search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
autoupdate
[gnulib.git] / lib / sm3.c
blobdf357d199cfcb9371da188c52b1b6de8509e4fdf
1 /* sm3.c - Functions to compute SM3 message digest of files or memory blocks
2 according to the specification GM/T 004-2012 Cryptographic Hash Algorithm
3 SM3, published by State Encryption Management Bureau, China.
4
5 SM3 cryptographic hash algorithm.
6 <http://www.sca.gov.cn/sca/xwdt/2010-12/17/content_1002389.shtml>
7
8 Copyright (C) 2017-2019 Free Software Foundation, Inc.
9
10 This program is free software: you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation, either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <https://www.gnu.org/licenses/>. */
22
23 /* Written by Jia Zhang <qianyue.zj@alibaba-inc.com>, 2017,
24 considerably copypasting from David Madore's sha256.c */
25
26 #ifndef DEBUG_SM3
27 # define DEBUG_SM3 0
28 #endif
29
30 #include <config.h>
31
32 #if HAVE_OPENSSL_SM3
33 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
34 #endif
35 #include "sm3.h"
36
37 #include <stdalign.h>
38 #include <stdint.h>
39 #include <stdlib.h>
40 #include <string.h>
41
42 #if USE_UNLOCKED_IO
43 # include "unlocked-io.h"
44 #endif
45
46 #if ! DEBUG_SM3
47 # define dbg_printf(fmt, ...) do { } while (0)
48 #else
49 # define dbg_printf printf
50 #endif
51
52 #include <byteswap.h>
53 #ifdef WORDS_BIGENDIAN
54 # define SWAP(n) (n)
55 #else
56 # define SWAP(n) bswap_32 (n)
57 #endif
58
59 #define BLOCKSIZE 32768
60 #if BLOCKSIZE % 64 != 0
61 # error "invalid BLOCKSIZE"
62 #endif
63
64 #if ! HAVE_OPENSSL_SM3
65 /* This array contains the bytes used to pad the buffer to the next
66 64-byte boundary. */
67 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
68
69
70 /*
71 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
72 initializes it to the start constants of the SM3 algorithm. This
73 must be called before using hash in the call to sm3_hash
74 */
75 void
76 sm3_init_ctx (struct sm3_ctx *ctx)
77 {
78 ctx->state[0] = 0x7380166fUL;
79 ctx->state[1] = 0x4914b2b9UL;
80 ctx->state[2] = 0x172442d7UL;
81 ctx->state[3] = 0xda8a0600UL;
82 ctx->state[4] = 0xa96f30bcUL;
83 ctx->state[5] = 0x163138aaUL;
84 ctx->state[6] = 0xe38dee4dUL;
85 ctx->state[7] = 0xb0fb0e4eUL;
86
87 ctx->total[0] = ctx->total[1] = 0;
88 ctx->buflen = 0;
89 }
90
91 /* Copy the value from v into the memory location pointed to by *cp,
92 If your architecture allows unaligned access this is equivalent to
93 * (uint32_t *) cp = v */
94 static void
95 set_uint32 (char *cp, uint32_t v)
96 {
97 memcpy (cp, &v, sizeof v);
98 }
99
100 /* Put result from CTX in first 32 bytes following RESBUF. The result
101 must be in little endian byte order. */
102 void *
103 sm3_read_ctx (const struct sm3_ctx *ctx, void *resbuf)
104 {
105 int i;
106 char *r = resbuf;
107
108 for (i = 0; i < 8; i++)
109 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
110
111 return resbuf;
112 }
113
114 /* Process the remaining bytes in the internal buffer and the usual
115 prolog according to the standard and write the result to RESBUF. */
116 static void
117 sm3_conclude_ctx (struct sm3_ctx *ctx)
118 {
119 /* Take yet unprocessed bytes into account. */
120 size_t bytes = ctx->buflen;
121 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
122
123 /* Now count remaining bytes. */
124 ctx->total[0] += bytes;
125 if (ctx->total[0] < bytes)
126 ++ctx->total[1];
127
128 /* Put the 64-bit file length in *bits* at the end of the buffer.
