Update sm2 sign/enc with z256 implementation

CMakeLists.txt

@@ -20,7 +20,7 @@ set(src
 	src/sm3_digest.c
 	src/sm2_alg.c
 	src/sm2_key.c
-	src/sm2_sign.c
+	src/sm2_z256_sign.c
 	src/sm2_lib.c
 	src/sm2_ctx.c
 	src/sm9_alg.c
@@ -123,6 +123,8 @@ set(tests
 	sm4
 	sm3
 	sm2
+	sm2_sign
+	sm2_enc
 	sm9
 	zuc
 	hash_drbg

include/gmssl/sm2.h

@@ -356,6 +356,9 @@ _gmssl_export int sm2_decrypt_init(SM2_ENC_CTX *ctx, const SM2_KEY *sm2_key);
 _gmssl_export int sm2_decrypt_update(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
 _gmssl_export int sm2_decrypt_finish(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
 
+const uint64_t *sm2_bn_prime(void);
+const uint64_t *sm2_bn_order(void);
+const uint64_t *sm2_bn_one(void);
 
 #ifdef __cplusplus
 }

include/gmssl/sm2_z256.h

@@ -22,11 +22,13 @@ extern "C" {
 
 typedef uint64_t SM2_Z256[4];
 
+int sm2_z256_rand_range(uint64_t r[4], const uint64_t range[4]);
 void sm2_z256_copy(uint64_t r[4], const uint64_t a[4]);
 void sm2_z256_copy_conditional(uint64_t dst[4], const uint64_t src[4], uint64_t move);
 void sm2_z256_from_bytes(uint64_t r[4], const uint8_t in[32]);
 void sm2_z256_to_bytes(const uint64_t a[4], uint8_t out[32]);
 int sm2_z256_cmp(const uint64_t a[4], const uint64_t b[4]);
+uint64_t sm2_z256_is_zero(const uint64_t a[4]);
 uint64_t sm2_z256_equ(const uint64_t a[4], const uint64_t b[4]);
 uint64_t sm2_z256_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]);
 uint64_t sm2_z256_sub(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]);
@@ -34,6 +36,7 @@ void sm2_z256_mul(uint64_t r[8], const uint64_t a[4], const uint64_t b[4]);
 uint64_t sm2_z512_add(uint64_t r[8], const uint64_t a[8], const uint64_t b[8]);
 int sm2_z256_get_booth(const uint64_t a[4], unsigned int window_size, int i);
 void sm2_z256_from_hex(uint64_t r[4], const char *hex);
+int sm2_z256_equ_hex(const uint64_t a[4], const char *hex);
 int sm2_z256_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[4]);
 int sm2_z512_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[8]);
 
@@ -52,9 +55,14 @@ void sm2_z256_modp_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e
 void sm2_z256_modp_mont_inv(uint64_t r[4], const uint64_t a[4]);
 int sm2_z256_modp_mont_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[4]);
 
+int sm2_z256_modn_rand(uint64_t r[4]);
 void sm2_z256_modn_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]);
 void sm2_z256_modn_sub(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]);
 void sm2_z256_modn_neg(uint64_t r[4], const uint64_t a[4]);
+void sm2_z256_modn_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]);
+void sm2_z256_modn_sqr(uint64_t r[4], const uint64_t a[4]);
+void sm2_z256_modn_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4]);
+void sm2_z256_modn_inv(uint64_t r[4], const uint64_t a[4]);
 
 void sm2_z256_modn_to_mont(const uint64_t a[4], uint64_t r[4]);
 void sm2_z256_modn_from_mont(uint64_t r[4], const uint64_t a[4]);
@@ -71,7 +79,13 @@ typedef struct {
 	uint64_t Z[4];
 } SM2_Z256_POINT;
 
+void sm2_z256_point_from_bytes(SM2_Z256_POINT *P, const uint8_t in[64]);
 void sm2_z256_point_to_bytes(const SM2_Z256_POINT *P, uint8_t out[64]);
+
+int sm2_z256_point_is_at_infinity(const SM2_Z256_POINT *P);
+int sm2_z256_point_is_on_curve(const SM2_Z256_POINT *P);
+void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4]);
+
 void sm2_z256_point_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *A);
 void sm2_z256_point_add(SM2_Z256_POINT *r, const SM2_Z256_POINT *a, const SM2_Z256_POINT *b);
 void sm2_z256_point_neg(SM2_Z256_POINT *R, const SM2_Z256_POINT *P);
@@ -91,9 +105,16 @@ void sm2_z256_point_sub_affine(SM2_Z256_POINT *R, const SM2_Z256_POINT *A, const
 int sm2_z256_point_affine_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT_AFFINE *P);
 
 void sm2_z256_point_mul_generator(SM2_Z256_POINT *R, const uint64_t k[4]);
-void sm2_z256_point_mul(SM2_Z256_POINT *R, const SM2_Z256_POINT *P, const uint64_t k[4]);
+void sm2_z256_point_mul(SM2_Z256_POINT *R, const uint64_t k[4], const SM2_Z256_POINT *P);
 void sm2_z256_point_mul_sum(SM2_Z256_POINT *R, const uint64_t t[4], const SM2_Z256_POINT *P, const uint64_t s[4]);
 
+const uint64_t *sm2_z256_prime(void);
+const uint64_t *sm2_z256_order(void);
+const uint64_t *sm2_z256_one(void);
+
+void sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex);
+int sm2_z256_point_equ_hex(const SM2_Z256_POINT *P, const char *hex);
+
 
 #ifdef __cplusplus
 }

src/sm2_alg.c

@@ -1343,3 +1343,17 @@ int sm2_point_from_hash(SM2_POINT *R, const uint8_t *data, size_t datalen)
 	return 1;
 }
 
+const uint64_t *sm2_bn_prime(void) {
+	return &SM2_P[0];
+}
+
+const uint64_t *sm2_bn_order(void) {
+	return &SM2_N[0];
+}
+
+const uint64_t *sm2_bn_one(void) {
+	return &SM2_ONE[0];
+}
+
+
+

src/sm2_sign.c

@@ -19,9 +19,6 @@
 #include <gmssl/endian.h>
 
 
-extern const SM2_BN SM2_N;
-extern const SM2_BN SM2_ONE;
-
 int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig)
 {
 	SM2_JACOBIAN_POINT _P, *P = &_P;
@@ -34,11 +31,14 @@ int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig)
 	SM2_BN r;
 	SM2_BN s;
 
+	const uint64_t *one = sm2_bn_one();
+	const uint64_t *order = sm2_bn_order();
+
 	//fprintf(stderr, "sm2_do_sign\n");
 	sm2_bn_from_bytes(d, key->private_key);
 
 	// compute (d + 1)^-1 (mod n)
-	sm2_fn_add(d_inv, d, SM2_ONE);	//sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv);
+	sm2_fn_add(d_inv, d, one);	//sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv);
 	if (sm2_bn_is_zero(d_inv)) {
 		error_print();
 		return -1;
@@ -63,17 +63,17 @@ retry:
 					//sm2_bn_print(stderr, 0, 4, "x", x);
 
 	// r = e + x (mod n)
-	if (sm2_bn_cmp(e, SM2_N) >= 0) {
-		sm2_bn_sub(e, e, SM2_N);
+	if (sm2_bn_cmp(e, order) >= 0) {
+		sm2_bn_sub(e, e, order);
 	}
-	if (sm2_bn_cmp(x, SM2_N) >= 0) {
-		sm2_bn_sub(x, x, SM2_N);
+	if (sm2_bn_cmp(x, order) >= 0) {
+		sm2_bn_sub(x, x, order);
 	}
 	sm2_fn_add(r, e, x);		//sm2_bn_print(stderr, 0, 4, "r = e + x (mod n)", r);
 
 	// if r == 0 or r + k == n re-generate k
 	sm2_bn_add(t, r, k);
-	if (sm2_bn_is_zero(r) || sm2_bn_cmp(t, SM2_N) == 0) {
+	if (sm2_bn_is_zero(r) || sm2_bn_cmp(t, order) == 0) {
 					//sm2_bn_print(stderr, 0, 4, "r + k", t);
 		goto retry;
 	}
@@ -113,10 +113,12 @@ int sm2_do_sign_fast(const SM2_Fn d, const uint8_t dgst[32], SM2_SIGNATURE *sig)
 	SM2_BN r;
 	SM2_BN s;
 
+	const uint64_t *order = sm2_bn_order();
+
 	// e = H(M)
 	sm2_bn_from_bytes(e, dgst);
-	if (sm2_bn_cmp(e, SM2_N) >= 0) {
-		sm2_bn_sub(e, e, SM2_N);
+	if (sm2_bn_cmp(e, order) >= 0) {
+		sm2_bn_sub(e, e, order);
 	}
 
 	// rand k in [1, n - 1]
@@ -154,6 +156,8 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR
 	SM2_BN x;
 	SM2_BN t;
 
+	const uint64_t *order = sm2_bn_order();
+
 	// parse public key
 	sm2_jacobian_point_from_bytes(P, (const uint8_t *)&key->public_key);
 					//sm2_jacobian_point_print(stderr, 0, 4, "P", P);
@@ -164,9 +168,9 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR
 
 	// check r, s in [1, n-1]
 	if (sm2_bn_is_zero(r) == 1
-		|| sm2_bn_cmp(r, SM2_N) >= 0
+		|| sm2_bn_cmp(r, order) >= 0
 		|| sm2_bn_is_zero(s) == 1
-		|| sm2_bn_cmp(s, SM2_N) >= 0) {
+		|| sm2_bn_cmp(s, order) >= 0) {
 		error_print();
 		return -1;
 	}
@@ -187,11 +191,11 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR
 					//sm2_bn_print(stderr, 0, 4, "x", x);
 
 	// r' = e + x (mod n)
-	if (sm2_bn_cmp(e, SM2_N) >= 0) {
-		sm2_bn_sub(e, e, SM2_N);
+	if (sm2_bn_cmp(e, order) >= 0) {
+		sm2_bn_sub(e, e, order);
 	}
-	if (sm2_bn_cmp(x, SM2_N) >= 0) {
-		sm2_bn_sub(x, x, SM2_N);
+	if (sm2_bn_cmp(x, order) >= 0) {
+		sm2_bn_sub(x, x, order);
 	}
 	sm2_fn_add(e, e, x);		//sm2_bn_print(stderr, 0, 4, "e + x (mod n)", e);
 

src/sm2_z256.c

@@ -49,6 +49,7 @@
 #include <stdint.h>
 #include <gmssl/error.h>
 #include <gmssl/hex.h>
+#include <gmssl/rand.h>
 #include <gmssl/endian.h>
 #include <gmssl/sm2_z256.h>
 
