FFmpeg coverage

Directory: ../../../ffmpeg/
File: src/libavutil/aes.c
Date: 2026-04-24 19:58:39
Exec Total Coverage
Lines: 139 140 99.3%
Functions: 14 14 100.0%
Branches: 51 52 98.1%
Line Branch Exec Source
1 /*
2 * copyright (c) 2007 Michael Niedermayer <michaelni@gmx.at>
3 *
4 * some optimization ideas from aes128.c by Reimar Doeffinger
5 *
6 * This file is part of FFmpeg.
7 *
8 * FFmpeg is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * FFmpeg is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with FFmpeg; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21 */
22
23 #include <string.h>
24
25 #include "config.h"
26 #include "aes.h"
27 #include "aes_internal.h"
28 #include "attributes.h"
29 #include "error.h"
30 #include "intreadwrite.h"
31 #include "macros.h"
32 #include "mem.h"
33 #include "thread.h"
34
35 const int av_aes_size= sizeof(AVAES);
36
37 16 struct AVAES *av_aes_alloc(void)
38 {
39 16 return av_mallocz(sizeof(struct AVAES));
40 }
41
42 static const uint8_t rcon[10] = {
43 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
44 };
45
46 static uint8_t sbox[256];
47 static uint8_t inv_sbox[256];
48 #if CONFIG_SMALL
49 static uint32_t enc_multbl[1][256];
50 static uint32_t dec_multbl[1][256];
51 #else
52 static uint32_t enc_multbl[4][256];
53 static uint32_t dec_multbl[4][256];
54 #endif
55
56 #if HAVE_BIGENDIAN
57 # define ROT(x, s) (((x) >> (s)) | ((x) << (32-(s))))
58 #else
59 # define ROT(x, s) (((x) << (s)) | ((x) >> (32-(s))))
60 #endif
61
62 96394 static inline void addkey(av_aes_block *dst, const av_aes_block *src,
63 const av_aes_block *round_key)
64 {
65 96394 dst->u64[0] = src->u64[0] ^ round_key->u64[0];
66 96394 dst->u64[1] = src->u64[1] ^ round_key->u64[1];
67 96394 }
68
69 10800 static inline void addkey_s(av_aes_block *dst, const uint8_t *src,
70 const av_aes_block *round_key)
71 {
72 10800 dst->u64[0] = AV_RN64(src) ^ round_key->u64[0];
73 10800 dst->u64[1] = AV_RN64(src + 8) ^ round_key->u64[1];
74 10800 }
75
76 10654 static inline void addkey_d(uint8_t *dst, const av_aes_block *src,
77 const av_aes_block *round_key)
78 {
79 10654 AV_WN64(dst, src->u64[0] ^ round_key->u64[0]);
80 10654 AV_WN64(dst + 8, src->u64[1] ^ round_key->u64[1]);
81 10654 }
82
83 11134 static void subshift(av_aes_block s0[2], int s, const uint8_t *box)
84 {
85 11134 unsigned char *s1_dst = (unsigned char*)s0[0].u8 + 3 - s;
86 11134 const unsigned char *s1_src = s1_dst + sizeof(*s0);
87 11134 unsigned char *s3_dst = (unsigned char*)s0[0].u8 + s + 1;
88 11134 const unsigned char *s3_src = s3_dst + sizeof(*s0);
89
90 11134 s0[0].u8[ 0] = box[s0[1].u8[ 0]];
91 11134 s0[0].u8[ 4] = box[s0[1].u8[ 4]];
92 11134 s0[0].u8[ 8] = box[s0[1].u8[ 8]];
93 11134 s0[0].u8[12] = box[s0[1].u8[12]];
94 11134 s1_dst[ 0] = box[s1_src[ 4]];
95 11134 s1_dst[ 4] = box[s1_src[ 8]];
96 11134 s1_dst[ 8] = box[s1_src[12]];
97 11134 s1_dst[12] = box[s1_src[ 0]];
98 11134 s0[0].u8[ 2] = box[s0[1].u8[10]];
99 11134 s0[0].u8[10] = box[s0[1].u8[ 2]];
100 11134 s0[0].u8[ 6] = box[s0[1].u8[14]];
101 11134 s0[0].u8[14] = box[s0[1].u8[ 6]];
102 11134 s3_dst[ 0] = box[s3_src[12]];
103 11134 s3_dst[12] = box[s3_src[ 8]];
104 11134 s3_dst[ 8] = box[s3_src[ 4]];
105 11134 s3_dst[ 4] = box[s3_src[ 0]];
106 11134 }
107
108 387496 static inline int mix_core(uint32_t multbl[][256], int a, int b, int c, int d)
109 {
110 #if CONFIG_SMALL
111 return multbl[0][a] ^ ROT(multbl[0][b], 8) ^ ROT(multbl[0][c], 16) ^ ROT(multbl[0][d], 24);
112 #else
113 387496 return multbl[0][a] ^ multbl[1][b] ^ multbl[2][c] ^ multbl[3][d];
114 #endif
115 }
116
117 96874 static inline void mix(av_aes_block state[2], uint32_t multbl[][256], int s1, int s3)
118 {
119 96874 uint8_t (*src)[4] = state[1].u8x4;
120 96874 state[0].u32[0] = mix_core(multbl, src[0][0], src[s1 ][1], src[2][2], src[s3 ][3]);
121 96874 state[0].u32[1] = mix_core(multbl, src[1][0], src[s3 - 1][1], src[3][2], src[s1 - 1][3]);
122 96874 state[0].u32[2] = mix_core(multbl, src[2][0], src[s3 ][1], src[0][2], src[s1 ][3]);
123 96874 state[0].u32[3] = mix_core(multbl, src[3][0], src[s1 - 1][1], src[1][2], src[s3 - 1][3]);
124 96874 }
125
126 10654 static inline void aes_crypt(AVAES *a, int s, const uint8_t *sbox_arg,
127 uint32_t multbl[][256])
128 {
129 int r;
130
131
2/2
✓ Branch 0 taken 96394 times.
