1 /* sm3.c - Functions to compute SM3 message digest of files or memory blocks
2 according to the specification GM/T 004-2012 Cryptographic Hash Algorithm
3 SM3, published by State Encryption Management Bureau, China.
5 SM3 cryptographic hash algorithm.
6 <http://www.sca.gov.cn/sca/xwdt/2010-12/17/content_1002389.shtml>
8 Copyright (C) 2017-2024 Free Software Foundation, Inc.
10 This file is free software: you can redistribute it and/or modify
11 it under the terms of the GNU Lesser General Public License as
12 published by the Free Software Foundation; either version 2.1 of the
13 License, or (at your option) any later version.
15 This file is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with this program. If not, see <https://www.gnu.org/licenses/>. */
23 /* Written by Jia Zhang <qianyue.zj@alibaba-inc.com>, 2017,
24 considerably copypasting from David Madore's sha256.c */
30 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
38 #ifdef WORDS_BIGENDIAN
41 # define SWAP(n) bswap_32 (n)
49 # define dbg_printf(fmt, ...) do { } while (0)
51 # define dbg_printf printf
54 #if ! HAVE_OPENSSL_SM3
56 /* This array contains the bytes used to pad the buffer to the next
58 static const unsigned char fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
62 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
63 initializes it to the start constants of the SM3 algorithm. This
64 must be called before using hash in the call to sm3_hash
67 sm3_init_ctx (struct sm3_ctx
*ctx
)
69 ctx
->state
[0] = 0x7380166fUL
;
70 ctx
->state
[1] = 0x4914b2b9UL
;
71 ctx
->state
[2] = 0x172442d7UL
;
72 ctx
->state
[3] = 0xda8a0600UL
;
73 ctx
->state
[4] = 0xa96f30bcUL
;
74 ctx
->state
[5] = 0x163138aaUL
;
75 ctx
->state
[6] = 0xe38dee4dUL
;
76 ctx
->state
[7] = 0xb0fb0e4eUL
;
78 ctx
->total
[0] = ctx
->total
[1] = 0;
82 /* Copy the value from v into the memory location pointed to by *cp,
83 If your architecture allows unaligned access this is equivalent to
84 * (uint32_t *) cp = v */
86 set_uint32 (char *cp
, uint32_t v
)
88 memcpy (cp
, &v
, sizeof v
);
91 /* Put result from CTX in first 32 bytes following RESBUF. The result
92 must be in little endian byte order. */
94 sm3_read_ctx (const struct sm3_ctx
*ctx
, void *resbuf
)
99 for (i
= 0; i
< 8; i
++)
100 set_uint32 (r
+ i
* sizeof ctx
->state
[0], SWAP (ctx
->state
[i
]));
105 /* Process the remaining bytes in the internal buffer and the usual
106 prolog according to the standard and write the result to RESBUF. */
108 sm3_conclude_ctx (struct sm3_ctx
*ctx
)
110 /* Take yet unprocessed bytes into account. */
111 size_t bytes
= ctx
->buflen
;
112 size_t size
= (bytes
< 56) ? 64 / 4 : 64 * 2 / 4;
114 /* Now count remaining bytes. */
115 ctx
->total
[0] += bytes
;
116 if (ctx
->total
[0] < bytes
)
119 /* Put the 64-bit file length in *bits* at the end of the buffer.
