/src/nettle-with-libgmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	2.62M	do { \
72	2.62M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	2.62M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	2.62M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	2.62M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	2.62M	b = ROTL32(9, (b)); \
77	2.62M	f = ROTL32(19, (f)); \
78	2.62M	h = P0((h)); \
79	2.62M	} while (0)
80
81	655k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	1.96M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	655k	#define FF1(x, y, z) (x ^ y ^ z)
85	1.96M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	655k	#define GG1(x, y, z) (x ^ y ^ z)
88	1.96M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	2.62M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	40.9k	{
104	40.9k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	40.9k	uint32_t w[16];
106
107	40.9k	a = state[0];
108	40.9k	b = state[1];
109	40.9k	c = state[2];
110	40.9k	d = state[3];
111	40.9k	e = state[4];
112	40.9k	f = state[5];
113	40.9k	g = state[6];
114	40.9k	h = state[7];
115
116	40.9k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	40.9k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	40.9k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	40.9k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	40.9k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	40.9k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	40.9k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	40.9k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	40.9k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	40.9k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	40.9k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	40.9k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	40.9k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	40.9k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	40.9k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	40.9k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	40.9k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	40.9k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	40.9k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	40.9k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	40.9k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	40.9k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	40.9k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	40.9k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	40.9k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	40.9k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	40.9k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	40.9k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	40.9k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	40.9k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	40.9k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	40.9k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	40.9k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	40.9k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	40.9k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	40.9k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	40.9k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	40.9k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	40.9k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	40.9k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	40.9k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	40.9k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	40.9k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	40.9k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	40.9k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	40.9k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	40.9k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	40.9k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	40.9k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	40.9k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	40.9k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	40.9k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	40.9k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	40.9k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	40.9k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	40.9k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	40.9k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	40.9k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	40.9k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	40.9k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	40.9k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	40.9k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	40.9k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	40.9k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	40.9k	state[0] ^= a;
185	40.9k	state[1] ^= b;
186	40.9k	state[2] ^= c;
187	40.9k	state[3] ^= d;
188	40.9k	state[4] ^= e;
189	40.9k	state[5] ^= f;
190	40.9k	state[6] ^= g;
191	40.9k	state[7] ^= h;
192	40.9k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	35.2k	{
197	35.2k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	35.2k	{
199	35.2k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	35.2k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	35.2k	};
202
203	35.2k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	35.2k	ctx->count = 0;
207
208		/* Initialize buffer */
209	35.2k	ctx->index = 0;
210	35.2k	}
211
212	40.9k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	71.5k	{
218	71.5k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	71.5k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	34.5k	{
226	34.5k	uint64_t bit_count;
227
228	34.5k	assert(length <= SM3_DIGEST_SIZE);
229
230	34.5k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	34.5k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	34.5k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	34.5k	COMPRESS(ctx, ctx->block);
240
241	34.5k	_nettle_write_be32(length, digest, ctx->state);
242	34.5k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	34.5k	{
249	34.5k	sm3_write_digest(ctx, length, digest);
250	34.5k	sm3_init(ctx);
251	34.5k	}

Coverage Report

Created: 2023-02-22 06:14