@@ -66,6 +67,23 @@ h = 0x1
 
 const uint64_t SM2_Z256_ONE[4] = { 1,0,0,0 };
 
+const uint64_t *sm2_z256_one(void) {
+	return &SM2_Z256_ONE[0];
+}
+
+
+
+int sm2_z256_rand_range(uint64_t r[4], const uint64_t range[4])
+{
+	do {
+		if (rand_bytes((uint8_t *)r, 32) != 1) {
+			error_print();
+			return -1;
+		}
+	} while (sm2_z256_cmp(r, range) >= 0);
+	return 1;
+}
+
 void sm2_z256_from_bytes(uint64_t r[4], const uint8_t in[32])
 {
 	r[3] = GETU64(in);
@@ -134,6 +152,15 @@ int sm2_z256_cmp(const uint64_t a[4], const uint64_t b[4])
 	return 0;
 }
 
+uint64_t sm2_z256_is_zero(const uint64_t a[4])
+{
+	return
+		is_zero(a[0]) &
+		is_zero(a[1]) &
+		is_zero(a[2]) &
+		is_zero(a[3]);
+}
+
 uint64_t sm2_z256_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4])
 {
 	uint64_t t, c = 0;
@@ -292,6 +319,18 @@ void sm2_z256_from_hex(uint64_t r[4], const char *hex)
 	sm2_z256_from_bytes(r, bytes);
 }
 
+int sm2_z256_equ_hex(const uint64_t a[4], const char *hex)
+{
+	uint64_t b[4];
+	sm2_z256_from_hex(b, hex);
+	if (sm2_z256_cmp(a, b) == 0) {
+		return 1;
+	} else {
+		return 0;
+	}
+}
+
+
 int sm2_z256_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[4])
 {
 	format_print(fp, ind, fmt, "%s: %016llx%016llx%016llx%016llx\n", label, a[3], a[2], a[1], a[0]);
@@ -313,6 +352,11 @@ const uint64_t SM2_Z256_P[4] = {
 	0xffffffffffffffff, 0xffffffff00000000, 0xffffffffffffffff, 0xfffffffeffffffff,
 };
 
+const uint64_t *sm2_z256_prime(void) {
+	return &SM2_Z256_P[0];
+}
+
+
 // 2^256 - p = 2^224 + 2^96 - 2^64 + 1
 const uint64_t SM2_Z256_NEG_P[4] = {
 	1, ((uint64_t)1 << 32) - 1, 0, ((uint64_t)1 << 32),
@@ -582,6 +626,15 @@ const uint64_t SM2_Z256_NEG_N[4] = {
 	0xac440bf6c62abedd, 0x8dfc2094de39fad4, 0x0000000000000000, 0x0000000100000000,
 };
 
+int sm2_z256_modn_rand(uint64_t r[4])
+{
+	if (sm2_z256_rand_range(r, SM2_Z256_N) != 1) {
+		error_print();
+		return -1;
+	}
+	return 1;
+}
+
 void sm2_z256_modn_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4])
 {
 	uint64_t c;
@@ -623,6 +676,11 @@ const uint64_t SM2_Z256_N_PRIME[4] = {
 	0x327f9e8872350975, 0xdf1e8d34fc8319a5, 0x2b0068d3b08941d4, 0x6f39132f82e4c7bc,
 };
 
+const uint64_t *sm2_z256_order(void) {
+	return &SM2_Z256_N[0];
+}
+
+
 // mont(1) (mod n) = 2^256 - n
 const uint64_t *SM2_Z256_MODN_MONT_ONE = SM2_Z256_NEG_N;
 
@@ -665,11 +723,31 @@ void sm2_z256_modn_mont_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b
 	}
 }
 
+void sm2_z256_modn_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4])
+{
+	uint64_t mont_a[4];
+	uint64_t mont_b[4];
+
+	sm2_z256_modn_to_mont(a, mont_a);
+	sm2_z256_modn_to_mont(b, mont_b);
+	sm2_z256_modn_mont_mul(r, mont_a, mont_b);
+	sm2_z256_modn_from_mont(r, r);
+}
+
 void sm2_z256_modn_mont_sqr(uint64_t r[4], const uint64_t a[4])
 {
 	sm2_z256_modn_mont_mul(r, a, a);
 }
 
+void sm2_z256_modn_sqr(uint64_t r[4], const uint64_t a[4])
+{
+	uint64_t mont_a[4];
+
+	sm2_z256_modn_to_mont(a, mont_a);
+	sm2_z256_modn_mont_sqr(r, mont_a);
+	sm2_z256_modn_from_mont(r, r);
+}
+
 void sm2_z256_modn_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4])
 {
 	uint64_t t[4];
@@ -693,6 +771,15 @@ void sm2_z256_modn_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e
 	sm2_z256_copy(r, t);
 }
 
+void sm2_z256_modn_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4])
+{
+	uint64_t mont_a[4];
+
+	sm2_z256_modn_to_mont(a, mont_a);
+	sm2_z256_modn_mont_exp(r, mont_a, e);
+	sm2_z256_modn_from_mont(r, r);
+}
+
 // n - 2 = 0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54121
 const uint64_t SM2_Z256_N_MINUS_TWO[4] = {
 	0x53bbf40939d54121, 0x7203df6b21c6052b, 0xffffffffffffffff, 0xfffffffeffffffff,
@@ -703,6 +790,15 @@ void sm2_z256_modn_mont_inv(uint64_t r[4], const uint64_t a[4])
 	sm2_z256_modn_mont_exp(r, a, SM2_Z256_N_MINUS_TWO);
 }
 
+void sm2_z256_modn_inv(uint64_t r[4], const uint64_t a[4])
+{
+	uint64_t mont_a[4];
+
+	sm2_z256_modn_to_mont(a, mont_a);
+	sm2_z256_modn_mont_inv(r, mont_a);
+	sm2_z256_modn_from_mont(r, r);
+}
+
 // mont(mont(a), 1) = aR * 1 * R^-1 (mod n) = a (mod p)
 void sm2_z256_modn_from_mont(uint64_t r[4], const uint64_t a[4])
 {
@@ -732,6 +828,85 @@ int sm2_z256_modn_mont_print(FILE *fp, int ind, int fmt, const char *label, cons
 
 // Jacobian Point with Montgomery coordinates
 
+
+// 这里还应该检查X == Y == mont(1)
+int sm2_z256_point_is_at_infinity(const SM2_Z256_POINT *P)
+{
+	if (sm2_z256_is_zero(P->Z)) {
+		return 1;
+	} else {
+		return 0;
+	}
+}
+
+// mont(b), b = 0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93
+const uint64_t SM2_Z256_MODP_MONT_B[4] = {
+	0x90d230632bc0dd42, 0x71cf379ae9b537ab, 0x527981505ea51c3c, 0x240fe188ba20e2c8,
+};
+
+int sm2_z256_point_is_on_curve(const SM2_Z256_POINT *P)
+{
+	uint64_t t0[4];
+	uint64_t t1[4];
+	uint64_t t2[4];
+
+	if (sm2_z256_cmp(P->Z, SM2_Z256_MODP_MONT_ONE) == 0) {
+		// if Z == 1, check y^2 + 3*x == x^3 + b
+		sm2_z256_modp_mont_sqr(t0, P->Y);
+		sm2_z256_modp_add(t0, t0, P->X);
+		sm2_z256_modp_add(t0, t0, P->X);
+		sm2_z256_modp_add(t0, t0, P->X);
+		sm2_z256_modp_mont_sqr(t1, P->X);
+		sm2_z256_modp_mont_mul(t1, t1, P->X);
+		sm2_z256_modp_add(t1, t1, SM2_Z256_MODP_MONT_B);
+	} else {
+		// check Y^2 + 3 * X * Z^4 == X^3 + b * Z^6
+		// if Z == 0, Y^2 == X^3, i.e. Y == X is checked
+		sm2_z256_modp_mont_sqr(t0, P->Y);
+		sm2_z256_modp_mont_sqr(t1, P->Z);
+		sm2_z256_modp_mont_sqr(t2, t1);
+		sm2_z256_modp_mont_mul(t1, t1, t2);
+		sm2_z256_modp_mont_mul(t1, t1, SM2_Z256_MODP_MONT_B);
+		sm2_z256_modp_mont_mul(t2, t2, P->X);
+		sm2_z256_modp_add(t0, t0, t2);
+		sm2_z256_modp_add(t0, t0, t2);
+		sm2_z256_modp_add(t0, t0, t2);
+		sm2_z256_modp_mont_sqr(t2, P->X);
+		sm2_z256_modp_mont_mul(t2, t2, P->X);
+		sm2_z256_modp_add(t1, t1, t2);
+	}
+
+	if (sm2_z256_cmp(t0, t1) != 0) {
+		error_print();
+		return -1;
+	}
+	return 1;
+}
+
+// 当Z == 0时会怎么样
+void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4])
+{
+	if (sm2_z256_cmp(P->Z, SM2_Z256_MODP_MONT_ONE) == 0) {
+		sm2_z256_modp_from_mont(x, P->X);
+		if (y) {
+			sm2_z256_modp_from_mont(y, P->Y);
+		}
+	} else {
+		uint64_t z_inv[4];
+		sm2_z256_modp_mont_inv(z_inv, P->Z);
+		if (y) {
+			sm2_z256_modp_mont_mul(y, P->Y, z_inv);
+		}
+		sm2_z256_modp_mont_sqr(z_inv, z_inv);
+		sm2_z256_modp_mont_mul(x, P->X, z_inv);
+		sm2_z256_modp_from_mont(x, x);
+		if (y) {
+			sm2_z256_modp_mont_mul(y, y, z_inv);
+			sm2_z256_modp_from_mont(y, y);
+		}
+	}
+}
+
 void sm2_z256_point_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *A)
 {
 	const uint64_t *X1 = A->X;
@@ -918,6 +1093,7 @@ void sm2_z256_point_neg(SM2_Z256_POINT *R, const SM2_Z256_POINT *P)
 	sm2_z256_copy(R->Z, P->Z);
 }
 
+// point_mul 中用到
 void sm2_z256_point_sub(SM2_Z256_POINT *R, const SM2_Z256_POINT *A, const SM2_Z256_POINT *B)
 {
 	SM2_Z256_POINT neg_B;
@@ -925,34 +1101,76 @@ void sm2_z256_point_sub(SM2_Z256_POINT *R, const SM2_Z256_POINT *A, const SM2_Z2
 	sm2_z256_point_add(R, A, &neg_B);
 }
 
