From 28428de8767c004303887e1188dfcfdf32c80224 Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Sat, 13 Apr 2024 23:06:38 +0800
Subject: [PATCH] Remove fp_from_bytes and fn_from_bytes
---
 include/gmssl/sm9_z256.h | 68 +++++++++++++++++--------------------
 src/sm9_z256_alg.c | 73 ++++++++++++++++++++++++++++++++--------
 src/sm9_z256_key.c | 17 +++++++---
 src/sm9_z256_lib.c | 10 ++++--
 4 files changed, 110 insertions(+), 58 deletions(-)
diff --git a/include/gmssl/sm9_z256.h b/include/gmssl/sm9_z256.h
index 939901d0..4d8b203c 100644
--- a/include/gmssl/sm9_z256.h
+++ b/include/gmssl/sm9_z256.h
@@ -7,6 +7,8 @@
 * http://www.apache.org/licenses/LICENSE-2.0
 */
+#ifndef GMSSL_SM9_Z256_H
+#define GMSSL_SM9_Z256_H
 #include
 #include
@@ -15,42 +17,37 @@
 #include
 #include
-
-#ifndef GMSSL_SM9_Z256_H
-#define GMSSL_SM9_Z256_H
-
 #ifdef __cplusplus
 extern "C" {
 #endif
+
 typedef uint64_t sm9_z256_t[4];
-#define SM9_Z256_HEX_SEP '\n'
-
-
-void sm9_z256_to_bits(const sm9_z256_t a, char bits[256]);
-int sm9_z256_rand_range(sm9_z256_t r, const sm9_z256_t range);
+void sm9_z256_set_one(sm9_z256_t r);
+void sm9_z256_set_zero(sm9_z256_t r);
+void sm9_z256_copy(sm9_z256_t r, const sm9_z256_t a);
+void sm9_z256_copy_conditional(sm9_z256_t r, const sm9_z256_t a, uint64_t move);
+int sm9_z256_cmp(const sm9_z256_t a, const sm9_z256_t b);
+uint64_t sm9_z256_is_zero(const sm9_z256_t a);
+uint64_t sm9_z256_equ(const sm9_z256_t a, const sm9_z256_t b);
+uint64_t sm9_z256_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
+uint64_t sm9_z256_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
+void sm9_z256_mul(uint64_t r[8], const sm9_z256_t a, const sm9_z256_t b);
 void sm9_z256_from_bytes(sm9_z256_t r, const uint8_t in[32]);
 void sm9_z256_to_bytes(const sm9_z256_t a, uint8_t out[32]);
-void sm9_z256_copy(sm9_z256_t r, const sm9_z256_t a);
-void sm9_z256_copy_conditional(sm9_z256_t dst, const sm9_z256_t src, uint64_t move);
-void sm9_z256_set_zero(sm9_z256_t r);
-int sm9_z256_cmp(const sm9_z256_t a, const sm9_z256_t b);
-void sm9_z256_mul(uint64_t r[8], const sm9_z256_t a, const sm9_z256_t b);
 int sm9_z256_from_hex(sm9_z256_t r, const char *hex);
 void sm9_z256_to_hex(const sm9_z256_t r, char hex[64]);
 int sm9_z256_equ_hex(const sm9_z256_t a, const char *hex);
+void sm9_z256_to_bits(const sm9_z256_t a, char bits[256]);
+int sm9_z256_rand_range(sm9_z256_t r, const sm9_z256_t range);
 void sm9_z256_print_bn(const char *prefix, const sm9_z256_t a);
 int sm9_z256_print(FILE *fp, int ind, int fmt, const char *label, const sm9_z256_t a);
-int sm9_z512_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[8]);
-uint64_t sm9_z256_equ(const sm9_z256_t a, const sm9_z256_t b);
-uint64_t sm9_z256_is_zero(const sm9_z256_t a);
-uint64_t sm9_z256_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
-uint64_t sm9_z256_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
-extern const sm9_z256_t SM9_Z256_P;
-extern const sm9_z256_t SM9_Z256_N;
+// 从逻辑上讲,fp元素模式还是一个z256的值,需要显示的被转换为mont格式
+// 因此在计算上是需要区分mont_mul,也提供了to_mont, from_mont的计算
+// 因此这里最好不要用fp来表示,而是用modp来表示,这样逻辑更正确
 void sm9_z256_fp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
 void sm9_z256_fp_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
@@ -58,21 +55,13 @@ void sm9_z256_fp_dbl(sm9_z256_t r, const sm9_z256_t a);
 void sm9_z256_fp_tri(sm9_z256_t r, const sm9_z256_t a);
 void sm9_z256_fp_div2(sm9_z256_t r, const sm9_z256_t a);
 void sm9_z256_fp_neg(sm9_z256_t r, const sm9_z256_t a);
-void sm9_z256_fp_mont_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
 void sm9_z256_fp_to_mont(sm9_z256_t r, const sm9_z256_t a);
 void sm9_z256_fp_from_mont(sm9_z256_t r, const sm9_z256_t a);
+void sm9_z256_fp_mont_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
 void sm9_z256_fp_mont_sqr(sm9_z256_t r, const sm9_z256_t a);
 void sm9_z256_fp_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e);
 void sm9_z256_fp_inv(sm9_z256_t r, const sm9_z256_t a);
-int sm9_z256_fp_from_bytes(sm9_z256_t r, const uint8_t buf[32]);
-void sm9_z256_fp_to_bytes(const sm9_z256_t r, uint8_t out[32]);
-int sm9_z256_fp_from_hex(sm9_z256_t r, const char hex[64]);
-void sm9_z256_fp_to_hex(const sm9_z256_t r, char hex[64]);
-int sm9_z256_fp_rand(sm9_z256_t r);
-
-
-
-int sm9_z256_fn_rand(sm9_z256_t r);
+int sm9_z256_fp_rand(sm9_z256_t r);
 void sm9_z256_fn_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
 void sm9_z256_fn_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b);
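Review bot: The lines `-extern const sm9_z256_t SM9_Z256_P;` and `-extern const sm9_z256_t SM9_Z256_N;` remove the public declarations of the two moduli, yet the new range checks this same patch adds in sm9_z256_key.c and sm9_z256_lib.c (`@@ -98`, `@@ -245`, `@@ -67`) compare against `SM9_Z256_N`, and the new checks in sm9_z256_alg.c compare against `SM9_Z256_P`. Unless those translation units pick the declarations up from another header not shown here, they no longer compile against this header; keep `extern const sm9_z256_t SM9_Z256_P;` and `extern const sm9_z256_t SM9_Z256_N;`. The three added `//` lines are a design note in Chinese (roughly: an fp element is still a z256 value that must be explicitly converted to Montgomery form, so `modp` would be a more accurate prefix than `fp`); in a public header that is better expressed as an English statement of the invariant callers must respect, e.g. `// sm9_z256_fp_* expect operands already in Montgomery form; convert with sm9_z256_fp_to_mont/from_mont`, if that is indeed the contract.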
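Review bot: The prototypes for `sm9_z256_fp_to_bytes` and `sm9_z256_fp_to_hex` are deleted here, but their definitions remain in sm9_z256_alg.c (visible as context in `@@ -727` and `@@ -760`), leaving two external functions with no prototype. Either keep the two declarations or make the definitions `static` (and delete them if nothing calls them), so the header matches the real API and `-Wmissing-prototypes` stays clean. `int sm9_z256_fp_rand(sm9_z256_t r);` is removed and re-added unchanged a few lines later, which is pure churn in the diff.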
@@ -80,11 +69,14 @@ void sm9_z256_fn_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); void sm9_z256_fn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e); void sm9_z256_fn_inv(sm9_z256_t r, const sm9_z256_t a); void sm9_z256_fn_from_hash(sm9_z256_t h, const uint8_t Ha[40]); -int sm9_z256_fn_from_bytes(sm9_z256_t a, const uint8_t in[32]); +int sm9_z256_fn_from_bytes(sm9_z256_t a, const uint8_t in[32]); // 这个就比较特殊了,应该支持这个函数吗?我觉得不应该支持,这个太奇怪了 +int sm9_z256_fn_rand(sm9_z256_t r); + + +// 但是在GF(p^2) typedef sm9_z256_t sm9_z256_fp2_t[2]; -extern const sm9_z256_fp2_t SM9_FP2_ZERO; void sm9_z256_fp2_set_one(sm9_z256_fp2_t r); @@ -96,8 +88,10 @@ void sm9_z256_fp2_copy(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); int sm9_z256_fp2_rand(sm9_z256_fp2_t r); void sm9_z256_fp2_to_bytes(const sm9_z256_fp2_t a, uint8_t buf[64]); int sm9_z256_fp2_from_bytes(sm9_z256_fp2_t r, const uint8_t buf[64]); + int sm9_z256_fp2_from_hex(sm9_z256_fp2_t r, const char hex[129]); void sm9_z256_fp2_to_hex(const sm9_z256_fp2_t a, char hex[129]); + void sm9_z256_fp2_add(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_fp2_t b); void sm9_z256_fp2_dbl(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); void sm9_z256_fp2_tri(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); @@ -115,12 +109,8 @@ void sm9_z256_fp2_div2(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); typedef sm9_z256_fp2_t sm9_z256_fp4_t[2]; -extern const sm9_z256_fp4_t SM9_FP4_ZERO; -extern const sm9_z256_fp4_t SM9_FP4_ONE; -extern const sm9_z256_fp4_t SM9_FP4_U; -extern const sm9_z256_fp4_t SM9_FP4_V; -int sm9_z256_fp4_is_zero(const sm9_z256_fp4_t a); +int sm9_z256_fp4_is_zero(const sm9_z256_fp4_t a); int sm9_z256_fp4_equ(const sm9_z256_fp4_t a, const sm9_z256_fp4_t b); int sm9_z256_fp4_rand(sm9_z256_fp4_t r); void sm9_z256_fp4_copy(sm9_z256_fp4_t r, const sm9_z256_fp4_t a); 
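Review bot: `int sm9_z256_fn_from_bytes(sm9_z256_t a, const uint8_t in[32]);` stays in the public header (now carrying a Chinese note that asks whether the function should exist at all and concludes it should not), while its only definition is deleted in `@@ -2690` of sm9_z256_alg.c, so the header now declares a function that cannot link — the opposite of what the commit title says. Delete the prototype and the trailing note instead of annotating the line. The following `+` lines ending in `// 但是在GF(p^2)` ("but in GF(p^2)") are an unfinished sentence with no code attached; finish the thought or drop it before it lands in a released header.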
@@ -180,6 +170,8 @@ void sm9_z256_fp12_frobenius3(sm9_z256_fp12_t r, const sm9_z256_fp12_t x);
 void sm9_z256_fp12_frobenius6(sm9_z256_fp12_t r, const sm9_z256_fp12_t x);
+// E(F_p): y^2 = x^3 + 5
+
 typedef struct {
 sm9_z256_t X;
 sm9_z256_t Y;
diff --git a/src/sm9_z256_alg.c b/src/sm9_z256_alg.c
index 61265843..b876080e 100644
--- a/src/sm9_z256_alg.c
+++ b/src/sm9_z256_alg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
+ * Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the License); you may
 * not use this file except in compliance with the License.
@@ -21,6 +21,9 @@
 #include
+#define SM9_Z256_HEX_SEP '\n'
+
+
 const sm9_z256_t SM9_Z256_ZERO = {0,0,0,0};
 const sm9_z256_t SM9_Z256_ONE = {1,0,0,0};
 const sm9_z256_t SM9_Z256_TWO = {2,0,0,0};
@@ -190,9 +193,21 @@ void sm9_z256_copy_conditional(sm9_z256_t dst, const sm9_z256_t src, uint64_t mo
 dst[3] = (src[3] & mask1) ^ (dst[3] & mask2);
 }
+
+void sm9_z256_set_one(sm9_z256_t r)
+{
+ r[0] = 1;
+ r[1] = 0;
+ r[2] = 0;
+ r[3] = 0;
+}
+
 void sm9_z256_set_zero(sm9_z256_t r)
 {
- sm9_z256_copy(r, SM9_Z256_ZERO);
+ r[0] = 0;
+ r[1] = 0;
+ r[2] = 0;
+ r[3] = 0;
 }
 static uint64_t is_zero(uint64_t in)
@@ -386,12 +401,14 @@ int sm9_z256_print(FILE *fp, int ind, int fmt, const char *label, const sm9_z256
 return 1;
 }
+/*
 int sm9_z512_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[8])
 {
 format_print(fp, ind, fmt, "%s: %016lx%016lx%016lx%016lx%016lx%016lx%016lx%016lx\n", label, a[7], a[6], a[5], a[4], a[3], a[2], a[1], a[0]);
 return 1;
 }
+*/
 #ifndef ENABLE_SM9_Z256_ARMV8
 void sm9_z256_fp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b)
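Review bot: `sm9_z512_print` is disabled by wrapping it in `+/*` … `+*/` rather than deleted, even though its prototype is removed from sm9_z256.h in this same patch (`@@ -15`), so nothing can call it and the dead body will only drift out of date. The same pattern recurs in `@@ -717`/`@@ -727` (`sm9_z256_fp_from_bytes`), `@@ -760` (the `//const sm9_z256_fp2_t SM9_Z256_FP2_*` lines) and `@@ -817` (the old call kept inside `sm9_z256_fp2_from_bytes`); git history already preserves the removed code, so delete all of these. If `fp_from_bytes` is being kept as a reminder of what the new inline sequences replace, a one-line comment at each call site, `// bytes -> z256, reject values >= p, then convert to Montgomery form`, documents that intent better than a commented-out function.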
@@ -717,6 +734,9 @@ void sm9_z256_fp_inv(sm9_z256_t r, const sm9_z256_t a)
 sm9_z256_fp_pow(r, a, SM9_Z256_P_MINUS_TWO);
 }
+// 这个函数不合适,而且这个实现也不正确啊
+// 但是对于SM9的Fp2,Fp4等而言,必须一开始就转换到Montgomery上面,因为没有
+/*
 int sm9_z256_fp_from_bytes(sm9_z256_t r, const uint8_t buf[32])
 {
 sm9_z256_from_bytes(r, buf);
@@ -727,6 +747,7 @@ int sm9_z256_fp_from_bytes(sm9_z256_t r, const uint8_t buf[32])
 }
 return 1;
 }
+*/
 void sm9_z256_fp_to_bytes(const sm9_z256_t r, uint8_t out[32])
 {
@@ -760,9 +781,9 @@ void sm9_z256_fp_to_hex(const sm9_z256_t r, char hex[64])
 }
-const sm9_z256_fp2_t SM9_Z256_FP2_ZERO = {{0,0,0,0},{0,0,0,0}};
-const sm9_z256_fp2_t SM9_Z256_FP2_ONE = {{1,0,0,0},{0,0,0,0}};
-const sm9_z256_fp2_t SM9_Z256_FP2_U = {{0,0,0,0},{1,0,0,0}};
+//const sm9_z256_fp2_t SM9_Z256_FP2_ZERO = {{0,0,0,0},{0,0,0,0}};
+//const sm9_z256_fp2_t SM9_Z256_FP2_ONE = {{1,0,0,0},{0,0,0,0}};
+//const sm9_z256_fp2_t SM9_Z256_FP2_U = {{0,0,0,0},{1,0,0,0}};
 static const sm9_z256_fp2_t SM9_Z256_FP2_MONT_5U = {{0,0,0,0},{0xb9f2c1e8c8c71995, 0x125df8f246a377fc, 0x25e650d049188d1c, 0x43fffffed866f63}};
@@ -817,11 +838,28 @@ void sm9_z256_fp2_to_bytes(const sm9_z256_fp2_t a, uint8_t buf[64])
 int sm9_z256_fp2_from_bytes(sm9_z256_fp2_t r, const uint8_t buf[64])
 {
+ sm9_z256_from_bytes(r[1], buf);
+ if (sm9_z256_cmp(r[1], SM9_Z256_P) >= 0) {
+ error_print();
+ return -1;
+ }
+
+ sm9_z256_from_bytes(r[0], buf + 32);
+ if (sm9_z256_cmp(r[0], SM9_Z256_P) >= 0) {
+ error_print();
+ return -1;
+ }
+
+ sm9_z256_fp_to_mont(r[1], r[1]);
+ sm9_z256_fp_to_mont(r[0], r[0]);
+
+ /*
 if (sm9_z256_fp_from_bytes(r[1], buf) != 1 || sm9_z256_fp_from_bytes(r[0], buf + 32) != 1) {
 error_print();
 return -1;
 }
+ */
 return 1;
 }
@@ -1801,7 +1839,6 @@ int sm9_z256_point_is_on_curve(const SM9_Z256_POINT *P)
 return 1;
 }
-// E(F_p): y^2 = x^3 + b, 计算公式和SM2不同
 void sm9_z256_point_dbl(SM9_Z256_POINT *R, const SM9_Z256_POINT *P)
 {
 const uint64_t *X1 = P->X;
@@ -2690,11 +2727,6 @@ void sm9_z256_fn_inv(sm9_z256_t r, const sm9_z256_t a)
 sm9_z256_fn_pow(r, a, e);
 }
-int sm9_z256_fn_from_bytes(sm9_z256_t a, const uint8_t in[32])
-{
- sm9_z256_from_bytes(a, in);
- return 1;
-}
 const sm9_z256_t SM9_Z256_N_MINUS_ONE_BARRETT_MU = {0x74df4fd4dfc97c31, 0x9c95d85ec9c073b0, 0x55f73aebdcd1312c, 0x67980e0beb5759a6}; // , 0x1};
@@ -2745,10 +2777,23 @@ int sm9_z256_point_from_uncompressed_octets(SM9_Z256_POINT *P, const uint8_t oct
 error_print();
 return -1;
 }
- memset(P, 0, sizeof(*P));
- sm9_z256_fp_from_bytes(P->X, octets + 1); // fp_from_bytes include to_mont
- sm9_z256_fp_from_bytes(P->Y, octets + 32 + 1);
+
+ sm9_z256_from_bytes(P->X, octets + 1);
+ if (sm9_z256_cmp(P->X, SM9_Z256_P) >= 0) {
+ error_print();
+ return -1;
+ }
+ sm9_z256_fp_to_mont(P->X, P->X);
+
+ sm9_z256_from_bytes(P->Y, octets + 32 + 1);
+ if (sm9_z256_cmp(P->X, SM9_Z256_P) >= 0) {
+ error_print();
+ return -1;
+ }
+ sm9_z256_fp_to_mont(P->Y, P->Y);
+ sm9_z256_copy(P->Z, SM9_Z256_MODP_MONT_ONE);
+
 if (!sm9_z256_point_is_on_curve(P)) {
 error_print();
 return -1;
diff --git a/src/sm9_z256_key.c b/src/sm9_z256_key.c
index eb7213a0..4cfcd4f7 100644
--- a/src/sm9_z256_key.c
+++ b/src/sm9_z256_key.c
@@ -98,8 +98,12 @@ int sm9_sign_master_key_from_der(SM9_SIGN_MASTER_KEY *msk, const uint8_t **in, s
 return -1;
 }
 memset(msk, 0, sizeof(*msk));
- if (sm9_z256_fn_from_bytes(msk->ks, ks) != 1
- || sm9_z256_twist_point_from_uncompressed_octets(&msk->Ppubs, Ppubs) != 1) {
+ sm9_z256_from_bytes(msk->ks, ks);
+ if (sm9_z256_cmp(msk->ks, SM9_Z256_N) >= 0) {
+ error_print();
+ return -1;
+ }
+ if (sm9_z256_twist_point_from_uncompressed_octets(&msk->Ppubs, Ppubs) != 1) {
 error_print();
 return -1;
 }
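Review bot: The range check that follows `sm9_z256_from_bytes(P->Y, octets + 32 + 1);` tests `P->X` a second time instead of `P->Y`, so a Y coordinate encoded as a value ≥ p is never rejected and reaches `sm9_z256_fp_to_mont` unreduced; the line should be `if (sm9_z256_cmp(P->Y, SM9_Z256_P) >= 0) {`. Since the octets come from an untrusted encoding, this canonical-range check is the point of the rewrite, and the later `sm9_z256_point_is_on_curve` call does not substitute for it because the Montgomery arithmetic reduces the non-canonical value silently. Dropping `memset(P, 0, sizeof(*P));` is only safe if X, Y and Z are the struct's sole fields — the header hunk shows X and Y, so confirm nothing else is left uninitialized. The enclosing function begins before this hunk and its body continues after it.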
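Review bot: The new check `if (sm9_z256_cmp(msk->ks, SM9_Z256_N) >= 0)` rejects ks ≥ N but still accepts ks == 0, which is not a valid SM9 master private key (ks is drawn from [1, N-1]); `if (sm9_z256_is_zero(msk->ks) || sm9_z256_cmp(msk->ks, SM9_Z256_N) >= 0) {` closes the gap with the helper this patch already exports from the header. The same applies to `msk->ke` in `@@ -245` of sm9_z256_key.c and to `sig->h` in `@@ -67` of sm9_z256_lib.c, where verification requires h in [1, N-1]. On the failure path the rejected value is left in `msk->ks` after the earlier `memset(msk, 0, sizeof(*msk));`, so consider clearing it before `return -1;` so callers never observe a half-parsed key. sm9_sign_master_key_from_der starts before this hunk.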
@@ -245,8 +249,13 @@ int sm9_enc_master_key_from_der(SM9_ENC_MASTER_KEY *msk, const uint8_t **in, siz
 return -1;
 }
 memset(msk, 0, sizeof(*msk));
- if (sm9_z256_fn_from_bytes(msk->ke, ke) != 1
- || sm9_z256_point_from_uncompressed_octets(&msk->Ppube, Ppube) != 1) {
+
+ sm9_z256_from_bytes(msk->ke, ke);
+ if (sm9_z256_cmp(msk->ke, SM9_Z256_N) >= 0) {
+ error_print();
+ return -1;
+ }
+ if (sm9_z256_point_from_uncompressed_octets(&msk->Ppube, Ppube) != 1) {
 error_print();
 return -1;
 }
diff --git a/src/sm9_z256_lib.c b/src/sm9_z256_lib.c
index f5a6cd91..713b1be7 100644
--- a/src/sm9_z256_lib.c
+++ b/src/sm9_z256_lib.c
@@ -67,8 +67,14 @@ int sm9_signature_from_der(SM9_SIGNATURE *sig, const uint8_t **in, size_t *inlen
 error_print();
 return -1;
 }
- if (sm9_z256_fn_from_bytes(sig->h, h) != 1
- || sm9_z256_point_from_uncompressed_octets(&sig->S, S) != 1) {
+
+ sm9_z256_from_bytes(sig->h, h);
+ if (sm9_z256_cmp(sig->h, SM9_Z256_N) >= 0) {
+ error_print();
+ return -1;
+ }
+
+ if (sm9_z256_point_from_uncompressed_octets(&sig->S, S) != 1) {
 error_print();
 return -1;
 }