✓ Branch 1 taken 10654 times.
 107048 for (r = a->rounds - 1; r > 0; r--) {
132 96394 mix(a->state, multbl, 3 - s, 1 + s);
133 96394 addkey(&a->state[1], &a->state[0], &a->round_key[r]);
134 }
135
136 10654 subshift(&a->state[0], s, sbox_arg);
137 10654 }
138
139 10380 static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
140 int count, uint8_t *iv, int rounds)
141 {
142
2/2
✓ Branch 0 taken 10550 times.
✓ Branch 1 taken 10380 times.
 20930 while (count--) {
143 10550 addkey_s(&a->state[1], src, &a->round_key[rounds]);
144
2/2
✓ Branch 0 taken 94 times.
✓ Branch 1 taken 10456 times.
 10550 if (iv)
145 94 addkey_s(&a->state[1], iv, &a->state[1]);
146 10550 aes_crypt(a, 2, sbox, enc_multbl);
147 10550 addkey_d(dst, &a->state[0], &a->round_key[0]);
148
2/2
✓ Branch 0 taken 94 times.
✓ Branch 1 taken 10456 times.
 10550 if (iv)
149 94 memcpy(iv, dst, 16);
150 10550 src += 16;
151 10550 dst += 16;
152 }
153 10380 }
154
155 18 static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
156 int count, uint8_t *iv, int rounds)
157 {
158
2/2
✓ Branch 0 taken 104 times.
✓ Branch 1 taken 18 times.
 122 while (count--) {
159 104 addkey_s(&a->state[1], src, &a->round_key[rounds]);
160 104 aes_crypt(a, 0, inv_sbox, dec_multbl);
161
2/2
✓ Branch 0 taken 52 times.
✓ Branch 1 taken 52 times.
 104 if (iv) {
162 52 addkey_s(&a->state[0], iv, &a->state[0]);
163 52 memcpy(iv, src, 16);
164 }
165 104 addkey_d(dst, &a->state[0], &a->round_key[0]);
166 104 src += 16;
167 104 dst += 16;
168 }
169 18 }
170
171 10517 void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src,
172 int count, uint8_t *iv, int decrypt)
173 {
174 10517 a->crypt(a, dst, src, count, iv, a->rounds);
175 10517 }
176
177 20 static void init_multbl2(uint32_t tbl[][256], const int c[4],
178 const uint8_t *log8, const uint8_t *alog8,
179 const uint8_t *sbox_arg)
180 {
181 int i;
182
183
2/2
✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 20 times.
 5140 for (i = 0; i < 256; i++) {
184 5120 int x = sbox_arg[i];
185
2/2
✓ Branch 0 taken 5100 times.
✓ Branch 1 taken 20 times.
 5120 if (x) {
186 int k, l, m, n;
187 5100 x = log8[x];
188 5100 k = alog8[x + log8[c[0]]];
189 5100 l = alog8[x + log8[c[1]]];
190 5100 m = alog8[x + log8[c[2]]];
191 5100 n = alog8[x + log8[c[3]]];
192 5100 tbl[0][i] = AV_NE(MKBETAG(k, l, m, n), MKTAG(k, l, m, n));
193 #if !CONFIG_SMALL
194 5100 tbl[1][i] = ROT(tbl[0][i], 8);
195 5100 tbl[2][i] = ROT(tbl[0][i], 16);
196 5100 tbl[3][i] = ROT(tbl[0][i], 24);
197 #endif
198 }
199 }
200 20 }
201
202 static AVOnce aes_static_init = AV_ONCE_INIT;
203
204 10 static av_cold void aes_init_static(void)
205 {
206 uint8_t log8[256];
207 uint8_t alog8[512];
208 10 int i, j = 1;
209
210
2/2
✓ Branch 0 taken 2550 times.
