/src/nettle-with-libgmp/sm3.c

Line	Count	Source (jump to first uncovered line)
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	446k	do { \
72	446k	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	446k	ss2 = ss1 ^ ROTL32(12, (a)); \
74	446k	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	446k	h += GG ## i(e, f, g) + ss1 + (w1); \
76	446k	b = ROTL32(9, (b)); \
77	446k	f = ROTL32(19, (f)); \
78	446k	h = P0((h)); \
79	446k	} while (0)
80
81	111k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	334k	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	111k	#define FF1(x, y, z) (x ^ y ^ z)
85	334k	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	111k	#define GG1(x, y, z) (x ^ y ^ z)
88	334k	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	446k	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	6.97k	{
104	6.97k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	6.97k	uint32_t w[16];
106
107	6.97k	a = state[0];
108	6.97k	b = state[1];
109	6.97k	c = state[2];
110	6.97k	d = state[3];
111	6.97k	e = state[4];
112	6.97k	f = state[5];
113	6.97k	g = state[6];
114	6.97k	h = state[7];
115
116	6.97k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	6.97k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	6.97k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	6.97k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	6.97k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	6.97k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	6.97k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	6.97k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	6.97k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	6.97k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	6.97k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	6.97k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	6.97k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	6.97k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	6.97k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	6.97k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	6.97k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	6.97k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	6.97k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	6.97k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	6.97k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	6.97k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	6.97k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	6.97k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	6.97k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	6.97k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	6.97k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	6.97k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	6.97k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	6.97k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	6.97k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	6.97k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	6.97k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	6.97k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	6.97k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	6.97k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	6.97k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	6.97k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	6.97k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	6.97k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	6.97k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	6.97k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	6.97k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	6.97k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	6.97k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	6.97k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	6.97k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	6.97k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	6.97k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	6.97k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	6.97k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	6.97k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	6.97k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	6.97k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	6.97k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	6.97k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	6.97k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	6.97k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	6.97k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	6.97k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	6.97k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	6.97k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	6.97k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	6.97k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	6.97k	state[0] ^= a;
185	6.97k	state[1] ^= b;
186	6.97k	state[2] ^= c;
187	6.97k	state[3] ^= d;
188	6.97k	state[4] ^= e;
189	6.97k	state[5] ^= f;
190	6.97k	state[6] ^= g;
191	6.97k	state[7] ^= h;
192	6.97k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	6.44k	{
197	6.44k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	6.44k	{
199	6.44k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	6.44k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	6.44k	};
202
203	6.44k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	6.44k	ctx->count = 0;
207
208		/* Initialize buffer */
209	6.44k	ctx->index = 0;
210	6.44k	}
211
212	6.97k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	12.8k	{
218	12.8k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	12.8k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	6.32k	{
226	6.32k	uint64_t bit_count;
227
228	6.32k	assert(length <= SM3_DIGEST_SIZE);
229
230	6.32k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	6.32k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	6.32k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	6.32k	COMPRESS(ctx, ctx->block);
240
241	6.32k	_nettle_write_be32(length, digest, ctx->state);
242	6.32k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	6.32k	{
249	6.32k	sm3_write_digest(ctx, length, digest);
250	6.32k	sm3_init(ctx);
251	6.32k	}

Coverage Report

Created: 2023-09-25 06:33