• Main Page
  • Related Pages
  • Modules
  • Data Structures
  • Files
  • File List
  • Globals

libavutil/aes.c

Go to the documentation of this file.
00001 /*
00002  * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at>
00003  *
00004  * some optimization ideas from aes128.c by Reimar Doeffinger
00005  *
00006  * This file is part of FFmpeg.
00007  *
00008  * FFmpeg is free software; you can redistribute it and/or
00009  * modify it under the terms of the GNU Lesser General Public
00010  * License as published by the Free Software Foundation; either
00011  * version 2.1 of the License, or (at your option) any later version.
00012  *
00013  * FFmpeg is distributed in the hope that it will be useful,
00014  * but WITHOUT ANY WARRANTY; without even the implied warranty of
00015  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00016  * Lesser General Public License for more details.
00017  *
00018  * You should have received a copy of the GNU Lesser General Public
00019  * License along with FFmpeg; if not, write to the Free Software
00020  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
00021  */
00022 
00023 #include "common.h"
00024 #include "aes.h"
00025 
00026 typedef struct AVAES{
00027     // Note: round_key[16] is accessed in the init code, but this only
00028     // overwrites state, which does not matter (see also r7471).
00029     uint8_t round_key[15][4][4];
00030     uint8_t state[2][4][4];
00031     int rounds;
00032 }AVAES;
00033 
00034 const int av_aes_size= sizeof(AVAES);
00035 
00036 static const uint8_t rcon[10] = {
00037   0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
00038 };
00039 
00040 static uint8_t     sbox[256];
00041 static uint8_t inv_sbox[256];
00042 #if CONFIG_SMALL
00043 static uint32_t enc_multbl[1][256];
00044 static uint32_t dec_multbl[1][256];
00045 #else
00046 static uint32_t enc_multbl[4][256];
00047 static uint32_t dec_multbl[4][256];
00048 #endif
00049 
00050 static inline void addkey(uint64_t dst[2], const uint64_t src[2], const uint64_t round_key[2]){
00051     dst[0] = src[0] ^ round_key[0];
00052     dst[1] = src[1] ^ round_key[1];
00053 }
00054 
00055 static void subshift(uint8_t s0[2][16], int s, const uint8_t *box){
00056     uint8_t (*s1)[16]= s0[0] - s;
00057     uint8_t (*s3)[16]= s0[0] + s;
00058     s0[0][0]=box[s0[1][ 0]]; s0[0][ 4]=box[s0[1][ 4]]; s0[0][ 8]=box[s0[1][ 8]]; s0[0][12]=box[s0[1][12]];
00059     s1[0][3]=box[s1[1][ 7]]; s1[0][ 7]=box[s1[1][11]]; s1[0][11]=box[s1[1][15]]; s1[0][15]=box[s1[1][ 3]];
00060     s0[0][2]=box[s0[1][10]]; s0[0][10]=box[s0[1][ 2]]; s0[0][ 6]=box[s0[1][14]]; s0[0][14]=box[s0[1][ 6]];
00061     s3[0][1]=box[s3[1][13]]; s3[0][13]=box[s3[1][ 9]]; s3[0][ 9]=box[s3[1][ 5]]; s3[0][ 5]=box[s3[1][ 1]];
00062 }
00063 
00064 static inline int mix_core(uint32_t multbl[4][256], int a, int b, int c, int d){
00065 #if CONFIG_SMALL
00066 #define ROT(x,s) ((x<<s)|(x>>(32-s)))
00067     return multbl[0][a] ^ ROT(multbl[0][b], 8) ^ ROT(multbl[0][c], 16) ^ ROT(multbl[0][d], 24);
00068 #else
00069     return multbl[0][a] ^ multbl[1][b] ^ multbl[2][c] ^ multbl[3][d];
00070 #endif
00071 }
00072 
00073 static inline void mix(uint8_t state[2][4][4], uint32_t multbl[4][256], int s1, int s3){
