From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 3/3] avutil/aes: add an OpenSSL-libcrypto backed implementation
Date: Wed, 11 Jun 2025 08:02:48 +0200
Message-ID: <GV1P250MB0737E098B467D004C623FF2D8F75A@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <20250611015415.19575-3-jamrial@gmail.com>
James Almer:
> OpenSSL has optimizations for more architectures than x86-AESNI, so use it if
> libavutil is configured with libcrypto explicitly (Enabling OpenSSL alone will
> not make use of it).
>
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
> configure | 8 +++++++-
> libavutil/aes.c | 37 ++++++++++++++++++++++++++++++++++---
> libavutil/aes_internal.h | 11 ++++++++++-
> libavutil/x86/aes_init.c | 2 ++
> 4 files changed, 53 insertions(+), 5 deletions(-)
>
> diff --git a/configure b/configure
> index 534b443f7d..c7b4fbb2fe 100755
> --- a/configure
> +++ b/configure
> @@ -223,6 +223,7 @@ External library support:
> --enable-libcelt enable CELT decoding via libcelt [no]
> --enable-libcdio enable audio CD grabbing with libcdio [no]
> --enable-libcodec2 enable codec2 en/decoding using libcodec2 [no]
> + --enable-libcrypto enable crypto via libcrypto (AES only) [no]
> --enable-libdav1d enable AV1 decoding via libdav1d [no]
> --enable-libdavs2 enable AVS2 decoding via libdavs2 [no]
> --enable-libdc1394 enable IIDC-1394 grabbing using libdc1394
> @@ -1931,6 +1932,7 @@ EXTERNAL_LIBRARY_LIST="
> libcaca
> libcelt
> libcodec2
> + libcrypto
> libdav1d
> libdc1394
> libflite
> @@ -4091,7 +4093,7 @@ avfilter_deps="avutil"
> avfilter_suggest="libm stdatomic spirv_compiler"
> avformat_deps="avcodec avutil"
> avformat_suggest="libm network zlib stdatomic"
> -avutil_suggest="clock_gettime ffnvcodec gcrypt libm libdrm libmfx opencl openssl user32 vaapi vulkan videotoolbox corefoundation corevideo coremedia bcrypt stdatomic"
> +avutil_suggest="clock_gettime ffnvcodec gcrypt libcrypto libm libdrm libmfx opencl openssl user32 vaapi vulkan videotoolbox corefoundation corevideo coremedia bcrypt stdatomic"
> swresample_deps="avutil"
> swresample_suggest="libm libsoxr stdatomic"
> swscale_deps="avutil"
> @@ -7193,6 +7195,10 @@ enabled openssl && { { check_pkg_config openssl "openssl >= 3.0.0" ope
> check_lib openssl openssl/ssl.h SSL_library_init -lssl32 -leay32 ||
> check_lib openssl openssl/ssl.h SSL_library_init -lssl -lcrypto -lws2_32 -lgdi32 ||
> die "ERROR: openssl not found"; }
> +enabled libcrypto && { { check_pkg_config libcrypto "libcrypto >= 3.0.0" openssl/aes.h AES_set_encrypt_key &&
> + { enabled gplv3 || ! enabled gpl || enabled nonfree || die "ERROR: OpenSSL-libcrypto >= 3.0.0 requires --enable-version3"; }; } ||
> + { enabled gpl && ! enabled nonfree && die "ERROR: OpenSSL-libcrypto < 3.0.0 is incompatible with the gpl"; } ||
> + require_pkg_config libcrypto libcrypto openssl/aes.h AES_set_encrypt_key; }
> enabled pocketsphinx && require_pkg_config pocketsphinx pocketsphinx pocketsphinx/pocketsphinx.h ps_init
> enabled rkmpp && { require_pkg_config rkmpp rockchip_mpp rockchip/rk_mpi.h mpp_create &&
> require_pkg_config rockchip_mpp "rockchip_mpp >= 1.3.7" rockchip/rk_mpi.h mpp_create &&
> diff --git a/libavutil/aes.c b/libavutil/aes.c
> index 7fe42a5548..3a0d4e1385 100644
> --- a/libavutil/aes.c
> +++ b/libavutil/aes.c
> @@ -39,6 +39,7 @@ struct AVAES *av_aes_alloc(void)
> return av_mallocz(sizeof(struct AVAES));
> }
>
> +#if !CONFIG_LIBCRYPTO
> static const uint8_t rcon[10] = {
> 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
> };
> @@ -137,7 +138,7 @@ static inline void aes_crypt(AVAES *a, int s, const uint8_t *sbox,
> }
>
> static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
> - int count, uint8_t *iv)
> + int count, uint8_t *iv, int decrypt)
> {
> while (count--) {
> addkey_s(&a->state[1], src, &a->round_key[a->rounds]);
> @@ -153,7 +154,7 @@ static void aes_encrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
> }
>
> static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
> - int count, uint8_t *iv)
> + int count, uint8_t *iv, int decrypt)
> {
> while (count--) {
> addkey_s(&a->state[1], src, &a->round_key[a->rounds]);
> @@ -168,12 +169,32 @@ static void aes_decrypt(AVAES *a, uint8_t *dst, const uint8_t *src,
> }
> }
>
> +#else
> +
> +static void aes_libcrypto(AVAES *a, uint8_t *dst, const uint8_t *src,
> + int count, uint8_t *iv, int decrypt)
> +{
> + if (iv)
> + AES_cbc_encrypt((const unsigned char *)src,
> + (unsigned char *)dst,
> + count, &a->key,
> + (unsigned char *)iv, !decrypt);
> + else {
> + for (int i = 0; i < count; i++)
> + AES_ecb_encrypt((const unsigned char *)&src[i*16],
> + (unsigned char *)&dst[i*16],
Casts seem pointless. Lots of other part of the code presume that
uint8_t* and unsigned char* are compatible.
