Mercurial > libavutil.hg
annotate aes.c @ 191:a2a3c80706e5 libavutil
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
| author | michael |
|---|---|
| date | Sun, 14 Jan 2007 19:39:38 +0000 |
| parents | ce75e74f160f |
| children | 7787c6fb07e1 |
| rev | line source |
|---|---|
| 164 | 1 /* |
| 177 | 2 * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at> and Reimar Doeffinger |
| 164 | 3 * |
| 4 * This file is part of FFmpeg. | |
| 5 * | |
| 6 * FFmpeg is free software; you can redistribute it and/or | |
| 7 * modify it under the terms of the GNU Lesser General Public | |
| 8 * License as published by the Free Software Foundation; either | |
| 9 * version 2.1 of the License, or (at your option) any later version. | |
| 10 * | |
| 11 * FFmpeg is distributed in the hope that it will be useful, | |
| 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 14 * Lesser General Public License for more details. | |
| 15 * | |
| 16 * You should have received a copy of the GNU Lesser General Public | |
| 17 * License along with FFmpeg; if not, write to the Free Software | |
| 18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
| 19 */ | |
| 20 | |
| 21 #include "common.h" | |
| 22 #include "log.h" | |
| 23 #include "aes.h" | |
| 24 | |
| 25 typedef struct AVAES{ | |
| 189 | 26 uint8_t round_key[15][4][4]; |
| 164 | 27 uint8_t state[4][4]; |
| 28 int rounds; | |
| 29 }AVAES; | |
| 30 | |
| 171 | 31 static const uint8_t rcon[11] = { |
| 32 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c | |
| 164 | 33 }; |
| 34 | |
| 35 static uint8_t sbox[256]; | |
| 36 static uint8_t inv_sbox[256]; | |
| 169 | 37 #ifdef CONFIG_SMALL |
| 38 static uint32_t enc_multbl[1][256]; | |
| 39 static uint32_t dec_multbl[1][256]; | |
| 40 #else | |
| 41 static uint32_t enc_multbl[4][256]; | |
| 42 static uint32_t dec_multbl[4][256]; | |
| 43 #endif | |
| 164 | 44 |
| 168 | 45 static inline void addkey(uint64_t state[2], uint64_t round_key[2]){ |
| 46 state[0] ^= round_key[0]; | |
| 47 state[1] ^= round_key[1]; | |
| 164 | 48 } |
| 49 | |
| 50 #define SUBSHIFT0(s, box) s[0]=box[s[ 0]]; s[ 4]=box[s[ 4]]; s[ 8]=box[s[ 8]]; s[12]=box[s[12]]; | |
| 51 #define SUBSHIFT1(s, box) t=s[0]; s[0]=box[s[ 4]]; s[ 4]=box[s[ 8]]; s[ 8]=box[s[12]]; s[12]=box[t]; | |
| 52 #define SUBSHIFT2(s, box) t=s[0]; s[0]=box[s[ 8]]; s[ 8]=box[ t]; t=s[ 4]; s[ 4]=box[s[12]]; s[12]=box[t]; | |
| 53 #define SUBSHIFT3(s, box) t=s[0]; s[0]=box[s[12]]; s[12]=box[s[ 8]]; s[ 8]=box[s[ 4]]; s[ 4]=box[t]; | |
| 54 | |
| 185 | 55 #define SUBSHIFT1x(s) t=s[0]; s[0]=s[ 4]; s[ 4]=s[ 8]; s[ 8]=s[12]; s[12]=t; |
| 56 #define SUBSHIFT2x(s) t=s[0]; s[0]=s[ 8]; s[ 8]= t; t=s[ 4]; s[ 4]=s[12]; s[12]=t; | |
| 57 #define SUBSHIFT3x(s) t=s[0]; s[0]=s[12]; s[12]=s[ 8]; s[ 8]=s[ 4]; s[ 4]=t; | |
| 183 | 58 |
| 181 | 59 #define ROT(x,s) ((x<<s)|(x>>(32-s))) |
| 164 | 60 |
| 169 | 61 static inline void mix(uint8_t state[4][4], uint32_t multbl[4][256]){ |
| 62 int i; | |
| 63 for(i=0; i<4; i++) | |
| 64 #ifdef CONFIG_SMALL | |
| 65 ((uint32_t *)(state))[i] = multbl[0][state[i][0]] ^ ROT(multbl[0][state[i][1]], 8) | |
| 66 ^ROT(multbl[0][state[i][2]],16) ^ ROT(multbl[0][state[i][3]],24); | |
| 67 | |
| 68 #else | |
| 69 ((uint32_t *)(state))[i] = multbl[0][state[i][0]] ^ multbl[1][state[i][1]] | |
| 70 ^multbl[2][state[i][2]] ^ multbl[3][state[i][3]]; | |
| 71 #endif | |
| 164 | 72 } |
| 73 | |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
74 static inline void crypt(AVAES *a, int s, uint8_t *sbox, uint32_t *multbl){ |
| 164 | 75 int t, r; |
| 76 | |
| 188 | 77 for(r=a->rounds; r>1; r--){ |
| 189 | 78 addkey(a->state, a->round_key[r]); |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
79 SUBSHIFT3x((a->state[0]+1+s)) |
| 185 | 80 SUBSHIFT2x((a->state[0]+2)) |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
81 SUBSHIFT1x((a->state[0]+3-s)) |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
82 mix(a->state, multbl); |
| 164 | 83 } |
| 189 | 84 addkey(a->state, a->round_key[1]); |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
85 SUBSHIFT0((a->state[0]+0 ), sbox) |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
86 SUBSHIFT3((a->state[0]+1+s), sbox) |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
87 SUBSHIFT2((a->state[0]+2 ), sbox) |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
88 SUBSHIFT1((a->state[0]+3-s), sbox) |
| 189 | 89 addkey(a->state, a->round_key[0]); |
| 164 | 90 } |
| 91 | |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
92 void av_aes_decrypt(AVAES *a){ |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
93 crypt(a, 0, inv_sbox, dec_multbl); |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
94 } |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
95 |
| 164 | 96 void av_aes_encrypt(AVAES *a){ |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
97 crypt(a, 2, sbox, enc_multbl); |
| 178 | 98 } |
| 99 | |
| 183 | 100 static init_multbl2(uint8_t tbl[1024], int c[4], uint8_t *log8, uint8_t *alog8, uint8_t *sbox){ |
| 101 int i; | |
| 102 for(i=0; i<1024; i++){ | |
| 103 int x= sbox[i/4]; | |
| 104 if(x) tbl[i]= alog8[ log8[x] + log8[c[i&3]] ]; | |
| 105 } | |
| 106 } | |
| 107 | |
| 108 | |
| 164 | 109 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen |
| 189 | 110 AVAES *av_aes_init(uint8_t *key, int key_bits, int decrypt) { |
| 166 | 111 AVAES *a; |
| 164 | 112 int i, j, t, rconpointer = 0; |
| 113 uint8_t tk[8][4]; | |
| 167 | 114 int KC= key_bits/32; |
| 115 int rounds= KC + 6; | |
| 169 | 116 uint8_t log8[256]; |
| 117 uint8_t alog8[512]; | |
| 164 | 118 |
| 119 if(!sbox[255]){ | |
| 120 j=1; | |
| 121 for(i=0; i<255; i++){ | |
| 122 alog8[i]= | |
| 123 alog8[i+255]= j; | |
| 124 log8[j]= i; | |
| 125 j^= j+j; | |
| 126 if(j>255) j^= 0x11B; | |
| 127 } | |
| 128 log8[0]= 255; | |
| 129 for(i=0; i<256; i++){ | |
| 130 j= i ? alog8[255-log8[i]] : 0; | |
| 165 | 131 j ^= (j<<1) ^ (j<<2) ^ (j<<3) ^ (j<<4); |
| 132 j = (j ^ (j>>8) ^ 99) & 255; | |
| 164 | 133 inv_sbox[j]= i; |
| 134 sbox [i]= j; | |
| 135 // av_log(NULL, AV_LOG_ERROR, "%d, ", log8[i]); | |
| 136 } | |
| 184 | 137 init_multbl2(dec_multbl[0], (int[4]){0xe, 0x9, 0xd, 0xb}, log8, alog8, inv_sbox); |
| 181 | 138 #ifndef CONFIG_SMALL |
| 184 | 139 init_multbl2(dec_multbl[1], (int[4]){0xb, 0xe, 0x9, 0xd}, log8, alog8, inv_sbox); |
| 140 init_multbl2(dec_multbl[2], (int[4]){0xd, 0xb, 0xe, 0x9}, log8, alog8, inv_sbox); | |
| 141 init_multbl2(dec_multbl[3], (int[4]){0x9, 0xd, 0xb, 0xe}, log8, alog8, inv_sbox); | |
| 181 | 142 #endif |
| 183 | 143 init_multbl2(enc_multbl[0], (int[4]){0x2, 0x1, 0x1, 0x3}, log8, alog8, sbox); |
| 181 | 144 #ifndef CONFIG_SMALL |
| 183 | 145 init_multbl2(enc_multbl[1], (int[4]){0x3, 0x2, 0x1, 0x1}, log8, alog8, sbox); |
| 146 init_multbl2(enc_multbl[2], (int[4]){0x1, 0x3, 0x2, 0x1}, log8, alog8, sbox); | |
| 147 init_multbl2(enc_multbl[3], (int[4]){0x1, 0x1, 0x3, 0x2}, log8, alog8, sbox); | |
| 181 | 148 #endif |
| 164 | 149 } |
| 150 | |
| 167 | 151 if(key_bits!=128 && key_bits!=192 && key_bits!=256) |
| 164 | 152 return NULL; |
| 153 | |
| 166 | 154 a= av_malloc(sizeof(AVAES)); |
| 167 | 155 a->rounds= rounds; |
| 166 | 156 |
| 164 | 157 memcpy(tk, key, KC*4); |
| 158 | |
|
174
263bbdc10c1e
simplify round_key generation by writing over the end but ensuring that theres some irrelevant stuff afterwards
michael
parents:
173
diff
changeset
|
159 for(t= 0; t < (rounds+1)*4;) { |
| 189 | 160 memcpy(a->round_key[0][t], tk, KC*4); |
|
174
263bbdc10c1e
simplify round_key generation by writing over the end but ensuring that theres some irrelevant stuff afterwards
michael
parents:
173
diff
changeset
|
161 t+= KC; |
| 164 | 162 |
| 163 for(i = 0; i < 4; i++) | |
| 173 | 164 tk[0][i] ^= sbox[tk[KC-1][(i+1)&3]]; |
| 164 | 165 tk[0][0] ^= rcon[rconpointer++]; |
| 166 | |
| 167 for(j = 1; j < KC; j++){ | |
| 168 if(KC != 8 || j != KC/2) | |
| 175 | 169 for(i = 0; i < 4; i++) tk[j][i] ^= tk[j-1][i]; |
| 164 | 170 else |
| 175 | 171 for(i = 0; i < 4; i++) tk[j][i] ^= sbox[tk[j-1][i]]; |
| 164 | 172 } |
| 173 } | |
| 184 | 174 |
| 189 | 175 if(decrypt){ |
| 190 | 176 for(i=1; i<rounds; i++){ |
| 177 for(j=0; j<16; j++) | |
| 178 a->round_key[i][0][j]= sbox[a->round_key[i][0][j]]; | |
| 179 mix(a->round_key[i], dec_multbl); | |
| 180 } | |
|
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
181 }else{ |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
182 for(i=0; i<(rounds+1)/2; i++){ |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
183 for(j=0; j<16; j++) |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
184 FFSWAP(int, a->round_key[i][0][j], a->round_key[rounds-i][0][j]); |
|
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
185 } |
| 187 | 186 } |
| 184 | 187 |
| 164 | 188 return a; |
| 189 } | |
| 190 | |
| 191 #ifdef TEST | |
| 192 | |
| 193 int main(){ | |
| 194 int i,j,k; | |
| 189 | 195 AVAES *ae= av_aes_init("PI=3.141592654..", 128, 0); |
| 196 AVAES *ad= av_aes_init("PI=3.141592654..", 128, 1); | |
| 182 | 197 uint8_t zero[16]= {0}; |
| 198 uint8_t pt[16]= {0x6a, 0x84, 0x86, 0x7c, 0xd7, 0x7e, 0x12, 0xad, 0x07, 0xea, 0x1b, 0xe8, 0x95, 0xc5, 0x3f, 0xa3}; | |
| 199 uint8_t ct[16]= {0x73, 0x22, 0x81, 0xc0, 0xa0, 0xaa, 0xb8, 0xf7, 0xa5, 0x4a, 0x0c, 0x67, 0xa0, 0xc4, 0x5e, 0xcf}; | |
| 189 | 200 AVAES *b= av_aes_init(zero, 128, 1); |
| 183 | 201 |
| 202 /* uint8_t key[16]= {0x42, 0x78, 0xb8, 0x40, 0xfb, 0x44, 0xaa, 0xa7, 0x57, 0xc1, 0xbf, 0x04, 0xac, 0xbe, 0x1a, 0x3e}; | |
| 203 uint8_t IV[16] = {0x57, 0xf0, 0x2a, 0x5c, 0x53, 0x39, 0xda, 0xeb, 0x0a, 0x29, 0x08, 0xa0, 0x6a, 0xc6, 0x39, 0x3f}; | |
| 204 uint8_t pt[16] = {0x3c, 0x88, 0x8b, 0xbb, 0xb1, 0xa8, 0xeb, 0x9f, 0x3e, 0x9b, 0x87, 0xac, 0xaa, 0xd9, 0x86, 0xc4}; | |
| 205 // 66e2f7071c83083b8a557971918850e5 | |
| 206 uint8_t ct[16] = {0x47, 0x9c, 0x89, 0xec, 0x14, 0xbc, 0x98, 0x99, 0x4e, 0x62, 0xb2, 0xc7, 0x05, 0xb5, 0x0, 0x14e}; | |
| 207 // 175bd7832e7e60a1e92aac568a861eb7*/ | |
| 208 uint8_t ckey[16]= {0x10, 0xa5, 0x88, 0x69, 0xd7, 0x4b, 0xe5, 0xa3, 0x74, 0xcf, 0x86, 0x7c, 0xfb, 0x47, 0x38, 0x59}; | |
| 209 uint8_t cct[16] = {0x6d, 0x25, 0x1e, 0x69, 0x44, 0xb0, 0x51, 0xe0, 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65}; | |
| 189 | 210 AVAES *c= av_aes_init(ckey, 128, 1); |
| 164 | 211 |
| 179 | 212 av_log_level= AV_LOG_DEBUG; |
| 213 | |
| 182 | 214 memcpy(b->state, ct, 16); |
| 215 av_aes_decrypt(b); | |
| 216 for(j=0; j<16; j++) | |
| 217 if(pt[j] != b->state[0][j]){ | |
| 218 av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", j, pt[j], b->state[0][j]); | |
| 219 } | |
| 220 | |
| 183 | 221 memcpy(c->state, cct, 16); |
| 222 av_aes_decrypt(c); | |
| 223 for(j=0; j<16; j++) | |
| 224 if(zero[j] != c->state[0][j]){ | |
| 225 av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", j, zero[j], c->state[0][j]); | |
| 226 } | |
| 227 | |
| 164 | 228 for(i=0; i<10000; i++){ |
| 178 | 229 for(j=0; j<16; j++){ |
| 230 pt[j]= random(); | |
| 231 } | |
| 189 | 232 memcpy(ae->state, pt, 16); |
| 179 | 233 {START_TIMER |
| 189 | 234 av_aes_encrypt(ae); |
| 178 | 235 if(!(i&(i-1))) |
| 189 | 236 av_log(NULL, AV_LOG_ERROR, "%02X %02X %02X %02X\n", ae->state[0][0], ae->state[1][1], ae->state[2][2], ae->state[3][3]); |
| 237 memcpy(ad->state, ae->state, 16); | |
| 238 av_aes_decrypt(ad); | |
| 179 | 239 STOP_TIMER("aes")} |
| 178 | 240 for(j=0; j<16; j++){ |
| 189 | 241 if(pt[j] != ad->state[0][j]){ |
| 242 av_log(NULL, AV_LOG_ERROR, "%d %d %02X %02X\n", i,j, pt[j], ad->state[0][j]); | |
| 178 | 243 } |
| 244 } | |
| 164 | 245 } |
| 246 return 0; | |
| 247 } | |
| 248 #endif |