129 Use set_uint32 rather than a simple assignment, to avoid risk of
130 unaligned access. */
131 set_uint32 ((char *) &ctx->buffer[size - 2],
132 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
133 set_uint32 ((char *) &ctx->buffer[size - 1],
134 SWAP (ctx->total[0] << 3));
135
136 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
137
138 /* Process last bytes. */
139 sm3_process_block (ctx->buffer, size * 4, ctx);
140 }
141
142 void *
143 sm3_finish_ctx (struct sm3_ctx *ctx, void *resbuf)
144 {
145 sm3_conclude_ctx (ctx);
146 return sm3_read_ctx (ctx, resbuf);
147 }
148 #endif
149
150 /* Compute SM3 message digest for bytes read from STREAM. The
151 resulting message digest number will be written into the 32 bytes
152 beginning at RESBLOCK. */
153 int
154 sm3_stream (FILE *stream, void *resblock)
155 {
156 struct sm3_ctx ctx;
157 size_t sum;
158
159 char *buffer = malloc (BLOCKSIZE + 72);
160 if (!buffer)
161 return 1;
162
163 /* Initialize the computation context. */
164 sm3_init_ctx (&ctx);
165
166 /* Iterate over full file contents. */
167 while (1)
168 {
169 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
170 computation function processes the whole buffer so that with the
171 next round of the loop another block can be read. */
172 size_t n;
173 sum = 0;
174
175 /* Read block. Take care for partial reads. */
176 while (1)
177 {
178 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
179
180 sum += n;
181
182 if (sum == BLOCKSIZE)
183 break;
184
185 if (n == 0)
186 {
187 /* Check for the error flag IFF N == 0, so that we don't
188 exit the loop after a partial read due to e.g., EAGAIN
189 or EWOULDBLOCK. */
190 if (ferror (stream))
191 {
192 free (buffer);
193 return 1;
194 }
195 goto process_partial_block;
196 }
197
198 /* We've read at least one byte, so ignore errors. But always
199 check for EOF, since feof may be true even though N > 0.
200 Otherwise, we could end up calling fread after EOF. */
201 if (feof (stream))
202 goto process_partial_block;
203 }
204
205 /* Process buffer with BLOCKSIZE bytes. Note that
206 BLOCKSIZE % 64 == 0
207 */
208 sm3_process_block (buffer, BLOCKSIZE, &ctx);
209 }
210
211 process_partial_block:;
212
213 /* Process any remaining bytes. */
214 if (sum > 0)
215 sm3_process_bytes (buffer, sum, &ctx);
216
217 /* Construct result in desired memory. */
218 sm3_finish_ctx (&ctx, resblock);
219 free (buffer);
220 return 0;
221 }
222
223 #if ! HAVE_OPENSSL_SM3
224 /* Compute SM3 message digest for LEN bytes beginning at BUFFER. The
225 result is always in little endian byte order, so that a byte-wise
226 output yields to the wanted ASCII representation of the message
227 digest. */
228 void *
229 sm3_buffer (const char *buffer, size_t len, void *resblock)
230 {
231 struct sm3_ctx ctx;
232
233 /* Initialize the computation context. */
234 sm3_init_ctx (&ctx);
235
236 /* Process whole buffer but last len % 64 bytes. */
237 sm3_process_bytes (buffer, len, &ctx);
238
239 /* Put result in desired memory area. */
240 return sm3_finish_ctx (&ctx, resblock);
241 }
242
243 void
244 sm3_process_bytes (const void *buffer, size_t len, struct sm3_ctx *ctx)
