1 /* sm3.c - Functions to compute SM3 message digest of files or memory blocks
2 according to the specification GM/T 004-2012 Cryptographic Hash Algorithm
3 SM3, published by State Encryption Management Bureau, China.
4
5 SM3 cryptographic hash algorithm.
6 <http://www.sca.gov.cn/sca/xwdt/2010-12/17/content_1002389.shtml>
7
8 Copyright (C) 2017-2023 Free Software Foundation, Inc.
9
10 This file is free software: you can redistribute it and/or modify
11 it under the terms of the GNU Lesser General Public License as
12 published by the Free Software Foundation; either version 2.1 of the
13 License, or (at your option) any later version.
14
15 This file is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU Lesser General Public License for more details.
19
20 You should have received a copy of the GNU Lesser General Public License
21 along with this program. If not, see <https://www.gnu.org/licenses/>. */
22
23 /* Written by Jia Zhang <qianyue.zj@alibaba-inc.com>, 2017,
24 considerably copypasting from David Madore's sha256.c */
25
26 #include <config.h>
27
28 /* Specification. */
29 #if HAVE_OPENSSL_SM3
30 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
31 #endif
32 #include "sm3.h"
33
34 #include <stdint.h>
35 #include <string.h>
36
37 #include <byteswap.h>
38 #ifdef WORDS_BIGENDIAN
39 # define SWAP(n) (n)
40 #else
41 # define SWAP(n) bswap_32 (n)
42 #endif
43
44 #ifndef DEBUG_SM3
45 # define DEBUG_SM3 0
46 #endif
47
48 #if ! DEBUG_SM3
49 # define dbg_printf(fmt, ...) do { } while (0)
50 #else
51 # define dbg_printf printf
52 #endif
53
54 #if ! HAVE_OPENSSL_SM3
55
56 /* This array contains the bytes used to pad the buffer to the next
57 64-byte boundary. */
58 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
59
60
61 /*
62 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
63 initializes it to the start constants of the SM3 algorithm. This
64 must be called before using hash in the call to sm3_hash
65 */
66 void
67 sm3_init_ctx (struct sm3_ctx *ctx)
68 {
69 ctx->state[0] = 0x7380166fUL;
70 ctx->state[1] = 0x4914b2b9UL;
71 ctx->state[2] = 0x172442d7UL;
72 ctx->state[3] = 0xda8a0600UL;
73 ctx->state[4] = 0xa96f30bcUL;
74 ctx->state[5] = 0x163138aaUL;
75 ctx->state[6] = 0xe38dee4dUL;
76 ctx->state[7] = 0xb0fb0e4eUL;
77
78 ctx->total[0] = ctx->total[1] = 0;
79 ctx->buflen = 0;
80 }
81
82 /* Copy the value from v into the memory location pointed to by *cp,
83 If your architecture allows unaligned access this is equivalent to
84 * (uint32_t *) cp = v */
85 static void
86 set_uint32 (char *cp, uint32_t v)
87 {
88 memcpy (cp, &v, sizeof v);
89 }
90
91 /* Put result from CTX in first 32 bytes following RESBUF. The result
92 must be in little endian byte order. */
93 void *
94 sm3_read_ctx (const struct sm3_ctx *ctx, void *resbuf)
95 {
96 int i;
97 char *r = resbuf;
98
99 for (i = 0; i < 8; i++)
100 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
101
102 return resbuf;
103 }
104
105 /* Process the remaining bytes in the internal buffer and the usual
106 prolog according to the standard and write the result to RESBUF. */
107 static void
108 sm3_conclude_ctx (struct sm3_ctx *ctx)
109 {
110 /* Take yet unprocessed bytes into account. */
111 size_t bytes = ctx->buflen;
112 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
113
114 /* Now count remaining bytes. */
115 ctx->total[0] += bytes;
116 if (ctx->total[0] < bytes)
117 ++ctx->total[1];
118
119 /* Put the 64-bit file length in *bits* at the end of the buffer.
