first step of v2 final release

This commit is contained in:
Zhi Guan
2017-11-05 21:00:36 +08:00
parent 480b9e8d88
commit 27bde477a5
395 changed files with 26341 additions and 31364 deletions

236
engines/asm/e_gmi-x86.pl Executable file
View File

@@ -0,0 +1,236 @@
#!/usr/bin/env perl
# ====================================================================
# Written by Yun Shen <yunshen@via-alliance.com> and
# Kai Li <kelvinkli@via-alliance.com>, and refer to the code
# written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
# ====================================================================
# Copyright 2016 Shanghai Zhaoxin Semiconductor Co., Ltd. ALL RIGHTS RESERVED.
# ====================================================================
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
push(@INC,"${dir}","${dir}../../crypto/perlasm");
require "x86asm.pl";
&asm_init($ARGV[0],$0);
%PADLOCK_PREFETCH=(ecb=>128, cbc=>64); # prefetch errata
$PADLOCK_CHUNK=512; # Must be a power of 2 larger than 16
$ctx="edx";
$out="edi";
$inp="esi";
$len="ecx";
$chunk="ebx";
&function_begin_B("zx_gmi_capability");
&push ("ebx");
&pushf ();
&pop ("eax");
&mov ("ecx","eax");
&xor ("eax",1<<21);
&push ("eax");
&popf ();
&pushf ();
&pop ("eax");
&xor ("ecx","eax");
&xor ("eax","eax");
&bt ("ecx",21);
&jnc (&label("zx_noluck"));
&cpuid ();
&xor ("eax","eax");
&cmp ("ebx","0x".unpack("H*",'hS '));
&jne (&label("zx_noluck"));
&cmp ("edx","0x".unpack("H*",'hgna'));
&jne (&label("zx_noluck"));
&cmp ("ecx","0x".unpack("H*",' ia'));
&jne (&label("zx_noluck"));
&mov ("eax",0xC0000000);
&cpuid ();
&mov ("edx","eax");
&xor ("eax","eax");
&cmp ("edx",0xC0000001);
&jb (&label("zx_noluck"));
&mov ("eax",1);
&cpuid ();
&or ("eax",0x0f);
&xor ("ebx","ebx");
&and ("eax",0x0fff);
&cmp ("eax",0x06ff); # check for Nano
&sete ("bl");
&mov ("eax",0xC0000001);
&push ("ebx");
&cpuid ();
&pop ("ebx");
&mov ("eax","edx");
&shl ("ebx",4); # bit#4 denotes Nano
&and ("eax",0xffffffef);
&or ("eax","ebx")
&set_label("zx_noluck");
&pop ("ebx");
&ret ();
&function_end_B("zx_gmi_capability")
&function_begin_B("gmi_reload_key");
&pushf ();
&popf ();
&ret ();
&function_end_B("gmi_reload_key");
&function_begin_B("gmi_xstore");
&push ("edi");
&mov ("edi",&wparam(0));
&mov ("edx",&wparam(1));
&data_byte(0x0f,0xa7,0xc0); # xstore
&pop ("edi");
&ret ();
&function_end_B("gmi_xstore");
&function_begin_B("_win32_segv_handler");
&mov ("eax",1); # ExceptionContinueSearch
&mov ("edx",&wparam(0)); # *ExceptionRecord
&mov ("ecx",&wparam(2)); # *ContextRecord
&cmp (&DWP(0,"edx"),0xC0000005) # ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION
&jne (&label("ret"));
&add (&DWP(184,"ecx"),4); # skip over rep sha*
&mov ("eax",0); # ExceptionContinueExecution
&set_label("ret");
&ret ();
&function_end_B("_win32_segv_handler");
&safeseh("_win32_segv_handler") if ($::win32);
&function_begin_B("gmi_sm3_oneshot");
&push ("ebx");
&push ("edi");
&push ("esi");
&xor ("eax","eax");
&mov ("edi",&wparam(0));
&mov ("esi",&wparam(1));
&mov ("ecx",&wparam(2));
if ($::win32 or $::coff) {
&push (&::islabel("_win32_segv_handler"));
&data_byte(0x64,0xff,0x30); # push %fs:(%eax)
&data_byte(0x64,0x89,0x20); # mov %esp,%fs:(%eax)
}
&mov ("edx","esp"); # put aside %esp
&add ("esp",-128);
&movups ("xmm0",&QWP(0,"edi")); # copy-in context
&and ("esp",-16);
&movups ("xmm1",&QWP(16,"edi"));
&movaps (&QWP(0,"esp"),"xmm0");
&mov ("edi","esp");
&movaps (&QWP(16,"esp"),"xmm1");
&mov ("ebx", 0x20);
&xor ("eax","eax");
&data_byte(0xf3,0x0f,0xa6,0xe8); # gm5 ccs_hash
&movaps ("xmm0",&QWP(0,"esp"));
&movaps ("xmm1",&QWP(16,"esp"));
&mov ("esp","edx"); # restore %esp
if ($::win32 or $::coff) {
&data_byte(0x64,0x8f,0x05,0,0,0,0); # pop %fs:0
&lea ("esp",&DWP(4,"esp"));
}
&mov ("edi",&wparam(0));
&movups (&QWP(0,"edi"),"xmm0"); # copy-out context
&movups (&QWP(16,"edi"),"xmm1");
&pop ("esi");
&pop ("edi");
&pop ("ebx");
&ret ();
&function_end_B("gmi_sm3_oneshot");
&function_begin_B("gmi_sm3_blocks");
&push ("ebx");
&push ("edi");
&push ("esi");
&mov ("edi",&wparam(0));
&mov ("esi",&wparam(1));
&mov ("ecx",&wparam(2));
&mov ("edx","esp"); # put aside %esp
&add ("esp",-128);
&movups ("xmm0",&QWP(0,"edi")); # copy-in context
&and ("esp",-16);
&movups ("xmm1",&QWP(16,"edi"));
&movaps (&QWP(0,"esp"),"xmm0");
&mov ("edi","esp");
&movaps (&QWP(16,"esp"),"xmm1");
&mov ("ebx", 0x20);
&mov ("eax",-1);
&data_byte(0xf3,0x0f,0xa6,0xe8); # gm5 ccs_hash
&movaps ("xmm0",&QWP(0,"esp"));
&movaps ("xmm1",&QWP(16,"esp"));
&mov ("esp","edx"); # restore %esp
&mov ("edi",&wparam(0));
&movups (&QWP(0,"edi"),"xmm0"); # copy-out context
&movups (&QWP(16,"edi"),"xmm1");
&pop ("esi");
&pop ("edi");
&pop ("ebx");
&ret ();
&function_end_B("gmi_sm3_blocks");
&function_begin_B("gmi_sm4_encrypt");
&push ("ebx");
&push ("edi");
&push ("esi");
&mov ("edi",&wparam(0));
&mov ("esi",&wparam(1));
&mov ("edx",&wparam(2));
&mov ("ecx",&wparam(3));
&lea ("ebx",&DWP(32,"edx"));
&shr ("ecx", 4);
&mov ("eax",&DWP(16,"edx"));
&data_byte(0xf3,0x0f,0xa7,0xf0); # gx6 ccs_encrypt
&pop ("esi");
&pop ("edi");
&pop ("ebx");
&ret ();
&function_end_B("gmi_sm4_encrypt");
&function_begin_B("gmi_sm4_ecb_enc");
&push ("ebx");
&push ("edi");
&push ("esi");
&mov ("esi",&wparam(0));
&mov ("edi",&wparam(1));
&mov ("ebx",&wparam(2));
&mov ("ecx", 1);
&mov ("eax", 0x60);
&data_byte(0xf3,0x0f,0xa7,0xf0); # gx6 ccs_encrypt
&pop ("esi");
&pop ("edi");
&pop ("ebx");
&ret ();
&function_end_B("gmi_sm4_ecb_enc");
&asciz ("ZX GMI x86 module");
&align (16);
&dataseg();
# Essentially this variable belongs in thread local storage.
# Having this variable global on the other hand can only cause
# few bogus key reloads [if any at all on signle-CPU system],
# so we accept the penalty...
&set_label("gmi_saved_context",4);
&data_word(0);
&asm_finish();

208
engines/asm/e_gmi-x86_64.pl Executable file
View File

@@ -0,0 +1,208 @@
#!/usr/bin/env perl
# ====================================================================
# Written by Yun Shen <yunshe@via-alliance.com> and
# Kai Li <kelvinkli@via-alliance.com>, and refer to the code
# written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
# ====================================================================
# Copyright 2016 Shanghai Zhaoxin Semiconductor Co., Ltd. ALL RIGHTS RESERVED.
# ====================================================================
# May 2016
#
# Assembler helpers for Padlock engine. See even e_gmi-x86.pl for
# details.
$flavour = shift;
$output = shift;
if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../crypto/perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
open OUT,"| \"$^X\" $xlate $flavour $output";
*STDOUT=*OUT;
$code=".text\n";
%PADLOCK_PREFETCH=(ecb=>128, cbc=>64, ctr32=>32); # prefetch errata
$PADLOCK_CHUNK=512; # Must be a power of 2 between 32 and 2^20
$ctx="%rdx";
$out="%rdi";
$inp="%rsi";
$len="%rcx";
$chunk="%rbx";
($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
("%rdi","%rsi","%rdx","%rcx"); # Unix order
$code.=<<___;
.globl zx_gmi_capability
.type zx_gmi_capability,\@abi-omnipotent
.align 16
zx_gmi_capability:
mov %rbx,%r8
xor %eax,%eax
cpuid
xor %eax,%eax
cmp \$`"0x".unpack("H*",'hS ')`,%ebx
jne .zx_Lnoluck
cmp \$`"0x".unpack("H*",'hgna')`,%edx
jne .zx_Lnoluck
cmp \$`"0x".unpack("H*",' ia')`,%ecx
jne .zx_Lnoluck
mov \$0xC0000000,%eax
cpuid
mov %eax,%edx
xor %eax,%eax
cmp \$0xC0000001,%edx
jb .zx_Lnoluck
mov \$0xC0000001,%eax
cpuid
mov %edx,%eax
and \$0xffffffef,%eax
or \$0x10,%eax # set Nano bit#4
.zx_Lnoluck:
mov %r8,%rbx
ret
.size zx_gmi_capability,.-zx_gmi_capability
.globl gmi_reload_key
.type gmi_reload_key,\@abi-omnipotent
.align 16
gmi_reload_key:
pushf
popf
ret
.size gmi_reload_key,.-gmi_reload_key
.globl gmi_sm3_oneshot
.type gmi_sm3_oneshot,\@function,3
.align 16
gmi_sm3_oneshot:
mov %rbx, %r11 # save rbx
mov %rdx,%rcx
mov %rdi,%rdx # put aside %rdi
movups (%rdi),%xmm0 # copy-in context
sub \$128+8,%rsp
movups 16(%rdi),%xmm1
movaps %xmm0,(%rsp)
mov %rsp,%rdi
movaps %xmm1,16(%rsp)
mov \$0x20, %rbx
xor %rax,%rax
.byte 0xf3,0x0f,0xa6,0xe8 # gm5 ccs_hash
movaps (%rsp),%xmm0
movaps 16(%rsp),%xmm1
add \$128+8,%rsp
movups %xmm0,(%rdx) # copy-out context
movups %xmm1,16(%rdx)
mov %r11, %rbx #restore rbx
ret
.size gmi_sm3_oneshot,.-gmi_sm3_oneshot
.globl gmi_sm3_blocks
.type gmi_sm3_blocks,\@function,3
.align 16
gmi_sm3_blocks:
mov %rbx, %r11 # save rbx
mov %rdx,%rcx
mov %rdi,%rdx # put aside %rdi
movups (%rdi),%xmm0 # copy-in context
sub \$128+8,%rsp
movups 16(%rdi),%xmm1
movaps %xmm0,(%rsp)
mov %rsp,%rdi
movaps %xmm1,16(%rsp)
mov \$0x20, %rbx
mov \$-1,%rax
.byte 0xf3,0x0f,0xa6,0xe8 # gm5 ccs_hash
movaps (%rsp),%xmm0
movaps 16(%rsp),%xmm1
add \$128+8,%rsp
movups %xmm0,(%rdx) # copy-out context
movups %xmm1,16(%rdx)
mov %r11, %rbx #restore rbx
ret
.size gmi_sm3_blocks,.-gmi_sm3_blocks
.globl gmi_sm4_encrypt
.type gmi_sm4_encrypt,\@function,4
.align 16
gmi_sm4_encrypt:
push %rbp
push %rbx # save rbx
push %rdi
push %rsi
lea 32(%rdx), %rbx
shr \$0x04, %rcx
mov 16(%rdx), %rax
.byte 0xf3,0x0f,0xa7,0xf0 # gx6 ccs_encrypt
pop %rsi
pop %rdi
pop %rbx #restore rbx
pop %rbp
ret
.size gmi_sm4_encrypt,.-gmi_sm4_encrypt
.globl gmi_sm4_ecb_enc
.type gmi_sm4_ecb_enc,\@function,3
.align 16
gmi_sm4_ecb_enc:
push %rbp
push %rbx # save rbx
push %rdi
push %rsi
mov %rsi, %rax
mov %rdi, %rsi
mov %rax, %rdi
mov %rdx, %rbx
mov \$1, %rcx
mov \$0x60, %rax
.byte 0xf3,0x0f,0xa7,0xf0 # gx6 ccs_encrypt
pop %rsi
pop %rdi
pop %rbx #restore rbx
pop %rbp
ret
.size gmi_sm4_ecb_enc,.-gmi_sm4_ecb_enc
___
$code.=<<___;
.asciz "ZX GMI x86_64 module"
.align 16
.data
.align 8
.Lgmi_saved_context:
.quad 0
___
$code =~ s/\`([^\`]*)\`/eval($1)/gem;
print $code;
close STDOUT;

View File

@@ -6,6 +6,9 @@ IF[{- !$disabled{"engine"} -}]
IF[{- !$disabled{capieng} -}]
SOURCE[../libcrypto]=e_capi.c
ENDIF
IF[{- !$disabled{gmieng} -}]
SOURCE[../libcrypto]=e_gmi.c {- $target{gmi_asm_src} -}
ENDIF
ELSE
ENGINES=padlock
SOURCE[padlock]=e_padlock.c {- $target{padlock_asm_src} -}
@@ -17,8 +20,14 @@ IF[{- !$disabled{"engine"} -}]
DEPEND[capi]=../libcrypto
INCLUDE[capi]=../include
ENDIF
IF[{- !$disabled{gmieng} -}]
ENGINES=gmi
SOURCE[gmi]=e_gmi.c {- $target{gmi_asm_src} -}
DEPEND[gmi]=../libcrypto
INCLUDE[gmi]=../include
ENDIF
ENGINES_NO_INST=ossltest dasync
ENGINES_NO_INST=ossltest
SOURCE[dasync]=e_dasync.c
DEPEND[dasync]=../libcrypto
INCLUDE[dasync]=../include
@@ -29,4 +38,8 @@ IF[{- !$disabled{"engine"} -}]
GENERATE[e_padlock-x86.s]=asm/e_padlock-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR)
GENERATE[e_padlock-x86_64.s]=asm/e_padlock-x86_64.pl $(PERLASM_SCHEME)
IF[{- !$disabled{gmieng} -}]
GENERATE[e_gmi-x86.s]=asm/e_gmi-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR)
GENERATE[e_gmi-x86_64.s]=asm/e_gmi-x86_64.pl $(PERLASM_SCHEME)
ENDIF
ENDIF

View File

@@ -1,299 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include <stdio.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
#if (defined(__x86_64) || defined(__x86_64__)) && defined(OPENSSL_CPUID_OBJ)
#endif
static const char *avx2_id = "avx2";
static const char *avx2_name = "ENGINE with Intel AVX2 Intructions";
#define SDF_CMD_CPUID ENGINE_CMD_BASE
static const ENGINE_CMD_DEFN avx2_cmd_defns[] = {
{SDF_CMD_CPUID,
"CPUID",
"Show CPUID",
ENGINE_CMD_FLAG_NO_INPUT},
{0, NULL, NULL, 0},
};
static int avx2_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
{
switch (cmd) {
case SDF_CMD_CPUID:
printf("not implemented\n");
break;
default:
printf("unknown cmd\n");
return 0;
}
return 1;
}
static int avx2_cipher_nids[] = {NID_sms4_ecb, NID_sms4_ctr, 0};
static int avx2_num_ciphers = OSSL_NELEM(avx2_cipher_nids) - 1;
static EVP_CIPHER *avx2_sms4_ecb = NULL;
static EVP_CIPHER *avx2_sms4_ctr = NULL;
static int avx2_sms4_ecb_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
if (enc)
sms4_avx2_encrypt_init(ctx->data, key);
else
sms4_avx2_decrypt_init(ctx->data, key);
return 1;
}
static int avx2_sms4_ecb_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t inlen)
{
while (inlen >= 8 * 16) {
sms4_avx2_encrypt_8blocks(ctx, out, in);
inlen -= 8 * 16;
}
return 1;
}
static int avx2_sms4_ecb_cleanup(EVP_CIPHER_CTX *ctx)
{
memset(ctx->data, 0, sizeof(sms4_avx2_key));
return 1;
}
static const EVP_CIPHER *avx2_get_sms4_ecb(void)
{
EVP_CIPHER *ret = NULL;
if (avx2_sms4_ecb) {
return avx2_sms4_ecb;
}
if (!(ret = EVP_CIPHER_meth_new(NID_sms4_ecb, 16, 16))
|| !EVP_CIPHER_meth_set_iv_length(ret, 0)
|| !EVP_CIPHER_meth_set_flags(ret, EVP_CIPH_ECB_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_impl_ctx_size(ret, sizeof(struct sms4_cipher_ctx))
|| !EVP_CIPHER_meth_set_init(ret, avx2_sms4_ecb_init)
|| !EVP_CIPHER_meth_set_do_cipher(ret, avx2_sms4_ecb_do_cipher)
|| !EVP_CIPHER_meth_set_cleanup(ret, avx2_sms4_ecb_cleanup)) {
EVP_CIPHER_meth_free(ret);
return NULL;
}
avx2_sms4_ecb = ret;
return ret;
}
static int avx2_sms4_ctr_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
printf(" %s\n", __FUNCTION__);
return 1;
}
static int avx2_sms4_ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t inlen)
{
printf(" %s\n", __FUNCTION__);
memcpy(out, in, inlen);
return 1;
}
static int avx2_sms4_ctr_cleanup(EVP_CIPHER_CTX *ctx)
{
printf(" %s\n", __FUNCTION__);
return 1;
}
static const EVP_CIPHER *avx2_get_sms4_ctr(void)
{
EVP_CIPHER *ret = NULL;
if (avx2_sms4_ctr) {
return avx2_sms4_ctr;
}
if (!(ret = EVP_CIPHER_meth_new(NID_sms4_ctr, 16, 16))
|| !EVP_CIPHER_meth_set_iv_length(ret, 16)
|| !EVP_CIPHER_meth_set_flags(ret, EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_impl_ctx_size(ret, sizeof(struct sms4_cipher_ctx))
|| !EVP_CIPHER_meth_set_init(ret, avx2_sms4_ctr_init)
|| !EVP_CIPHER_meth_set_do_cipher(ret, avx2_sms4_ctr_do_cipher)
|| !EVP_CIPHER_meth_set_cleanup(ret, avx2_sms4_ctr_cleanup)) {
EVP_CIPHER_meth_free(ret);
return NULL;
}
avx2_sms4_ctr = ret;
return ret;
}
static int avx2_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
const int **nids, int nid)
{
if (!cipher) {
*nids = avx2_cipher_nids;
return avx2_num_ciphers;
}
switch (nid) {
case NID_sms4_ecb:
*cipher = avx2_get_sms4_ecb();
return 1;
case NID_sms4_ctr:
*cipher = avx2_get_sms4_ctr();
return 1;
}
return 0;
}
static void avx2_destroy_ciphers(void)
{
EVP_CIPHER_meth_free(avx2_sms4_ecb);
EVP_CIPHER_meth_free(avx2_sms4_ctr);
avx2_sms4_ecb = NULL;
avx2_sms4_ctr = NULL;
}
static int avx2_destroy(ENGINE *e)
{
avx2_destroy_ciphers();
return 1;
}
static int avx2_init(ENGINE *e)
{
return 1;
}
static int avx2_finish(ENGINE *e)
{
return 1;
}
static int bind_avx2(ENGINE *e)
{
if (!ENGINE_set_id(e, avx2_id)
|| !ENGINE_set_name(e, avx2_name)
|| !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
|| !ENGINE_set_cmd_defns(e, avx2_cmd_defns)
|| !ENGINE_set_ctrl_function(e, avx2_ctrl)
|| !ENGINE_set_init_function(e, avx2_init)
|| !ENGINE_set_finish_function(e, avx2_finish)
|| !ENGINE_set_destroy_function(e, avx2_destroy)
|| !ENGINE_set_ciphers(e, avx2_ciphers)) {
return 0;
}
if (!(avx2_sms4_ecb = avx2_get_sms4_ecb())
|| !(avx2_sms4_ctr = avx2_get_sms4_ctr())) {
return 0;
}
return 1;
}
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int bind_helper(ENGINE *e, const char *id)
{
if (id && strcmp(id, avx2_id) != 0) {
return 0;
}
if (!bind_avx2(e)) {
return 0;
}
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
#else
static ENGINE *engine_avx2(void)
{
ENGINE *ret = NULL;
if (!(ret = ENGINE_new())) {
return NULL;
}
if (!bind_avx2(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
void engine_load_avx2_int(void)
{
extern unsigned int OPENSSL_ia32cap_P[];
if (OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) {
ENGINE *toadd = ENGINE_rdrand();
ENGINE *eng = NULL;
if (!(eng = engine_avx2())) {
return;
}
ENGINE_add(eng);
ENGINE_free(eng);
ERR_clear_error();
}
}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

21
engines/e_dasync.d.tmp Normal file
View File

@@ -0,0 +1,21 @@
engines/e_dasync.o: engines/e_dasync.c include/openssl/engine.h \
include/openssl/opensslconf.h include/openssl/bn.h \
include/openssl/e_os2.h include/openssl/ossl_typ.h \
include/openssl/crypto.h include/openssl/stack.h \
include/openssl/safestack.h include/openssl/opensslv.h \
include/openssl/symhacks.h include/openssl/bytestring.h \
include/openssl/base.h include/openssl/is_boringssl.h \
include/openssl/rsa.h include/openssl/dsa.h include/openssl/bio.h \
include/openssl/dh.h include/openssl/asn1.h include/openssl/ec.h \
include/openssl/rand.h include/openssl/ui.h include/openssl/err.h \
include/openssl/lhash.h include/openssl/x509.h \
include/openssl/buffer.h include/openssl/evp.h \
include/openssl/objects.h include/openssl/obj_mac.h \
include/openssl/paillier.h include/openssl/sha.h \
include/openssl/x509_vfy.h include/openssl/pkcs7.h \
include/openssl/aes.h include/openssl/async.h include/openssl/ssl.h \
include/openssl/comp.h include/openssl/pem.h include/openssl/pem2.h \
include/openssl/hmac.h include/openssl/ct.h include/openssl/ssl2.h \
include/openssl/ssl3.h include/openssl/tls1.h include/openssl/dtls1.h \
include/openssl/srtp.h include/openssl/gmtls.h include/openssl/modes.h \
engines/e_dasync_err.c engines/e_dasync_err.h

775
engines/e_gmi.c Normal file
View File

@@ -0,0 +1,775 @@
/*
* Support for ZHAOXIN GMI (GuoMi Instruction)
* Written by Yun Shen (yunshen@via-alliance.com) and
* Kai Li <kelvinkli@via-alliance.com>
*/
/* ====================================================================
* Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2016 Shanghai Zhaoxin Semiconductor Co., Ltd. ALL RIGHTS RESERVED.
*/
#include <stdio.h>
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/crypto.h>
#include <openssl/engine.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include <openssl/modes.h>
#include "../crypto/evp/evp_locl.h"
/* gmi sm3 header */
# define SM3_LONG unsigned int
# define SM3_LBLOCK 16
# define SM3_CBLOCK (SM3_LBLOCK*4)/* SHA treats input data as a
* contiguous array of 32 bit wide
* big-endian values. */
# define SM3_LAST_BLOCK (SM3_CBLOCK-8)
# define SM3_DIGEST_LENGTH 32
typedef struct SM3state_st {
SM3_LONG h[8];
SM3_LONG Nl, Nh;
SM3_LONG data[SM3_LBLOCK];
unsigned int num, md_len;
} SM3_CTX;
/* gmi sm4 header */
# define SM4_ENCRYPT 1
# define SM4_DECRYPT 0
/*
* Because array size can't be a const in C, the following two are macros.
* Both sizes are in bytes.
*/
#define SM4_BLOCK_SIZE 16
#define SM4_KEY_SIZE 16
/* This should be a hidden type, but EVP requires that the size be known */
struct sm4_key_st {
# ifdef SM4_LONG
unsigned long rd_key[32];
# else
unsigned int rd_key[32];
# endif
};
typedef struct sm4_key_st SM4_KEY;
#define NID_sm3WithRSAEncryption NID_sm3
#define NID_sm4_ecb NID_sms4_ecb
#define NID_sm4_cbc NID_sms4_cbc
#define NID_sm4_cfb NID_sms4_cfb8
#define NID_sm4_ofb NID_sms4_ofb128
#define NID_sm4_ctr NID_sms4_ctr
#include "../crypto/include/internal/evp_int.h"
#ifndef OPENSSL_NO_HW
# ifndef OPENSSL_NO_HW_GMI
/* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
# if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
# ifndef OPENSSL_NO_DYNAMIC_ENGINE
# define DYNAMIC_ENGINE
# endif
# elif (OPENSSL_VERSION_NUMBER >= 0x00907000L)
# ifdef ENGINE_DYNAMIC_SUPPORT
# define DYNAMIC_ENGINE
# endif
# else
# error "Only OpenSSL >= 0.9.7 is supported"
# endif
/*
* ZHAOXIN GMI is available *ONLY* on some x86 CPUs. Not only that it
* doesn't exist elsewhere, but it even can't be compiled on other platforms!
*/
# undef COMPILE_HW_GMI
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_ASM)
# if defined(__i386__) || defined(__i386) || \
defined(__x86_64__) || defined(__x86_64) || \
defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
defined(__INTEL__)
# define COMPILE_HW_GMI
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
static ENGINE *ENGINE_gmi(void);
# endif
# endif
# endif
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
void engine_load_gmi_int(void);
void engine_load_gmi_int(void)
{
/* On non-x86 CPUs it just returns. */
# ifdef COMPILE_HW_GMI
ENGINE *toadd = ENGINE_gmi();
if (!toadd)
return;
ENGINE_add(toadd);
ENGINE_free(toadd);
ERR_clear_error();
# endif
}
# endif
# ifdef COMPILE_HW_GMI
/* Function for ENGINE detection and control */
static int gmi_available(void);
static int gmi_init(ENGINE *e);
/* Cipher Stuff */
static int gmi_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
const int **nids, int nid);
static int gmi_digests(ENGINE *e, const EVP_MD **digest,
const int **nids, int nid);
/* Engine names */
static const char *gmi_id = "gmi";
static char gmi_name[100];
/* Available features */
static int gmi_use_ccs = 0; /* CCS */
/* ===== Engine "management" functions ===== */
/* Prepare the ENGINE structure for registration */
static int gmi_bind_helper(ENGINE *e)
{
/* Check available features */
gmi_available();
/* Generate a nice engine name with available features */
BIO_snprintf(gmi_name, sizeof(gmi_name),
"ZX GMI (%s)",
gmi_use_ccs ? "CCS" : "no-CCS");
/* Register everything or return with an error */
if (!ENGINE_set_id(e, gmi_id) ||
!ENGINE_set_name(e, gmi_name) ||
!ENGINE_set_init_function(e, gmi_init) ||
(gmi_use_ccs && !ENGINE_set_ciphers(e, gmi_ciphers)) ||
(gmi_use_ccs && !ENGINE_set_digests(e, gmi_digests))) {
return 0;
}
/* Everything looks good */
return 1;
}
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
/* Constructor */
static ENGINE *ENGINE_gmi(void)
{
ENGINE *eng = ENGINE_new();
if (eng == NULL) {
return NULL;
}
if (!gmi_bind_helper(eng)) {
ENGINE_free(eng);
return NULL;
}
return eng;
}
# endif
/* Check availability of the engine */
static int gmi_init(ENGINE *e)
{
return (gmi_use_ccs);
}
/*
* This stuff is needed if this ENGINE is being compiled into a
* self-contained shared-library.
*/
# ifdef DYNAMIC_ENGINE
static int gmi_bind_fn(ENGINE *e, const char *id)
{
if (id && (strcmp(id, gmi_id) != 0)) {
return 0;
}
if (!gmi_bind_helper(e)) {
return 0;
}
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(gmi_bind_fn)
# endif /* DYNAMIC_ENGINE */
/* ===== Here comes the "real" engine ===== */
#define CCS_ENCRYPT_FUNC_SM4 0x10
#define CCS_ENCRYPT_MODE_ECB 0x1
#define CCS_ENCRYPT_MODE_CBC 0x2
#define CCS_ENCRYPT_MODE_CFB 0x4
#define CCS_ENCRYPT_MODE_OFB 0x8
#define CCS_ENCRYPT_MODE_CTR 0x10
/*
* Here we store the status information relevant to the current context.
*/
/*
* BIG FAT WARNING: Inline assembler in GMI_XCRYPT_ASM() depends on
* the order of items in this structure. Don't blindly modify, reorder,
* etc!
*/
struct gmi_cipher_data {
unsigned char iv[SM4_BLOCK_SIZE]; /* Initialization vector */
union {
unsigned int pad[4];
struct {
int encdec:1;
int func:5;
int mode:5;
int digest:1;
} b;
} cword; /* Control word */
SM4_KEY ks; /* Encryption key */
};
/* Interface to assembler module */
unsigned int zx_gmi_capability();
void gmi_sm3_oneshot(void *ctx, const void *inp, size_t len);
void gmi_sm3_blocks(void *ctx, const void *inp, size_t len);
void gmi_reload_key();
void gmi_verify_context(struct gmi_cipher_data *ctx);
void gmi_sm4_block(void *out, const void *inp,
struct gmi_cipher_data *ctx);
int gmi_ecb_encrypt(void *out, const void *inp,
struct gmi_cipher_data *ctx, size_t len);
int gmi_cbc_encrypt(void *out, const void *inp,
struct gmi_cipher_data *ctx, size_t len);
int gmi_ctr32_encrypt(void *out, const void *inp,
struct gmi_cipher_data *ctx, size_t len);
/*
* Load supported features of the CPU to see if the PadLock is available.
*/
static int gmi_available(void)
{
int zx_gmi_use_ccs = 0;
//unsigned int edx; //original code
unsigned int edx = 0;
/* Fill up some flags */
gmi_use_ccs = ((edx & (0x3 << 4)) == (0x3 << 4));
edx = zx_gmi_capability();
zx_gmi_use_ccs = ((edx & (0x3 << 6)) == (0x3 << 6));
gmi_use_ccs = gmi_use_ccs | zx_gmi_use_ccs;
return gmi_use_ccs;
}
#define SM3_MAKE_STRING(c, s) do { \
unsigned long ll; \
unsigned int nn; \
for (nn=0;nn<SM3_DIGEST_LENGTH/4;nn++) \
{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
\
} while (0)
#define HOST_l2c(l,c) ({ unsigned int r=(l); \
asm ("bswapl %0":"=r"(r):"0"(r)); \
*((unsigned int *)(c))=r; (c)+=4; r; })
static int gmi_sm3_init(EVP_MD_CTX *ctx)
{
BIO *b = BIO_new_fp(stdout, BIO_NOCLOSE|BIO_FP_TEXT);
BIO_printf(b, "%s\n", __FUNCTION__);
SM3_CTX *c = (SM3_CTX *)EVP_MD_CTX_md_data(ctx);
/* set the IV in Big-Endian */
c->h[0]=0x6f168073UL;
c->h[1]=0xb9b21449UL;
c->h[2]=0xd7422417UL;
c->h[3]=0x00068adaUL;
c->h[4]=0xbc306fa9UL;
c->h[5]=0xaa383116UL;
c->h[6]=0x4dee8de3UL;
c->h[7]=0x4e0efbb0UL;
c->md_len = SM3_DIGEST_LENGTH;
c->num = 0; //
BIO_free(b);
return 1;
}
static int gmi_sm3_update(EVP_MD_CTX *ctx, const void *data_, size_t len)
{
const unsigned char *data = data_;
unsigned char *p;
SM3_LONG l;
size_t n;
SM3_CTX *c = (SM3_CTX *)EVP_MD_CTX_md_data(ctx);
if (len == 0)
return 1;
l = (c->Nl + (((SM3_LONG) len) << 3)) & 0xffffffffUL;
if (l < c->Nl) /* overflow */
c->Nh++;
c->Nh += (SM3_LONG) (len >> 29); /* might cause compiler warning on
* 16-bit */
c->Nl = l;
n = c->num;
if (n != 0) {
p = (unsigned char *)c->data;
if (len >= SM3_CBLOCK || len + n >= SM3_CBLOCK) {
memcpy(p + n, data, SM3_CBLOCK - n);
gmi_sm3_blocks(c->h, p, 1);
n = SM3_CBLOCK - n;
data += n;
len -= n;
c->num = 0;
memset(p, 0, SM3_CBLOCK); /* keep it zeroed */
} else {
memcpy(p + n, data, len);
c->num += (unsigned int)len;
return 1;
}
}
n = len / SM3_CBLOCK;
if (n > 0) {
gmi_sm3_blocks(c->h, data, n);
n *= SM3_CBLOCK;
data += n;
len -= n;
}
if (len != 0) {
p = (unsigned char *)c->data;
c->num = (unsigned int)len;
memcpy(p, data, len);
}
return 1;
}
static int gmi_sm3_final(EVP_MD_CTX *ctx, unsigned char *md)
{
SM3_CTX *c = (SM3_CTX *)EVP_MD_CTX_md_data(ctx);
unsigned char *p = (unsigned char *)c->data;
size_t n = c->num;
p[n] = 0x80; /* there is always room for one */
n++;
if (n > (SM3_CBLOCK - 8)) {
memset(p + n, 0, SM3_CBLOCK - n);
n = 0;
gmi_sm3_blocks(c->h, p, 1);
}
memset(p + n, 0, SM3_CBLOCK - 8 - n);
p += SM3_CBLOCK - 8;
(void)HOST_l2c(c->Nh, p);
(void)HOST_l2c(c->Nl, p);
p -= SM3_CBLOCK;
gmi_sm3_blocks(c->h, p, 1);
c->num = 0;
memset(p, 0, SM3_CBLOCK);
memcpy(md, c->h, c->md_len);
return 1;
}
/* List of supported ciphers. */
static const int gmi_digest_nids[] = {
NID_sm3,
0
};
static const EVP_MD digest_sm3= {
NID_sm3,
NID_sm3WithRSAEncryption,
SM3_DIGEST_LENGTH,
EVP_MD_FLAG_DIGALGID_ABSENT,
gmi_sm3_init,
gmi_sm3_update,
gmi_sm3_final,
NULL,
NULL,
SM3_CBLOCK,
sizeof(EVP_MD *) + sizeof(SM3_CTX),
};
static int gmi_digests(ENGINE *e, const EVP_MD **digest,
const int **nids, int nid)
{
int ok = 1;
if (!digest) {
/* We are returning a list of supported nids */
*nids = gmi_digest_nids;
return (sizeof(gmi_digest_nids) -
1) / sizeof(gmi_digest_nids[0]);
}
/* We are being asked for a specific digest */
switch (nid) {
case NID_sm3:
*digest = &digest_sm3;
break;
default:
ok = 0;
*digest = NULL;
break;
}
return ok;
}
/* ======== GX6 ===================== */
# define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
# define ALIGNED_CIPHER_DATA(ctx) ((struct gmi_cipher_data *)\
NEAREST_ALIGNED(EVP_CIPHER_CTX_get_cipher_data(ctx)))
/* Prepare the encryption key for PadLock usage */
static int
gmi_sm4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
struct gmi_cipher_data *cdata;
unsigned long mode = EVP_CIPHER_CTX_mode(ctx);
if (key == NULL)
return 0; /* ERROR */
cdata = ALIGNED_CIPHER_DATA(ctx);
memset(cdata, 0, sizeof(*cdata));
/* Prepare Control word. */
if (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CTR_MODE)
cdata->cword.b.encdec = 0;
else
cdata->cword.b.encdec = (ctx->encrypt == 0);
cdata->cword.b.func = CCS_ENCRYPT_FUNC_SM4;
cdata->cword.b.mode = 1<<(mode-1);;
cdata->cword.b.digest = 0;
if(iv != NULL)
{
memcpy(cdata->iv, iv, SM4_BLOCK_SIZE);
}
memcpy(cdata->ks.rd_key, key, SM4_KEY_SIZE);
/*
* This is done to cover for cases when user reuses the
* context for new key. The catch is that if we don't do
* this, gmi_eas_cipher might proceed with old key...
*/
gmi_reload_key();
return 1;
}
void gmi_sm4_encrypt(unsigned char *out, const unsigned char *in, struct gmi_cipher_data *ctx, size_t len);
void gmi_sm4_ecb_enc(unsigned char *in, unsigned char *out, unsigned char *key);
static int
gmi_sm4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
gmi_sm4_encrypt(out_arg, in_arg, cdata, nbytes);
return 1;
}
static int
gmi_sm4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
memcpy(cdata->iv, ctx->iv, SM4_BLOCK_SIZE);
gmi_sm4_encrypt(out_arg, in_arg, cdata, nbytes);
memcpy(ctx->iv, cdata->iv, SM4_BLOCK_SIZE);
return 1;
}
#if 0
static int
gmi_sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
unsigned int num = ctx->num;
CRYPTO_ctr128_encrypt(in_arg, out_arg, nbytes,
cdata->ks.rd_key, ctx->iv, ctx->buf, &num,
(block128_f) gmi_sm4_ecb_enc);
ctx->num = (size_t)num;
return 1;
}
#endif
#if 1
static int
gmi_sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
unsigned int num = ctx->num;
memcpy(cdata->iv, ctx->iv, SM4_BLOCK_SIZE);
gmi_sm4_encrypt(out_arg, in_arg, cdata, nbytes);
ctx->num = (size_t)num;
return 1;
}
#endif
static int
gmi_sm4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
#if 0
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
CRYPTO_cfb128_encrypt(in_arg, out_arg, nbytes, cdata->ks.rd_key,
ctx->iv, &ctx->num, ctx->encrypt,
(block128_f)gmi_sm4_ecb_enc);
#else
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
memcpy(cdata->iv, ctx->iv, SM4_BLOCK_SIZE);
gmi_sm4_encrypt(out_arg, in_arg, cdata, nbytes);
memcpy(ctx->iv, cdata->iv, SM4_BLOCK_SIZE);
#endif
return 1;
}
static int
gmi_sm4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
#if 0
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
CRYPTO_ofb128_encrypt(in_arg, out_arg, nbytes,cdata->ks.rd_key,
ctx->iv, &ctx->num, (block128_f) gmi_sm4_ecb_enc);
#else
struct gmi_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
memcpy(cdata->iv, ctx->iv, SM4_BLOCK_SIZE);
gmi_sm4_encrypt(out_arg, in_arg, cdata, nbytes);
memcpy(ctx->iv, cdata->iv, SM4_BLOCK_SIZE);
#endif
return 1;
}
#define EVP_SM4_CIPHER_block_size_ECB SM4_BLOCK_SIZE
#define EVP_SM4_CIPHER_block_size_CBC SM4_BLOCK_SIZE
#define EVP_SM4_CIPHER_block_size_OFB 1
#define EVP_SM4_CIPHER_block_size_CFB 1
#define EVP_SM4_CIPHER_block_size_CTR 1
/*
* Declaring so many ciphers by hand would be a pain. Instead introduce a bit
* of preprocessor magic :-)
*/
# define DECLARE_SM4_EVP(lmode,umode) \
static EVP_CIPHER *_hidden_sm4_##lmode = NULL; \
static const EVP_CIPHER *gmi_sm4_##lmode(void) \
{ \
if (_hidden_sm4_##lmode == NULL \
&& ((_hidden_sm4_##lmode = \
EVP_CIPHER_meth_new(NID_sm4_##lmode, \
EVP_SM4_CIPHER_block_size_##umode, \
SM4_KEY_SIZE)) == NULL \
|| !EVP_CIPHER_meth_set_iv_length(_hidden_sm4_##lmode, \
SM4_BLOCK_SIZE) \
|| !EVP_CIPHER_meth_set_flags(_hidden_sm4_##lmode, \
0 | EVP_CIPH_##umode##_MODE) \
|| !EVP_CIPHER_meth_set_init(_hidden_sm4_##lmode, \
gmi_sm4_init_key) \
|| !EVP_CIPHER_meth_set_do_cipher(_hidden_sm4_##lmode, \
gmi_sm4_##lmode##_cipher) \
|| !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_sm4_##lmode, \
sizeof(struct gmi_cipher_data) + 16) \
|| !EVP_CIPHER_meth_set_set_asn1_params(_hidden_sm4_##lmode, \
EVP_CIPHER_set_asn1_iv) \
|| !EVP_CIPHER_meth_set_get_asn1_params(_hidden_sm4_##lmode, \
EVP_CIPHER_get_asn1_iv))) { \
EVP_CIPHER_meth_free(_hidden_sm4_##lmode); \
_hidden_sm4_##lmode = NULL; \
} \
return _hidden_sm4_##lmode; \
}
DECLARE_SM4_EVP(ecb, ECB);
DECLARE_SM4_EVP(cbc, CBC);
DECLARE_SM4_EVP(ctr, CTR);
DECLARE_SM4_EVP(cfb, CFB);
DECLARE_SM4_EVP(ofb, OFB);
/* List of supported ciphers. */
static const int gmi_cipher_nids[] = {
NID_sm4_ecb,
NID_sm4_cbc,
NID_sm4_cfb,
NID_sm4_ofb,
NID_sm4_ctr,
0
};
static int gmi_cipher_nids_num = (sizeof(gmi_cipher_nids) /
sizeof(gmi_cipher_nids[0]));
static int
gmi_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids,
int nid)
{
/* No specific cipher => return a list of supported nids ... */
if (!cipher) {
*nids = gmi_cipher_nids;
return gmi_cipher_nids_num;
}
/* ... or the requested "cipher" otherwise */
switch (nid) {
case NID_sm4_ecb:
*cipher = gmi_sm4_ecb();
break;
case NID_sm4_cbc:
*cipher = gmi_sm4_cbc();
break;
case NID_sm4_cfb:
*cipher = gmi_sm4_cfb();
break;
case NID_sm4_ofb:
*cipher = gmi_sm4_ofb();
break;
case NID_sm4_ctr:
*cipher = gmi_sm4_ctr();
break;
default:
/* Sorry, we don't support this NID */
*cipher = NULL;
return 0;
}
return 1;
}
# endif /* COMPILE_HW_GMI */
# endif /* !OPENSSL_NO_HW_GMI */
#endif /* !OPENSSL_NO_HW */
#if defined(OPENSSL_NO_HW) || defined(OPENSSL_NO_HW_GMI) \
|| !defined(COMPILE_HW_GMI)
# ifndef OPENSSL_NO_DYNAMIC_ENGINE
OPENSSL_EXPORT
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);
OPENSSL_EXPORT
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns)
{
return 0;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
# endif
#endif

