/src/nettle-with-libgmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	5.15M	do { \
72	5.15M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	5.15M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	5.15M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	5.15M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	5.15M	b = ROTL32(9, (b)); \
77	5.15M	f = ROTL32(19, (f)); \
78	5.15M	h = P0((h)); \
79	5.15M	} while (0)
80
81	1.28M	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	3.86M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	1.28M	#define FF1(x, y, z) (x ^ y ^ z)
85	3.86M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	1.28M	#define GG1(x, y, z) (x ^ y ^ z)
88	3.86M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	5.15M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	80.5k	{
104	80.5k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	80.5k	uint32_t w[16];
106
107	80.5k	a = state[0];
108	80.5k	b = state[1];
109	80.5k	c = state[2];
110	80.5k	d = state[3];
111	80.5k	e = state[4];
112	80.5k	f = state[5];
113	80.5k	g = state[6];
114	80.5k	h = state[7];
115
116	80.5k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	80.5k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	80.5k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	80.5k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	80.5k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	80.5k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	80.5k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	80.5k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	80.5k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	80.5k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	80.5k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	80.5k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	80.5k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	80.5k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	80.5k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	80.5k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	80.5k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	80.5k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	80.5k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	80.5k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	80.5k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	80.5k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	80.5k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	80.5k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	80.5k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	80.5k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	80.5k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	80.5k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	80.5k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	80.5k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	80.5k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	80.5k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	80.5k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	80.5k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	80.5k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	80.5k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	80.5k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	80.5k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	80.5k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	80.5k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	80.5k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	80.5k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	80.5k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	80.5k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	80.5k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	80.5k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	80.5k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	80.5k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	80.5k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	80.5k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	80.5k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	80.5k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	80.5k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	80.5k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	80.5k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	80.5k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	80.5k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	80.5k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	80.5k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	80.5k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	80.5k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	80.5k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	80.5k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	80.5k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	80.5k	state[0] ^= a;
185	80.5k	state[1] ^= b;
186	80.5k	state[2] ^= c;
187	80.5k	state[3] ^= d;
188	80.5k	state[4] ^= e;
189	80.5k	state[5] ^= f;
190	80.5k	state[6] ^= g;
191	80.5k	state[7] ^= h;
192	80.5k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	14.5k	{
197	14.5k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	14.5k	{
199	14.5k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	14.5k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	14.5k	};
202
203	14.5k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	14.5k	ctx->count = 0;
207
208		/* Initialize buffer */
209	14.5k	ctx->index = 0;
210	14.5k	}
211
212	80.5k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	30.0k	{
218	61.5k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	30.0k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	14.0k	{
226	14.0k	uint64_t bit_count;
227
228	14.0k	assert(length <= SM3_DIGEST_SIZE);
229
230	14.0k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	14.0k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	14.0k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	14.0k	COMPRESS(ctx, ctx->block);
240
241	14.0k	_nettle_write_be32(length, digest, ctx->state);
242	14.0k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	14.0k	{
249	14.0k	sm3_write_digest(ctx, length, digest);
250	14.0k	sm3_init(ctx);
251	14.0k	}

Coverage Report

Created: 2024-02-25 06:16