00074     ((uint32_t *)(state))[0] = mix_core(multbl, state[1][0][0], state[1][s1  ][1], state[1][2][2], state[1][s3  ][3]);
00075     ((uint32_t *)(state))[1] = mix_core(multbl, state[1][1][0], state[1][s3-1][1], state[1][3][2], state[1][s1-1][3]);
00076     ((uint32_t *)(state))[2] = mix_core(multbl, state[1][2][0], state[1][s3  ][1], state[1][0][2], state[1][s1  ][3]);
00077     ((uint32_t *)(state))[3] = mix_core(multbl, state[1][3][0], state[1][s1-1][1], state[1][1][2], state[1][s3-1][3]);
00078 }
00079 
00080 static inline void crypt(AVAES *a, int s, const uint8_t *sbox, const uint32_t *multbl){
00081     int r;
00082 
00083     for(r=a->rounds-1; r>0; r--){
00084         mix(a->state, multbl, 3-s, 1+s);
00085         addkey(a->state[1], a->state[0], a->round_key[r]);
00086     }
00087     subshift(a->state[0][0], s, sbox);
00088 }
00089 
00090 void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decrypt){
00091     while(count--){
00092         addkey(a->state[1], src, a->round_key[a->rounds]);
00093         if(decrypt) {
00094             crypt(a, 0, inv_sbox, dec_multbl);
00095             if(iv){
00096                 addkey(a->state[0], a->state[0], iv);
00097                 memcpy(iv, src, 16);
00098             }
00099             addkey(dst, a->state[0], a->round_key[0]);
00100         }else{
00101             if(iv) addkey(a->state[1], a->state[1], iv);
00102             crypt(a, 2,     sbox, enc_multbl);
00103             addkey(dst, a->state[0], a->round_key[0]);
00104             if(iv) memcpy(iv, dst, 16);
00105         }
00106         src+=16;
00107         dst+=16;
00108     }
00109 }
00110 
00111 static void init_multbl2(uint8_t tbl[1024], const int c[4], const uint8_t *log8, const uint8_t *alog8, const uint8_t *sbox){
00112     int i, j;
00113     for(i=0; i<1024; i++){
00114         int x= sbox[i>>2];
00115         if(x) tbl[i]= alog8[ log8[x] + log8[c[i&3]] ];
00116     }
00117 #if !CONFIG_SMALL
00118     for(j=256; j<1024; j++)
00119         for(i=0; i<4; i++)
00120             tbl[4*j+i]= tbl[4*j + ((i-1)&3) - 1024];
00121 #endif
00122 }
00123 
00124 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen
00125 int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt) {
00126     int i, j, t, rconpointer = 0;
00127     uint8_t tk[8][4];
00128     int KC= key_bits>>5;
00129     int rounds= KC + 6;
00130     uint8_t  log8[256];
00131     uint8_t alog8[512];
00132 
00133     if(!enc_multbl[0][sizeof(enc_multbl)/sizeof(enc_multbl[0][0])-1]){
00134         j=1;
00135         for(i=0; i<255; i++){
00136             alog8[i]=
00137             alog8[i+255]= j;
00138             log8[j]= i;
00139             j^= j+j;
00140             if(j>255) j^= 0x11B;
00141         }
00142         for(i=0; i<256; i++){
00143             j= i ? alog8[255-log8[i]] : 0;
00144             j ^= (j<<1) ^ (j<<2) ^ (j<<3) ^ (j<<4);
00145             j = (j ^ (j>>8) ^ 99) & 255;
00146             inv_sbox[j]= i;
00147             sbox    [i]= j;
00148         }
00149         init_multbl2(dec_multbl[0], (const int[4]){0xe, 0x9, 0xd, 0xb}, log8, alog8, inv_sbox);
00150         init_multbl2(enc_multbl[0], (const int[4]){0x2, 0x1, 0x1, 0x3}, log8, alog8, sbox);
00151     }
00152 
00153     if(key_bits!=128 && key_bits!=192 && key_bits!=256)
00154         return -1;
00155 