-void sm2_z256_point_get_affine(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4])
+void sm2_z256_point_mul(SM2_Z256_POINT *R, const uint64_t k[4], const SM2_Z256_POINT *P)
 {
-	uint64_t z_inv[4];
-	uint64_t x_out[4];
-	uint64_t y_out[4];
+	int window_size = 5;
+	SM2_Z256_POINT T[16];
+	int R_infinity = 1;
+	int n = (256 + window_size - 1)/window_size;
+	int i;
 
-	// z_inv = 1/Z
-	sm2_z256_modp_mont_inv(z_inv, P->Z);
+	// T[i] = (i + 1) * P
+	memcpy(&T[0], P, sizeof(SM2_Z256_POINT));
+	sm2_z256_point_dbl(&T[ 1], &T[ 0]);
+	sm2_z256_point_add(&T[ 2], &T[ 1], P);
+	sm2_z256_point_dbl(&T[ 3], &T[ 1]);
+	sm2_z256_point_add(&T[ 4], &T[ 3], P);
+	sm2_z256_point_dbl(&T[ 5], &T[ 2]);
+	sm2_z256_point_add(&T[ 6], &T[ 5], P);
+	sm2_z256_point_dbl(&T[ 7], &T[ 3]);
+	sm2_z256_point_add(&T[ 8], &T[ 7], P);
+	sm2_z256_point_dbl(&T[ 9], &T[ 4]);
+	sm2_z256_point_add(&T[10], &T[ 9], P);
+	sm2_z256_point_dbl(&T[11], &T[ 5]);
+	sm2_z256_point_add(&T[12], &T[11], P);
+	sm2_z256_point_dbl(&T[13], &T[ 6]);
+	sm2_z256_point_add(&T[14], &T[13], P);
+	sm2_z256_point_dbl(&T[15], &T[ 7]);
 
-	// y_out = Y/Z
-	if (y) {
-		sm2_z256_modp_mont_mul(y_out, P->Y, z_inv);
+	for (i = n - 1; i >= 0; i--) {
+		int booth = sm2_z256_get_booth(k, window_size, i);
+
+		if (R_infinity) {
+			if (booth != 0) {
+				*R = T[booth - 1];
+				R_infinity = 0;
+			}
+		} else {
+			sm2_z256_point_dbl(R, R);
+			sm2_z256_point_dbl(R, R);
+			sm2_z256_point_dbl(R, R);
+			sm2_z256_point_dbl(R, R);
+			sm2_z256_point_dbl(R, R);
+
+			if (booth > 0) {
+				sm2_z256_point_add(R, R, &T[booth - 1]);
+			} else if (booth < 0) {
+				sm2_z256_point_sub(R, R, &T[-booth - 1]);
+			}
+		}
 	}
 
-	// z_inv = 1/Z^2
-	sm2_z256_modp_mont_sqr(z_inv, z_inv);
-
-	// x_out = X/Z^2
-	sm2_z256_modp_mont_mul(x_out, P->X, z_inv);
-	sm2_z256_modp_from_mont(x, x_out);
-
-	if (y) {
-		// y_out = Y/Z^3
-		sm2_z256_modp_mont_mul(y_out, y_out, z_inv);
-		sm2_z256_modp_from_mont(y, y_out);
+	if (R_infinity) {
+		memset(R, 0, sizeof(*R));
 	}
 }
 
+// 这个函数对吗？这个似乎是不对的
+int sm2_z256_point_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT *P)
+{
+	uint64_t x[4];
+	uint64_t y[4];
+	uint8_t affine[64];
+
+	sm2_z256_point_get_xy(P, x, y);
+	sm2_z256_to_bytes(x, affine);
+	sm2_z256_to_bytes(y, affine + 32);
+
+	format_bytes(fp, fmt, ind, label, affine, 64);
+	return 1;
+}
+
+
 void sm2_z256_point_copy_affine(SM2_Z256_POINT *R, const SM2_Z256_POINT_AFFINE *P)
 {
 	memcpy(R, P, sizeof(SM2_Z256_POINT_AFFINE));
@@ -1051,20 +1269,6 @@ void sm2_z256_point_sub_affine(SM2_Z256_POINT *R,
 	sm2_z256_point_add_affine(R, A, &neg_B);
 }
 
-int sm2_z256_point_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT *P)
-{
-	uint64_t x[4];
-	uint64_t y[4];
-	uint8_t affine[64];
-
-	sm2_z256_point_get_affine(P, x, y);
-	sm2_z256_to_bytes(x, affine);
-	sm2_z256_to_bytes(y, affine + 32);
-
-	format_bytes(fp, fmt, ind, label, affine, 64);
-	return 1;
-}
-
 int sm2_z256_point_affine_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT_AFFINE *P)
 {
 	uint8_t affine[64];
@@ -1112,75 +1316,71 @@ void sm2_z256_point_mul_generator(SM2_Z256_POINT *R, const uint64_t k[4])
 	}
 }
 
-void sm2_z256_point_mul(SM2_Z256_POINT *R, const SM2_Z256_POINT *P, const uint64_t k[4])
-{
-	int window_size = 5;
-	SM2_Z256_POINT T[16];
-	int R_infinity = 1;
-	int n = (256 + window_size - 1)/window_size;
-	int i;
 
-	// T[i] = (i + 1) * P
-	memcpy(&T[0], P, sizeof(SM2_Z256_POINT));
-	sm2_z256_point_dbl(&T[ 1], &T[ 0]);
-	sm2_z256_point_add(&T[ 2], &T[ 1], P);
-	sm2_z256_point_dbl(&T[ 3], &T[ 1]);
-	sm2_z256_point_add(&T[ 4], &T[ 3], P);
-	sm2_z256_point_dbl(&T[ 5], &T[ 2]);
-	sm2_z256_point_add(&T[ 6], &T[ 5], P);
-	sm2_z256_point_dbl(&T[ 7], &T[ 3]);
-	sm2_z256_point_add(&T[ 8], &T[ 7], P);
-	sm2_z256_point_dbl(&T[ 9], &T[ 4]);
-	sm2_z256_point_add(&T[10], &T[ 9], P);
-	sm2_z256_point_dbl(&T[11], &T[ 5]);
-	sm2_z256_point_add(&T[12], &T[11], P);
-	sm2_z256_point_dbl(&T[13], &T[ 6]);
-	sm2_z256_point_add(&T[14], &T[13], P);
-	sm2_z256_point_dbl(&T[15], &T[ 7]);
 
-	for (i = n - 1; i >= 0; i--) {
-		int booth = sm2_z256_get_booth(k, window_size, i);
 
-		if (R_infinity) {
-			if (booth != 0) {
-				*R = T[booth - 1];
-				R_infinity = 0;
-			}
-		} else {
-			sm2_z256_point_dbl(R, R);
-			sm2_z256_point_dbl(R, R);
-			sm2_z256_point_dbl(R, R);
-			sm2_z256_point_dbl(R, R);
-			sm2_z256_point_dbl(R, R);
 
-			if (booth > 0) {
-				sm2_z256_point_add(R, R, &T[booth - 1]);
-			} else if (booth < 0) {
-				sm2_z256_point_sub(R, R, &T[-booth - 1]);
-			}
-		}
-	}
 
-	if (R_infinity) {
-		memset(R, 0, sizeof(*R));
-	}
-}
+
+
+
 
 // R = t*P + s*G
 void sm2_z256_point_mul_sum(SM2_Z256_POINT *R, const uint64_t t[4], const SM2_Z256_POINT *P, const uint64_t s[4])
 {
 	SM2_Z256_POINT Q;
 	sm2_z256_point_mul_generator(R, s);
-	sm2_z256_point_mul(&Q, P, t);
+	sm2_z256_point_mul(&Q, t, P);
 	sm2_z256_point_add(R, R, &Q);
 }
 
+
+// 这个是否要检查点是否在曲线上？			
+void sm2_z256_point_from_bytes(SM2_Z256_POINT *P, const uint8_t in[64])
+{
+	sm2_z256_from_bytes(P->X, in);
+	sm2_z256_from_bytes(P->Y, in + 32);
+	sm2_z256_modp_to_mont(P->X, P->X);
+	sm2_z256_modp_to_mont(P->Y, P->Y);
+	sm2_z256_copy(P->Z, SM2_Z256_MODP_MONT_ONE);
+}
+
+void sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex)
+{
+	uint8_t bytes[64];
+	size_t len;
+
+	hex_to_bytes(hex, 128, bytes, &len);
+	sm2_z256_point_from_bytes(P, bytes);
+}
+
 void sm2_z256_point_to_bytes(const SM2_Z256_POINT *P, uint8_t out[64])
 {
 	uint64_t x[4];
 	uint64_t y[4];
 
-	sm2_z256_point_get_affine(P, x, y);
+	sm2_z256_point_get_xy(P, x, y);
 	sm2_z256_to_bytes(x, out);
 	sm2_z256_to_bytes(y, out + 32);
 }
+
+
+int sm2_z256_point_equ_hex(const SM2_Z256_POINT *P, const char *hex)
+{
+	uint8_t P_bytes[64];
+	uint8_t hex_bytes[64];
+	size_t len;
+
+	sm2_z256_point_to_bytes(P, P_bytes);
+	hex_to_bytes(hex, 128, hex_bytes, &len);
+
+	if (memcmp(P_bytes, hex_bytes, 64) != 0) {
+		error_print();
+		return 0;
+	}
+	return 1;
+
+}
+
+
+

