diff --git a/CMakeLists.txt b/CMakeLists.txt index d6eac538..8318180a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -20,7 +20,7 @@ set(src src/sm3_digest.c src/sm2_alg.c src/sm2_key.c - src/sm2_sign.c + src/sm2_z256_sign.c src/sm2_lib.c src/sm2_ctx.c src/sm9_alg.c @@ -123,6 +123,8 @@ set(tests sm4 sm3 sm2 + sm2_sign + sm2_enc sm9 zuc hash_drbg diff --git a/include/gmssl/sm2.h b/include/gmssl/sm2.h index fbc84c78..6edd229b 100644 --- a/include/gmssl/sm2.h +++ b/include/gmssl/sm2.h @@ -356,6 +356,9 @@ _gmssl_export int sm2_decrypt_init(SM2_ENC_CTX *ctx, const SM2_KEY *sm2_key); _gmssl_export int sm2_decrypt_update(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen); _gmssl_export int sm2_decrypt_finish(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen); +const uint64_t *sm2_bn_prime(void); +const uint64_t *sm2_bn_order(void); +const uint64_t *sm2_bn_one(void); #ifdef __cplusplus } diff --git a/include/gmssl/sm2_z256.h b/include/gmssl/sm2_z256.h index 1d5a0aa3..5d6e25ed 100644 --- a/include/gmssl/sm2_z256.h +++ b/include/gmssl/sm2_z256.h @@ -22,11 +22,13 @@ extern "C" { typedef uint64_t SM2_Z256[4]; +int sm2_z256_rand_range(uint64_t r[4], const uint64_t range[4]); void sm2_z256_copy(uint64_t r[4], const uint64_t a[4]); void sm2_z256_copy_conditional(uint64_t dst[4], const uint64_t src[4], uint64_t move); void sm2_z256_from_bytes(uint64_t r[4], const uint8_t in[32]); void sm2_z256_to_bytes(const uint64_t a[4], uint8_t out[32]); int sm2_z256_cmp(const uint64_t a[4], const uint64_t b[4]); +uint64_t sm2_z256_is_zero(const uint64_t a[4]); uint64_t sm2_z256_equ(const uint64_t a[4], const uint64_t b[4]); uint64_t sm2_z256_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]); uint64_t sm2_z256_sub(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]); @@ -34,6 +36,7 @@ void sm2_z256_mul(uint64_t r[8], const uint64_t a[4], const uint64_t b[4]); uint64_t sm2_z512_add(uint64_t r[8], const uint64_t a[8], const uint64_t b[8]); int sm2_z256_get_booth(const uint64_t a[4], unsigned int window_size, int i); void sm2_z256_from_hex(uint64_t r[4], const char *hex); +int sm2_z256_equ_hex(const uint64_t a[4], const char *hex); int sm2_z256_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[4]); int sm2_z512_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[8]); @@ -52,9 +55,14 @@ void sm2_z256_modp_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e void sm2_z256_modp_mont_inv(uint64_t r[4], const uint64_t a[4]); int sm2_z256_modp_mont_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[4]); +int sm2_z256_modn_rand(uint64_t r[4]); void sm2_z256_modn_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]); void sm2_z256_modn_sub(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]); void sm2_z256_modn_neg(uint64_t r[4], const uint64_t a[4]); +void sm2_z256_modn_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]); +void sm2_z256_modn_sqr(uint64_t r[4], const uint64_t a[4]); +void sm2_z256_modn_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4]); +void sm2_z256_modn_inv(uint64_t r[4], const uint64_t a[4]); void sm2_z256_modn_to_mont(const uint64_t a[4], uint64_t r[4]); void sm2_z256_modn_from_mont(uint64_t r[4], const uint64_t a[4]); @@ -71,7 +79,13 @@ typedef struct { uint64_t Z[4]; } SM2_Z256_POINT; +void sm2_z256_point_from_bytes(SM2_Z256_POINT *P, const uint8_t in[64]); void sm2_z256_point_to_bytes(const SM2_Z256_POINT *P, uint8_t out[64]); + +int sm2_z256_point_is_at_infinity(const SM2_Z256_POINT *P); +int sm2_z256_point_is_on_curve(const SM2_Z256_POINT *P); +void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4]); + void sm2_z256_point_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *A); void sm2_z256_point_add(SM2_Z256_POINT *r, const SM2_Z256_POINT *a, const SM2_Z256_POINT *b); void sm2_z256_point_neg(SM2_Z256_POINT *R, const SM2_Z256_POINT *P); @@ -91,9 +105,16 @@ void sm2_z256_point_sub_affine(SM2_Z256_POINT *R, const SM2_Z256_POINT *A, const int sm2_z256_point_affine_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT_AFFINE *P); void sm2_z256_point_mul_generator(SM2_Z256_POINT *R, const uint64_t k[4]); -void sm2_z256_point_mul(SM2_Z256_POINT *R, const SM2_Z256_POINT *P, const uint64_t k[4]); +void sm2_z256_point_mul(SM2_Z256_POINT *R, const uint64_t k[4], const SM2_Z256_POINT *P); void sm2_z256_point_mul_sum(SM2_Z256_POINT *R, const uint64_t t[4], const SM2_Z256_POINT *P, const uint64_t s[4]); +const uint64_t *sm2_z256_prime(void); +const uint64_t *sm2_z256_order(void); +const uint64_t *sm2_z256_one(void); + +void sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex); +int sm2_z256_point_equ_hex(const SM2_Z256_POINT *P, const char *hex); + #ifdef __cplusplus } diff --git a/src/sm2_alg.c b/src/sm2_alg.c index 5aa247a0..15681ead 100644 --- a/src/sm2_alg.c +++ b/src/sm2_alg.c @@ -1343,3 +1343,17 @@ int sm2_point_from_hash(SM2_POINT *R, const uint8_t *data, size_t datalen) return 1; } +const uint64_t *sm2_bn_prime(void) { + return &SM2_P[0]; +} + +const uint64_t *sm2_bn_order(void) { + return &SM2_N[0]; +} + +const uint64_t *sm2_bn_one(void) { + return &SM2_ONE[0]; +} + + + diff --git a/src/sm2_sign.c b/src/sm2_sign.c index 909586d6..ddf4993d 100644 --- a/src/sm2_sign.c +++ b/src/sm2_sign.c @@ -19,9 +19,6 @@ #include -extern const SM2_BN SM2_N; -extern const SM2_BN SM2_ONE; - int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig) { SM2_JACOBIAN_POINT _P, *P = &_P; @@ -34,11 +31,14 @@ int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig) SM2_BN r; SM2_BN s; + const uint64_t *one = sm2_bn_one(); + const uint64_t *order = sm2_bn_order(); + //fprintf(stderr, "sm2_do_sign\n"); sm2_bn_from_bytes(d, key->private_key); // compute (d + 1)^-1 (mod n) - sm2_fn_add(d_inv, d, SM2_ONE); //sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv); + sm2_fn_add(d_inv, d, one); //sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv); if (sm2_bn_is_zero(d_inv)) { error_print(); return -1; @@ -63,17 +63,17 @@ retry: //sm2_bn_print(stderr, 0, 4, "x", x); // r = e + x (mod n) - if (sm2_bn_cmp(e, SM2_N) >= 0) { - sm2_bn_sub(e, e, SM2_N); + if (sm2_bn_cmp(e, order) >= 0) { + sm2_bn_sub(e, e, order); } - if (sm2_bn_cmp(x, SM2_N) >= 0) { - sm2_bn_sub(x, x, SM2_N); + if (sm2_bn_cmp(x, order) >= 0) { + sm2_bn_sub(x, x, order); } sm2_fn_add(r, e, x); //sm2_bn_print(stderr, 0, 4, "r = e + x (mod n)", r); // if r == 0 or r + k == n re-generate k sm2_bn_add(t, r, k); - if (sm2_bn_is_zero(r) || sm2_bn_cmp(t, SM2_N) == 0) { + if (sm2_bn_is_zero(r) || sm2_bn_cmp(t, order) == 0) { //sm2_bn_print(stderr, 0, 4, "r + k", t); goto retry; } @@ -113,10 +113,12 @@ int sm2_do_sign_fast(const SM2_Fn d, const uint8_t dgst[32], SM2_SIGNATURE *sig) SM2_BN r; SM2_BN s; + const uint64_t *order = sm2_bn_order(); + // e = H(M) sm2_bn_from_bytes(e, dgst); - if (sm2_bn_cmp(e, SM2_N) >= 0) { - sm2_bn_sub(e, e, SM2_N); + if (sm2_bn_cmp(e, order) >= 0) { + sm2_bn_sub(e, e, order); } // rand k in [1, n - 1] @@ -154,6 +156,8 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR SM2_BN x; SM2_BN t; + const uint64_t *order = sm2_bn_order(); + // parse public key sm2_jacobian_point_from_bytes(P, (const uint8_t *)&key->public_key); //sm2_jacobian_point_print(stderr, 0, 4, "P", P); @@ -164,9 +168,9 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR // check r, s in [1, n-1] if (sm2_bn_is_zero(r) == 1 - || sm2_bn_cmp(r, SM2_N) >= 0 + || sm2_bn_cmp(r, order) >= 0 || sm2_bn_is_zero(s) == 1 - || sm2_bn_cmp(s, SM2_N) >= 0) { + || sm2_bn_cmp(s, order) >= 0) { error_print(); return -1; } @@ -187,11 +191,11 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR //sm2_bn_print(stderr, 0, 4, "x", x); // r' = e + x (mod n) - if (sm2_bn_cmp(e, SM2_N) >= 0) { - sm2_bn_sub(e, e, SM2_N); + if (sm2_bn_cmp(e, order) >= 0) { + sm2_bn_sub(e, e, order); } - if (sm2_bn_cmp(x, SM2_N) >= 0) { - sm2_bn_sub(x, x, SM2_N); + if (sm2_bn_cmp(x, order) >= 0) { + sm2_bn_sub(x, x, order); } sm2_fn_add(e, e, x); //sm2_bn_print(stderr, 0, 4, "e + x (mod n)", e); diff --git a/src/sm2_z256.c b/src/sm2_z256.c index 042d9eaf..dd2ae29d 100644 --- a/src/sm2_z256.c +++ b/src/sm2_z256.c @@ -49,6 +49,7 @@ #include #include #include +#include #include #include @@ -66,6 +67,23 @@ h = 0x1 const uint64_t SM2_Z256_ONE[4] = { 1,0,0,0 }; +const uint64_t *sm2_z256_one(void) { + return &SM2_Z256_ONE[0]; +} + + + +int sm2_z256_rand_range(uint64_t r[4], const uint64_t range[4]) +{ + do { + if (rand_bytes((uint8_t *)r, 32) != 1) { + error_print(); + return -1; + } + } while (sm2_z256_cmp(r, range) >= 0); + return 1; +} + void sm2_z256_from_bytes(uint64_t r[4], const uint8_t in[32]) { r[3] = GETU64(in); @@ -134,6 +152,15 @@ int sm2_z256_cmp(const uint64_t a[4], const uint64_t b[4]) return 0; } +uint64_t sm2_z256_is_zero(const uint64_t a[4]) +{ + return + is_zero(a[0]) & + is_zero(a[1]) & + is_zero(a[2]) & + is_zero(a[3]); +} + uint64_t sm2_z256_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) { uint64_t t, c = 0; @@ -292,6 +319,18 @@ void sm2_z256_from_hex(uint64_t r[4], const char *hex) sm2_z256_from_bytes(r, bytes); } +int sm2_z256_equ_hex(const uint64_t a[4], const char *hex) +{ + uint64_t b[4]; + sm2_z256_from_hex(b, hex); + if (sm2_z256_cmp(a, b) == 0) { + return 1; + } else { + return 0; + } +} + + int sm2_z256_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t a[4]) { format_print(fp, ind, fmt, "%s: %016llx%016llx%016llx%016llx\n", label, a[3], a[2], a[1], a[0]); @@ -313,6 +352,11 @@ const uint64_t SM2_Z256_P[4] = { 0xffffffffffffffff, 0xffffffff00000000, 0xffffffffffffffff, 0xfffffffeffffffff, }; +const uint64_t *sm2_z256_prime(void) { + return &SM2_Z256_P[0]; +} + + // 2^256 - p = 2^224 + 2^96 - 2^64 + 1 const uint64_t SM2_Z256_NEG_P[4] = { 1, ((uint64_t)1 << 32) - 1, 0, ((uint64_t)1 << 32), @@ -582,6 +626,15 @@ const uint64_t SM2_Z256_NEG_N[4] = { 0xac440bf6c62abedd, 0x8dfc2094de39fad4, 0x0000000000000000, 0x0000000100000000, }; +int sm2_z256_modn_rand(uint64_t r[4]) +{ + if (sm2_z256_rand_range(r, SM2_Z256_N) != 1) { + error_print(); + return -1; + } + return 1; +} + void sm2_z256_modn_add(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) { uint64_t c; @@ -623,6 +676,11 @@ const uint64_t SM2_Z256_N_PRIME[4] = { 0x327f9e8872350975, 0xdf1e8d34fc8319a5, 0x2b0068d3b08941d4, 0x6f39132f82e4c7bc, }; +const uint64_t *sm2_z256_order(void) { + return &SM2_Z256_N[0]; +} + + // mont(1) (mod n) = 2^256 - n const uint64_t *SM2_Z256_MODN_MONT_ONE = SM2_Z256_NEG_N; @@ -665,11 +723,31 @@ void sm2_z256_modn_mont_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b } } +void sm2_z256_modn_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) +{ + uint64_t mont_a[4]; + uint64_t