> + &a->key, !decrypt);
> + }
> +}
> +#endif
> +
> void av_aes_crypt(AVAES *a, uint8_t *dst, const uint8_t *src,
> int count, uint8_t *iv, int decrypt)
> {
> - a->crypt(a, dst, src, count, iv);
> + a->crypt(a, dst, src, count, iv, decrypt);
This new argument can be #if'ed away.
> }
>
> +#if !CONFIG_LIBCRYPTO
> static void init_multbl2(uint32_t tbl[][256], const int c[4],
> const uint8_t *log8, const uint8_t *alog8,
> const uint8_t *sbox)
> @@ -226,10 +247,19 @@ static av_cold void aes_init_static(void)
> init_multbl2(enc_multbl, (const int[4]) { 0x2, 0x1, 0x1, 0x3 },
> log8, alog8, sbox);
> }
> +#endif
>
> // this is based on the reference AES code by Paulo Barreto and Vincent Rijmen
> int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
> {
> +#if CONFIG_LIBCRYPTO
> + int ret = decrypt ? AES_set_decrypt_key(key, key_bits, &a->key) :
> + AES_set_encrypt_key(key, key_bits, &a->key);
> + if (ret < 0)
> + return AVERROR_EXTERNAL;
> +
> + a->crypt = aes_libcrypto;
> +#else
> int i, j, t, rconpointer = 0;
> uint8_t tk[8][4];
> int KC = key_bits >> 5;
> @@ -278,6 +308,7 @@ int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
> for (i = 0; i < (rounds + 1) >> 1; i++)
> FFSWAP(av_aes_block, a->round_key[i], a->round_key[rounds - i]);
> }
> +#endif
>
> return 0;
> }
> diff --git a/libavutil/aes_internal.h b/libavutil/aes_internal.h
> index e2de382f26..6713798ce2 100644
> --- a/libavutil/aes_internal.h
> +++ b/libavutil/aes_internal.h
> @@ -21,8 +21,13 @@
> #ifndef AVUTIL_AES_INTERNAL_H
> #define AVUTIL_AES_INTERNAL_H
>
> +#include "config.h"
> +
> #include "mem_internal.h"
> #include <stdint.h>
> +#if CONFIG_LIBCRYPTO
> +#include <openssl/aes.h>
> +#endif
>
> typedef union {
> uint64_t u64[2];
> @@ -32,12 +37,16 @@ typedef union {
> } av_aes_block;
>
> typedef struct AVAES {
> +#if CONFIG_LIBCRYPTO
> + AES_KEY key;
> +#else
> // Note: round_key[16] is accessed in the init code, but this only
> // overwrites state, which does not matter (see also commit ba554c0).
> DECLARE_ALIGNED(16, av_aes_block, round_key)[15];
> DECLARE_ALIGNED(16, av_aes_block, state)[2];
> int rounds;
> - void (*crypt)(struct AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv);
> +#endif
> + void (*crypt)(struct AVAES *a, uint8_t *dst, const uint8_t *src, int count, uint8_t *iv, int decript);
> } AVAES;
>
> void ff_init_aes_x86(AVAES *a, int decrypt);
> diff --git a/libavutil/x86/aes_init.c b/libavutil/x86/aes_init.c
> index f825e0799c..54487e8832 100644
> --- a/libavutil/x86/aes_init.c
> +++ b/libavutil/x86/aes_init.c
> @@ -37,6 +37,7 @@ void ff_aes_encrypt_14_aesni(AVAES *a, uint8_t *dst, const uint8_t *src,
>
> void ff_init_aes_x86(AVAES *a, int decrypt)
> {
> +#if !CONFIG_LIBCRYPTO
> int cpu_flags = av_get_cpu_flags();
>
> if (EXTERNAL_AESNI(cpu_flags)) {
> @@ -47,4 +48,5 @@ void ff_init_aes_x86(AVAES *a, int decrypt)
> else if (a->rounds == 14)
> a->crypt = decrypt ? ff_aes_decrypt_14_aesni : ff_aes_encrypt_14_aesni;
> }
> +#endif
> }
Is this better than our implementation for x86 with AESNI?
Apart from that: If you don't need anything from ff_init_aes_x86(), then
it should not be exist, i.e. it should not be compiled (and neither
should the asm file).
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
prev parent reply other threads:[~2025-06-11 6:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-11 1:54 [FFmpeg-devel] [PATCH 1/3] avutil/aes_ctr: rename AES_BLOCK_SIZE to FF_AES_BLOCK_SIZE James Almer
2025-06-11 1:54 ` [FFmpeg-devel] [PATCH 2/3] avutil/aes: remove superfluous rounds argument James Almer
2025-06-11 1:54 ` [FFmpeg-devel] [PATCH 3/3] avutil/aes: add an OpenSSL-libcrypto backed implementation James Almer
2025-06-11 6:02 ` Andreas Rheinhardt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=GV1P250MB0737E098B467D004C623FF2D8F75A@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM \
--to=andreas.rheinhardt@outlook.com \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git