - 1][1], src[1][2], src[s3 - 1][3]);
124 }
125 
126 static inline void aes_crypt(AVAES *a, int s, const uint8_t *sbox,
127  uint32_t multbl[][256])
128 {
129  int r;
130 
131  for (r = a->rounds - 1; r > 0; r--) {
132  mix(a->state, multbl, 3 - s, 1 + s);
133  addkey(&a->state[1], &a->state[0], &a->round_key[r]);
134  }
135 
136  subshift(&a->state[0], s, sbox);
137 }
138 
139 static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
140  int count, uint8_t *iv, int rounds)
141 {
142  while (count--) {
143  addkey_s(&a->state[1], src, &a->round_key[rounds]);
144  if (iv)
145  addkey_s(&a->state[1], iv, &a->state[1]);
146  aes_crypt(a, 2, sbox, enc_multbl);
147  addkey_d(dst, &a->state[0], &a->round_key[0]);
148  if (iv)
149  memcpy(iv, dst, 16);
150  src += 16;
151  dst += 16;
152  }
153 }
154 
155 static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
156  int count, uint8_t *iv, int rounds)
157 {
158  while (count--) {
159  addkey_s(&a->state[1], src, &a->round_key[rounds]);
160  aes_crypt(a, 0, inv_sbox, dec_multbl);
161  if (iv) {
162  addkey_s(&a->state[0], iv, &a->state[0]);
163  memcpy(iv, src, 16);
164  }
165  addkey_d(dst, &a->state[0], &a->round_key[0]);
166  src += 16;
167  dst += 16;
168  }
169 }
170 
171 void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src,
172  int count, uint8_t *iv, int decrypt)
173 {
174  a->crypt(a, dst, src, count, iv, a->rounds);
175 }
176 
177 static void init_multbl2(uint32_t tbl[][256], const int c[4],
178  const uint8_t *log8, const uint8_t *alog8,
179  const uint8_t *sbox)
180 {
181  int i;
182 
183  for (i = 0; i < 256; i++) {
184  int x = sbox[i];
185  if (x) {
186  int k, l, m, n;
187  x = log8[x];
188  k = alog8[x + log8[c[0]]];
189  l = alog8[x + log8[c[1]]];
190  m = alog8[x + log8[c[2]]];
191  n = alog8[x + log8[c[3]]];
192  tbl[0][i] = AV_NE(MKBETAG(k, l, m, n), MKTAG(k, l, m, n));
193 #if !CONFIG_SMALL
194  tbl[1][i] = ROT(tbl[0][i], 8);
195  tbl[2][i] = ROT(tbl[0][i], 16);
196  tbl[3][i] = ROT(tbl[0][i], 24);
197 #endif
198  }
199  }
200 }
201 
202 static AVOnce aes_static_init = AV_ONCE_INIT;
203 
204 static av_cold void aes_init_static(void)
205 {
206  uint8_t log8[256];
207  uint8_t alog8[512];
208  int i, j = 1;
209 
210  for (i = 0; i < 255; i++) {
211  alog8[i] = alog8[i + 255] = j;
212  log8[j] = i;
213  j ^= j + j;
214  if (j > 255)
215  j ^= 0x11B;
216  }
217  for (i = 0; i < 256; i++) {
218  j = i ? alog8[255 - log8[i]] : 0;
219  j ^= (j << 1) ^ (j << 2) ^ (j << 3) ^ (j << 4);
220  j = (j ^ (j >> 8) ^ 99) & 255;
221  inv_sbox[j] = i;
222  sbox[i] = j;
223  }
224  init_multbl2(dec_multbl, (const int[4]) { 0xe, 0x9, 0xd, 0xb },
225  log8, alog8, inv_sbox);
226  init_multbl2(enc_multbl, (const int[4]) { 0x2, 0x1, 0x1, 0x3 },
227  log8, alog8, sbox);
228 }
229 
230 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen
231 int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
232 {
233  int i, j, t, rconpointer = 0;
234  uint8_t tk[8][4];
235  int KC = key_bits >> 5;
236  int rounds = KC + 6;
237 
238  a->rounds = rounds;
239  a->crypt = decrypt ? aes_decrypt : aes_encrypt;
240 #if ARCH_X86
241  ff_init_aes_x86(a, decrypt);
242 #endif
243 
244  ff_thread_once(&aes_static_init, aes_init_static);
245 
246  if (key_bits != 128 && key_bits != 192 && key_bits != 256)
247  return AVERROR(EINVAL);
248 
249  memcpy(tk, key, KC * 4);
250  memcpy(a->round_key[0].u8, key, KC * 4);
251 
252  for (t = KC * 4; t < (rounds + 1) * 16; t += KC * 4) {
253  for (i = 0; i < 4; i++)
254  tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]];
255  tk[0][0] ^= rcon[rconpointer++];
256 
257  for (j = 1; j < KC; j++) {
258  if (KC != 8 || j != KC >> 1)
259  for (i = 0; i < 4; i++)
260  tk[j][i] ^= tk[j - 1][i];
261  else
262  for (i = 0; i < 4; i++)
263  tk[j][i] ^= sbox[tk[j - 1][i]];
264  }
265 
266  memcpy((unsigned char*)a->round_key + t, tk, KC * 4);
267  }
268 
269  if (decrypt) {
270  for (i = 1; i < rounds; i++) {
271  av_aes_block tmp[3];
272  tmp[2] = a->round_key[i];
273  subshift(&tmp[1], 0, sbox);
274  mix(tmp, dec_multbl, 1, 3);
275  a->round_key[i] = tmp[0];
276  }
277  } else {
278  for (i = 0; i < (rounds + 1) >> 1; i++)
279  FFSWAP(av_aes_block, a->round_key[i], a->round_key[rounds - i]);
280  }
281 
282  return 0;
283 }
284 
enc_multbl
static uint32_t enc_multbl[4][256]
Definition: aes.c:52
av_aes_init
int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
Initialize an AVAES context.