View File

@@ -17,12 +17,20 @@
#include <string.h>
#include <openssl/engine.h>
#include <openssl/sha.h>
#include <openssl/md5.h>
#include <openssl/rsa.h>
#ifndef OPENSSL_NO_SHA
# include <openssl/sha.h>
#endif
#ifndef OPENSSL_NO_MD5
# include <openssl/md5.h>
#endif
#ifndef OPENSSL_NO_RSA
# include <openssl/rsa.h>
#endif
#include <openssl/evp.h>
#include <openssl/modes.h>
#ifndef OPENSSL_NO_AES
#include <openssl/aes.h>
#endif
#include <openssl/crypto.h>
#define OSSLTEST_LIB_NAME "OSSLTEST"
@@ -226,11 +234,14 @@ static int ossltest_ciphers(ENGINE *, const EVP_CIPHER **,
const int **, int);
static int ossltest_cipher_nids[] = {
NID_aes_128_cbc, 0
#ifndef OPENSSL_NO_AES
NID_aes_128_cbc,
#endif
0
};
#ifndef OPENSSL_NO_AES
/* AES128 */
int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -258,10 +269,14 @@ static const EVP_CIPHER *ossltest_aes_128_cbc(void)
}
return _hidden_aes_128_cbc;
}
#endif
static void destroy_ciphers(void)
{
#ifndef OPENSSL_NO_AES
EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
_hidden_aes_128_cbc = NULL;
#endif
}
static int bind_ossltest(ENGINE *e)
@@ -386,9 +401,11 @@ static int ossltest_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
}
/* We are being asked for a specific cipher */
switch (nid) {
#ifndef OPENSSL_NO_AES
case NID_aes_128_cbc:
*cipher = ossltest_aes_128_cbc();
break;
#endif
default:
ok = 0;
*cipher = NULL;
@@ -537,7 +554,7 @@ static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
/*
* AES128 Implementation
*/
#ifndef OPENSSL_NO_AES
int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
@@ -566,3 +583,4 @@ int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
return ret;
}
#endif

View File

@@ -1,299 +0,0 @@
/* ====================================================================
* Copyright (c) 2014 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/engine.h>
static const SDF_METHOD *sdf_meth;
static const char *sdf_id = "sdf";
static const char *sdf_name = "ENGINE connect to SDF Devices";
#define SDF_CMD_SO_PATH ENGINE_CMD_BASE
static const ENGINE_CMD_DEFN sdf_cmd_defns[] = {
{SDF_CMD_SO_PATH,
"SO_PATH",
"Specifies the path to the vendor's SDF shared library",
ENGINE_CMD_FLAG_STRING},
{0, NULL, NULL, 0},
};
static int sdf_load_library(const char *so_path)
{
sdf_meth = SDF_METHOD_load_library(so_path);
return 1;
}
static int sdf_open_device()
{
int rv;
if ((rv = sdf_meth->OpenDevice(&hDevice)) != SDR_OK) {
ESDFerr(ESDF_F_SDF_OPEN_DEVICE, ESDF_R_OPEN_DEVICE_FAILURE);
fprintf(stderr, "so_path: %s\n", SDF_GetErrorString(rv));
return 0;
}
if ((rv = sdf_meth->OpenSession(hDevice, &hSession)) != SDR_OK) {
ESDFerr(ESDF_F_SDF_OPEN_DEVICE, ESDF_R_OPEN_SESSION_FAILURE);
fprintf(stderr, "so_path: %s\n", SDF_GetErrorString(rv));
return 0;
}
return 1;
}
static int sdf_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
{
switch (cmd) {
case SDF_CMD_SO_PATH:
so_path = (char *)p;
sdf_load_library(so_path);
break;
default:
printf("unknown cmd\n");
return 0;
}
return 1;
}
static int sdf_ec_idx = -1;
static const EC_KEY_METHOD *sdf_ec_method = NULL;
static ECDSA_SIG *sdf_ec_sign_sig(const unsigned char *dgst, int dgstlen,
const BIGNUM *kinv, const BIGNUM *r,
EC_KEY *ec_key)
{
unsigned int key_index;
ECCSignature sigbuf;
rv = sdf_meth->InternalSign_ECC(
hSession,
key_index,
dgst,
dgstlen,
&sigbuf);
return ret;
}
const EC_KEY_METHOD *sdf_get_ec_method(void)
{
EC_KEY_METHOD *ret = NULL;
if (sdf_ec_method) {
return sdf_ec_method;
}
if (!(ret = EC_KEY_METHOD_new(EC_KEY_OpenSSL()))) {
return NULL;
}
EC_KEY_METHOD_set_sign(ret, NULL, NULL, sdf_ec_sign_sig);
sdf_ec_method = ret;
return ret;
}
static EVP_PKEY *sdf_load_privkey(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data)
{
UI *ui = NULL;
char buf1[256];
char buf2[256];
int r;
char *password;
ECCrefPublicKey keybuf;
ui = UI_new_method(ui_method);
if ((r = UI_add_input_string(ui, "> ", 0, buf1, 0, sizeof(buf1)-1)) < 0) {
goto end;
}
if (UI_process(ui) < 0) {
}
password = UI_get0_result(ui, 0);
sdf_meth->GetPrivateKeyAccessRight(
hSession,
key_index,
password,
strlen(password));
sdf_meth->ExportSignPublicKey_ECC(
hSession,
key_index,
&keybuf);
ec_key = EC_KEY_new_by_ECCrefPublicKey(&keybuf);
EVP_PKEY_set0_EC(ret, ec_key);
return NULL;
}
static EVP_PKEY *sdf_load_pubkey(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data)
{
EVP_PKEY *ret = NULL;
int rv;
unsigned int index;
int is_sign_key;
RSArefPublicKey publicKey;
parse_key_id(key_id, &index, &is_sign_key);
rv = SDF_OpenSession(hDevice, &hSession);
if (is_sign_key) {
rv = SDF_ExportSignPublicKey_RSA(hSession, index, &publicKey);
} else {
rv = SDF_ExportEncPublicKey_RSA(hSession, index, &publicKey);
}
return NULL;
}
static int sdf_destroy(ENGINE *e)
{
return 1;
}
static void *hDevice = NULL;
static void *hSession = NULL;
static int sdf_init(ENGINE *e)
{
sdf_meth = NULL;
return 1;
}
static int sdf_finish(ENGINE *e)
{
if (hSession) {
sdf_meth->CloseSession(hSession);
hSession = NULL;
}
if (hDevice) {
sdf_meth->CloseDevice(hDevice);
}
return 1;
}
static int bind_sdf(ENGINE *e)
{
if (!ENGINE_set_id(e, sdf_id)
|| !ENGINE_set_name(e, sdf_name)
|| !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
|| !ENGINE_set_cmd_defns(e, sdf_cmd_defns)
|| !ENGINE_set_ctrl_function(e, sdf_ctrl)
|| !ENGINE_set_init_function(e, sdf_init)
|| !ENGINE_set_finish_function(e, sdf_finish)
|| !ENGINE_set_destroy_function(e, sdf_destroy)
|| !ENGINE_set_load_privkey_function(e, sdf_load_privkey)
|| !ENGINE_set_load_pubkey_function(e, sdf_load_pubkey)
|| !ENGINE_set_EC(e, sdf_get_ec_method())) {
return 0;
}
return 1;
}
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int bind_helper(ENGINE *e, const char *id)
{
if (id && strcmp(id, sdf_id) != 0) {
return 0;
}
if (!bind_sdf(e)) {
return 0;
}
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
#else
static ENGINE *engine_sdf(void)
{
ENGINE *ret = NULL;
if (!(ret = ENGINE_new())) {
return NULL;
}
if (!bind_sdf(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
void engine_load_sdf_int(void)
{
ENGINE *eng = NULL;
if (!(eng = engine_sdf())) {
return;
}
ENGINE_add(eng);
ENGINE_free(eng);
ERR_clear_error();
}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

View File

@@ -1 +0,0 @@
L ESDF e_sdf_err.h e_sdf_err.c

View File

@@ -1,86 +0,0 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <openssl/err.h>
#include "e_sdf_err.h"
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
# define ERR_FUNC(func) ERR_PACK(0,func,0)
# define ERR_REASON(reason) ERR_PACK(0,0,reason)
static ERR_STRING_DATA ESDF_str_functs[] = {
{ERR_FUNC(ESDF_F_SDF_OPEN_DEVICE), "sdf_open_device"},
{ERR_FUNC(ESDF_F_SDF_RAND_BYTES), "sdf_rand_bytes"},
{0, NULL}
};
static ERR_STRING_DATA ESDF_str_reasons[] = {
{ERR_REASON(ESDF_R_OPEN_DEVICE_FAILURE), "open device failure"},
{ERR_REASON(ESDF_R_OPEN_SESSION_FAILURE), "open session failure"},
{ERR_REASON(ESDF_R_OPERATION_FAILURE), "operation failure"},
{0, NULL}
};
#endif
#ifdef ESDF_LIB_NAME
static ERR_STRING_DATA ESDF_lib_name[] = {
{0, ESDF_LIB_NAME},
{0, NULL}
};
#endif
static int ESDF_lib_error_code = 0;
static int ESDF_error_init = 1;
static int ERR_load_ESDF_strings(void)
{
if (ESDF_lib_error_code == 0)
ESDF_lib_error_code = ERR_get_next_error_library();
if (ESDF_error_init) {
ESDF_error_init = 0;
#ifndef OPENSSL_NO_ERR
ERR_load_strings(ESDF_lib_error_code, ESDF_str_functs);
ERR_load_strings(ESDF_lib_error_code, ESDF_str_reasons);
#endif
#ifdef ESDF_LIB_NAME
ESDF_lib_name->error = ERR_PACK(ESDF_lib_error_code, 0, 0);
ERR_load_strings(0, ESDF_lib_name);
#endif
}
return 1;
}
static void ERR_unload_ESDF_strings(void)
{
if (ESDF_error_init == 0) {
#ifndef OPENSSL_NO_ERR
ERR_unload_strings(ESDF_lib_error_code, ESDF_str_functs);
ERR_unload_strings(ESDF_lib_error_code, ESDF_str_reasons);
#endif
#ifdef ESDF_LIB_NAME
ERR_unload_strings(0, ESDF_lib_name);
#endif
ESDF_error_init = 1;
}
}
static void ERR_ESDF_error(int function, int reason, char *file, int line)
{
if (ESDF_lib_error_code == 0)
ESDF_lib_error_code = ERR_get_next_error_library();
ERR_PUT_error(ESDF_lib_error_code, function, reason, file, line);
}

View File

@@ -1,42 +0,0 @@
/*
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_ESDF_ERR_H
# define HEADER_ESDF_ERR_H
# ifdef __cplusplus
extern "C" {
# endif
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
static int ERR_load_ESDF_strings(void);
static void ERR_unload_ESDF_strings(void);
static void ERR_ESDF_error(int function, int reason, char *file, int line);
# define ESDFerr(f,r) ERR_ESDF_error((f),(r),OPENSSL_FILE,OPENSSL_LINE)
/* Error codes for the ESDF functions. */
/* Function codes. */
# define ESDF_F_SDF_OPEN_DEVICE 100
# define ESDF_F_SDF_RAND_BYTES 101
/* Reason codes. */
# define ESDF_R_OPEN_DEVICE_FAILURE 100
# define ESDF_R_OPEN_SESSION_FAILURE 101
# define ESDF_R_OPERATION_FAILURE 102
# ifdef __cplusplus
}
# endif
#endif

View File

@@ -1,293 +0,0 @@
/* ====================================================================
* Copyright (c) 2014 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/engine.h>
static const SDF_METHOD *sdf_meth;
static const char *sdf_id = "sdf";
static const char *sdf_name = "ENGINE connect to SDF Devices";
#define SDF_CMD_SO_PATH ENGINE_CMD_BASE
static const ENGINE_CMD_DEFN sdf_cmd_defns[] = {
{SDF_CMD_SO_PATH,
"SO_PATH",
"Specifies the path to the vendor's SDF shared library",
ENGINE_CMD_FLAG_STRING},
{0, NULL, NULL, 0},
};
static int sdf_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
{
switch (cmd) {
case SDF_CMD_SO_PATH:
so_path = (char *)p;
sdf_load_library(so_path);
break;
default:
printf("unknown cmd\n");
return 0;
}
return 1;
}
static int sdf_rand_bytes(unsigned char *out, int outlen)
{
if (sdf_meth->GenerateRandom) {
if ((sdf_meth->GenerateRandom(hSession, out, outlen)) != SDR_OK) {
ESDFerr(ESDF_F_SDF_RAND_BYTES, ESDF_R_OPERATION_FAILURE);
return 0;
}
}
return 1;
}
static int sdf_rand_status(void)
{
return 1;
}
static RAND_METHOD sdf_rand_method = {
NULL,
sdf_rand_bytes,
NULL,
NULL,
sdf_rand_bytes,
sdf_rand_status,
};
const RAND_METHOD *sdf_get_rand_method(void)
{
return &sdf_rand_method;
}
static int sdf_ec_idx = -1;
static const EC_KEY_METHOD *sdf_ec_method = NULL;
static int sdf_ec_sign(int type, const unsigned char *dgst, int dgstlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r,
EC_KEY *ec_key)
{
printf(" call %s()\n", __func__);
return 1;
}
static int sdf_ec_sign_setup(EC_KEY *ec_key, BN_CTX *ctx,
BIGNUM **kinvp, BIGNUM **rp)
{
printf(" call %s()\n", __func__);
return 1;
}
static ECDSA_SIG *sdf_ec_sign_sig(const unsigned char *dgst, int dgstlen,
const BIGNUM *kinv, const BIGNUM *r,
EC_KEY *ec_key)
{
ECDSA_SIG *ret = ECDSA_SIG_new();
printf(" call %s()\n", __func__);
return ret;
}
const EC_KEY_METHOD *sdf_get_ec_method(void)
{
EC_KEY_METHOD *ret = NULL;
if (sdf_ec_method) {
return sdf_ec_method;
}
if (!(ret = EC_KEY_METHOD_new(EC_KEY_OpenSSL()))) {
return NULL;
}
EC_KEY_METHOD_set_sign(ret, sdf_ec_sign, sdf_ec_sign_setup, sdf_ec_sign_sig);
sdf_ec_method = ret;
return ret;
}
static EVP_PKEY *sdf_load_privkey(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data)
{
UI *ui = NULL;
char buf1[256];
char buf2[256];
int r;
ui = UI_new_method(ui_method);
r = UI_add_input_string(ui, "> ", 0, buf1, 0, sizeof(buf1)-1);
assert(r >= 0);
r = UI_process(ui);
assert(r >= 0);
printf("password = %s\n", UI_get0_result(ui, 0));
printf("%s\n", __func__);
return NULL;
}
static EVP_PKEY *sdf_load_pubkey(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data)
{
unsigned int index;
int is_sign_key;
RSArefPublicKey publicKey;
parse_key_id(key_id, &index, &is_sign_key);
rv = SDF_OpenSession(hDevice, &hSession);
if (is_sign_key) {
rv = SDF_ExportSignPublicKey_RSA(hSession, index, &publicKey);
} else {
rv = SDF_ExportEncPublicKey_RSA(hSession, index, &publicKey);
}
printf("%s\n", __func__);
return NULL;
}
/****************************************************************************/
static int sdf_destroy(ENGINE *e)
{
return 1;
}
static void *hDevice = NULL;
static void *hSession = NULL;
static int sdf_init(ENGINE *e)
{
int rv;
rv = sdf_meth->OpenDevice(&hDevice);
rv = sdf_meth->OpenSession(hDevice, &hSession);
return 1;
}
static int sdf_finish(ENGINE *e)
{
sdf_meth->CloseSession(hSession);
sdf_meth->CloseDevice(hDevice);
return 1;
}
static int bind_sdf(ENGINE *e)
{
if (!ENGINE_set_id(e, sdf_id)
|| !ENGINE_set_name(e, sdf_name)
|| !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
|| !ENGINE_set_cmd_defns(e, sdf_cmd_defns)
|| !ENGINE_set_ctrl_function(e, sdf_ctrl)
|| !ENGINE_set_init_function(e, sdf_init)
|| !ENGINE_set_finish_function(e, sdf_finish)
|| !ENGINE_set_destroy_function(e, sdf_destroy)
|| !ENGINE_set_load_privkey_function(e, sdf_load_privkey)
|| !ENGINE_set_load_pubkey_function(e, sdf_load_pubkey)
|| !ENGINE_set_RAND(e, sdf_get_rand_method())
|| !ENGINE_set_EC(e, sdf_get_ec_method())) {
return 0;
}
return 1;
}
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int bind_helper(ENGINE *e, const char *id)
{
if (id && strcmp(id, sdf_id) != 0) {
return 0;
}
if (!bind_sdf(e)) {
return 0;
}
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
#else
static ENGINE *engine_sdf(void)
{
ENGINE *ret = NULL;
if (!(ret = ENGINE_new())) {
return NULL;
}
if (!bind_sdf(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
void engine_load_sdf_int(void)
{
ENGINE *eng = NULL;
if (!(eng = engine_sdf())) {
return;
}
ENGINE_add(eng);
ENGINE_free(eng);
ERR_clear_error();
}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

View File

@@ -1 +0,0 @@
L ESKF e_skf_err.h e_skf_err.c

View File

@@ -1,9 +0,0 @@
# About SM standard implementation
This is only a standard implementation of the SM.
In the standard implementation, it uses the **MIRACL** library. **MIRACL** (Multiprecision Integer and Rational Arithmetic Crytographic Library) is a C software library. See also [About the MIRACL Crypto SDK](https://libraries.docs.miracl.com/miracl-user-manual/about).
Also, you can download the source code in the Github. Here is a reference link. [Github MIRACL](https://github.com/miracl/MIRACL).
What's more, when you want test it and compile locally, you need add *-lm* option to solve some math functions problems like *ceil* in the code.

View File

@@ -1,406 +0,0 @@
/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_KDF_STANDARD_H
#define HEADER_KDF_STANDARD_H
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
#define SM3_len 256
#define SM3_T1 0x79CC4519
#define SM3_T2 0x7A879D8A
#define SM3_IVA 0x7380166f
#define SM3_IVB 0x4914b2b9
#define SM3_IVC 0x172442d7
#define SM3_IVD 0xda8a0600
#define SM3_IVE 0xa96f30bc
#define SM3_IVF 0x163138aa
#define SM3_IVG 0xe38dee4d
#define SM3_IVH 0xb0fb0e4e
#define SM2_WORDSIZE 8
#define SM2_NUMBITS 256
#define SM2_NUMWORD (SM2_NUMBITS / SM2_WORDSIZE) //32
/* Various logical functions */
#define SM3_p1(x) (x ^ SM3_rotl32(x, 15) ^ SM3_rotl32(x, 23))
#define SM3_p0(x) (x ^ SM3_rotl32(x, 9) ^ SM3_rotl32(x, 17))
#define SM3_ff0(a, b, c) (a ^ b ^ c)
#define SM3_ff1(a, b, c) ((a & b) | (a & c) | (b & c))
#define SM3_gg0(e, f, g) (e ^ f ^ g)
#define SM3_gg1(e, f, g) ((e & f) | ((~e) & g))
#define SM3_rotl32(x, n) (((x) << n) | ((x) >> (32 - n)))
#define SM3_rotr32(x, n) (((x) >> n) | ((x) << (32 - n)))
typedef struct {
unsigned long state[8];
unsigned long length;
unsigned long curlen;
unsigned char buf[64];
} SM3_STATE;
static void BiToW(unsigned long Bi[], unsigned long W[]);
static void WToW1(unsigned long W[], unsigned long W1[]);
static void CF(unsigned long W[], unsigned long W1[], unsigned long V[]);
static void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[]);
static void SM3_init(SM3_STATE *md);
static void SM3_compress(SM3_STATE *md);
static void SM3_process(SM3_STATE *md, unsigned char *buf, int len);
static void SM3_done(SM3_STATE *md, unsigned char hash[]);
static void SM3_256(unsigned char buf[], int len, unsigned char hash[]);
static void SM3_kdf(unsigned char Z[], unsigned short zlen, unsigned short klen, unsigned char K[]);
/* calculate W from Bi */
static void BiToW(unsigned long Bi[], unsigned long W[])
{
int i;
unsigned long tmp;
for(i = 0; i <= 15; i++)
{
W[i] = Bi[i];
}
for(i = 16;i <= 67; i++)
{
tmp = W[i - 16] ^ W[i - 9] ^ SM3_rotl32(W[i - 3], 15);
W[i] = SM3_p1(tmp) ^ (SM3_rotl32(W[i - 13], 7)) ^ W[i - 6];
}
}
/* calculate W1 from W */
static void WToW1(unsigned long W[], unsigned long W1[])
{
int i;
for(i = 0; i <= 63; i++)
{
W1[i] = W[i] ^ W[i + 4];
}
}
/* calculate the CF compress function and update V */
static void CF(unsigned long W[], unsigned long W1[], unsigned long V[])
{
unsigned long SS1;
unsigned long SS2;
unsigned long TT1;
unsigned long TT2;
unsigned long A, B, C, D, E, F, G, H;
unsigned long T = SM3_T1;
unsigned long FF;
unsigned long GG;
int j;
//reg init, set ABCDEFGH = V0
A = V[0];
B = V[1];
C = V[2];
D = V[3];
E = V[4];
F = V[5];
G = V[6];
H = V[7];
for (j = 0; j <= 63; j++)
{
//SS1
if (j == 0)
{
T = SM3_T1;
}
else if (j == 16)
{
T = SM3_rotl32(SM3_T2, 16);
}
else
{
T = SM3_rotl32(T, 1);
}
SS1 = SM3_rotl32((SM3_rotl32(A, 12) + E + T), 7);
//SS2
SS2 = SS1 ^ SM3_rotl32(A, 12);
//TT1
if (j <= 15)
{
FF = SM3_ff0(A, B, C);
}
else
{
FF = SM3_ff1(A, B, C);
}
TT1 = FF + D + SS2 + *W1;
W1++;
//TT2
if (j <= 15)
{
GG = SM3_gg0(E, F, G);
}
else
{
GG = SM3_gg1(E, F, G);
}
TT2 = GG + H + SS1 + *W;
W++;
//D
D = C;
//C
C = SM3_rotl32(B, 9);
//B
B = A;
//A
A = TT1;
//H
H = G;
//G
G = SM3_rotl32(F, 19);
//F
F = E;
//E
E = SM3_p0(TT2);
}
//update V
V[0] = A ^ V[0];
V[1] = B ^ V[1];
V[2] = C ^ V[2];
V[3] = D ^ V[3];
V[4] = E ^ V[4];
V[5] = F ^ V[5];
V[6] = G ^ V[6];
V[7] = H ^ V[7];
}
/* unsigned int endian converse. GM/T 0004-2012 requires to use big-endian.
* if CPu uses little-endian, BigEndian function is a necessary
* call to change the little-endian format into big-endian format.
*/
static void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[])
{
unsigned char tmp = 0;
unsigned long i = 0;
for (i = 0; i < bytelen / 4; i++)
{
tmp = des[4 * i];
des[4 * i] = src[4 * i + 3];
src[4 * i + 3] = tmp;
tmp = des[4 * i + 1];
des[4 * i + 1] = src[4 * i + 2];
des[4 * i + 2] = tmp;
}
}
/* initiate SM3 state */
static void SM3_init(SM3_STATE *md)
{
md->curlen = md->length = 0;
md->state[0] = SM3_IVA;
md->state[1] = SM3_IVB;
md->state[2] = SM3_IVC;
md->state[3] = SM3_IVD;
md->state[4] = SM3_IVE;
md->state[5] = SM3_IVF;
md->state[6] = SM3_IVG;
md->state[7] = SM3_IVH;
}
/* compress a single a block of message */
static void SM3_compress(SM3_STATE *md)
{
unsigned long W[68];
unsigned long W1[64];
//if CPU uses little-endian, BigEndian function is a necessary call
BigEndian(md->buf, 64, md->buf);
BiToW((unsigned long *)md->buf, W);
WToW1(W, W1);
CF(W, W1, md->state);
}
/* compress the first(len/64) blocks of message */
static void SM3_process(SM3_STATE *md, unsigned char *buf, int len)
{
while (len--)
{
/* copy byte */
md->buf[md->curlen] = *buf++;
md->curlen++;
/* is 64 bytes full? */
if (md->curlen == 64)
{
SM3_compress(md);
md->length += 512;
md->curlen = 0;
}
}
}
/* compress the rest message that the SM3_process has left behind */
static void SM3_done(SM3_STATE *md, unsigned char hash[])
{
int i;
unsigned char tmp = 0;
/* increase the bit length of the message */
md->length += md->curlen << 3;
/* append the '1' bit */
md->buf[md->curlen] = 0x80;
md->curlen++;
/* if the length is currently above 56 bytes, appends zeros till
it reaches 64 bytes, compress the current block, creat a new
block by appending zeros and length,and then compress it
*/
if (md->curlen > 56)
{
for (; md->curlen < 64;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
SM3_compress(md);
md->curlen = 0;
}
/* if the length is less than 56 bytes, pad upto 56 bytes of zeroes */
for (; md->curlen < 56;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
/* since all messages are under 2^32 bits we mark the top bits zero */
for (i = 56; i < 60; i++)
{
md->buf[i] = 0;
}
/* append length */
md->buf[63] = md->length & 0xff;
md->buf[62] = (md->length >> 8) & 0xff;
md->buf[61] = (md->length >> 16) & 0xff;
md->buf[60] = (md->length >> 24) & 0xff;
SM3_compress(md);
/* copy output */
memcpy(hash, md->state, SM3_len / 8);
BigEndian(hash, SM3_len / 8, hash); //if CPU uses little-endian, BigEndian function is a necessary call
}
/* calculate a hash value from a given message */
static void SM3_256(unsigned char buf[], int len, unsigned char hash[])
{
SM3_STATE md;
SM3_init(&md);
SM3_process(&md, buf, len);
SM3_done(&md, hash);
}
/* key derivation function */
static void SM3_kdf(unsigned char Z[], unsigned short zlen, unsigned short klen, unsigned char K[])
{
unsigned short i, j, t;
unsigned int bitklen;
SM3_STATE md;
unsigned char Ha[SM2_NUMWORD];
unsigned char ct[4] = {0, 0, 0, 1};
bitklen = klen * 8;
if (bitklen % SM2_NUMBITS)
t = bitklen / SM2_NUMBITS + 1;
else
t = bitklen / SM2_NUMBITS;
//s4: K = Ha1 || Ha2 || ...
for (i = 1; i < t; i++)
{
//s2: Hai = Hv(Z || ct)
SM3_init(&md);
SM3_process(&md, Z, zlen);
SM3_process(&md, ct, 4);
SM3_done(&md, Ha);
memcpy((K + SM2_NUMWORD * (i - 1)), Ha, SM2_NUMWORD);
if (ct[3] == 0xff)
{
ct[3] = 0;
if (ct[2] == 0xff)
{
ct[2] = 0;
if (ct[1] == 0xff)
{
ct[1] = 0;
ct[0]++;
}
else
ct[1]++;
}
else
ct[2]++;
}
else
ct[3]++;
}
//s3
SM3_init(&md);
SM3_process(&md, Z, zlen);
SM3_process(&md, ct, 4);
SM3_done(&md, Ha);
if(bitklen % SM2_NUMBITS)
{
i = (SM2_NUMBITS - bitklen + SM2_NUMBITS * (bitklen / SM2_NUMBITS)) / 8;
j = (bitklen - SM2_NUMBITS * (bitklen / SM2_NUMBITS)) / 8;
memcpy((K + SM2_NUMWORD * (t - 1)), Ha, j);
}
else
{
memcpy((K + SM2_NUMWORD * (t - 1)), Ha, SM2_NUMWORD);
}
}
#ifdef __cplusplus
}
# endif
#endif

View File

@@ -1,278 +0,0 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_SM2_STANDARD_H
#define HEADER_SM2_STANDARD_H
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef __cplusplus
extern "C" {
#endif
#include "miracl.h"
#include "mirdef.h"
#include "kdf_standard.h"
#define ERR_INFINITY_POINT 0x00000001
#define ERR_NOT_VALID_ELEMENT 0x00000002
#define ERR_NOT_VALID_POINT 0x00000003
#define ERR_ORDER 0x00000004
#define ERR_ECURVE_INIT 0x00000005
#define ERR_KEYEX_RA 0x00000006
#define ERR_KEYEX_RB 0x00000007
#define ERR_EQUAL_S1SB 0x00000008
#define ERR_EQUAL_S2SA 0x00000009
#define ERR_SELFTEST_Z 0x0000000A
#define ERR_SELFTEST_INI_I 0x0000000B
#define ERR_SELFTEST_RES_I 0x0000000C
#define ERR_SELFTEST_INI_II 0x0000000D
#define ERR_GENERATE_R 0x0000000E
#define ERR_GENERATE_S 0x0000000F
#define ERR_OUTRANGE_R 0x00000010
#define ERR_OUTRANGE_S 0x00000011
#define ERR_GENERATE_T 0x00000012
#define ERR_PUBKEY_INIT 0x00000013
#define ERR_DATA_MEMCMP 0x00000014
#define ERR_ARRAY_NULL 0x00000015
#define ERR_C3_MATCH 0x00000016
#define ERR_SELFTEST_KG 0x00000017
#define ERR_SELFTEST_ENC 0x00000018
#define ERR_SELFTEST_DEC 0x00000019
static unsigned char SM2_p[32] = {0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
static unsigned char SM2_a[32] = {0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC};
static unsigned char SM2_b[32] = {0x28, 0xE9, 0xFA, 0x9E, 0x9D, 0x9F, 0x5E, 0x34, 0x4D, 0x5A, 0x9E, 0x4B, 0xCF, 0x65, 0x09, 0xA7,
0xF3, 0x97, 0x89, 0xF5, 0x15, 0xAB, 0x8F, 0x92, 0xDD, 0xBC, 0xBD, 0x41, 0x4D, 0x94, 0x0E, 0x93};
static unsigned char SM2_n[32] = {0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x72, 0x03, 0xDF, 0x6B, 0x21, 0xC6, 0x05, 0x2B, 0x53, 0xBB, 0xF4, 0x09, 0x39, 0xD5, 0x41, 0x23};
static unsigned char SM2_Gx[32] = {0x32, 0xC4, 0xAE, 0x2C, 0x1F, 0x19, 0x81, 0x19, 0x5F, 0x99, 0x04, 0x46, 0x6A, 0x39, 0xC9, 0x94,
0x8F, 0xE3, 0x0B, 0xBF, 0xF2, 0x66, 0x0B, 0xE1, 0x71, 0x5A, 0x45, 0x89, 0x33, 0x4C, 0x74, 0xC7};
static unsigned char SM2_Gy[32] = {0xBC, 0x37, 0x36, 0xA2, 0xF4, 0xF6, 0x77, 0x9C, 0x59, 0xBD, 0xCE, 0xE3, 0x6B, 0x69, 0x21, 0x53,
0xD0, 0xA9, 0x87, 0x7C, 0xC6, 0x2A, 0x47, 0x40, 0x02, 0xDF, 0x32, 0xE5, 0x21, 0x39, 0xF0, 0xA0};
static unsigned char SM2_h[32] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
big para_p, para_a, para_b, para_n, para_Gx, para_Gy, para_h;
epoint *G;
miracl *mip;
int SM2_w(big n);
void SM3_z(unsigned char ID[], unsigned short int ELAN, epoint* pubKey, unsigned char hash[]);
static int Test_Point(epoint* point);
static int Test_PubKey(epoint *pubKey);
int Test_Null(unsigned char array[], int len);
int Test_Zero(big x);
int Test_n(big x);
static int Test_Range(big x);
static int SM2_standard_init();
static int SM2_standard_keygeneration(big priKey, epoint *pubKey);
int SM2_standard_sign_keygeneration(unsigned char PriKey[], unsigned char Px[], unsigned char Py[]);
int SM2_standard_keyex_init_i(big ra, epoint* RA);
int SM2_standard_keyex_re_i(big rb, big dB, epoint* RA, epoint* PA, unsigned char ZA[], unsigned char ZB[], unsigned char K[], int klen, epoint* RB, epoint* V, unsigned char hash[]);
int SM2_standard_keyex_init_ii(big ra, big dA, epoint* RA, epoint* RB, epoint* PB, unsigned char ZA[], unsigned char ZB[], unsigned char SB[], unsigned char K[], int klen, unsigned char SA[]);
int SM2_standard_keyex_re_ii(epoint *V, epoint *RA, epoint *RB, unsigned char ZA[], unsigned char ZB[], unsigned char SA[]);
int SM2_standard_keyex_selftest();
int SM2_standard_encrypt(unsigned char* randK, epoint *pubKey, unsigned char M[], int klen, unsigned char C[]);
int SM2_standard_decrypt(big dB, unsigned char C[], int Clen, unsigned char M[]);
int SM2_standard_enc_selftest();
int SM2_standard_sign(unsigned char *message, int len, unsigned char ZA[], unsigned char rand[], unsigned char d[], unsigned char R[], unsigned char S[]);
int SM2_standard_verify(unsigned char *message, int len, unsigned char ZA[], unsigned char Px[], unsigned char Py[], unsigned char R[], unsigned char S[]);
int SM2_standard_selfcheck();
/* Initiate SM2 curve */
static int SM2_standard_init()
{
epoint *nG;
para_p = mirvar(0);
para_a = mirvar(0);
para_b = mirvar(0);
para_n = mirvar(0);
para_Gx = mirvar(0);
para_Gy = mirvar(0);
para_h = mirvar(0);
G = epoint_init();
nG = epoint_init();
bytes_to_big(SM2_NUMWORD, SM2_p, para_p);
bytes_to_big(SM2_NUMWORD, SM2_a, para_a);
bytes_to_big(SM2_NUMWORD, SM2_b, para_b);
bytes_to_big(SM2_NUMWORD, SM2_n, para_n);
bytes_to_big(SM2_NUMWORD, SM2_Gx, para_Gx);
bytes_to_big(SM2_NUMWORD, SM2_Gy, para_Gy);
bytes_to_big(SM2_NUMWORD, SM2_h, para_h);
ecurve_init(para_a, para_b, para_p, MR_PROJECTIVE); //Initialises GF(p) elliptic curve.
//MR_PROJECTIVE specifying projective coordinates
if (!epoint_set(para_Gx, para_Gy, 0, G)) //initialise point G
{
return ERR_ECURVE_INIT;
}
ecurve_mult(para_n, G, nG);
if (!point_at_infinity(nG)) //test if the order of the point is n
{
return ERR_ORDER;
}
return 0;
}
/* test if the given point is on SM2 curve */
static int Test_Point(epoint* point)
{
big x, y, x_3, tmp;
x = mirvar(0);
y = mirvar(0);
x_3 = mirvar(0);
tmp = mirvar(0);
//test if y^2 = x^3 + ax + b
epoint_get(point, x, y);
power(x, 3, para_p, x_3); //x_3 = x^3 mod p
multiply(x, para_a, x); //x = a * x
divide(x, para_p, tmp); //x = a * x mod p, tmp = a * x / p
add(x_3, x, x); //x = x^3 + ax
add(x, para_b, x); //x = x^3 + ax + b
divide(x, para_p, tmp); //x = x^3 + ax + b mod p
power(y, 2, para_p, y); //y = y^2 mod p
if (mr_compare(x, y) != 0)
return ERR_NOT_VALID_POINT;
else
return 0;
}
/* test if the given public key is valid */
static int Test_PubKey(epoint *pubKey)
{
big x, y, x_3, tmp;
epoint *nP;
x = mirvar(0);
y = mirvar(0);
x_3 = mirvar(0);
tmp = mirvar(0);
nP = epoint_init();
//test if the pubKey is the point at infinity
if (point_at_infinity(pubKey)) //if pubKey is point at infinity, return error;
return ERR_INFINITY_POINT;
//test if x < p and y<p both hold
epoint_get(pubKey, x, y);
if ((mr_compare(x, para_p) != -1) || (mr_compare(y, para_p) != -1))
return ERR_NOT_VALID_ELEMENT;
if (Test_Point(pubKey) != 0)
return ERR_NOT_VALID_POINT;
//test if the order of pubKey is equal to n
ecurve_mult(para_n, pubKey, nP); //nP=[n]P
if (!point_at_infinity(nP)) //if np is point NOT at infinity, return error;
return ERR_ORDER;
return 0;
}
/* test if the big x belong to the range[1, n-1] */
static int Test_Range(big x)
{
big one, decr_n;
one = mirvar(0);
decr_n = mirvar(0);
convert(1, one);
decr(para_n, 1, decr_n);
if ((mr_compare(x, one) < 0) | (mr_compare(x, decr_n) > 0))
return 1;
return 0;
}
/* calculate a pubKey out of a given priKey */
static int SM2_standard_keygeneration(big priKey, epoint *pubKey)
{
int i = 0;
big x, y;
x = mirvar(0);
y = mirvar(0);
//mip = mirsys(1000, 16);
//mip->IOBASE = 16;
ecurve_mult(priKey, G, pubKey);
epoint_get(pubKey, x, y);
i = Test_PubKey(pubKey);
if (i)
return i;
else
return 0;
}
#ifdef __cplusplus
}
# endif
#endif

View File

@@ -1,253 +0,0 @@
/*
* Copyright (c) 2015 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "miracl.h"
#include "mirdef.h"
#include "sm2_standard.h"
/* test if the given array is all zero */
int Test_Null(unsigned char array[], int len)
{
int i;
i = 0;
for (i = 0; i < len; i++)
{
if (array[i] != 0x00)
return 0;
}
return 1;
}
/* sm2 encryption */
int SM2_standard_encrypt(unsigned char* randK, epoint *pubKey, unsigned char M[], int klen, unsigned char C[])
{
big C1x, C1y, x2, y2, rand;
epoint *C1, *kP, *S;
int i;
i = 0;
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
SM3_STATE md;
C1x = mirvar(0);
C1y = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
rand = mirvar(0);
C1 = epoint_init();
kP = epoint_init();
S = epoint_init();
//step2. calculate C1 = [k]G = (rGx, rGy)
bytes_to_big(SM2_NUMWORD, randK, rand);
ecurve_mult(rand, G, C1); //C1 = [k]G
epoint_get(C1, C1x, C1y);
big_to_bytes(SM2_NUMWORD, C1x, C, 1);
big_to_bytes(SM2_NUMWORD, C1y, C + SM2_NUMWORD, 1);
//step3. test if S = [h]pubKey if the point at infinity
ecurve_mult(para_h, pubKey, S);
if (point_at_infinity(S)) //if S is point at infinity, return error;
return ERR_INFINITY_POINT;
//step4. calculate [k]PB = (x2, y2)
ecurve_mult(rand, pubKey, kP); //kP = [k]P
epoint_get(kP, x2, y2);
//step5. KDF(x2 || y2, klen)
big_to_bytes(SM2_NUMWORD, x2, x2y2, 1);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, 1);
SM3_kdf(x2y2, SM2_NUMWORD * 2, klen, C + SM2_NUMWORD * 3);
if (Test_Null(C + SM2_NUMWORD * 3, klen) != 0)
return ERR_ARRAY_NULL;
//step6. C2 = M^t
for (i = 0; i < klen; i++)
{
C[SM2_NUMWORD * 3 + i] = M[i] ^ C[SM2_NUMWORD * 3 + i];
}
//step7. C3 = hash(x2, M, y2)
SM3_init(&md);
SM3_process(&md, x2y2, SM2_NUMWORD);
SM3_process(&md, M, klen);
SM3_process(&md, x2y2 + SM2_NUMWORD, SM2_NUMWORD);
SM3_done(&md, C + SM2_NUMWORD * 2);
return 0;
}
/* sm2 decryption */
int SM2_standard_decrypt(big dB, unsigned char C[], int Clen, unsigned char M[])
{
SM3_STATE md;
int i;
i = 0;
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
unsigned char hash[SM2_NUMWORD] = {0};
big C1x, C1y, x2, y2;
epoint *C1, *S, *dBC1;
C1x = mirvar(0);
C1y = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
C1 = epoint_init();
S = epoint_init();
dBC1 = epoint_init();
//step1. test if C1 fits the curve
bytes_to_big(SM2_NUMWORD, C, C1x);
bytes_to_big(SM2_NUMWORD, C + SM2_NUMWORD, C1y);
epoint_set(C1x, C1y, 0, C1);
i = Test_Point(C1);
if (i != 0)
return i;
//step2. S = [h]C1 and test if S is the point at infinity
ecurve_mult(para_h, C1, S);
if (point_at_infinity(S)) // if S is point at infinity, return error;
return ERR_INFINITY_POINT;
//step3. [dB]C1 = (x2, y2)
ecurve_mult(dB, C1, dBC1);
epoint_get(dBC1, x2, y2);
big_to_bytes(SM2_NUMWORD, x2, x2y2, 1);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, 1);
//step4. t = KDF(x2 || y2, klen)
SM3_kdf(x2y2, SM2_NUMWORD * 2, Clen - SM2_NUMWORD * 3, M);
if (Test_Null(M, Clen - SM2_NUMWORD * 3) != 0)
return ERR_ARRAY_NULL;
//step5. M = C2^t
for (i = 0; i < Clen - SM2_NUMWORD * 3; i++)
M[i] = M[i] ^ C[SM2_NUMWORD * 3 + i];
//step6. hash(x2, m, y2)
SM3_init(&md);
SM3_process(&md, x2y2, SM2_NUMWORD);
SM3_process(&md, M, Clen - SM2_NUMWORD * 3);
SM3_process(&md, x2y2 + SM2_NUMWORD, SM2_NUMWORD);
SM3_done(&md, hash);
if (memcmp(hash, C + SM2_NUMWORD * 2, SM2_NUMWORD) != 0)
return ERR_C3_MATCH;
else
return 0;
}
/* test whether the SM2 calculation is correct by comparing the result with the standard data */
int SM2_standard_enc_selftest()
{
int tmp, i;
tmp = 0;
i = 0;
unsigned char Cipher[115] = {0};
unsigned char M[19] = {0};
unsigned char kGxy[SM2_NUMWORD * 2] = {0};
big ks, x, y;
epoint *kG;
//standard data
unsigned char std_priKey[32] = {0x39, 0x45, 0x20, 0x8F, 0x7B, 0x21, 0x44, 0xB1, 0x3F, 0x36, 0xE3, 0x8A, 0xC6, 0xD3, 0x9F, 0x95,
0x88, 0x93, 0x93, 0x69, 0x28, 0x60, 0xB5, 0x1A, 0x42, 0xFB, 0x81, 0xEF, 0x4D, 0xF7, 0xC5, 0xB8};
unsigned char std_pubKey[64] = {0x09, 0xF9, 0xDF, 0x31, 0x1E, 0x54, 0x21, 0xA1, 0x50, 0xDD, 0x7D, 0x16, 0x1E, 0x4B, 0xC5, 0xC6,
0x72, 0x17, 0x9F, 0xAD, 0x18, 0x33, 0xFC, 0x07, 0x6B, 0xB0, 0x8F, 0xF3, 0x56, 0xF3, 0x50, 0x20,
0xCC, 0xEA, 0x49, 0x0C, 0xE2, 0x67, 0x75, 0xA5, 0x2D, 0xC6, 0xEA, 0x71, 0x8C, 0xC1, 0xAA, 0x60,
0x0A, 0xED, 0x05, 0xFB, 0xF3, 0x5E, 0x08, 0x4A, 0x66, 0x32, 0xF6, 0x07, 0x2D, 0xA9, 0xAD, 0x13};
unsigned char std_rand[32] = {0x59, 0x27, 0x6E, 0x27, 0xD5, 0x06, 0x86, 0x1A, 0x16, 0x68, 0x0F, 0x3A, 0xD9, 0xC0, 0x2D, 0xCC,
0xEF, 0x3C, 0xC1, 0xFA, 0x3C, 0xDB, 0xE4, 0xCE, 0x6D, 0x54, 0xB8, 0x0D, 0xEA, 0xC1, 0xBC, 0x21};
unsigned char std_Message[19] = {0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x73, 0x74, 0x61, 0x6E, 0x64,
0x61, 0x72, 0x64};
unsigned char std_Cipher[115] = {0x04, 0xEB, 0xFC, 0x71, 0x8E, 0x8D, 0x17, 0x98, 0x62, 0x04, 0x32, 0x26, 0x8E, 0x77, 0xFE, 0xB6,
0x41, 0x5E, 0x2E, 0xDE, 0x0E, 0x07, 0x3C, 0x0F, 0x4F, 0x64, 0x0E, 0xCD, 0x2E, 0x14, 0x9A, 0x73,
0xE8, 0x58, 0xF9, 0xD8, 0x1E, 0x54, 0x30, 0xA5, 0x7B, 0x36, 0xDA, 0xAB, 0x8F, 0x95, 0x0A, 0x3C,
0x64, 0xE6, 0xEE, 0x6A, 0x63, 0x09, 0x4D, 0x99, 0x28, 0x3A, 0xFF, 0x76, 0x7E, 0x12, 0x4D, 0xF0,
0x59, 0x98, 0x3C, 0x18, 0xF8, 0x09, 0xE2, 0x62, 0x92, 0x3C, 0x53, 0xAE, 0xC2, 0x95, 0xD3, 0x03,
0x83, 0xB5, 0x4E, 0x39, 0xD6, 0x09, 0xD1, 0x60, 0xAF, 0xCB, 0x19, 0x08, 0xD0, 0xBD, 0x87, 0x66,
0x21, 0x88, 0x6C, 0xA9, 0x89, 0xCA, 0x9C, 0x7D, 0x58, 0x08, 0x73, 0x07, 0xCA, 0x93, 0x09, 0x2D,
0x65, 0x1E, 0xFA};
mip= mirsys(1000, 16);
mip->IOBASE = 16;
x = mirvar(0);
y = mirvar(0);
ks = mirvar(0);
kG = epoint_init();
bytes_to_big(32, std_priKey, ks); //ks is the standard private key
//initiate SM2 curve
SM2_standard_init();
//generate key pair
tmp = SM2_standard_keygeneration(ks, kG);
if (tmp != 0)
return tmp;
epoint_get(kG, x, y);
big_to_bytes(SM2_NUMWORD, x, kGxy, 1);
big_to_bytes(SM2_NUMWORD, y, kGxy + SM2_NUMWORD, 1);
if (memcmp(kGxy, std_pubKey, SM2_NUMWORD * 2) != 0)
return ERR_SELFTEST_KG;
//encrypt data and compare the result with the standard data
tmp = SM2_standard_encrypt(std_rand, kG, std_Message, 19, Cipher);
if (tmp != 0)
return tmp;
if (memcmp(Cipher, std_Cipher, 19 + SM2_NUMWORD * 3) != 0)
return ERR_SELFTEST_ENC;
//decrypt cipher and compare the result with the standard data
tmp = SM2_standard_decrypt(ks, Cipher, 115, M);
if (tmp != 0)
return tmp;
if (memcmp(M, std_Message, 19) != 0)
return ERR_SELFTEST_DEC;
return 0;
}