00156     a->rounds= rounds;
00157 
00158     memcpy(tk, key, KC*4);
00159 
00160     for(t= 0; t < (rounds+1)*16;) {
00161         memcpy(a->round_key[0][0]+t, tk, KC*4);
00162         t+= KC*4;
00163 
00164         for(i = 0; i < 4; i++)
00165             tk[0][i] ^= sbox[tk[KC-1][(i+1)&3]];
00166         tk[0][0] ^= rcon[rconpointer++];
00167 
00168         for(j = 1; j < KC; j++){
00169             if(KC != 8 || j != KC>>1)
00170                 for(i = 0; i < 4; i++) tk[j][i] ^=      tk[j-1][i];
00171             else
00172                 for(i = 0; i < 4; i++) tk[j][i] ^= sbox[tk[j-1][i]];
00173         }
00174     }
00175 
00176     if(decrypt){
00177         for(i=1; i<rounds; i++){
00178             uint8_t tmp[3][16];
00179             memcpy(tmp[2], a->round_key[i][0], 16);
00180             subshift(tmp[1], 0, sbox);
00181             mix(tmp, dec_multbl, 1, 3);
00182             memcpy(a->round_key[i][0], tmp[0], 16);
00183         }
00184     }else{
00185         for(i=0; i<(rounds+1)>>1; i++){
00186             for(j=0; j<16; j++)
00187                 FFSWAP(int, a->round_key[i][0][j], a->round_key[rounds-i][0][j]);
00188         }
00189     }
00190 
00191     return 0;
00192 }
00193 
00194 #ifdef TEST
00195 #include "lfg.h"
00196 #include "log.h"
00197 
00198 int main(void){
00199     int i,j;
00200     AVAES ae, ad, b;
00201     uint8_t rkey[2][16]= {
00202         {0},
00203         {0x10, 0xa5, 0x88, 0x69, 0xd7, 0x4b, 0xe5, 0xa3, 0x74, 0xcf, 0x86, 0x7c, 0xfb, 0x47, 0x38, 0x59}};
00204     uint8_t pt[16], rpt[2][16]= {
00205         {0x6a, 0x84, 0x86, 0x7c, 0xd7, 0x7e, 0x12, 0xad, 0x07, 0xea, 0x1b, 0xe8, 0x95, 0xc5, 0x3f, 0xa3},
00206         {0}};
00207     uint8_t rct[2][16]= {
00208         {0x73, 0x22, 0x81, 0xc0, 0xa0, 0xaa, 0xb8, 0xf7, 0xa5, 0x4a, 0x0c, 0x67, 0xa0, 0xc4, 0x5e, 0xcf},
00209         {0x6d, 0x25, 0x1e, 0x69, 0x44, 0xb0, 0x51, 0xe0, 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65}};
00210     uint8_t temp[16];
00211     AVLFG prng;
00212 
00213     av_aes_init(&ae, "PI=3.141592654..", 128, 0);
00214     av_aes_init(&ad, "PI=3.141592654..", 128, 1);
00215     av_log_set_level(AV_LOG_DEBUG);
00216     av_lfg_init(&prng, 1);
00217 
00218     for(i=0; i<2; i++){
00219         av_aes_init(&b, rkey[i], 128, 1);
00220         av_aes_crypt(&b, temp, rct[i], 1, NULL, 1);
00221         for(j=0; j<16; j++)
00222             if(rpt[i][j] != temp[j])
00223                 av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", j, rpt[i][j], temp[j]);
00224     }
00225 
00226     for(i=0; i<10000; i++){
00227         for(j=0; j<16; j++){
00228             pt[j] = av_lfg_get(&prng);
00229         }
00230 {START_TIMER
00231         av_aes_crypt(&ae, temp, pt, 1, NULL, 0);
00232         if(!(i&(i-1)))
00233             av_log(NULL, AV_LOG_ERROR, "%02X %02X %02X %02X\n", temp[0], temp[5], temp[10], temp[15]);
00234         av_aes_crypt(&ad, temp, temp, 1, NULL, 1);
00235 STOP_TIMER("aes")}
00236         for(j=0; j<16; j++){
00237             if(pt[j] != temp[j]){
00238                 av_log(NULL, AV_LOG_ERROR, "%d %d %02X %02X\n", i,j, pt[j], temp[j]);
00239             }
00240         }
00241     }
00242     return 0;
00243 }
00244 #endif

Generated on Fri Sep 16 2011 17:17:51 for FFmpeg by  doxygen 1.7.1