245 {
246 /* When we already have some bits in our internal buffer concatenate
247 both inputs first. */
248 if (ctx->buflen != 0)
249 {
250 size_t left_over = ctx->buflen;
251 size_t add = 128 - left_over > len ? len : 128 - left_over;
252
253 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
254 ctx->buflen += add;
255
256 if (ctx->buflen > 64)
257 {
258 sm3_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
259
260 ctx->buflen &= 63;
261 /* The regions in the following copy operation cannot overlap,
262 because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
263 memcpy (ctx->buffer,
264 &((char *) ctx->buffer)[(left_over + add) & ~63],
265 ctx->buflen);
266 }
267
268 buffer = (const char *) buffer + add;
269 len -= add;
270 }
271
272 /* Process available complete blocks. */
273 if (len >= 64)
274 {
275 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
276 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
277 if (UNALIGNED_P (buffer))
278 while (len > 64)
279 {
280 sm3_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
281 buffer = (const char *) buffer + 64;
282 len -= 64;
283 }
284 else
285 #endif
286 {
287 sm3_process_block (buffer, len & ~63, ctx);
288 buffer = (const char *) buffer + (len & ~63);
289 len &= 63;
290 }
291 }
292
293 /* Move remaining bytes in internal buffer. */
294 if (len > 0)
295 {
296 size_t left_over = ctx->buflen;
297
298 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
299 left_over += len;
300 if (left_over >= 64)
301 {
302 sm3_process_block (ctx->buffer, 64, ctx);
303 left_over -= 64;
304 /* The regions in the following copy operation cannot overlap,
305 because left_over ≤ 64. */
306 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
307 }
308 ctx->buflen = left_over;
309 }
310 }
311
312 /* --- Code below is the primary difference between sha256.c and sm3.c --- */
313
314 /* SM3 round constants */
315 #define T(j) sm3_round_constants[j]
316 static const uint32_t sm3_round_constants[64] = {
317 0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
318 0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
319 0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
320 0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
321 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
322 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
323 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
324 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
325 0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
326 0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
327 0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
328 0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
329 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
330 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
331 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
332 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
333 };
334
335 /* Round functions. */
336 #define FF1(X,Y,Z) ( X ^ Y ^ Z )
337 #define FF2(X,Y,Z) ( ( X & Y ) | ( X & Z ) | ( Y & Z ) )
338 #define GG1(X,Y,Z) ( X ^ Y ^ Z )
339 #define GG2(X,Y,Z) ( ( X & Y ) | ( ~X & Z ) )
340