View File

@@ -1,491 +0,0 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
*/
#include "mirdef.h"
#include "miracl.h"
#include "sm2_standard.h"
/* calculation of w */
int SM2_w(big n)
{
big n1;
int w = 0;
n1 = mirvar(0);
w = logb2(para_n); //approximate integer log to the base 2 of para_n
expb2(w, n1); //n1 = 2^w
if (mr_compare(para_n, n1) == 1)
w++;
if ((w % 2) == 0)
w = w / 2 - 1;
else
w = (w + 1) / 2 - 1;
return w;
}
/* calculation of ZA or ZB */
void SM3_z(unsigned char ID[], unsigned short int ELAN, epoint* pubKey, unsigned char hash[])
{
unsigned char Px[SM2_NUMWORD] = {0}, Py[SM2_NUMWORD] = {0};
unsigned char IDlen[2] = {0};
big x, y;
SM3_STATE md;
x = mirvar(0);
y = mirvar(0);
epoint_get(pubKey, x, y);
big_to_bytes(SM2_NUMWORD, x, Px, 1);
big_to_bytes(SM2_NUMWORD, y, Py, 1);
memcpy(IDlen, &ELAN + 1, 1);
memcpy(IDlen + 1, &ELAN, 1);
SM3_init(&md);
SM3_process(&md, IDlen, 2);
SM3_process(&md, ID, ELAN / 8);
SM3_process(&md, SM2_a, SM2_NUMWORD);
SM3_process(&md, SM2_b, SM2_NUMWORD);
SM3_process(&md, SM2_Gx, SM2_NUMWORD);
SM3_process(&md, SM2_Gy, SM2_NUMWORD);
SM3_process(&md, Px, SM2_NUMWORD);
SM3_process(&md, Py, SM2_NUMWORD);
SM3_done(&md, hash);
return;
}
/* calculate RA */
int SM2_standard_keyex_init_i(big ra, epoint* RA)
{
return SM2_standard_keygeneration(ra, RA);
}
/* calculate RB and a secret key */
int SM2_standard_keyex_re_i(big rb, big dB, epoint* RA, epoint* PA, unsigned char ZA[], unsigned char ZB[], unsigned char K[], int klen, epoint* RB, epoint* V, unsigned char hash[])
{
SM3_STATE md;
int i = 0, w = 0;
unsigned char Z[SM2_NUMWORD * 2 + SM3_len / 4] = {0};
unsigned char x1y1[SM2_NUMWORD * 2] = {0};
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
unsigned char temp = 0x02;
big x1, y1, x1_, x2, y2, x2_, tmp, Vx, Vy, temp_x, temp_y;
//mip = mirsys(1000, 16);
//mip->IOBASE = 16;
x1 = mirvar(0);
y1 = mirvar(0);
x1_ = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
x2_ = mirvar(0);
tmp = mirvar(0);
Vx = mirvar(0);
Vy = mirvar(0);
temp_x = mirvar(0);
temp_y = mirvar(0);
w = SM2_w(para_n);
//--------B2: RB = [rb]G = (x2, y2)--------
SM2_standard_keygeneration(rb, RB);
epoint_get(RB, x2, y2);
big_to_bytes(SM2_NUMWORD, x2, x2y2, 1);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, 1);
//--------B3: x2_ = 2^w + x2 & (2^w - 1)--------
expb2(w, x2_); //x2_ = 2^w
divide(x2, x2_, tmp); //x2 = x2 mod x2_ = x2 & (2^w - 1)
add(x2_, x2, x2_);
divide(x2_, para_n, tmp); //x2_ = n mod q
//--------B4: tB = (dB + x2_ * rB) mod n--------
multiply(x2_, rb, x2_);
add(dB, x2_, x2_);
divide(x2_, para_n, tmp);
//--------B5: x1_ = 2^w + x1 & (2^w - 1)--------
if (Test_Point(RA) != 0)
return ERR_KEYEX_RA;
epoint_get(RA, x1, y1);
big_to_bytes(SM2_NUMWORD, x1, x1y1, 1);
big_to_bytes(SM2_NUMWORD, y1, x1y1 + SM2_NUMWORD, 1);
expb2(w, x1_); //x1_ = 2^w
divide(x1, x1_, tmp); //x1 = x1 mod x1_ = x1 & (2^w - 1)
add(x1_,x1, x1_);
divide(x1_, para_n, tmp); //x1_ = n mod q
//--------B6: V = [h * tB](PA + [x1_]RA)--------
ecurve_mult(x1_, RA, V); //v = [x1_]RA
epoint_get(V, temp_x, temp_y);
ecurve_add(PA, V); //V = PA + V
epoint_get(V, temp_x, temp_y);
multiply(para_h, x2_, x2_); //tB = tB * h
ecurve_mult(x2_, V, V);
if (point_at_infinity(V) == 1)
return ERR_INFINITY_POINT;
epoint_get(V, Vx, Vy);
big_to_bytes(SM2_NUMWORD, Vx, Z, 1);
big_to_bytes(SM2_NUMWORD, Vy, Z + SM2_NUMWORD, 1);
//------------B7:KB = KDF(VX, VY, ZA, ZB, KLEN)----------
memcpy(Z + SM2_NUMWORD * 2, ZA, SM3_len / 8);
memcpy(Z + SM2_NUMWORD * 2 + SM3_len / 8, ZB, SM3_len / 8);
SM3_kdf(Z, SM2_NUMWORD * 2 + SM3_len / 4, klen / 8, K);
//---------------B8:(optional)SB = hash(0x02 || Vy || HASH(Vx || ZA || ZB || x1 || y1 || x2 || y2)-------------
SM3_init(&md);
SM3_process(&md, Z, SM2_NUMWORD);
SM3_process(&md, ZA, SM3_len / 8);
SM3_process(&md, ZB, SM3_len / 8);
SM3_process(&md, x1y1, SM2_NUMWORD * 2);
SM3_process(&md, x2y2, SM2_NUMWORD * 2);
SM3_done(&md, hash);
SM3_init(&md);
SM3_process(&md, &temp, 1);
SM3_process(&md, Z + SM2_NUMWORD, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, hash);
return 0;
}
/* initiator A calculates the secret key out of RA and RB, and calculates a hash */
int SM2_standard_keyex_init_ii(big ra, big dA, epoint* RA, epoint* RB, epoint* PB, unsigned char ZA[], unsigned char ZB[], unsigned char SB[], unsigned char K[], int klen, unsigned char SA[])
{
SM3_STATE md;
int i = 0, w = 0;
unsigned char Z[SM2_NUMWORD * 2 + SM3_len / 4] = {0};
unsigned char x1y1[SM2_NUMWORD * 2] = {0};
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
unsigned char hash[SM2_NUMWORD], S1[SM2_NUMWORD];
unsigned char temp[2] = {0x02, 0x03};
big x1, y1, x1_, x2, y2, x2_, tmp, Ux, Uy, temp_x, temp_y, tA;
epoint* U;
//mip = mirsys(1000, 16);
//mip->IOBASE = 16;
U = epoint_init();
x1 = mirvar(0);
y1 = mirvar(0);
x1_ = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
x2_ = mirvar(0);
tmp = mirvar(0);
Ux = mirvar(0);
Uy = mirvar(0);
temp_x = mirvar(0);
temp_y = mirvar(0);
tA=mirvar(0);
w = SM2_w(para_n);
epoint_get(RA, x1, y1);
big_to_bytes(SM2_NUMWORD, x1, x1y1, TRUE);
big_to_bytes(SM2_NUMWORD, y1, x1y1 + SM2_NUMWORD, TRUE);
//--------A4: x1_ = 2^w + x2 & (2^w - 1)--------
expb2(w, x1_); //x1_ = 2^w
divide(x1, x1_, tmp); //x1 = x1 mod x1_ = x1 & (2^w - 1)
add(x1_, x1, x1_);
divide(x1_, para_n, tmp);
//-------- A5:tA = (dA + x1_ * rA) mod n--------
multiply(x1_, ra, tA);
divide(tA, para_n, tmp);
add(tA, dA, tA);
divide(tA, para_n, tmp);
//-------- A6:x2_ = 2^w + x2 & (2^w - 1)-----------------
if (Test_Point(RB) != 0)
return ERR_KEYEX_RB;//////////////////////////////////
epoint_get(RB, x2, y2);
big_to_bytes(SM2_NUMWORD, x2, x2y2, TRUE);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, TRUE);
expb2(w, x2_); //x2_ = 2^w
divide(x2, x2_, tmp); //x2 = x2 mod x2_ = x2 & (2^w - 1)
add(x2_, x2, x2_);
divide(x2_, para_n, tmp);
//--------A7:U = [h * tA](PB + [x2_]RB)-----------------
ecurve_mult(x2_, RB, U); //U = [x2_]RB
epoint_get(U, temp_x, temp_y);
ecurve_add(PB, U); //U = PB + U
epoint_get(U, temp_x, temp_y);
multiply(para_h, tA, tA); //tA = tA * h
divide(tA, para_n, tmp);
ecurve_mult(tA, U, U);
if (point_at_infinity(U) == 1)
return ERR_INFINITY_POINT;
epoint_get(U, Ux, Uy);
big_to_bytes(SM2_NUMWORD, Ux, Z, 1);
big_to_bytes(SM2_NUMWORD, Uy, Z + SM2_NUMWORD, 1);
//------------A8:KA = KDF(UX, UY, ZA, ZB, KLEN)----------
memcpy(Z + SM2_NUMWORD * 2, ZA, SM3_len / 8);
memcpy(Z + SM2_NUMWORD * 2 + SM3_len / 8, ZB, SM3_len / 8);
SM3_kdf(Z, SM2_NUMWORD * 2 + SM3_len / 4, klen / 8, K);
//---------------A9:(optional) S1 = Hash(0x02 || Uy || Hash(Ux || ZA || ZB || x1 || y1 || x2 || y2))-----------
SM3_init (&md);
SM3_process(&md, Z, SM2_NUMWORD);
SM3_process(&md, ZA, SM3_len / 8);
SM3_process(&md, ZB, SM3_len / 8);
SM3_process(&md, x1y1, SM2_NUMWORD * 2);
SM3_process(&md, x2y2, SM2_NUMWORD * 2);
SM3_done(&md, hash);
SM3_init(&md);
SM3_process(&md, temp, 1);
SM3_process(&md, Z + SM2_NUMWORD, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, S1);
//test S1 = SB?
if (memcmp(S1, SB, SM2_NUMWORD) != 0)
return ERR_EQUAL_S1SB;
//---------------A10 SA = Hash(0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2))-------------
SM3_init(&md);
SM3_process(&md, &temp[1], 1);
SM3_process(&md, Z + SM2_NUMWORD, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, SA);
return 0;
}
/* (optional)Step B10: verifies the hash value received from initiator A */
int SM2_standard_keyex_re_ii(epoint *V, epoint *RA, epoint *RB, unsigned char ZA[], unsigned char ZB[], unsigned char SA[])
{
big x1, y1, x2, y2, Vx, Vy;
unsigned char hash[SM2_NUMWORD], S2[SM2_NUMWORD];
unsigned char temp = 0x03;
unsigned char xV[SM2_NUMWORD], yV[SM2_NUMWORD];
unsigned char x1y1[SM2_NUMWORD * 2] = {0};
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
SM3_STATE md;
x1 = mirvar(0);
y1 = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
Vx = mirvar(0);
Vy = mirvar(0);
epoint_get(RA, x1, y1);
epoint_get(RB, x2, y2);
epoint_get(V, Vx, Vy);
big_to_bytes(SM2_NUMWORD, Vx, xV, TRUE);
big_to_bytes(SM2_NUMWORD, Vy, yV, TRUE);
big_to_bytes(SM2_NUMWORD, x1, x1y1, TRUE);
big_to_bytes(SM2_NUMWORD, y1, x1y1 + SM2_NUMWORD, TRUE);
big_to_bytes(SM2_NUMWORD, x2, x2y2, TRUE);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, TRUE);
//---------------B10:(optional) S2 = Hash(0x03 || Vy || Hash(Vx || ZA || ZB || x1 || y1 || x2 || y2))
SM3_init(&md);
SM3_process(&md, xV, SM2_NUMWORD);
SM3_process(&md, ZA, SM3_len / 8);
SM3_process(&md, ZB, SM3_len / 8);
SM3_process(&md, x1y1, SM2_NUMWORD * 2);
SM3_process(&md, x2y2, SM2_NUMWORD * 2);
SM3_done(&md, hash);
SM3_init(&md);
SM3_process(&md, &temp, 1);
SM3_process(&md, yV, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, S2);
if (memcmp(S2, SA, SM3_len / 8) != 0)
return ERR_EQUAL_S2SA;
return 0;
}
/* self check of SM2 key exchange */
int SM2_standard_keyex_selftest()
{
//standard data
unsigned char std_priKeyA[SM2_NUMWORD] = {0x81, 0xEB, 0x26, 0xE9, 0x41, 0xBB, 0x5A, 0xF1, 0x6D, 0xF1, 0x16, 0x49, 0x5F, 0x90, 0x69, 0x52,
0x72, 0xAE, 0x2C, 0xD6, 0x3D, 0x6C, 0x4A, 0xE1, 0x67, 0x84, 0x18, 0xBE, 0x48, 0x23, 0x00, 0x29};
unsigned char std_pubKeyA[SM2_NUMWORD * 2] = {0x16, 0x0E, 0x12, 0x89, 0x7D, 0xF4, 0xED, 0xB6, 0x1D, 0xD8, 0x12, 0xFE, 0xB9, 0x67, 0x48,
0xFB, 0xD3, 0xCC, 0xF4, 0xFF, 0xE2, 0x6A, 0xA6, 0xF6, 0xDB, 0x95, 0x40, 0xAF, 0x49, 0xC9,
0x42, 0x32, 0x4A, 0x7D, 0xAD, 0x08, 0xBB, 0x9A, 0x45, 0x95, 0x31, 0x69, 0x4B, 0xEB, 0x20,
0xAA, 0x48, 0x9D, 0x66, 0x49, 0x97, 0x5E, 0x1B, 0xFC, 0xF8, 0xC4, 0x74, 0x1B, 0x78, 0xB4,
0xB2, 0x23, 0x00, 0x7F};
unsigned char std_randA[SM2_NUMWORD] = {0xD4, 0xDE, 0x15, 0x47, 0x4D, 0xB7, 0x4D, 0x06, 0x49, 0x1C, 0x44, 0x0D, 0x30, 0x5E, 0x01, 0x24,
0x00, 0x99, 0x0F, 0x3E, 0x39, 0x0C, 0x7E, 0x87, 0x15, 0x3C, 0x12, 0xDB, 0x2E, 0xA6, 0x0B, 0xB3};
unsigned char std_priKeyB[SM2_NUMWORD] = {0x78, 0x51, 0x29, 0x91, 0x7D, 0x45, 0xA9, 0xEA, 0x54, 0x37, 0xA5, 0x93, 0x56, 0xB8, 0x23, 0x38,
0xEA, 0xAD, 0xDA, 0x6C, 0xEB, 0x19, 0x90, 0x88, 0xF1, 0x4A, 0xE1, 0x0D, 0xEF, 0xA2, 0x29, 0xB5};
unsigned char std_pubKeyB[SM2_NUMWORD * 2] = {0x6A, 0xE8, 0x48, 0xC5, 0x7C, 0x53, 0xC7, 0xB1, 0xB5, 0xFA, 0x99, 0xEB, 0x22, 0x86, 0xAF,
0x07, 0x8B, 0xA6, 0x4C, 0x64, 0x59, 0x1B, 0x8B, 0x56, 0x6F, 0x73, 0x57, 0xD5, 0x76, 0xF1,
0x6D, 0xFB, 0xEE, 0x48, 0x9D, 0x77, 0x16, 0x21, 0xA2, 0x7B, 0x36, 0xC5, 0xC7, 0x99, 0x20,
0x62, 0xE9, 0xCD, 0x09, 0xA9, 0x26, 0x43, 0x86, 0xF3, 0xFB, 0xEA, 0x54, 0xDF, 0xF6, 0x93,
0x05, 0x62, 0x1C, 0x4D};
unsigned char std_randB[SM2_NUMWORD] = {0x7E, 0x07, 0x12, 0x48, 0x14, 0xB3, 0x09, 0x48, 0x91, 0x25, 0xEA, 0xED, 0x10, 0x11, 0x13, 0x16,
0x4E, 0xBF, 0x0F, 0x34, 0x58, 0xC5, 0xBD, 0x88, 0x33, 0x5C, 0x1F, 0x9D, 0x59, 0x62, 0x43, 0xD6};
unsigned char std_IDA[16] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38};
unsigned char std_IDB[16] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38};
unsigned short int std_ENTLA = 0x0080;
unsigned short int std_ENTLB = 0x0080;
unsigned char std_ZA[SM3_len] = {0x3B, 0x85, 0xA5, 0x71, 0x79, 0xE1, 0x1E, 0x7E, 0x51, 0x3A, 0xA6, 0x22, 0x99, 0x1F, 0x2C,
0xA7, 0x4D, 0x18, 0x07, 0xA0, 0xBD, 0x4D, 0x4B, 0x38, 0xF9, 0x09, 0x87, 0xA1, 0x7A, 0xC2,
0x45, 0xB1};
unsigned char std_ZB[SM3_len] = {0x79, 0xC9, 0x88, 0xD6, 0x32, 0x29, 0xD9, 0x7E, 0xF1, 0x9F, 0xE0, 0x2C, 0xA1, 0x05, 0x6E,
0x01, 0xE6, 0xA7, 0x41, 0x1E, 0xD2, 0x46, 0x94, 0xAA, 0x8F, 0x83, 0x4F, 0x4A, 0x4A, 0xB0,
0x22, 0xF7};
unsigned char std_RA[SM2_NUMWORD * 2] = {0x64, 0xCE, 0xD1, 0xBD, 0xBC, 0x99, 0xD5, 0x90, 0x04, 0x9B, 0x43, 0x4D, 0x0F, 0xD7, 0x34, 0x28,
0xCF, 0x60, 0x8A, 0x5D, 0xB8, 0xFE, 0x5C, 0xE0, 0x7F, 0x15, 0x02, 0x69, 0x40, 0xBA, 0xE4, 0x0E,
0x37, 0x66, 0x29, 0xC7, 0xAB, 0x21, 0xE7, 0xDB, 0x26, 0x09, 0x22, 0x49, 0x9D, 0xDB, 0x11, 0x8F,
0x07, 0xCE, 0x8E, 0xAA, 0xE3, 0xE7, 0x72, 0x0A, 0xFE, 0xF6, 0xA5, 0xCC, 0x06, 0x20, 0x70, 0xC0};
unsigned char std_K[16] = {0x6C, 0x89, 0x34, 0x73, 0x54, 0xDE, 0x24, 0x84, 0xC6, 0x0B, 0x4A, 0xB1, 0xFD, 0xE4, 0xC6, 0xE5};
unsigned char std_RB[SM2_NUMWORD * 2] = {0xAC, 0xC2, 0x76, 0x88, 0xA6, 0xF7, 0xB7, 0x06, 0x09, 0x8B, 0xC9, 0x1F, 0xF3, 0xAD, 0x1B, 0xFF,
0x7D, 0xC2, 0x80, 0x2C, 0xDB, 0x14, 0xCC, 0xCC, 0xDB, 0x0A, 0x90, 0x47, 0x1F, 0x9B, 0xD7, 0x07,
0x2F, 0xED, 0xAC, 0x04, 0x94, 0xB2, 0xFF, 0xC4, 0xD6, 0x85, 0x38, 0x76, 0xC7, 0x9B, 0x8F, 0x30,
0x1C, 0x65, 0x73, 0xAD, 0x0A, 0xA5, 0x0F, 0x39, 0xFC, 0x87, 0x18, 0x1E, 0x1A, 0x1B, 0x46, 0xFE};
unsigned char std_SB[SM3_len] = {0xD3, 0xA0, 0xFE, 0x15, 0xDE, 0xE1, 0x85, 0xCE, 0xAE, 0x90, 0x7A, 0x6B, 0x59, 0x5C, 0xC3,
0x2A, 0x26, 0x6E, 0xD7, 0xB3, 0x36, 0x7E, 0x99, 0x83, 0xA8, 0x96, 0xDC, 0x32, 0xFA, 0x20,
0xF8, 0xEB};
int std_Klen = 128; //bit len
int temp;
big x, y, dA, dB, rA, rB;
epoint* pubKeyA, *pubKeyB, *RA, *RB, *V;
unsigned char hash[SM3_len / 8] = {0};
unsigned char ZA[SM3_len / 8] = {0};
unsigned char ZB[SM3_len / 8] = {0};
unsigned char xy[SM2_NUMWORD * 2] = {0};
unsigned char *KA, *KB;
unsigned char SA[SM3_len / 8];
KA = malloc(std_Klen / 8);
KB = malloc(std_Klen / 8);
mip = mirsys(1000, 16);
mip->IOBASE = 16;
x = mirvar(0);
y = mirvar(0);
dA = mirvar(0);
dB = mirvar(0);
rA = mirvar(0);
rB = mirvar(0);
pubKeyA = epoint_init();
pubKeyB = epoint_init();
RA = epoint_init();
RB = epoint_init();
V = epoint_init();
SM2_standard_init();
bytes_to_big(SM2_NUMWORD, std_priKeyA, dA);
bytes_to_big(SM2_NUMWORD, std_priKeyB, dB);
bytes_to_big(SM2_NUMWORD, std_randA, rA);
bytes_to_big(SM2_NUMWORD, std_randB, rB);
bytes_to_big(SM2_NUMWORD, std_pubKeyA, x);
bytes_to_big(SM2_NUMWORD, std_pubKeyA + SM2_NUMWORD, y);
epoint_set(x, y, 0, pubKeyA);
bytes_to_big(SM2_NUMWORD, std_pubKeyB, x);
bytes_to_big(SM2_NUMWORD, std_pubKeyB + SM2_NUMWORD, y);
epoint_set(x, y, 0, pubKeyB);
SM3_z(std_IDA, std_ENTLA, pubKeyA, ZA);
if (memcmp(ZA, std_ZA, SM3_len / 8) != 0)
return ERR_SELFTEST_Z;
SM3_z(std_IDB, std_ENTLB, pubKeyB, ZB);
if (memcmp(ZB, std_ZB, SM3_len / 8) != 0)
return ERR_SELFTEST_Z;
temp = SM2_standard_keyex_init_i(rA, RA);
if (temp)
return temp;
epoint_get(RA, x, y);
big_to_bytes(SM2_NUMWORD, x, xy, 1);
big_to_bytes(SM2_NUMWORD, y, xy + SM2_NUMWORD, 1);
if (memcmp(xy, std_RA, SM2_NUMWORD * 2) != 0)
return ERR_SELFTEST_INI_I;
temp = SM2_standard_keyex_re_i(rB, dB, RA, pubKeyA, ZA, ZB, KA, std_Klen, RB, V, hash);
if (temp)
return temp;
if (memcmp(KA, std_K, std_Klen / 8) != 0)
return ERR_SELFTEST_RES_I;
temp = SM2_standard_keyex_init_ii(rA, dA, RA, RB, pubKeyB, ZA, ZB, hash, KB, std_Klen, SA);
if (temp)
return temp;
if (memcmp(KB, std_K, std_Klen / 8) != 0)
return ERR_SELFTEST_INI_II;
if (SM2_standard_keyex_re_ii(V, RA, RB, ZA, ZB, SA) != 0)
return ERR_EQUAL_S2SA;
free(KA);
free(KB);
return 0;
}

View File

@@ -1,333 +0,0 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "mirdef.h"
#include "miracl.h"
#include "sm2_standard.h"
/* test if the big x is zero */
int Test_Zero(big x)
{
big zero;
zero = mirvar(0);
if (mr_compare(x, zero) == 0)
return 1;
else
return 0;
}
/* test if the big x is order n */
int Test_n(big x)
{
//bytes_to_big(32, SM2_n, n);
if (mr_compare(x, para_n) == 0)
return 1;
else
return 0;
}
/* calculate a pubKey out of a given priKey */
int SM2_standard_sign_keygeneration(unsigned char PriKey[], unsigned char Px[], unsigned char Py[])
{
int i = 0;
big d, PAx, PAy;
epoint *PA;
SM2_standard_init();
PA = epoint_init();
d = mirvar(0);
PAx = mirvar(0);
PAy = mirvar(0);
bytes_to_big(SM2_NUMWORD, PriKey, d);
ecurve_mult(d, G, PA);
epoint_get(PA, PAx, PAy);
big_to_bytes(SM2_NUMWORD, PAx, Px, TRUE);
big_to_bytes(SM2_NUMWORD, PAy, Py, TRUE);
i = Test_PubKey(PA);
if (i)
return i;
else
return 0;
}
/* SM2 signature algorithm */
int SM2_standard_sign(unsigned char *message, int len, unsigned char ZA[], unsigned char rand[], unsigned char d[], unsigned char R[], unsigned char S[])
{
unsigned char hash[SM3_len / 8];
int M_len = len + SM3_len / 8;
unsigned char *M = NULL;
int i;
big dA, r, s, e, k, KGx, KGy;
big rem, rk, z1, z2;
epoint *KG;
i = SM2_standard_init();
if (i)
return i;
//initiate
dA = mirvar(0);
e = mirvar(0);
k = mirvar(0);
KGx = mirvar(0);
KGy = mirvar(0);
r = mirvar(0);
s = mirvar(0);
rem = mirvar(0);
rk = mirvar(0);
z1 = mirvar(0);
z2 = mirvar(0);
bytes_to_big(SM2_NUMWORD, d, dA); //cinstr(dA, d);
KG = epoint_init();
//step1, set M = ZA || M
M = (char *)malloc(sizeof(char)*(M_len + 1));
memcpy(M, ZA, SM3_len / 8);
memcpy(M + SM3_len / 8, message, len);
//step2, generate e = H(M)
SM3_256(M, M_len, hash);
bytes_to_big(SM3_len / 8, hash, e);
//step3:generate k
bytes_to_big(SM3_len / 8, rand, k);
//step4:calculate kG
ecurve_mult(k, G, KG);
//step5:calculate r
epoint_get(KG, KGx, KGy);
add(e, KGx, r);
divide(r, para_n, rem);
//judge r = 0 or n + k = n?
add(r, k, rk);
if (Test_Zero(r) | Test_n(rk))
return ERR_GENERATE_R;
//step6:generate s
incr(dA, 1, z1);
xgcd(z1, para_n, z1, z1, z1);
multiply(r, dA, z2);
divide(z2, para_n, rem);
subtract(k, z2, z2);
add(z2, para_n, z2);
multiply(z1, z2, s);
divide(s, para_n, rem);
//judge s = 0?
if (Test_Zero(s))
return ERR_GENERATE_S ;
big_to_bytes(SM2_NUMWORD, r, R, TRUE);
big_to_bytes(SM2_NUMWORD, s, S, TRUE);
free(M);
return 0;
}
/* SM2 verification algorithm */
int SM2_standard_verify(unsigned char *message, int len, unsigned char ZA[], unsigned char Px[], unsigned char Py[], unsigned char R[], unsigned char S[])
{
unsigned char hash[SM3_len / 8];
int M_len = len + SM3_len / 8;
unsigned char *M = NULL;
int i;
big PAx, PAy, r, s, e, t, rem, x1, y1;
big RR;
epoint *PA, *sG, *tPA;
i = SM2_standard_init();
if (i)
return i;
PAx = mirvar(0);
PAy = mirvar(0);
r = mirvar(0);
s = mirvar(0);
e = mirvar(0);
t = mirvar(0);
x1 = mirvar(0);
y1 = mirvar(0);
rem = mirvar(0);
RR = mirvar(0);
PA = epoint_init();
sG = epoint_init();
tPA = epoint_init();
bytes_to_big(SM2_NUMWORD, Px, PAx);
bytes_to_big(SM2_NUMWORD, Py, PAy);
bytes_to_big(SM2_NUMWORD, R, r);
bytes_to_big(SM2_NUMWORD, S, s);
if (!epoint_set(PAx, PAy, 0, PA)) //initialise public key
{
return ERR_PUBKEY_INIT;
}
//step1: test if r belong to [1, n-1]
if (Test_Range(r))
return ERR_OUTRANGE_R;
//step2: test if s belong to [1, n-1]
if (Test_Range(s))
return ERR_OUTRANGE_S;
//step3, generate M
M = (char *)malloc(sizeof(char)*(M_len + 1));
memcpy(M, ZA, SM3_len / 8);
memcpy(M + SM3_len / 8, message, len);
//step4, generate e = H(M)
SM3_256(M, M_len, hash);
bytes_to_big(SM3_len / 8, hash, e);
//step5:generate t
add(r, s, t);
divide(t, para_n, rem);
if (Test_Zero(t))
return ERR_GENERATE_T;
//step 6: generate(x1, y1)
ecurve_mult(s, G, sG);
ecurve_mult(t, PA, tPA);
ecurve_add(sG, tPA);
epoint_get(tPA, x1, y1);
//step7:generate RR
add(e, x1, RR);
divide(RR, para_n, rem);
free(M);
if (mr_compare(RR, r) == 0)
return 0;
else
return ERR_DATA_MEMCMP;
}
/* SM2 self check */
int SM2_standard_selfcheck()
{
//the private key
unsigned char dA[32] = {0x39, 0x45, 0x20, 0x8f, 0x7b, 0x21, 0x44, 0xb1, 0x3f, 0x36, 0xe3, 0x8a, 0xc6, 0xd3, 0x9f,
0x95, 0x88, 0x93, 0x93, 0x69, 0x28, 0x60, 0xb5, 0x1a, 0x42, 0xfb, 0x81, 0xef, 0x4d, 0xf7,
0xc5, 0xb8};
unsigned char rand[32] = {0x59, 0x27, 0x6E, 0x27, 0xD5, 0x06, 0x86, 0x1A, 0x16, 0x68, 0x0F, 0x3A, 0xD9, 0xC0, 0x2D,
0xCC, 0xEF, 0x3C, 0xC1, 0xFA, 0x3C, 0xDB, 0xE4, 0xCE, 0x6D, 0x54, 0xB8, 0x0D, 0xEA, 0xC1,
0xBC, 0x21};
//the public key
/* unsigned char xA[32] = {0x09, 0xf9, 0xdf, 0x31, 0x1e, 0x54, 0x21, 0xa1, 0x50, 0xdd, 0x7d, 0x16, 0x1e, 0x4b, 0xc5,
0xc6, 0x72, 0x17, 0x9f, 0xad, 0x18, 0x33, 0xfc, 0x07, 0x6b, 0xb0, 0x8f, 0xf3, 0x56, 0xf3,
0x50, 0x20};
unsigned char yA[32] = {0xcc, 0xea, 0x49, 0x0c, 0xe2, 0x67, 0x75, 0xa5, 0x2d, 0xc6, 0xea, 0x71, 0x8c, 0xc1, 0xaa,
0x60, 0x0a, 0xed, 0x05, 0xfb, 0xf3, 0x5e, 0x08, 0x4a, 0x66, 0x32, 0xf6, 0x07, 0x2d, 0xa9,
0xad, 0x13};*/
unsigned char xA[32], yA[32];
unsigned char r[32], s[32]; // Signature
unsigned char IDA[16] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33,
0x34, 0x35, 0x36, 0x37, 0x38}; //ASCII code of userA's identification
int IDA_len = 16;
unsigned char ENTLA[2] = {0x00, 0x80}; //the length of userA's identification, presentation in ASCII code
unsigned char *message = "message digest"; //the message to be signed
int len = strlen(message); //the length of message
unsigned char ZA[SM3_len / 8]; //ZA = Hash(ENTLA || IDA || a || b || Gx || Gy || xA|| yA)
unsigned char Msg[210]; //210 = IDA_len + 2 + SM2_NUMWORD * 6
int temp;
mip = mirsys(10000, 16);
mip->IOBASE = 16;
temp = SM2_standard_sign_keygeneration(dA, xA, yA);
if (temp)
return temp;
//ENTLA || IDA || a || b || Gx || Gy || xA || yA
memcpy(Msg, ENTLA, 2);
memcpy(Msg + 2, IDA, IDA_len);
memcpy(Msg + 2 + IDA_len, SM2_a, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD, SM2_b, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 2, SM2_Gx, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 3, SM2_Gy, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 4, xA, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 5, yA, SM2_NUMWORD);
SM3_256(Msg, 210, ZA);
temp = SM2_standard_sign(message, len, ZA, rand, dA, r, s);
if (temp)
return temp;
temp = SM2_standard_verify(message, len, ZA, xA, yA, r, s);
if (temp)
return temp;
return 0;
}

View File

@@ -1,368 +0,0 @@
#include "sm3_standard.h"
/****************************************************************
Function: BiToW
Description: calculate W from Bi
Calls:
Called By: SM3_compress
Input: Bi[16] //a block of a message
Output: W[64]
Return: null
Others:
****************************************************************/
void BiToW(unsigned int Bi[], unsigned int W[])
{
int i;
unsigned int tmp;
for (i = 0; i <= 15; i++)
{
W[i] = Bi[i];
}
for (i = 16; i <= 67; i++)
{
tmp = W[i - 16]
^ W[i - 9]
^ SM3_rotl32(W[i - 3], 15);
W[i] = SM3_p1(tmp)
^ (SM3_rotl32(W[i - 13], 7))
^ W[i - 6];
}
}
/*****************************************************************
Function: WToW1
Description: calculate W1 from W
Calls:
Called By: SM3_compress
Input: W[64]
Output: W1[64]
Return: null
Others:
*****************************************************************/
void WToW1(unsigned int W[], unsigned int W1[])
{
int i;
for (i = 0; i <= 63; i++)
{
W1[i] = W[i] ^ W[i + 4];
}
}
/******************************************************************
Function: CF
Description: calculate the CF compress function and update V
Calls:
Called By: SM3_compress
Input: W[64]
W1[64]
V[8]
Output: V[8]
Return: null
Others:
********************************************************************/
void CF(unsigned int W[], unsigned int W1[], unsigned int V[])
{
unsigned int SS1;
unsigned int SS2;
unsigned int TT1;
unsigned int TT2;
unsigned int A, B, C, D, E, F, G, H;
unsigned int T = SM3_T1;
unsigned int FF;
unsigned int GG;
int j;
//reg init,set ABCDEFGH=V0
A = V[0];
B = V[1];
C = V[2];
D = V[3];
E = V[4];
F = V[5];
G = V[6];
H = V[7];
for (j = 0; j <= 63; j++)
{
//SS1
if (j == 0)
{
T = SM3_T1;
}
else if (j == 16)
{
T = SM3_rotl32(SM3_T2, 16);
}
else
{
T = SM3_rotl32(T, 1);
}
SS1 = SM3_rotl32((SM3_rotl32(A, 12) + E + T), 7);
//SS2
SS2 = SS1^SM3_rotl32(A, 12);
//TT1
if (j <= 15)
{
FF = SM3_ff0(A, B, C);
}
else
{
FF = SM3_ff1(A, B, C);
}
TT1 = FF + D + SS2 + *W1;
W1++;
//TT2
if (j <= 15)
{
GG = SM3_gg0(E, F, G);
}
else
{
GG = SM3_gg1(E, F, G);
}
TT2 = GG + H + SS1 + *W;
W++;
//D
D = C;
//C
C = SM3_rotl32(B, 9);
//B
B = A;
//A
A = TT1;
//H
H = G;
//G
G = SM3_rotl32(F, 19);
//F
F = E;
//E
E = SM3_p0(TT2);
}
//update V
V[0] = A^V[0];
V[1] = B^V[1];
V[2] = C^V[2];
V[3] = D^V[3];
V[4] = E^V[4];
V[5] = F^V[5];
V[6] = G^V[6];
V[7] = H^V[7];
}
/******************************************************************************
Function: BigEndian
Description: U32 endian converse.GM/T 0004-2012 requires to use big-endian.
if CPU uses little-endian, BigEndian function is a necessary
call to change the little-endian format into big-endian format.
Calls:
Called By: SM3_compress, SM3_done
Input: src[bytelen]
bytelen
Output: des[bytelen]
Return: null
Others: src and des could implies the same address
*******************************************************************************/
void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[])
{
unsigned char tmp = 0;
unsigned int i = 0;
for (i = 0; i<bytelen / 4; i++)
{
tmp = des[4 * i];
des[4 * i] = src[4 * i + 3];
src[4 * i + 3] = tmp;
tmp = des[4 * i + 1];
des[4 * i + 1] = src[4 * i + 2];
des[4 * i + 2] = tmp;
}
}
/******************************************************************************
Function: SM3_init
Description: initiate SM3 state
Calls:
Called By: SM3_256
Input: SM3_STATE *md
Output: SM3_STATE *md
Return: null
Others:
*******************************************************************************/
void SM3_init(SM3_STATE *md)
{
md->curlen = md->length = 0;
md->state[0] = SM3_IVA;
md->state[1] = SM3_IVB;
md->state[2] = SM3_IVC;
md->state[3] = SM3_IVD;
md->state[4] = SM3_IVE;
md->state[5] = SM3_IVF;
md->state[6] = SM3_IVG;
md->state[7] = SM3_IVH;
}
/******************************************************************************
Function: SM3_compress
Description: compress a single block of message
Calls: BigEndian
BiToW
WToW1
CF
Called By: SM3_256
Input: SM3_STATE *md
Output: SM3_STATE *md
Return: null
Others:
*******************************************************************************/
void SM3_compress(SM3_STATE * md)
{
unsigned int W[68];
unsigned int W1[64];
//if CPU uses little-endian, BigEndian function is a necessary call
BigEndian(md->buf, 64, md->buf);
BiToW((unsigned int *)md->buf, W);
WToW1(W, W1);
CF(W, W1, md->state);
}
/******************************************************************************
Function: SM3_process
Description: compress the first (len/64) blocks of message
Calls: SM3_compress
Called By: SM3_256
Input: SM3_STATE *md
unsigned char buf[len] //the input message
int len //bytelen of message
Output: SM3_STATE *md
Return: null
Others:
*******************************************************************************/
void SM3_process(SM3_STATE * md, unsigned char *buf, int len)
{
while (len--)
{
/* copy byte */
md->buf[md->curlen] = *buf++;
md->curlen++;
/* is 64 bytes full? */
if (md->curlen == 64)
{
SM3_compress(md);
md->length += 512;
md->curlen = 0;
}
}
}
/******************************************************************************
Function: SM3_done
Description: compress the rest message that the SM3_process has left behind
Calls: SM3_compress
Called By: SM3_256
Input: SM3_STATE *md
Output: unsigned char *hash
Return: null
Others:
*******************************************************************************/
void SM3_done(SM3_STATE *md, unsigned char hash[])
{
int i;
unsigned char tmp = 0;
/* increase the bit length of the message */
md->length += md->curlen << 3;
/* append the '1' bit */
md->buf[md->curlen] = 0x80;
md->curlen++;
/* if the length is currently above 56 bytes, appends zeros till
it reaches 64 bytes, compress the current block, creat a new
block by appending zeros and length,and then compress it
*/
if (md->curlen >56)
{
for (; md->curlen < 64;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
SM3_compress(md);
md->curlen = 0;
}
/* if the length is less than 56 bytes, pad upto 56 bytes of zeroes */
for (; md->curlen < 56;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
/* since all messages are under 2^32 bits we mark the top bits zero */
for (i = 56; i < 60; i++)
{
md->buf[i] = 0;
}
/* append length */
md->buf[63] = md->length & 0xff;
md->buf[62] = (md->length >> 8) & 0xff;
md->buf[61] = (md->length >> 16) & 0xff;
md->buf[60] = (md->length >> 24) & 0xff;
SM3_compress(md);
/* copy output */
memcpy(hash, md->state, SM3_len / 8);
BigEndian(hash, SM3_len / 8, hash);//if CPU uses little-endian, BigEndian function is a necessary call
}
/******************************************************************************
Function: SM3_256
Description: calculate a hash value from a given message
Calls: SM3_init
SM3_process
SM3_done
Called By:
Input: unsigned char buf[len] //the input message
int len //bytelen of the message
Output: unsigned char hash[32]
Return: null
Others:
*******************************************************************************/
void SM3_256(unsigned char buf[], int len, unsigned char hash[])
{
SM3_STATE md;
SM3_init(&md);
SM3_process(&md, buf, len);
SM3_done(&md, hash);
}

View File

@@ -1,42 +0,0 @@
#include <string.h>
#define SM3_len 256
#define SM3_T1 0x79CC4519
#define SM3_T2 0x7A879D8A
#define SM3_IVA 0x7380166f
#define SM3_IVB 0x4914b2b9
#define SM3_IVC 0x172442d7
#define SM3_IVD 0xda8a0600
#define SM3_IVE 0xa96f30bc
#define SM3_IVF 0x163138aa
#define SM3_IVG 0xe38dee4d
#define SM3_IVH 0xb0fb0e4e
/* Various logical functions */
#define SM3_p1(x) (x^SM3_rotl32(x,15)^SM3_rotl32(x,23))
#define SM3_p0(x) (x^SM3_rotl32(x,9)^SM3_rotl32(x,17))
#define SM3_ff0(a,b,c) (a^b^c)
#define SM3_ff1(a,b,c) ((a&b)|(a&c)|(b&c))
#define SM3_gg0(e,f,g) (e^f^g)
#define SM3_gg1(e,f,g) ((e&f)|((~e)&g))
#define SM3_rotl32(x,n) ((((unsigned int) x) << n) | (((unsigned int) x) >> (32 - n)))
#define SM3_rotr32(x,n) ((((unsigned int) x) >> n) | (((unsigned int) x) << (32 - n)))
typedef struct {
unsigned int state[8];
unsigned int length;
unsigned int curlen;
unsigned char buf[64];
} SM3_STATE;
void BiToWj(unsigned int Bi[], unsigned int Wj[]);
void WjToWj1(unsigned int Wj[], unsigned int Wj1[]);
void CF(unsigned int Wj[], unsigned int Wj1[], unsigned int V[]);
void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[]);
void SM3_init(SM3_STATE *md);
void SM3_compress(SM3_STATE * md);
void SM3_process(SM3_STATE * md, unsigned char buf[], int len);
void SM3_done(SM3_STATE *md, unsigned char *hash);
void SM3_256(unsigned char buf[], int len, unsigned char hash[]);

View File

@@ -1,9 +0,0 @@
# About SM standard implementation
This is only a standard implementation of the SM.
In the standard implementation, it uses the **MIRACL** library. **MIRACL** (Multiprecision Integer and Rational Arithmetic Crytographic Library) is a C software library. See also [About the MIRACL Crypto SDK](https://libraries.docs.miracl.com/miracl-user-manual/about).
Also, you can download the source code in the Github. Here is a reference link. [Github MIRACL](https://github.com/miracl/MIRACL).
What's more, when you want test it and compile locally, you need add *-lm* option to solve some math functions problems like *ceil* in the code.