120 Use set_uint32 rather than a simple assignment, to avoid risk of
121 unaligned access. */
122 set_uint32 ((char *) &ctx->buffer[size - 2],
123 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
124 set_uint32 ((char *) &ctx->buffer[size - 1],
125 SWAP (ctx->total[0] << 3));
126
127 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
128
129 /* Process last bytes. */
130 sm3_process_block (ctx->buffer, size * 4, ctx);
131 }
132
133 void *
134 sm3_finish_ctx (struct sm3_ctx *ctx, void *resbuf)
135 {
136 sm3_conclude_ctx (ctx);
137 return sm3_read_ctx (ctx, resbuf);
138 }
139
140 /* Compute SM3 message digest for LEN bytes beginning at BUFFER. The
141 result is always in little endian byte order, so that a byte-wise
142 output yields to the wanted ASCII representation of the message
143 digest. */
144 void *
145 sm3_buffer (const char *buffer, size_t len, void *resblock)
146 {
147 struct sm3_ctx ctx;
148
149 /* Initialize the computation context. */
150 sm3_init_ctx (&ctx);
151
152 /* Process whole buffer but last len % 64 bytes. */
153 sm3_process_bytes (buffer, len, &ctx);
154
155 /* Put result in desired memory area. */
156 return sm3_finish_ctx (&ctx, resblock);
157 }
158
159 void
160 sm3_process_bytes (const void *buffer, size_t len, struct sm3_ctx *ctx)
161 {
162 /* When we already have some bits in our internal buffer concatenate
163 both inputs first. */
164 if (ctx->buflen != 0)
165 {
166 size_t left_over = ctx->buflen;
167 size_t add = 128 - left_over > len ? len : 128 - left_over;
168
169 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
170 ctx->buflen += add;
171
172 if (ctx->buflen > 64)
173 {
174 sm3_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
175
176 ctx->buflen &= 63;
177 /* The regions in the following copy operation cannot overlap,
178 because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
179 memcpy (ctx->buffer,
180 &((char *) ctx->buffer)[(left_over + add) & ~63],
181 ctx->buflen);
182 }
183
184 buffer = (const char *) buffer + add;
185 len -= add;
186 }
187
188 /* Process available complete blocks. */
189 if (len >= 64)
190 {
191 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
192 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
193 if (UNALIGNED_P (buffer))
194 while (len > 64)
195 {
196 sm3_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
197 buffer = (const char *) buffer + 64;
198 len -= 64;
199 }
200 else
201 #endif
202 {
203 sm3_process_block (buffer, len & ~63, ctx);
204 buffer = (const char *) buffer + (len & ~63);
205 len &= 63;
206 }
207 }
208
209 /* Move remaining bytes in internal buffer. */
210 if (len > 0)
211 {
212 size_t left_over = ctx->buflen;
213
214 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
215 left_over += len;
216 if (left_over >= 64)
217 {
218 sm3_process_block (ctx->buffer, 64, ctx);
219 left_over -= 64;
220 /* The regions in the following copy operation cannot overlap,
221 because left_over ≤ 64. */
222 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
223 }
224 ctx->buflen = left_over;
225 }
226 }
227
228 /* --- Code below is the primary difference between sha256.c and sm3.c --- */
229
230 /* SM3 round constants */
231 #define T(j) sm3_round_constants[j]
232 static const uint32_t sm3_round_constants[64] = {
233 0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL,
234 0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL,
235 0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL,
236 0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL,
237 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
238 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
239 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
240 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
241 0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL,
242 0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL,
243 0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL,
244 0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL,
245 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL,
246 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL,
247 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL,
248 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL,
249 };
250
251 /* Round functions. */
252 #define FF1(X,Y,Z) ( X ^ Y ^ Z )
253 #define FF2(X,Y,Z) ( ( X & Y ) | ( X & Z ) | ( Y & Z ) )
254 #define GG1(X,Y,Z) ( X ^ Y ^ Z )
255 #define GG2(X,Y,Z) ( ( X & Y ) | ( ~X & Z ) )
256
257 /* Process LEN bytes of BUFFER, accumulating context into CTX.