341 /* Process LEN bytes of BUFFER, accumulating context into CTX.
342 It is assumed that LEN % 64 == 0.
343 Most of this code comes from David Madore's sha256.c. */
344
345 void
346 sm3_process_block (const void *buffer, size_t len, struct sm3_ctx *ctx)
347 {
348 const uint32_t *words = buffer;
349 size_t nwords = len / sizeof (uint32_t);
350 const uint32_t *endp = words + nwords;
351 uint32_t x[16];
352 uint32_t a = ctx->state[0];
353 uint32_t b = ctx->state[1];
354 uint32_t c = ctx->state[2];
355 uint32_t d = ctx->state[3];
356 uint32_t e = ctx->state[4];
357 uint32_t f = ctx->state[5];
358 uint32_t g = ctx->state[6];
359 uint32_t h = ctx->state[7];
360 uint32_t lolen = len;
361
362 /* First increment the byte count. GM/T 004-2012 specifies the possible
363 length of the file up to 2^64 bits. Here we only compute the
364 number of bytes. Do a double word increment. */
365 ctx->total[0] += lolen;
366 ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
367
368 #define rol(x, n) (((x) << ((n) & 31)) | ((x) >> ((32 - (n)) & 31)))
369 #define P0(x) ((x)^rol(x,9)^rol(x,17))
370 #define P1(x) ((x)^rol(x,15)^rol(x,23))
371
372 #define W1(I) ( x[I&0x0f] )
373 #define W2(I) ( tw = P1(x[I&0x0f]^x[(I-9)&0x0f]^rol(x[(I-3)&0x0f],15)) \
374 ^ rol(x[(I-13)&0x0f],7) ^ x[(I-6)&0x0f] \
375 , x[I&0x0f] = tw )
376
377 #define R(i,A,B,C,D,E,F,G,H,T,W1,W2) \
378 do { \
379 if (++j) \
380 dbg_printf("%2d %08x %08x %08x %08x %08x %08x %08x %08x\n", \
381 j-1, A, B, C, D, E, F, G, H); \
382 ss1 = rol(rol(A,12) + E + T,7); \
383 ss2 = ss1 ^ rol(A,12); \
384 D += FF##i(A,B,C) + ss2 + (W1 ^ W2); \
385 H += GG##i(E,F,G) + ss1 + W1; \
386 B = rol(B,9); \
387 F = rol(F,19); \
388 H = P0(H); \
389 } while(0)
390
391 #define R1(A,B,C,D,E,F,G,H,T,W1,W2) R(1,A,B,C,D,E,F,G,H,T,W1,W2)
392 #define R2(A,B,C,D,E,F,G,H,T,W1,W2) R(2,A,B,C,D,E,F,G,H,T,W1,W2)
393
394 while (words < endp)
395 {
396 uint32_t tw;
397 uint32_t ss1, ss2;
398 int j;
399
400 for (j = 0; j < 16; j++)
401 {
402 x[j] = SWAP (*words);
403 words++;
404 }
405
406 j = -1;
407
408 dbg_printf (" j A B C D E "
409 " F G H\n");
410 dbg_printf (" %08x %08x %08x %08x %08x %08x %08x %08x\n",
411 a, b, c, d, e, f, g, h);
412
413 R1( a, b, c, d, e, f, g, h, T( 0), W1( 0), W1( 4) );
414 R1( d, a, b, c, h, e, f, g, T( 1), W1( 1), W1( 5) );
415 R1( c, d, a, b, g, h, e, f, T( 2), W1( 2), W1( 6) );
416 R1( b, c, d, a, f, g, h, e, T( 3), W1( 3), W1( 7) );
417 R1( a, b, c, d, e, f, g, h, T( 4), W1( 4), W1( 8) );
418 R1( d, a, b, c, h, e, f, g, T( 5), W1( 5), W1( 9) );
419 R1( c, d, a, b, g, h, e, f, T( 6), W1( 6), W1(10) );
420 R1( b, c, d, a, f, g, h, e, T( 7), W1( 7), W1(11) );
421 R1( a, b, c, d, e, f, g, h, T( 8), W1( 8), W1(12) );
422 R1( d, a, b, c, h, e, f, g, T( 9), W1( 9), W1(13) );
423 R1( c, d, a, b, g, h, e, f, T(10), W1(10), W1(14) );
424 R1( b, c, d, a, f, g, h, e, T(11), W1(11), W1(15) );
425 R1( a, b, c, d, e, f, g, h, T(12), W1(12), W2(16) );
426 R1( d, a, b, c, h, e, f, g, T(13), W1(13), W2(17) );
427 R1( c, d, a, b, g, h, e, f, T(14), W1(14), W2(18) );
428 R1( b, c, d, a, f, g, h, e, T(15), W1(15), W2(19) );
429 R2( a, b, c, d, e, f, g, h, T(16), W1(16), W2(20) );
