/src/nettle-with-libgmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	4.11M	do { \
72	4.11M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	4.11M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	4.11M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	4.11M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	4.11M	b = ROTL32(9, (b)); \
77	4.11M	f = ROTL32(19, (f)); \
78	4.11M	h = P0((h)); \
79	4.11M	} while (0)
80
81	1.02M	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	3.08M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	1.02M	#define FF1(x, y, z) (x ^ y ^ z)
85	3.08M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	1.02M	#define GG1(x, y, z) (x ^ y ^ z)
88	3.08M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	4.11M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	64.2k	{
104	64.2k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	64.2k	uint32_t w[16];
106
107	64.2k	a = state[0];
108	64.2k	b = state[1];
109	64.2k	c = state[2];
110	64.2k	d = state[3];
111	64.2k	e = state[4];
112	64.2k	f = state[5];
113	64.2k	g = state[6];
114	64.2k	h = state[7];
115
116	64.2k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	64.2k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	64.2k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	64.2k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	64.2k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	64.2k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	64.2k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	64.2k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	64.2k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	64.2k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	64.2k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	64.2k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	64.2k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	64.2k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	64.2k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	64.2k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	64.2k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	64.2k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	64.2k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	64.2k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	64.2k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	64.2k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	64.2k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	64.2k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	64.2k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	64.2k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	64.2k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	64.2k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	64.2k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	64.2k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	64.2k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	64.2k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	64.2k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	64.2k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	64.2k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	64.2k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	64.2k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	64.2k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	64.2k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	64.2k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	64.2k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	64.2k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	64.2k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	64.2k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	64.2k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	64.2k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	64.2k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	64.2k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	64.2k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	64.2k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	64.2k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	64.2k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	64.2k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	64.2k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	64.2k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	64.2k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	64.2k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	64.2k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	64.2k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	64.2k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	64.2k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	64.2k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	64.2k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	64.2k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	64.2k	state[0] ^= a;
185	64.2k	state[1] ^= b;
186	64.2k	state[2] ^= c;
187	64.2k	state[3] ^= d;
188	64.2k	state[4] ^= e;
189	64.2k	state[5] ^= f;
190	64.2k	state[6] ^= g;
191	64.2k	state[7] ^= h;
192	64.2k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	54.9k	{
197	54.9k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	54.9k	{
199	54.9k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	54.9k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	54.9k	};
202
203	54.9k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	54.9k	ctx->count = 0;
207
208		/* Initialize buffer */
209	54.9k	ctx->index = 0;
210	54.9k	}
211
212	64.2k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	114k	{
218	114k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	114k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	53.7k	{
226	53.7k	uint64_t bit_count;
227
228	53.7k	assert(length <= SM3_DIGEST_SIZE);
229
230	53.7k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	53.7k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	53.7k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	53.7k	COMPRESS(ctx, ctx->block);
240
241	53.7k	_nettle_write_be32(length, digest, ctx->state);
242	53.7k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	53.7k	{
249	53.7k	sm3_write_digest(ctx, length, digest);
250	53.7k	sm3_init(ctx);
251	53.7k	}

Coverage Report

Created: 2023-02-22 06:14