258 It is assumed that LEN % 64 == 0.
259 Most of this code comes from David Madore's sha256.c. */
260
261 void
262 sm3_process_block (const void *buffer, size_t len, struct sm3_ctx *ctx)
263 {
264 const uint32_t *words = buffer;
265 size_t nwords = len / sizeof (uint32_t);
266 const uint32_t *endp = words + nwords;
267 uint32_t x[16];
268 uint32_t a = ctx->state[0];
269 uint32_t b = ctx->state[1];
270 uint32_t c = ctx->state[2];
271 uint32_t d = ctx->state[3];
272 uint32_t e = ctx->state[4];
273 uint32_t f = ctx->state[5];
274 uint32_t g = ctx->state[6];
275 uint32_t h = ctx->state[7];
276 uint32_t lolen = len;
277
278 /* First increment the byte count. GM/T 004-2012 specifies the possible
279 length of the file up to 2^64 bits. Here we only compute the
280 number of bytes. Do a double word increment. */
281 ctx->total[0] += lolen;
282 ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
283
284 #define rol(x, n) (((x) << ((n) & 31)) | ((x) >> ((32 - (n)) & 31)))
285 #define P0(x) ((x)^rol(x,9)^rol(x,17))
286 #define P1(x) ((x)^rol(x,15)^rol(x,23))
287
288 #define W1(I) ( x[I&0x0f] )
289 #define W2(I) ( tw = P1(x[I&0x0f]^x[(I-9)&0x0f]^rol(x[(I-3)&0x0f],15)) \
290 ^ rol(x[(I-13)&0x0f],7) ^ x[(I-6)&0x0f] \
291 , x[I&0x0f] = tw )
292
293 #define R(i,A,B,C,D,E,F,G,H,T,W1,W2) \
294 do { \
295 if (++j) \
296 dbg_printf("%2d %08x %08x %08x %08x %08x %08x %08x %08x\n", \
297 j-1, A, B, C, D, E, F, G, H); \
298 ss1 = rol(rol(A,12) + E + T,7); \
299 ss2 = ss1 ^ rol(A,12); \
300 D += FF##i(A,B,C) + ss2 + (W1 ^ W2); \
301 H += GG##i(E,F,G) + ss1 + W1; \
302 B = rol(B,9); \
303 F = rol(F,19); \
304 H = P0(H); \
305 } while(0)
306
307 #define R1(A,B,C,D,E,F,G,H,T,W1,W2) R(1,A,B,C,D,E,F,G,H,T,W1,W2)
308 #define R2(A,B,C,D,E,F,G,H,T,W1,W2) R(2,A,B,C,D,E,F,G,H,T,W1,W2)
309
310 while (words < endp)
311 {
312 uint32_t tw;
313 uint32_t ss1, ss2;
314 int j;
315
316 for (j = 0; j < 16; j++)
317 {
318 x[j] = SWAP (*words);
319 words++;
320 }
321
322 j = -1;
323
324 dbg_printf (" j A B C D E "
325 " F G H\n"
326 " %08x %08x %08x %08x %08x %08x %08x %08x\n",
327 a, b, c, d, e, f, g, h);
328
329 R1( a, b, c, d, e, f, g, h, T( 0), W1( 0), W1( 4) );
330 R1( d, a, b, c, h, e, f, g, T( 1), W1( 1), W1( 5) );
331 R1( c, d, a, b, g, h, e, f, T( 2), W1( 2), W1( 6) );
332 R1( b, c, d, a, f, g, h, e, T( 3), W1( 3), W1( 7) );
333 R1( a, b, c, d, e, f, g, h, T( 4), W1( 4), W1( 8) );
334 R1( d, a, b, c, h, e, f, g, T( 5), W1( 5), W1( 9) );
335 R1( c, d, a, b, g, h, e, f, T( 6), W1( 6), W1(10) );
336 R1( b, c, d, a, f, g, h, e, T( 7), W1( 7), W1(11) );
337 R1( a, b, c, d, e, f, g, h, T( 8), W1( 8), W1(12) );
338 R1( d, a, b, c, h, e, f, g, T( 9), W1( 9), W1(13) );
339 R1( c, d, a, b, g, h, e, f, T(10), W1(10), W1(14) );
340 R1( b, c, d, a, f, g, h, e, T(11), W1(11), W1(15) );
341 R1( a, b, c, d, e, f, g, h, T(12), W1(12), W2(16) );
342 R1( d, a, b, c, h, e, f, g, T(13), W1(13), W2(17) );
343 R1( c, d, a, b, g, h, e, f, T(14), W1(14), W2(18) );
344 R1( b, c, d, a, f, g, h, e, T(15), W1(15), W2(19) );
345 R2( a, b, c, d, e, f, g, h, T(16), W1(16), W2(20) );
