/src/nettle-with-mini-gmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	1.49M	do { \
72	1.49M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	1.49M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	1.49M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	1.49M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	1.49M	b = ROTL32(9, (b)); \
77	1.49M	f = ROTL32(19, (f)); \
78	1.49M	h = P0((h)); \
79	1.49M	} while (0)
80
81	373k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	1.11M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	373k	#define FF1(x, y, z) (x ^ y ^ z)
85	1.11M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	373k	#define GG1(x, y, z) (x ^ y ^ z)
88	1.11M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	1.49M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	23.3k	{
104	23.3k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	23.3k	uint32_t w[16];
106
107	23.3k	a = state[0];
108	23.3k	b = state[1];
109	23.3k	c = state[2];
110	23.3k	d = state[3];
111	23.3k	e = state[4];
112	23.3k	f = state[5];
113	23.3k	g = state[6];
114	23.3k	h = state[7];
115
116	23.3k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	23.3k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	23.3k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	23.3k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	23.3k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	23.3k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	23.3k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	23.3k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	23.3k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	23.3k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	23.3k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	23.3k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	23.3k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	23.3k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	23.3k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	23.3k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	23.3k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	23.3k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	23.3k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	23.3k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	23.3k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	23.3k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	23.3k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	23.3k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	23.3k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	23.3k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	23.3k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	23.3k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	23.3k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	23.3k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	23.3k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	23.3k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	23.3k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	23.3k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	23.3k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	23.3k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	23.3k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	23.3k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	23.3k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	23.3k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	23.3k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	23.3k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	23.3k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	23.3k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	23.3k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	23.3k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	23.3k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	23.3k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	23.3k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	23.3k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	23.3k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	23.3k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	23.3k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	23.3k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	23.3k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	23.3k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	23.3k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	23.3k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	23.3k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	23.3k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	23.3k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	23.3k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	23.3k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	23.3k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	23.3k	state[0] ^= a;
185	23.3k	state[1] ^= b;
186	23.3k	state[2] ^= c;
187	23.3k	state[3] ^= d;
188	23.3k	state[4] ^= e;
189	23.3k	state[5] ^= f;
190	23.3k	state[6] ^= g;
191	23.3k	state[7] ^= h;
192	23.3k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	19.7k	{
197	19.7k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	19.7k	{
199	19.7k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	19.7k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	19.7k	};
202
203	19.7k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	19.7k	ctx->count = 0;
207
208		/* Initialize buffer */
209	19.7k	ctx->index = 0;
210	19.7k	}
211
212	23.3k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	43.2k	{
218	43.2k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	43.2k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	19.2k	{
226	19.2k	uint64_t bit_count;
227
228	19.2k	assert(length <= SM3_DIGEST_SIZE);
229
230	19.2k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	19.2k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	19.2k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	19.2k	COMPRESS(ctx, ctx->block);
240
241	19.2k	_nettle_write_be32(length, digest, ctx->state);
242	19.2k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	19.2k	{
249	19.2k	sm3_write_digest(ctx, length, digest);
250	19.2k	sm3_init(ctx);
251	19.2k	}

Coverage Report

Created: 2023-02-22 06:14