Libav 0.7.1
|
00001 /* 00002 * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at> 00003 * 00004 * some optimization ideas from aes128.c by Reimar Doeffinger 00005 * 00006 * This file is part of Libav. 00007 * 00008 * Libav is free software; you can redistribute it and/or 00009 * modify it under the terms of the GNU Lesser General Public 00010 * License as published by the Free Software Foundation; either 00011 * version 2.1 of the License, or (at your option) any later version. 00012 * 00013 * Libav is distributed in the hope that it will be useful, 00014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 00016 * Lesser General Public License for more details. 00017 * 00018 * You should have received a copy of the GNU Lesser General Public 00019 * License along with Libav; if not, write to the Free Software 00020 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 00021 */ 00022 00023 #include "common.h" 00024 #include "aes.h" 00025 00026 typedef union { 00027 uint64_t u64[2]; 00028 uint32_t u32[4]; 00029 uint8_t u8x4[4][4]; 00030 uint8_t u8[16]; 00031 } av_aes_block; 00032 00033 typedef struct AVAES{ 00034 // Note: round_key[16] is accessed in the init code, but this only 00035 // overwrites state, which does not matter (see also r7471). 00036 av_aes_block round_key[15]; 00037 av_aes_block state[2]; 00038 int rounds; 00039 }AVAES; 00040 00041 const int av_aes_size= sizeof(AVAES); 00042 00043 static const uint8_t rcon[10] = { 00044 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 00045 }; 00046 00047 static uint8_t sbox[256]; 00048 static uint8_t inv_sbox[256]; 00049 #if CONFIG_SMALL 00050 static uint32_t enc_multbl[1][256]; 00051 static uint32_t dec_multbl[1][256]; 00052 #else 00053 static uint32_t enc_multbl[4][256]; 00054 static uint32_t dec_multbl[4][256]; 00055 #endif 00056 00057 static inline void addkey(av_aes_block *dst, const av_aes_block *src, const av_aes_block *round_key){ 00058 dst->u64[0] = src->u64[0] ^ round_key->u64[0]; 00059 dst->u64[1] = src->u64[1] ^ round_key->u64[1]; 00060 } 00061 00062 static void subshift(av_aes_block s0[2], int s, const uint8_t *box){ 00063 av_aes_block *s1= (av_aes_block *)(s0[0].u8 - s); 00064 av_aes_block *s3= (av_aes_block *)(s0[0].u8 + s); 00065 s0[0].u8[0]=box[s0[1].u8[ 0]]; s0[0].u8[ 4]=box[s0[1].u8[ 4]]; s0[0].u8[ 8]=box[s0[1].u8[ 8]]; s0[0].u8[12]=box[s0[1].u8[12]]; 00066 s1[0].u8[3]=box[s1[1].u8[ 7]]; s1[0].u8[ 7]=box[s1[1].u8[11]]; s1[0].u8[11]=box[s1[1].u8[15]]; s1[0].u8[15]=box[s1[1].u8[ 3]]; 00067 s0[0].u8[2]=box[s0[1].u8[10]]; s0[0].u8[10]=box[s0[1].u8[ 2]]; s0[0].u8[ 6]=box[s0[1].u8[14]]; s0[0].u8[14]=box[s0[1].u8[ 6]]; 00068 s3[0].u8[1]=box[s3[1].u8[13]]; s3[0].u8[13]=box[s3[1].u8[ 9]]; s3[0].u8[ 9]=box[s3[1].u8[ 5]]; s3[0].u8[ 5]=box[s3[1].u8[ 1]]; 00069 } 00070 00071 static inline int mix_core(uint32_t multbl[][256], int a, int b, int c, int d){ 00072 #if CONFIG_SMALL 00073 #define ROT(x,s) ((x<<s)|(x>>(32-s))) 