src/sm2_z256_sign.c

@@ -0,0 +1,485 @@
+/*
+ *  Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/mem.h>
+#include <gmssl/sm2.h>
+#include <gmssl/sm2_z256.h>
+#include <gmssl/sm3.h>
+#include <gmssl/asn1.h>
+#include <gmssl/error.h>
+#include <gmssl/endian.h>
+
+
+
+typedef SM2_Z256 SM2_U256;
+
+#define sm2_u256_one()				sm2_z256_one()
+#define sm2_u256_order()			sm2_z256_order()
+#define sm2_u256_from_bytes(a,in)		sm2_z256_from_bytes(a,in)
+#define sm2_u256_to_bytes(a,out)		sm2_z256_to_bytes(a,out)
+#define sm2_u256_print(fp,fmt,ind,label,a)	sm2_z256_print(fp,fmt,ind,label,a)
+
+#define sm2_u256_is_zero(a)			sm2_z256_is_zero(a)
+#define sm2_u256_cmp(a,b)			sm2_z256_cmp(a,b)
+#define sm2_u256_add(r,a,b)			sm2_z256_add(r,a,b)
+#define sm2_u256_sub(r,a,b)			sm2_z256_sub(r,a,b)
+
+#define sm2_u256_modn_add(r,a,b)		sm2_z256_modn_add(r,a,b)
+#define sm2_u256_modn_sub(r,a,b)		sm2_z256_modn_sub(r,a,b)
+#define sm2_u256_modn_mul(r,a,b)		sm2_z256_modn_mul(r,a,b)
+#define sm2_u256_modn_inv(r,a)			sm2_z256_modn_inv(r,a)
+#define sm2_u256_modn_rand(r)			sm2_z256_modn_rand(r)
+
+
+typedef SM2_Z256_POINT SM2_U256_POINT;
+
+#define sm2_u256_point_from_bytes(P,in)		sm2_z256_point_from_bytes((P),(in))
+#define sm2_u256_point_to_bytes(P,out)		sm2_z256_point_to_bytes((P),(out))
+#define sm2_u256_point_is_on_curve(P)		sm2_z256_point_is_on_curve(P)
+#define sm2_u256_point_mul_generator(R,k)	sm2_z256_point_mul_generator((R),(k))
+#define sm2_u256_point_mul(R,k,P)		sm2_z256_point_mul((R),(k),(P))
+#define sm2_u256_point_mul_sum(R,t,P,s)		sm2_z256_point_mul_sum((R),(t),(P),(s))
+#define sm2_u256_point_get_xy(P,x,y)		sm2_z256_point_get_xy((P),(x),(y))
+
+
+
+int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig)
+{
+	SM2_U256_POINT _P, *P = &_P;
+	SM2_U256 d;
+	SM2_U256 d_inv;
+	SM2_U256 e;
+	SM2_U256 k;
+	SM2_U256 x;
+	SM2_U256 t;
+	SM2_U256 r;
+	SM2_U256 s;
+
+	const uint64_t *one = sm2_u256_one();
+	const uint64_t *order = sm2_u256_order();
+
+	sm2_u256_from_bytes(d, key->private_key);
+
+	// compute (d + 1)^-1 (mod n)
+	sm2_u256_modn_add(d_inv, d, one);	//sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv);
+	if (sm2_u256_is_zero(d_inv)) {
+		error_print();
+		return -1;
+	}
+	sm2_u256_modn_inv(d_inv, d_inv);	//sm2_bn_print(stderr, 0, 4, "(1+d)^-1", d_inv);
+
+	// e = H(M)
+	sm2_u256_from_bytes(e, dgst);	//sm2_bn_print(stderr, 0, 4, "e", e);
+
+retry:
+	// rand k in [1, n - 1]
+	do {
+		if (sm2_u256_modn_rand(k) != 1) {
+			error_print();
+			return -1;
+		}
+	} while (sm2_u256_is_zero(k));	//sm2_bn_print(stderr, 0, 4, "k", k);
+
+	// (x, y) = kG
+	sm2_u256_point_mul_generator(P, k);
+	sm2_u256_point_get_xy(P, x, NULL);
+					//sm2_bn_print(stderr, 0, 4, "x", x);
+
+
+	// r = e + x (mod n)
+	if (sm2_u256_cmp(e, order) >= 0) {
+		sm2_u256_sub(e, e, order);
+	}
+	if (sm2_u256_cmp(x, order) >= 0) {
+		sm2_u256_sub(x, x, order);
+	}
+	sm2_u256_modn_add(r, e, x);		//sm2_bn_print(stderr, 0, 4, "r = e + x (mod n)", r);
+
+	// if r == 0 or r + k == n re-generate k
+	sm2_u256_add(t, r, k);
+	if (sm2_u256_is_zero(r) || sm2_u256_cmp(t, order) == 0) {
+					//sm2_bn_print(stderr, 0, 4, "r + k", t);
+		goto retry;
+	}
+
+	// s = ((1 + d)^-1 * (k - r * d)) mod n
+	sm2_u256_modn_mul(t, r, d);		//sm2_bn_print(stderr, 0, 4, "r*d", t);
+	sm2_u256_modn_sub(k, k, t);		//sm2_bn_print(stderr, 0, 4, "k-r*d", k);
+	sm2_u256_modn_mul(s, d_inv, k);	//sm2_bn_print(stderr, 0, 4, "s = ((1 + d)^-1 * (k - r * d)) mod n", s);
+
+	// check s != 0
+	if (sm2_u256_is_zero(s)) {
+		goto retry;
+	}
+
+	sm2_u256_to_bytes(r, sig->r);	//sm2_bn_print_bn(stderr, 0, 4, "r", r);
+	sm2_u256_to_bytes(s, sig->s);	//sm2_bn_print_bn(stderr, 0, 4, "s", s);
+
+	gmssl_secure_clear(d, sizeof(d));
+	gmssl_secure_clear(d_inv, sizeof(d_inv ));
+	gmssl_secure_clear(k, sizeof(k));
+	gmssl_secure_clear(t, sizeof(t));
+	return 1;
+}
+
+// (x1, y1) = k * G
+// r = e + x1
+// s = (k - r * d)/(1 + d) = (k +r - r * d - r)/(1 + d) = (k + r - r(1 +d))/(1 + d) = (k + r)/(1 + d) - r
+//	= -r + (k + r)*(1 + d)^-1
+//	= -r + (k + r) * d'
+
+int sm2_do_sign_fast(const SM2_Fn d, const uint8_t dgst[32], SM2_SIGNATURE *sig)
+{
+	SM2_U256_POINT R;
+	SM2_U256 e;
+	SM2_U256 k;
+	SM2_U256 x1;
+	SM2_U256 r;
+	SM2_U256 s;
+
+	const uint64_t *order = sm2_u256_order();
+
+	// e = H(M)
+	sm2_u256_from_bytes(e, dgst);
+	if (sm2_u256_cmp(e, order) >= 0) {
+		sm2_u256_sub(e, e, order);
+	}
+
+	// rand k in [1, n - 1]
+	do {
+		if (sm2_u256_modn_rand(k) != 1) {
+			error_print();
+			return -1;
+		}
+	} while (sm2_u256_is_zero(k));
+
+	// (x1, y1) = kG
+	sm2_u256_point_mul_generator(&R, k);
+	sm2_u256_point_get_xy(&R, x1, NULL);
+
+	// r = e + x1 (mod n)
+	sm2_u256_modn_add(r, e, x1);
+
+	// 对于快速实现来说，只需要一次乘法
+
+	// s = (k + r) * d' - r
+	sm2_u256_add(s, k, r);
+	sm2_u256_modn_mul(s, s, d);
+	sm2_u256_modn_sub(s, s, r);
+
+	sm2_u256_to_bytes(r, sig->r);
+	sm2_u256_to_bytes(s, sig->s);
+	return 1;
+}
+
+int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATURE *sig)
+{
+	SM2_U256_POINT _P, *P = &_P;
+	SM2_U256_POINT _R, *R = &_R;
+	SM2_U256 r;
+	SM2_U256 s;
+	SM2_U256 e;
+	SM2_U256 x;
+	SM2_U256 t;
+
+	const uint64_t *order = sm2_u256_order();
+
+	sm2_u256_print(stderr, 0, 4, "n", order);
+
+	// parse public key
+	sm2_u256_point_from_bytes(P, (const uint8_t *)&key->public_key);
+	//sm2_u256_point_from_bytes(P, (const uint8_t *)&key->public_key);
+					//sm2_jacobian_point_print(stderr, 0, 4, "P", P);
+
+	// parse signature values
+	sm2_u256_from_bytes(r, sig->r);	sm2_u256_print(stderr, 0, 4, "r", r);
+	sm2_u256_from_bytes(s, sig->s);	sm2_u256_print(stderr, 0, 4, "s", s);
+
+	// check r, s in [1, n-1]
+	if (sm2_u256_is_zero(r) == 1) {
+		error_print();
+		return -1;
+	}
+	if (sm2_u256_cmp(r, order) >= 0) {
+		sm2_u256_print(stderr, 0, 4, "err: r", r);
+		sm2_u256_print(stderr, 0, 4, "err: order", order);
+		error_print();
+		return -1;
+	}
+	if (sm2_u256_is_zero(s) == 1) {
+		error_print();
+		return -1;
+	}
+	if (sm2_u256_cmp(s, order) >= 0) {
+
+		sm2_u256_print(stderr, 0, 4, "err: s", s);
+		sm2_u256_print(stderr, 0, 4, "err: order", order);
+
+		printf(">>>>>\n");
+		int r = sm2_u256_cmp(s, order);
+		fprintf(stderr, "cmp ret = %d\n", r);
+		printf(">>>>>\n");
+