mont_b[4]; + + sm2_z256_modn_to_mont(a, mont_a); + sm2_z256_modn_to_mont(b, mont_b); + sm2_z256_modn_mont_mul(r, mont_a, mont_b); + sm2_z256_modn_from_mont(r, r); +} + void sm2_z256_modn_mont_sqr(uint64_t r[4], const uint64_t a[4]) { sm2_z256_modn_mont_mul(r, a, a); } +void sm2_z256_modn_sqr(uint64_t r[4], const uint64_t a[4]) +{ + uint64_t mont_a[4]; + + sm2_z256_modn_to_mont(a, mont_a); + sm2_z256_modn_mont_sqr(r, mont_a); + sm2_z256_modn_from_mont(r, r); +} + void sm2_z256_modn_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4]) { uint64_t t[4]; @@ -693,6 +771,15 @@ void sm2_z256_modn_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e sm2_z256_copy(r, t); } +void sm2_z256_modn_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4]) +{ + uint64_t mont_a[4]; + + sm2_z256_modn_to_mont(a, mont_a); + sm2_z256_modn_mont_exp(r, mont_a, e); + sm2_z256_modn_from_mont(r, r); +} + // n - 2 = 0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54121 const uint64_t SM2_Z256_N_MINUS_TWO[4] = { 0x53bbf40939d54121, 0x7203df6b21c6052b, 0xffffffffffffffff, 0xfffffffeffffffff, @@ -703,6 +790,15 @@ void sm2_z256_modn_mont_inv(uint64_t r[4], const uint64_t a[4]) sm2_z256_modn_mont_exp(r, a, SM2_Z256_N_MINUS_TWO); } +void sm2_z256_modn_inv(uint64_t r[4], const uint64_t a[4]) +{ + uint64_t mont_a[4]; + + sm2_z256_modn_to_mont(a, mont_a); + sm2_z256_modn_mont_inv(r, mont_a); + sm2_z256_modn_from_mont(r, r); +} + // mont(mont(a), 1) = aR * 1 * R^-1 (mod n) = a (mod p) void sm2_z256_modn_from_mont(uint64_t r[4], const uint64_t a[4]) { @@ -732,6 +828,85 @@ int sm2_z256_modn_mont_print(FILE *fp, int ind, int fmt, const char *label, cons // Jacobian Point with Montgomery coordinates + +// 这里还应该检查X == Y == mont(1) +int sm2_z256_point_is_at_infinity(const SM2_Z256_POINT *P) +{ + if (sm2_z256_is_zero(P->Z)) { + return 1; + } else { + return 0; + } +} + +// mont(b), b = 0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93 +const uint64_t SM2_Z256_MODP_MONT_B[4] = { + 0x90d230632bc0dd42, 0x71cf379ae9b537ab, 0x527981505ea51c3c, 0x240fe188ba20e2c8, +}; + +int sm2_z256_point_is_on_curve(const SM2_Z256_POINT *P) +{ + uint64_t t0[4]; + uint64_t t1[4]; + uint64_t t2[4]; + + if (sm2_z256_cmp(P->Z, SM2_Z256_MODP_MONT_ONE) == 0) { + // if Z == 1, check y^2 + 3*x == x^3 + b + sm2_z256_modp_mont_sqr(t0, P->Y); + sm2_z256_modp_add(t0, t0, P->X); + sm2_z256_modp_add(t0, t0, P->X); + sm2_z256_modp_add(t0, t0, P->X); + sm2_z256_modp_mont_sqr(t1, P->X); + sm2_z256_modp_mont_mul(t1, t1, P->X); + sm2_z256_modp_add(t1, t1, SM2_Z256_MODP_MONT_B); + } else { + // check Y^2 + 3 * X * Z^4 == X^3 + b * Z^6 + // if Z == 0, Y^2 == X^3, i.e. Y == X is checked + sm2_z256_modp_mont_sqr(t0, P->Y); + sm2_z256_modp_mont_sqr(t1, P->Z); + sm2_z256_modp_mont_sqr(t2, t1); + sm2_z256_modp_mont_mul(t1, t1, t2); + sm2_z256_modp_mont_mul(t1, t1, SM2_Z256_MODP_MONT_B); + sm2_z256_modp_mont_mul(t2, t2, P->X); + sm2_z256_modp_add(t0, t0, t2); + sm2_z256_modp_add(t0, t0, t2); + sm2_z256_modp_add(t0, t0, t2); + sm2_z256_modp_mont_sqr(t2, P->X); + sm2_z256_modp_mont_mul(t2, t2, P->X); + sm2_z256_modp_add(t1, t1, t2); + } + + if (sm2_z256_cmp(t0, t1) != 0) { + error_print(); + return -1; + } + return 1; +} + +// 当Z == 0时会怎么样 +void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4]) +{ + if (sm2_z256_cmp(P->Z, SM2_Z256_MODP_MONT_ONE) == 0) { + sm2_z256_modp_from_mont(x, P->X); + if (y) { + sm2_z256_modp_from_mont(y, P->Y); + } + } else { + uint64_t z_inv[4]; + sm2_z256_modp_mont_inv(z_inv, P->Z); + if (y) { + sm2_z256_modp_mont_mul(y, P->Y, z_inv); + } + sm2_z256_modp_mont_sqr(z_inv, z_inv); + sm2_z256_modp_mont_mul(x, P->X, z_inv); + sm2_z256_modp_from_mont(x, x); + if (y) { + sm2_z256_modp_mont_mul(y, y, z_inv); + sm2_z256_modp_from_mont(y, y); + } + } +} + void sm2_z256_point_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *A) { const uint64_t *X1 = A->X; @@ -918,6 +1093,7 @@ void sm2_z256_point_neg(SM2_Z256_POINT *R, const SM2_Z256_POINT *P) sm2_z256_copy(R->Z, P->Z); } +// point_mul 中用到 void sm2_z256_point_sub(SM2_Z256_POINT *R, const SM2_Z256_POINT *A, const SM2_Z256_POINT *B) { SM2_Z256_POINT neg_B; @@ -925,34 +1101,76 @@ void sm2_z256_point_sub(SM2_Z256_POINT *R, const SM2_Z256_POINT *A, const SM2_Z2 sm2_z256_point_add(R, A, &neg_B); } -void sm2_z256_point_get_affine(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4]) +void sm2_z256_point_mul(SM2_Z256_POINT *R, const uint64_t k[4], const SM2_Z256_POINT *P) { - uint64_t z_inv[4]; - uint64_t x_out[4]; - uint64_t y_out[4]; + int window_size = 5; + SM2_Z256_POINT T[16]; + int R_infinity = 1; + int n = (256 + window_size - 1)/window_size; + int i; - // z_inv = 1/Z - sm2_z256_modp_mont_inv(z_inv, P->Z); + // T[i] = (i + 1) * P + memcpy(&T[0], P, sizeof(SM2_Z256_POINT)); + sm2_z256_point_dbl(&T[ 1], &T[ 0]); + sm2_z256_point_add(&T[ 2], &T[ 1], P); + sm2_z256_point_dbl(&T[ 3], &T[ 1]); + sm2_z256_point_add(&T[ 4], &T[ 3], P); + sm2_z256_point_dbl(&T[ 5], &T[ 2]); + sm2_z256_point_add(&T[ 6], &T[ 5], P); + sm2_z256_point_dbl(&T[ 7], &T[ 3]); + sm2_z256_point_add(&T[ 8], &T[ 7], P); + sm2_z256_point_dbl(&T[ 9], &T[ 4]); + sm2_z256_point_add(&T[10], &T[ 9], P); + sm2_z256_point_dbl(&T[11], &T[ 5]); + sm2_z256_point_add(&T[12], &T[11], P); + sm2_z256_point_dbl(&T[13], &T[ 6]); + sm2_z256_point_add(&T[14], &T[13], P); + sm2_z256_point_dbl(&T[15], &T[ 7]); - // y_out = Y/Z - if (y) { - sm2_z256_modp_mont_mul(y_out, P->Y, z_inv); + for (i = n - 1; i >= 0; i--) { + int booth = sm2_z256_get_booth(k, window_size, i); + + if (R_infinity) { + if (booth != 0) { + *R = T[booth - 1]; + R_infinity = 0; + } + } else { + sm2_z256_point_dbl(R, R); + sm2_z256_point_dbl(R, R); + sm2_z256_point_dbl(R, R); + sm2_z256_point_dbl(R, R); + sm2_z256_point_dbl(R, R); + + if (booth > 0) { + sm2_z256_point_add(R, R, &T[booth - 1]); + } else if (booth < 0) { + sm2_z256_point_sub(R, R, &T[-booth - 1]); + } + } } - // z_inv = 1/Z^2 - sm2_z256_modp_mont_sqr(z_inv, z_inv); - - // x_out = X/Z^2 - sm2_z256_modp_mont_mul(x_out, P->X, z_inv); - sm2_z256_modp_from_mont(x, x_out); - - if (y) { - // y_out = Y/Z^3 - sm2_z256_modp_mont_mul(y_out, y_out, z_inv); - sm2_z256_modp_from_mont(y, y_out); + if (R_infinity) { + memset(R, 0, sizeof(*R)); } } +// 这个函数对吗?