120 Use set_uint32 rather than a simple assignment, to avoid risk of
122 set_uint32 ((char *) &ctx
->buffer
[size
- 2],
123 SWAP ((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 29)));
124 set_uint32 ((char *) &ctx
->buffer
[size
- 1],
125 SWAP (ctx
->total
[0] << 3));
127 memcpy (&((char *) ctx
->buffer
)[bytes
], fillbuf
, (size
- 2) * 4 - bytes
);
129 /* Process last bytes. */
130 sm3_process_block (ctx
->buffer
, size
* 4, ctx
);
134 sm3_finish_ctx (struct sm3_ctx
*ctx
, void *resbuf
)
136 sm3_conclude_ctx (ctx
);
137 return sm3_read_ctx (ctx
, resbuf
);
140 /* Compute SM3 message digest for LEN bytes beginning at BUFFER. The
141 result is always in little endian byte order, so that a byte-wise
142 output yields to the wanted ASCII representation of the message
145 sm3_buffer (const char *buffer
, size_t len
, void *resblock
)
149 /* Initialize the computation context. */
152 /* Process whole buffer but last len % 64 bytes. */
153 sm3_process_bytes (buffer
, len
, &ctx
);
155 /* Put result in desired memory area. */
156 return sm3_finish_ctx (&ctx
, resblock
);
160 sm3_process_bytes (const void *buffer
, size_t len
, struct sm3_ctx
*ctx
)
162 /* When we already have some bits in our internal buffer concatenate
163 both inputs first. */
164 if (ctx
->buflen
!= 0)
166 size_t left_over
= ctx
->buflen
;
167 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
169 memcpy (&((char *) ctx
->buffer
)[left_over
], buffer
, add
);
172 if (ctx
->buflen
> 64)
174 sm3_process_block (ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
177 /* The regions in the following copy operation cannot overlap,
178 because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
180 &((char *) ctx
->buffer
)[(left_over
+ add
) & ~63],
184 buffer
= (const char *) buffer
+ add
;
188 /* Process available complete blocks. */
191 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
192 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
193 if (UNALIGNED_P (buffer
))
196 sm3_process_block (memcpy (ctx
->buffer
, buffer
, 64), 64, ctx
);
197 buffer
= (const char *) buffer
+ 64;
203 sm3_process_block (buffer
, len
& ~63, ctx
);
204 buffer
= (const char *) buffer
+ (len
& ~63);
209 /* Move remaining bytes in internal buffer. */
212 size_t left_over
= ctx
->buflen
;
214 memcpy (&((char *) ctx
->buffer
)[left_over
], buffer
, len
);
218 sm3_process_block (ctx
->buffer
, 64, ctx
);
220 /* The regions in the following copy operation cannot overlap,
221 because left_over ≤ 64. */
222 memcpy (ctx
->buffer
, &ctx
->buffer
[16], left_over
);
224 ctx
->buflen
= left_over
;
228 /* --- Code below is the primary difference between sha256.c and sm3.c --- */
230 /* SM3 round constants */
231 #define T(j) sm3_round_constants[j]
232 static const uint32_t sm3_round_constants
[64] = {
233 0x79cc4519UL
, 0xf3988a32UL
, 0xe7311465UL
, 0xce6228cbUL
,
234 0x9cc45197UL
, 0x3988a32fUL
, 0x7311465eUL
, 0xe6228cbcUL
,
235 0xcc451979UL
, 0x988a32f3UL
, 0x311465e7UL
, 0x6228cbceUL
,
236 0xc451979cUL
, 0x88a32f39UL
, 0x11465e73UL
, 0x228cbce6UL
,
237 0x9d8a7a87UL
, 0x3b14f50fUL
, 0x7629ea1eUL
, 0xec53d43cUL
,
238 0xd8a7a879UL
, 0xb14f50f3UL
, 0x629ea1e7UL
, 0xc53d43ceUL
,
239 0x8a7a879dUL
, 0x14f50f3bUL
, 0x29ea1e76UL
, 0x53d43cecUL
,
240 0xa7a879d8UL
, 0x4f50f3b1UL
, 0x9ea1e762UL
, 0x3d43cec5UL
,
241 0x7a879d8aUL
, 0xf50f3b14UL
, 0xea1e7629UL
, 0xd43cec53UL
,
242 0xa879d8a7UL
, 0x50f3b14fUL
, 0xa1e7629eUL
, 0x43cec53dUL
,
243 0x879d8a7aUL
, 0x0f3b14f5UL
, 0x1e7629eaUL
, 0x3cec53d4UL
,
244 0x79d8a7a8UL
, 0xf3b14f50UL
, 0xe7629ea1UL
, 0xcec53d43UL
,
245 0x9d8a7a87UL
, 0x3b14f50fUL
, 0x7629ea1eUL
, 0xec53d43cUL
,
246 0xd8a7a879UL
, 0xb14f50f3UL
, 0x629ea1e7UL
, 0xc53d43ceUL
,
247 0x8a7a879dUL
, 0x14f50f3bUL
, 0x29ea1e76UL
, 0x53d43cecUL
,
248 0xa7a879d8UL
, 0x4f50f3b1UL
, 0x9ea1e762UL
, 0x3d43cec5UL
,
251 /* Round functions. */
252 #define FF1(X,Y,Z) ( X ^ Y ^ Z )
253 #define FF2(X,Y,Z) ( ( X & Y ) | ( X & Z ) | ( Y & Z ) )
254 #define GG1(X,Y,Z) ( X ^ Y ^ Z )
255 #define GG2(X,Y,Z) ( ( X & Y ) | ( ~X & Z ) )
257 /* Process LEN bytes of BUFFER, accumulating context into CTX.