+		error_print();
+		return -1;
+	}
+
+	// e = H(M)
+	sm2_u256_from_bytes(e, dgst);	//sm2_bn_print(stderr, 0, 4, "e = H(M)", e);
+
+	// t = r + s (mod n), check t != 0
+	sm2_u256_modn_add(t, r, s);		//sm2_bn_print(stderr, 0, 4, "t = r + s (mod n)", t);
+	if (sm2_u256_is_zero(t)) {
+		error_print();
+		return -1;
+	}
+
+	// Q = s * G + t * P
+	sm2_u256_point_mul_sum(R, t, P, s);
+	sm2_u256_point_get_xy(R, x, NULL);
+					//sm2_bn_print(stderr, 0, 4, "x", x);
+
+	// r' = e + x (mod n)
+	if (sm2_u256_cmp(e, order) >= 0) {
+		sm2_u256_sub(e, e, order);
+	}
+	if (sm2_u256_cmp(x, order) >= 0) {
+		sm2_u256_sub(x, x, order);
+	}
+	sm2_u256_modn_add(e, e, x);		//sm2_bn_print(stderr, 0, 4, "e + x (mod n)", e);
+
+	// check if r == r'
+	if (sm2_u256_cmp(e, r) != 0) {
+		error_print();
+		return -1;
+	}
+	return 1;
+}
+
+static int all_zero(const uint8_t *buf, size_t len)
+{
+	size_t i;
+	for (i = 0; i < len; i++) {
+		if (buf[i]) {
+			return 0;
+		}
+	}
+	return 1;
+}
+
+int sm2_do_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, SM2_CIPHERTEXT *out)
+{
+	SM2_U256 k;
+	SM2_U256_POINT _P, *P = &_P;
+	SM2_U256_POINT _C1, *C1 = &_C1;
+	SM2_U256_POINT _kP, *kP = &_kP;
+	uint8_t x2y2[64];
+	SM3_CTX sm3_ctx;
+
+	if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) {
+		error_print();
+		return -1;
+	}
+
+	sm2_u256_point_from_bytes(P, (uint8_t *)&key->public_key);
+
+	// S = h * P, check S != O
+	// for sm2 curve, h == 1 and S == P
+	// SM2_POINT can not present point at infinity, do do nothing here
+
+retry:
+	// rand k in [1, n - 1]
+	// TODO: set rand_bytes output for testing		
+	do {
+		if (sm2_u256_modn_rand(k) != 1) {
+			error_print();
+			return -1;
+		}
+	} while (sm2_u256_is_zero(k));	//sm2_bn_print(stderr, 0, 4, "k", k);
+
+	// output C1 = k * G = (x1, y1)
+	sm2_u256_point_mul_generator(C1, k);
+	sm2_u256_point_to_bytes(C1, (uint8_t *)&out->point);
+
+	// k * P = (x2, y2)
+	sm2_u256_point_mul(kP, k, P);
+	sm2_u256_point_to_bytes(kP, x2y2);
+
+	// t = KDF(x2 || y2, inlen)
+	sm2_kdf(x2y2, 64, inlen, out->ciphertext);
+
+	// if t is all zero, retry
+	if (all_zero(out->ciphertext, inlen)) {
+		goto retry;
+	}
+
+	// output C2 = M xor t
+	gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen);
+	out->ciphertext_size = (uint32_t)inlen;
+
+	// output C3 = Hash(x2 || m || y2)
+	sm3_init(&sm3_ctx);
+	sm3_update(&sm3_ctx, x2y2, 32);
+	sm3_update(&sm3_ctx, in, inlen);
+	sm3_update(&sm3_ctx, x2y2 + 32, 32);
+	sm3_finish(&sm3_ctx, out->hash);
+
+	gmssl_secure_clear(k, sizeof(k));
+	gmssl_secure_clear(kP, sizeof(SM2_U256_POINT));
+	gmssl_secure_clear(x2y2, sizeof(x2y2));
+	return 1;
+}
+
+int sm2_do_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, SM2_CIPHERTEXT *out)
+{
+	unsigned int trys = 200;
+	SM2_U256 k;
+	SM2_U256_POINT _P, *P = &_P;
+	SM2_U256_POINT _C1, *C1 = &_C1;
+	SM2_U256_POINT _kP, *kP = &_kP;
+	uint8_t x2y2[64];
+	SM3_CTX sm3_ctx;
+
+	if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) {
+		error_print();
+		return -1;
+	}
+
+	switch (point_size) {
+	case SM2_ciphertext_compact_point_size:
+	case SM2_ciphertext_typical_point_size:
+	case SM2_ciphertext_max_point_size:
+		break;
+	default:
+		error_print();
+		return -1;
+	}
+
+	sm2_u256_point_from_bytes(P, (uint8_t *)&key->public_key);
+
+	// S = h * P, check S != O
+	// for sm2 curve, h == 1 and S == P
+	// SM2_POINT can not present point at infinity, do do nothing here
+
+retry:
+	// rand k in [1, n - 1]
+	do {
+		if (sm2_u256_modn_rand(k) != 1) {
+			error_print();
+			return -1;
+		}
+	} while (sm2_u256_is_zero(k));	//sm2_bn_print(stderr, 0, 4, "k", k);
+
+	// output C1 = k * G = (x1, y1)
+	sm2_u256_point_mul_generator(C1, k);
+	sm2_u256_point_to_bytes(C1, (uint8_t *)&out->point);
+
+	// check fixlen
+	if (trys) {
+		size_t len = 0;
+		asn1_integer_to_der(out->point.x, 32, NULL, &len);
+		asn1_integer_to_der(out->point.y, 32, NULL, &len);
+		if (len != point_size) {
+			trys--;
+			goto retry;
+		}
+	} else {
+		gmssl_secure_clear(k, sizeof(k));
+		error_print();
+		return -1;
+	}
+
+	// k * P = (x2, y2)
+	sm2_u256_point_mul(kP, k, P);
+	sm2_u256_point_to_bytes(kP, x2y2);
+
+	// t = KDF(x2 || y2, inlen)
+	sm2_kdf(x2y2, 64, inlen, out->ciphertext);
+
+	// if t is all zero, retry
+	if (all_zero(out->ciphertext, inlen)) {
+		goto retry;
+	}
+
+	// output C2 = M xor t
+	gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen);
+	out->ciphertext_size = (uint32_t)inlen;
+
+	// output C3 = Hash(x2 || m || y2)
+	sm3_init(&sm3_ctx);
+	sm3_update(&sm3_ctx, x2y2, 32);
+	sm3_update(&sm3_ctx, in, inlen);
+	sm3_update(&sm3_ctx, x2y2 + 32, 32);
+	sm3_finish(&sm3_ctx, out->hash);
+
+	gmssl_secure_clear(k, sizeof(k));
+	gmssl_secure_clear(kP, sizeof(SM2_U256_POINT));
+	gmssl_secure_clear(x2y2, sizeof(x2y2));
+	return 1;
+}
+
+int sm2_do_decrypt(const SM2_KEY *key, const SM2_CIPHERTEXT *in, uint8_t *out, size_t *outlen)
+{
+	int ret = -1;
+	SM2_U256 d;
+	SM2_U256_POINT _C1, *C1 = &_C1;
+	uint8_t x2y2[64];
+	SM3_CTX sm3_ctx;
+	uint8_t hash[32];
+
+	// check C1 is on sm2 curve
+	sm2_u256_point_from_bytes(C1, (uint8_t *)&in->point);
+	if (!sm2_u256_point_is_on_curve(C1)) {
+		error_print();
+		return -1;
+	}
+
+	// check if S = h * C1 is point at infinity
+	// this will not happen, as SM2_POINT can not present point at infinity
+
+	// d * C1 = (x2, y2)
+	sm2_u256_from_bytes(d, key->private_key);
+	sm2_u256_point_mul(C1, d, C1);
+
+	// t = KDF(x2 || y2, klen) and check t is not all zeros
+	sm2_u256_point_to_bytes(C1, x2y2);
+	sm2_kdf(x2y2, 64, in->ciphertext_size, out);
+	if (all_zero(out, in->ciphertext_size)) {
+		error_print();
+		goto end;
+	}
+
+	// M = C2 xor t
+	gmssl_memxor(out, out, in->ciphertext, in->ciphertext_size);
+	*outlen = in->ciphertext_size;
+
+	// u = Hash(x2 || M || y2)
+	sm3_init(&sm3_ctx);
+	sm3_update(&sm3_ctx, x2y2, 32);
+	sm3_update(&sm3_ctx, out, in->ciphertext_size);
+	sm3_update(&sm3_ctx, x2y2 + 32, 32);
+	sm3_finish(&sm3_ctx, hash);
+
+	// check if u == C3
+	if (memcmp(in->hash, hash, sizeof(hash)) != 0) {
+		error_print();
+		goto end;
+	}
+	ret = 1;
+
+end:
+	gmssl_secure_clear(d, sizeof(d));
+	gmssl_secure_clear(C1, sizeof(SM2_U256_POINT));
+	gmssl_secure_clear(x2y2, sizeof(x2y2));
+	return ret;
+}