430 R2( d, a, b, c, h, e, f, g, T(17), W1(17), W2(21) );
431 R2( c, d, a, b, g, h, e, f, T(18), W1(18), W2(22) );
432 R2( b, c, d, a, f, g, h, e, T(19), W1(19), W2(23) );
433 R2( a, b, c, d, e, f, g, h, T(20), W1(20), W2(24) );
434 R2( d, a, b, c, h, e, f, g, T(21), W1(21), W2(25) );
435 R2( c, d, a, b, g, h, e, f, T(22), W1(22), W2(26) );
436 R2( b, c, d, a, f, g, h, e, T(23), W1(23), W2(27) );
437 R2( a, b, c, d, e, f, g, h, T(24), W1(24), W2(28) );
438 R2( d, a, b, c, h, e, f, g, T(25), W1(25), W2(29) );
439 R2( c, d, a, b, g, h, e, f, T(26), W1(26), W2(30) );
440 R2( b, c, d, a, f, g, h, e, T(27), W1(27), W2(31) );
441 R2( a, b, c, d, e, f, g, h, T(28), W1(28), W2(32) );
442 R2( d, a, b, c, h, e, f, g, T(29), W1(29), W2(33) );
443 R2( c, d, a, b, g, h, e, f, T(30), W1(30), W2(34) );
444 R2( b, c, d, a, f, g, h, e, T(31), W1(31), W2(35) );
445 R2( a, b, c, d, e, f, g, h, T(32), W1(32), W2(36) );
446 R2( d, a, b, c, h, e, f, g, T(33), W1(33), W2(37) );
447 R2( c, d, a, b, g, h, e, f, T(34), W1(34), W2(38) );
448 R2( b, c, d, a, f, g, h, e, T(35), W1(35), W2(39) );
449 R2( a, b, c, d, e, f, g, h, T(36), W1(36), W2(40) );
450 R2( d, a, b, c, h, e, f, g, T(37), W1(37), W2(41) );
451 R2( c, d, a, b, g, h, e, f, T(38), W1(38), W2(42) );
452 R2( b, c, d, a, f, g, h, e, T(39), W1(39), W2(43) );
453 R2( a, b, c, d, e, f, g, h, T(40), W1(40), W2(44) );
454 R2( d, a, b, c, h, e, f, g, T(41), W1(41), W2(45) );
455 R2( c, d, a, b, g, h, e, f, T(42), W1(42), W2(46) );
456 R2( b, c, d, a, f, g, h, e, T(43), W1(43), W2(47) );
457 R2( a, b, c, d, e, f, g, h, T(44), W1(44), W2(48) );
458 R2( d, a, b, c, h, e, f, g, T(45), W1(45), W2(49) );
459 R2( c, d, a, b, g, h, e, f, T(46), W1(46), W2(50) );
460 R2( b, c, d, a, f, g, h, e, T(47), W1(47), W2(51) );
461 R2( a, b, c, d, e, f, g, h, T(48), W1(48), W2(52) );
462 R2( d, a, b, c, h, e, f, g, T(49), W1(49), W2(53) );
463 R2( c, d, a, b, g, h, e, f, T(50), W1(50), W2(54) );
464 R2( b, c, d, a, f, g, h, e, T(51), W1(51), W2(55) );
465 R2( a, b, c, d, e, f, g, h, T(52), W1(52), W2(56) );
466 R2( d, a, b, c, h, e, f, g, T(53), W1(53), W2(57) );
467 R2( c, d, a, b, g, h, e, f, T(54), W1(54), W2(58) );
468 R2( b, c, d, a, f, g, h, e, T(55), W1(55), W2(59) );
469 R2( a, b, c, d, e, f, g, h, T(56), W1(56), W2(60) );
470 R2( d, a, b, c, h, e, f, g, T(57), W1(57), W2(61) );
471 R2( c, d, a, b, g, h, e, f, T(58), W1(58), W2(62) );
472 R2( b, c, d, a, f, g, h, e, T(59), W1(59), W2(63) );
473 R2( a, b, c, d, e, f, g, h, T(60), W1(60), W2(64) );
474 R2( d, a, b, c, h, e, f, g, T(61), W1(61), W2(65) );
475 R2( c, d, a, b, g, h, e, f, T(62), W1(62), W2(66) );
476 R2( b, c, d, a, f, g, h, e, T(63), W1(63), W2(67) );
477
478 dbg_printf("%2d %08x %08x %08x %08x %08x %08x %08x %08x\n",
479 j, a, b, c, d, e, f, g, h);
480
481 a = ctx->state[0] ^= a;
482 b = ctx->state[1] ^= b;
483 c = ctx->state[2] ^= c;
484 d = ctx->state[3] ^= d;
485 e = ctx->state[4] ^= e;
486 f = ctx->state[5] ^= f;
487 g = ctx->state[6] ^= g;
488 h = ctx->state[7] ^= h;
489 }
490 }
491 #endif
492
493 /*
494 * Hey Emacs!
495 * Local Variables:
496 * coding: utf-8
497 * End:
498 */
Mirror of the GNU Gnulib repository