258 It is assumed that LEN % 64 == 0.
259 Most of this code comes from David Madore's sha256.c. */
262 sm3_process_block (const void *buffer
, size_t len
, struct sm3_ctx
*ctx
)
264 const uint32_t *words
= buffer
;
265 size_t nwords
= len
/ sizeof (uint32_t);
266 const uint32_t *endp
= words
+ nwords
;
268 uint32_t a
= ctx
->state
[0];
269 uint32_t b
= ctx
->state
[1];
270 uint32_t c
= ctx
->state
[2];
271 uint32_t d
= ctx
->state
[3];
272 uint32_t e
= ctx
->state
[4];
273 uint32_t f
= ctx
->state
[5];
274 uint32_t g
= ctx
->state
[6];
275 uint32_t h
= ctx
->state
[7];
276 uint32_t lolen
= len
;
278 /* First increment the byte count. GM/T 004-2012 specifies the possible
279 length of the file up to 2^64 bits. Here we only compute the
280 number of bytes. Do a double word increment. */
281 ctx
->total
[0] += lolen
;
282 ctx
->total
[1] += (len
>> 31 >> 1) + (ctx
->total
[0] < lolen
);
284 #define rol(x, n) (((x) << ((n) & 31)) | ((x) >> ((32 - (n)) & 31)))
285 #define P0(x) ((x)^rol(x,9)^rol(x,17))
286 #define P1(x) ((x)^rol(x,15)^rol(x,23))
288 #define W1(I) ( x[I&0x0f] )
289 #define W2(I) ( tw = P1(x[I&0x0f]^x[(I-9)&0x0f]^rol(x[(I-3)&0x0f],15)) \
290 ^ rol(x[(I-13)&0x0f],7) ^ x[(I-6)&0x0f] \
293 #define R(i,A,B,C,D,E,F,G,H,T,W1,W2) \
296 dbg_printf("%2d %08x %08x %08x %08x %08x %08x %08x %08x\n", \
297 j-1, A, B, C, D, E, F, G, H); \
298 ss1 = rol(rol(A,12) + E + T,7); \
299 ss2 = ss1 ^ rol(A,12); \
300 D += FF##i(A,B,C) + ss2 + (W1 ^ W2); \
301 H += GG##i(E,F,G) + ss1 + W1; \
307 #define R1(A,B,C,D,E,F,G,H,T,W1,W2) R(1,A,B,C,D,E,F,G,H,T,W1,W2)
308 #define R2(A,B,C,D,E,F,G,H,T,W1,W2) R(2,A,B,C,D,E,F,G,H,T,W1,W2)
316 for (j
= 0; j
< 16; j
++)
318 x
[j
] = SWAP (*words
);
324 dbg_printf (" j A B C D E "
326 " %08x %08x %08x %08x %08x %08x %08x %08x\n",
327 a
, b
, c
, d
, e
, f
, g
, h
);
329 R1( a
, b
, c
, d
, e
, f
, g
, h
, T( 0), W1( 0), W1( 4) );
330 R1( d
, a
, b
, c
, h
, e
, f
, g
, T( 1), W1( 1), W1( 5) );
331 R1( c
, d
, a
, b
, g
, h
, e
, f
, T( 2), W1( 2), W1( 6) );
332 R1( b
, c
, d
, a
, f
, g
, h
, e
, T( 3), W1( 3), W1( 7) );
333 R1( a
, b
, c
, d
, e
, f
, g
, h
, T( 4), W1( 4), W1( 8) );
334 R1( d
, a
, b
, c
, h
, e
, f
, g
, T( 5), W1( 5), W1( 9) );
335 R1( c
, d
, a
, b
, g
, h
, e
, f
, T( 6), W1( 6), W1(10) );
336 R1( b
, c
, d
, a
, f
, g
, h
, e
, T( 7), W1( 7), W1(11) );
337 R1( a
, b
, c
, d
, e
, f
, g
, h
, T( 8), W1( 8), W1(12) );
338 R1( d
, a
, b
, c
, h
, e
, f
, g
, T( 9), W1( 9), W1(13) );
339 R1( c
, d
, a
, b
, g
, h
, e
, f
, T(10), W1(10), W1(14) );
340 R1( b
, c
, d
, a
, f
, g
, h
, e
, T(11), W1(11), W1(15) );
341 R1( a
, b
, c
, d
, e
, f
, g
, h
, T(12), W1(12), W2(16) );
342 R1( d
, a
, b
, c
, h
, e
, f
, g
, T(13), W1(13), W2(17) );
343 R1( c
, d
, a
, b
, g
, h
, e
, f
, T(14), W1(14), W2(18) );
344 R1( b
, c
, d
, a
, f
, g
, h
, e
, T(15), W1(15), W2(19) );
345 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(16), W1(16), W2(20) );
346 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(17), W1(17), W2(21) );
347 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(18), W1(18), W2(22) );
348 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(19), W1(19), W2(23) );
349 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(20), W1(20), W2(24) );
350 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(21), W1(21), W2(25) );
351 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(22), W1(22), W2(26) );
352 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(23), W1(23), W2(27) );