00074 return multbl[0][a] ^ ROT(multbl[0][b], 8) ^ ROT(multbl[0][c], 16) ^ ROT(multbl[0][d], 24); 00075 #else 00076 return multbl[0][a] ^ multbl[1][b] ^ multbl[2][c] ^ multbl[3][d]; 00077 #endif 00078 } 00079 00080 static inline void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3){ 00081 uint8_t (*src)[4] = state[1].u8x4; 00082 state[0].u32[0] = mix_core(multbl, src[0][0], src[s1 ][1], src[2][2], src[s3 ][3]); 00083 state[0].u32[1] = mix_core(multbl, src[1][0], src[s3-1][1], src[3][2], src[s1-1][3]); 00084 state[0].u32[2] = mix_core(multbl, src[2][0], src[s3 ][1], src[0][2], src[s1 ][3]); 00085 state[0].u32[3] = mix_core(multbl, src[3][0], src[s1-1][1], src[1][2], src[s3-1][3]); 00086 } 00087 00088 static inline void crypt(AVAES *a, int s, const uint8_t *sbox, uint32_t multbl[][256]){ 00089 int r; 00090 00091 for(r=a->rounds-1; r>0; r--){ 00092 mix(a->state, multbl, 3-s, 1+s); 00093 addkey(&a->state[1], &a->state[0], &a->round_key[r]); 00094 } 00095 subshift(&a->state[0], s, sbox); 00096 } 00097 00098 void av_aes_crypt(AVAES *a, uint8_t *dst_, const uint8_t *src_, int count, uint8_t *iv_, int decrypt){ 00099 av_aes_block *dst = (av_aes_block *)dst_; 00100 const av_aes_block *src = (const av_aes_block *)src_; 00101 av_aes_block *iv = (av_aes_block *)iv_; 00102 while(count--){ 00103 addkey(&a->state[1], src, &a->round_key[a->rounds]); 00104 if(decrypt) { 00105 crypt(a, 0, inv_sbox, dec_multbl); 00106 if(iv){ 00107 addkey(&a->state[0], &a->state[0], iv); 00108 memcpy(iv, src, 16); 00109 } 00110 addkey(dst, &a->state[0], &a->round_key[0]); 00111 }else{ 00112 if(iv) addkey(&a->state[1], &a->state[1], iv); 00113 crypt(a, 2, sbox, enc_multbl); 00114 addkey(dst, &a->state[0], &a->round_key[0]); 00115 if(iv) memcpy(iv, dst, 16); 00116 } 00117 src++; 00118 dst++; 00119 } 00120 } 00121 00122 static void init_multbl2(uint8_t tbl[1024], const int c[4], const uint8_t *log8, const uint8_t *alog8, const uint8_t *sbox){ 00123 int i, j; 00124 for(i=0; i<1024; i++){ 00125 int x= sbox[i>>2]; 00126 if(x) tbl[i]= alog8[ log8[x] + log8[c[i&3]] ]; 00127 } 00128 #if !CONFIG_SMALL 00129 for(j=256; j<1024; j++) 00130 for(i=0; i<4; i++) 00131 tbl[4*j+i]= tbl[4*j + ((i-1)&3) - 1024]; 00132 #endif 00133 } 00134 00135 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen 00136 int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt) { 00137 int i, j, t, rconpointer = 0; 00138 uint8_t tk[8][4]; 00139 int KC= key_bits>>5; 00140 int rounds= KC + 6; 00141 uint8_t log8[256]; 00142 uint8_t alog8[512]; 00143 00144 if(!enc_multbl[FF_ARRAY_ELEMS(enc_multbl)-1][FF_ARRAY_ELEMS(enc_multbl[0])-1]){ 00145 j=1; 00146 for(i=0; i<255; i++){ 00147 alog8[i]= 00148 alog8[i+255]= j; 00149 log8[j]= i; 00150 j^= j+j; 00151 if(j>255) j^= 0x11B; 00152 } 00153 for(i=0; i<256; i++){ 00154 j= i ? alog8[255-log8[i]] : 0; 00155 j ^= (j<<1) ^ (j<<2) ^ (j<<3) ^ (j<<4); 00156 j = (j ^ (j>>8) ^ 99) & 255; 00157 inv_sbox[j]= i; 00158 sbox [i]= j; 00159 } 00160 init_multbl2(dec_multbl[0], (const int[4]){0xe, 0x9, 0xd, 0xb}, log8, alog8, inv_sbox); 00161 init_multbl2(enc_multbl[0], (const int[4]){0x2, 0x1, 0x1, 0x3}, log8, alog8, sbox); 00162 } 00163 00164 if(key_bits!