tests/sm2_enctest.c

@@ -0,0 +1,341 @@
+/*
+ *  Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/rand.h>
+#include <gmssl/asn1.h>
+#include <gmssl/error.h>
+#include <gmssl/sm2.h>
+#include <gmssl/pkcs8.h>
+
+
+
+// 由于当前Ciphertext中椭圆曲线点数据不正确，因此无法通过测试
+static int test_sm2_ciphertext(void)
+{
+	SM2_CIPHERTEXT C;
+	uint8_t buf[1024];
+	uint8_t *p = buf;
+	const uint8_t *cp = buf;
+	size_t len = 0;
+
+	memset(&C, 0, sizeof(SM2_CIPHERTEXT));
+
+	cp = p = buf; len = 0;
+	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "SM2_NULL_CIPHERTEXT_SIZE: %zu\n", len);
+	format_bytes(stderr, 0, 4, "", buf, len);
+
+
+	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
+		|| asn1_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+
+
+	// {0, 0, Hash, MinLen}
+	C.ciphertext_size = SM2_MIN_PLAINTEXT_SIZE;
+	cp = p = buf; len = 0;
+	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "SM2_MIN_PLAINTEXT_SIZE: %zu\n", SM2_MIN_PLAINTEXT_SIZE);
+	format_print(stderr, 0, 4, "SM2_MIN_CIPHERTEXT_SIZE: %zu\n", len);
+	format_bytes(stderr, 0, 4, "", buf, len);
+	if (len != SM2_MIN_CIPHERTEXT_SIZE) {
+		error_print();
+		return -1;
+	}
+	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
+		|| asn1_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+
+	// { 33, 33, Hash, NULL }
+	memset(&C, 0x80, sizeof(SM2_POINT));
+	cp = p = buf; len = 0;
+	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "ciphertext len: %zu\n", len);
+	format_bytes(stderr, 0, 4, "", buf, len);
+	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
+		|| asn1_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+
+	// { 33, 33, Hash, MaxLen }
+	C.ciphertext_size = SM2_MAX_PLAINTEXT_SIZE;//SM2_MAX_PLAINTEXT_SIZE;
+	cp = p = buf; len = 0;
+	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "SM2_MAX_PLAINTEXT_SIZE: %zu\n", SM2_MAX_PLAINTEXT_SIZE);
+	format_print(stderr, 0, 4, "SM2_MAX_CIPHERTEXT_SIZE: %zu\n", len);
+	format_bytes(stderr, 0, 4, "", buf, len);
+	if (len != SM2_MAX_CIPHERTEXT_SIZE) {
+		error_print();
+		return -1;
+	}
+	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
+		|| asn1_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+#define TEST_COUNT 20
+
+static int test_sm2_do_encrypt(void)
+{
+	SM2_KEY sm2_key;
+	uint8_t plaintext[] = "Hello World!";
+	SM2_CIPHERTEXT ciphertext;
+
+	uint8_t plainbuf[SM2_MAX_PLAINTEXT_SIZE] = {0};
+	size_t plainlen = 0;
+	int r = 0;
+
+	size_t i = 0;
+
+	for (i = 0; i < TEST_COUNT; i++) {
+
+		if (sm2_key_generate(&sm2_key) != 1) {
+			error_print();
+			return -1;
+		}
+
+		if (sm2_do_encrypt(&sm2_key, plaintext, sizeof(plaintext), &ciphertext) != 1) {
+			error_print();
+			return -1;
+		}
+
+		if (sm2_do_decrypt(&sm2_key, &ciphertext, plainbuf, &plainlen) != 1) {
+			error_print();
+			return -1;
+		}
+		if (plainlen != sizeof(plaintext)
+			|| memcmp(plainbuf, plaintext, sizeof(plaintext)) != 0) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_sm2_do_encrypt_fixlen(void)
+{
+	struct {
+		int point_size;
+		size_t plaintext_len;
+	} tests[] = {
+		{ SM2_ciphertext_compact_point_size, 10 },
+		{ SM2_ciphertext_typical_point_size, 10 },
+		{ SM2_ciphertext_max_point_size, 10 },
+	};
+
+	SM2_KEY sm2_key;
+	uint8_t plaintext[SM2_MAX_PLAINTEXT_SIZE];
+	SM2_CIPHERTEXT ciphertext;
+	uint8_t decrypted[SM2_MAX_PLAINTEXT_SIZE];
+	size_t decrypted_len;
+
+	size_t i;
+
+	if (sm2_key_generate(&sm2_key) != 1) {
+		error_print();
+		return -1;
+	}
+
+	rand_bytes(plaintext, sizeof(plaintext));
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+
+		if (sm2_do_encrypt_fixlen(&sm2_key, plaintext, tests[i].plaintext_len, tests[i].point_size, &ciphertext) != 1) {
+			error_print();
+			return -1;
+		}
+
+		if (sm2_do_decrypt(&sm2_key, &ciphertext, decrypted, &decrypted_len) != 1) {
+			error_print();
+			return -1;
+		}
+
+		if (decrypted_len != tests[i].plaintext_len) {
+			error_print();
+			return -1;
+		}
+		if (memcmp(decrypted, plaintext, decrypted_len) != 0) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+
+static int test_sm2_encrypt_fixlen(void)
+{
+	struct {
+		int point_size;
+		size_t plaintext_len;
+	} tests[] = {
+		{ SM2_ciphertext_compact_point_size, 1 },
+		{ SM2_ciphertext_typical_point_size, 64 },
+		{ SM2_ciphertext_max_point_size, SM2_MAX_PLAINTEXT_SIZE },
+	};
+
+	SM2_KEY sm2_key;
+	size_t point_size;
+	uint8_t plaintext[SM2_MAX_PLAINTEXT_SIZE];
+	uint8_t encrypted[SM2_MAX_CIPHERTEXT_SIZE];
+	uint8_t decrypted[SM2_MAX_PLAINTEXT_SIZE];
+	size_t encrypted_len, encrypted_fixlen, decrypted_len;
+	size_t i, j;
+
+	if (sm2_key_generate(&sm2_key) != 1) {
+		error_print();
+		return -1;
+	}
+	rand_bytes(plaintext, sizeof(plaintext));
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+
+		if (sm2_encrypt_fixlen(&sm2_key, plaintext, tests[i].plaintext_len, tests[i].point_size,
+			encrypted, &encrypted_len) != 1) {
+			error_print();
+			return -1;
+		}
+
+		if (sm2_decrypt(&sm2_key, encrypted, encrypted_len, decrypted, &decrypted_len) != 1) {
+			error_print();
+			return -1;
+		}
+		if (decrypted_len != tests[i].plaintext_len) {
+			error_print();
+			return -1;
+		}
+		if (memcmp(decrypted, plaintext, tests[i].plaintext_len) != 0) {
+			error_print();
+			return -1;
+		}
+
+		// check if sm2_encrypt_fixlen always output fixed length ciphertext
+		encrypted_fixlen = encrypted_len;
+		for (j = 0; j < 10; j++) {
+			if (sm2_encrypt_fixlen(&sm2_key, plaintext, tests[i].plaintext_len, tests[i].point_size,
+				encrypted, &encrypted_len) != 1) {
+				error_print();
+				return -1;
+			}
+			printf("plaintext len = %zu, ciphertext len = %zu\n", tests[i].plaintext_len, encrypted_len);
+			if (encrypted_len != encrypted_fixlen) {
+				error_print();
+				return -1;
+			}
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+
+
+// 应该生成不同情况下的密文！
+			
+
+
+
+
+
+static int test_sm2_encrypt(void)
+{
+	SM2_KEY sm2_key;
+	uint8_t msg[SM2_MAX_PLAINTEXT_SIZE];
+	uint8_t cbuf[SM2_MAX_CIPHERTEXT_SIZE+100];
+	uint8_t mbuf[SM2_MAX_CIPHERTEXT_SIZE];
+	size_t lens[] = {
+//		0,
+		1,
+		16,
+		SM2_MAX_PLAINTEXT_SIZE,
+	};
+	size_t clen, mlen;
+	int i;
+
+	if (sm2_key_generate(&sm2_key) != 1) {
+		error_print();
+		return -1;
+	}
+
+	for (i = 0; i < sizeof(msg); i++) {
+		msg[i] = (uint8_t)i;
+	}
+
+	for (i = 0; i < sizeof(lens)/sizeof(lens[0]); i++) {
+		format_print(stderr, 0, 0, "test %d\n", i + 1);
+		format_bytes(stderr, 0, 4, "plaintext", msg, lens[i]);
+		if (sm2_encrypt(&sm2_key, msg, lens[i], cbuf, &clen) != 1) {
+			error_print();
+			return -1;
+		}
+		format_bytes(stderr, 0, 4, "ciphertext", cbuf, clen);
+		sm2_ciphertext_print(stderr, 0, 4, "Ciphertext", cbuf, clen);
+		format_print(stderr, 0, 0, "\n");
+
+		if (sm2_decrypt(&sm2_key, cbuf, clen, mbuf, &mlen) != 1) {
+			error_print();
+			return -1;
+		}
+		if (mlen != lens[i]
+			|| memcmp(mbuf, msg, lens[i]) != 0) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+
+
+int main(void)
+{
+	//if (test_sm2_ciphertext() != 1) goto err; // 需要正确的Ciphertext数据
+	if (test_sm2_do_encrypt() != 1) goto err;
+	if (test_sm2_do_encrypt_fixlen() != 1) goto err;
+	if (test_sm2_encrypt() != 1) goto err;
+	if (test_sm2_encrypt_fixlen() != 1) goto err;
+	printf("%s all tests passed\n", __FILE__);
+	return 0;
+err:
+	error_print();
+	return -1;
+}
+

tests/sm2_signtest.c

@@ -0,0 +1,224 @@
+/*
+ *  Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/asn1.h>
+#include <gmssl/rand.h>
+#include <gmssl/error.h>
+#include <gmssl/sm2.h>
+#include <gmssl/sm2_z256.h>
+#include <gmssl/pkcs8.h>
+
+
+static int test_sm2_signature(void)
+{
+	SM2_SIGNATURE sig;
+	uint8_t buf[512];
+	uint8_t *p = buf;
+	const uint8_t *cp = buf;
+	size_t len = 0;
+
+	// MinLen
+	memset(&sig, 0x00, sizeof(sig));
+	cp = p = buf; len = 0;
+	if (sm2_signature_to_der(&sig, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "SM2_MIN_SIGNATURE_SIZE: %zu\n", len);
+	format_bytes(stderr, 0, 4, "", buf, len);
+	sm2_signature_print(stderr, 0, 4, "signature", buf, len);
+	if (len != SM2_MIN_SIGNATURE_SIZE) {
+		error_print();
+		return -1;
+	}
+	if (sm2_signature_from_der(&sig, &cp, &len) != 1
+		|| asn1_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+
+
+	// MaxLen
+	memset(&sig, 0x80, sizeof(sig));
+	cp = p = buf; len = 0;
+	if (sm2_signature_to_der(&sig, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "SM2_MAX_SIGNATURE_SIZE: %zu\n", len);
+	format_bytes(stderr, 0, 4, "", buf, len);
+	sm2_signature_print(stderr, 0, 4, "signature", buf, len);
+	if (len != SM2_MAX_SIGNATURE_SIZE) {
+		error_print();
+		return -1;
+	}
+	if (sm2_signature_from_der(&sig, &cp, &len) != 1
+		|| asn1_length_is_zero(len) != 1) {
+		error_print();
+		return -1;
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+#define TEST_COUNT 20
+
+static int test_sm2_do_sign(void)
+{
+	SM2_KEY sm2_key;
+	uint8_t dgst[32];
+	SM2_SIGNATURE sig;
+	size_t i;
+
+	for (i = 0; i < TEST_COUNT; i++) {
+
+		if (sm2_key_generate(&sm2_key) != 1) {
+			error_print();
+			return -1;
+		}
+		rand_bytes(dgst, 32);
+
+		if (sm2_do_sign(&sm2_key, dgst, &sig) != 1) {
+			error_print();
+			return -1;
+		}
+		if (sm2_do_verify(&sm2_key, dgst, &sig) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+#define SM2_U256		SM2_Z256
+#define sm2_u256_one		sm2_z256_one
+#define sm2_u256_is_zero	sm2_z256_is_zero
+#define sm2_u256_from_bytes	sm2_z256_from_bytes
+#define sm2_u256_modn_add	sm2_z256_modn_add
+#define sm2_u256_modn_inv	sm2_z256_modn_inv
+
+static int test_sm2_do_sign_fast(void)
+{
+	SM2_KEY sm2_key;
+	SM2_U256 d;
+	uint8_t dgst[32];
+	SM2_SIGNATURE sig;
+	size_t i;
+
+	// d' = (d + 1)^-1 (mod n)
+	const uint64_t *one = sm2_u256_one();
+	do {
+		sm2_key_generate(&sm2_key);
+		sm2_u256_from_bytes(d, sm2_key.private_key);
+		sm2_u256_modn_add(d, d, one);
+		sm2_u256_modn_inv(d, d);
+	} while (sm2_u256_is_zero(d));
+
+	for (i = 0; i < TEST_COUNT; i++) {
+		if (sm2_do_sign_fast(d, dgst, &sig) != 1) {
+			error_print();
+			return -1;
+		}
+		if (sm2_do_verify(&sm2_key, dgst, &sig) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_sm2_sign(void)
+{
+	SM2_KEY sm2_key;
+	uint8_t dgst[32];
+	uint8_t sig[SM2_MAX_SIGNATURE_SIZE];
+	size_t siglen;
+	size_t i;
+
+	for (i = 0; i < TEST_COUNT; i++) {
+
+		if (sm2_key_generate(&sm2_key) != 1) {
+			error_print();
+			return -1;
+		}
+		rand_bytes(dgst, 32);
+
+		if (sm2_sign(&sm2_key, dgst, sig, &siglen) != 1) {
+			error_print();
+			return -1;
+		}
+		if (sm2_verify(&sm2_key, dgst, sig, siglen) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_sm2_sign_ctx(void)
+{
+	int ret;
+	SM2_KEY sm2_key;
+	SM2_SIGN_CTX sign_ctx;
+	uint8_t msg[] = "Hello World!";
+	uint8_t sig[SM2_MAX_SIGNATURE_SIZE] = {0};
+	size_t siglen;
+
+	if (sm2_key_generate(&sm2_key) != 1) {
+		error_print();
+		return -1;
+	}
+	sm2_key_print(stderr, 0, 4, "SM2_KEY", &sm2_key);
+
+	if (sm2_sign_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
+		|| sm2_sign_update(&sign_ctx, msg, sizeof(msg)) != 1
+		|| sm2_sign_finish(&sign_ctx, sig, &siglen) != 1) {
+		error_print();
+		return -1;
+	}
+	format_bytes(stderr, 0, 4, "signature", sig, siglen);
+	sm2_signature_print(stderr, 0, 4, "signature", sig, siglen);
+
+	if (sm2_verify_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
+		|| sm2_verify_update(&sign_ctx, msg, sizeof(msg)) != 1
+		|| (ret = sm2_verify_finish(&sign_ctx, sig, siglen)) != 1) {
+		error_print();
+		return -1;
+	}
+	format_print(stderr, 0, 4, "verification: %s\n", ret ? "success" : "failed");
+
+	// FIXME: 还应该增加验证不通过的测试
+	// 还应该增加底层的参数
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+int main(void)
+{
+	if (test_sm2_signature() != 1) goto err;
+	if (test_sm2_do_sign() != 1) goto err;
+	if (test_sm2_sign() != 1) goto err;
+	if (test_sm2_sign_ctx() != 1) goto err;
+	printf("%s all tests passed\n", __FILE__);
+	return 0;
+err:
+	error_print();
+	return -1;
+}
+