✓ Branch 1 taken 10 times.
 2560 for (i = 0; i < 255; i++) {
211 2550 alog8[i] = alog8[i + 255] = j;
212 2550 log8[j] = i;
213 2550 j ^= j + j;
214
2/2
✓ Branch 0 taken 1280 times.
✓ Branch 1 taken 1270 times.
 2550 if (j > 255)
215 1280 j ^= 0x11B;
216 }
217
2/2
✓ Branch 0 taken 2560 times.
✓ Branch 1 taken 10 times.
 2570 for (i = 0; i < 256; i++) {
218
2/2
✓ Branch 0 taken 2550 times.
✓ Branch 1 taken 10 times.
 2560 j = i ? alog8[255 - log8[i]] : 0;
219 2560 j ^= (j << 1) ^ (j << 2) ^ (j << 3) ^ (j << 4);
220 2560 j = (j ^ (j >> 8) ^ 99) & 255;
221 2560 inv_sbox[j] = i;
222 2560 sbox[i] = j;
223 }
224 10 init_multbl2(dec_multbl, (const int[4]) { 0xe, 0x9, 0xd, 0xb },
225 log8, alog8, inv_sbox);
226 10 init_multbl2(enc_multbl, (const int[4]) { 0x2, 0x1, 0x1, 0x3 },
227 log8, alog8, sbox);
228 10 }
229
230 // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen
231 129 int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
232 {
233 129 int i, j, t, rconpointer = 0;
234 uint8_t tk[8][4];
235 129 int KC = key_bits >> 5;
236 129 int rounds = KC + 6;
237
238 129 a->rounds = rounds;
239
2/2
✓ Branch 0 taken 44 times.
✓ Branch 1 taken 85 times.
 129 a->crypt = decrypt ? aes_decrypt : aes_encrypt;
240 #if ARCH_X86 && HAVE_X86ASM && HAVE_AESNI_EXTERNAL
241 129 ff_init_aes_x86(a, decrypt);
242 #endif
243
244 129 ff_thread_once(&aes_static_init, aes_init_static);
245
246
5/6
✓ Branch 0 taken 56 times.
✓ Branch 1 taken 73 times.
✓ Branch 2 taken 28 times.
✓ Branch 3 taken 28 times.
✗ Branch 4 not taken.
✓ Branch 5 taken 28 times.
 129 if (key_bits != 128 && key_bits != 192 && key_bits != 256)
247 return AVERROR(EINVAL);
248
249 129 memcpy(tk, key, KC * 4);
250 129 memcpy(a->round_key[0].u8, key, KC * 4);
251
252
2/2
✓ Branch 0 taken 1150 times.
✓ Branch 1 taken 129 times.
 1279 for (t = KC * 4; t < (rounds + 1) * 16; t += KC * 4) {
253
2/2
✓ Branch 0 taken 4600 times.
✓ Branch 1 taken 1150 times.
 5750 for (i = 0; i < 4; i++)
254 4600 tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]];
255 1150 tk[0][0] ^= rcon[rconpointer++];
256
257
2/2
✓ Branch 0 taken 4682 times.
✓ Branch 1 taken 1150 times.
 5832 for (j = 1; j < KC; j++) {
258
4/4
✓ Branch 0 taken 1372 times.
✓ Branch 1 taken 3310 times.
✓ Branch 2 taken 1176 times.
✓ Branch 3 taken 196 times.
 4682 if (KC != 8 || j != KC >> 1)
259
2/2
✓ Branch 0 taken 17944 times.
✓ Branch 1 taken 4486 times.
 22430 for (i = 0; i < 4; i++)
260 17944 tk[j][i] ^= tk[j - 1][i];
261 else
262
2/2
✓ Branch 0 taken 784 times.
✓ Branch 1 taken 196 times.
 980 for (i = 0; i < 4; i++)
263 784 tk[j][i] ^= sbox[tk[j - 1][i]];
264 }
265
266 1150 memcpy((unsigned char*)a->round_key + t, tk, KC * 4);
267 }
268
269
2/2
✓ Branch 0 taken 44 times.
✓ Branch 1 taken 85 times.
 129 if (decrypt) {
270
2/2
✓ Branch 0 taken 480 times.
✓ Branch 1 taken 44 times.
 524 for (i = 1; i < rounds; i++) {
271 av_aes_block tmp[3];
272 480 tmp[2] = a->round_key[i];
273 480 subshift(&tmp[1], 0, sbox);
274 480 mix(tmp, dec_multbl, 1, 3);
275 480 a->round_key[i] = tmp[0];
276 }
277 } else {
278
2/2
✓ Branch 0 taken 467 times.
✓ Branch 1 taken 85 times.
 552 for (i = 0; i < (rounds + 1) >> 1; i++)
279 467 FFSWAP(av_aes_block, a->round_key[i], a->round_key[rounds - i]);
280 }
281
282 129 return 0;
283 }
284