346 R2( d, a, b, c, h, e, f, g, T(17), W1(17), W2(21) );
347 R2( c, d, a, b, g, h, e, f, T(18), W1(18), W2(22) );
348 R2( b, c, d, a, f, g, h, e, T(19), W1(19), W2(23) );
349 R2( a, b, c, d, e, f, g, h, T(20), W1(20), W2(24) );
350 R2( d, a, b, c, h, e, f, g, T(21), W1(21), W2(25) );
351 R2( c, d, a, b, g, h, e, f, T(22), W1(22), W2(26) );
352 R2( b, c, d, a, f, g, h, e, T(23), W1(23), W2(27) );
353 R2( a, b, c, d, e, f, g, h, T(24), W1(24), W2(28) );
354 R2( d, a, b, c, h, e, f, g, T(25), W1(25), W2(29) );
355 R2( c, d, a, b, g, h, e, f, T(26), W1(26), W2(30) );
356 R2( b, c, d, a, f, g, h, e, T(27), W1(27), W2(31) );
357 R2( a, b, c, d, e, f, g, h, T(28), W1(28), W2(32) );
358 R2( d, a, b, c, h, e, f, g, T(29), W1(29), W2(33) );
359 R2( c, d, a, b, g, h, e, f, T(30), W1(30), W2(34) );
360 R2( b, c, d, a, f, g, h, e, T(31), W1(31), W2(35) );
361 R2( a, b, c, d, e, f, g, h, T(32), W1(32), W2(36) );
362 R2( d, a, b, c, h, e, f, g, T(33), W1(33), W2(37) );
363 R2( c, d, a, b, g, h, e, f, T(34), W1(34), W2(38) );
364 R2( b, c, d, a, f, g, h, e, T(35), W1(35), W2(39) );
365 R2( a, b, c, d, e, f, g, h, T(36), W1(36), W2(40) );
366 R2( d, a, b, c, h, e, f, g, T(37), W1(37), W2(41) );
367 R2( c, d, a, b, g, h, e, f, T(38), W1(38), W2(42) );
368 R2( b, c, d, a, f, g, h, e, T(39), W1(39), W2(43) );
369 R2( a, b, c, d, e, f, g, h, T(40), W1(40), W2(44) );
370 R2( d, a, b, c, h, e, f, g, T(41), W1(41), W2(45) );
371 R2( c, d, a, b, g, h, e, f, T(42), W1(42), W2(46) );
372 R2( b, c, d, a, f, g, h, e, T(43), W1(43), W2(47) );
373 R2( a, b, c, d, e, f, g, h, T(44), W1(44), W2(48) );
374 R2( d, a, b, c, h, e, f, g, T(45), W1(45), W2(49) );
375 R2( c, d, a, b, g, h, e, f, T(46), W1(46), W2(50) );
376 R2( b, c, d, a, f, g, h, e, T(47), W1(47), W2(51) );
377 R2( a, b, c, d, e, f, g, h, T(48), W1(48), W2(52) );
378 R2( d, a, b, c, h, e, f, g, T(49), W1(49), W2(53) );
379 R2( c, d, a, b, g, h, e, f, T(50), W1(50), W2(54) );
380 R2( b, c, d, a, f, g, h, e, T(51), W1(51), W2(55) );
381 R2( a, b, c, d, e, f, g, h, T(52), W1(52), W2(56) );
382 R2( d, a, b, c, h, e, f, g, T(53), W1(53), W2(57) );
383 R2( c, d, a, b, g, h, e, f, T(54), W1(54), W2(58) );
384 R2( b, c, d, a, f, g, h, e, T(55), W1(55), W2(59) );
385 R2( a, b, c, d, e, f, g, h, T(56), W1(56), W2(60) );
386 R2( d, a, b, c, h, e, f, g, T(57), W1(57), W2(61) );
387 R2( c, d, a, b, g, h, e, f, T(58), W1(58), W2(62) );
388 R2( b, c, d, a, f, g, h, e, T(59), W1(59), W2(63) );
389 R2( a, b, c, d, e, f, g, h, T(60), W1(60), W2(64) );
390 R2( d, a, b, c, h, e, f, g, T(61), W1(61), W2(65) );
391 R2( c, d, a, b, g, h, e, f, T(62), W1(62), W2(66) );
392 R2( b, c, d, a, f, g, h, e, T(63), W1(63), W2(67) );
393
394 dbg_printf("%2d %08x %08x %08x %08x %08x %08x %08x %08x\n",
395 j, a, b, c, d, e, f, g, h);
396
397 a = ctx->state[0] ^= a;
398 b = ctx->state[1] ^= b;
399 c = ctx->state[2] ^= c;
400 d = ctx->state[3] ^= d;
401 e = ctx->state[4] ^= e;
402 f = ctx->state[5] ^= f;
403 g = ctx->state[6] ^= g;
404 h = ctx->state[7] ^= h;
405 }
406 }
407
408 #endif
409
410 /*
411 * Hey Emacs!
412 * Local Variables:
413 * coding: utf-8
414 * End:
415 */