tests/sm2_z256test.c

@@ -19,6 +19,7 @@
 
 enum {
 	OP_ADD,
+	OP_DBL,
 	OP_SUB,
 	OP_NEG,
 	OP_MUL,
@@ -240,25 +241,16 @@ static int test_sm2_z256_modn(void)
 			sm2_z256_modn_neg(c, a);
 			break;
 		case OP_MUL:
-			sm2_z256_modn_to_mont(a, a);
-			sm2_z256_modn_to_mont(b, b);
-			sm2_z256_modn_mont_mul(c, a, b);
-			sm2_z256_modn_from_mont(c, c);
+			sm2_z256_modn_mul(c, a, b);
 			break;
 		case OP_SQR:
-			sm2_z256_modn_to_mont(a, a);
-			sm2_z256_modn_mont_sqr(c, a);
-			sm2_z256_modn_from_mont(c, c);
+			sm2_z256_modn_sqr(c, a);
 			break;
 		case OP_EXP:
-			sm2_z256_modn_to_mont(a, a);
-			sm2_z256_modn_mont_exp(c, a, b);
-			sm2_z256_modn_from_mont(c, c);
+			sm2_z256_modn_exp(c, a, b);
 			break;
 		case OP_INV:
-			sm2_z256_modn_to_mont(a, a);
-			sm2_z256_modn_mont_inv(c, a);
-			sm2_z256_modn_from_mont(c, c);
+			sm2_z256_modn_inv(c, a);
 			break;
 		default:
 			error_print();
@@ -285,6 +277,219 @@ static int test_sm2_z256_modn(void)
 	return 1;
 }
 
+static int test_sm2_z256_point_is_on_curve(void)
+{
+
+	struct {
+		char *label;
+		char *mont_X;
+		char *mont_Y;
+		char *mont_Z;
+	} tests[] = {
+		{
+		"Point at Infinity (1:1:0)",
+		"0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1)
+		"0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1)
+		"0000000000000000000000000000000000000000000000000000000000000000", // 0
+		},
+		{
+		"Affine Point [1]G with Montgomery Coordinates",
+		"91167a5ee1c13b05d6a1ed99ac24c3c33e7981eddca6c05061328990f418029e", // mont(x)
+		"63cd65d481d735bd8d4cfb066e2a48f8c1f5e5788d3295fac1354e593c2d0ddd", // mont(y)
+		"0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1)
+		},
+		{
+		"Jacobian Point [2]G with Montgomery Coordinates",
+		"398874c476a3b1f77aef3e862601440903243d78d5b614a62eda8381e63c48d6",
+		"1fbbdfdddaf4fd475a86a7ae64921d4829f04a88f6cf4dc128385681c1a73e40",
+		"c79acba903ae6b7b1a99f60cdc5491f183ebcaf11a652bf5826a9cb2785a1bba",
+		},
+	};
+
+	SM2_Z256_POINT P;
+	size_t i;
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+
+		sm2_z256_from_hex(P.X, tests[i].mont_X);
+		sm2_z256_from_hex(P.Y, tests[i].mont_Y);
+		sm2_z256_from_hex(P.Z, tests[i].mont_Z);
+
+		if (sm2_z256_point_is_on_curve(&P) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_sm2_z256_point_get_xy(void)
+{
+	struct {
+		char *label;
+		char *mont_X;
+		char *mont_Y;
+		char *mont_Z;
+		char *x;
+		char *y;
+	} tests[] = {
+		{
+		"Point at Infinity (1:1:0)",
+		"0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1)
+		"0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1)
+		"0000000000000000000000000000000000000000000000000000000000000000", // 0
+		"0000000000000000000000000000000000000000000000000000000000000000", // 0
+		"0000000000000000000000000000000000000000000000000000000000000000", // 0
+		},
+		{
+		"Affine Point [1]G with Montgomery Coordinates",
+		"91167a5ee1c13b05d6a1ed99ac24c3c33e7981eddca6c05061328990f418029e", // mont(x)
+		"63cd65d481d735bd8d4cfb066e2a48f8c1f5e5788d3295fac1354e593c2d0ddd", // mont(y)
+		"0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1)
+		"32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", // x
+		"bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", // y
+		},
+		{
+		"Jacobian Point [2]G with Montgomery Coordinates",
+		"398874c476a3b1f77aef3e862601440903243d78d5b614a62eda8381e63c48d6",
+		"1fbbdfdddaf4fd475a86a7ae64921d4829f04a88f6cf4dc128385681c1a73e40",
+		"c79acba903ae6b7b1a99f60cdc5491f183ebcaf11a652bf5826a9cb2785a1bba",
+		"56cefd60d7c87c000d58ef57fa73ba4d9c0dfa08c08a7331495c2e1da3f2bd52",
+		"31b7e7e6cc8189f668535ce0f8eaf1bd6de84c182f6c8e716f780d3a970a23c3",
+		},
+	};
+
+	SM2_Z256_POINT P;
+	uint64_t x[4];
+	uint64_t y[4];
+	size_t i;
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+
+		sm2_z256_from_hex(P.X, tests[i].mont_X);
+		sm2_z256_from_hex(P.Y, tests[i].mont_Y);
+		sm2_z256_from_hex(P.Z, tests[i].mont_Z);
+
+		sm2_z256_point_get_xy(&P, x, NULL);
+		if (sm2_z256_equ_hex(x, tests[i].x) != 1) {
+			error_print();
+			return -1;
+		}
+
+		sm2_z256_point_get_xy(&P, x, y);
+		if (sm2_z256_equ_hex(y, tests[i].y) != 1) {
+			error_print();
+			return -1;
+		}
+	};
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_sm2_z256_point_ops(void)
+{
+	char *hex_G =
+		"32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7"
+		"bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0";
+	char *hex_2G =
+		"56cefd60d7c87c000d58ef57fa73ba4d9c0dfa08c08a7331495c2e1da3f2bd52"
+		"31b7e7e6cc8189f668535ce0f8eaf1bd6de84c182f6c8e716f780d3a970a23c3";
+	char *hex_3G =
+		"a97f7cd4b3c993b4be2daa8cdb41e24ca13f6bd945302244e26918f1d0509ebf"
+		"530b5dd88c688ef5ccc5cec08a72150f7c400ee5cd045292aaacdd037458f6e6";
+	char *hex_negG =
+		"32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7"
+		"43c8c95c0b098863a642311c9496deac2f56788239d5b8c0fd20cd1adec60f5f";
+	char *hex_10G =
+		"d3f94862519621c121666061f65c3e32b2d0d065cd219e3284a04814db522756"
+		"4b9030cf676f6a742ebd57d146dca428f6b743f64d1482d147d46fb2bab82a14";
+	char *hex_bG =
+		"528470bc74a6ebc663c06fc4cfa1b630d1e9d4a80c0a127b47f73c324c46c0ba"
+		"832cf9c5a15b997e60962b4cf6e2c9cee488faaec98d20599d323d4cabfc1bf4";
+	char *hex_10 =
+		"000000000000000000000000000000000000000000000000000000000000000A";
+	char *hex_b =
+		"28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93";
+
+	struct {
+		char *label;
+		int op;
+		char *R;
+		char *k;
+		char *A;
+		char *B;
+	} tests[] = {
+		{"[2]G", OP_DBL, hex_2G, NULL, hex_G, NULL,},
+		{"[2]G + G", OP_ADD, hex_3G, NULL, hex_2G, hex_G,},
+		{"[3]G - G", OP_SUB, hex_2G, NULL, hex_3G, hex_G,},
+		{"-G", OP_NEG, hex_negG, NULL, hex_G, NULL,},
+		{"[10]G", OP_MUL, hex_10G, hex_10, hex_G, NULL,},
+		{"[b]G", OP_MUL, hex_bG, hex_b, hex_G, NULL,},
+	};
+
+	size_t i;
+
+	SM2_Z256_POINT P;
+	SM2_Z256_POINT R;
+	uint64_t k[4];
+	SM2_Z256_POINT A;
+	SM2_Z256_POINT B;
+
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+
+		sm2_z256_point_from_hex(&R, tests[i].R);
+		if (tests[i].k) {
+			sm2_z256_from_hex(k, tests[i].k);
+		}
+
+		sm2_z256_point_from_hex(&A, tests[i].A);
+		if (tests[i].B) {
+			sm2_z256_point_from_hex(&B, tests[i].B);
+		}
+
+		switch (tests[i].op) {
+		case OP_ADD:
+			sm2_z256_point_add(&P, &A, &B);
+			break;
+		case OP_DBL:
+			sm2_z256_point_dbl(&P, &A);
+			break;
+		case OP_SUB:
+			sm2_z256_point_sub(&P, &A, &B);
+			break;
+		case OP_NEG:
+			sm2_z256_point_neg(&P, &A);
+			break;
+		case OP_MUL:
+			sm2_z256_point_mul(&P, k, &A);
+			break;
+		default:
+			error_print();
+			return -1;
+		}
+
+			fprintf(stderr, "%s\n", tests[i].label);
+			sm2_z256_point_print(stderr, 0, 4, "R", &P);
+			fprintf(stderr, "   R: %s\n", tests[i].R);
+			fprintf(stderr, "   k: %s\n", tests[i].k);
+			fprintf(stderr, "   A: %s\n", tests[i].A);
+			fprintf(stderr, "   B: %s\n", tests[i].B);
+
+		if (sm2_z256_point_equ_hex(&P, tests[i].R) != 1) {
+
+			error_print();
+			return -1;
+		}
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
 static int test_sm2_z256_point_mul_generator(void)
 {
 	struct {
@@ -340,7 +545,6 @@ static int test_sm2_z256_point_mul_generator(void)
 		"DDF092555409C19DFDBE86A75C139906A80198337744EE78CD27E384D9FCAF15"
 		"847D18FFB38E87065CD6B6E9C12D2922037937707D6A49A2223B949657E52BC1",
 		},
-		// k = G.x
 		{
 		"[x]G",
 		"32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7",
@@ -414,6 +618,9 @@ int main(void)
 {
 	if (test_sm2_z256_modp() != 1) goto err;
 	if (test_sm2_z256_modn() != 1) goto err;
+	if (test_sm2_z256_point_is_on_curve() != 1) goto err;
+	if (test_sm2_z256_point_get_xy() != 1) goto err;
+	if (test_sm2_z256_point_ops() != 1) goto err;
 	if (test_sm2_z256_point_mul_generator() != 1) goto err;
 	printf("%s all tests passed\n", __FILE__);
 	return 0;

tests/sm2test.c

@@ -1,4 +1,4 @@
-/*
+/*
  *  Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
  *
  *  Licensed under the Apache License, Version 2.0 (the License); you may
@@ -444,267 +444,8 @@ static int test_sm2_point_from_x(void)
 	return 1;
 }
 