=128 && key_bits!=192 && key_bits!=256) 00165 return -1; 00166 00167 a->rounds= rounds; 00168 00169 memcpy(tk, key, KC*4); 00170 00171 for(t= 0; t < (rounds+1)*16;) { 00172 memcpy(a->round_key[0].u8+t, tk, KC*4); 00173 t+= KC*4; 00174 00175 for(i = 0; i < 4; i++) 00176 tk[0][i] ^= sbox[tk[KC-1][(i+1)&3]]; 00177 tk[0][0] ^= rcon[rconpointer++]; 00178 00179 for(j = 1; j < KC; j++){ 00180 if(KC != 8 || j != KC>>1) 00181 for(i = 0; i < 4; i++) tk[j][i] ^= tk[j-1][i]; 00182 else 00183 for(i = 0; i < 4; i++) tk[j][i] ^= sbox[tk[j-1][i]]; 00184 } 00185 } 00186 00187 if(decrypt){ 00188 for(i=1; i<rounds; i++){ 00189 av_aes_block tmp[3]; 00190 memcpy(&tmp[2], &a->round_key[i], 16); 00191 subshift(&tmp[1], 0, sbox); 00192 mix(tmp, dec_multbl, 1, 3); 00193 memcpy(&a->round_key[i], &tmp[0], 16); 00194 } 00195 }else{ 00196 for(i=0; i<(rounds+1)>>1; i++){ 00197 for(j=0; j<16; j++) 00198 FFSWAP(int, a->round_key[i].u8[j], a->round_key[rounds-i].u8[j]); 00199 } 00200 } 00201 00202 return 0; 00203 } 00204 00205 #ifdef TEST 00206 #include "lfg.h" 00207 #include "log.h" 00208 00209 int main(void){ 00210 int i,j; 00211 AVAES ae, ad, b; 00212 uint8_t rkey[2][16]= { 00213 {0}, 00214 {0x10, 0xa5, 0x88, 0x69, 0xd7, 0x4b, 0xe5, 0xa3, 0x74, 0xcf, 0x86, 0x7c, 0xfb, 0x47, 0x38, 0x59}}; 00215 uint8_t pt[16], rpt[2][16]= { 00216 {0x6a, 0x84, 0x86, 0x7c, 0xd7, 0x7e, 0x12, 0xad, 0x07, 0xea, 0x1b, 0xe8, 0x95, 0xc5, 0x3f, 0xa3}, 00217 {0}}; 00218 uint8_t rct[2][16]= { 00219 {0x73, 0x22, 0x81, 0xc0, 0xa0, 0xaa, 0xb8, 0xf7, 0xa5, 0x4a, 0x0c, 0x67, 0xa0, 0xc4, 0x5e, 0xcf}, 00220 {0x6d, 0x25, 0x1e, 0x69, 0x44, 0xb0, 0x51, 0xe0, 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65}}; 00221 uint8_t temp[16]; 00222 AVLFG prng; 00223 00224 av_aes_init(&ae, "PI=3.141592654..", 128, 0); 00225 av_aes_init(&ad, "PI=3.141592654..", 128, 1); 00226 av_log_set_level(AV_LOG_DEBUG); 00227 av_lfg_init(&prng, 1); 00228 00229 for(i=0; i<2; i++){ 00230 av_aes_init(&b, rkey[i], 128, 1); 00231 av_aes_crypt(&b, temp, rct[i], 1, NULL, 1); 00232 for(j=0; j<16; j++) 00233 if(rpt[i][j] != temp[j]) 00234 av_log(NULL, AV_LOG_ERROR, "%d %02X %02X\n", j, rpt[i][j], temp[j]); 00235 } 00236 00237 for(i=0; i<10000; i++){ 00238 for(j=0; j<16; j++){ 00239 pt[j] = av_lfg_get(&prng); 00240 } 00241 {START_TIMER 00242 av_aes_crypt(&ae, temp, pt, 1, NULL, 0); 00243 if(!(i&(i-1))) 00244 av_log(NULL, AV_LOG_ERROR, "%02X %02X %02X %02X\n", temp[0], temp[5], temp[10], temp[15]); 00245 av_aes_crypt(&ad, temp, temp, 1, NULL, 1); 00246 STOP_TIMER("aes")} 00247 for(j=0; j<16; j++){ 00248 if(pt[j] != temp[j]){ 00249 av_log(NULL, AV_LOG_ERROR, "%d %d %02X %02X\n", i,j, pt[j], temp[j]); 00250 } 00251 } 00252 } 00253 return 0; 00254 } 00255 #endif