这个似乎是不对的 +int sm2_z256_point_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT *P) +{ + uint64_t x[4]; + uint64_t y[4]; + uint8_t affine[64]; + + sm2_z256_point_get_xy(P, x, y); + sm2_z256_to_bytes(x, affine); + sm2_z256_to_bytes(y, affine + 32); + + format_bytes(fp, fmt, ind, label, affine, 64); + return 1; +} + + void sm2_z256_point_copy_affine(SM2_Z256_POINT *R, const SM2_Z256_POINT_AFFINE *P) { memcpy(R, P, sizeof(SM2_Z256_POINT_AFFINE)); @@ -1051,20 +1269,6 @@ void sm2_z256_point_sub_affine(SM2_Z256_POINT *R, sm2_z256_point_add_affine(R, A, &neg_B); } -int sm2_z256_point_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT *P) -{ - uint64_t x[4]; - uint64_t y[4]; - uint8_t affine[64]; - - sm2_z256_point_get_affine(P, x, y); - sm2_z256_to_bytes(x, affine); - sm2_z256_to_bytes(y, affine + 32); - - format_bytes(fp, fmt, ind, label, affine, 64); - return 1; -} - int sm2_z256_point_affine_print(FILE *fp, int fmt, int ind, const char *label, const SM2_Z256_POINT_AFFINE *P) { uint8_t affine[64]; @@ -1112,75 +1316,71 @@ void sm2_z256_point_mul_generator(SM2_Z256_POINT *R, const uint64_t k[4]) } } -void sm2_z256_point_mul(SM2_Z256_POINT *R, const SM2_Z256_POINT *P, const uint64_t k[4]) -{ - int window_size = 5; - SM2_Z256_POINT T[16]; - int R_infinity = 1; - int n = (256 + window_size - 1)/window_size; - int i; - // T[i] = (i + 1) * P - memcpy(&T[0], P, sizeof(SM2_Z256_POINT)); - sm2_z256_point_dbl(&T[ 1], &T[ 0]); - sm2_z256_point_add(&T[ 2], &T[ 1], P); - sm2_z256_point_dbl(&T[ 3], &T[ 1]); - sm2_z256_point_add(&T[ 4], &T[ 3], P); - sm2_z256_point_dbl(&T[ 5], &T[ 2]); - sm2_z256_point_add(&T[ 6], &T[ 5], P); - sm2_z256_point_dbl(&T[ 7], &T[ 3]); - sm2_z256_point_add(&T[ 8], &T[ 7], P); - sm2_z256_point_dbl(&T[ 9], &T[ 4]); - sm2_z256_point_add(&T[10], &T[ 9], P); - sm2_z256_point_dbl(&T[11], &T[ 5]); - sm2_z256_point_add(&T[12], &T[11], P); - sm2_z256_point_dbl(&T[13], &T[ 6]); - sm2_z256_point_add(&T[14], &T[13], P); - sm2_z256_point_dbl(&T[15], &T[ 7]); - for (i = n - 1; i >= 0; i--) { - int booth = sm2_z256_get_booth(k, window_size, i); - if (R_infinity) { - if (booth != 0) { - *R = T[booth - 1]; - R_infinity = 0; - } - } else { - sm2_z256_point_dbl(R, R); - sm2_z256_point_dbl(R, R); - sm2_z256_point_dbl(R, R); - sm2_z256_point_dbl(R, R); - sm2_z256_point_dbl(R, R); - if (booth > 0) { - sm2_z256_point_add(R, R, &T[booth - 1]); - } else if (booth < 0) { - sm2_z256_point_sub(R, R, &T[-booth - 1]); - } - } - } - if (R_infinity) { - memset(R, 0, sizeof(*R)); - } -} + + + // R = t*P + s*G void sm2_z256_point_mul_sum(SM2_Z256_POINT *R, const uint64_t t[4], const SM2_Z256_POINT *P, const uint64_t s[4]) { SM2_Z256_POINT Q; sm2_z256_point_mul_generator(R, s); - sm2_z256_point_mul(&Q, P, t); + sm2_z256_point_mul(&Q, t, P); sm2_z256_point_add(R, R, &Q); } + +// 这个是否要检查点是否在曲线上? +void sm2_z256_point_from_bytes(SM2_Z256_POINT *P, const uint8_t in[64]) +{ + sm2_z256_from_bytes(P->X, in); + sm2_z256_from_bytes(P->Y, in + 32); + sm2_z256_modp_to_mont(P->X, P->X); + sm2_z256_modp_to_mont(P->Y, P->Y); + sm2_z256_copy(P->Z, SM2_Z256_MODP_MONT_ONE); +} + +void sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex) +{ + uint8_t bytes[64]; + size_t len; + + hex_to_bytes(hex, 128, bytes, &len); + sm2_z256_point_from_bytes(P, bytes); +} + void sm2_z256_point_to_bytes(const SM2_Z256_POINT *P, uint8_t out[64]) { uint64_t x[4]; uint64_t y[4]; - sm2_z256_point_get_affine(P, x, y); + sm2_z256_point_get_xy(P, x, y); sm2_z256_to_bytes(x, out); sm2_z256_to_bytes(y, out + 32); } + + +int sm2_z256_point_equ_hex(const SM2_Z256_POINT *P, const char *hex) +{ + uint8_t P_bytes[64]; + uint8_t hex_bytes[64]; + size_t len; + + sm2_z256_point_to_bytes(P, P_bytes); + hex_to_bytes(hex, 128, hex_bytes, &len); + + if (memcmp(P_bytes, hex_bytes, 64) != 0) { + error_print(); + return 0; + } + return 1; + +} + + + diff --git a/src/sm2_z256_sign.c b/src/sm2_z256_sign.c new file mode 100644 index 00000000..49d1d488 --- /dev/null +++ b/src/sm2_z256_sign.c @@ -0,0 +1,485 @@ +/* + * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the License); you may + * not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + + +typedef SM2_Z256 SM2_U256; + +#define sm2_u256_one() sm2_z256_one() +#define sm2_u256_order() sm2_z256_order() +#define sm2_u256_from_bytes(a,in) sm2_z256_from_bytes(a,in) +#define sm2_u256_to_bytes(a,out) sm2_z256_to_bytes(a,out) +#define sm2_u256_print(fp,fmt,ind,label,a) sm2_z256_print(fp,fmt,ind,label,a) + +#define sm2_u256_is_zero(a) sm2_z256_is_zero(a) +#define sm2_u256_cmp(a,b) sm2_z256_cmp(a,b) +#define