/src/nettle-with-mini-gmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	2.22M	do { \
72	2.22M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	2.22M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	2.22M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	2.22M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	2.22M	b = ROTL32(9, (b)); \
77	2.22M	f = ROTL32(19, (f)); \
78	2.22M	h = P0((h)); \
79	2.22M	} while (0)
80
81	555k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	1.66M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	555k	#define FF1(x, y, z) (x ^ y ^ z)
85	1.66M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	555k	#define GG1(x, y, z) (x ^ y ^ z)
88	1.66M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	2.22M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	34.6k	{
104	34.6k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	34.6k	uint32_t w[16];
106
107	34.6k	a = state[0];
108	34.6k	b = state[1];
109	34.6k	c = state[2];
110	34.6k	d = state[3];
111	34.6k	e = state[4];
112	34.6k	f = state[5];
113	34.6k	g = state[6];
114	34.6k	h = state[7];
115
116	34.6k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	34.6k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	34.6k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	34.6k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	34.6k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	34.6k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	34.6k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	34.6k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	34.6k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	34.6k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	34.6k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	34.6k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	34.6k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	34.6k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	34.6k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	34.6k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	34.6k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	34.6k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	34.6k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	34.6k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	34.6k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	34.6k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	34.6k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	34.6k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	34.6k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	34.6k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	34.6k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	34.6k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	34.6k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	34.6k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	34.6k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	34.6k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	34.6k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	34.6k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	34.6k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	34.6k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	34.6k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	34.6k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	34.6k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	34.6k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	34.6k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	34.6k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	34.6k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	34.6k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	34.6k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	34.6k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	34.6k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	34.6k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	34.6k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	34.6k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	34.6k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	34.6k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	34.6k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	34.6k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	34.6k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	34.6k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	34.6k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	34.6k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	34.6k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	34.6k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	34.6k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	34.6k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	34.6k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	34.6k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	34.6k	state[0] ^= a;
185	34.6k	state[1] ^= b;
186	34.6k	state[2] ^= c;
187	34.6k	state[3] ^= d;
188	34.6k	state[4] ^= e;
189	34.6k	state[5] ^= f;
190	34.6k	state[6] ^= g;
191	34.6k	state[7] ^= h;
192	34.6k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	26.6k	{
197	26.6k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	26.6k	{
199	26.6k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	26.6k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	26.6k	};
202
203	26.6k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	26.6k	ctx->count = 0;
207
208		/* Initialize buffer */
209	26.6k	ctx->index = 0;
210	26.6k	}
211
212	34.6k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	60.5k	{
218	60.5k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	60.5k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	25.6k	{
226	25.6k	uint64_t bit_count;
227
228	25.6k	assert(length <= SM3_DIGEST_SIZE);
229
230	25.6k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	25.6k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	25.6k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	25.6k	COMPRESS(ctx, ctx->block);
240
241	25.6k	_nettle_write_be32(length, digest, ctx->state);
242	25.6k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	25.6k	{
249	25.6k	sm3_write_digest(ctx, length, digest);
250	25.6k	sm3_init(ctx);
251	25.6k	}

Coverage Report

Created: 2024-02-25 06:16