/src/nettle-with-libgmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	1.34M	do { \
72	1.34M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	1.34M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	1.34M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	1.34M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	1.34M	b = ROTL32(9, (b)); \
77	1.34M	f = ROTL32(19, (f)); \
78	1.34M	h = P0((h)); \
79	1.34M	} while (0)
80
81	336k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	1.00M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	336k	#define FF1(x, y, z) (x ^ y ^ z)
85	1.00M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	336k	#define GG1(x, y, z) (x ^ y ^ z)
88	1.00M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	1.34M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	21.0k	{
104	21.0k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	21.0k	uint32_t w[16];
106
107	21.0k	a = state[0];
108	21.0k	b = state[1];
109	21.0k	c = state[2];
110	21.0k	d = state[3];
111	21.0k	e = state[4];
112	21.0k	f = state[5];
113	21.0k	g = state[6];
114	21.0k	h = state[7];
115
116	21.0k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	21.0k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	21.0k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	21.0k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	21.0k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	21.0k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	21.0k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	21.0k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	21.0k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	21.0k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	21.0k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	21.0k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	21.0k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	21.0k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	21.0k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	21.0k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	21.0k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	21.0k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	21.0k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	21.0k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	21.0k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	21.0k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	21.0k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	21.0k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	21.0k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	21.0k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	21.0k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	21.0k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	21.0k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	21.0k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	21.0k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	21.0k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	21.0k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	21.0k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	21.0k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	21.0k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	21.0k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	21.0k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	21.0k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	21.0k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	21.0k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	21.0k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	21.0k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	21.0k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	21.0k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	21.0k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	21.0k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	21.0k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	21.0k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	21.0k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	21.0k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	21.0k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	21.0k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	21.0k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	21.0k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	21.0k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	21.0k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	21.0k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	21.0k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	21.0k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	21.0k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	21.0k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	21.0k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	21.0k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	21.0k	state[0] ^= a;
185	21.0k	state[1] ^= b;
186	21.0k	state[2] ^= c;
187	21.0k	state[3] ^= d;
188	21.0k	state[4] ^= e;
189	21.0k	state[5] ^= f;
190	21.0k	state[6] ^= g;
191	21.0k	state[7] ^= h;
192	21.0k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	16.8k	{
197	16.8k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	16.8k	{
199	16.8k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	16.8k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	16.8k	};
202
203	16.8k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	16.8k	ctx->count = 0;
207
208		/* Initialize buffer */
209	16.8k	ctx->index = 0;
210	16.8k	}
211
212	21.0k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	35.0k	{
218	35.0k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	35.0k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	16.2k	{
226	16.2k	uint64_t bit_count;
227
228	16.2k	assert(length <= SM3_DIGEST_SIZE);
229
230	16.2k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	16.2k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	16.2k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	16.2k	COMPRESS(ctx, ctx->block);
240
241	16.2k	_nettle_write_be32(length, digest, ctx->state);
242	16.2k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	16.2k	{
249	16.2k	sm3_write_digest(ctx, length, digest);
250	16.2k	sm3_init(ctx);
251	16.2k	}

Coverage Report

Created: 2024-06-28 06:39