sm2_u256_add(r,a,b) sm2_z256_add(r,a,b) +#define sm2_u256_sub(r,a,b) sm2_z256_sub(r,a,b) + +#define sm2_u256_modn_add(r,a,b) sm2_z256_modn_add(r,a,b) +#define sm2_u256_modn_sub(r,a,b) sm2_z256_modn_sub(r,a,b) +#define sm2_u256_modn_mul(r,a,b) sm2_z256_modn_mul(r,a,b) +#define sm2_u256_modn_inv(r,a) sm2_z256_modn_inv(r,a) +#define sm2_u256_modn_rand(r) sm2_z256_modn_rand(r) + + +typedef SM2_Z256_POINT SM2_U256_POINT; + +#define sm2_u256_point_from_bytes(P,in) sm2_z256_point_from_bytes((P),(in)) +#define sm2_u256_point_to_bytes(P,out) sm2_z256_point_to_bytes((P),(out)) +#define sm2_u256_point_is_on_curve(P) sm2_z256_point_is_on_curve(P) +#define sm2_u256_point_mul_generator(R,k) sm2_z256_point_mul_generator((R),(k)) +#define sm2_u256_point_mul(R,k,P) sm2_z256_point_mul((R),(k),(P)) +#define sm2_u256_point_mul_sum(R,t,P,s) sm2_z256_point_mul_sum((R),(t),(P),(s)) +#define sm2_u256_point_get_xy(P,x,y) sm2_z256_point_get_xy((P),(x),(y)) + + + +int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig) +{ + SM2_U256_POINT _P, *P = &_P; + SM2_U256 d; + SM2_U256 d_inv; + SM2_U256 e; + SM2_U256 k; + SM2_U256 x; + SM2_U256 t; + SM2_U256 r; + SM2_U256 s; + + const uint64_t *one = sm2_u256_one(); + const uint64_t *order = sm2_u256_order(); + + sm2_u256_from_bytes(d, key->private_key); + + // compute (d + 1)^-1 (mod n) + sm2_u256_modn_add(d_inv, d, one); //sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv); + if (sm2_u256_is_zero(d_inv)) { + error_print(); + return -1; + } + sm2_u256_modn_inv(d_inv, d_inv); //sm2_bn_print(stderr, 0, 4, "(1+d)^-1", d_inv); + + // e = H(M) + sm2_u256_from_bytes(e, dgst); //sm2_bn_print(stderr, 0, 4, "e", e); + +retry: + // rand k in [1, n - 1] + do { + if (sm2_u256_modn_rand(k) != 1) { + error_print(); + return -1; + } + } while (sm2_u256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k); + + // (x, y) = kG + sm2_u256_point_mul_generator(P, k); + sm2_u256_point_get_xy(P, x, NULL); + //sm2_bn_print(stderr, 0, 4, "x", x); + + + // r = e + x (mod n) + if (sm2_u256_cmp(e, order) >= 0) { + sm2_u256_sub(e, e, order); + } + if (sm2_u256_cmp(x, order) >= 0) { + sm2_u256_sub(x, x, order); + } + sm2_u256_modn_add(r, e, x); //sm2_bn_print(stderr, 0, 4, "r = e + x (mod n)", r); + + // if r == 0 or r + k == n re-generate k + sm2_u256_add(t, r, k); + if (sm2_u256_is_zero(r) || sm2_u256_cmp(t, order) == 0) { + //sm2_bn_print(stderr, 0, 4, "r + k", t); + goto retry; + } + + // s = ((1 + d)^-1 * (k - r * d)) mod n + sm2_u256_modn_mul(t, r, d); //sm2_bn_print(stderr, 0, 4, "r*d", t); + sm2_u256_modn_sub(k, k, t); //sm2_bn_print(stderr, 0, 4, "k-r*d", k); + sm2_u256_modn_mul(s, d_inv, k); //sm2_bn_print(stderr, 0, 4, "s = ((1 + d)^-1 * (k - r * d)) mod n", s); + + // check s != 0 + if (sm2_u256_is_zero(s)) { + goto retry; + } + + sm2_u256_to_bytes(r, sig->r); //sm2_bn_print_bn(stderr, 0, 4, "r", r); + sm2_u256_to_bytes(s, sig->s); //sm2_bn_print_bn(stderr, 0, 4, "s", s); + + gmssl_secure_clear(d, sizeof(d)); + gmssl_secure_clear(d_inv, sizeof(d_inv )); + gmssl_secure_clear(k, sizeof(k)); + gmssl_secure_clear(t, sizeof(t)); + return 1; +} + +// (x1, y1) = k * G +// r = e + x1 +// s = (k - r * d)/(1 + d) = (k +r - r * d - r)/(1 + d) = (k + r - r(1 +d))/(1 + d) = (k + r)/(1 + d) - r +// = -r + (k + r)*(1 + d)^-1 +// = -r + (k + r) * d' + +int sm2_do_sign_fast(const SM2_Fn d, const uint8_t dgst[32], SM2_SIGNATURE *sig) +{ + SM2_U256_POINT R; + SM2_U256 e; + SM2_U256 k; + SM2_U256 x1; + SM2_U256 r; + SM2_U256 s; + + const uint64_t *order = sm2_u256_order(); + + // e = H(M) + sm2_u256_from_bytes(e, dgst); + if (sm2_u256_cmp(e, order) >= 0) { + sm2_u256_sub(e, e, order); + } + + // rand k in [1, n - 1] + do { + if (sm2_u256_modn_rand(k) != 1) { + error_print(); + return -1; + } + } while (sm2_u256_is_zero(k)); + + // (x1, y1) = kG + sm2_u256_point_mul_generator(&R, k); + sm2_u256_point_get_xy(&R, x1, NULL); + + // r = e + x1 (mod n) + sm2_u256_modn_add(r, e, x1); + + // 对于快速实现来说,只需要一次乘法 + + // s = (k + r) * d' - r + sm2_u256_add(s, k, r); + sm2_u256_modn_mul(s, s, d); + sm2_u256_modn_sub(s, s, r); + + sm2_u256_to_bytes(r, sig->r); + sm2_u256_to_bytes(s, sig->s); + return 1; +} + +int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATURE *sig) +{ + SM2_U256_POINT _P, *P = &_P; + SM2_U256_POINT _R, *R = &_R; + SM2_U256 r; + SM2_U256 s; + SM2_U256 e; + SM2_U256 x; + SM2_U256 t; + + const uint64_t *order = sm2_u256_order(); + + sm2_u256_print(stderr, 0, 4, "n", order); + + // parse public key + sm2_u256_point_from_bytes(P, (const uint8_t *)&key->public_key); + //sm2_u256_point_from_bytes(P, (const uint8_t *)&key->public_key); + //sm2_jacobian_point_print(stderr, 0, 4, "P", P); + + // parse signature values + sm2_u256_from_bytes(r, sig->r); sm2_u256_print(stderr, 0, 4, "r", r); + sm2_u256_from_bytes(s, sig->s); sm2_u256_print(stderr, 0, 4, "s", s); + + // check r, s in [1, n-1] + if (sm2_u256_is_zero(r) == 1) { + error_print(); + return -1; + } + if (sm2_u256_cmp(r, order) >= 0) { + sm2_u256_print(stderr, 0, 4, "err: r", r); + sm2_u256_print(stderr, 0, 4, "err: order", order); + error_print(); + return -1; + } + if (sm2_u256_is_zero(s) == 1) { + error_print(); + return -1; + } + if (sm2_u256_cmp(s, order) >= 0) { + + sm2_u256_print(stderr, 0, 4, "err: s", s); + sm2_u256_print(stderr, 0, 4, "err: order", order); + + printf(">>>>>\n"); + int r = sm2_u256_cmp(s, order); + fprintf(stderr, "cmp ret = %d\n", r); + printf(">>>>>\n"); + + error_print(); + return -1; + } + + // e = H(M) + sm2_u256_from_bytes(e, dgst); //sm2_bn_print(stderr, 0, 4, "e = H(M)", e); + + // t = r + s (mod n), check t != 0 + sm2_u256_modn_add(t, r, s); //sm2_bn_print(stderr, 0, 4, "t = r + s (mod n)", t); + if (sm2_u256_is_zero(t)) { + error_print(); + return -1; + } + + // Q = s * G + t * P + sm2_u256_point_mul_sum(R, t, P, s); + sm2_u256_point_get_xy(R, x, NULL); + //sm2_bn_print(stderr, 0, 4, "x", x); + + // r' = e + x (mod n) + if (sm2_u256_cmp(e, order) >= 0) { + sm2_u256_sub(e, e, order); + } + if (sm2_u256_cmp(x, order) >= 0) { + sm2_u256_sub(x, x, order); + } + sm2_u256_modn_add(e, e, x); //sm2_bn_print(stderr, 0, 4, "e + x (mod n)", e); + + // check if r == r' + if (sm2_u256_cmp(e, r) != 0) { + error_print(); + return -1; + } + return 1; +} + +static int all_zero(const uint8_t *buf, size_t len) +{ + size_t i; + for (i = 0; i < len; i++) { + if (buf[i]) { + return 0; + } + } + return 1; +} + +int sm2_do_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, SM2_CIPHERTEXT *out) +{ + SM2_U256 k; + SM2_U256_POINT _P, *P = &_P; + SM2_U256_POINT _C1, *C1 = &_C1; + SM2_U256_POINT _kP, *kP = &_kP; + uint8_t x2y2[64]; + SM3_CTX sm3_ctx; + + if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) { + error_print(); + return -1; + } + + sm2_u256_point_from_bytes(P, (uint8_t *)&key->public_key); + + // S = h * P, check S != O + // for sm2 curve, h == 1 and S == P + // SM2_POINT can not present point at infinity, do do nothing here + +retry: + // rand k in [1, n - 1] + // TODO: set rand_bytes output for testing + do { + if (sm2_u256_modn_rand(k) != 1) { + error_print(); + return -1; + } + } while (sm2_u256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k); + + // output C1 = k * G = (x1, y1) + sm2_u256_point_mul_generator(C1, k); + sm2_u256_point_to_bytes(C1, (uint8_t *)&out->point); + + // k * P = (x2, y2) + sm2_u256_point_mul(kP, k, P); + sm2_u256_point_to_bytes(kP, x2y2); + + // t = KDF(x2 || y2, inlen) + sm2_kdf(x2y2, 64, inlen, out->ciphertext); + + // if t is all zero, retry + if (all_zero(out->ciphertext, inlen)) { + goto retry; + } + + // output C2 = M xor t + gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen); + out->ciphertext_size = (uint32_t)inlen; + + // output C3 = Hash(x2 || m || y2) + sm3_init(&sm3_ctx); + sm3_update(&sm3_ctx, x2y2, 32); + sm3_update(&sm3_ctx, in, inlen); + sm3_update(&sm3_ctx, x2y2 + 32, 32); + sm3_finish(&sm3_ctx, out->hash); + + gmssl_secure_clear(k, sizeof(k)); + gmssl_secure_clear(kP, sizeof(SM2_U256_POINT)); + gmssl_secure_clear(x2y2, sizeof(x2y2)); + return 1; +} + +int sm2_do_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, SM2_CIPHERTEXT *out) +{ + unsigned int trys = 200; + SM2_U256 k; + SM2_U256_POINT _P, *P = &_P; + SM2_U256_POINT _C1, *C1 = &_C1; + SM2_U256_POINT _kP, *kP = &_kP; + uint8_t x2y2[64]; + SM3_CTX sm3_ctx; + + if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) { + error_print(); + return -1; + } + + switch (point_size) { + case SM2_ciphertext_compact_point_size: + case SM2_ciphertext_typical_point_size: + case SM2_ciphertext_max_point_size: + break; + default: + error_print(); + return -1; + } + + sm2_u256_point_from_bytes(P, (uint8_t *)&key->public_key); + + // S = h * P, check S != O + // for sm2 curve, h == 1 and S == P + // SM2_POINT can not present point at infinity, do do nothing here + +retry: + // rand k in [1, n - 1] + do { + if (sm2_u256_modn_rand(k) != 1) { + error_print(); + return -1; + } + } while (sm2_u256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k); + + // output C1 = k * G = (x1, y1) + sm2_u256_point_mul_generator(C1, k); + sm2_u256_point_to_bytes(C1, (uint8_t *)&out->point); + + // check fixlen + if (trys) { + size_t len = 0; + asn1_integer_to_der(out->point.x, 32, NULL, &len); + asn1_integer_to_der(out->point.y, 32, NULL, &len); + if (len != point_size) { + trys--; + goto retry; + } + } else { + gmssl_secure_clear(k, sizeof(k)); + error_print(); + return -1; + } + + // k * P = (x2, y2) + sm2_u256_point_mul(kP, k, P); + sm2_u256_point_to_bytes(kP, x2y2); + + // t = KDF(x2 || y2, inlen) + sm2_kdf(x2y2, 64, inlen, out->ciphertext); + + // if t is all zero, retry + if (all_zero(out->ciphertext, inlen)) { + goto retry; + } + + // output C2 = M xor t + gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen); + out->ciphertext_size = (uint32_t)inlen; + + // output C3 = Hash(x2 || m || y2) + sm3_init(&sm3_ctx); + sm3_update(&sm3_ctx, x2y2, 32); + sm3_update(&sm3_ctx, in, inlen); + sm3_update(&sm3_ctx, x2y2 + 32, 32); + sm3_finish(&sm3_ctx, out->hash); + + gmssl_secure_clear(k, sizeof(k)); + gmssl_secure_clear(kP, sizeof(SM2_U256_POINT)); + gmssl_secure_clear(x2y2, sizeof(x2y2)); + return 1; +} + +int sm2_do_decrypt(const SM2_KEY *key, const SM2_CIPHERTEXT *in, uint8_t *out, size_t *outlen) +{ + int ret = -1; + SM2_U256 d; + SM2_U256_POINT _C1, *C1 = &_C1; + uint8_t x2y2[64]; + SM3_CTX sm3_ctx; + uint8_t hash[32]; + + // check C1 is on sm2 curve + sm2_u256_point_from_bytes(C1, (uint8_t *)&in->point); + if (!sm2_u256_point_is_on_curve(C1)) { + error_print(); + return -1; + } + + // check if S = h * C1 is point at infinity + // this will not happen, as SM2_POINT can not present point at infinity + + // d * C1 = (x2, y2) + sm2_u256_from_bytes(d, key->private_key); + sm2_u256_point_mul(C1, d, C1); + + // t = KDF(x2 || y2, klen) and check t is not all zeros + sm2_u256_point_to_bytes(C1, x2y2); + sm2_kdf(x2y2, 64, in->ciphertext_size, out); + if (all_zero(out, in->ciphertext_size)) { + error_print(); + goto end; + } + + // M = C2 xor t + gmssl_memxor(out, out, in->ciphertext, in->ciphertext_size); + *outlen = in->ciphertext_size; + + // u = Hash(x2 || M || y2) + sm3_init(&sm3_ctx); + sm3_update(&sm3_ctx, x2y2, 32); + sm3_update(&sm3_ctx, out, in->ciphertext_size); + sm3_update(&sm3_ctx, x2y2 + 32, 32); + sm3_finish(&sm3_ctx, hash); + + // check if u == C3 + if (memcmp(in->hash, hash, sizeof(hash)) != 0) { + error_print(); + goto end; + } + ret = 1; + +end: + gmssl_secure_clear(d, sizeof(d)); + gmssl_secure_clear(C1, sizeof(SM2_U256_POINT)); + gmssl_secure_clear(x2y2, sizeof(x2y2)); + return ret; +} diff --git a/tests/sm2_enctest.c b/tests/sm2_enctest.c new file mode 100644 index 00000000..c4c64851 --- /dev/null +++ b/tests/sm2_enctest.c @@ -0,0 +1,341 @@ +/* + * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the License); you may + * not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include +#include + + + +// 由于当前Ciphertext中椭圆曲线点数据不正确,因此无法通过测试 +static int test_sm2_ciphertext(void) +{ + SM2_CIPHERTEXT C; + uint8_t buf[1024]; + uint8_t *p = buf; + const uint8_t *cp = buf; + size_t len = 0; + + memset(&C, 0, sizeof(SM2_CIPHERTEXT)); + + cp = p = buf; len = 0; + if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "SM2_NULL_CIPHERTEXT_SIZE: %zu\n", len); + format_bytes(stderr, 0, 4, "", buf, len); + + + if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 + || asn1_length_is_zero(len) != 1) { + error_print(); + return -1; + } + + + // {0, 0, Hash, MinLen} + C.ciphertext_size = SM2_MIN_PLAINTEXT_SIZE; + cp = p = buf; len = 0; + if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "SM2_MIN_PLAINTEXT_SIZE: %zu\n", SM2_MIN_PLAINTEXT_SIZE); + format_print(stderr, 0, 4, "SM2_MIN_CIPHERTEXT_SIZE: %zu\n", len); + format_bytes(stderr, 0, 4, "", buf, len); + if (len != SM2_MIN_CIPHERTEXT_SIZE) { + error_print(); + return -1; + } + if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 + || asn1_length_is_zero(len) != 1) { + error_print(); + return -1; + } + + // { 33, 33, Hash, NULL } + memset(&C, 0x80, sizeof(SM2_POINT)); + cp = p = buf; len = 0; + if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "ciphertext len: %zu\n", len); + format_bytes(stderr, 0, 4, "", buf, len); + if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 + || asn1_length_is_zero(len) != 1) { + error_print(); + return -1; + } + + // { 33, 33, Hash, MaxLen } + C.ciphertext_size = SM2_MAX_PLAINTEXT_SIZE;//SM2_MAX_PLAINTEXT_SIZE; + cp = p = buf; len = 0; + if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "SM2_MAX_PLAINTEXT_SIZE: %zu\n", SM2_MAX_PLAINTEXT_SIZE); + format_print(stderr, 0, 4, "SM2_MAX_CIPHERTEXT_SIZE: %zu\n", len); + format_bytes(stderr, 0, 4, "", buf, len); + if (len != SM2_MAX_CIPHERTEXT_SIZE) { + error_print(); + return -1; + } + if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 + || asn1_length_is_zero(len) != 1) { + error_print(); + return -1; + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +#define TEST_COUNT 20 + +static int test_sm2_do_encrypt(void) +{ + SM2_KEY sm2_key; + uint8_t plaintext[] = "Hello World!"; + SM2_CIPHERTEXT ciphertext; + + uint8_t plainbuf[SM2_MAX_PLAINTEXT_SIZE] = {0}; + size_t plainlen = 0; + int r = 0; + + size_t i = 0; + + for (i = 0; i < TEST_COUNT; i++) { + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + + if (sm2_do_encrypt(&sm2_key, plaintext, sizeof(plaintext), &ciphertext) != 1) { + error_print(); + return -1; + } + + if (sm2_do_decrypt(&sm2_key, &ciphertext, plainbuf, &plainlen) != 1) { + error_print(); + return -1; + } + if (plainlen != sizeof(plaintext) + || memcmp(plainbuf, plaintext, sizeof(plaintext)) != 0) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +static int test_sm2_do_encrypt_fixlen(void) +{ + struct { + int point_size; + size_t plaintext_len; + } tests[] = { + { SM2_ciphertext_compact_point_size, 10 }, + { SM2_ciphertext_typical_point_size, 10 }, + { SM2_ciphertext_max_point_size, 10 }, + }; + + SM2_KEY sm2_key; + uint8_t plaintext[SM2_MAX_PLAINTEXT_SIZE]; + SM2_CIPHERTEXT ciphertext; + uint8_t decrypted[SM2_MAX_PLAINTEXT_SIZE]; + size_t decrypted_len; + + size_t i; + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + + rand_bytes(plaintext, sizeof(plaintext)); + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + + if (sm2_do_encrypt_fixlen(&sm2_key, plaintext, tests[i].plaintext_len, tests[i].point_size, &ciphertext) != 1) { + error_print(); + return -1; + } + + if (sm2_do_decrypt(&sm2_key, &ciphertext, decrypted, &decrypted_len) != 1) { + error_print(); + return -1; + } + + if (decrypted_len != tests[i].plaintext_len) { + error_print(); + return -1; + } + if (memcmp(decrypted, plaintext, decrypted_len) != 0) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + + +static int test_sm2_encrypt_fixlen(void) +{ + struct { + int point_size; + size_t plaintext_len; + } tests[] = { + { SM2_ciphertext_compact_point_size, 1 }, + { SM2_ciphertext_typical_point_size, 64 }, + { SM2_ciphertext_max_point_size, SM2_MAX_PLAINTEXT_SIZE }, + }; + + SM2_KEY sm2_key; + size_t point_size; + uint8_t plaintext[SM2_MAX_PLAINTEXT_SIZE]; + uint8_t