Definition: aes.c:231
mix
static void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3)
Definition: aes.c:117
r
const char * r
Definition: vf_curves.c:127
AVERROR
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references ownership and permissions
av_aes_block::u64
uint64_t u64[2]
Definition: aes_internal.h:28
thread.h
av_aes_size
const int av_aes_size
Definition: aes.c:35
aes_crypt
static void aes_crypt(AVAES *a, int s, const uint8_t *sbox, uint32_t multbl[][256])
Definition: aes.c:126
AV_RN64
#define AV_RN64(p)
Definition: intreadwrite.h:364
subshift
static void subshift(av_aes_block s0[2], int s, const uint8_t *box)
Definition: aes.c:83
b
#define b
Definition: input.c:42
addkey_d
static void addkey_d(uint8_t *dst, const av_aes_block *src, const av_aes_block *round_key)
Definition: aes.c:76
addkey
static void addkey(av_aes_block *dst, const av_aes_block *src, const av_aes_block *round_key)
Definition: aes.c:62
mix_core
static int mix_core(uint32_t multbl[][256], int a, int b, int c, int d)
Definition: aes.c:108
AVAES::rounds
int rounds
Definition: aes_internal.h:39
macros.h
addkey_s
static void addkey_s(av_aes_block *dst, const uint8_t *src, const av_aes_block *round_key)
Definition: aes.c:69
rcon
static const uint8_t rcon[10]
Definition: aes.c:42
ff_thread_once
static int ff_thread_once(char *control, void(*routine)(void))
Definition: thread.h:205
av_cold
#define av_cold
Definition: attributes.h:90
intreadwrite.h
s
#define s(width, name)
Definition: cbs_vp9.c:198
AV_NE
#define AV_NE(be, le)
Definition: macros.h:33
state
static struct @492 state
key
const char * key
Definition: hwcontext_opencl.c:189
av_aes_block
Definition: aes_internal.h:27
AV_ONCE_INIT
#define AV_ONCE_INIT
Definition: thread.h:203
aes.h
tmp
static uint8_t tmp[20]
Definition: aes_ctr.c:47
av_aes_crypt
void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt)
Encrypt or decrypt a buffer using a previously initialized context.
Definition: aes.c:171
av_aes_alloc
struct AVAES * av_aes_alloc(void)
Allocate an AVAES context.
Definition: aes.c:37
AVOnce
#define AVOnce
Definition: thread.h:202
c
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32
error.h
dst
uint8_t ptrdiff_t const uint8_t ptrdiff_t int intptr_t intptr_t int int16_t * dst
Definition: dsp.h:83
AVAES::round_key
av_aes_block round_key[15]
Definition: aes_internal.h:37
inv_sbox
static uint8_t inv_sbox[256]
Definition: aes.c:47
MKBETAG
#define MKBETAG(a, b, c, d)
Definition: macros.h:56
a
The reader does not expect b to be semantically here and if the code is changed by maybe adding a a division or other the signedness will almost certainly be mistaken To avoid this confusion a new type was SUINT is the C unsigned type but it holds a signed int to use the same example SUINT a
Definition: undefined.txt:41
attributes.h
ROT
#define ROT(x, s)
Definition: aes.c:59
aes_decrypt
static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int rounds)
Definition: aes.c:155
aes_internal.h
i
#define i(width, name, range_min, range_max)
Definition: cbs_h2645.c:256
ff_init_aes_x86
void ff_init_aes_x86(AVAES *a, int decrypt)
Definition: aes_init.c:38
aes_static_init
static AVOnce aes_static_init
Definition: aes.c:202
av_mallocz
void * av_mallocz(size_t size)
Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...
Definition: mem.c:256
FFSWAP
#define FFSWAP(type, a, b)
Definition: macros.h:52
AVAES
Definition: aes_internal.h:34
sbox
static uint8_t sbox[256]
Definition: aes.c:46
mem.h
AV_WN64
#define AV_WN64(p, v)
Definition: intreadwrite.h:376
MKTAG
#define MKTAG(a, b, c, d)
Definition: macros.h:55
dec_multbl
static uint32_t dec_multbl[4][256]
Definition: aes.c:53
aes_encrypt
static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int rounds)
Definition: aes.c:139
init_multbl2
static void init_multbl2(uint32_t tbl[][256], const int c[4], const uint8_t *log8, const uint8_t *alog8, const uint8_t *sbox)
Definition: aes.c:177
src
#define src
Definition: vp8dsp.c:248
aes_init_static
static av_cold void aes_init_static(void)
Definition: aes.c:204
Generated on Thu Apr 24 2025 19:23:01 for FFmpeg by   doxygen 1.8.17