View File

@@ -1,406 +0,0 @@
/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_KDF_STANDARD_H
#define HEADER_KDF_STANDARD_H
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
#define SM3_len 256
#define SM3_T1 0x79CC4519
#define SM3_T2 0x7A879D8A
#define SM3_IVA 0x7380166f
#define SM3_IVB 0x4914b2b9
#define SM3_IVC 0x172442d7
#define SM3_IVD 0xda8a0600
#define SM3_IVE 0xa96f30bc
#define SM3_IVF 0x163138aa
#define SM3_IVG 0xe38dee4d
#define SM3_IVH 0xb0fb0e4e
#define SM2_WORDSIZE 8
#define SM2_NUMBITS 256
#define SM2_NUMWORD (SM2_NUMBITS / SM2_WORDSIZE) //32
/* Various logical functions */
#define SM3_p1(x) (x ^ SM3_rotl32(x, 15) ^ SM3_rotl32(x, 23))
#define SM3_p0(x) (x ^ SM3_rotl32(x, 9) ^ SM3_rotl32(x, 17))
#define SM3_ff0(a, b, c) (a ^ b ^ c)
#define SM3_ff1(a, b, c) ((a & b) | (a & c) | (b & c))
#define SM3_gg0(e, f, g) (e ^ f ^ g)
#define SM3_gg1(e, f, g) ((e & f) | ((~e) & g))
#define SM3_rotl32(x, n) (((x) << n) | ((x) >> (32 - n)))
#define SM3_rotr32(x, n) (((x) >> n) | ((x) << (32 - n)))
typedef struct {
unsigned long state[8];
unsigned long length;
unsigned long curlen;
unsigned char buf[64];
} SM3_STATE;
static void BiToW(unsigned long Bi[], unsigned long W[]);
static void WToW1(unsigned long W[], unsigned long W1[]);
static void CF(unsigned long W[], unsigned long W1[], unsigned long V[]);
static void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[]);
static void SM3_init(SM3_STATE *md);
static void SM3_compress(SM3_STATE *md);
static void SM3_process(SM3_STATE *md, unsigned char *buf, int len);
static void SM3_done(SM3_STATE *md, unsigned char hash[]);
static void SM3_256(unsigned char buf[], int len, unsigned char hash[]);
static void SM3_kdf(unsigned char Z[], unsigned short zlen, unsigned short klen, unsigned char K[]);
/* calculate W from Bi */
static void BiToW(unsigned long Bi[], unsigned long W[])
{
int i;
unsigned long tmp;
for(i = 0; i <= 15; i++)
{
W[i] = Bi[i];
}
for(i = 16;i <= 67; i++)
{
tmp = W[i - 16] ^ W[i - 9] ^ SM3_rotl32(W[i - 3], 15);
W[i] = SM3_p1(tmp) ^ (SM3_rotl32(W[i - 13], 7)) ^ W[i - 6];
}
}
/* calculate W1 from W */
static void WToW1(unsigned long W[], unsigned long W1[])
{
int i;
for(i = 0; i <= 63; i++)
{
W1[i] = W[i] ^ W[i + 4];
}
}
/* calculate the CF compress function and update V */
static void CF(unsigned long W[], unsigned long W1[], unsigned long V[])
{
unsigned long SS1;
unsigned long SS2;
unsigned long TT1;
unsigned long TT2;
unsigned long A, B, C, D, E, F, G, H;
unsigned long T = SM3_T1;
unsigned long FF;
unsigned long GG;
int j;
//reg init, set ABCDEFGH = V0
A = V[0];
B = V[1];
C = V[2];
D = V[3];
E = V[4];
F = V[5];
G = V[6];
H = V[7];
for (j = 0; j <= 63; j++)
{
//SS1
if (j == 0)
{
T = SM3_T1;
}
else if (j == 16)
{
T = SM3_rotl32(SM3_T2, 16);
}
else
{
T = SM3_rotl32(T, 1);
}
SS1 = SM3_rotl32((SM3_rotl32(A, 12) + E + T), 7);
//SS2
SS2 = SS1 ^ SM3_rotl32(A, 12);
//TT1
if (j <= 15)
{
FF = SM3_ff0(A, B, C);
}
else
{
FF = SM3_ff1(A, B, C);
}
TT1 = FF + D + SS2 + *W1;
W1++;
//TT2
if (j <= 15)
{
GG = SM3_gg0(E, F, G);
}
else
{
GG = SM3_gg1(E, F, G);
}
TT2 = GG + H + SS1 + *W;
W++;
//D
D = C;
//C
C = SM3_rotl32(B, 9);
//B
B = A;
//A
A = TT1;
//H
H = G;
//G
G = SM3_rotl32(F, 19);
//F
F = E;
//E
E = SM3_p0(TT2);
}
//update V
V[0] = A ^ V[0];
V[1] = B ^ V[1];
V[2] = C ^ V[2];
V[3] = D ^ V[3];
V[4] = E ^ V[4];
V[5] = F ^ V[5];
V[6] = G ^ V[6];
V[7] = H ^ V[7];
}
/* unsigned int endian converse. GM/T 0004-2012 requires to use big-endian.
* if CPu uses little-endian, BigEndian function is a necessary
* call to change the little-endian format into big-endian format.
*/
static void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[])
{
unsigned char tmp = 0;
unsigned long i = 0;
for (i = 0; i < bytelen / 4; i++)
{
tmp = des[4 * i];
des[4 * i] = src[4 * i + 3];
src[4 * i + 3] = tmp;
tmp = des[4 * i + 1];
des[4 * i + 1] = src[4 * i + 2];
des[4 * i + 2] = tmp;
}
}
/* initiate SM3 state */
static void SM3_init(SM3_STATE *md)
{
md->curlen = md->length = 0;
md->state[0] = SM3_IVA;
md->state[1] = SM3_IVB;
md->state[2] = SM3_IVC;
md->state[3] = SM3_IVD;
md->state[4] = SM3_IVE;
md->state[5] = SM3_IVF;
md->state[6] = SM3_IVG;
md->state[7] = SM3_IVH;
}
/* compress a single a block of message */
static void SM3_compress(SM3_STATE *md)
{
unsigned long W[68];
unsigned long W1[64];
//if CPU uses little-endian, BigEndian function is a necessary call
BigEndian(md->buf, 64, md->buf);
BiToW((unsigned long *)md->buf, W);
WToW1(W, W1);
CF(W, W1, md->state);
}
/* compress the first(len/64) blocks of message */
static void SM3_process(SM3_STATE *md, unsigned char *buf, int len)
{
while (len--)
{
/* copy byte */
md->buf[md->curlen] = *buf++;
md->curlen++;
/* is 64 bytes full? */
if (md->curlen == 64)
{
SM3_compress(md);
md->length += 512;
md->curlen = 0;
}
}
}
/* compress the rest message that the SM3_process has left behind */
static void SM3_done(SM3_STATE *md, unsigned char hash[])
{
int i;
unsigned char tmp = 0;
/* increase the bit length of the message */
md->length += md->curlen << 3;
/* append the '1' bit */
md->buf[md->curlen] = 0x80;
md->curlen++;
/* if the length is currently above 56 bytes, appends zeros till
it reaches 64 bytes, compress the current block, creat a new
block by appending zeros and length,and then compress it
*/
if (md->curlen > 56)
{
for (; md->curlen < 64;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
SM3_compress(md);
md->curlen = 0;
}
/* if the length is less than 56 bytes, pad upto 56 bytes of zeroes */
for (; md->curlen < 56;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
/* since all messages are under 2^32 bits we mark the top bits zero */
for (i = 56; i < 60; i++)
{
md->buf[i] = 0;
}
/* append length */
md->buf[63] = md->length & 0xff;
md->buf[62] = (md->length >> 8) & 0xff;
md->buf[61] = (md->length >> 16) & 0xff;
md->buf[60] = (md->length >> 24) & 0xff;
SM3_compress(md);
/* copy output */
memcpy(hash, md->state, SM3_len / 8);
BigEndian(hash, SM3_len / 8, hash); //if CPU uses little-endian, BigEndian function is a necessary call
}
/* calculate a hash value from a given message */
static void SM3_256(unsigned char buf[], int len, unsigned char hash[])
{
SM3_STATE md;
SM3_init(&md);
SM3_process(&md, buf, len);
SM3_done(&md, hash);
}
/* key derivation function */
static void SM3_kdf(unsigned char Z[], unsigned short zlen, unsigned short klen, unsigned char K[])
{
unsigned short i, j, t;
unsigned int bitklen;
SM3_STATE md;
unsigned char Ha[SM2_NUMWORD];
unsigned char ct[4] = {0, 0, 0, 1};
bitklen = klen * 8;
if (bitklen % SM2_NUMBITS)
t = bitklen / SM2_NUMBITS + 1;
else
t = bitklen / SM2_NUMBITS;
//s4: K = Ha1 || Ha2 || ...
for (i = 1; i < t; i++)
{
//s2: Hai = Hv(Z || ct)
SM3_init(&md);
SM3_process(&md, Z, zlen);
SM3_process(&md, ct, 4);
SM3_done(&md, Ha);
memcpy((K + SM2_NUMWORD * (i - 1)), Ha, SM2_NUMWORD);
if (ct[3] == 0xff)
{
ct[3] = 0;
if (ct[2] == 0xff)
{
ct[2] = 0;
if (ct[1] == 0xff)
{
ct[1] = 0;
ct[0]++;
}
else
ct[1]++;
}
else
ct[2]++;
}
else
ct[3]++;
}
//s3
SM3_init(&md);
SM3_process(&md, Z, zlen);
SM3_process(&md, ct, 4);
SM3_done(&md, Ha);
if(bitklen % SM2_NUMBITS)
{
i = (SM2_NUMBITS - bitklen + SM2_NUMBITS * (bitklen / SM2_NUMBITS)) / 8;
j = (bitklen - SM2_NUMBITS * (bitklen / SM2_NUMBITS)) / 8;
memcpy((K + SM2_NUMWORD * (t - 1)), Ha, j);
}
else
{
memcpy((K + SM2_NUMWORD * (t - 1)), Ha, SM2_NUMWORD);
}
}
#ifdef __cplusplus
}
# endif
#endif

View File

@@ -1,517 +0,0 @@
/* ====================================================================
* Copyright (c) 2007 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_R_ATE_H
#define HEADER_R_ATE_H
#include "zzn12_operation.h"
#ifdef __cplusplus
extern "C"{
#endif
static zzn2 zzn2_pow(zzn2 x, big k)
{
int i, j, nb, n, nbw, nzs;
big zero;
zzn2 res, u2, t[16];
zero = mirvar(0);
res.a = mirvar(0);
res.b = mirvar(0);
u2.a = mirvar(0);
u2.b = mirvar(0);
if(zzn2_iszero(&x))
{
zzn2_zero(&res);
return res;
}
if(size(k) == 0)
{
zzn2_from_int(1, &res);
return res;
}
if(size(k) == 1)
return x;
// Prepare table for windowing
zzn2_mul(&x, &x, &u2);
t[0].a = mirvar(0);
t[0].b = mirvar(0);
zzn2_copy(&x, &t[0]);
for(i = 1; i < 16; i++)
{
t[i].a = mirvar(0);
t[i].b = mirvar(0);
zzn2_mul(&t[i - 1], &u2, &t[i]);
}
// Left to right method - with windows
zzn2_copy(&x, &res);
nb = logb2(k);
if(nb > 1)
for(i = nb - 2; i >= 0;)
{
//Note new parameter of window_size=5. Default to 5, but reduce to 4 (or even 3) to save RAM
n = mr_window(k, i, &nbw, &nzs, 5);
for(j = 0; j < nbw; j++)
zzn2_mul(&res, &res, &res);
if(n > 0)
zzn2_mul(&res, &t[n / 2], &res);
i -= nbw;
if(nzs)
{
for(j = 0; j < nzs; j++)
zzn2_mul(&res, &res, &res);
i -= nzs;
}
}
return res;
}
static void set_frobenius_constant(zzn2 *X)
{
big p, zero, one, two;
p = mirvar(0);
zero = mirvar(0);
one = mirvar(0);
two = mirvar(0);
convert(0, zero);
convert(1, one);
convert(2, two);
mip = get_mip();
copy(mip->modulus, p);
switch(get_mip()->pmod8)
{
case 5:
zzn2_from_bigs(zero, one, X);// = (sqrt(-2)^(p-1)/2
break;
case 3:
// = (1+sqrt(-1))^(p-1)/2
zzn2_from_bigs(one, one, X);
break;
case 7:
zzn2_from_bigs(two, one, X);// = (2+sqrt(-1))^(p-1)/2
default:
break;
}
decr(p, 1, p);
subdiv(p, 6, p);
*X = zzn2_pow(*X, p);
}
static void q_power_frobenius(ecn2 A, zzn2 F)
{
// Fast multiplication of A by q (for Trace-Zero group members only)
zzn2 x, y, z, w, r;
x.a = mirvar(0);
x.b = mirvar(0);
y.a = mirvar(0);
y.b = mirvar(0);
z.a = mirvar(0);
z.b = mirvar(0);
w.a = mirvar(0);
w.b = mirvar(0);
r.a = mirvar(0);
r.b = mirvar(0);
ecn2_get(&A, &x, &y, &z);
zzn2_copy(&F, &r);//r=F
if(get_mip()->TWIST == MR_SEXTIC_M)
zzn2_inv(&r); // could be precalculated
zzn2_mul(&r, &r, &w);//w=r*r
zzn2_conj(&x, &x);
zzn2_mul(&w, &x, &x);
zzn2_conj(&y, &y);
zzn2_mul(&w, &r, &w);
zzn2_mul(&w, &y, &y);
zzn2_conj(&z, &z);
ecn2_setxyz(&x, &y, &z, &A);
}
static zzn12 line(ecn2 A, ecn2 *C, ecn2 *B, zzn2 slope, zzn2 extra, BOOL Doubling, big Qx, big Qy)
{
zzn12 res;
zzn2 X, Y, Z, Z2, U, QY, CZ;
big QX;
QX = mirvar(0);
X.a = mirvar(0);
X.b = mirvar(0);
Y.a = mirvar(0);
Y.b = mirvar(0);
Z.a = mirvar(0);
Z.b = mirvar(0);
Z2.a = mirvar(0);
Z2.b = mirvar(0);
U.a = mirvar(0);
U.b = mirvar(0);
QY.a = mirvar(0);
QY.b = mirvar(0);
CZ.a = mirvar(0);
CZ.b = mirvar(0);
zzn12_init(&res);
ecn2_getz(C, &CZ);
// Thanks to A. Menezes for pointing out this optimization...
if(Doubling)
{
ecn2_get(&A, &X, &Y, &Z);
zzn2_mul(&Z, &Z, &Z2); //Z2=Z*Z
//X=slope*X-extra
zzn2_mul(&slope, &X, &X);
zzn2_sub(&X, &extra, &X);
zzn2_mul(&CZ, &Z2, &U);
//(-(Z*Z*slope)*Qx);
nres(Qx, QX);
zzn2_mul(&Z2, &slope, &Y);
zzn2_smul(&Y, QX, &Y);
zzn2_negate(&Y, &Y);
if(get_mip()->TWIST == MR_SEXTIC_M)
{
// "multiplied across" by i to simplify
zzn2_from_big(Qy, &QY);
zzn2_txx(&QY);
zzn2_mul(&U, &QY, &QY);
zzn4_from_zzn2s(&QY, &X, &res.a);
zzn2_copy(&Y, &(res.c.b));
}
if(get_mip()->TWIST == MR_SEXTIC_D)
{
zzn2_smul(&U, Qy, &QY);
zzn4_from_zzn2s(&QY, &X, &res.a);
zzn2_copy(&Y, &(res.b.b));
}
}
else
{
//slope*X-Y*Z
ecn2_getxy(B, &X, &Y);
zzn2_mul(&slope, &X, &X);
zzn2_mul(&Y, &CZ, &Y);
zzn2_sub(&X, &Y, &X);
//(-slope*Qx)
nres(Qx, QX);
zzn2_smul(&slope, QX, &Z);
zzn2_negate(&Z, &Z);
if(get_mip()->TWIST == MR_SEXTIC_M)
{
zzn2_from_big(Qy, &QY);
zzn2_txx(&QY);
zzn2_mul(&CZ, &QY, &QY);
zzn4_from_zzn2s(&QY, &X, &res.a);
zzn2_copy(&Z, &(res.c.b));
}
if(get_mip()->TWIST == MR_SEXTIC_D)
{
zzn2_smul(&CZ, Qy, &QY);
zzn4_from_zzn2s(&QY, &X, &res.a);
zzn2_copy(&Z, &(res.b.b));
}
}
return res;
}
static zzn12 g(ecn2 *A, ecn2 *B, big Qx, big Qy)
{
zzn2 lam, extra;
BOOL Doubling;
ecn2 P;
zzn12 res;
lam.a = mirvar(0);
lam.b = mirvar(0);
extra.a = mirvar(0);
extra.b = mirvar(0);
P.x.a = mirvar(0);
P.x.b = mirvar(0);
P.y.a = mirvar(0);
P.y.b = mirvar(0);
P.z.a = mirvar(0);
P.z.b = mirvar(0);
P.marker = MR_EPOINT_INFINITY;
zzn12_init(&res);
ecn2_copy(A, &P);
Doubling = ecn2_add2(B, A, &lam, &extra);
if(A->marker == MR_EPOINT_INFINITY)
{
zzn4_from_int(1, &res.a);
res.miller = FALSE;
res.unitary = TRUE;
}
else
res = line(P, A, B, lam, extra, Doubling, Qx, Qy);
return res;
}
static BOOL fast_pairing(ecn2 P, big Qx, big Qy, big x, zzn2 X, zzn12 *r)
{
int i, nb;
big n, zero, negify_x;
ecn2 A, KA;
zzn12 t0, x0, x1, x2, x3, x4, x5, res;
zero = mirvar(0);
n = mirvar(0);
negify_x = mirvar(0);
A.x.a = mirvar(0);
A.x.b = mirvar(0);
A.y.a = mirvar(0);
A.y.b = mirvar(0);
A.z.a = mirvar(0);
A.z.b = mirvar(0);
A.marker = MR_EPOINT_INFINITY;
KA.x.a = mirvar(0);
KA.x.b = mirvar(0);
KA.y.a = mirvar(0);
KA.y.b = mirvar(0);
KA.z.a = mirvar(0);
KA.z.b = mirvar(0);
KA.marker = MR_EPOINT_INFINITY;
zzn12_init(&t0);
zzn12_init(&x0);
zzn12_init(&x1);
zzn12_init(&x2);
zzn12_init(&x3);
zzn12_init(&x4);
zzn12_init(&x5);
zzn12_init(&res);
premult(x, 6, n);
incr(n, 2, n);//n=(6*x+2);
if(mr_compare(x, zero) < 0) //x<0
negify(n, n); //n=-(6*x+2);
ecn2_copy(&P, &A);
nb = logb2(n);
zzn4_from_int(1, &res.a);
res.unitary = TRUE; //res=1
// Short Miller loop
res.miller = TRUE;
for(i = nb - 2; i >= 0; i--)
{
zzn12_mul(res, res, &res);
zzn12_mul(res, g(&A, &A, Qx, Qy), &res);
if(mr_testbit(n, i))
zzn12_mul(res, g(&A, &P, Qx, Qy), &res);
}
// Combining ideas due to Longa, Aranha et al. and Naehrig
ecn2_copy(&P, &KA);
q_power_frobenius(KA, X);
if(mr_compare(x, zero) < 0)
{
ecn2_negate(&A, &A);
zzn12_conj(&res, &res);
}
zzn12_mul(res, g(&A, &KA, Qx, Qy), &res);
q_power_frobenius(KA, X);
ecn2_negate(&KA, &KA);
zzn12_mul(res, g(&A, &KA, Qx, Qy), &res);
if(zzn4_iszero(&res.a) && zzn4_iszero(&res.b) && zzn4_iszero(&res.c))
return FALSE;
// The final exponentiation
zzn12_copy(&res, &t0);//t0=r;
zzn12_conj(&res, &res);
zzn12_div(res, t0, &res);
res.miller = FALSE;
res.unitary = FALSE;
zzn12_copy(&res, &t0);//t0=r;
zzn12_powq(X, &res);
zzn12_powq(X, &res);
zzn12_mul(res, t0, &res);// r^[(p^6-1)*(p^2+1)]
res.miller = FALSE;
res.unitary = TRUE;
// Newer new idea...
// See "On the final exponentiation for calculating pairings on ordinary elliptic curves"
// Michael Scott and Naomi Benger and Manuel Charlemagne and Luis J. Dominguez Perez and Ezekiel J. Kachisa
zzn12_copy(&res, &t0);
zzn12_powq(X, &t0);
zzn12_copy(&t0, &x0);
zzn12_powq(X, &x0); //x0=t0
zzn12_mul(res, t0, &x1);
zzn12_mul(x0, x1, &x0);// x0*=(res*t0);
zzn12_powq(X, &x0);
x1 = zzn12_inverse(res);// just a conjugation!
negify(x, negify_x);
x4 = zzn12_pow(res, negify_x);//negify_x=-x x is sparse.
zzn12_copy(&x4, &x3);
zzn12_powq(X, &x3);
x2 = zzn12_pow(x4, negify_x);
x5 = zzn12_inverse(x2);
t0 = zzn12_pow(x2, negify_x);
zzn12_powq(X, &x2);
zzn12_div(x4, x2, &x4);
zzn12_powq(X, &x2);
zzn12_copy(&t0, &res);// res=t0
zzn12_powq(X, &res);
zzn12_mul(t0, res, &t0);
zzn12_mul(t0, t0, &t0);
zzn12_mul(t0, x4, &t0);
zzn12_mul(t0, x5, &t0);//t0*=t0;t0*=x4;t0*=x5;
zzn12_mul(x3, x5, &res);
zzn12_mul(res, t0, &res);//res=x3*x5;res*=t0;
zzn12_mul(t0, x2, &t0);//t0*=x2;
zzn12_mul(res, res, &res);
zzn12_mul(res, t0, &res);
zzn12_mul(res, res, &res);//res*=res; res*=t0;res*=res;
zzn12_mul(res, x1, &t0);// t0=res*x1;
zzn12_mul(res, x0, &res);//res*=x0;
zzn12_mul(t0, t0, &t0);
zzn12_mul(t0, res, &t0);//t0*=t0;t0*=res;
zzn12_copy(&t0, r);//r= t0;
return TRUE;
}
static BOOL ecap(ecn2 P, epoint *Q, big x, zzn2 X, zzn12 *r)
{
BOOL Ok;
big Qx, Qy;
Qx = mirvar(0);
Qy = mirvar(0);
ecn2_norm(&P);
epoint_get(Q, Qx, Qy);
Ok = fast_pairing(P, Qx, Qy, x, X, r);
if(Ok)
return TRUE;
return FALSE;
}
static BOOL member(zzn12 r, big x, zzn2 F)
{
zzn12 w;
big six;
six = mirvar(0);
zzn12_init(&w);
convert(6, six);
zzn12_copy(&r, &w);//w=r
zzn12_powq(F, &w);
r = zzn12_pow(r, x);
r = zzn12_pow(r, x);
r = zzn12_pow(r, six); // t-1=6x^2
if(zzn4_compare(&w.a, &r.a) && zzn4_compare(&w.a, &r.a) && zzn4_compare(&w.a, &r.a))
return TRUE;
return FALSE;
}
#ifdef __cplusplus
}
#endif
#endif

View File

@@ -1,188 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_SM4_STANDARD_H
#define HEADER_SM4_STANDARD_H
#include <stdio.h>
#ifdef __cplusplus
extern "C"{
#endif
//rotate n bits to the left in a 32bit buffer
#define SM4_rotl32(buf, n) (((buf) << n) | ((buf) >> (32 - n)))
static unsigned int SM4_CK[32] = {0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279};
unsigned char SM4_Sbox[256] = {0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48};
static unsigned int SM4_FK[4] = {0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC};
void SM4_keyschedule(unsigned char MK[], unsigned int rk[])
{
unsigned int tmp, buf, K[36];
int i;
for(i = 0; i < 4; i++)
{
K[i] = SM4_FK[i] ^ ((MK[4 * i] << 24) | (MK[4 * i + 1] << 16)
| (MK[4 * i + 2] << 8) | (MK[4 * i + 3]));
}
for(i = 0; i < 32; i++)
{
tmp = K[i + 1] ^ K[i + 2] ^ K[i + 3] ^ SM4_CK[i];
//nonlinear operation
buf = (SM4_Sbox[(tmp >> 24) & 0xFF]) << 24
| (SM4_Sbox[(tmp >> 16) & 0xFF]) << 16
| (SM4_Sbox[(tmp >> 8) & 0xFF]) << 8
| (SM4_Sbox[tmp & 0xFF]);
//linear operation
K[i + 4] = K[i] ^ ((buf) ^ (SM4_rotl32((buf), 13)) ^ (SM4_rotl32((buf), 23)));
rk[i] = K[i + 4];
}
}
void SM4_encrypt(unsigned char MK[], unsigned char PlainText[], unsigned char CipherText[])
{
unsigned int rk[32], X[36], tmp, buf;
int i, j;
SM4_keyschedule(MK, rk);
for(j = 0; j < 4; j++)
{
X[j] = (PlainText[j * 4] << 24) | (PlainText[j * 4 + 1] << 16)
| (PlainText[j * 4 + 2] << 8) | (PlainText[j * 4 + 3]);
}
for(i = 0; i < 32; i++)
{
tmp = X[i + 1] ^ X[i + 2] ^ X[i + 3] ^ rk[i];
//nonlinear operation
buf = (SM4_Sbox[(tmp >> 24) & 0xFF]) << 24
| (SM4_Sbox[(tmp >> 16) & 0xFF]) << 16
| (SM4_Sbox[(tmp >> 8) & 0xFF]) << 8
| (SM4_Sbox[tmp & 0xFF]);
//linear operation
X[i + 4] = X[i] ^ (buf ^ SM4_rotl32((buf), 2) ^ SM4_rotl32((buf), 10)
^ SM4_rotl32((buf), 18) ^ SM4_rotl32((buf), 24));
}
for(j = 0; j < 4; j++)
{
CipherText[4 * j] = (X[35 - j] >> 24) & 0xFF;
CipherText[4 * j + 1] = (X[35 - j] >> 16) & 0xFF;
CipherText[4 * j + 2]= (X[35 - j] >> 8) & 0xFF;
CipherText[4 * j + 3] = (X[35 - j]) & 0xFF;
}
}
void SM4_decrypt(unsigned char MK[], unsigned char CipherText[], unsigned char PlainText[])
{
unsigned int rk[32], X[36], tmp, buf;
int i, j;
SM4_keyschedule(MK, rk);
for(j = 0; j < 4; j++)
{
X[j] = (CipherText[j * 4] << 24) | (CipherText[j * 4 + 1] << 16) |
(CipherText[j * 4 + 2] << 8) | (CipherText[j * 4 + 3]);
}
for(i = 0; i < 32; i++)
{
tmp = X[i + 1] ^ X[i + 2] ^ X[i + 3] ^ rk[31 - i];
//nonlinear operation
buf = (SM4_Sbox[(tmp >> 24) & 0xFF]) << 24
| (SM4_Sbox[(tmp >> 16) & 0xFF]) << 16
| (SM4_Sbox[(tmp >> 8) & 0xFF]) << 8
| (SM4_Sbox[tmp & 0xFF]);
//linear operation
X[i + 4] = X[i] ^ (buf ^ SM4_rotl32((buf), 2) ^ SM4_rotl32((buf), 10)
^ SM4_rotl32((buf), 18) ^ SM4_rotl32((buf), 24));
}
for(j = 0; j < 4; j++)
{
PlainText[4 * j] = (X[35 - j] >> 24) & 0xFF;
PlainText[4 * j + 1] = (X[35 - j] >> 16) & 0xFF;
PlainText[4 * j + 2] = (X[35 - j] >> 8) & 0xFF;
PlainText[4 * j + 3] = (X[35 - j]) & 0xFF;
}
}
#ifdef __cplusplus
}
#endif
#endif

View File

@@ -1,482 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_SM9_STANDARD_H
#define HEADER_SM9_STANDARD_H
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#ifdef __cplusplus
extern "C"{
#endif
#include "miracl.h"
#include "r-ate.h"
#include "kdf_standard.h"
#define BNLEN 32 //BN curve with 256bit is used in SM9 algorithm
#define SM9_ASK_MEMORY_ERR 0x00000001 //ask for memory fail(申请内存失败)
#define SM9_MEMBER_ERR 0x00000002 //the order of group G error(群的阶错误)
#define SM9_MY_ECAP_12A_ERR 0x00000003 //R-ate pairing generated error(R-ate对计算出现错误)
#define SM9_NOT_VALID_G1 0x00000004 //not valid element of G1
#define SM9_G1BASEPOINT_SET_ERR 0x00000005 //base point of G1 seted error(G1基点设置错误)
#define SM9_G2BASEPOINT_SET_ERR 0x00000006 //base point of G2 seted error(G2基点设置错误)
#define SM9_GEPUB_ERR 0x00000007 //pubkey error(生成公钥错误)
#define SM9_GEPRI_ERR 0x00000008 //privare key error(生成私钥错误)
#define SM9_ERR_CMP_S1SB 0x00000009 //S1!=SB
#define SM9_ERR_CMP_S2SA 0x0000000A //S2!=SA
#define SM9_ERR_RA 0x0000000B //RA error
#define SM9_ERR_RB 0x0000000C //RB error
#define SM9_ERR_SA 0x0000000D //SA error
#define SM9_ERR_SB 0x0000000E //SB error
#define SM9_C1_NOT_VALID_G1 0x0000000F //C1不属于群G1
#define SM9_ENCRYPT_ERR 0x00000010 //加密错误
#define SM9_ERR_K1_ZERO 0x00000011 //K1 equals 0(K1全0)
#define SM9_C3_MEMCMP_ERR 0x00000012 //C3对比不一致
#define SM9_DECRYPT_ERR 0x00000013 //解密错误
#define SM9_ERR_Encap_C 0x00000014 //cipher error in key encapsulation
#define SM9_ERR_Encap_K 0x00000015 //key to be encapsulated
#define SM9_ERR_Decap_K 0x00000016 //key generated by decapsulation
#define SM9_H_OUTRANGE 0x00000017 //签名H不属于[1,N-1]
#define SM9_DATA_MEMCMP_ERR 0x00000018 //数据对比不一致
#define SM9_S_NOT_VALID_G1 0x00000019 //S不属于群G1
#define SM9_L_error 0x0000001A //参数L错误
#define SM9_SIGN_ERR 0x0000001B //签名错误
static unsigned char SM9_q[32] = {0xB6, 0x40, 0x00, 0x00, 0x02, 0xA3, 0xA6, 0xF1, 0xD6, 0x03, 0xAB, 0x4F, 0xF5, 0x8E, 0xC7, 0x45,
0x21, 0xF2, 0x93, 0x4B, 0x1A, 0x7A, 0xEE, 0xDB, 0xE5, 0x6F, 0x9B, 0x27, 0xE3, 0x51, 0x45, 0x7D};
static unsigned char SM9_N[32] = {0xB6, 0x40, 0x00, 0x00, 0x02, 0xA3, 0xA6, 0xF1, 0xD6, 0x03, 0xAB, 0x4F, 0xF5, 0x8E, 0xC7, 0x44,
0x49, 0xF2, 0x93, 0x4B, 0x18, 0xEA, 0x8B, 0xEE, 0xE5, 0x6E, 0xE1, 0x9C, 0xD6, 0x9E, 0xCF, 0x25};
static unsigned char SM9_P1x[32] = {0x93, 0xDE, 0x05, 0x1D, 0x62, 0xBF, 0x71, 0x8F, 0xF5, 0xED, 0x07, 0x04, 0x48, 0x7D, 0x01, 0xD6,
0xE1, 0xE4, 0x08, 0x69, 0x09, 0xDC, 0x32, 0x80, 0xE8, 0xC4, 0xE4, 0x81, 0x7C, 0x66, 0xDD, 0xDD};
static unsigned char SM9_P1y[32] = {0x21, 0xFE, 0x8D, 0xDA, 0x4F, 0x21, 0xE6, 0x07, 0x63, 0x10, 0x65, 0x12, 0x5C, 0x39, 0x5B, 0xBC,
0x1C, 0x1C, 0x00, 0xCB, 0xFA, 0x60, 0x24, 0x35, 0x0C, 0x46, 0x4C, 0xD7, 0x0A, 0x3E, 0xA6, 0x16};
static unsigned char SM9_P2[128] = {0x85, 0xAE, 0xF3, 0xD0, 0x78, 0x64, 0x0C, 0x98, 0x59, 0x7B, 0x60, 0x27, 0xB4, 0x41, 0xA0, 0x1F,
0xF1, 0xDD, 0x2C, 0x19, 0x0F, 0x5E, 0x93, 0xC4, 0x54, 0x80, 0x6C, 0x11, 0xD8, 0x80, 0x61, 0x41,
0x37, 0x22, 0x75, 0x52, 0x92, 0x13, 0x0B, 0x08, 0xD2, 0xAA, 0xB9, 0x7F, 0xD3, 0x4E, 0xC1, 0x20,
0xEE, 0x26, 0x59, 0x48, 0xD1, 0x9C, 0x17, 0xAB, 0xF9, 0xB7, 0x21, 0x3B, 0xAF, 0x82, 0xD6, 0x5B,
0x17, 0x50, 0x9B, 0x09, 0x2E, 0x84, 0x5C, 0x12, 0x66, 0xBA, 0x0D, 0x26, 0x2C, 0xBE, 0xE6, 0xED,
0x07, 0x36, 0xA9, 0x6F, 0xA3, 0x47, 0xC8, 0xBD, 0x85, 0x6D, 0xC7, 0x6B, 0x84, 0xEB, 0xEB, 0x96,
0xA7, 0xCF, 0x28, 0xD5, 0x19, 0xBE, 0x3D, 0xA6, 0x5F, 0x31, 0x70, 0x15, 0x3D, 0x27, 0x8F, 0xF2,
0x47, 0xEF, 0xBA, 0x98, 0xA7, 0x1A, 0x08, 0x11, 0x62, 0x15, 0xBB, 0xA5, 0xC9, 0x99, 0xA7, 0xC7};
static unsigned char SM9_t[32] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00,0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x58, 0xF9, 0x8A};
static unsigned char SM9_a[32] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static unsigned char SM9_b[32] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05};
epoint *P1;
ecn2 P2;
big N; //order of group, N(t)
big para_a, para_b, para_t, para_q;
static BOOL bytes128_to_ecn2(unsigned char Ppubs[], ecn2 *res);
static void zzn12_ElementPrint(zzn12 x);
static void ecn2_Bytes128_Print(ecn2 x);
static void LinkCharZzn12(unsigned char *message, int len, zzn12 w, unsigned char *Z, int Zlen);
static int Test_Point(epoint* point);
void SM4_standard_block_encrypt(unsigned char key[], unsigned char * message, int mlen, unsigned char *cipher, int * cipher_len);
void SM4_standard_block_decrypt(unsigned char key[], unsigned char *cipher, int len, unsigned char *plain, int *plain_len);
int SM9_standard_keyex_kdf(unsigned char *IDA, unsigned char *IDB, epoint *RA, epoint *RB, zzn12 g1, zzn12 g2, zzn12 g3, int klen, unsigned char K[]);
int SM9_standard_keyex_hash(unsigned char hashid[], unsigned char *IDA, unsigned char *IDB, epoint *RA, epoint *RB, zzn12 g1, zzn12 g2, zzn12 g3, unsigned char hash[]);
static int SM9_standard_h1(unsigned char Z[], int Zlen, big n, big h1);
int SM9_standard_enc_mac(unsigned char *K, int Klen, unsigned char *M, int Mlen, unsigned char C[]);
static int SM9_standard_init();
static int SM9_standard_generateencryptkey(unsigned char hid[], unsigned char *ID, int IDlen, big ke, unsigned char Ppubs[], unsigned char deB[]);
int SM9_standard_keyex_inita_i(unsigned char hid[], unsigned char *IDB, unsigned char randA[],
unsigned char Ppub[], unsigned char deA[], epoint *RA);
int SM9_standard_keyex_reb_i(unsigned char hid[], unsigned char *IDA, unsigned char *IDB, unsigned char randB[], unsigned char Ppub[], unsigned char deB[], epoint *RA, epoint *RB, unsigned char SB[], zzn12 *g1, zzn12 *g2, zzn12 *g3);
int SM9_standard_keyex_inita_ii(unsigned char *IDA, unsigned char *IDB, unsigned char randA[], unsigned char Ppub[], unsigned char deA[], epoint *RA, epoint *RB, unsigned char SB[], unsigned char SA[]);
int SM9_standard_keyex_reb_ii(unsigned char *IDA, unsigned char *IDB, zzn12 g1, zzn12 g2, zzn12 g3, epoint *RA, epoint *RB, unsigned char SA[]);
int SM9_standard_exch_selfcheck();
int SM9_standard_enc_selfcheck();
int SM9_standard_encrypt(unsigned char hid[], unsigned char *IDB, unsigned char *message, int mlen, unsigned char rand[],
int EncID, int k1_len, int k2_len, unsigned char Ppub[], unsigned char C[], int *C_len);
int SM9_standard_decrypt(unsigned char C[], int C_len, unsigned char deB[], unsigned char *IDB, int EncID,
int k1_len, int k2_len, unsigned char M[], int * Mlen);
int SM9_standard_key_encap(unsigned char hid[], unsigned char *IDB, unsigned char rand[], unsigned char Ppub[], unsigned char C[], unsigned char K[], int Klen);
int SM9_standard_key_decap(unsigned char *IDB, unsigned char deB[], unsigned char C[], int Klen, unsigned char K[]);
int SM9_standard_encap_selfcheck();
static int Test_Range(big x);
int SM9_standard_h2(unsigned char Z[], int Zlen, big n, big h2);
int SM9_standard_generatesignkey(unsigned char hid[], unsigned char *ID, int IDlen, big ks, unsigned char Ppubs[], unsigned char dsa[]);
int SM9_standard_sign(unsigned char hid[], unsigned char *IDA, unsigned char *message, int len, unsigned char rand[], unsigned char dsa[], unsigned char Ppub[], unsigned char H[], unsigned char S[]);
int SM9_standard_verify(unsigned char H[], unsigned char S[], unsigned char hid[], unsigned char *IDA, unsigned char *message, int len, unsigned char Ppub[]);
int SM9_standard_sv_selfcheck();
static BOOL bytes128_to_ecn2(unsigned char Ppubs[], ecn2 *res)
{
zzn2 x, y;
big a, b;
ecn2 r;
r.x.a = mirvar(0);
r.x.b = mirvar(0);
r.y.a = mirvar(0);
r.y.b = mirvar(0);
r.z.a = mirvar(0);
r.z.b = mirvar(0);
r.marker = MR_EPOINT_INFINITY;
x.a = mirvar(0);
x.b = mirvar(0);
y.a = mirvar(0);
y.b = mirvar(0);
a = mirvar(0);
b = mirvar(0);
bytes_to_big(BNLEN, Ppubs, b);
bytes_to_big(BNLEN, Ppubs + BNLEN, a);
zzn2_from_bigs(a, b, &x);
bytes_to_big(BNLEN, Ppubs + BNLEN * 2, b);
bytes_to_big(BNLEN, Ppubs + BNLEN * 3, a);
zzn2_from_bigs(a, b, &y);
return ecn2_set(&x, &y, res);
}
static void ecn2_Bytes128_Print(ecn2 x)
{
big tmp;
tmp = mirvar(0);
redc(x.x.b, tmp);
cotnum(tmp, stdout);
redc(x.x.a, tmp);
cotnum(tmp, stdout);
redc(x.y.b, tmp);
cotnum(tmp, stdout);
redc(x.y.a, tmp);
cotnum(tmp, stdout);
}
static void zzn12_ElementPrint(zzn12 x)
{
big tmp;
tmp = mirvar(0);
redc(x.c.b.b, tmp);
cotnum(tmp, stdout);
redc(x.c.b.a, tmp);
cotnum(tmp, stdout);
redc(x.c.a.b, tmp);
cotnum(tmp, stdout);
redc(x.c.a.a, tmp);
cotnum(tmp,stdout);
redc(x.b.b.b, tmp);
cotnum(tmp, stdout);
redc(x.b.b.a, tmp);
cotnum(tmp, stdout);
redc(x.b.a.b, tmp);
cotnum(tmp, stdout);
redc(x.b.a.a, tmp);
cotnum(tmp, stdout);
redc(x.a.b.b, tmp);
cotnum(tmp, stdout);
redc(x.a.b.a, tmp);
cotnum(tmp, stdout);
redc(x.a.a.b, tmp);
cotnum(tmp, stdout);
redc(x.a.a.a, tmp);
cotnum(tmp, stdout);
}
static void LinkCharZzn12(unsigned char *message, int len, zzn12 w, unsigned char *Z, int Zlen)
{
big tmp;
tmp = mirvar(0);
memcpy(Z, message, len);
redc(w.c.b.b, tmp);
big_to_bytes(BNLEN, tmp, Z + len, 1);
redc(w.c.b.a, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN, 1);
redc(w.c.a.b, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 2, 1);
redc(w.c.a.a, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 3, 1);
redc(w.b.b.b, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 4, 1);
redc(w.b.b.a, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 5, 1);
redc(w.b.a.b, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 6, 1);
redc(w.b.a.a, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 7, 1);
redc(w.a.b.b, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 8, 1);
redc(w.a.b.a, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 9, 1);
redc(w.a.a.b, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 10, 1);
redc(w.a.a.a, tmp);
big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 11, 1);
}
static int Test_Point(epoint* point)
{
big x, y, x_3, tmp;
epoint *buf;
x = mirvar(0);
y = mirvar(0);
x_3 = mirvar(0);
tmp = mirvar(0);
buf = epoint_init();
//test if y^2=x^3+b
epoint_get(point, x, y);
power(x, 3, para_q, x_3); //x_3=x^3 mod p
multiply(x, para_a, x);
divide(x, para_q, tmp);
add(x_3, x, x); //x=x^3+ax+b
add(x, para_b, x);
divide(x, para_q, tmp); //x=x^3+ax+b mod p
power(y, 2, para_q, y); //y=y^2 mod p
if(mr_compare(x, y) != 0)
return 1;
//test infinity
ecurve_mult(N, point, buf);
if(point_at_infinity(buf) == FALSE)
return 1;
return 0;
}
static int SM9_standard_h1(unsigned char Z[], int Zlen, big n, big h1)
{
int hlen, i, ZHlen;
big hh, i256, tmp, n1;
unsigned char *ZH = NULL,*ha = NULL;
hh = mirvar(0);
i256 = mirvar(0);
tmp = mirvar(0);
n1 = mirvar(0);
convert(1, i256);
ZHlen = Zlen + 1;
hlen = (int)ceil((5.0 * logb2(n)) / 32.0);
decr(n, 1, n1);
ZH = (char *)malloc(sizeof(char)*(ZHlen + 1));
if(ZH == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(ZH + 1, Z, Zlen);
ZH[0] = 0x01;
ha = (char *)malloc(sizeof(char)*(hlen + 1));
if(ha == NULL)
return SM9_ASK_MEMORY_ERR;
SM3_kdf(ZH, ZHlen, hlen, ha);
for(i = hlen - 1; i >= 0; i--)//key[从大到小]
{
premult(i256, ha[i], tmp);
add(hh, tmp, hh);
premult(i256, 256, i256);
divide(i256, n1, tmp);
divide(hh, n1, tmp);
}
incr(hh, 1, h1);
free(ZH);
free(ha);
return 0;
}
static int SM9_standard_init()
{
big P1_x, P1_y;
para_q = mirvar(0);
N = mirvar(0);
P1_x = mirvar(0);
P1_y = mirvar(0);
para_a = mirvar(0);
para_b = mirvar(0);
para_t = mirvar(0);
X.a = mirvar(0);
X.b = mirvar(0);
P2.x.a = mirvar(0);
P2.x.b = mirvar(0);
P2.y.a = mirvar(0);
P2.y.b = mirvar(0);
P2.z.a = mirvar(0);
P2.z.b = mirvar(0);
P2.marker = MR_EPOINT_INFINITY;
P1 = epoint_init();
bytes_to_big(BNLEN, SM9_q, para_q);
bytes_to_big(BNLEN, SM9_P1x, P1_x);
bytes_to_big(BNLEN, SM9_P1y, P1_y);
bytes_to_big(BNLEN, SM9_a, para_a);
bytes_to_big(BNLEN, SM9_b, para_b);
bytes_to_big(BNLEN, SM9_N, N);
bytes_to_big(BNLEN, SM9_t, para_t);
mip->TWIST = MR_SEXTIC_M;
ecurve_init(para_a, para_b, para_q, MR_PROJECTIVE); //Initialises GF(q) elliptic curve
//MR_PROJECTIVE specifying projective coordinates
if(!epoint_set(P1_x, P1_y, 0, P1))
return SM9_G1BASEPOINT_SET_ERR;
if(!(bytes128_to_ecn2(SM9_P2, &P2)))
return SM9_G2BASEPOINT_SET_ERR;
set_frobenius_constant(&X);
return 0;
}
static int SM9_standard_generateencryptkey(unsigned char hid[], unsigned char *ID, int IDlen, big ke, unsigned char Ppubs[], unsigned char deB[])
{
big h1, t1, t2, rem, xPpub, yPpub, tmp;
unsigned char *Z = NULL;
int Zlen = IDlen + 1, buf;
ecn2 dEB;
epoint *Ppub;
h1 = mirvar(0);
t1 = mirvar(0);
t2 = mirvar(0);
rem = mirvar(0);
tmp = mirvar(0);
xPpub = mirvar(0);
yPpub = mirvar(0);
Ppub = epoint_init();
dEB.x.a = mirvar(0);
dEB.x.b = mirvar(0);
dEB.y.a = mirvar(0);
dEB.y.b = mirvar(0);
dEB.z.a = mirvar(0);
dEB.z.b = mirvar(0);
dEB.marker = MR_EPOINT_INFINITY;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
memcpy(Z, ID, IDlen);
memcpy(Z + IDlen, hid, 1);
buf = SM9_standard_h1(Z, Zlen, N, h1);
if(buf != 0)
return buf;
add(h1, ke, t1);//t1=H1(IDA||hid,N)+ks
xgcd(t1, N, t1, t1, t1);//t1=t1(-1)
multiply(ke, t1, t2);
divide(t2, N, rem);//t2=ks*t1(-1)
//Ppub=[ke]P2
ecurve_mult(ke, P1, Ppub);
//deB=[t2]P2
ecn2_copy(&P2, &dEB);
ecn2_mul(t2, &dEB);
printf("\n**************The private key deB = (xdeB, ydeB)*********************\n");
ecn2_Bytes128_Print(dEB);
printf("\n**********************PublicKey Ppubs=[ke]P1*************************\n");
epoint_get(Ppub, xPpub, yPpub);
cotnum(xPpub, stdout);
cotnum(yPpub, stdout);
epoint_get(Ppub, xPpub, yPpub);
big_to_bytes(BNLEN, xPpub, Ppubs, 1);
big_to_bytes(BNLEN, yPpub, Ppubs + BNLEN, 1);
redc(dEB.x.b, tmp);
big_to_bytes(BNLEN, tmp, deB, 1);
redc(dEB.x.a, tmp);
big_to_bytes(BNLEN, tmp, deB + BNLEN, 1);
redc(dEB.y.b, tmp);
big_to_bytes(BNLEN, tmp, deB + BNLEN * 2, 1);
redc(dEB.y.a, tmp);
big_to_bytes(BNLEN, tmp, deB + BNLEN * 3, 1);
free(Z);
return 0;
}
static int Test_Range(big x)
{
big one, decr_n;
one = mirvar(0);
decr_n = mirvar(0);
convert(1, one);
decr(N, 1, decr_n);
if((mr_compare(x, one) < 0) | (mr_compare(x, decr_n) > 0))
return 1;
return 0;
}
#ifdef __cplusplus
}
#endif
#endif