-static int test_sm2_signature(void)
-{
-	SM2_SIGNATURE sig;
-	uint8_t buf[512];
-	uint8_t *p = buf;
-	const uint8_t *cp = buf;
-	size_t len = 0;
-
-	// MinLen
-	memset(&sig, 0x00, sizeof(sig));
-	cp = p = buf; len = 0;
-	if (sm2_signature_to_der(&sig, &p, &len) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "SM2_MIN_SIGNATURE_SIZE: %zu\n", len);
-	format_bytes(stderr, 0, 4, "", buf, len);
-	sm2_signature_print(stderr, 0, 4, "signature", buf, len);
-	if (len != SM2_MIN_SIGNATURE_SIZE) {
-		error_print();
-		return -1;
-	}
-	if (sm2_signature_from_der(&sig, &cp, &len) != 1
-		|| asn1_length_is_zero(len) != 1) {
-		error_print();
-		return -1;
-	}
 
 
-	// MaxLen
-	memset(&sig, 0x80, sizeof(sig));
-	cp = p = buf; len = 0;
-	if (sm2_signature_to_der(&sig, &p, &len) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "SM2_MAX_SIGNATURE_SIZE: %zu\n", len);
-	format_bytes(stderr, 0, 4, "", buf, len);
-	sm2_signature_print(stderr, 0, 4, "signature", buf, len);
-	if (len != SM2_MAX_SIGNATURE_SIZE) {
-		error_print();
-		return -1;
-	}
-	if (sm2_signature_from_der(&sig, &cp, &len) != 1
-		|| asn1_length_is_zero(len) != 1) {
-		error_print();
-		return -1;
-	}
-
-
-	printf("%s() ok\n", __FUNCTION__);
-	return 1;
-}
-
-static int test_sm2_sign(void)
-{
-	int ret;
-	SM2_KEY sm2_key;
-	SM2_SIGN_CTX sign_ctx;
-	uint8_t msg[] = "Hello World!";
-	uint8_t sig[SM2_MAX_SIGNATURE_SIZE] = {0};
-	size_t siglen;
-
-	if (sm2_key_generate(&sm2_key) != 1) {
-		error_print();
-		return -1;
-	}
-	sm2_key_print(stderr, 0, 4, "SM2_KEY", &sm2_key);
-
-	if (sm2_sign_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
-		|| sm2_sign_update(&sign_ctx, msg, sizeof(msg)) != 1
-		|| sm2_sign_finish(&sign_ctx, sig, &siglen) != 1) {
-		error_print();
-		return -1;
-	}
-	format_bytes(stderr, 0, 4, "signature", sig, siglen);
-	sm2_signature_print(stderr, 0, 4, "signature", sig, siglen);
-
-	if (sm2_verify_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1
-		|| sm2_verify_update(&sign_ctx, msg, sizeof(msg)) != 1
-		|| (ret = sm2_verify_finish(&sign_ctx, sig, siglen)) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "verification: %s\n", ret ? "success" : "failed");
-
-
-	// FIXME: 还应该增加验证不通过的测试
-	// 还应该增加底层的参数
-	printf("%s() ok\n", __FUNCTION__);
-	return 1;
-}
-
-// 由于当前Ciphertext中椭圆曲线点数据不正确，因此无法通过测试
-static int test_sm2_ciphertext(void)
-{
-	SM2_CIPHERTEXT C;
-	uint8_t buf[1024];
-	uint8_t *p = buf;
-	const uint8_t *cp = buf;
-	size_t len = 0;
-
-	memset(&C, 0, sizeof(SM2_CIPHERTEXT));
-
-	cp = p = buf; len = 0;
-	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "SM2_NULL_CIPHERTEXT_SIZE: %zu\n", len);
-	format_bytes(stderr, 0, 4, "", buf, len);
-
-
-	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
-		|| asn1_length_is_zero(len) != 1) {
-		error_print();
-		return -1;
-	}
-
-
-	// {0, 0, Hash, MinLen}
-	C.ciphertext_size = SM2_MIN_PLAINTEXT_SIZE;
-	cp = p = buf; len = 0;
-	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "SM2_MIN_PLAINTEXT_SIZE: %zu\n", SM2_MIN_PLAINTEXT_SIZE);
-	format_print(stderr, 0, 4, "SM2_MIN_CIPHERTEXT_SIZE: %zu\n", len);
-	format_bytes(stderr, 0, 4, "", buf, len);
-	if (len != SM2_MIN_CIPHERTEXT_SIZE) {
-		error_print();
-		return -1;
-	}
-	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
-		|| asn1_length_is_zero(len) != 1) {
-		error_print();
-		return -1;
-	}
-
-	// { 33, 33, Hash, NULL }
-	memset(&C, 0x80, sizeof(SM2_POINT));
-	cp = p = buf; len = 0;
-	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "ciphertext len: %zu\n", len);
-	format_bytes(stderr, 0, 4, "", buf, len);
-	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
-		|| asn1_length_is_zero(len) != 1) {
-		error_print();
-		return -1;
-	}
-
-	// { 33, 33, Hash, MaxLen }
-	C.ciphertext_size = SM2_MAX_PLAINTEXT_SIZE;//SM2_MAX_PLAINTEXT_SIZE;
-	cp = p = buf; len = 0;
-	if (sm2_ciphertext_to_der(&C, &p, &len) != 1) {
-		error_print();
-		return -1;
-	}
-	format_print(stderr, 0, 4, "SM2_MAX_PLAINTEXT_SIZE: %zu\n", SM2_MAX_PLAINTEXT_SIZE);
-	format_print(stderr, 0, 4, "SM2_MAX_CIPHERTEXT_SIZE: %zu\n", len);
-	format_bytes(stderr, 0, 4, "", buf, len);
-	if (len != SM2_MAX_CIPHERTEXT_SIZE) {
-		error_print();
-		return -1;
-	}
-	if (sm2_ciphertext_from_der(&C, &cp, &len) != 1
-		|| asn1_length_is_zero(len) != 1) {
-		error_print();
-		return -1;
-	}
-
-	printf("%s() ok\n", __FUNCTION__);
-	return 1;
-}
-
-
-static int test_sm2_do_encrypt(void)
-{
-	SM2_KEY sm2_key;
-	uint8_t plaintext[] = "Hello World!";
-	SM2_CIPHERTEXT ciphertext;
-
-	uint8_t plainbuf[SM2_MAX_PLAINTEXT_SIZE] = {0};
-	size_t plainlen = 0;
-	int r = 0;
-
-	if (sm2_key_generate(&sm2_key) != 1) {
-		error_print();
-		return -1;
-	}
-
-	if (sm2_do_encrypt(&sm2_key, plaintext, sizeof(plaintext), &ciphertext) != 1
-		|| sm2_do_decrypt(&sm2_key, &ciphertext, plainbuf, &plainlen) != 1) {
-		error_print();
-		return -1;
-	}
-
-	if (plainlen != sizeof(plaintext)
-		|| memcmp(plainbuf, plaintext, sizeof(plaintext)) != 0) {
-		error_print();
-		return -1;
-	}
-
-	printf("%s() ok\n", __FUNCTION__);
-	return 1;
-}
-
-
-static int test_sm2_encrypt(void)
-{
-	SM2_KEY sm2_key;
-	uint8_t msg[SM2_MAX_PLAINTEXT_SIZE];
-	uint8_t cbuf[SM2_MAX_CIPHERTEXT_SIZE+100];
-	uint8_t mbuf[SM2_MAX_CIPHERTEXT_SIZE];
-	size_t lens[] = {
-//		0,
-		1,
-		16,
-		SM2_MAX_PLAINTEXT_SIZE,
-	};
-	size_t clen, mlen;
-	int i;
-
-	if (sm2_key_generate(&sm2_key) != 1) {
-		error_print();
-		return -1;
-	}
-
-	for (i = 0; i < sizeof(msg); i++) {
-		msg[i] = (uint8_t)i;
-	}
-
-	for (i = 0; i < sizeof(lens)/sizeof(lens[0]); i++) {
-		format_print(stderr, 0, 0, "test %d\n", i + 1);
-		format_bytes(stderr, 0, 4, "plaintext", msg, lens[i]);
-		if (sm2_encrypt(&sm2_key, msg, lens[i], cbuf, &clen) != 1) {
-			error_print();
-			return -1;
-		}
-		format_bytes(stderr, 0, 4, "ciphertext", cbuf, clen);
-		sm2_ciphertext_print(stderr, 0, 4, "Ciphertext", cbuf, clen);
-		format_print(stderr, 0, 0, "\n");
-
-		if (sm2_decrypt(&sm2_key, cbuf, clen, mbuf, &mlen) != 1) {
-			error_print();
-			return -1;
-		}
-		if (mlen != lens[i]
-			|| memcmp(mbuf, msg, lens[i]) != 0) {
-			error_print();
-			return -1;
-		}
-	}
-
-	printf("%s() ok\n", __FUNCTION__);
-	return 1;
-}
 
 
 
@@ -873,11 +614,6 @@ int main(void)
 	if (test_sm2_private_key() != 1) goto err;
 	if (test_sm2_private_key_info() != 1) goto err;
 	if (test_sm2_enced_private_key_info() != 1) goto err;
-	if (test_sm2_signature() != 1) goto err;
-	if (test_sm2_sign() != 1) goto err;
-	//if (test_sm2_ciphertext() != 1) goto err; // 需要正确的Ciphertext数据
-	if (test_sm2_do_encrypt() != 1) goto err;
-	if (test_sm2_encrypt() != 1) goto err;
 	printf("%s all tests passed\n", __FILE__);
 	return 0;
 err: