Mercurial > libavutil.hg
annotate aes.c @ 191:a2a3c80706e5 libavutil
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
author | michael |
---|---|
date | Sun, 14 Jan 2007 19:39:38 +0000 |
parents | ce75e74f160f |
children | 7787c6fb07e1 |
rev | line source |
---|---|
164 | 1 /* |
177 | 2 * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at> and Reimar Doeffinger |
164 | 3 * |
4 * This file is part of FFmpeg. | |
5 * | |
6 * FFmpeg is free software; you can redistribute it and/or | |
7 * modify it under the terms of the GNU Lesser General Public | |
8 * License as published by the Free Software Foundation; either | |
9 * version 2.1 of the License, or (at your option) any later version. | |
10 * | |
11 * FFmpeg is distributed in the hope that it will be useful, | |
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 * Lesser General Public License for more details. | |
15 * | |
16 * You should have received a copy of the GNU Lesser General Public | |
17 * License along with FFmpeg; if not, write to the Free Software | |
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
19 */ | |
20 | |
21 #include "common.h" | |
22 #include "log.h" | |
23 #include "aes.h" | |
24 | |
25 typedef struct AVAES{ | |
189 | 26 uint8_t round_key[15][4][4]; |
164 | 27 uint8_t state[4][4]; |
28 int rounds; | |
29 }AVAES; | |
30 | |
171 | 31 static const uint8_t rcon[11] = { |
32 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c | |
164 | 33 }; |
34 | |
35 static uint8_t sbox[256]; | |
36 static uint8_t inv_sbox[256]; | |
169 | 37 #ifdef CONFIG_SMALL |
38 static uint32_t enc_multbl[1][256]; | |
39 static uint32_t dec_multbl[1][256]; | |
40 #else | |
41 static uint32_t enc_multbl[4][256]; | |
42 static uint32_t dec_multbl[4][256]; | |
43 #endif | |
164 | 44 |
168 | 45 static inline void addkey(uint64_t state[2], uint64_t round_key[2]){ |
46 state[0] ^= round_key[0]; | |
47 state[1] ^= round_key[1]; | |
164 | 48 } |
49 | |
50 #define SUBSHIFT0(s, box) s[0]=box[s[ 0]]; s[ 4]=box[s[ 4]]; s[ 8]=box[s[ 8]]; s[12]=box[s[12]]; | |
51 #define SUBSHIFT1(s, box) t=s[0]; s[0]=box[s[ 4]]; s[ 4]=box[s[ 8]]; s[ 8]=box[s[12]]; s[12]=box[t]; | |
52 #define SUBSHIFT2(s, box) t=s[0]; s[0]=box[s[ 8]]; s[ 8]=box[ t]; t=s[ 4]; s[ 4]=box[s[12]]; s[12]=box[t]; | |
53 #define SUBSHIFT3(s, box) t=s[0]; s[0]=box[s[12]]; s[12]=box[s[ 8]]; s[ 8]=box[s[ 4]]; s[ 4]=box[t]; | |
54 | |
185 | 55 #define SUBSHIFT1x(s) t=s[0]; s[0]=s[ 4]; s[ 4]=s[ 8]; s[ 8]=s[12]; s[12]=t; |
56 #define SUBSHIFT2x(s) t=s[0]; s[0]=s[ 8]; s[ 8]= t; t=s[ 4]; s[ 4]=s[12]; s[12]=t; | |
57 #define SUBSHIFT3x(s) t=s[0]; s[0]=s[12]; s[12]=s[ 8]; s[ 8]=s[ 4]; s[ 4]=t; | |
183 | 58 |
181 | 59 #define ROT(x,s) ((x<<s)|(x>>(32-s))) |
164 | 60 |
169 | 61 static inline void mix(uint8_t state[4][4], uint32_t multbl[4][256]){ |
62 int i; | |
63 for(i=0; i<4; i++) | |
64 #ifdef CONFIG_SMALL | |
65 ((uint32_t *)(state))[i] = multbl[0][state[i][0]] ^ ROT(multbl[0][state[i][1]], 8) | |
66 ^ROT(multbl[0][state[i][2]],16) ^ ROT(multbl[0][state[i][3]],24); | |
67 | |
68 #else | |
69 ((uint32_t *)(state))[i] = multbl[0][state[i][0]] ^ multbl[1][state[i][1]] | |
70 ^multbl[2][state[i][2]] ^ multbl[3][state[i][3]]; | |
71 #endif | |
164 | 72 } |
73 | |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
74 static inline void crypt(AVAES *a, int s, uint8_t *sbox, uint32_t *multbl){ |
164 | 75 int t, r; |
76 | |
188 | 77 for(r=a->rounds; r>1; r--){ |
189 | 78 addkey(a->state, a->round_key[r]); |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
79 SUBSHIFT3x((a->state[0]+1+s)) |
185 | 80 SUBSHIFT2x((a->state[0]+2)) |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
81 SUBSHIFT1x((a->state[0]+3-s)) |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
82 mix(a->state, multbl); |
164 | 83 } |
189 | 84 addkey(a->state, a->round_key[1]); |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
85 SUBSHIFT0((a->state[0]+0 ), sbox) |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
86 SUBSHIFT3((a->state[0]+1+s), sbox) |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
87 SUBSHIFT2((a->state[0]+2 ), sbox) |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
88 SUBSHIFT1((a->state[0]+3-s), sbox) |
189 | 89 addkey(a->state, a->round_key[0]); |
164 | 90 } |
91 | |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
92 void av_aes_decrypt(AVAES *a){ |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
93 crypt(a, 0, inv_sbox, dec_multbl); |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
94 } |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
95 |
164 | 96 void av_aes_encrypt(AVAES *a){ |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
97 crypt(a, 2, sbox, enc_multbl); |
178 | 98 } |
99 | |
183 | 100 static init_multbl2(uint8_t tbl[1024], int c[4], uint8_t *log8, uint8_t *alog8, uint8_t *sbox){ |
101 int i; | |
102 for(i=0; i<1024; i++){ | |
103 int x= sbox[i/4]; | |
104 if(x) tbl[i]= alog8[ log8[x] + log8[c[i&3]] ]; | |
105 } | |
106 } | |
107 | |
108 | |
164 | 109 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen |
189 | 110 AVAES *av_aes_init(uint8_t *key, int key_bits, int decrypt) { |
166 | 111 AVAES *a; |
164 | 112 int i, j, t, rconpointer = 0; |
113 uint8_t tk[8][4]; | |
167 | 114 int KC= key_bits/32; |
115 int rounds= KC + 6; | |
169 | 116 uint8_t log8[256]; |
117 uint8_t alog8[512]; | |
164 | 118 |
119 if(!sbox[255]){ | |
120 j=1; | |
121 for(i=0; i<255; i++){ | |
122 alog8[i]= | |
123 alog8[i+255]= j; | |
124 log8[j]= i; | |
125 j^= j+j; | |
126 if(j>255) j^= 0x11B; | |
127 } | |
128 log8[0]= 255; | |
129 for(i=0; i<256; i++){ | |
130 j= i ? alog8[255-log8[i]] : 0; | |
165 | 131 j ^= (j<<1) ^ (j<<2) ^ (j<<3) ^ (j<<4); |
132 j = (j ^ (j>>8) ^ 99) & 255; | |
164 | 133 inv_sbox[j]= i; |
134 sbox [i]= j; | |
135 // av_log(NULL, AV_LOG_ERROR, "%d, ", log8[i]); | |
136 } | |
184 | 137 init_multbl2(dec_multbl[0], (int[4]){0xe, 0x9, 0xd, 0xb}, log8, alog8, inv_sbox); |
181 | 138 #ifndef CONFIG_SMALL |
184 | 139 init_multbl2(dec_multbl[1], (int[4]){0xb, 0xe, 0x9, 0xd}, log8, alog8, inv_sbox); |
140 init_multbl2(dec_multbl[2], (int[4]){0xd, 0xb, 0xe, 0x9}, log8, alog8, inv_sbox); | |
141 init_multbl2(dec_multbl[3], (int[4]){0x9, 0xd, 0xb, 0xe}, log8, alog8, inv_sbox); | |
181 | 142 #endif |
183 | 143 init_multbl2(enc_multbl[0], (int[4]){0x2, 0x1, 0x1, 0x3}, log8, alog8, sbox); |
181 | 144 #ifndef CONFIG_SMALL |
183 | 145 init_multbl2(enc_multbl[1], (int[4]){0x3, 0x2, 0x1, 0x1}, log8, alog8, sbox); |
146 init_multbl2(enc_multbl[2], (int[4]){0x1, 0x3, 0x2, 0x1}, log8, alog8, sbox); | |
147 init_multbl2(enc_multbl[3], (int[4]){0x1, 0x1, 0x3, 0x2}, log8, alog8, sbox); | |
181 | 148 #endif |
164 | 149 } |
150 | |
167 | 151 if(key_bits!=128 && key_bits!=192 && key_bits!=256) |
164 | 152 return NULL; |
153 | |
166 | 154 a= av_malloc(sizeof(AVAES)); |
167 | 155 a->rounds= rounds; |
166 | 156 |
164 | 157 memcpy(tk, key, KC*4); |
158 | |
174
263bbdc10c1e
simplify round_key generation by writing over the end but ensuring that theres some irrelevant stuff afterwards
michael
parents:
173
diff
changeset
|
159 for(t= 0; t < (rounds+1)*4;) { |
189 | 160 memcpy(a->round_key[0][t], tk, KC*4); |
174
263bbdc10c1e
simplify round_key generation by writing over the end but ensuring that theres some irrelevant stuff afterwards
michael
parents:
173
diff
changeset
|
161 t+= KC; |
164 | 162 |
163 for(i = 0; i < 4; i++) | |
173 | 164 tk[0][i] ^= sbox[tk[KC-1][(i+1)&3]]; |
164 | 165 tk[0][0] ^= rcon[rconpointer++]; |
166 | |
167 for(j = 1; j < KC; j++){ | |
168 if(KC != 8 || j != KC/2) | |
175 | 169 for(i = 0; i < 4; i++) tk[j][i] ^= tk[j-1][i]; |
164 | 170 else |
175 | 171 for(i = 0; i < 4; i++) tk[j][i] ^= sbox[tk[j-1][i]]; |
164 | 172 } |
173 } | |
184 | 174 |
189 | 175 if(decrypt){ |
190 | 176 for(i=1; i<rounds; i++){ |
177 for(j=0; j<16; j++) | |
178 a->round_key[i][0][j]= sbox[a->round_key[i][0][j]]; | |
179 mix(a->round_key[i], dec_multbl); | |
180 } | |
191
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
181 }else{ |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
182 for(i=0; i<(rounds+1)/2; i++){ |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
183 for(j=0; j<16; j++) |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
184 FFSWAP(int, a->round_key[i][0][j], a->round_key[rounds-i][0][j]); |
a2a3c80706e5
merge encrypt and decrypt so the source is simpler and the compiler can choose with inlining if it wants speed or small size
michael
parents:
190
diff
changeset
|
185 } |
187 | 186 } |
184 | 187 |
164 | 188 return a; |
189 } | |
190 | |
191 #ifdef TEST | |
192 | |
193 int main(){ | |
194 int i,j,k; | |
189 | 195 AVAES *ae= av_aes_init("PI=3.141592654..", 128, 0); |
196 AVAES *ad= av_aes_init("PI=3.141592654..", 128, 1); | |
182 | 197 uint8_t zero[16]= {0}; |
198 uint8_t pt[16]= {0x6a, 0x84, 0x86, 0x7c, 0xd7, 0x7e, 0x12, 0xad, 0x07, 0xea, 0x1b, 0xe8, 0x95, 0xc5, 0x3f, 0xa3}; | |
199 uint8_t ct[16]= {0x73, 0x22, 0x81, 0xc0, 0xa0, 0xaa, 0xb8, 0xf7, 0xa5, 0x4a, 0x0c, 0x67, 0xa0, 0xc4, 0x5e, 0xcf}; | |
189 | 200 AVAES *b= av_aes_init(zero, 128, 1); |
183 | 201 |
202 /* uint8_t key[16]= {0x42, 0x78, 0xb8, 0x40, 0xfb, 0x44, 0xaa, 0xa7, 0x57, 0xc1, 0xbf, 0x04, 0xac, 0xbe, 0x1a, 0x3e}; | |
203 uint8_t IV[16] = {0x57, 0xf0, 0x2a, 0x5c, 0x53, 0x39, 0xda, 0xeb, 0x0a, 0x29, 0x08, 0xa0, 0x6a, 0xc6, 0x39, 0x3f}; | |
204 uint8_t pt[16] = {0x3c, 0x88, 0x8b, 0xbb, 0xb1, 0xa8, 0xeb, 0x9f, 0x3e, 0x9b, 0x87, 0xac, 0xaa, 0xd9, 0x86, 0xc4}; | |
205 // 66e2f7071c83083b8a557971918850e5 | |
206 uint8_t ct[16] = {0x47, 0x9c, 0x89, 0xec, 0x14, 0xbc, 0x98, 0x99, 0x4e, 0x62, 0xb2, 0xc7, 0x05, 0xb5, 0x0, 0x14e}; | |
207 // 175bd7832e7e60a1e92aac568a861eb7*/ | |
208 uint8_t ckey[16]= {0x10, 0xa5, 0x88, 0x69, 0xd7, 0x4b, 0xe5, 0xa3, 0x74, 0xcf, 0x86, 0x7c, 0xfb, 0x47, 0x38, 0x59}; | |
209 uint8_t cct[16] = {0x6d, 0x25, 0x1e, 0x69, 0x44, 0xb0, 0x51, 0xe0, 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65}; | |
189 | 210 AVAES *c= av_aes_init(ckey, 128, 1); |
164 | 211 |
179 | 212 av_log_level= AV_LOG_DEBUG; |
213 | |
182 | 214 memcpy(b->state, ct, 16); |
215 av_aes_decrypt(b); | |
216 for(j=0; j<16; j++) | |
217 if(pt[j] != b->state[0][j]){ | |
218 av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", j, pt[j], b->state[0][j]); | |
219 } | |
220 | |
183 | 221 memcpy(c->state, cct, 16); |
222 av_aes_decrypt(c); | |
223 for(j=0; j<16; j++) | |
224 if(zero[j] != c->state[0][j]){ | |
225 av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", j, zero[j], c->state[0][j]); | |
226 } | |
227 | |
164 | 228 for(i=0; i<10000; i++){ |
178 | 229 for(j=0; j<16; j++){ |
230 pt[j]= random(); | |
231 } | |
189 | 232 memcpy(ae->state, pt, 16); |
179 | 233 {START_TIMER |
189 | 234 av_aes_encrypt(ae); |
178 | 235 if(!(i&(i-1))) |
189 | 236 av_log(NULL, AV_LOG_ERROR, "%02X %02X %02X %02X\n", ae->state[0][0], ae->state[1][1], ae->state[2][2], ae->state[3][3]); |
237 memcpy(ad->state, ae->state, 16); | |
238 av_aes_decrypt(ad); | |
179 | 239 STOP_TIMER("aes")} |
178 | 240 for(j=0; j<16; j++){ |
189 | 241 if(pt[j] != ad->state[0][j]){ |
242 av_log(NULL, AV_LOG_ERROR, "%d %d %02X %02X\n", i,j, pt[j], ad->state[0][j]); | |
178 | 243 } |
244 } | |
164 | 245 } |
246 return 0; | |
247 } | |
248 #endif |