View File

@@ -1,477 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "sm9_standard.h"
#include "sm4_standard.h"
#include "miracl.h"
#include "mirdef.h"
void SM4_standard_block_encrypt(unsigned char key[], unsigned char * message, int mlen, unsigned char *cipher, int * cipher_len)
{
unsigned char mess[16];
int i, rem = mlen % 16;
for(i = 0; i < mlen / 16; i++)
SM4_encrypt(key, &message[i * 16], &cipher[i * 16]);
//encrypt the last block
memset(mess, 16 - rem, 16);
if(rem)
memcpy(mess, &message[i * 16], rem);
SM4_encrypt(key, mess, &cipher[i*16]);
}
void SM4_standard_block_decrypt(unsigned char key[], unsigned char *cipher, int len, unsigned char *plain, int *plain_len)
{
int i;
for(i = 0; i < len / 16; i++)
SM4_decrypt(key, cipher + i * 16, plain + i * 16);
*plain_len = len - plain[len - 1];
}
int SM9_standard_enc_mac(unsigned char *K, int Klen, unsigned char *M, int Mlen, unsigned char C[])
{
unsigned char *Z = NULL;
int len = Klen + Mlen;
Z = (char *)malloc(sizeof(char)*(len + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z, M, Mlen);
memcpy(Z + Mlen, K, Klen);
SM3_256(Z, len, C);
free(Z);
return 0;
}
int SM9_standard_encrypt(unsigned char hid[], unsigned char *IDB, unsigned char *message, int mlen, unsigned char rand[],
int EncID, int k1_len, int k2_len, unsigned char Ppub[], unsigned char C[], int *C_len)
{
big h, x, y, r;
zzn12 g, w;
epoint *Ppube, *QB, *C1;
unsigned char *Z = NULL, *K = NULL, *C2 = NULL, C3[SM3_len / 8];
int i = 0, j = 0, Zlen, buf, klen, C2_len;
//initiate
h = mirvar(0);
r = mirvar(0);
x = mirvar(0);
y = mirvar(0);
QB = epoint_init();
Ppube = epoint_init();
C1 = epoint_init();
zzn12_init(&g);
zzn12_init(&w);
bytes_to_big(BNLEN, Ppub, x);
bytes_to_big(BNLEN, Ppub + BNLEN, y);
epoint_set(x, y, 0, Ppube);
//Step1:calculate QB=[H1(IDB||hid,N)]P1+Ppube
Zlen = strlen(IDB) + 1;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z, IDB, strlen(IDB));
memcpy(Z + strlen(IDB), hid, 1);
buf = SM9_standard_h1(Z, Zlen, N, h);
if(buf)
return buf;
ecurve_mult(h, P1, QB);
ecurve_add(Ppube, QB);
printf("\n*******************QB:=[H1(IDB||hid,N)]P1+Ppube*****************\n");
epoint_get(QB, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
//Step2:randnom
bytes_to_big(BNLEN, rand, r);
printf("\n***********************randnum r:********************************\n");
cotnum(r, stdout);
//Step3:C1=[r]QB
ecurve_mult(r, QB, C1);
printf("\n*************************:C1=[r]QB*******************************\n");
epoint_get(C1, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
big_to_bytes(BNLEN, x, C, 1);
big_to_bytes(BNLEN, y, C + BNLEN, 1);
//Step4:g = e(P2, Ppub-e)
if(!ecap(P2, Ppube, para_t, X, &g))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(g, para_t, X))
return SM9_MEMBER_ERR;
printf("\n***********************g=e(P2,Ppube):****************************\n");
zzn12_ElementPrint(g);
//Step5:calculate w=g^r
w = zzn12_pow(g, r);
printf("\n***************************w=g^r:**********************************\n");
zzn12_ElementPrint(w);
free(Z);
//Step6:calculate C2
if(EncID == 0)
{
C2_len = mlen;
*C_len = BNLEN * 2 + SM3_len / 8 + C2_len;
//Step:6-1: calculate K=KDF(C1||w||IDB,klen)
klen = mlen + k2_len;
Zlen = strlen(IDB) + BNLEN * 14;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
K = (char *)malloc(sizeof(char)*(klen + 1));
C2 = (char *)malloc(sizeof(char)*(mlen + 1));
if(Z == NULL || K == NULL || C2 == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12( C, BNLEN * 2, w, Z, (Zlen - strlen(IDB)));
memcpy(Z + BNLEN * 14, IDB, strlen(IDB));
SM3_kdf(Z, Zlen, klen, K);
printf("\n*****************K=KDF(C1||w||IDB,klen):***********************\n");
for(i = 0; i < klen; i++)
printf("%02x", K[i]);
//Step:6-2: calculate C2=M^K1,and test if K1==0?
for(i = 0; i < mlen; i++)
{
if(K[i] == 0)
j = j + 1;
C2[i] = message[i] ^ K[i];
}
if(j == mlen)
return SM9_ERR_K1_ZERO;
printf("\n************************* C2=M^K1 :***************************\n");
for(i = 0; i < C2_len; i++)
printf("%02x", C2[i]);
//Step7:calculate C3=MAC(K2,C2)
SM9_standard_enc_mac(K + mlen, k2_len, C2, mlen, C3);
printf("\n********************** C3=MAC(K2,C2):*************************\n");
for(i = 0; i < 32; i++)
printf("%02x", C3[i]);
memcpy(C + BNLEN * 2, C3, SM3_len / 8);
memcpy(C + BNLEN * 2 + SM3_len / 8, C2, C2_len);
free(Z);
free(K);
free(C2);
}
else
{
C2_len = (mlen / 16 + 1) * 16;
*C_len = BNLEN * 2 + SM3_len / 8 + C2_len;
//Step:6-1: calculate K=KDF(C1||w||IDB,klen)
klen = k1_len + k2_len;
Zlen = strlen(IDB) + BNLEN * 14;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
K = (char *)malloc(sizeof(char)*(klen + 1));
C2 = (char *)malloc(sizeof(char)*(C2_len + 1));
if(Z == NULL || K == NULL || C2 == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(C, BNLEN * 2, w, Z, Zlen - strlen(IDB));
memcpy(Z + BNLEN * 14, IDB, strlen(IDB));
SM3_kdf(Z, Zlen, klen, K);
printf("\n*****************K=KDF(C1||w||IDB,klen):***********************\n");
for(i = 0; i < klen; i++)
printf("%02x", K[i]);
//Step:6-2: calculate C2=Enc(K1,M),and also test if K1==0?
for(i = 0; i < k1_len; i++)
{
if(K[i] == 0)
j = j + 1;
}
if(j == k1_len)
return SM9_ERR_K1_ZERO;
SM4_standard_block_encrypt(K, message, mlen, C2, &C2_len);
printf("\n*********************** C2=Enc(K1,M) :*************************\n");
for(i = 0; i < C2_len; i++)
printf("%02x", C2[i]);
//Step7:calculate C3=MAC(K2,C2)
SM9_standard_enc_mac(K + k1_len, k2_len, C2, C2_len, C3);
printf("\n********************** C3=MAC(K2,C2):*************************\n");
for(i = 0; i < 32; i++)
printf("%02x", C3[i]);
memcpy(C + BNLEN * 2, C3, SM3_len / 8);
memcpy(C + BNLEN * 2 + SM3_len / 8, C2, C2_len);
free(Z);
free(K);
free(C2);
}
return 0;
}
int SM9_standard_decrypt (unsigned char C[], int C_len, unsigned char deB[], unsigned char *IDB, int EncID,
int k1_len, int k2_len, unsigned char M[], int * Mlen)
{
big x, y;
epoint *C1;
zzn12 w;
ecn2 dEB;
int mlen, klen, Zlen, i, number = 0;
unsigned char *Z = NULL, *K = NULL, *K1 = NULL, u[SM3_len / 8];
x = mirvar(0);
y = mirvar(0);
dEB.x.a = mirvar(0);
dEB.x.b = mirvar(0);
dEB.y.a = mirvar(0);
dEB.y.b = mirvar(0);
dEB.z.a = mirvar(0);
dEB.z.b = mirvar(0);
dEB.marker = MR_EPOINT_INFINITY;
C1 = epoint_init();
zzn12_init(&w);
bytes_to_big(BNLEN, C, x);
bytes_to_big(BNLEN, C + BNLEN, y);
bytes128_to_ecn2(deB, &dEB);
//Step1:get C1,and test if C1 is on G1
epoint_set(x, y, 1, C1);
if(Test_Point(C1))
return SM9_C1_NOT_VALID_G1;
//Step2:w = e(C1, deB)
if(!ecap(dEB, C1, para_t, X, &w))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(w, para_t, X)) return
SM9_MEMBER_ERR;
printf("\n*********************** w = e(C1, deB):****************************\n");
zzn12_ElementPrint(w);
//Step3:Calculate plaintext
mlen = C_len - BNLEN * 2 - SM3_len / 8;
if(EncID == 0)
{
//Step3-1:calculate K=KDF(C1||w||IDB,klen)
klen = mlen + k2_len;
Zlen = strlen(IDB) + BNLEN * 14;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
K = (char *)malloc(sizeof(char)*(klen + 1));
if(Z == NULL || K == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(C, BNLEN * 2, w, Z, Zlen - strlen(IDB));
memcpy(Z + BNLEN * 14, IDB, strlen(IDB));
SM3_kdf(Z, Zlen, klen, K);
printf("\n*****************K=KDF(C1||w||IDB,klen):***********************\n");
for(i = 0; i < klen; i++)
printf("%02x", K[i]);
//Step:3-2: calculate M=C2^K1,and test if K1==0?
for(i = 0; i < mlen; i++)
{
if(K[i] == 0)
number += 1;
M[i] = C[i + C_len - mlen] ^ K[i];
}
if(number == mlen)
return SM9_ERR_K1_ZERO;
*Mlen = mlen;
//Step4:calculate u=MAC(K2,C2)
SM9_standard_enc_mac(K + mlen, k2_len, &C[C_len - mlen], mlen, u);
if(memcmp(u, &C[BNLEN * 2], SM3_len / 8))
return SM9_C3_MEMCMP_ERR;
printf("\n****************************** M:******************************\n");
for(i = 0; i < mlen; i++)
printf("%02x", M[i]);
free(Z);
free(K);
}
else
{
//Step:3-1: calculate K=KDF(C1||w||IDB,klen)
klen = k1_len + k2_len;
Zlen = strlen(IDB) + BNLEN * 14;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
K = (char *)malloc(sizeof(char)*(klen + 1));
K1 = (char *)malloc(sizeof(char)*(k1_len + 1));
if(Z == NULL || K == NULL || K1 == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(C, BNLEN * 2, w, Z, Zlen - strlen(IDB));
memcpy(Z + BNLEN * 14, IDB, strlen(IDB));
SM3_kdf(Z, Zlen, klen, K);
printf("\n*****************K=KDF(C1||w||IDB,klen):***********************\n");
for(i = 0; i < klen; i++)
printf("%02x", K[i]);
//Step:3-2: calculate M=dec(K1,C2),and test if K1==0?
for(i = 0; i < k1_len; i++)
{
if(K[i] == 0)
number += 1;
K1[i] = K[i];
}
if(number == k1_len)
return SM9_ERR_K1_ZERO;
SM4_standard_block_decrypt(K1, &C[C_len - mlen], mlen, M, Mlen);
//Step4:calculate u=MAC(K2,C2)
SM9_standard_enc_mac(K + k1_len, k2_len, &C[C_len - mlen], mlen, u);
if(memcmp(u, &C[BNLEN * 2], SM3_len / 8))
return SM9_C3_MEMCMP_ERR;
free(Z);
free(K);
free(K1);
}
return 0;
}
int SM9_standard_enc_selfcheck()
{
//the master private key
unsigned char KE[32] = {0x00, 0x01, 0xED, 0xEE, 0x37, 0x78, 0xF4, 0x41, 0xF8, 0xDE, 0xA3, 0xD9, 0xFA, 0x0A, 0xCC, 0x4E,
0x07, 0xEE, 0x36, 0xC9, 0x3F, 0x9A, 0x08, 0x61, 0x8A, 0xF4, 0xAD, 0x85, 0xCE, 0xDE, 0x1C, 0x22};
unsigned char rand[32] = {0x00, 0x00, 0xAA, 0xC0, 0x54, 0x17, 0x79, 0xC8, 0xFC, 0x45, 0xE3, 0xE2, 0xCB, 0x25, 0xC1, 0x2B,
0x5D, 0x25, 0x76, 0xB2, 0x12, 0x9A, 0xE8, 0xBB, 0x5E, 0xE2, 0xCB, 0xE5, 0xEC, 0x9E, 0x78, 0x5C};
//standard datas
unsigned char std_Ppub[64] = {0x78, 0x7E, 0xD7, 0xB8, 0xA5, 0x1F, 0x3A, 0xB8, 0x4E, 0x0A, 0x66, 0x00, 0x3F, 0x32, 0xDA, 0x5C,
0x72, 0x0B, 0x17, 0xEC, 0xA7, 0x13, 0x7D, 0x39, 0xAB, 0xC6, 0x6E, 0x3C, 0x80, 0xA8, 0x92, 0xFF,
0x76, 0x9D, 0xE6, 0x17, 0x91, 0xE5, 0xAD, 0xC4, 0xB9, 0xFF, 0x85, 0xA3, 0x13, 0x54, 0x90, 0x0B,
0x20, 0x28, 0x71, 0x27, 0x9A, 0x8C, 0x49, 0xDC, 0x3F, 0x22, 0x0F, 0x64, 0x4C, 0x57, 0xA7, 0xB1};
unsigned char std_deB[128] = {0x94, 0x73, 0x6A, 0xCD, 0x2C, 0x8C, 0x87, 0x96, 0xCC, 0x47, 0x85, 0xE9, 0x38, 0x30, 0x1A, 0x13,
0x9A, 0x05, 0x9D, 0x35, 0x37, 0xB6, 0x41, 0x41, 0x40, 0xB2, 0xD3, 0x1E, 0xEC, 0xF4, 0x16, 0x83,
0x11, 0x5B, 0xAE, 0x85, 0xF5, 0xD8, 0xBC, 0x6C, 0x3D, 0xBD, 0x9E, 0x53, 0x42, 0x97, 0x9A, 0xCC,
0xCF, 0x3C, 0x2F, 0x4F, 0x28, 0x42, 0x0B, 0x1C, 0xB4, 0xF8, 0xC0, 0xB5, 0x9A, 0x19, 0xB1, 0x58,
0x7A, 0xA5, 0xE4, 0x75, 0x70, 0xDA, 0x76, 0x00, 0xCD, 0x76, 0x0A, 0x0C, 0xF7, 0xBE, 0xAF, 0x71,
0xC4, 0x47, 0xF3, 0x84, 0x47, 0x53, 0xFE, 0x74, 0xFA, 0x7B, 0xA9, 0x2C, 0xA7, 0xD3, 0xB5, 0x5F,
0x27, 0x53, 0x8A, 0x62, 0xE7, 0xF7, 0xBF, 0xB5, 0x1D, 0xCE, 0x08, 0x70, 0x47, 0x96, 0xD9, 0x4C,
0x9D, 0x56, 0x73, 0x4F, 0x11, 0x9E, 0xA4, 0x47, 0x32, 0xB5, 0x0E, 0x31, 0xCD, 0xEB, 0x75, 0xC1};
unsigned char std_C_stream[116] = {0x24, 0x45, 0x47, 0x11, 0x64, 0x49, 0x06, 0x18, 0xE1, 0xEE, 0x20, 0x52, 0x8F, 0xF1, 0xD5, 0x45,
0xB0, 0xF1, 0x4C, 0x8B, 0xCA, 0xA4, 0x45, 0x44, 0xF0, 0x3D, 0xAB, 0x5D, 0xAC, 0x07, 0xD8, 0xFF,
0x42, 0xFF, 0xCA, 0x97, 0xD5, 0x7C, 0xDD, 0xC0, 0x5E, 0xA4, 0x05, 0xF2, 0xE5, 0x86, 0xFE, 0xB3,
0xA6, 0x93, 0x07, 0x15, 0x53, 0x2B, 0x80, 0x00, 0x75, 0x9F, 0x13, 0x05, 0x9E, 0xD5, 0x9A, 0xC0,
0xBA, 0x67, 0x23, 0x87, 0xBC, 0xD6, 0xDE, 0x50, 0x16, 0xA1, 0x58, 0xA5, 0x2B, 0xB2, 0xE7, 0xFC,
0x42, 0x91, 0x97, 0xBC, 0xAB, 0x70, 0xB2, 0x5A, 0xFE, 0xE3, 0x7A, 0x2B, 0x9D, 0xB9, 0xF3, 0x67,
0x1B, 0x5F, 0x5B, 0x0E, 0x95, 0x14, 0x89, 0x68, 0x2F, 0x3E, 0x64, 0xE1, 0x37, 0x8C, 0xDD, 0x5D,
0xA9, 0x51, 0x3B, 0x1C};
unsigned char std_C_cipher[128] = {0x24, 0x45, 0x47, 0x11, 0x64, 0x49, 0x06, 0x18, 0xE1, 0xEE, 0x20, 0x52, 0x8F, 0xF1, 0xD5, 0x45,
0xB0, 0xF1, 0x4C, 0x8B, 0xCA, 0xA4, 0x45, 0x44, 0xF0, 0x3D, 0xAB, 0x5D, 0xAC, 0x07, 0xD8, 0xFF,
0x42, 0xFF, 0xCA, 0x97, 0xD5, 0x7C, 0xDD, 0xC0, 0x5E, 0xA4, 0x05, 0xF2, 0xE5, 0x86, 0xFE, 0xB3,
0xA6, 0x93, 0x07, 0x15, 0x53, 0x2B, 0x80, 0x00, 0x75, 0x9F, 0x13, 0x05, 0x9E, 0xD5, 0x9A, 0xC0,
0xFD, 0x3C, 0x98, 0xDD, 0x92, 0xC4, 0x4C, 0x68, 0x33, 0x26, 0x75, 0xA3, 0x70, 0xCC, 0xEE, 0xDE,
0x31, 0xE0, 0xC5, 0xCD, 0x20, 0x9C, 0x25, 0x76, 0x01, 0x14, 0x9D, 0x12, 0xB3, 0x94, 0xA2, 0xBE,
0xE0, 0x5B, 0x6F, 0xAC, 0x6F, 0x11, 0xB9, 0x65, 0x26, 0x8C, 0x99, 0x4F, 0x00, 0xDB, 0xA7, 0xA8,
0xBB, 0x00, 0xFD, 0x60, 0x58, 0x35, 0x46, 0xCB, 0xDF, 0x46, 0x49, 0x25, 0x08, 0x63, 0xF1, 0x0A};
unsigned char *std_message = "Chinese IBE standard";
unsigned char hid[] = {0x03};
unsigned char *IDB = "Bob";
unsigned char Ppub[64], deB[128];
unsigned char message[1000], C[1000];
int M_len, C_len;//M_len the length of message //C_len the length of C
int k1_len = 16, k2_len = 32;
int EncID = 0;//0,stream //1 block
int tmp, i;
big ke;
tmp = SM9_standard_init();
if(tmp != 0)
return tmp;
ke = mirvar(0);
bytes_to_big(32, KE, ke);
printf("\n*********************** SM9 key Generation ***************************\n");
tmp = SM9_standard_generateencryptkey(hid, IDB, strlen(IDB), ke, Ppub, deB);
if(tmp != 0)
return tmp;
if(memcmp(Ppub, std_Ppub, 64) != 0)
return SM9_GEPUB_ERR;
if(memcmp(deB, std_deB, 128) !=0)
return SM9_GEPRI_ERR;
printf("\n*********************** SM9 encrypt algorithm **************************\n");
tmp = SM9_standard_encrypt(hid, IDB, std_message, strlen(std_message), rand, EncID, k1_len, k2_len, Ppub, C, &C_len);
if(tmp != 0)
return tmp;
printf("\n******************************Cipher:************************************\n");
for(i = 0; i < C_len; i++)
printf("%02x", C[i]);
if(EncID == 0)
tmp = memcmp(C, std_C_stream, C_len);
else
tmp = memcmp(C, std_C_cipher, C_len);
if(tmp)
return SM9_ENCRYPT_ERR;
printf("\n********************** SM9 Decrypt algorithm **************************\n");
tmp = SM9_standard_decrypt(std_C_cipher, 128, deB, IDB, 2, k1_len, k2_len, message, &M_len);
printf("\n**************************** Message:***********************************\n");
for(i = 0; i < M_len; i++)
printf("%02x", message[i]);
if(tmp != 0)
return tmp;
if(memcmp(message, std_message, M_len) != 0)
return SM9_DECRYPT_ERR;
return 0;
}

View File

@@ -1,307 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "sm9_standard.h"
#include "miracl.h"
#include "mirdef.h"
int SM9_standard_key_encap(unsigned char hid[], unsigned char *IDB, unsigned char rand[],
unsigned char Ppub[], unsigned char C[], unsigned char K[], int Klen)
{
big h, x, y, r;
epoint *Ppube, *QB, *Cipher;
unsigned char *Z = NULL;
int Zlen, buf, i, num = 0;
zzn12 g, w;
//initiate
h = mirvar(0);
r = mirvar(0);
x = mirvar(0);
y = mirvar(0);
QB = epoint_init();
Ppube = epoint_init();
Cipher = epoint_init();
zzn12_init(&g);
zzn12_init(&w);
bytes_to_big(BNLEN, Ppub, x);
bytes_to_big(BNLEN, Ppub + BNLEN, y);
epoint_set(x, y, 0, Ppube);
//----------Step1:calculate QB=[H1(IDB||hid,N)]P1+Ppube----------
Zlen = strlen(IDB) + 1;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z, IDB, strlen(IDB));
memcpy(Z + strlen(IDB), hid, 1);
buf = SM9_standard_h1(Z, Zlen, N, h);
free(Z);
if(buf)
return buf;
printf("\n************************ H1(IDB||hid,N) ************************\n");
cotnum(h, stdout);
ecurve_mult(h, P1, QB);
ecurve_add(Ppube, QB);
printf("\n*******************QB:=[H1(IDB||hid,N)]P1+Ppube*****************\n");
epoint_get(QB, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
//-------------------- Step2:randnom -------------------
bytes_to_big(BNLEN, rand, r);
printf("\n***********************randnum r: ******************************\n");
cotnum(r, stdout);
//----------------Step3:C=[r]QB------------------------
ecurve_mult(r, QB, Cipher);
epoint_get(Cipher, x, y);
printf("\n*********************** C=[r]QB: ******************************\n");
cotnum(x, stdout);
cotnum(y, stdout);
big_to_bytes(BNLEN, x, C, 1);
big_to_bytes(BNLEN, y, C + BNLEN, 1);
//----------------Step4:g=e(Ppube,P2)------------------------
if(!ecap(P2, Ppube, para_t, X, &g))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(g, para_t, X))
return SM9_MEMBER_ERR;
printf("\n***********************g=e(Ppube,P2):****************************\n");
zzn12_ElementPrint(g);
//----------------Step5:w=g^r------------------------
w = zzn12_pow(g, r);
printf("\n************************* w=g^r:*********************************\n");
zzn12_ElementPrint(w);
//----------------Step6:K=KDF(C||w||IDB,klen)------------------------
Zlen = strlen(IDB) + BNLEN * 14;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(C, BNLEN * 2, w, Z, BNLEN * 14);
memcpy(Z + BNLEN * 14, IDB, strlen(IDB));
SM3_kdf(Z, Zlen, Klen, K);
free(Z);
//----------------test if K equals 0------------------------
printf("\n******************* K=KDF(C||w||IDB,klen):***********************\n");
for(i = 0; i < Klen; i++)
{
if(K[i] == 0)
num += 1;
printf("%02x", K[i]);
}
if(num == Klen)
return SM9_ERR_K1_ZERO;
return 0;
}
int SM9_standard_key_decap(unsigned char *IDB, unsigned char deB[], unsigned char C[], int Klen, unsigned char K[])
{
big h, x, y;
epoint *Cipher;
unsigned char *Z = NULL;
int Zlen, i, num = 0;
zzn12 w;
ecn2 dEB;
//initiate
h = mirvar(0);
x = mirvar(0);
y = mirvar(0);
Cipher = epoint_init();
zzn12_init(&w);
dEB.x.a = mirvar(0);
dEB.x.b = mirvar(0);
dEB.y.a = mirvar(0);
dEB.y.b = mirvar(0);
dEB.z.a = mirvar(0);
dEB.z.b = mirvar(0);
dEB.marker = MR_EPOINT_INFINITY;
bytes_to_big(BNLEN, C, x);
bytes_to_big(BNLEN, C + BNLEN, y);
epoint_set(x, y, 0, Cipher);
bytes128_to_ecn2(deB, &dEB);
//----------Step1:test if C is on G1-----------------
if(Test_Point(Cipher))
return SM9_NOT_VALID_G1;
//----------Step2:calculate w=e(C,deB)-----------------
if(!ecap(dEB, Cipher, para_t, X, &w))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(w, para_t, X))
return SM9_MEMBER_ERR;
printf("\n***********************w=e(C,deB):****************************\n");
zzn12_ElementPrint(w);
//----------Step3:K=KDF(C||w'||IDB,klen)------------------------
Zlen = strlen(IDB) + BNLEN * 14;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(C, BNLEN * 2, w, Z, BNLEN * 14);
memcpy(Z + BNLEN * 14, IDB, strlen(IDB));
SM3_kdf(Z, Zlen, Klen, K);
//----------------test if K equals 0------------------------
printf("\n******************* K=KDF(C||w||IDB,klen):***********************\n");
for(i = 0; i < Klen; i++)
{
if(K[i] == 0)
num += 1;
printf("%02x", K[i]);
}
if(num == Klen)
return SM9_ERR_K1_ZERO;
free(Z);
return 0;
}
int SM9_standard_encap_selfcheck()
{
//the master private key
unsigned char KE[32] = {0x00, 0x01, 0xED, 0xEE, 0x37, 0x78, 0xF4, 0x41, 0xF8, 0xDE, 0xA3, 0xD9, 0xFA, 0x0A, 0xCC, 0x4E,
0x07, 0xEE, 0x36, 0xC9, 0x3F, 0x9A, 0x08, 0x61, 0x8A, 0xF4, 0xAD, 0x85, 0xCE, 0xDE, 0x1C, 0x22};
unsigned char rand[32] = {0x00, 0x00, 0x74, 0x01, 0x5F, 0x84, 0x89, 0xC0, 0x1E, 0xF4, 0x27, 0x04, 0x56, 0xF9, 0xE6, 0x47,
0x5B, 0xFB, 0x60, 0x2B, 0xDE, 0x7F, 0x33, 0xFD, 0x48, 0x2A, 0xB4, 0xE3, 0x68, 0x4A, 0x67, 0x22};
//standard datas
unsigned char std_Ppub[64] = {0x78, 0x7E, 0xD7, 0xB8, 0xA5, 0x1F, 0x3A, 0xB8, 0x4E, 0x0A, 0x66, 0x00, 0x3F, 0x32, 0xDA, 0x5C,
0x72, 0x0B, 0x17, 0xEC, 0xA7, 0x13, 0x7D, 0x39, 0xAB, 0xC6, 0x6E, 0x3C, 0x80, 0xA8, 0x92, 0xFF,
0x76, 0x9D, 0xE6, 0x17, 0x91, 0xE5, 0xAD, 0xC4, 0xB9, 0xFF, 0x85, 0xA3, 0x13, 0x54, 0x90, 0x0B,
0x20, 0x28, 0x71, 0x27, 0x9A, 0x8C, 0x49, 0xDC, 0x3F, 0x22, 0x0F, 0x64, 0x4C, 0x57, 0xA7, 0xB1};
unsigned char std_deB[128] = {0x94, 0x73, 0x6A, 0xCD, 0x2C, 0x8C, 0x87, 0x96, 0xCC, 0x47, 0x85, 0xE9, 0x38, 0x30, 0x1A, 0x13,
0x9A, 0x05, 0x9D, 0x35, 0x37, 0xB6, 0x41, 0x41, 0x40, 0xB2, 0xD3, 0x1E, 0xEC, 0xF4, 0x16, 0x83,
0x11, 0x5B, 0xAE, 0x85, 0xF5, 0xD8, 0xBC, 0x6C, 0x3D, 0xBD, 0x9E, 0x53, 0x42, 0x97, 0x9A, 0xCC,
0xCF, 0x3C, 0x2F, 0x4F, 0x28, 0x42, 0x0B, 0x1C, 0xB4, 0xF8, 0xC0, 0xB5, 0x9A, 0x19, 0xB1, 0x58,
0x7A, 0xA5, 0xE4, 0x75, 0x70, 0xDA, 0x76, 0x00, 0xCD, 0x76, 0x0A, 0x0C, 0xF7, 0xBE, 0xAF, 0x71,
0xC4, 0x47, 0xF3, 0x84, 0x47, 0x53, 0xFE, 0x74, 0xFA, 0x7B, 0xA9, 0x2C, 0xA7, 0xD3, 0xB5, 0x5F,
0x27, 0x53, 0x8A, 0x62, 0xE7, 0xF7, 0xBF, 0xB5, 0x1D, 0xCE, 0x08, 0x70, 0x47, 0x96, 0xD9, 0x4C,
0x9D, 0x56, 0x73, 0x4F, 0x11, 0x9E, 0xA4, 0x47, 0x32, 0xB5, 0x0E, 0x31, 0xCD, 0xEB, 0x75, 0xC1};
unsigned char std_K[64] = {0x4F, 0xF5, 0xCF, 0x86, 0xD2, 0xAD, 0x40, 0xC8, 0xF4, 0xBA, 0xC9, 0x8D, 0x76, 0xAB, 0xDB, 0xDE,
0x0C, 0x0E, 0x2F, 0x0A, 0x82, 0x9D, 0x3F, 0x91, 0x1E, 0xF5, 0xB2, 0xBC, 0xE0, 0x69, 0x54, 0x80};
unsigned char std_C[64] = {0x1E, 0xDE, 0xE2, 0xC3, 0xF4, 0x65, 0x91, 0x44, 0x91, 0xDE, 0x44, 0xCE, 0xFB, 0x2C, 0xB4, 0x34,
0xAB, 0x02, 0xC3, 0x08, 0xD9, 0xDC, 0x5E, 0x20, 0x67, 0xB4, 0xFE, 0xD5, 0xAA, 0xAC, 0x8A, 0x0F,
0x1C, 0x9B, 0x4C, 0x43, 0x5E, 0xCA, 0x35, 0xAB, 0x83, 0xBB, 0x73, 0x41, 0x74, 0xC0, 0xF7, 0x8F,
0xDE, 0x81, 0xA5, 0x33, 0x74, 0xAF, 0xF3, 0xB3, 0x60, 0x2B, 0xBC, 0x5E, 0x37, 0xBE, 0x9A, 0x4C};
unsigned char hid[] = {0x03}, *IDB = "Bob";
unsigned char Ppub[64], deB[128], C[64], K[32], K_decap[32];
big ke;
int tmp, i;
int Klen = 32;
mip = mirsys(1000, 16);
mip->IOBASE = 16;
ke = mirvar(0);
bytes_to_big(32, KE, ke);
tmp = SM9_standard_init();
if(tmp != 0)
return tmp;
printf("\n*********************** SM9 key Generation ***************************\n");
tmp = SM9_standard_generateencryptkey(hid, IDB, strlen(IDB), ke, Ppub, deB);
if(tmp != 0)
return tmp;
if(memcmp(Ppub, std_Ppub, 64) != 0)
return SM9_GEPUB_ERR;
if(memcmp(deB, std_deB, 128) != 0)
return SM9_GEPRI_ERR;
printf("\n**********************PublicKey Ppubs=[ke]P1*************************\n");
for(i = 0; i < 64; i++)
{
if(i == 32)
printf("\n");
printf("%02x", Ppub[i]);
}
printf("\n**************The private key deB = (xdeB, ydeB)*********************\n");
for(i = 0; i < 128; i++)
{
if(i == 64)
printf("\n");
printf("%02x", deB[i]);
}
printf("\n///////////////////SM9 Key encapsulation mechanism//////////////////////\n");
tmp = SM9_standard_key_encap(hid, IDB, rand, Ppub, C, K, Klen);
if(tmp != 0)
return tmp;
if(memcmp(C, std_C, 64) != 0)
return SM9_ERR_Encap_C;
if(memcmp(K, std_K, Klen) != 0)
return SM9_ERR_Encap_K;
printf("\n///////////////////SM9 Key decapsulation mechanism//////////////////////\n");
tmp = SM9_standard_key_decap(IDB, deB, C, Klen, K_decap);
if(tmp != 0)
return tmp;
if(memcmp(K_decap, std_K, 32) != 0)
return SM9_ERR_Decap_K;
return 0;
}

