/src/nettle-with-libgmp/sm3.c

Line	Count	Source
1		/* sm3.c
2
3		The SM3 hash function.
4
5		Copyright (C) 2017 Jia Zhang
6		Copyright (C) 2021 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
7
8		This file is part of GNU Nettle.
9
10		GNU Nettle is free software: you can redistribute it and/or
11		modify it under the terms of either:
12
13		* the GNU Lesser General Public License as published by the Free
14		Software Foundation; either version 3 of the License, or (at your
15		option) any later version.
16
17		or
18
19		* the GNU General Public License as published by the Free
20		Software Foundation; either version 2 of the License, or (at your
21		option) any later version.
22
23		or both in parallel, as here.
24
25		GNU Nettle is distributed in the hope that it will be useful,
26		but WITHOUT ANY WARRANTY; without even the implied warranty of
27		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28		General Public License for more details.
29
30		You should have received copies of the GNU General Public License and
31		the GNU Lesser General Public License along with this program. If
32		not, see http://www.gnu.org/licenses/.
33		*/
34
35		#if HAVE_CONFIG_H
36		# include "config.h"
37		#endif
38
39		#include <assert.h>
40		#include <string.h>
41
42		#include "sm3.h"
43
44		#include "macros.h"
45		#include "nettle-write.h"
46
47		static const uint32_t K[64] =
48		{
49		0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
50		0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
51		0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
52		0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
53		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
54		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
55		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
56		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
57		0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
58		0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
59		0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
60		0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
61		0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
62		0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
63		0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
64		0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL
65		};
66
67		/*
68		Transform the message X which consists of 16 32-bit-words. See
69		GM/T 004-2012 for details. */
70		#define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \
71	3.87M	do { \
72	3.87M	ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \
73	3.87M	ss2 = ss1 ^ ROTL32(12, (a)); \
74	3.87M	d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \
75	3.87M	h += GG ## i(e, f, g) + ss1 + (w1); \
76	3.87M	b = ROTL32(9, (b)); \
77	3.87M	f = ROTL32(19, (f)); \
78	3.87M	h = P0((h)); \
79	3.87M	} while (0)
80
81	969k	#define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2)
82	2.90M	#define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2)
83
84	969k	#define FF1(x, y, z) (x ^ y ^ z)
85	2.90M	#define FF2(x, y, z) ((x & y) \| (x & z) \| (y & z))
86
87	969k	#define GG1(x, y, z) (x ^ y ^ z)
88	2.90M	#define GG2(x, y, z) ((x & y) \| ( ~x & z))
89
90		/* Message expansion */
91	3.87M	#define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x)))
92		#define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x)))
93		#define I(i) (w[i] = READ_UINT32(input + i * 4))
94		#define W1(i) (w[i & 0x0f])
95		#define W2(i) (w[i & 0x0f] = \
96		P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \
97		^ ROTL32(7, w[(i-13) & 0x0f]) \
98		^ w[(i-6) & 0x0f])
99
100
101		static void
102		sm3_compress(uint32_t state, const uint8_t input)
103	60.5k	{
104	60.5k	uint32_t a, b, c, d, e, f, g, h, ss1, ss2;
105	60.5k	uint32_t w[16];
106
107	60.5k	a = state[0];
108	60.5k	b = state[1];
109	60.5k	c = state[2];
110	60.5k	d = state[3];
111	60.5k	e = state[4];
112	60.5k	f = state[5];
113	60.5k	g = state[6];
114	60.5k	h = state[7];
115
116	60.5k	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
117	60.5k	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
118	60.5k	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
119	60.5k	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
120	60.5k	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
121	60.5k	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
122	60.5k	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
123	60.5k	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
124	60.5k	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
125	60.5k	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
126	60.5k	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
127	60.5k	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
128	60.5k	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
129	60.5k	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
130	60.5k	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
131	60.5k	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
132
133	60.5k	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
134	60.5k	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
135	60.5k	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
136	60.5k	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
137	60.5k	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
138	60.5k	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
139	60.5k	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
140	60.5k	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
141	60.5k	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
142	60.5k	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
143	60.5k	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
144	60.5k	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
145	60.5k	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
146	60.5k	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
147	60.5k	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
148	60.5k	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
149
150	60.5k	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
151	60.5k	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
152	60.5k	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
153	60.5k	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
154	60.5k	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
155	60.5k	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
156	60.5k	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
157	60.5k	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
158	60.5k	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
159	60.5k	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
160	60.5k	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
161	60.5k	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
162	60.5k	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
163	60.5k	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
164	60.5k	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
165	60.5k	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
166
167	60.5k	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
168	60.5k	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
169	60.5k	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
170	60.5k	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
171	60.5k	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
172	60.5k	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
173	60.5k	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
174	60.5k	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
175	60.5k	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
176	60.5k	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
177	60.5k	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
178	60.5k	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
179	60.5k	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
180	60.5k	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
181	60.5k	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
182	60.5k	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
183
184	60.5k	state[0] ^= a;
185	60.5k	state[1] ^= b;
186	60.5k	state[2] ^= c;
187	60.5k	state[3] ^= d;
188	60.5k	state[4] ^= e;
189	60.5k	state[5] ^= f;
190	60.5k	state[6] ^= g;
191	60.5k	state[7] ^= h;
192	60.5k	}
193
194		void
195		sm3_init(struct sm3_ctx *ctx)
196	57.1k	{
197	57.1k	static const uint32_t H0[_SM3_DIGEST_LENGTH] =
198	57.1k	{
199	57.1k	0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
200	57.1k	0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
201	57.1k	};
202
203	57.1k	memcpy(ctx->state, H0, sizeof(H0));
204
205		/* Initialize bit count */
206	57.1k	ctx->count = 0;
207
208		/* Initialize buffer */
209	57.1k	ctx->index = 0;
210	57.1k	}
211
212	60.5k	#define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data)))
213
214		void
215		sm3_update(struct sm3_ctx *ctx,
216		size_t length, const uint8_t *data)
217	112k	{
218	112k	MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++);
219	112k	}
220
221		static void
222		sm3_write_digest(struct sm3_ctx *ctx,
223		size_t length,
224		uint8_t *digest)
225	55.9k	{
226	55.9k	uint64_t bit_count;
227
228	55.9k	assert(length <= SM3_DIGEST_SIZE);
229
230	55.9k	MD_PAD(ctx, 8, COMPRESS);
231
232		/* There are 512 = 2^9 bits in one block */
233	55.9k	bit_count = (ctx->count << 9) \| (ctx->index << 3);
234
235		/* This is slightly inefficient, as the numbers are converted to
236		big-endian format, and will be converted back by the compression
237		function. It's probably not worth the effort to fix this. */
238	55.9k	WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count);
239	55.9k	COMPRESS(ctx, ctx->block);
240
241	55.9k	_nettle_write_be32(length, digest, ctx->state);
242	55.9k	}
243
244		void
245		sm3_digest(struct sm3_ctx *ctx,
246		size_t length,
247		uint8_t *digest)
248	55.9k	{
249	55.9k	sm3_write_digest(ctx, length, digest);
250	55.9k	sm3_init(ctx);
251	55.9k	}

Coverage Report

Created: 2023-09-25 06:34