353 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(24), W1(24), W2(28) );
354 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(25), W1(25), W2(29) );
355 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(26), W1(26), W2(30) );
356 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(27), W1(27), W2(31) );
357 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(28), W1(28), W2(32) );
358 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(29), W1(29), W2(33) );
359 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(30), W1(30), W2(34) );
360 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(31), W1(31), W2(35) );
361 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(32), W1(32), W2(36) );
362 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(33), W1(33), W2(37) );
363 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(34), W1(34), W2(38) );
364 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(35), W1(35), W2(39) );
365 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(36), W1(36), W2(40) );
366 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(37), W1(37), W2(41) );
367 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(38), W1(38), W2(42) );
368 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(39), W1(39), W2(43) );
369 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(40), W1(40), W2(44) );
370 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(41), W1(41), W2(45) );
371 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(42), W1(42), W2(46) );
372 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(43), W1(43), W2(47) );
373 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(44), W1(44), W2(48) );
374 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(45), W1(45), W2(49) );
375 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(46), W1(46), W2(50) );
376 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(47), W1(47), W2(51) );
377 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(48), W1(48), W2(52) );
378 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(49), W1(49), W2(53) );
379 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(50), W1(50), W2(54) );
380 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(51), W1(51), W2(55) );
381 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(52), W1(52), W2(56) );
382 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(53), W1(53), W2(57) );
383 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(54), W1(54), W2(58) );
384 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(55), W1(55), W2(59) );
385 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(56), W1(56), W2(60) );
386 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(57), W1(57), W2(61) );
387 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(58), W1(58), W2(62) );
388 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(59), W1(59), W2(63) );
389 R2( a
, b
, c
, d
, e
, f
, g
, h
, T(60), W1(60), W2(64) );
390 R2( d
, a
, b
, c
, h
, e
, f
, g
, T(61), W1(61), W2(65) );
391 R2( c
, d
, a
, b
, g
, h
, e
, f
, T(62), W1(62), W2(66) );
392 R2( b
, c
, d
, a
, f
, g
, h
, e
, T(63), W1(63), W2(67) );
394 dbg_printf("%2d %08x %08x %08x %08x %08x %08x %08x %08x\n",
395 j
, a
, b
, c
, d
, e
, f
, g
, h
);
397 a
= ctx
->state
[0] ^= a
;
398 b
= ctx
->state
[1] ^= b
;
399 c
= ctx
->state
[2] ^= c
;
400 d
= ctx
->state
[3] ^= d
;
401 e
= ctx
->state
[4] ^= e
;
402 f
= ctx
->state
[5] ^= f
;
403 g
= ctx
->state
[6] ^= g
;
404 h
= ctx
->state
[7] ^= h
;