View File

@@ -1,525 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "sm9_standard.h"
#include "miracl.h"
#include "mirdef.h"
int SM9_standard_keyex_kdf(unsigned char *IDA, unsigned char *IDB, epoint *RA, epoint *RB, zzn12 g1, zzn12 g2, zzn12 g3, int klen, unsigned char K[])
{
unsigned char *Z = NULL;
int Zlen;
int IDALen = strlen(IDA), IDBLen = strlen(IDB);
big x1, y1, x2, y2;
x1 = mirvar(0);
y1 = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
epoint_get(RA, x1, y1);
epoint_get(RB, x2, y2);
Zlen = IDALen + IDBLen + BNLEN * 40;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z, IDA, IDALen);
memcpy(Z + IDALen, IDB, IDBLen);
big_to_bytes(BNLEN, x1, Z + IDALen + IDBLen, 1);
big_to_bytes(BNLEN, y1, Z + IDALen + IDBLen + BNLEN, 1);
big_to_bytes(BNLEN, x2, Z + IDALen + IDBLen + BNLEN * 2, 1);
big_to_bytes(BNLEN, y2, Z + IDALen + IDBLen + BNLEN * 3, 1);
LinkCharZzn12(Z, 0, g1, Z + IDALen + IDBLen + BNLEN * 4, BNLEN * 12);
LinkCharZzn12(Z, 0, g2, Z + IDALen + IDBLen + BNLEN * 16, BNLEN * 12);
LinkCharZzn12(Z, 0, g3, Z + IDALen + IDBLen + BNLEN * 28, BNLEN * 12);
SM3_kdf(Z, Zlen, klen, K);
free(Z);
return 0;
}
int SM9_standard_keyex_hash(unsigned char hashid[], unsigned char *IDA, unsigned char *IDB, epoint *RA, epoint *RB, zzn12 g1, zzn12 g2, zzn12 g3, unsigned char hash[])
{
int Zlen;
int IDALen = strlen(IDA), IDBLen = strlen(IDB);
unsigned char *Z = NULL;
big x1, y1, x2, y2;
x1 = mirvar(0);
y1 = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
epoint_get(RA, x1, y1);
epoint_get(RB, x2, y2);
Zlen = IDALen + IDBLen + BNLEN * 28;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(Z, 0, g2, Z, BNLEN * 12);
LinkCharZzn12(Z, 0, g3, Z + BNLEN * 12, BNLEN * 12);
memcpy(Z + BNLEN * 24, IDA, IDALen);
memcpy(Z + BNLEN * 24 + IDALen, IDB, IDBLen);
big_to_bytes(BNLEN, x1, Z + BNLEN * 24 + IDALen + IDBLen, 1);
big_to_bytes(BNLEN, y1, Z + BNLEN * 25 + IDALen + IDBLen, 1);
big_to_bytes(BNLEN, x2, Z + BNLEN * 26 + IDALen + IDBLen, 1);
big_to_bytes(BNLEN, y2, Z + BNLEN * 27 + IDALen + IDBLen, 1);
SM3_256(Z, Zlen, hash);
Zlen = 1 + BNLEN * 12 + SM3_len / 8;
memcpy(Z, hashid, 1);
LinkCharZzn12(Z, 1, g1, Z, 1 + BNLEN * 12);
memcpy(Z + 1 + BNLEN * 12, hash, SM3_len / 8);
SM3_256(Z, Zlen, hash);
free(Z);
return 0;
}
int SM9_standard_keyex_inita_i(unsigned char hid[], unsigned char *IDB, unsigned char randA[],
unsigned char Ppub[], unsigned char deA[], epoint *RA)
{
big h, x, y, rA;
epoint *Ppube, *QB;
unsigned char *Z = NULL;
int Zlen, buf;
//initiate
h = mirvar(0);
rA = mirvar(0);
x = mirvar(0);
y = mirvar(0);
QB = epoint_init();
Ppube = epoint_init();
bytes_to_big(BNLEN, Ppub, x);
bytes_to_big(BNLEN, Ppub + BNLEN, y);
epoint_set(x, y, 0, Ppube);
//----------A1:calculate QB=[H1(IDB||hid,N)]P1+Ppube----------
Zlen = strlen(IDB) + 1;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z, IDB, strlen(IDB));
memcpy(Z + strlen(IDB), hid, 1);
buf = SM9_standard_h1(Z, Zlen, N, h);
if(buf)
return buf;
ecurve_mult(h, P1, QB);
ecurve_add(Ppube, QB);
printf("\n*******************QB:=[H1(IDB||hid,N)]P1+Ppube*****************\n");
epoint_get(QB, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
//--------------- Step A2:randnom -------------------
bytes_to_big(BNLEN, randA, rA);
printf("\n***********************randnum rA:******************************\n");
cotnum(rA, stdout);
//----------------Step A3:RA=[r]QB
ecurve_mult(rA, QB, RA);
free(Z);
return 0;
}
int SM9_standard_keyex_reb_i(unsigned char hid[], unsigned char *IDA, unsigned char *IDB, unsigned char randB[], unsigned char Ppub[],
unsigned char deB[], epoint *RA, epoint *RB, unsigned char SB[], zzn12 *g1, zzn12 *g2, zzn12 *g3)
{
big h, x, y, rB;
epoint *Ppube, *QA;
unsigned char *Z = NULL, hashid[] = {0x82};
unsigned char SKB[16];
ecn2 dEB;
int Zlen, buf, i;
//initiate
h = mirvar(0);
rB = mirvar(0);
x = mirvar(0);
y = mirvar(0);
QA = epoint_init();
Ppube = epoint_init();
dEB.x.a = mirvar(0);
dEB.x.b = mirvar(0);
dEB.y.a = mirvar(0);
dEB.y.b = mirvar(0);
dEB.z.a = mirvar(0);
dEB.z.b = mirvar(0);
dEB.marker = MR_EPOINT_INFINITY;
bytes_to_big(BNLEN, Ppub, x);
bytes_to_big(BNLEN, Ppub + BNLEN, y);
bytes128_to_ecn2(deB, &dEB);
epoint_set(x, y, 0, Ppube);
//----------B1:calculate QA=[H1(IDA||hid,N)]P1+Ppube----------
Zlen = strlen(IDA) + 1;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z, IDA, strlen(IDA));
memcpy(Z + strlen(IDA), hid, 1);
buf = SM9_standard_h1(Z, Zlen, N, h);
if(buf)
return buf;
ecurve_mult(h, P1, QA);
ecurve_add(Ppube, QA);
printf("\n*******************QA:=[H1(IDA||hid,N)]P1+Ppube*****************\n");
epoint_get(QA, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
//--------------- Step B2:randnom -------------------
bytes_to_big(BNLEN, randB, rB);
printf("\n***********************randnum rB:********************************\n");
cotnum(rB, stdout);
//----------------Step B3:RB=[rB]QA------------------
ecurve_mult(rB, QA, RB);
printf("\n*************************:RB=[rB]QA*******************************\n");
epoint_get(RB, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
//test if RA is on G1
if(Test_Point(RA))
return SM9_NOT_VALID_G1;
//----------------Step B4:g1=e(deB,RA),g2=(e(P2,Ppube))^rB,g3=g1^rB
if(!ecap(dEB, RA, para_t, X, g1))
return SM9_MY_ECAP_12A_ERR;
if(!ecap(P2, Ppube, para_t, X, g2))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if((!member(*g1, para_t, X)) || (!member(*g2, para_t, X)))
return SM9_MEMBER_ERR;
*g2 = zzn12_pow(*g2, rB);
*g3 = zzn12_pow(*g1, rB);
printf("\n***********************g1=e(RA,deB):****************************\n");
zzn12_ElementPrint(*g1);
printf("\n*******************g2=(e(P2,Ppub3))^rB:*************************\n");
zzn12_ElementPrint(*g2);
printf("\n***********************g3=g1^rB:********************************\n");
zzn12_ElementPrint(*g3);
//---------------- B5:SKB=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen)----------
buf = SM9_standard_keyex_kdf(IDA, IDB, RA, RB, *g1, *g2, *g3, 16, SKB);
if(buf)
return buf;
printf("\n***********SKB=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen):***********\n");
for(i = 0; i < 16; i++)
printf("%02x", SKB[i]);
//---------------- B6(optional):SB=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))----------
buf = SM9_standard_keyex_hash(hashid, IDA, IDB, RA, RB, *g1, *g2, *g3, SB);
if(buf)
return buf;
printf("\n********SB=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))********\n");
for(i = 0; i < SM3_len / 8; i++)
printf("%02x", SB[i]);
free(Z);
return 0;
}
int SM9_standard_keyex_inita_ii(unsigned char *IDA, unsigned char *IDB, unsigned char randA[], unsigned char Ppub[],
unsigned char deA[], epoint *RA, epoint *RB, unsigned char SB[], unsigned char SA[])
{
big h, x, y, rA;
epoint *Ppube;
unsigned char hashid[] = {0x82};
unsigned char S1[SM3_len / 8], SKA[16];
zzn12 g1, g2, g3;
ecn2 dEA;
int buf, i;
//initiate
h = mirvar(0);
rA = mirvar(0);
x = mirvar(0);
y = mirvar(0);
Ppube = epoint_init();
dEA.x.a = mirvar(0);
dEA.x.b = mirvar(0);
dEA.y.a = mirvar(0);
dEA.y.b = mirvar(0);
dEA.z.a = mirvar(0);
dEA.z.b = mirvar(0);
dEA.marker = MR_EPOINT_INFINITY;
zzn12_init(&g1);
zzn12_init(&g2);
zzn12_init(&g3);
bytes_to_big(BNLEN, Ppub, x);
bytes_to_big(BNLEN, Ppub + BNLEN, y);
bytes_to_big(BNLEN, randA, rA);
bytes128_to_ecn2(deA, &dEA);
epoint_set(x, y, 0, Ppube);
//test if RB is on G1
if(Test_Point(RB))
return SM9_NOT_VALID_G1;
//----------------Step A5:g1=(e(P2,Ppube))^rA,g2=e(deA,RB),g3=g2^rA---------
if(!ecap(P2, Ppube, para_t, X, &g1))
return SM9_MY_ECAP_12A_ERR;
if(!ecap(dEA, RB, para_t, X, &g2))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if((!member(g1, para_t, X)) || (!member(g2, para_t, X)))
return SM9_MEMBER_ERR;
g1 = zzn12_pow(g1, rA);
g3 = zzn12_pow(g2, rA);
printf("\n***********************g1=e(Ppub,P2):****************************\n");
zzn12_ElementPrint(g1);
printf("\n*******************g2=(e(RB,deA))^rB:*************************\n");
zzn12_ElementPrint(g2);
printf("\n***********************g3=g2^rB:********************************\n");
zzn12_ElementPrint(g3);
//------------------ A6:S1=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))----------
buf = SM9_standard_keyex_hash(hashid, IDA, IDB, RA, RB, g1, g2, g3, S1);
if(buf)
return buf;
printf("\n*********S1=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))********\n");
for(i = 0; i < SM3_len / 8; i++)
printf("%02x", S1[i]);
if(memcmp(S1, SB, SM3_len / 8))
return SM9_ERR_CMP_S1SB;
//---------- A7: SKA=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen)----------
buf = SM9_standard_keyex_kdf(IDA, IDB, RA, RB, g1, g2, g3, 16, SKA);
if(buf)
return buf;
printf("\n************SKA=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen)************\n");
for(i = 0; i < 16; i++)
printf("%02x", SKA[i]);
//--------- A8(optional):SA=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))----------
hashid[0] = (unsigned char)0x83;
buf = SM9_standard_keyex_hash(hashid, IDA, IDB, RA, RB, g1, g2, g3, SA);
if(buf)
return buf;
printf("\n*********SA=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))********\n");
for(i = 0; i < SM3_len / 8; i++)
printf("%02x", SA[i]);
return 0;
}
int SM9_standard_keyex_reb_ii(unsigned char *IDA, unsigned char *IDB, zzn12 g1, zzn12 g2, zzn12 g3, epoint *RA, epoint *RB, unsigned char SA[])
{
unsigned char hashid[] = {0x83};
unsigned char S2[SM3_len / 8];
int buf, i;
//---------------- B8(optional):S2=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))----------
buf = SM9_standard_keyex_hash(hashid, IDA, IDB, RA, RB, g1, g2, g3, S2);
if(buf)
return buf;
printf("\n*************** S2=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))****************\n");
for(i = 0; i < SM3_len / 8; i++)
printf("%02x", S2[i]);
if(memcmp(S2, SA, SM3_len / 8))
return SM9_ERR_CMP_S2SA;
return 0;
}
int SM9_standard_exch_selfcheck()
{
//the master private key
unsigned char KE[32] = {0x00, 0x02, 0xE6, 0x5B, 0x07, 0x62, 0xD0, 0x42, 0xF5, 0x1F, 0x0D, 0x23, 0x54, 0x2B, 0x13, 0xED,
0x8C, 0xFA, 0x2E, 0x9A, 0x0E, 0x72, 0x06, 0x36, 0x1E, 0x01, 0x3A, 0x28, 0x39, 0x05, 0xE3, 0x1F};
unsigned char randA[32] = {0x00, 0x00, 0x58, 0x79, 0xDD, 0x1D, 0x51, 0xE1, 0x75, 0x94, 0x6F, 0x23, 0xB1, 0xB4, 0x1E, 0x93,
0xBA, 0x31, 0xC5, 0x84, 0xAE, 0x59, 0xA4, 0x26, 0xEC, 0x10, 0x46, 0xA4, 0xD0, 0x3B, 0x06, 0xC8};
unsigned char randB[32] = {0x00, 0x01, 0x8B, 0x98, 0xC4, 0x4B, 0xEF, 0x9F, 0x85, 0x37, 0xFB, 0x7D, 0x07, 0x1B, 0x2C, 0x92,
0x8B, 0x3B, 0xC6, 0x5B, 0xD3, 0xD6, 0x9E, 0x1E, 0xEE, 0x21, 0x35, 0x64, 0x90, 0x56, 0x34, 0xFE};
//standard datas
unsigned char std_Ppub[64] = {0x91, 0x74, 0x54, 0x26, 0x68, 0xE8, 0xF1, 0x4A, 0xB2, 0x73, 0xC0, 0x94, 0x5C, 0x36, 0x90, 0xC6,
0x6E, 0x5D, 0xD0, 0x96, 0x78, 0xB8, 0x6F, 0x73, 0x4C, 0x43, 0x50, 0x56, 0x7E, 0xD0, 0x62, 0x83,
0x54, 0xE5, 0x98, 0xC6, 0xBF, 0x74, 0x9A, 0x3D, 0xAC, 0xC9, 0xFF, 0xFE, 0xDD, 0x9D, 0xB6, 0x86,
0x6C, 0x50, 0x45, 0x7C, 0xFC, 0x7A, 0xA2, 0xA4, 0xAD, 0x65, 0xC3, 0x16, 0x8F, 0xF7, 0x42, 0x10};
unsigned char std_deA[128] = {0x0F, 0xE8, 0xEA, 0xB3, 0x95, 0x19, 0x9B, 0x56, 0xBF, 0x1D, 0x75, 0xBD, 0x2C, 0xD6, 0x10, 0xB6,
0x42, 0x4F, 0x08, 0xD1, 0x09, 0x29, 0x22, 0xC5, 0x88, 0x2B, 0x52, 0xDC, 0xD6, 0xCA, 0x83, 0x2A,
0x7D, 0xA5, 0x7B, 0xC5, 0x02, 0x41, 0xF9, 0xE5, 0xBF, 0xDD, 0xC0, 0x75, 0xDD, 0x9D, 0x32, 0xC7,
0x77, 0x71, 0x00, 0xD7, 0x36, 0x91, 0x6C, 0xFC, 0x16, 0x5D, 0x8D, 0x36, 0xE0, 0x63, 0x4C, 0xD7,
0x83, 0xA4, 0x57, 0xDA, 0xF5, 0x2C, 0xAD, 0x46, 0x4C, 0x90, 0x3B, 0x26, 0x06, 0x2C, 0xAF, 0x93,
0x7B, 0xB4, 0x0E, 0x37, 0xDA, 0xDE, 0xD9, 0xED, 0xA4, 0x01, 0x05, 0x0E, 0x49, 0xC8, 0xAD, 0x0C,
0x69, 0x70, 0x87, 0x6B, 0x9A, 0xAD, 0x1B, 0x7A, 0x50, 0xBB, 0x48, 0x63, 0xA1, 0x1E, 0x57, 0x4A,
0xF1, 0xFE, 0x3C, 0x59, 0x75, 0x16, 0x1D, 0x73, 0xDE, 0x4C, 0x3A, 0xF6, 0x21, 0xFB, 0x1E, 0xFB};
unsigned char std_deB[128] = {0x74, 0xCC, 0xC3, 0xAC, 0x9C, 0x38, 0x3C, 0x60, 0xAF, 0x08, 0x39, 0x72, 0xB9, 0x6D, 0x05, 0xC7,
0x5F, 0x12, 0xC8, 0x90, 0x7D, 0x12, 0x8A, 0x17, 0xAD, 0xAF, 0xBA, 0xB8, 0xC5, 0xA4, 0xAC, 0xF7,
0x01, 0x09, 0x2F, 0xF4, 0xDE, 0x89, 0x36, 0x26, 0x70, 0xC2, 0x17, 0x11, 0xB6, 0xDB, 0xE5, 0x2D,
0xCD, 0x5F, 0x8E, 0x40, 0xC6, 0x65, 0x4B, 0x3D, 0xEC, 0xE5, 0x73, 0xC2, 0xAB, 0x3D, 0x29, 0xB2,
0x44, 0xB0, 0x29, 0x4A, 0xA0, 0x42, 0x90, 0xE1, 0x52, 0x4F, 0xF3, 0xE3, 0xDA, 0x8C, 0xFD, 0x43,
0x2B, 0xB6, 0x4D, 0xE3, 0xA8, 0x04, 0x0B, 0x5B, 0x88, 0xD1, 0xB5, 0xFC, 0x86, 0xA4, 0xEB, 0xC1,
0x8C, 0xFC, 0x48, 0xFB, 0x4F, 0xF3, 0x7F, 0x1E, 0x27, 0x72, 0x74, 0x64, 0xF3, 0xC3, 0x4E, 0x21,
0x53, 0x86, 0x1A, 0xD0, 0x8E, 0x97, 0x2D, 0x16, 0x25, 0xFC, 0x1A, 0x7B, 0xD1, 0x8D, 0x55, 0x39};
unsigned char std_RA[64] = {0x7C, 0xBA, 0x5B, 0x19, 0x06, 0x9E, 0xE6, 0x6A, 0xA7, 0x9D, 0x49, 0x04, 0x13, 0xD1, 0x18, 0x46,
0xB9, 0xBA, 0x76, 0xDD, 0x22, 0x56, 0x7F, 0x80, 0x9C, 0xF2, 0x3B, 0x6D, 0x96, 0x4B, 0xB2, 0x65,
0xA9, 0x76, 0x0C, 0x99, 0xCB, 0x6F, 0x70, 0x63, 0x43, 0xFE, 0xD0, 0x56, 0x37, 0x08, 0x58, 0x64,
0x95, 0x8D, 0x6C, 0x90, 0x90, 0x2A, 0xBA, 0x7D, 0x40, 0x5F, 0xBE, 0xDF, 0x7B, 0x78, 0x15, 0x99};
unsigned char std_RB[64] = {0x86, 0x1E, 0x91, 0x48, 0x5F, 0xB7, 0x62, 0x3D, 0x27, 0x94, 0xF4, 0x95, 0x03, 0x1A, 0x35, 0x59,
0x8B, 0x49, 0x3B, 0xD4, 0x5B, 0xE3, 0x78, 0x13, 0xAB, 0xC7, 0x10, 0xFC, 0xC1, 0xF3, 0x44, 0x82,
0x32, 0xD9, 0x06, 0xA4, 0x69, 0xEB, 0xC1, 0x21, 0x6A, 0x80, 0x2A, 0x70, 0x52, 0xD5, 0x61, 0x7C,
0xD4, 0x30, 0xFB, 0x56, 0xFB, 0xA7, 0x29, 0xD4, 0x1D, 0x9B, 0xD6, 0x68, 0xE9, 0xEB, 0x96, 0x00};
unsigned char std_SA[32] = {0x19, 0x5D, 0x1B, 0x72, 0x56, 0xBA, 0x7E, 0x0E, 0x67, 0xC7, 0x12, 0x02, 0xA2, 0x5F, 0x8C, 0x94,
0xFF, 0x82, 0x41, 0x70, 0x2C, 0x2F, 0x55, 0xD6, 0x13, 0xAE, 0x1C, 0x6B, 0x98, 0x21, 0x51, 0x72};
unsigned char std_SB[32] = {0x3B, 0xB4, 0xBC, 0xEE, 0x81, 0x39, 0xC9, 0x60, 0xB4, 0xD6, 0x56, 0x6D, 0xB1, 0xE0, 0xD5, 0xF0,
0xB2, 0x76, 0x76, 0x80, 0xE5, 0xE1, 0xBF, 0x93, 0x41, 0x03, 0xE6, 0xC6, 0x6E, 0x40, 0xFF, 0xEE};
unsigned char hid[] = {0x02}, *IDA = "Alice", *IDB = "Bob";
unsigned char Ppub[64], deA[128], deB[128];
unsigned char xy[64], SA[SM3_len / 8], SB[SM3_len / 8];
epoint *RA, *RB;
big ke, x, y;
zzn12 g1, g2, g3;
int tmp, i;
mip = mirsys(1000, 16);
mip->IOBASE = 16;
x = mirvar(0);
y = mirvar(0);
ke = mirvar(0);
bytes_to_big(32, KE, ke);
RA = epoint_init();
RB = epoint_init();
zzn12_init(&g1);
zzn12_init(&g2);
zzn12_init(&g3);
tmp = SM9_standard_init();
if(tmp != 0)
return tmp;
printf("\n*********************** SM9 key Generation ***************************\n");
tmp = SM9_standard_generateencryptkey(hid, IDA, strlen(IDA), ke, Ppub, deA);
if(tmp != 0)
return tmp;
tmp = SM9_standard_generateencryptkey(hid, IDB, strlen(IDB), ke, Ppub, deB);
if(tmp != 0)
return tmp;
if(memcmp(Ppub, std_Ppub, 64) != 0)
return SM9_GEPUB_ERR;
if(memcmp(deA, std_deA, 128) != 0)
return SM9_GEPRI_ERR;
if(memcmp(deB, std_deB, 128) != 0)
return SM9_GEPRI_ERR;
printf("\n**********************PublicKey Ppubs=[ke]P1*************************\n");
for(i = 0; i < 64; i++)
printf("%02x", Ppub[i]);
printf("\n**************The private key deA = (xdeA, ydeA)*********************\n");
for(i = 0; i < 128; i++)
printf("%02x", deA[i]);
printf("\n**************The private key deB = (xdeB, ydeB)*********************\n");
for(i = 0; i < 128; i++)
printf("%02x", deB[i]);
printf("\n//////////////////// SM9 Key exchange A1-A4://////////////////////////\n");
tmp = SM9_standard_keyex_inita_i(hid, IDB, randA, Ppub, deA, RA);
if(tmp != 0)
return tmp;
printf("\n ////////////////////////////:RA=[r]QB //////////////////////////////\n");
epoint_get(RA, x, y);
cotnum(x, stdout);
cotnum(y, stdout);
big_to_bytes(BNLEN, x, xy, 1);
big_to_bytes(BNLEN, y, xy + BNLEN, 1);
if(memcmp(xy, std_RA, BNLEN * 2) != 0)
return SM9_ERR_RA;
printf("\n//////////////////////// SM9 Key exchange B1-B7:///////////////////////\n");
tmp = SM9_standard_keyex_reb_i(hid, IDA, IDB, randB, Ppub, deB, RA, RB, SB, &g1, &g2, &g3);
if(tmp != 0)
return tmp;
epoint_get(RB, x, y);
big_to_bytes(BNLEN, x, xy, 1);
big_to_bytes(BNLEN, y, xy + BNLEN, 1);
if(memcmp(xy, std_RB, BNLEN * 2) != 0)
return SM9_ERR_RB;
if(memcmp(SB, std_SB, SM3_len / 8) != 0)
return SM9_ERR_SB;
printf("\n//////////////////////// SM9 Key exchange A5-A8:///////////////////////\n");
tmp = SM9_standard_keyex_inita_ii(IDA, IDB, randA, Ppub, deA, RA, RB, SB, SA);
if(tmp!=0)
return tmp;
if(memcmp(SA, std_SA, SM3_len / 8) != 0)
return SM9_ERR_SA;
printf("\n//////////////////////// SM9 Key exchange B8:///////////////////////\n");
tmp = SM9_standard_keyex_reb_ii(IDA, IDB, g1, g2, g3, RA, RB, SA);
if(tmp != 0)
return tmp;
return 0;
}

View File

@@ -1,446 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "sm9_standard.h"
#include "miracl.h"
#include "mirdef.h"
#include <math.h>
int SM9_standard_h2(unsigned char Z[], int Zlen, big n, big h2)
{
int hlen, ZHlen, i;
big hh, i256, tmp, n1;
unsigned char *ZH = NULL, *ha = NULL;
hh = mirvar(0);
i256 = mirvar(0);
tmp = mirvar(0);
n1 = mirvar(0);
convert(1, i256);
ZHlen = Zlen + 1;
hlen = (int)ceil((5.0 * logb2(n)) / 32.0);
decr(n, 1, n1);
ZH = (char *)malloc(sizeof(char)*(ZHlen + 1));
if(ZH == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(ZH + 1, Z, Zlen);
ZH[0] = 0x02;
ha = (char *)malloc(sizeof(char)*(hlen + 1));
if(ha == NULL)
return SM9_ASK_MEMORY_ERR;
SM3_kdf(ZH, ZHlen, hlen, ha);
for(i = hlen - 1; i >= 0; i--)//key[从大到小]
{
premult(i256, ha[i], tmp);
add(hh, tmp, hh);
premult(i256, 256, i256);
divide(i256, n1, tmp);
divide(hh, n1, tmp);
}
incr(hh, 1, h2);
free(ZH);
free(ha);
return 0;
}
int SM9_standard_generatesignkey(unsigned char hid[], unsigned char *ID, int IDlen, big ks, unsigned char Ppubs[], unsigned char dsa[])
{
big h1, t1, t2, rem, xdSA, ydSA, tmp;
unsigned char *Z = NULL;
int Zlen = IDlen + 1, buf;
ecn2 Ppub;
epoint *dSA;
h1 = mirvar(0);
t1 = mirvar(0);
t2 = mirvar(0);
rem = mirvar(0);
tmp = mirvar(0);
xdSA = mirvar(0);
ydSA = mirvar(0);
dSA = epoint_init();
Ppub.x.a = mirvar(0);
Ppub.x.b = mirvar(0);
Ppub.y.a = mirvar(0);
Ppub.y.b = mirvar(0);
Ppub.z.a = mirvar(0);
Ppub.z.b = mirvar(0);
Ppub.marker = MR_EPOINT_INFINITY;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
memcpy(Z, ID, IDlen);
memcpy(Z + IDlen, hid, 1);
buf = SM9_standard_h1(Z, Zlen, N, h1);
if(buf != 0)
return buf;
add(h1, ks, t1);//t1=H1(IDA||hid,N)+ks
xgcd(t1, N, t1, t1, t1);//t1=t1(-1)
multiply(ks, t1, t2);
divide(t2, N, rem);//t2=ks*t1(-1)
//dSA=[t2]P1
ecurve_mult(t2, P1, dSA);
//Ppub=[ks]P2
ecn2_copy(&P2, &Ppub);
ecn2_mul(ks, &Ppub);
printf("\n*********************The signed key = (xdA, ydA)*********************\n");
epoint_get(dSA, xdSA, ydSA);
cotnum(xdSA, stdout);
cotnum(ydSA, stdout);
printf("\n**********************PublicKey Ppubs=[ks]P2*************************\n");
ecn2_Bytes128_Print(Ppub);
epoint_get(dSA, xdSA, ydSA);
big_to_bytes(BNLEN, xdSA, dsa, 1);
big_to_bytes(BNLEN, ydSA, dsa + BNLEN, 1);
redc(Ppub.x.b, tmp);
big_to_bytes(BNLEN, tmp, Ppubs, 1);
redc(Ppub.x.a, tmp);
big_to_bytes(BNLEN, tmp, Ppubs + BNLEN, 1);
redc(Ppub.y.b, tmp);
big_to_bytes(BNLEN, tmp, Ppubs + BNLEN * 2, 1);
redc(Ppub.y.a, tmp);
big_to_bytes(BNLEN, tmp, Ppubs + BNLEN * 3, 1);
free(Z);
return 0;
}
int SM9_standard_sign(unsigned char hid[], unsigned char *IDA, unsigned char *message, int len, unsigned char rand[], unsigned char dsa[], unsigned char Ppub[], unsigned char H[], unsigned char S[])
{
big h1, r, h, l, xdSA, ydSA;
big xS, yS, tmp, zero;
zzn12 g, w;
epoint *s, *dSA;
ecn2 Ppubs;
int Zlen, buf;
unsigned char *Z = NULL;
//initiate
h1 = mirvar(0);
r = mirvar(0);
h = mirvar(0);
l = mirvar(0);
tmp = mirvar(0);
zero = mirvar(0);
xS = mirvar(0);
yS = mirvar(0);
xdSA = mirvar(0);
ydSA = mirvar(0);
s = epoint_init();
dSA = epoint_init();
Ppubs.x.a = mirvar(0);
Ppubs.x.b = mirvar(0);
Ppubs.y.a = mirvar(0);
Ppubs.y.b = mirvar(0);
Ppubs.z.a = mirvar(0);
Ppubs.z.b = mirvar(0);
Ppubs.marker = MR_EPOINT_INFINITY;
zzn12_init(&g);
zzn12_init(&w);
bytes_to_big(BNLEN, rand, r);
bytes_to_big(BNLEN, dsa, xdSA);
bytes_to_big(BNLEN, dsa + BNLEN, ydSA);
epoint_set(xdSA, ydSA, 0, dSA);
bytes128_to_ecn2(Ppub, &Ppubs);
//Step1:g = e(P1, Ppub-s)
if(!ecap(Ppubs, P1, para_t, X, &g))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(g, para_t, X))
return SM9_MEMBER_ERR;
printf("\n***********************g=e(P1,Ppubs):****************************\n");
zzn12_ElementPrint(g);
//Step2:calculate w=g(r)
printf("\n***********************randnum r:********************************\n");
cotnum(r, stdout);
w = zzn12_pow(g, r);
printf("\n***************************w=gr:**********************************\n");
zzn12_ElementPrint(w);
//Step3:calculate h=H2(M||w,N)
Zlen = len + 32 * 12;
Z = (char *)malloc(sizeof(char)*(Zlen + 1));
if(Z == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(message, len, w, Z, Zlen);
buf = SM9_standard_h2(Z, Zlen, N, h);
if(buf != 0)
return buf;
printf("\n****************************h:*************************************\n");
cotnum(h, stdout);
//Step4:l=(r-h)mod N
subtract(r, h, l);
divide(l, N, tmp);
while(mr_compare(l, zero) < 0)
add(l, N, l);
if(mr_compare(l, zero) == 0)
return SM9_L_error;
printf("\n**************************l=(r-h)mod N:****************************\n");
cotnum(l, stdout);
//Step5:S=[l]dSA=(xS,yS)
ecurve_mult(l, dSA, s);
epoint_get(s, xS, yS);
printf("\n**************************S=[l]dSA=(xS,yS):*************************\n");
cotnum(xS, stdout);
cotnum(yS, stdout);
big_to_bytes(32, h, H, 1);
big_to_bytes(32, xS, S, 1);
big_to_bytes(32, yS, S + 32, 1);
free(Z);
return 0;
}
int SM9_standard_verify(unsigned char H[], unsigned char S[], unsigned char hid[], unsigned char *IDA, unsigned char *message, int len, unsigned char Ppub[])
{
big h, xS, yS, h1, h2;
epoint *S1;
zzn12 g, t, u, w;
ecn2 P, Ppubs;
int Zlen1, Zlen2, buf;
unsigned char * Z1 = NULL, *Z2 = NULL;
h = mirvar(0);
h1 = mirvar(0);
h2 = mirvar(0);
xS = mirvar(0);
yS = mirvar(0);
P.x.a = mirvar(0);
P.x.b = mirvar(0);
P.y.a = mirvar(0);
P.y.b = mirvar(0);
P.z.a = mirvar(0);
P.z.b = mirvar(0);
P.marker = MR_EPOINT_INFINITY;
Ppubs.x.a = mirvar(0);
Ppubs.x.b = mirvar(0);
Ppubs.y.a = mirvar(0);
Ppubs.y.b = mirvar(0);
Ppubs.z.a = mirvar(0);
Ppubs.z.b = mirvar(0);
Ppubs.marker = MR_EPOINT_INFINITY;
S1 = epoint_init();
zzn12_init(&g);
zzn12_init(&t);
zzn12_init(&u);
zzn12_init(&w);
bytes_to_big(BNLEN, H, h);
bytes_to_big(BNLEN, S, xS);
bytes_to_big(BNLEN, S + BNLEN, yS);
bytes128_to_ecn2(Ppub, &Ppubs);
//Step 1:test if h in the rangge [1,N-1]
if(Test_Range(h))
return SM9_H_OUTRANGE;
//Step 2:test if S is on G1
epoint_set(xS, yS, 0, S1);
if(Test_Point(S1))
return SM9_S_NOT_VALID_G1;
//Step3:g = e(P1, Ppub-s)
if(!ecap(Ppubs, P1, para_t, X, &g))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(g, para_t, X))
return SM9_MEMBER_ERR;
printf("\n***********************g=e(P1,Ppubs):****************************\n");
zzn12_ElementPrint(g);
//Step4:calculate t=g(h)
t = zzn12_pow(g, h);
printf("\n***************************w=gh:**********************************\n");
zzn12_ElementPrint(t);
//Step5:calculate h1=H1(IDA||hid,N)
Zlen1 = strlen(IDA) + 1;
Z1 = (char *)malloc(sizeof(char)*(Zlen1 + 1));
if(Z1 == NULL)
return SM9_ASK_MEMORY_ERR;
memcpy(Z1, IDA, strlen(IDA));
memcpy(Z1 + strlen(IDA), hid, 1);
buf = SM9_standard_h1(Z1, Zlen1, N, h1);
if(buf != 0)
return buf;
printf("\n****************************h1:**********************************\n");
cotnum(h1, stdout);
//Step6:P=[h1]P2+Ppubs
ecn2_copy(&P2, &P);
ecn2_mul(h1, &P);
ecn2_add(&Ppubs, &P);
//Step7:u=e(S1,P)
if(!ecap(P, S1, para_t, X, &u))
return SM9_MY_ECAP_12A_ERR;
//test if a ZZn12 element is of order q
if(!member(u, para_t, X))
return SM9_MEMBER_ERR;
printf("\n************************** u=e(S1,P):*****************************\n");
zzn12_ElementPrint(u);
//Step8:w=u*t
zzn12_mul(u, t, &w);
printf("\n************************* w=u*t: **********************************\n");
zzn12_ElementPrint(w);
//Step9:h2=H2(M||w,N)
Zlen2 = len + 32 * 12;
Z2 = (char *)malloc(sizeof(char)*(Zlen2 + 1));
if(Z2 == NULL)
return SM9_ASK_MEMORY_ERR;
LinkCharZzn12(message, len, w, Z2, Zlen2);
buf = SM9_standard_h2(Z2, Zlen2, N, h2);
if(buf != 0)
return buf;
printf("\n**************************** h2:***********************************\n");
cotnum(h2, stdout);
free(Z1);
free(Z2);
if(mr_compare(h2, h) != 0)
return SM9_DATA_MEMCMP_ERR;
return 0;
}
int SM9_standard_sv_selfcheck()
{
//the master private key
unsigned char dA[32] = {0x00, 0x01, 0x30, 0xE7, 0x84, 0x59, 0xD7, 0x85, 0x45, 0xCB, 0x54, 0xC5, 0x87, 0xE0, 0x2C, 0xF4,
0x80, 0xCE, 0x0B, 0x66, 0x34, 0x0F, 0x31, 0x9F, 0x34, 0x8A, 0x1D, 0x5B, 0x1F, 0x2D, 0xC5, 0xF4};
unsigned char rand[32] = {0x00, 0x03, 0x3C, 0x86, 0x16, 0xB0, 0x67, 0x04, 0x81, 0x32, 0x03, 0xDF, 0xD0, 0x09, 0x65, 0x02,
0x2E, 0xD1, 0x59, 0x75, 0xC6, 0x62, 0x33, 0x7A, 0xED, 0x64, 0x88, 0x35, 0xDC, 0x4B, 0x1C, 0xBE};
unsigned char h[32], S[64];// Signature
unsigned char Ppub[128], dSA[64];
unsigned char std_h[32] = {0x82, 0x3C, 0x4B, 0x21, 0xE4, 0xBD, 0x2D, 0xFE, 0x1E, 0xD9, 0x2C, 0x60, 0x66, 0x53, 0xE9, 0x96,
0x66, 0x85, 0x63, 0x15, 0x2F, 0xC3, 0x3F, 0x55, 0xD7, 0xBF, 0xBB, 0x9B, 0xD9, 0x70, 0x5A, 0xDB};
unsigned char std_S[64] = {0x73, 0xBF, 0x96, 0x92, 0x3C, 0xE5, 0x8B, 0x6A, 0xD0, 0xE1, 0x3E, 0x96, 0x43, 0xA4, 0x06, 0xD8,
0xEB, 0x98, 0x41, 0x7C, 0x50, 0xEF, 0x1B, 0x29, 0xCE, 0xF9, 0xAD, 0xB4, 0x8B, 0x6D, 0x59, 0x8C,
0x85, 0x67, 0x12, 0xF1, 0xC2, 0xE0, 0x96, 0x8A, 0xB7, 0x76, 0x9F, 0x42, 0xA9, 0x95, 0x86, 0xAE,
0xD1, 0x39, 0xD5, 0xB8, 0xB3, 0xE1, 0x58, 0x91, 0x82, 0x7C, 0xC2, 0xAC, 0xED, 0x9B, 0xAA, 0x05};
unsigned char std_Ppub[128] = {0x9F, 0x64, 0x08, 0x0B, 0x30, 0x84, 0xF7, 0x33, 0xE4, 0x8A, 0xFF, 0x4B, 0x41, 0xB5, 0x65, 0x01,
0x1C, 0xE0, 0x71, 0x1C, 0x5E, 0x39, 0x2C, 0xFB, 0x0A, 0xB1, 0xB6, 0x79, 0x1B, 0x94, 0xC4, 0x08,
0x29, 0xDB, 0xA1, 0x16, 0x15, 0x2D, 0x1F, 0x78, 0x6C, 0xE8, 0x43, 0xED, 0x24, 0xA3, 0xB5, 0x73,
0x41, 0x4D, 0x21, 0x77, 0x38, 0x6A, 0x92, 0xDD, 0x8F, 0x14, 0xD6, 0x56, 0x96, 0xEA, 0x5E, 0x32,
0x69, 0x85, 0x09, 0x38, 0xAB, 0xEA, 0x01, 0x12, 0xB5, 0x73, 0x29, 0xF4, 0x47, 0xE3, 0xA0, 0xCB,
0xAD, 0x3E, 0x2F, 0xDB, 0x1A, 0x77, 0xF3, 0x35, 0xE8, 0x9E, 0x14, 0x08, 0xD0, 0xEF, 0x1C, 0x25,
0x41, 0xE0, 0x0A, 0x53, 0xDD, 0xA5, 0x32, 0xDA, 0x1A, 0x7C, 0xE0, 0x27, 0xB7, 0xA4, 0x6F, 0x74,
0x10, 0x06, 0xE8,0x5F,0x5C,0xDF,0xF0,0x73,0x0E,0x75,0xC0,0x5F,0xB4,0xE3,0x21, 0x6D};
unsigned char std_dSA[64] = {0xA5, 0x70, 0x2F, 0x05, 0xCF, 0x13, 0x15, 0x30, 0x5E, 0x2D, 0x6E, 0xB6, 0x4B, 0x0D, 0xEB, 0x92,
0x3D, 0xB1, 0xA0, 0xBC, 0xF0, 0xCA, 0xFF, 0x90, 0x52, 0x3A, 0xC8, 0x75, 0x4A, 0xA6, 0x98, 0x20,
0x78, 0x55, 0x9A, 0x84, 0x44, 0x11, 0xF9, 0x82, 0x5C, 0x10, 0x9F, 0x5E, 0xE3, 0xF5, 0x2D, 0x72,
0x0D, 0xD0, 0x17, 0x85, 0x39, 0x2A, 0x72, 0x7B, 0xB1, 0x55, 0x69, 0x52, 0xB2, 0xB0, 0x13, 0xD3};
unsigned char hid[] = {0x01};
unsigned char *IDA = "Alice";
unsigned char *message = "Chinese IBS standard";//the message to be signed
int mlen = strlen(message), tmp;//the length of message
big ks;
tmp = SM9_standard_init();
if(tmp != 0)
return tmp;
ks = mirvar(0);
bytes_to_big(32, dA, ks);
printf("\n*********************** SM9 key Generation ***************************\n");
tmp = SM9_standard_generatesignkey(hid, IDA, strlen(IDA), ks, Ppub, dSA);
if(tmp != 0)
return tmp;
if(memcmp(Ppub, std_Ppub, 128) != 0)
return SM9_GEPUB_ERR;
if(memcmp(dSA, std_dSA, 64) != 0)
return SM9_GEPRI_ERR;
printf("\n********************** SM9 signature algorithm***************************\n");
tmp = SM9_standard_sign(hid, IDA, message, mlen, rand, dSA, Ppub, h, S);
if(tmp != 0)
return tmp;
if(memcmp(h, std_h, 32) != 0)
return SM9_SIGN_ERR;
if(memcmp(S, std_S, 64) != 0)
return SM9_SIGN_ERR;
printf("\n******************* SM9 verification algorithm *************************\n");
tmp = SM9_standard_verify(h, S, hid, IDA, message, mlen, Ppub);
if(tmp != 0)
return tmp;
return 0;
}

View File

@@ -1,462 +0,0 @@
/* ====================================================================
* Copyright (c) 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_ZZN12_OPERATION_H
#define HEADER_ZZN12_OPERATION_H
#include "miracl.h"
#ifdef __cplusplus
extern "C"{
#endif
miracl* mip;
zzn2 X; //Frobniues constant
typedef struct
{
zzn4 a, b, c;
BOOL unitary; // "unitary property means that fast squaring can be used, and inversions are just conjugates
BOOL miller; // "miller" property means that arithmetic on this instance can ignore multiplications
// or divisions by constants - as instance will eventually be raised to (p-1).
} zzn12;
static void zzn12_init(zzn12 *x)
{
x->a.a.a = mirvar(0);
x->a.a.b = mirvar(0);
x->a.b.a = mirvar(0);
x->a.b.b = mirvar(0);
x->a.unitary = FALSE;
x->b.a.a = mirvar(0);
x->b.a.b = mirvar(0);
x->b.b.a = mirvar(0);
x->b.b.b = mirvar(0);
x->b.unitary = FALSE;
x->c.a.a = mirvar(0);
x->c.a.b = mirvar(0);
x->c.b.a = mirvar(0);
x->c.b.b = mirvar(0);
x->c.unitary = FALSE;
x->miller = FALSE;
x->unitary = FALSE;
}
static void zzn12_copy(zzn12 *x, zzn12 *y)
{
zzn4_copy(&x->a, &y->a);
zzn4_copy(&x->b, &y->b);
zzn4_copy(&x->c, &y->c);
y->miller = x->miller;
y->unitary = x->unitary;
}
static void zzn12_mul(zzn12 x, zzn12 y, zzn12 *z)
{
// Karatsuba
zzn4 Z0, Z1, Z2, Z3, T0, T1;
BOOL zero_c, zero_b;
Z0.a.a = mirvar(0);
Z0.a.b = mirvar(0);
Z0.b.a = mirvar(0);
Z0.b.b = mirvar(0);
Z0.unitary = FALSE;
Z1.a.a = mirvar(0);
Z1.a.b = mirvar(0);
Z1.b.a = mirvar(0);
Z1.b.b = mirvar(0);
Z1.unitary = FALSE;
Z2.a.a = mirvar(0);
Z2.a.b = mirvar(0);
Z2.b.a = mirvar(0);
Z2.b.b = mirvar(0);
Z2.unitary = FALSE;
Z3.a.a = mirvar(0);
Z3.a.b = mirvar(0);
Z3.b.a = mirvar(0);
Z3.b.b = mirvar(0);
Z3.unitary = FALSE;
T0.a.a = mirvar(0);
T0.a.b = mirvar(0);
T0.b.a = mirvar(0);
T0.b.b = mirvar(0);
T0.unitary = FALSE;
T1.a.a = mirvar(0);
T1.a.b = mirvar(0);
T1.b.a = mirvar(0);
T1.b.b = mirvar(0);
T1.unitary = FALSE;
zzn12_copy(&x, z);
if(zzn4_compare(&x.a, &y.a) && zzn4_compare(&x.a, &y.a) && zzn4_compare(&x.a, &y.a))
{
if(x.unitary == TRUE)
{
zzn4_copy(&x.a, &Z0);
zzn4_mul(&x.a, &x.a, &z->a);
zzn4_copy(&z->a, &Z3);
zzn4_add(&z->a, &z->a, &z->a);
zzn4_add(&z->a, &Z3, &z->a);
zzn4_conj(&Z0, &Z0);
zzn4_add(&Z0, &Z0, &Z0);
zzn4_sub(&z->a, &Z0, &z->a);
zzn4_copy(&x.c, &Z1);
zzn4_mul(&Z1, &Z1, &Z1);
zzn4_tx(&Z1);
zzn4_copy(&Z1, &Z3);
zzn4_add(&Z1, &Z1, &Z1);
zzn4_add(&Z1, &Z3, &Z1);
zzn4_copy(&x.b, &Z2);
zzn4_mul(&Z2, &Z2, &Z2);
zzn4_copy(&Z2, &Z3);
zzn4_add(&Z2, &Z2, &Z2);
zzn4_add(&Z2, &Z3, &Z2);
zzn4_conj(&x.b, &z->b);
zzn4_add(&z->b, &z->b, &z->b);
zzn4_conj(&x.c, &z->c);
zzn4_add(&z->c, &z->c, &z->c);
zzn4_negate(&z->c, &z->c);
zzn4_add(&z->b, &Z1, &z->b);
zzn4_add(&z->c, &Z2, &z->c);
}
else
{
if(!x.miller)
{ // Chung-Hasan SQR2
zzn4_copy(&x.a, &Z0);
zzn4_mul(&Z0, &Z0, &Z0);
zzn4_mul(&x.b, &x.c, &Z1);
zzn4_add(&Z1, &Z1, &Z1);
zzn4_copy(&x.c, &Z2);
zzn4_mul(&Z2, &Z2, &Z2);
zzn4_mul(&x.a, &x.b, &Z3);
zzn4_add(&Z3, &Z3, &Z3);
zzn4_add(&x.a, &x.b, &z->c);
zzn4_add(&z->c, &x.c, &z->c);
zzn4_mul(&z->c, &z->c, &z->c);
zzn4_tx(&Z1);
zzn4_add(&Z0, &Z1, &z->a);
zzn4_tx(&Z2);
zzn4_add(&Z3, &Z2, &z->b);
zzn4_add(&Z0, &Z1, &T0);
zzn4_add(&T0, &Z2, &T0);
zzn4_add(&T0, &Z3, &T0);
zzn4_sub(&z->c, &T0, &z->c);
}
else
{ // Chung-Hasan SQR3 - actually calculate 2x^2 !
// Slightly dangerous - but works as will be raised to p^{k/2}-1
// which wipes out the 2.
zzn4_copy(&x.a, &Z0);
zzn4_mul(&Z0, &Z0, &Z0); // a0^2 = S0
zzn4_copy(&x.c, &Z2);
zzn4_mul(&Z2, &x.b, &Z2);
zzn4_add(&Z2, &Z2, &Z2); // 2a1.a2 = S3
zzn4_copy(&x.c, &Z3);
zzn4_mul(&Z3, &Z3, &Z3); // a2^2 = S4
zzn4_add(&x.c, &x.a, &z->c); // a0+a2
zzn4_copy(&x.b, &Z1);
zzn4_add(&Z1, &z->c, &Z1);
zzn4_mul(&Z1, &Z1, &Z1); // (a0+a1+a2)^2 =S1
zzn4_sub(&z->c, &x.b, &z->c);
zzn4_mul(&z->c, &z->c, &z->c); // (a0-a1+a2)^2 =S2
zzn4_add(&Z2, &Z2, &Z2);
zzn4_add(&Z0, &Z0, &Z0);
zzn4_add(&Z3, &Z3, &Z3);
zzn4_sub(&Z1, &z->c, &T0);
zzn4_sub(&T0, &Z2, &T0);
zzn4_sub(&Z1, &Z0, &T1);
zzn4_sub(&T1, &Z3, &T1);
zzn4_add(&z->c, &T1, &z->c);
zzn4_tx(&Z3);
zzn4_add(&T0, &Z3, &z->b);
zzn4_tx(&Z2);
zzn4_add(&Z0, &Z2, &z->a);
}
}
}
else
{
// Karatsuba
zero_b = zzn4_iszero(&y.b);
zero_c = zzn4_iszero(&y.c);
zzn4_mul(&x.a, &y.a, &Z0); //9
if(!zero_b)
zzn4_mul(&x.b, &y.b, &Z2); //+6
zzn4_add(&x.a, &x.b, &T0);
zzn4_add(&y.a, &y.b, &T1);
zzn4_mul(&T0, &T1, &Z1); //+9
zzn4_sub(&Z1, &Z0, &Z1);
if(!zero_b)
zzn4_sub(&Z1, &Z2, &Z1);
zzn4_add(&x.b, &x.c, &T0);
zzn4_add(&y.b, &y.c, &T1);
zzn4_mul(&T0, &T1, &Z3);//+6
if(!zero_b)
zzn4_sub(&Z3, &Z2, &Z3);
zzn4_add(&x.a, &x.c, &T0);
zzn4_add(&y.a, &y.c, &T1);
zzn4_mul(&T0, &T1, &T0);//+9=39 for "special case"
if(!zero_b)
zzn4_add(&Z2, &T0, &Z2);
else
zzn4_copy(&T0, &Z2);
zzn4_sub(&Z2, &Z0, &Z2);
zzn4_copy(&Z1, &z->b);
if(!zero_c)
{
// exploit special form of BN curve line function
zzn4_mul(&x.c, &y.c, &T0);
zzn4_sub(&Z2, &T0, &Z2);
zzn4_sub(&Z3, &T0, &Z3);
zzn4_tx(&T0);
zzn4_add(&z->b, &T0, &z->b);
}
zzn4_tx(&Z3);
zzn4_add(&Z0, &Z3, &z->a);
zzn4_copy(&Z2, &z->c);
if(!y.unitary)
z->unitary = FALSE;
}
}
static void zzn12_conj(zzn12 *x, zzn12 *y)
{
zzn4_conj(&x->a, &y->a);
zzn4_conj(&x->b, &y->b);
zzn4_negate(&y->b, &y->b);
zzn4_conj(&x->c, &y->c);
y->miller = x->miller;
y->unitary = x->unitary;
}
static zzn12 zzn12_inverse(zzn12 w)
{
zzn4 tmp1, tmp2;
zzn12 res;
tmp1.a.a = mirvar(0);
tmp1.a.b = mirvar(0);
tmp1.b.a = mirvar(0);
tmp1.b.b = mirvar(0);
tmp1.unitary = FALSE;
tmp2.a.a = mirvar(0);
tmp2.a.b = mirvar(0);
tmp2.b.a = mirvar(0);
tmp2.b.b = mirvar(0);
tmp2.unitary = FALSE;
zzn12_init(&res);
if(w.unitary)
{
zzn12_conj(&w, &res);
return res;
}
//res.a=w.a*w.a-tx(w.b*w.c);
zzn4_mul(&w.a, &w.a, &res.a);
zzn4_mul(&w.b, &w.c, &res.b);
zzn4_tx(&res.b);
zzn4_sub(&res.a, &res.b, &res.a);
//res.b=tx(w.c*w.c)-w.a*w.b;
zzn4_mul(&w.c, &w.c, &res.c);
zzn4_tx(&res.c);
zzn4_mul(&w.a, &w.b, &res.b);
zzn4_sub(&res.c, &res.b, &res.b);
//res.c=w.b*w.b-w.a*w.c;
zzn4_mul(&w.b, &w.b, &res.c);
zzn4_mul(&w.a, &w.c, &tmp1);
zzn4_sub(&res.c, &tmp1, &res.c);
//tmp1=tx(w.b*res.c)+w.a*res.a+tx(w.c*res.b);
zzn4_mul(&w.b, &res.c, &tmp1);
zzn4_tx(&tmp1);
zzn4_mul(&w.a, &res.a, &tmp2);
zzn4_add(&tmp1, &tmp2, &tmp1);
zzn4_mul(&w.c, &res.b, &tmp2);
zzn4_tx(&tmp2);
zzn4_add(&tmp1, &tmp2, &tmp1);
zzn4_inv(&tmp1);
zzn4_mul(&res.a, &tmp1, &res.a);
zzn4_mul(&res.b, &tmp1, &res.b);
zzn4_mul(&res.c, &tmp1, &res.c);
return res;
}
static void zzn12_powq(zzn2 F, zzn12 *y)
{
zzn2 X2, X3;
X2.a = mirvar(0);
X2.b = mirvar(0);
X3.a = mirvar(0);
X3.b = mirvar(0);
zzn2_mul(&F, &F, &X2);
zzn2_mul(&X2, &F, &X3);
zzn4_powq(&X3, &y->a);
zzn4_powq(&X3, &y->b);
zzn4_powq(&X3, &y->c);
zzn4_smul(&y->b, &X, &y->b);
zzn4_smul(&y->c, &X2, &y->c);
}
static void zzn12_div(zzn12 x, zzn12 y, zzn12 *z)
{
y=zzn12_inverse(y);
zzn12_mul(x, y, z);
}
static zzn12 zzn12_pow(zzn12 x, big k)
{
big zero, tmp, tmp1;
int nb, i;
BOOL invert_it;
zzn12 res;
zero = mirvar(0);
tmp = mirvar(0);
tmp1 = mirvar(0);
zzn12_init(&res);
copy(k, tmp1);
invert_it = FALSE;
if(mr_compare(tmp1, zero) == 0)
{
tmp = get_mip()->one;
zzn4_from_big(tmp, &res.a);
return res;
}
if(mr_compare(tmp1, zero) < 0)
{
negify(tmp1, tmp1);
invert_it = TRUE;
}
nb = logb2(k);
zzn12_copy(&x, &res);
if(nb > 1)
for(i = nb - 2; i >= 0; i--)
{
zzn12_mul(res, res, &res);
if(mr_testbit(k, i))
zzn12_mul(res, x, &res);
}
if(invert_it)
res = zzn12_inverse(res);
return res;
}
#ifdef __cplusplus
}
#endif
#endif

View File

@@ -1,182 +0,0 @@
/* ====================================================================
* Copyright (c) 2014 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "sms4_standard.h"
//rotate n bits to the left in a 32bit buffer
#define SM4_ROTL32(buf, n) (((buf)<<n)|((buf)>>(32-n)))
uint32_t SM4_CK[32] = {0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
};
uint8_t SM4_SBOX[256] =
{ 0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48
};
uint32_t SM4_FK[4] = {0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC};
void sm4_standard_key_schedule(const unsigned char *key, uint32_t *rk)
{
uint32_t tmp, buf, K[36];
uint32_t i;
for (i = 0; i < 4; i++)
{
K[i] = SM4_FK[i] ^ ( (key[4 * i] << 24) | (key[4 * i + 1] << 16)
| (key[4 * i + 2] << 8) | (key[4 * i + 3]) );
}
for (i = 0; i < 32; i++)
{
tmp = K[i + 1] ^ K[i + 2] ^ K[i + 3] ^ SM4_CK[i];
//nonlinear operation
buf = (SM4_SBOX[(tmp >> 24) & 0xFF]) << 24
| (SM4_SBOX[(tmp >> 16) & 0xFF]) << 16
| (SM4_SBOX[(tmp >> 8) & 0xFF]) << 8
| (SM4_SBOX[tmp & 0xFF]);
//linear operation
K[i + 4] = K[i] ^ ((buf) ^ (SM4_ROTL32((buf), 13)) ^ (SM4_ROTL32((buf), 23)));
rk[i] = K[i + 4];
}
}
void sms4_standard_encrypt(const unsigned char *in, unsigned char *out, const unsigned char *key)
{
uint32_t rk[32], X[36], tmp, buf;
uint32_t i, j;
sm4_standard_key_schedule(key, rk);
for (j = 0; j < 4; j++)
{
X[j] = (in[j * 4] << 24) | (in[j * 4 + 1] << 16)
| (in[j * 4 + 2] << 8) | (in[j * 4 + 3]);
}
for (i = 0; i < 32; i++)
{
tmp = X[i + 1] ^ X[i + 2] ^ X[i + 3] ^ rk[i];
//nonlinear operation
buf = ( SM4_SBOX[(tmp >> 24) & 0xFF]) << 24
| (SM4_SBOX[(tmp >> 16) & 0xFF]) << 16
| (SM4_SBOX[(tmp >> 8) & 0xFF]) << 8
| (SM4_SBOX[tmp & 0xFF]);
//linear operation
X[i + 4] = X[i] ^ (buf ^ SM4_ROTL32((buf), 2)^ SM4_ROTL32((buf), 10)
^ SM4_ROTL32((buf), 18)^ SM4_ROTL32((buf), 24));
}
for (j = 0; j < 4; j++)
{
out[4 * j] = (X[35 - j] >> 24) & 0xFF;
out[4 * j + 1] = (X[35 - j] >> 16) & 0xFF;
out[4 * j + 2] = (X[35 - j] >> 8) & 0xFF;
out[4 * j + 3] = (X[35 - j]) & 0xFF;
}
}
void sms4_standard_decrypt(const unsigned char *in, unsigned char *out, const unsigned char *key)
{
uint32_t rk[32], X[36], tmp, buf;
uint32_t i, j;
sm4_standard_key_schedule(key, rk);
for (j = 0; j < 4; j++)
{
X[j] = (in[j * 4] << 24) | (in[j * 4 + 1] << 16) |
(in[j * 4 + 2] << 8) | (in[j * 4 + 3]);
}
for (i = 0; i < 32; i++)
{
tmp = X[i + 1] ^ X[i + 2] ^ X[i + 3] ^ rk[31 - i];
//nonlinear operation
buf = (SM4_SBOX[(tmp >> 24) & 0xFF]) << 24
| (SM4_SBOX[(tmp >> 16) & 0xFF]) << 16
| (SM4_SBOX[(tmp >> 8) & 0xFF]) << 8
| (SM4_SBOX[tmp & 0xFF]);
//linear operation
X[i + 4] = X[i] ^ (buf ^ SM4_ROTL32((buf), 2)^ SM4_ROTL32((buf), 10)
^ SM4_ROTL32((buf), 18)^ SM4_ROTL32((buf), 24));
}
for (j = 0; j < 4; j++)
{
out[4 * j] = (X[35 - j] >> 24) & 0xFF;
out[4 * j + 1] = (X[35 - j] >> 16) & 0xFF;
out[4 * j + 2] = (X[35 - j] >> 8) & 0xFF;
out[4 * j + 3] = (X[35 - j]) & 0xFF;
}
}

View File

@@ -1,74 +0,0 @@
/* ====================================================================
* Copyright (c) 2014 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_SMS4_STANDARD_H
#define HEADER_SMS4_STANDARD_H
#include <openssl/opensslconf.h>
#ifndef NO_GMSSL
#include <sys/types.h>
#include <openssl/e_os2.h>
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
void sms4_standard_encrypt(const unsigned char *in, unsigned char *out, const unsigned char *key);
void sms4_standard_decrypt(const unsigned char *in, unsigned char *out, const unsigned char *key);
#ifdef __cplusplus
}
#endif
#endif
#endif

View File

@@ -1,107 +0,0 @@
/* ====================================================================
* Copyright (c) 2015 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
unsigned char ZUC_S0[256] =
{ 0x3e, 0x72, 0x5b, 0x47, 0xca, 0xe0, 0x00, 0x33, 0x04, 0xd1, 0x54, 0x98, 0x09, 0xb9, 0x6d, 0xcb,
0x7b, 0x1b, 0xf9, 0x32, 0xaf, 0x9d, 0x6a, 0xa5, 0xb8, 0x2d, 0xfc, 0x1d, 0x08, 0x53, 0x03, 0x90,
0x4d, 0x4e, 0x84, 0x99, 0xe4, 0xce, 0xd9, 0x91, 0xdd, 0xb6, 0x85, 0x48, 0x8b, 0x29, 0x6e, 0xac,
0xcd, 0xc1, 0xf8, 0x1e, 0x73, 0x43, 0x69, 0xc6, 0xb5, 0xbd, 0xfd, 0x39, 0x63, 0x20, 0xd4, 0x38,
0x76, 0x7d, 0xb2, 0xa7, 0xcf, 0xed, 0x57, 0xc5, 0xf3, 0x2c, 0xbb, 0x14, 0x21, 0x06, 0x55, 0x9b,
0xe3, 0xef, 0x5e, 0x31, 0x4f, 0x7f, 0x5a, 0xa4, 0x0d, 0x82, 0x51, 0x49, 0x5f, 0xba, 0x58, 0x1c,
0x4a, 0x16, 0xd5, 0x17, 0xa8, 0x92, 0x24, 0x1f, 0x8c, 0xff, 0xd8, 0xae, 0x2e, 0x01, 0xd3, 0xad,
0x3b, 0x4b, 0xda, 0x46, 0xeb, 0xc9, 0xde, 0x9a, 0x8f, 0x87, 0xd7, 0x3a, 0x80, 0x6f, 0x2f, 0xc8,
0xb1, 0xb4, 0x37, 0xf7, 0x0a, 0x22, 0x13, 0x28, 0x7c, 0xcc, 0x3c, 0x89, 0xc7, 0xc3, 0x96, 0x56,
0x07, 0xbf, 0x7e, 0xf0, 0x0b, 0x2b, 0x97, 0x52, 0x35, 0x41, 0x79, 0x61, 0xa6, 0x4c, 0x10, 0xfe,
0xbc, 0x26, 0x95, 0x88, 0x8a, 0xb0, 0xa3, 0xfb, 0xc0, 0x18, 0x94, 0xf2, 0xe1, 0xe5, 0xe9, 0x5d,
0xd0, 0xdc, 0x11, 0x66, 0x64, 0x5c, 0xec, 0x59, 0x42, 0x75, 0x12, 0xf5, 0x74, 0x9c, 0xaa, 0x23,
0x0e, 0x86, 0xab, 0xbe, 0x2a, 0x02, 0xe7, 0x67, 0xe6, 0x44, 0xa2, 0x6c, 0xc2, 0x93, 0x9f, 0xf1,
0xf6, 0xfa, 0x36, 0xd2, 0x50, 0x68, 0x9e, 0x62, 0x71, 0x15, 0x3d, 0xd6, 0x40, 0xc4, 0xe2, 0x0f,
0x8e, 0x83, 0x77, 0x6b, 0x25, 0x05, 0x3f, 0x0c, 0x30, 0xea, 0x70, 0xb7, 0xa1, 0xe8, 0xa9, 0x65,
0x8d, 0x27, 0x1a, 0xdb, 0x81, 0xb3, 0xa0, 0xf4, 0x45, 0x7a, 0x19, 0xdf, 0xee, 0x78, 0x34, 0x60
};
unsigned char ZUC_S1[256] =
{ 0x55, 0xc2, 0x63, 0x71, 0x3b, 0xc8, 0x47, 0x86, 0x9f, 0x3c, 0xda, 0x5b, 0x29, 0xaa, 0xfd, 0x77,
0x8c, 0xc5, 0x94, 0x0c, 0xa6, 0x1a, 0x13, 0x00, 0xe3, 0xa8, 0x16, 0x72, 0x40, 0xf9, 0xf8, 0x42,
0x44, 0x26, 0x68, 0x96, 0x81, 0xd9, 0x45, 0x3e, 0x10, 0x76, 0xc6, 0xa7, 0x8b, 0x39, 0x43, 0xe1,
0x3a, 0xb5, 0x56, 0x2a, 0xc0, 0x6d, 0xb3, 0x05, 0x22, 0x66, 0xbf, 0xdc, 0x0b, 0xfa, 0x62, 0x48,
0xdd, 0x20, 0x11, 0x06, 0x36, 0xc9, 0xc1, 0xcf, 0xf6, 0x27, 0x52, 0xbb, 0x69, 0xf5, 0xd4, 0x87,
0x7f, 0x84, 0x4c, 0xd2, 0x9c, 0x57, 0xa4, 0xbc, 0x4f, 0x9a, 0xdf, 0xfe, 0xd6, 0x8d, 0x7a, 0xeb,
0x2b, 0x53, 0xd8, 0x5c, 0xa1, 0x14, 0x17, 0xfb, 0x23, 0xd5, 0x7d, 0x30, 0x67, 0x73, 0x08, 0x09,
0xee, 0xb7, 0x70, 0x3f, 0x61, 0xb2, 0x19, 0x8e, 0x4e, 0xe5, 0x4b, 0x93, 0x8f, 0x5d, 0xdb, 0xa9,
0xad, 0xf1, 0xae, 0x2e, 0xcb, 0x0d, 0xfc, 0xf4, 0x2d, 0x46, 0x6e, 0x1d, 0x97, 0xe8, 0xd1, 0xe9,
0x4d, 0x37, 0xa5, 0x75, 0x5e, 0x83, 0x9e, 0xab, 0x82, 0x9d, 0xb9, 0x1c, 0xe0, 0xcd, 0x49, 0x89,
0x01, 0xb6, 0xbd, 0x58, 0x24, 0xa2, 0x5f, 0x38, 0x78, 0x99, 0x15, 0x90, 0x50, 0xb8, 0x95, 0xe4,
0xd0, 0x91, 0xc7, 0xce, 0xed, 0x0f, 0xb4, 0x6f, 0xa0, 0xcc, 0xf0, 0x02, 0x4a, 0x79, 0xc3, 0xde,
0xa3, 0xef, 0xea, 0x51, 0xe6, 0x6b, 0x18, 0xec, 0x1b, 0x2c, 0x80, 0xf7, 0x74, 0xe7, 0xff, 0x21,
0x5a, 0x6a, 0x54, 0x1e, 0x41, 0x31, 0x92, 0x35, 0xc4, 0x33, 0x07, 0x0a, 0xba, 0x7e, 0x0e, 0x34,
0x88, 0xb1, 0x98, 0x7c, 0xf3, 0x3d, 0x60, 0x6c, 0x7b, 0xca, 0xd3, 0x1f, 0x32, 0x65, 0x04, 0x28,
0x64, 0xbe, 0x85, 0x9b, 0x2f, 0x59, 0x8a, 0xd7, 0xb0, 0x25, 0xac, 0xaf, 0x12, 0x03, 0xe2, 0xf2
};
//D value in key loading
uint32_t ZUC_D[16] = {0x44D7, 0x26BC, 0x626B, 0x135E, 0x5789, 0x35E2, 0x7135, 0x09AF,
0x4D78, 0x2F13, 0x6BC4, 0x1AF1, 0x5E26, 0x3C4D, 0x789A, 0x47AC
};
//rotate n bits to the left in a 32bit buffer
#define ZUC_ROTL32(x, k) (((x) << k) | ((x) >> (32 - k)))
//si = ki¡¬ di¡¬ ivi,in key loading
#define ZUC_LINK_TO_S(a, b, c) (((uint32_t)(a) << 23)|((uint32_t)(b) << 8)|(uint32_t)(c))
uint32_t add_mod(uint32_t a, uint32_t b);
uint32_t pow_mod(uint32_t x, uint32_t k);
uint32_t l1(uint32_t X);
uint32_t l2(uint32_t X);
unsigned char bit_value(uint32_t M[], uint32_t i);
uint32_t get_word(uint32_t k[], uint32_t i);
void lfsr_with_init_mode(uint32_t LFSR_S[], uint32_t u) ;
void lfsr_with_work_mode(uint32_t LFSR_S[]) ;
void br(uint32_t LFSR_S[], uint32_t BR_X[]);
uint32_t f(uint32_t BR_X[], uint32_t F_R[]);

View File

@@ -1,530 +0,0 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "zuc_standard.h"
#include "zuc.h"
/************************************************************
Function: add_mod
Description: calculate a+b mod 2^31-1
Calls:
Called By: lfsr_with_init_mode
Input: a,b: uint32_t(32bit)
Output:
Return: c, c=a+b mod 2^31-1
Others:
************************************************************/
uint32_t add_mod(uint32_t a, uint32_t b)
{
uint32_t c = a + b;
if (c >> 31)
{
c = (c & 0x7fffffff) + 1;
}
return c;
}
/************************************************************
Function: pow_mod
Description: calculate x*2^k mod 2^31-1
Calls: Called By: lfsr_with_init_mode
Input: x: input
k: exponential
Output:
Return: x*2^k mod 2^31-1
Others:
************************************************************/
uint32_t pow_mod(uint32_t x, uint32_t k)
{
return (((x << k) | (x >> (31 - k))) & 0x7fffffff);
}
/************************************************************
Function: l1
Description: linear transformation l1
Calls:
Called By: f
Input: X: input
Output:
Return: X^(X<<< 2)^(X<<<10)^(X<<<18)^(X<<<24)
Others:
************************************************************/
uint32_t l1(uint32_t X)
{
return X ^ ZUC_ROTL32(X, 2) ^ ZUC_ROTL32(X, 10) ^ ZUC_ROTL32(X, 18) ^ ZUC_ROTL32(X, 24);
}
/************************************************************
Function: l2
Description: linear transformation l2
Calls:
Called By: f
Input: X: input
Output:
Return: X^(X<<< 8)^(X<<<14)^(X<<<22)^(X<<<30)
Others:
************************************************************/
uint32_t l2(uint32_t X)
{
return X ^ ZUC_ROTL32(X, 8) ^ ZUC_ROTL32(X, 14) ^ ZUC_ROTL32(X, 22) ^ ZUC_ROTL32(X, 30);
}
/************************************************************
Function: bit_value
Description: test if the value of M at the position i equals 0
Calls:
Called By: zuc_integrity
Input: M: message
i: the position i
Output:
Return: 0:the value of M at the position i equals 0
1:the value of M at the position i equals 1
Others:
************************************************************/
unsigned char bit_value(uint32_t M[], uint32_t i)
{
int j, k;
j = i >> 5;
k = i & 0x1f;
if (M[j] & (0x1 << (31 - k)))
return 1;
else
return 0;
}
/************************************************************
Function: get_word
Description: get a 32bit word ki from bit strings k[i],k[i+1]...,namely
ki=k[i]||k[i+1]||…||k[i+31]
Calls:
Called By: zuc_integrity
Input: k[]:
i: the position i
Output:
Return: ki=k[i]||k[i+1]||…||k[i+31]
Others:
************************************************************/
uint32_t get_word(uint32_t k[], uint32_t i)
{
int j, m;
uint32_t word;
j = i >> 5;
m = i & 0x1f;
if (m == 0)
word = k[j];
else
word = (k[j] << m) | (k[j + 1] >> (32 - m));
return word;
}
/************************************************************
Function: lfsr_with_init_mode
Description: Initialisation mode,refresh the current state of LFSR
Calls: add_mod,pow_mod
Called By: zuc_standard_init
Input: LFSR_S:current state of LFSR
u:u=W>>1
Output: Null
Return: Null
Others:
************************************************************/
void lfsr_with_init_mode(uint32_t LFSR_S[], uint32_t u)
{
uint32_t v = LFSR_S[0], i;
v = add_mod(v, pow_mod(LFSR_S[15], 15));
v = add_mod(v, pow_mod(LFSR_S[13], 17));
v = add_mod(v, pow_mod(LFSR_S[10], 21));
v = add_mod(v, pow_mod(LFSR_S[4] , 20));
v = add_mod(v, pow_mod(LFSR_S[0] , 8));
for (i = 0; i < 15; i++)
{
LFSR_S[i] = LFSR_S[i + 1];
}
LFSR_S[15] = add_mod(v, u);
if (!LFSR_S[15])
{
LFSR_S[15] = 0x7fffffff;
}
};
/************************************************************
Function: lfsr_with_work_mode
Description: working mode,refresh the current state of LFSR
Calls: add_mod,pow_mod
Called By: zuc_standard_work
Input: LFSR_S:current state of LFSR
Output: Null
Return: Null
Others:
************************************************************/
void lfsr_with_work_mode(uint32_t LFSR_S[])
{
uint32_t v = LFSR_S[0], i;
v = add_mod(v, pow_mod(LFSR_S[15], 15));
v = add_mod(v, pow_mod(LFSR_S[13], 17));
v = add_mod(v, pow_mod(LFSR_S[10], 21));
v = add_mod(v, pow_mod(LFSR_S[4] , 20));
v = add_mod(v, pow_mod(LFSR_S[0] , 8));
for (i = 0; i < 15; i++)
{
LFSR_S[i] = LFSR_S[i + 1];
}
LFSR_S[15] = v;
if (!LFSR_S[15])
{
LFSR_S[15] = 0x7fffffff;
}
};
/************************************************************
Function: br
Description: Bit Reconstruction
Calls:
Called By: zuc_standard_init,zuc_standard_work
Input: LFSR_S:current state of LFSR
Output: BR_X[]:achieve X0,X1,X2,X3
Return: Null
Others:
************************************************************/
void br(uint32_t LFSR_S[], uint32_t BR_X[])
{
BR_X[0] = ((LFSR_S[15] & 0x7fff8000) << 1) | (LFSR_S[14] & 0x0000ffff);
BR_X[1] = ((LFSR_S[11] & 0x0000ffff) << 16) | ((LFSR_S[9] & 0x7fff8000) >> 15);
BR_X[2] = ((LFSR_S[7] & 0x0000ffff) << 16) | ((LFSR_S[5] & 0x7fff8000) >> 15);
BR_X[3] = ((LFSR_S[2] & 0x0000ffff) << 16) | ((LFSR_S[0] & 0x7fff8000) >> 15);
}
/************************************************************
Function: f
Description: nonlinear function
Calls:
Called By: zuc_standard_init,zuc_standard_work
Input: BR_X[]:words X0,X1,X2,X3 from br
F_R[]:F_R[0]=R1,F_R[1]=R2
Output:
Return: W
Others:
************************************************************/
uint32_t f(uint32_t BR_X[], uint32_t F_R[])
{
uint32_t W, W1, W2;
W = (BR_X[0] ^ F_R[0]) + F_R[1];
W1 = F_R[0] + BR_X[1];
W2 = F_R[1] ^ BR_X[2];
F_R[0] = l1((W1 << 16) | (W2 >> 16));
F_R[0] = (ZUC_S0[(F_R[0] >> 24) & 0xFF]) << 24
| (ZUC_S1[(F_R[0] >> 16) & 0xFF]) << 16
| (ZUC_S0[(F_R[0] >> 8) & 0xFF]) << 8
| (ZUC_S1[F_R[0] & 0xFF]);
F_R[1] = l2((W2 << 16) | (W1 >> 16));
F_R[1] = (ZUC_S0[(F_R[1] >> 24) & 0xFF]) << 24
| (ZUC_S1[(F_R[1] >> 16) & 0xFF]) << 16
| (ZUC_S0[(F_R[1] >> 8) & 0xFF]) << 8
| (ZUC_S1[F_R[1] & 0xFF]);
return W;
};
/************************************************************
Function: zuc_standard_init
Description: Initialisation process of ZUC
Calls: ZUC_LINK_TO_S,br,f,lfsr_with_init_mode
Called By: zuc_genkeystream
Input: k:initial key
iv:initial vector
Output: LFSR_S[]:the state of LFSR after initialisation:s0,s1,s2,..s15
BR_X[] : the current value:X0,X1,X2,X3
F_R[]:the current value:R1,R2,F_R[0]=R1,F_R[1]=R2
Return: Null
Others:
************************************************************/
void zuc_standard_init(unsigned char k[], unsigned char iv[], uint32_t LFSR_S[], uint32_t
BR_X[], uint32_t F_R[])
{
unsigned char count = 32;
int i;
//loading key to the LFSR s0,s1,s2....s15
printf("\ninitial state of LFSR: S[0]-S[15]\n");
for (i = 0; i < 16; i++)
{
LFSR_S[i] = ZUC_LINK_TO_S(k[i], ZUC_D[i], iv[i]);
printf("%08x ", LFSR_S[i]);
}
F_R[0] = 0x00; //R1
F_R[1] = 0x00; //R2
while (count) //32 times
{
uint32_t W;
br( LFSR_S, BR_X); //BitReconstruction
W = f(BR_X, F_R); //nonlinear function
lfsr_with_init_mode(LFSR_S, W >> 1);
count--;
}
}
/************************************************************
Function: zuc_standard_work
Description: working stage of ZUC
Calls: br,f,lfsr_with_work_mode
Called By: zuc_genkeystream
Input: LFSR_S[]:the state of LFSR after initialisation:s0,s1,s2,..s15
BR_X[] : X0,X1,X2,X3
F_R[]:R1,R2
Output: pKeyStream[]:key stream
KeyStreamLen:the length of KeyStream,exporting 32bit for a beat
Return: Null
Others:
************************************************************/
void zuc_standard_work(uint32_t LFSR_S[], uint32_t BR_X[], uint32_t F_R[], uint32_t
pKeyStream[], int KeyStreamLen)
{
int i = 0;
br(LFSR_S, BR_X);
f(BR_X, F_R);
lfsr_with_work_mode(LFSR_S);
while (i < KeyStreamLen)
{
br( LFSR_S, BR_X);
pKeyStream[i] = f(BR_X, F_R) ^ BR_X[3];
lfsr_with_work_mode(LFSR_S);
i++;
}
}
/****************************************************************
Function: zuc_genkeystream
Description: generate key stream
Calls: zuc_standard_init,zuc_standard_work
Called By: ZUC_SelfCheck
Input: k[] //initial key,128bit
iv[] //initial iv,128bit
KeyStreamLen //the byte length of KeyStream,exporting 32bit for a beat
Output: KeyStream[] // key strem to be outputed
Return: null
Others:
****************************************************************/
void zuc_genkeystream(unsigned char k[], unsigned char iv[], uint32_t KeyStream[], int
KeyStreamLen)
{
uint32_t LFSR_S[16]; //LFSR state s0,s1,s2,...s15
uint32_t BR_X[4]; //Bit Reconstruction X0,X1,X2,X3
uint32_t F_R[2]; //R1,R2,variables of nonlinear function f
int i;
//Initialisation
zuc_standard_init(k, iv, LFSR_S, BR_X, F_R);
printf("\nstate of LFSR after executing initialization: S[0]-S[15]\n");
for (i = 0; i < 16; i++)
{
printf("%08x ", LFSR_S[i]);
}
printf("\ninternal state of Finite State Machine:\n");
printf("R1=%08x\n", F_R[0]);
printf("R2=%08x\n", F_R[1]);
//Working
zuc_standard_work(LFSR_S, BR_X, F_R, KeyStream, KeyStreamLen);
}
/****************************************************************
Function: zuc_confidentiality
Description: the ZUC-based condifentiality algorithm
Calls: zuc_genkeystream
Called By: ZUC_SelfCheck
Input: CK[] //initial key,128bit,uesed to gain the key of ZUC KeyStream
generation algorithm
COUNT //128bit
BEARER //5bit,bearing layer identification,
DIRECTION //1bit
IBS[] //input bit stream,
LENGTH //the bit length of IBS
Output: OBS[] //output bit stream,
Return: null
Others:
****************************************************************/
void zuc_confidentiality(unsigned char CK[], uint32_t COUNT, unsigned char BEARER, unsigned
char DIRECTION, uint32_t IBS[], int LENGTH, uint32_t OBS[])
{
uint32_t *k;
int L, i, t;
unsigned char iv[16];
//generate vector iv1,iv2,...iv15
iv[0] = (unsigned char)(COUNT >> 24);
iv[1] = (unsigned char)((COUNT >> 16) & 0xff);
iv[2] = (unsigned char)((COUNT >> 8) & 0xff);
iv[3] = (unsigned char)(COUNT & 0xff);
iv[4] = (((BEARER << 3) | (DIRECTION << 2)) & 0xfc);
iv[5] = 0x00;
iv[6] = 0x00;
iv[7] = 0x00;
iv[8] = iv[0];
iv[9] = iv[1];
iv[10] = iv[2];
iv[11] = iv[3];
iv[12] = iv[4];
iv[13] = iv[5];
iv[14] = iv[6];
iv[15] = iv[7];
//L,the length of key stream,taking 32bit as a unit
L = (LENGTH + 31) / 32;
k = malloc(sizeof(uint32_t) * L);
//generate key stream k
zuc_genkeystream(CK, iv, k, L); //generate key stream
//OBS=IBS^k
for (i = 0; i < L; i++)
{
OBS[i] = IBS[i] ^ k[i];
}
t = LENGTH % 32;
if (t)
{
OBS[L - 1] = ((OBS[L - 1] >> (32 - t)) << (32 - t));
}
free(k);
}
/****************************************************************
Function: zuc_integrity
Description: the ZUC-based integrity algorithm
Calls: zuc_genkeystream,bit_value,get_word
Called By: ZUC_SelfCheck
Input: IK[] //integrity key,128bit,uesed to gain the key of ZUC KeyStream
generation algorithm
COUNT //128bit
BEARER //5bit,bearing layer identification,
DIRECTION //1bit
M[] //message
LENGTH //the bit length of M
Output:
Return: MAC //message authentication code
Others:
****************************************************************/
uint32_t zuc_integrity(unsigned char IK[], uint32_t COUNT, unsigned char BEARER, unsigned
char DIRECTION, uint32_t M[], int LENGTH)
{
uint32_t *k, ki, MAC;
int L, i;
unsigned char iv[16];
uint32_t T = 0;
//generate vector iv1,iv2,...iv15
iv[0] = (unsigned char)(COUNT >> 24);
iv[1] = (unsigned char)((COUNT >> 16) & 0xff);
iv[2] = (unsigned char)((COUNT >> 8) & 0xff);
iv[3] = (unsigned char)(COUNT & 0xff);
iv[4] = BEARER << 3;
iv[5] = 0x00;
iv[6] = 0x00;
iv[7] = 0x00;
iv[8] = iv[0] ^ (DIRECTION << 7);
iv[9] = iv[1];
iv[10] = iv[2];
iv[11] = iv[3];
iv[12] = iv[4];
iv[13] = iv[5];
iv[14] = iv[6] ^ (DIRECTION << 7);
iv[15] = iv[7];
//L,the length of key stream,taking 32bit as a unit
L = (LENGTH + 31) / 32 + 2;
k = malloc(sizeof(uint32_t) * L);
//generate key stream k
zuc_genkeystream(IK, iv, k, L);
//T=T^ki
for (i = 0; i < LENGTH; i++)
{
if (bit_value(M, i))
{
ki = get_word(k, i);
T = T ^ ki;
}
}
//T=T^kLENGTH
ki = get_word(k, LENGTH);
T = T ^ ki;
//MAC=T^k(32*(L-1))
ki = get_word(k, 32 * (L - 1));
MAC = T ^ ki;
free(k);
return MAC;
}

View File

@@ -1,73 +0,0 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_ZUC_STANDARD_H
#define HEADER_ZUC_STANDARD_H
#include <openssl/opensslconf.h>
#ifndef NO_GMSSL
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/e_os2.h>
# ifdef __cplusplus
extern "C" {
# endif
void zuc_standard_init(unsigned char k[], unsigned char iv[], uint32_t LFSR_S[], uint32_t BR_X[], uint32_t F_R[]);
void zuc_standard_work(uint32_t LFSR_S[], uint32_t BR_X[], uint32_t F_R[], uint32_t pKeyStream[], int KeyStreamLen);
void zuc_genkeystream(unsigned char k[], unsigned char iv[], uint32_t KeyStream[], int KeyStreamLen);
void zuc_confidentiality(unsigned char CK[], uint32_t COUNT, unsigned char BEARER, unsigned
char DIRECTION, uint32_t IBS[], int LENGTH, uint32_t OBS[]);
uint32_t zuc_integrity(unsigned char IK[], uint32_t COUNT, unsigned char BEARER, unsigned
char DIRECTION, uint32_t M[], int LENGTH);
# ifdef __cplusplus
}
# endif
# endif
# endif

File diff suppressed because it is too large Load Diff

View File

@@ -1,30 +0,0 @@
/*
* MIRACL compiler/hardware definitions - mirdef.h
* For C++ build of library
*/
#ifndef HEADER_MIRDEF_H
#define HEADER_MIRDEF_H
#ifdef __cplusplus
extern "C"{
#endif
#define MR_LITTLE_ENDIAN
#define MIRACL 64
#define mr_utype long
#define mr_dltype long long
#define mr_unsign64 unsigned long
#define MR_IBITS 32
#define MR_LBITS 64
#define mr_unsign32 unsigned int
#define MR_FLASH 52
#define MAXBASE ((mr_small)1<<(MIRACL-1))
#define MR_BITSINCHAR 8
#define MR_CPP
#ifdef __cplusplus
}
#endif
#endif

View File

@@ -1,265 +0,0 @@
#include <stdio.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/pem.h>
#include <openssl/dso.h>
#include <openssl/engine.h>
#include <openssl/ui.h>
#include <openssl/rand.h>
#ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
#include <openssl/ecdh.h>
#include "ec2m_kern.h"
struct ecdh_method
{
const char *name;
int (*compute_key)(void *key, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
int flags;
char *app_data;
};
#ifndef OPENSSL_NO_HW
/* the header file of vender */
//#include "hwdevice.h"
/* Constants used when creating the ENGINE */
static const char *engine_hwdev_id = "cba_ecdh";
static const char *engine_hwdev_name = "cold boot resistant ECDH";
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
/* Compatibility hack, the dynamic library uses this form in the path */
static const char *engine_hwdev_id_alt = "cba_ecdh";
#endif
static int compute_key(void *out, size_t outlen,
const EC_POINT *pub_key, EC_KEY *ecdh,
void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
{
const EC_GROUP* group;
int ret;
group = EC_KEY_get0_group(ecdh);
// only use our solution if the curve name is SECT163K1
if (EC_GROUP_get_curve_name(group) == NID_sect163k1) {
const BIGNUM* rkey;
BN_CTX *ctx;
BIGNUM* x, *y;
mm256_point_t p, q;
mm_256 mkey;
int r;
ctx = BN_CTX_new();
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
rkey = EC_KEY_get0_private_key(ecdh);
memset(&mkey, 0, sizeof(mkey));
memcpy(&mkey, rkey->d, sizeof(rkey->d[0]) * rkey->top);
ec2m_import_key(&mkey);
r = EC_POINT_get_affine_coordinates_GF2m(group, pub_key, x, y, ctx);
memset(&p, 0, sizeof(p));
memcpy(&p.x, x->d, sizeof(x->d[0]) * x->top);
memcpy(&p.y, y->d, sizeof(y->d[0]) * y->top);
p.z.iv[0] = 1;
r = ec2m_private_operation(&p, &q);
if (r < 0) {
fprintf(stderr, "invalid result: %d\n", r);
}
int xlen = (163 + 7) / 8;
if (KDF != 0)
{
if (KDF(&q.x, xlen, out, &outlen) == NULL)
{
return -1;
}
ret = outlen;
}
else
{
/* no KDF, just copy as much as we can */
if (outlen > xlen)
outlen = xlen;
memcpy(out, &q.x, outlen);
ret = outlen;
}
BN_CTX_end(ctx);
BN_CTX_free(ctx);
} else {
// use the default method
const ECDH_METHOD* meth = ECDH_OpenSSL();
return meth->compute_key(out, outlen, pub_key, ecdh, KDF);
}
return ret;
}
static ECDH_METHOD ecdh_meth = {
"CBA resistant ECDH method",
compute_key,
0,
NULL
};
static int hwdev_destroy(ENGINE *e)
{
fprintf(stderr, "arrive at hwdev_destroy\n");
return 1;
}
static int hwdev_init(ENGINE *e)
{
fprintf(stderr, "arrive at hwdev_init\n");
ec2m_kern_init();
return 1;
}
static int hwdev_finish(ENGINE *e)
{
fprintf(stderr, "arrive at hwdev_finish\n");
ec2m_kern_clean();
return 1;
}
/* The definitions for control commands specific to this engine */
#define HWDEV_CMD_INIT (ENGINE_CMD_BASE)
#define HWDEV_CMD_EXIT (ENGINE_CMD_BASE + 1)
#define HWDEV_CMD_TEST (ENGINE_CMD_BASE + 2)
static const ENGINE_CMD_DEFN hwdev_cmd_defns[] = {
{HWDEV_CMD_INIT,
"INIT",
"init the hardware device before using",
ENGINE_CMD_FLAG_STRING}, /* may be the password */
{HWDEV_CMD_EXIT,
"EXIT",
"exit the hardware device after using",
ENGINE_CMD_FLAG_NO_INPUT},
{HWDEV_CMD_TEST,
"TEST",
"run the test case of the hardware device",
ENGINE_CMD_FLAG_NUMERIC}, /* may be the number of test case */
{0, NULL, NULL, 0}
};
/* This internal function is used by ENGINE_chil() and possibly by the
* "dynamic" ENGINE support too */
static int hwdev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
{
int to_return = 1;
switch(cmd) {
case HWDEV_CMD_INIT:
fprintf(stderr, "arrive at HWDEV_CMD_INIT, password: %s\n",
(const char *)p);
break;
case HWDEV_CMD_EXIT:
fprintf(stderr, "arrive at HWDEV_CMD_EXIT, no parameters\n");
break;
case HWDEV_CMD_TEST:
fprintf(stderr, "arrive at HWDEV_CMD_TEST, case id: %ld\n",
i);
break;
/* The command isn't understood by this engine */
default:
to_return = 0;
break;
}
return to_return;
}
static EVP_PKEY *hwdev_load_privkey(ENGINE *eng, const char *key_id,
UI_METHOD *ui_method, void *callback_data)
{
fprintf(stderr, "arrive at hwdev_load_privkey\n");
EVP_PKEY *res = NULL;
return res;
}
static EVP_PKEY *hwdev_load_pubkey(ENGINE *eng, const char *key_id,
UI_METHOD *ui_method, void *callback_data)
{
fprintf(stderr, "arrive at hwdev_load_pubkey\n");
EVP_PKEY *res = NULL;
return res;
}
static int bind_helper(ENGINE *e)
{
fprintf(stderr, "arrive at bind_helper\n");
if(!ENGINE_set_id(e, engine_hwdev_id) ||
!ENGINE_set_name(e, engine_hwdev_name) ||
!ENGINE_set_ECDH(e, &ecdh_meth) ||
!ENGINE_set_destroy_function(e, hwdev_destroy) ||
!ENGINE_set_init_function(e, hwdev_init) ||
!ENGINE_set_finish_function(e, hwdev_finish) ||
!ENGINE_set_ctrl_function(e, hwdev_ctrl) ||
!ENGINE_set_load_privkey_function(e, hwdev_load_privkey) ||
!ENGINE_set_load_pubkey_function(e, hwdev_load_pubkey) ||
!ENGINE_set_cmd_defns(e, hwdev_cmd_defns))
return 0;
return 1;
}
static ENGINE *engine_hwdev(void)
{
fprintf(stderr, "arrive at engine_test\n");
ENGINE *ret = ENGINE_new();
if(!ret) {
return NULL;
}
if(!bind_helper(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
void ENGINE_load_test(void)
{
fprintf(stderr, "arrive at ENGINE_load_test\n");
/* Copied from eng_[openssl|dyn].c */
ENGINE *toadd = engine_hwdev();
if(!toadd) return;
ENGINE_add(toadd);
ENGINE_free(toadd);
ERR_clear_error();
}
//#endif
/* This stuff is needed if this ENGINE is being compiled into a self-contained
* shared-library. */
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int bind_fn(ENGINE *e, const char *id)
{
fprintf(stderr, "arrive at bind_fn\n");
if(id && (strcmp(id, engine_hwdev_id) != 0) &&
(strcmp(id, engine_hwdev_id_alt) != 0))
return 0;
if(!bind_helper(e))
return 0;
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
#endif /* !OPENSSL_NO_HW */

View File

@@ -1,49 +0,0 @@
#ifndef _EC_H_
#define _EC_H_
#ifdef EC_DEV
#include <stdint.h>
#else
#include <linux/types.h>
#endif
//extern unsigned int sqr_table[1 << 16];
typedef struct _struct_mm_128{
union{
float fv[4];
double dv[2];
uint64_t iv[2];
uint8_t bv[16];
};
} mm_128;
typedef struct _struct_mm_256{
union{
float fv[8];
double dv[4];
uint64_t iv[4];
uint8_t bv[32];
};
} mm_256;
typedef struct {
mm_256 x;
mm_256 y;
mm_256 z;
} mm256_point_t;
extern void gf2_add(mm_256* a, mm_256* b, mm_256* r);
extern void gf2_mul(mm_256* a, mm_256* b, mm_256* r1, mm_256* r2);
extern void gf2_mod(mm_256* a1, mm_256* a2, mm_256* r);
extern void gf2_sqr(mm_256* a, mm_256* r1, mm_256* r2);
extern void gf2_mod_mul(mm_256* a, mm_256* b, mm_256* r);
extern void gf2_mod_sqr(mm_256* a, mm_256* r);
extern void gf2m_inv(mm_256* a, mm_256 *r);
extern void gf2m_inv_asm(mm_256* a, mm_256 *r);
extern void gf2_point_dbl(mm256_point_t* pa, mm256_point_t* pr, int a, int b);
extern void gf2_point_add(mm256_point_t* pa, mm256_point_t* pb, mm256_point_t* pr, int a, int b);
extern void gf2_point_mul(mm256_point_t* p, mm_256* k, mm256_point_t* q, int a, int b);
extern void gf2_point_mul_with_preset_key(mm256_point_t* p, mm256_point_t* q, int a, int b);
#endif

