/src/nettle-with-mini-gmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	1.99M	do { \
72	1.99M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	1.99M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	1.99M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	1.99M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	1.99M	b = ROTL32(9, (b)); \
77	1.99M	f = ROTL32(19, (f)); \
78	1.99M	h = P0((h)); \
79	1.99M	} while (0)
80
81	497k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	1.49M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	497k	#define FF1(x, y, z) (x ^ y ^ z)
85	1.49M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	497k	#define GG1(x, y, z) (x ^ y ^ z)
88	1.49M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	1.99M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	31.1k	{
104	31.1k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	31.1k	uint32_t w[16];
106
107	31.1k	a = state[0];
108	31.1k	b = state[1];
109	31.1k	c = state[2];
110	31.1k	d = state[3];
111	31.1k	e = state[4];
112	31.1k	f = state[5];
113	31.1k	g = state[6];
114	31.1k	h = state[7];
115
116	31.1k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	31.1k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	31.1k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	31.1k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	31.1k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	31.1k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	31.1k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	31.1k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	31.1k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	31.1k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	31.1k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	31.1k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	31.1k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	31.1k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	31.1k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	31.1k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	31.1k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	31.1k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	31.1k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	31.1k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	31.1k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	31.1k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	31.1k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	31.1k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	31.1k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	31.1k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	31.1k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	31.1k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	31.1k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	31.1k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	31.1k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	31.1k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	31.1k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	31.1k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	31.1k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	31.1k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	31.1k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	31.1k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	31.1k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	31.1k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	31.1k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	31.1k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	31.1k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	31.1k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	31.1k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	31.1k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	31.1k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	31.1k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	31.1k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	31.1k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	31.1k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	31.1k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	31.1k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	31.1k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	31.1k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	31.1k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	31.1k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	31.1k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	31.1k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	31.1k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	31.1k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	31.1k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	31.1k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	31.1k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	31.1k	state[0] ^= a;
185	31.1k	state[1] ^= b;
186	31.1k	state[2] ^= c;
187	31.1k	state[3] ^= d;
188	31.1k	state[4] ^= e;
189	31.1k	state[5] ^= f;
190	31.1k	state[6] ^= g;
191	31.1k	state[7] ^= h;
192	31.1k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	18.9k	{
197	18.9k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	18.9k	{
199	18.9k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	18.9k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	18.9k	};
202
203	18.9k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	18.9k	ctx->count = 0;
207
208		/* Initialize buffer */
209	18.9k	ctx->index = 0;
210	18.9k	}
211
212	31.1k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	42.0k	{
218	42.0k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	42.0k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	18.4k	{
226	18.4k	uint64_t bit_count;
227
228	18.4k	assert(length <= SM3_DIGEST_SIZE);
229
230	18.4k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	18.4k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	18.4k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	18.4k	COMPRESS(ctx, ctx->block);
240
241	18.4k	_nettle_write_be32(length, digest, ctx->state);
242	18.4k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	18.4k	{
249	18.4k	sm3_write_digest(ctx, length, digest);
250	18.4k	sm3_init(ctx);
251	18.4k	}

Coverage Report

Created: 2024-06-28 06:39