/src/nettle-with-mini-gmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	3.42M	do { \
72	3.42M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	3.42M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	3.42M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	3.42M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	3.42M	b = ROTL32(9, (b)); \
77	3.42M	f = ROTL32(19, (f)); \
78	3.42M	h = P0((h)); \
79	3.42M	} while (0)
80
81	857k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	2.57M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	857k	#define FF1(x, y, z) (x ^ y ^ z)
85	2.57M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	857k	#define GG1(x, y, z) (x ^ y ^ z)
88	2.57M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	3.42M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	53.5k	{
104	53.5k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	53.5k	uint32_t w[16];
106
107	53.5k	a = state[0];
108	53.5k	b = state[1];
109	53.5k	c = state[2];
110	53.5k	d = state[3];
111	53.5k	e = state[4];
112	53.5k	f = state[5];
113	53.5k	g = state[6];
114	53.5k	h = state[7];
115
116	53.5k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	53.5k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	53.5k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	53.5k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	53.5k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	53.5k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	53.5k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	53.5k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	53.5k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	53.5k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	53.5k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	53.5k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	53.5k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	53.5k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	53.5k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	53.5k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	53.5k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	53.5k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	53.5k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	53.5k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	53.5k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	53.5k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	53.5k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	53.5k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	53.5k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	53.5k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	53.5k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	53.5k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	53.5k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	53.5k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	53.5k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	53.5k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	53.5k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	53.5k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	53.5k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	53.5k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	53.5k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	53.5k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	53.5k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	53.5k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	53.5k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	53.5k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	53.5k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	53.5k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	53.5k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	53.5k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	53.5k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	53.5k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	53.5k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	53.5k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	53.5k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	53.5k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	53.5k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	53.5k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	53.5k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	53.5k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	53.5k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	53.5k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	53.5k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	53.5k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	53.5k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	53.5k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	53.5k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	53.5k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	53.5k	state[0] ^= a;
185	53.5k	state[1] ^= b;
186	53.5k	state[2] ^= c;
187	53.5k	state[3] ^= d;
188	53.5k	state[4] ^= e;
189	53.5k	state[5] ^= f;
190	53.5k	state[6] ^= g;
191	53.5k	state[7] ^= h;
192	53.5k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	50.7k	{
197	50.7k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	50.7k	{
199	50.7k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	50.7k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	50.7k	};
202
203	50.7k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	50.7k	ctx->count = 0;
207
208		/* Initialize buffer */
209	50.7k	ctx->index = 0;
210	50.7k	}
211
212	53.5k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	99.9k	{
218	99.9k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	99.9k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	49.6k	{
226	49.6k	uint64_t bit_count;
227
228	49.6k	assert(length <= SM3_DIGEST_SIZE);
229
230	49.6k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	49.6k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	49.6k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	49.6k	COMPRESS(ctx, ctx->block);
240
241	49.6k	_nettle_write_be32(length, digest, ctx->state);
242	49.6k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	49.6k	{
249	49.6k	sm3_write_digest(ctx, length, digest);
250	49.6k	sm3_init(ctx);
251	49.6k	}

Coverage Report

Created: 2023-09-25 06:34