View File

@@ -1,174 +0,0 @@
#include "ec2m_kern.h"
#include <string.h>
#include <stdint.h>
#include <stdio.h>
#include <assert.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>
#include <malloc.h>
#include "util.h"
int sock_fd;
int init_netlink(int unit, int portId){
struct sockaddr_nl src_addr;
sock_fd=socket(PF_NETLINK, SOCK_RAW, unit);
if(sock_fd<0)
return -1;
memset(&src_addr, 0, sizeof(src_addr));
src_addr.nl_family = AF_NETLINK;
src_addr.nl_pid = portId; /* self pid */
/* interested in group 1<<0 */
bind(sock_fd, (struct sockaddr*)&src_addr,
sizeof(src_addr)); //绑定netlink
if(sock_fd < 0)
return -1;
return 0;
}
int send_request(const int func, const void* msg, int mlen)
{
struct nlmsghdr *nlh = NULL;
struct iovec iov;
struct msghdr mhdr;
struct sockaddr_nl dest_addr;
struct ec2m_request_st req;
const int len = mlen + sizeof(struct ec2m_request_st);
req.func = func;
req.len = len;
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.nl_family = AF_NETLINK;
dest_addr.nl_pid = 0; /* For Linux Kernel */
dest_addr.nl_groups = 0; /* unicast */
memset(&mhdr, 0, sizeof(mhdr));
nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(len));
memset(nlh, 0, NLMSG_SPACE(len));
nlh->nlmsg_len = NLMSG_SPACE(len);
nlh->nlmsg_pid = getpid();
nlh->nlmsg_flags = 0;
memcpy((void*)NLMSG_DATA(nlh), &req, sizeof(req));
memcpy((void*)NLMSG_DATA(nlh) + sizeof(req), msg, mlen);
iov.iov_base = (void *)nlh;
iov.iov_len = nlh->nlmsg_len;
mhdr.msg_name = (void *)&dest_addr;
mhdr.msg_namelen = sizeof(dest_addr);
mhdr.msg_iov = &iov;
mhdr.msg_iovlen = 1;
sendmsg(sock_fd,&mhdr,0); //通过netlink发送消息
return OK;
}
int recv_response(void* buf, int len)
{
struct ec2m_response_st resp;
struct nlmsghdr *nlh = NULL;
struct iovec iov;
struct msghdr mhdr;
struct sockaddr_nl dest_addr;
int buflen;
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.nl_family = AF_NETLINK;
dest_addr.nl_pid = 0; /* For Linux Kernel */
dest_addr.nl_groups = 0; /* unicast */
memset(&mhdr, 0, sizeof(mhdr));
nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD));
memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD));
nlh->nlmsg_len = NLMSG_SPACE(MAX_PAYLOAD);
nlh->nlmsg_pid = getpid();
nlh->nlmsg_flags = 0;
iov.iov_base = (void *)nlh;
iov.iov_len = nlh->nlmsg_len;
mhdr.msg_name = (void *)&dest_addr;
mhdr.msg_namelen = sizeof(dest_addr);
mhdr.msg_iov = &iov;
mhdr.msg_iovlen = 1;
buflen = recvmsg(sock_fd, &mhdr, 0);
if(buflen < 0){
fprintf(stderr, "invalid retval of recvmsg %d\n", buflen);
return buflen;
}
buflen -= NLMSG_HDRLEN;
assert(buflen >= sizeof(resp));
memcpy(&resp, NLMSG_DATA(nlh), sizeof(resp));
buflen -= sizeof(resp);
assert(buflen == len);
if (buflen > 0 && buf != NULL) {
memcpy(buf, NLMSG_DATA(nlh) + sizeof(resp), buflen);
}
/* printf("resp: %d, len: %d\n", resp.result, buflen); */
return resp.result;
}
int ec2m_kern_init()
{
int r;
r = init_netlink(NETLINK_ECC, getpid());
if (r < 0)
return r;
return 0;
}
void ec2m_kern_clean()
{
close(sock_fd);
}
int ec2m_import_key(mm_256* key)
{
int r;
/* printf("key: %016lx%016lx%016lx\n", key->iv[2], key->iv[1], key->iv[0]); */
r = send_request(REQ_IMPORT_KEY, key, sizeof(mm_256));
if (r < 0)
return r;
r = recv_response(NULL, 0);
if (r < 0)
return r;
return 0;
}
int ec2m_private_operation(mm256_point_t*p, mm256_point_t*q)
{
int r;
r = send_request(REQ_PRIVATE_OP, p, sizeof(mm256_point_t));
if (r < 0)
return r;
r = recv_response(q, sizeof(mm256_point_t));
if (r < 0)
return r;
return 0;
}

View File

@@ -1,36 +0,0 @@
#ifndef _EC2M_KERN_H_
#define _EC2M_KERN_H_
#define NETLINK_ECC 31
#define MAX_PAYLOAD 1024
#define REQ_IMPORT_KEY 1
#define REQ_PRIVATE_OP 2
#define OK 0
#define FAIL -1
#ifdef __KERNEL__
#include <linux/types.h>
#else
#include <stdint.h>
#endif
#include "ec.h"
struct ec2m_request_st {
int func;
int len;
};
struct ec2m_response_st
{
int result;
};
extern int ec2m_kern_init(void);
extern void ec2m_kern_clean(void);
extern int ec2m_import_key(mm_256 *key);
extern int ec2m_private_operation(mm256_point_t*p, mm256_point_t*q);
#endif

View File

@@ -1,104 +0,0 @@
#include "ec.h"
#include "string.h"
#include "stdio.h"
int is_one(mm_256* a)
{
int i;
if (a->iv[0] != 1)
return 0;
for (i = 1; i < 4; i++) {
if (a->iv[i] != 0)
return 0;
}
return 1;
}
void shift_right(mm_256* a)
{
int i;
for (i = 0; i < 3; i++) {
a->iv[i] = (a->iv[i] >> 1) | (a->iv[i + 1] << 63);
}
a->iv[3] >>= 1;
}
void add(mm_256* a, mm_256*b)
{
int i;
for (i = 0; i < 4; i++) {
b->iv[i] = b->iv[i] ^ a->iv[i];
}
}
int deg(mm_256* a)
{
int cnt = 0;
int i;
uint64_t c;
for (i = 3; i >= 0; i--) {
if (a->iv[i] != 0) {
break;
}
}
cnt = i * 64;
c = a->iv[i];
while (c != 0) {
cnt ++;
c >>= 1;
}
return cnt;
}
void gf2m_inv(mm_256* a, mm_256 *r)
{
mm_256 b, c, u, v, f, t;
// b = 1
memset(&b, 0, sizeof(b));
b.iv[0] = 1;
// c = 0
memset(&c, 0, sizeof(c));
// u = a
u = *a;
// v = f
memset(&v, 0, sizeof(v));
memset(&f, 0, sizeof(f));
f.bv[0] = 0xc9;
f.bv[20] = 0x8;
v = f;
while (1) {
while ((u.bv[0] & 0x1) == 0) {
shift_right(&u);
if ((b.iv[0] & 0x1) != 0) {
add(&f, &b);
}
shift_right(&b);
}
if (is_one(&u))
break;
if (deg(&u) < deg(&v)) {
t = u;
u = v;
v = t;
t = b;
b = c;
c = t;
}
add(&v, &u);
add(&c, &b);
/* break; */
}
*r = b;
}

View File

@@ -1,37 +0,0 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "ec.h"
#include "test.h"
int main(int argc, char** argv){
/*
int i;
for(i = 0; i < argc; i++){
printf("arg %d: %s\n", i, argv[i]);
}
*/
char* cmd = argv[1];
if(!initDomainParameters(argc, argv)){
return 1;
}
if(strcmp(cmd, "testFieldArithmetic") == 0){
return testFieldArithmetic();
} else if(strcmp(cmd, "testPointArithmetic") == 0){
return testPointArithmetic();
} else if(strcmp(cmd, "testAES") == 0){
return testAES();
} else if(strcmp(cmd, "benchmark_ec2") == 0){
return benchmark_EC2();
} else if(strcmp(cmd, "testKernelEc2m") == 0){
return testKernelEc2m();
} else if(strcmp(cmd, "testMisc") == 0){
return testMisc();
} else if(strcmp(cmd, "testCycles") == 0){
return benchmark_cycles();
}
return 1;
}

View File

@@ -1,260 +0,0 @@
#include <stdio.h>
#include <string.h>
#include <openssl/ecdh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
#include "myengine.h"
#include "../ec.h"
#include "../util.h"
int get_affine(const EC_GROUP* group, const EC_POINT* point, BIGNUM* x, BIGNUM* y, BN_CTX *ctx){
int ret = 0;
if(EC_POINT_is_at_infinity(group, point)){
return 0;
}
if(x == NULL || y == NULL)
return 0;
if(BN_cmp(&point->Z, BN_value_one()) == 0){
if(!BN_copy(x, &point->X) || !BN_copy(y, &point->Y))
return 0;
BN_set_negative(x, 0);
BN_set_negative(y, 0);
} else {
BIGNUM* z = BN_new();
if(!BN_GF2m_mod_inv(z, &point->Z, &group->field, ctx)){
printf("could not get the inv\n");
return 0;
}
if(!BN_GF2m_mod_mul(x, &point->X, z, &group->field, ctx)){
return 0;
}
if(!BN_GF2m_mod_sqr(z, z, &group->field, ctx)){
return 0;
}
if(!BN_GF2m_mod_mul(y, &point->Y, z, &group->field, ctx)){
return 0;
}
}
return 1;
}
static int my_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
{
BN_CTX *ctx;
EC_POINT *tmp=NULL;
BIGNUM *x=NULL, *y=NULL;
const BIGNUM *priv_key;
const EC_GROUP* group;
int ret= -1;
size_t buflen, len;
unsigned char *buf=NULL;
mm256_point_t mPK;
mm_256 mUK;
mm256_point_t mR;
group = EC_KEY_get0_group(ecdh);
printf("curve_name: %d, field type: %d, degree: %d, a: %x, b: %x\n", EC_GROUP_get_curve_name(group), EC_METHOD_get_field_type(EC_GROUP_method_of(group)), EC_GROUP_get_degree(group), BN_get_word(&group->a), BN_get_word(&group->b));
// compute with the syscall only when the filetype is NID_X9_62_characteristic_two_field and the degree is 163
if (!(
EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field
&& EC_GROUP_get_degree(group) == 163
))
{
ECDH_METHOD* temp = ECDH_get_default_method();
return temp->compute_key(out, len, pub_key, ecdh, KDF);
}
if (outlen > INT_MAX)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */
return -1;
}
if ((ctx = BN_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
priv_key = EC_KEY_get0_private_key(ecdh);
if (priv_key == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_NO_PRIVATE_VALUE);
goto err;
}
if ((tmp=EC_POINT_new(group)) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
goto err;
}
bn_to_mm256(priv_key, &mUK);
printf("%s\n", BN_bn2hex(priv_key));
print_mm_256(&mUK);
printf("\n");
EC_POINT_to_mm_point(pub_key, &mPK);
print_EC_POINT(pub_key);
printf("\n");
print_mm_point(&mPK);
printf("\n");
init_sqr_table();
gf2_point_mul(&mPK, &mUK, &mR, BN_get_word(&group->a), BN_get_word(&group->b));
print_mm_point(&mR);
printf("\n");
if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
print_EC_POINT(tmp);
printf("\n");
if (!get_affine(group, tmp, x, y, ctx))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
buflen = (EC_GROUP_get_degree(group) + 7)/8;
len = BN_num_bytes(x);
if (len > buflen)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_INTERNAL_ERROR);
goto err;
}
if ((buf = OPENSSL_malloc(buflen)) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
goto err;
}
memset(buf, 0, buflen - len);
if (len != (size_t)BN_bn2bin(x, buf + buflen - len))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_BN_LIB);
goto err;
}
if (KDF != 0)
{
if (KDF(buf, buflen, out, &outlen) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_KDF_FAILED);
goto err;
}
ret = outlen;
}
else
{
/* no KDF, just copy as much as we can */
if (outlen > buflen)
outlen = buflen;
memcpy(out, buf, outlen);
ret = outlen;
}
printf("ECC compute key done!\n");
err:
if (tmp) EC_POINT_free(tmp);
if (ctx) BN_CTX_end(ctx);
if (ctx) BN_CTX_free(ctx);
if (buf) OPENSSL_free(buf);
return(ret);
/* if(1){ */
/* ECDH_METHOD* temp = ECDH_get_default_method(); */
/* return temp->compute_key(out, len, pub_key, ecdh, KDF); */
/* } */
/* return 1; */
}
/****************************************************************************
* Functions to handle the engine *
*****************************************************************************/
static int bind_my(ENGINE *e)
{
//const RSA_METHOD *meth1;
if(!ENGINE_set_id(e, engine_my_id)
|| !ENGINE_set_name(e, engine_my_name)
|| !ENGINE_set_ECDH(e, &my_ecdh)
//|| !ENGINE_set_ciphers(e, my_ciphers)
//|| !ENGINE_set_digests(e, my_digests)
|| !ENGINE_set_destroy_function(e, my_destroy)
|| !ENGINE_set_init_function(e, my_init)
|| !ENGINE_set_finish_function(e, my_finish)
/* || !ENGINE_set_ctrl_function(e, my_ctrl) */
/* || !ENGINE_set_cmd_defns(e, my_cmd_defns) */)
return 0;
return 1;
}
#ifdef ENGINE_DYNAMIC_SUPPORT
static int bind_helper(ENGINE *e, const char *id)
{
if(id && (strcmp(id, engine_my_id) != 0))
return 0;
if(!bind_my(e))
return 0;
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
#else
static ENGINE *engine_my(void)
{
ENGINE *ret = ENGINE_new();
if(!ret)
return NULL;
if(!bind_my(ret))
{
ENGINE_free(ret);
return NULL;
}
return ret;
}
void ENGINE_load_myengine(void)
{
/* Copied from eng_[openssl|dyn].c */
ENGINE *toadd = engine_my();
if(!toadd) return;
ENGINE_add(toadd);
ENGINE_free(toadd);
ERR_clear_error();
}
#endif
static int my_init(ENGINE *e)
{
printf("my_init\n");
return 1;
}
static int my_finish(ENGINE *e)
{
printf("my_finih\n");
return 1;
}
static int my_destroy(ENGINE *e)
{
printf("my_destroy\n");
return 1;
}

View File

@@ -1,175 +0,0 @@
#define INT_MAX 32767
#include <openssl/ec.h>
typedef struct ec_extra_data_st {
struct ec_extra_data_st *next;
void *data;
void *(*dup_func)(void *);
void (*free_func)(void *);
void (*clear_free_func)(void *);
} EC_EXTRA_DATA;
typedef struct ec_key_st {
int version;
EC_GROUP *group;
EC_POINT *pub_key;
BIGNUM *priv_key;
unsigned int enc_flag;
point_conversion_form_t conv_form;
int references;
int flags;
EC_EXTRA_DATA *method_data;
} EC_KEY;
static const char *engine_my_id = "111";
static const char *engine_my_name = "myengine";
/****************************************************************************
* Functions to handle the engine *
***************************************************************************/
static int my_destroy(ENGINE *e);
static int my_init(ENGINE *e);
static int my_finish(ENGINE *e);
/****************************************************************************
* Engine commands *
*****************************************************************************/
static const ENGINE_CMD_DEFN my_cmd_defns[] =
{
{0, NULL, NULL, 0}
};
static int my_ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
/*
some definations missing in openssl header files public accessible
*/
struct ec_point_st {
const EC_METHOD *meth;
/* All members except 'meth' are handled by the method functions,
* * even if they appear generic */
BIGNUM X;
BIGNUM Y;
BIGNUM Z; /* Jacobian projective coordinates:
* (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
int Z_is_one; /* enable optimized point arithmetics for special case */
} /* EC_POINT */;
typedef struct ec_point_st EC_POINT;
struct ec_group_st {
const EC_METHOD *meth;
EC_POINT *generator; /* optional */
BIGNUM order, cofactor;
int curve_name;/* optional NID for named curve */
int asn1_flag; /* flag to control the asn1 encoding */
point_conversion_form_t asn1_form;
unsigned char *seed; /* optional seed for parameters (appears in ASN1) */
size_t seed_len;
struct EC_EXTRA_DATA *extra_data; /* linked list */
/* The following members are handled by the method functions,
* even if they appear generic */
BIGNUM field; /* Field specification.
* For curves over GF(p), this is the modulus;
* for curves over GF(2^m), this is the
* irreducible polynomial defining the field.
*/
int poly[6]; /* Field specification for curves over GF(2^m).
* The irreducible f(t) is then of the form:
* t^poly[0] + t^poly[1] + ... + t^poly[k]
* where m = poly[0] > poly[1] > ... > poly[k] = 0.
* The array is terminated with poly[k+1]=-1.
* All elliptic curve irreducibles have at most 5
* non-zero terms.
*/
BIGNUM a, b; /* Curve coefficients.
* (Here the assumption is that BIGNUMs can be used
* or abused for all kinds of fields, not just GF(p).)
* For characteristic > 3, the curve is defined
* by a Weierstrass equation of the form
* y^2 = x^3 + a*x + b.
* For characteristic 2, the curve is defined by
* an equation of the form
* y^2 + x*y = x^3 + a*x^2 + b.
*/
int a_is_minus3; /* enable optimized point arithmetics for special case */
void *field_data1; /* method-specific (e.g., Montgomery structure) */
void *field_data2; /* method-specific */
int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */
} /* EC_GROUP */;
struct ec_key_st {
int version;
EC_GROUP *group;
EC_POINT *pub_key;
BIGNUM *priv_key;
unsigned int enc_flag;
point_conversion_form_t conv_form;
int references;
int flags;
struct EC_EXTRA_DATA *method_data;
} /* EC_KEY */;
struct ecdh_method
{
const char *name;
int (*compute_key)(void *key, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
#if 0
int (*init)(EC_KEY *eckey);
int (*finish)(EC_KEY *eckey);
#endif
int flags;
char *app_data;
};
static ECDH_METHOD my_ecdh = {
"myengine",
my_ecdh_compute_key,
#if 0
NULL, /* init */
NULL, /* finish */
#endif
0, /* flags */
NULL /* app_data */
};
/****************************************************************************
* Symetric cipher and digest function registrars *
*****************************************************************************/
static int my_ciphers(ENGINE *e, const EVP_CIPHER **cipher,const int **nids, int nid);
static int my_digests(ENGINE *e, const EVP_MD **digest,const int **nids, int nid);
static int my_cipher_nids[] ={ NID_des_cbc, NID_des_ede3_cbc, NID_desx_cbc, 0 };
static int my_digest_nids[] ={ NID_md2, NID_md5, 0 };
/*__declspec(dllexport)*/ void ENGINE_load_myengine(void);

View File

@@ -1,106 +0,0 @@
//test.c
#include <stdio.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
static void display_engine_list()
{
ENGINE *h;
int loop;
h = ENGINE_get_first();
loop = 0;
printf("listing available engine types\n");
while(h)
{
printf("engine %i, id = \"%s\", name = \"%s\"\n",
loop++, ENGINE_get_id(h), ENGINE_get_name(h));
h = ENGINE_get_next(h);
}
printf("end of list\n");
/* ENGINE_get_first() increases the struct_ref counter, so we
must call ENGINE_free() to decrease it again */
ENGINE_free(h);
}
void test()
{
ENGINE *e = NULL;
int rv;
unsigned char buf[1024];
EVP_PKEY *evpKey;
EC_KEY *key;
EC_POINT *pubkey;
EC_GROUP *group;
EC_builtin_curve *curves;
int crv_len;
char shareKey1[10240],shareKey2[10240];
int ret,nid,size,i,sig_len;
int len1,len2;
crv_len = EC_get_builtin_curves(NULL, 0);
curves = (EC_builtin_curve *)malloc(sizeof(EC_builtin_curve) * crv_len);
EC_get_builtin_curves(curves, crv_len);
nid = NID_sect163k1;
group=EC_GROUP_new_by_curve_name(nid);
key=EC_KEY_new();
ret=EC_KEY_set_group(key,group);
ret=EC_KEY_generate_key(key);
ret=EC_KEY_check_key(key);
pubkey = EC_KEY_get0_public_key(key);
ENGINE_load_myengine();
display_engine_list();
len1=ECDH_compute_key(shareKey1, 10240, pubkey, key, NULL);
e = ENGINE_by_id("111");
printf("get myengine engine OK.name:%s\n",ENGINE_get_name(e));
ENGINE_register_ECDH(e);
//rv = ENGINE_set_default(e,ENGINE_METHOD_ALL);
len2=ECDH_compute_key(shareKey2, 10240, pubkey, key, NULL);
printf("len: %d, %d\n", len1, len2);
if(len1!=len2)
{
printf("err: %d, %d\n", len1, len2);
}
else
{
ret=memcmp(shareKey1,shareKey2,len1);
if(ret==0)
{
printf("right\n");
}
else
printf("wrong\n");
}
printf("test ok!\n");
/*ENGINE_register_RSA(e);
rv = ENGINE_set_default(e,ENGINE_METHOD_ALL);
evpKey = EVP_PKEY_new();
rsa = RSA_generate_key(1024,RSA_F4,NULL,NULL);
rv = EVP_PKEY_set1_RSA(evpKey,rsa);
rv = EVP_PKEY_encrypt(buf,buf,128,evpKey);
*/
/* rv = ENGINE_finish(e);
rv = ENGINE_free(e);
printf("test end.\n");
return;*/
}
int main()
{
test();
return 0;
}

View File

@@ -1,208 +0,0 @@
#include <linux/version.h>
#include <linux/types.h>
#include <linux/module.h>
#include <linux/smp.h>
#include <net/sock.h>
#include <linux/netlink.h>
#include <linux/skbuff.h>
#include "../ec2m_kern.h"
#include "../ec.h"
unsigned int sqr_table[1 << 16];
struct sock *sock_fd = NULL;
mm_256 gkey;
void init_sqr_table(void){
unsigned int i, j;
unsigned int t;
unsigned int n;
for(i = 0; i < sizeof(sqr_table) / sizeof(sqr_table[0]); i++){
t = 0;
j = i;
n = 16;
while(n-- > 0){
t = t << 2;
t |= ((j >> n) & 0x1);
}
sqr_table[i] = t;
}
}
void import_key(void* info) {
mm_256* key;
mm_256 tkey;
int cpu_id;
unsigned long irqs;
cpu_id = get_cpu();
local_irq_save(irqs);
//printk(KERN_INFO"%s on %d\n", __FUNCTION__, cpu_id);
key = (mm_256*)info;
// print value in dr0-3 previously
__asm__(
"movq %%dr0, %%rax\n\t"
"vmovq %%rax, %%xmm15\n\t"
"movq %%dr1, %%rax\n\t"
"vpinsrq $1, %%rax, %%xmm15, %%xmm15\n\t"
"movq %%dr2, %%rax\n\t"
"vmovq %%rax, %%xmm14\n\t"
"vinsertf128 $1, %%xmm14, %%ymm15, %%ymm15\n\t"
"vmovdqu %%ymm15, %0\n\t"
:"=m"(tkey)
:
: "rax", "memory"
);
//printk(KERN_INFO"debug regs:%016llx%016llx%016llx%016llx\n", tkey.iv[3], tkey.iv[2], tkey.iv[1], tkey.iv[0]);
//printk(KERN_INFO"key: %016llx%016llx%016llx\n", key->iv[2], key->iv[1], key->iv[0]);
gkey = *key;
__asm__(
"movq %0, %%dr0\n"
"movq %1, %%dr1\n"
"movq %2, %%dr2\n"
:
:"r"(key->iv[0]),"r"(key->iv[1]),"r"(key->iv[2])
: "memory"
);
local_irq_restore(irqs);
put_cpu();
}
int k_ec2m_import_key(mm_256* key)
{
import_key(key);
smp_call_function(import_key, key, 1);
return OK;
}
int k_ec2m_private_op(mm256_point_t* Q, mm256_point_t* P)
{
int cpu_id;
unsigned long irqs;
cpu_id = get_cpu();
local_irq_save(irqs);
//printk(KERN_INFO"%s on %d\n", __FUNCTION__, cpu_id);
__asm__ __volatile__(
"movq %%dr0, %%rax\n\t"
"vmovq %%rax, %%xmm15\n\t"
"movq %%dr1, %%rax\n\t"
"vpinsrq $1, %%rax, %%xmm15, %%xmm15\n\t"
"movq %%dr2, %%rax\n\t"
"vmovq %%rax, %%xmm14\n\t"
"vinsertf128 $1, %%xmm14, %%ymm15, %%ymm15\n\t"
:
:
: "rax", "memory"
);
gf2_point_mul_with_preset_key(P, Q, 1, 1);
local_irq_restore(irqs);
put_cpu();
return OK;
}
void nl_recv_msg(struct sk_buff* skb){
struct nlmsghdr *nlh;
struct sk_buff* out;
struct ec2m_request_st* req;
struct ec2m_response_st resp;
int pid;
int size;
char *buf;
int r;
nlh=(struct nlmsghdr*)skb->data;
size = nlmsg_len(nlh);// - NLMSG_HDRLEN;
pid = nlh->nlmsg_pid; /*pid of sending process */
/* printk(KERN_INFO "Netlink received a new msg from %d, size: %d\n", pid, size); */
buf = nlmsg_data(nlh);
req = (struct ec2m_request_st*)buf;
/* printk(KERN_INFO "got a request: %d, len: %d", req->func, req->len); */
switch (req->func) {
case REQ_IMPORT_KEY:
{
mm_256* key;
key = (mm_256*) (buf + sizeof(struct ec2m_request_st));
resp.result = k_ec2m_import_key(key);
size = sizeof(struct ec2m_response_st);
buf = kmalloc(size, GFP_KERNEL);
memcpy(buf, &resp, sizeof(resp));
break;
}
case REQ_PRIVATE_OP:
{
mm256_point_t* P;
mm256_point_t Q;
P = (mm256_point_t*) (buf + sizeof(struct ec2m_request_st));
resp.result = k_ec2m_private_op(&Q, P);
size = sizeof(struct ec2m_response_st) + sizeof(mm256_point_t);
buf = kmalloc(size, GFP_KERNEL);
memcpy(buf, &resp, sizeof(resp));
memcpy(buf + sizeof(resp), &Q, sizeof(Q));
break;
}
}
out = nlmsg_new(size, 0);
nlh = nlmsg_put(out, 0, 0, NLMSG_DONE, size, 0);
NETLINK_CB(out).dst_group = 0; /* not in mcast group */
memcpy(nlmsg_data(nlh), buf, size);
r = nlmsg_unicast(sock_fd, out, pid);
if (r < 0){
printk(KERN_INFO "forward msg to %d failed, err code %d\n", pid, r);
}
kfree(buf);
}
int init_netlink(void){
struct netlink_kernel_cfg cfg = {0};
cfg.input = nl_recv_msg;
sock_fd = netlink_kernel_create(&init_net, NETLINK_ECC, &cfg );
if(!sock_fd)
{
printk(KERN_ALERT "Error creating socket.\n");
return -1;
}
printk(KERN_ALERT "creating socket successfully.\n");
return 0;
}
int __init ecc_init(void) {
// init netlink
init_netlink();
init_sqr_table();
return 0;
}
void __exit ecc_exit(void) {
// netlink clean up
if(sock_fd != NULL)
netlink_kernel_release(sock_fd);
}
module_init(ecc_init);
module_exit(ecc_exit);
MODULE_LICENSE("GPL");

View File

@@ -1,5 +0,0 @@
#!/bin/bash
sudo rmmod ecc
sudo insmod ecc.ko
dmesg|tail

View File

@@ -1,217 +0,0 @@
#include <stdio.h>
#include <assert.h>
#include <openssl/bn.h>
#include <openssl/bio.h>
#include <openssl/ec.h>
#include <openssl/objects.h>
#include <openssl/obj_mac.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <string.h>
#include "kernel_test.h"
#include "ec.h"
#include "ec2m_kern.h"
#include "util.h"
#define _NR_sse_switch 312
struct ec_point_st {
const EC_METHOD *meth;
/* All members except 'meth' are handled by the method functions,
* even if they appear generic */
BIGNUM X;
BIGNUM Y;
BIGNUM Z; /* Jacobian projective coordinates:
* (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
int Z_is_one; /* enable optimized point arithmetics for special case */
} /* EC_POINT */;
int testSSE(){
// try perform an simple packed add operation
mm_256 a, b, c;
syscall(_NR_sse_switch, 0);
a.iv[0] = 0;
a.iv[1] = 1;
b.iv[0] = 2;
b.iv[1] = 3;
__asm__ __volatile__ ("vmovdqu %0, %%ymm0" : : "m"(a));
__asm__ __volatile__ ("vmovdqu %0, %%ymm1" : : "m"(b));
__asm__ __volatile__ ("vaddpd %ymm0, %ymm1, %ymm1");
__asm__ __volatile__ ("vmovdqu %%ymm1, %0" : "=m"(c) :);
printf("%ld, %ld\n", c.iv[0], c.iv[1]);
//syscall(_NR_sse_switch, 0);
return 1;
}
void print_num(mm_256* m)
{
int i;
int nonzero = 0;
for (i = sizeof(mm_256) - 1; i >= 0; i--) {
if (!nonzero){
if (m->bv[i] != 0)
nonzero = 1;
else
continue;
}
printf("%02x", m->bv[i]);
}
if (!nonzero)
printf("0");
}
void print_point(mm256_point_t* p)
{
print_num(&p->x);
printf(", ");
print_num(&p->y);
printf(", ");
print_num(&p->z);
}
void print_ec_point(EC_POINT* p)
{
printf("(");
BN_print_fp(stdout, &p->X);
printf(":");
BN_print_fp(stdout, &p->Y);
printf(":");
BN_print_fp(stdout, &p->Z);
printf(")");
}
int testAPI()
{
int r;
int nid;
EC_KEY *key;
BIO *bio_out;
const BIGNUM* rkey;
const EC_GROUP* group;
const EC_POINT* ukey;
const EC_POINT* G, *pr;
BIGNUM* x, *y;
BN_CTX* ctx;
mm_256 mkey;
mm256_point_t mp, mq;
mm_256 z_;
init_sqr_table();
ctx = BN_CTX_new();
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
// open stdout as bio
bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
// get curve nid
/* nid = EC_curve_nist2nid("sect163k1"); */
nid = OBJ_sn2nid(SN_sect163k1);
// generate the key
key = EC_KEY_new_by_curve_name(nid);
assert(key != NULL);
r = EC_KEY_generate_key(key);
assert(r == 1);
// print key
EC_KEY_print(bio_out, key, 0);
// get group
group = EC_KEY_get0_group(key);
// get generator
G = EC_GROUP_get0_generator(group);
// get private key
rkey = EC_KEY_get0_private_key(key);
memset(&mkey, 0, sizeof(mkey));
memcpy(&mkey, rkey->d, rkey->top * sizeof(rkey->d[0]));
print_num(&mkey);
printf("\n");
// get the public key
ukey = EC_KEY_get0_public_key(key);
// init api
r = ec2m_kern_init();
assert(r == 0);
printf("ec2m init done.\n");
// import the private key
r = ec2m_import_key(&mkey);
assert(r == 0);
// calculate r=G*k
// r should be equal to the public key
EC_POINT_get_affine_coordinates_GF2m(group, G, x, y, ctx);
memset(&mq, 0, sizeof(mq));
memset(&mp, 0, sizeof(mp));
memcpy(&mp.x, x->d, sizeof(x->d[0]) * x->top);
memcpy(&mp.y, y->d, sizeof(y->d[0]) * y->top);
mp.z.iv[0] = 1;
bn_expand2(x, 3);
bn_expand2(y, 3);
gf2_point_mul(&mp, &mkey, &mq, 1, 1);
print_mm_point(&mq);
printf("\n");
r = ec2m_private_operation(&mp, &mq);
assert(r == 0);
print_mm_point(&mq);
printf("\n");
/* printf("inv(z): "); */
/* gf2m_inv(&mq.z, &z_); */
/* print_num(&z_); */
/* printf("\n"); */
/* gf2_mod_mul(&mq.x, &z_, &mq.x); */
/* gf2_mod_mul(&mq.y, &z_, &mq.y); */
/* gf2_mod_mul(&mq.z, &z_, &mq.z); */
/* print_mm_point(&mq); */
/* printf("\n"); */
pr = EC_POINT_new(group);
EC_POINT_mul(group, pr, NULL, G, rkey, ctx);
print_ec_point(pr);
printf("\n");
EC_POINT_get_affine_coordinates_GF2m(group, pr, x, y, ctx);
ec2m_kern_clean();
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return 0;
}
int main()
{
testSSE();
testAPI();
return 0;
}

View File

@@ -1,6 +0,0 @@
#ifndef _KERNEL_TEST_H_
#define _KERNEL_TEST_H_
extern int testSSE();
#endif

View File

@@ -1,22 +0,0 @@
#include <unistd.h>
#include "sys_ec2m.h"
int sys_ec2m_alloc(void)
{
return syscall(__NR_ec2m_alloc);
}
int sys_ec2m_free(int rid)
{
return syscall(__NR_ec2m_free, rid);
}
int sys_ec2m_setkey(int rid, mm_256* key, int a, int b)
{
return syscall(__NR_ec2m_setkey, rid, (void*)key, a, b);
}
int sys_ec2m_encrypt(int rid, mm256_point_t* bufin, mm256_point_t* bufout)
{
return syscall(__NR_ec2m_encrypt, rid, (void*)bufin, (void*)bufout);
}

View File

@@ -1,16 +0,0 @@
#ifndef _SYS_EC2M_H_
#define _SYS_EC2M_H_
#define __NR_ec2m_alloc 312
#define __NR_ec2m_free 313
#define __NR_ec2m_setkey 314
#define __NR_ec2m_encrypt 315
#include "ec.h"
extern int sys_ec2m_alloc(void);
extern int sys_ec2m_free(int rid);
extern int sys_ec2m_setkey(int rid, mm_256* key, int a, int b);
extern int sys_ec2m_encrypt(int rid, mm256_point_t* bufin, mm256_point_t* bufout);
#endif

File diff suppressed because it is too large Load Diff

View File

@@ -1,17 +0,0 @@
#ifndef _TEST_H_
#define _TEST_H_
extern int initDomainParameters(int argc, char** argv);
extern int testFieldArithmetic();
extern int testPointArithmetic();
extern int testAES();
extern int testKernelEc2m();
extern int testMisc();
extern int testEC2M();
extern int benchmark_cycles();
extern int benchmark_EC2();
#endif

View File

@@ -1,215 +0,0 @@
#include <stdlib.h>
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/objects.h>
#include "util.h"
unsigned int sqr_table[1 << 16];
void print_mm_256(mm_256* m){
/* printf("(%lu, %lu, %lu, %lu)", m->iv[3], m->iv[2], m->iv[1], m->iv[0]); */
BIGNUM *bn = BN_new();
mm256_to_bn(m, bn);
printf("%s", BN_bn2hex(bn));
}
void init_sqr_table(){
unsigned int i, j;
unsigned int t;
unsigned int n;
for(i = 0; i < sizeof(sqr_table) / sizeof(sqr_table[0]); i++){
t = 0;
j = i;
n = 16;
while(n-- > 0){
t = t << 2;
t |= ((j >> n) & 0x1);
}
sqr_table[i] = t;
}
}
void ec_point_init(ec_point_t *P) {
P->X = BN_new();
P->Y = BN_new();
P->Z = BN_new();
}
void ec_point_free(ec_point_t *P){
OPENSSL_free(P->X);
OPENSSL_free(P->Y);
OPENSSL_free(P->Z);
}
void bn_to_mm256(const BIGNUM* bn, mm_256* m){
memset(m, 0, sizeof(mm_256));
assert(bn->top <= 4);
int i;
for(i = 0; i < bn->top; i++){
m->iv[i] = bn->d[i];
}
}
void mm256_to_bn(const mm_256* m, BIGNUM* bn){
BN_zero(bn);
int i = 4;
while(i-- > 0){
BN_lshift(bn, bn, 64);
BN_add_word(bn, m->iv[i]);
}
}
void bn_point_to_mm_point(const ec_point_t* src, mm256_point_t* dst){
bn_to_mm256(src->X, &dst->x);
bn_to_mm256(src->Y, &dst->y);
bn_to_mm256(src->Z, &dst->z);
}
void EC_POINT_to_mm_point(const ec_point_st* src, mm256_point_t* dst)
{
bn_to_mm256(&src->X, &dst->x);
bn_to_mm256(&src->Y, &dst->y);
bn_to_mm256(&src->Z, &dst->z);
}
void mm_point_to_EC_POINT(const mm256_point_t* src, ec_point_st* dst)
{
mm256_to_bn(&(src->x), &dst->X);
mm256_to_bn(&(src->y), &dst->Y);
mm256_to_bn(&(src->z), &dst->Z);
}
void mm_point_to_bn_point(const mm256_point_t* src, ec_point_t* dst){
mm256_to_bn(&(src->x), dst->X);
mm256_to_bn(&(src->y), dst->Y);
mm256_to_bn(&(src->z), dst->Z);
}
int cmp_mm_256_with_bn(mm_256* a, BIGNUM* bn){
mm_256 b;
bn_to_mm256(bn, &b);
return memcmp(a, &b, sizeof(mm_256));
}
int cmp_mm_point_with_bn_point(mm256_point_t* a, ec_point_t* b){
mm256_point_t t;
bn_point_to_mm_point(b, &t);
return memcmp(a, &t, sizeof(mm256_point_t));
}
void print_bn_point(ec_point_t* p){
char *px, *py, *pz;
px = BN_bn2str(p->X);
py = BN_bn2str(p->Y);
pz = BN_bn2str(p->Z);
printf("(%s: %s: %s)", px, py, pz);
OPENSSL_free(px);
OPENSSL_free(py);
OPENSSL_free(pz);
}
void print_EC_POINT(ec_point_st*p)
{
char *px, *py, *pz;
if(p->X.d)
px = BN_bn2str(&p->X);
else
px = "";
if(p->Y.d)
py = BN_bn2str(&p->Y);
else
py = "";
if(p->Z.d)
pz = BN_bn2str(&p->Z);
else
pz = "";
printf("(%s: %s: %s)", px, py, pz);
if(p->X.d)
OPENSSL_free(px);
if(p->Y.d)
OPENSSL_free(py);
if(p->Z.d)
OPENSSL_free(pz);
}
void print_mm_point(mm256_point_t* p){
ec_point_t t;
ec_point_init(&t);
mm_point_to_bn_point(p, &t);
print_bn_point(&t);
ec_point_free(&t);
}
void print_affine_bn_point(ec_point_t* p){
char *px, *py;
px = BN_bn2str(p->X);
py = BN_bn2str(p->Y);
printf("(%s, %s)", px, py);
OPENSSL_free(px);
OPENSSL_free(py);
}
void print_affine_mm_point(mm256_point_t* p){
ec_point_t t;
ec_point_init(&t);
mm_point_to_bn_point(p, &t);
print_affine_bn_point(&t);
ec_point_free(&t);
}
void printHex(uint8_t* str, uint32_t len){
uint32_t i;
for(i = 0; i < len; i++){
printf("%02x", str[i]);
}
}
void save_ymm_group(uint8_t* buf){
__asm__("vmovdqu %ymm0, (%rdi)\n\t"
"vmovdqu %ymm1, 32(%rdi)\n\t"
"vmovdqu %ymm2, 64(%rdi)\n\t"
"vmovdqu %ymm3, 96(%rdi)\n\t"
"vmovdqu %ymm4, 128(%rdi)\n\t"
"vmovdqu %ymm5, 160(%rdi)\n\t"
"vmovdqu %ymm6, 192(%rdi)\n\t"
"vmovdqu %ymm7, 224(%rdi)\n\t"
"vmovdqu %ymm8, 256(%rdi)\n\t"
"vmovdqu %ymm9, 288(%rdi)\n\t"
"vmovdqu %ymm10, 320(%rdi)\n\t"
"vmovdqu %ymm11, 352(%rdi)\n\t"
"vmovdqu %ymm12, 384(%rdi)\n\t"
"vmovdqu %ymm13, 416(%rdi)\n\t"
"vmovdqu %ymm14, 448(%rdi)\n\t"
"vmovdqu %ymm15, 480(%rdi)\n\t"
);
__asm__("" ::: "memory");
}
void load_ymm_group(uint8_t* buf){
__asm__("vmovdqu (%rdi), %ymm0\n\t"
"vmovdqu 32(%rdi), %ymm1\n\t"
"vmovdqu 64(%rdi), %ymm2\n\t"
"vmovdqu 96(%rdi), %ymm3\n\t"
"vmovdqu 128(%rdi), %ymm4\n\t"
"vmovdqu 160(%rdi), %ymm5\n\t"
"vmovdqu 192(%rdi), %ymm6\n\t"
"vmovdqu 224(%rdi), %ymm7\n\t"
"vmovdqu 256(%rdi), %ymm8\n\t"
"vmovdqu 288(%rdi), %ymm9\n\t"
"vmovdqu 320(%rdi), %ymm10\n\t"
"vmovdqu 352(%rdi), %ymm11\n\t"
"vmovdqu 384(%rdi), %ymm12\n\t"
"vmovdqu 416(%rdi), %ymm13\n\t"
"vmovdqu 448(%rdi), %ymm14\n\t"
"vmovdqu 480(%rdi), %ymm15\n\t"
);
__asm__("" ::: "memory");
}
void dummy_print(const char* format, ...){
}

View File

@@ -1,82 +0,0 @@
#ifndef _UTIL_H_
#define _UTIL_H_
#include "ec.h"
#include <openssl/bn.h>
//#define DEBUG
//#define PRINT_DEC
#ifdef PRINT_DEC
#define BN_bn2str(bn) BN_bn2dec(bn)
#else
#define BN_bn2str(bn) BN_bn2hex(bn)
#endif
extern void dummy_print(const char* format, ...);
#ifdef DEBUG
#define debug printf
#else
#define debug dummy_print
#endif
extern unsigned int sqr_table[1 << 16];
#define rdtsc_begin(hi, lo)\
asm volatile ("CPUID\n\t"\
"RDTSCP\n\t"\
"movq %%rdx, %0\n\t"\
"movq %%rax, %1\n\t" : "=r" (hi), "=r" (lo) :: "%rax", "%rbx", "%rcx", "%rdx");
#define rdtsc_end(hi, lo)\
asm volatile ("RDTSCP\n\t"\
"movq %%rdx, %0\n\t"\
"movq %%rax, %1\n\t"\
"CPUID\n\t" : "=r" (hi), "=r" (lo) :: "%rax", "%rbx", "%rcx", "%rdx");
typedef struct {
BIGNUM *X;
BIGNUM *Y;
BIGNUM *Z;
} ec_point_t;
typedef struct{
const struct EC_METHOD *meth;
/* All members except 'meth' are handled by the method functions,
* even if they appear generic */
BIGNUM X;
BIGNUM Y;
BIGNUM Z; /* Jacobian projective coordinates:
* (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
int Z_is_one; /* enable optimized point arithmetics for special case */
} ec_point_st /* EC_POINT */;
extern void init_sqr_table();
extern void bn_to_mm256(const BIGNUM* bn, mm_256 *m);
extern void mm256_to_bn(const mm_256 *m, BIGNUM* bn);
extern void bn_point_to_mm_point(const ec_point_t* src, mm256_point_t* dst);
extern void mm_point_to_bn_point(const mm256_point_t* src, ec_point_t* dst);
extern void EC_POINT_to_mm_point(const ec_point_st* src, mm256_point_t* dst);
extern void mm_point_to_EC_POINT(const mm256_point_t* src, ec_point_st* dst);
extern void ec_point_init(ec_point_t *P);
extern void ec_point_free(ec_point_t *P);
extern int cmp_mm_256_with_bn(mm_256* a, BIGNUM* bn);
extern int cmp_mm_point_with_bn_point(mm256_point_t* a, ec_point_t* b);
extern void print_affine_bn_point(ec_point_t* p);
extern void print_affine_mm_point(mm256_point_t* p);
extern void print_bn_point(ec_point_t* p);
extern void print_mm_point(mm256_point_t* p);
extern void print_EC_POINT(ec_point_st* p);
extern void printHex(uint8_t* str, uint32_t len);
extern void save_ymm_group(uint8_t* buf);
extern void load_ymm_group(uint8_t* buf);
#endif