encrypted[SM2_MAX_CIPHERTEXT_SIZE]; + uint8_t decrypted[SM2_MAX_PLAINTEXT_SIZE]; + size_t encrypted_len, encrypted_fixlen, decrypted_len; + size_t i, j; + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + rand_bytes(plaintext, sizeof(plaintext)); + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + + if (sm2_encrypt_fixlen(&sm2_key, plaintext, tests[i].plaintext_len, tests[i].point_size, + encrypted, &encrypted_len) != 1) { + error_print(); + return -1; + } + + if (sm2_decrypt(&sm2_key, encrypted, encrypted_len, decrypted, &decrypted_len) != 1) { + error_print(); + return -1; + } + if (decrypted_len != tests[i].plaintext_len) { + error_print(); + return -1; + } + if (memcmp(decrypted, plaintext, tests[i].plaintext_len) != 0) { + error_print(); + return -1; + } + + // check if sm2_encrypt_fixlen always output fixed length ciphertext + encrypted_fixlen = encrypted_len; + for (j = 0; j < 10; j++) { + if (sm2_encrypt_fixlen(&sm2_key, plaintext, tests[i].plaintext_len, tests[i].point_size, + encrypted, &encrypted_len) != 1) { + error_print(); + return -1; + } + printf("plaintext len = %zu, ciphertext len = %zu\n", tests[i].plaintext_len, encrypted_len); + if (encrypted_len != encrypted_fixlen) { + error_print(); + return -1; + } + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + + + +// 应该生成不同情况下的密文! + + + + + + +static int test_sm2_encrypt(void) +{ + SM2_KEY sm2_key; + uint8_t msg[SM2_MAX_PLAINTEXT_SIZE]; + uint8_t cbuf[SM2_MAX_CIPHERTEXT_SIZE+100]; + uint8_t mbuf[SM2_MAX_CIPHERTEXT_SIZE]; + size_t lens[] = { +// 0, + 1, + 16, + SM2_MAX_PLAINTEXT_SIZE, + }; + size_t clen, mlen; + int i; + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + + for (i = 0; i < sizeof(msg); i++) { + msg[i] = (uint8_t)i; + } + + for (i = 0; i < sizeof(lens)/sizeof(lens[0]); i++) { + format_print(stderr, 0, 0, "test %d\n", i + 1); + format_bytes(stderr, 0, 4, "plaintext", msg, lens[i]); + if (sm2_encrypt(&sm2_key, msg, lens[i], cbuf, &clen) != 1) { + error_print(); + return -1; + } + format_bytes(stderr, 0, 4, "ciphertext", cbuf, clen); + sm2_ciphertext_print(stderr, 0, 4, "Ciphertext", cbuf, clen); + format_print(stderr, 0, 0, "\n"); + + if (sm2_decrypt(&sm2_key, cbuf, clen, mbuf, &mlen) != 1) { + error_print(); + return -1; + } + if (mlen != lens[i] + || memcmp(mbuf, msg, lens[i]) != 0) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + + + +int main(void) +{ + //if (test_sm2_ciphertext() != 1) goto err; // 需要正确的Ciphertext数据 + if (test_sm2_do_encrypt() != 1) goto err; + if (test_sm2_do_encrypt_fixlen() != 1) goto err; + if (test_sm2_encrypt() != 1) goto err; + if (test_sm2_encrypt_fixlen() != 1) goto err; + printf("%s all tests passed\n", __FILE__); + return 0; +err: + error_print(); + return -1; +} + diff --git a/tests/sm2_signtest.c b/tests/sm2_signtest.c new file mode 100644 index 00000000..1a0d10b5 --- /dev/null +++ b/tests/sm2_signtest.c @@ -0,0 +1,224 @@ +/* + * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the License); you may + * not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +static int test_sm2_signature(void) +{ + SM2_SIGNATURE sig; + uint8_t buf[512]; + uint8_t *p = buf; + const uint8_t *cp = buf; + size_t len = 0; + + // MinLen + memset(&sig, 0x00, sizeof(sig)); + cp = p = buf; len = 0; + if (sm2_signature_to_der(&sig, &p, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "SM2_MIN_SIGNATURE_SIZE: %zu\n", len); + format_bytes(stderr, 0, 4, "", buf, len); + sm2_signature_print(stderr, 0, 4, "signature", buf, len); + if (len != SM2_MIN_SIGNATURE_SIZE) { + error_print(); + return -1; + } + if (sm2_signature_from_der(&sig, &cp, &len) != 1 + || asn1_length_is_zero(len) != 1) { + error_print(); + return -1; + } + + + // MaxLen + memset(&sig, 0x80, sizeof(sig)); + cp = p = buf; len = 0; + if (sm2_signature_to_der(&sig, &p, &len) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "SM2_MAX_SIGNATURE_SIZE: %zu\n", len); + format_bytes(stderr, 0, 4, "", buf, len); + sm2_signature_print(stderr, 0, 4, "signature", buf, len); + if (len != SM2_MAX_SIGNATURE_SIZE) { + error_print(); + return -1; + } + if (sm2_signature_from_der(&sig, &cp, &len) != 1 + || asn1_length_is_zero(len) != 1) { + error_print(); + return -1; + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +#define TEST_COUNT 20 + +static int test_sm2_do_sign(void) +{ + SM2_KEY sm2_key; + uint8_t dgst[32]; + SM2_SIGNATURE sig; + size_t i; + + for (i = 0; i < TEST_COUNT; i++) { + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + rand_bytes(dgst, 32); + + if (sm2_do_sign(&sm2_key, dgst, &sig) != 1) { + error_print(); + return -1; + } + if (sm2_do_verify(&sm2_key, dgst, &sig) != 1) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +#define SM2_U256 SM2_Z256 +#define sm2_u256_one sm2_z256_one +#define sm2_u256_is_zero sm2_z256_is_zero +#define sm2_u256_from_bytes sm2_z256_from_bytes +#define sm2_u256_modn_add sm2_z256_modn_add +#define sm2_u256_modn_inv sm2_z256_modn_inv + +static int test_sm2_do_sign_fast(void) +{ + SM2_KEY sm2_key; + SM2_U256 d; + uint8_t dgst[32]; + SM2_SIGNATURE sig; + size_t i; + + // d' = (d + 1)^-1 (mod n) + const uint64_t *one = sm2_u256_one(); + do { + sm2_key_generate(&sm2_key); + sm2_u256_from_bytes(d, sm2_key.private_key); + sm2_u256_modn_add(d, d, one); + sm2_u256_modn_inv(d, d); + } while (sm2_u256_is_zero(d)); + + for (i = 0; i < TEST_COUNT; i++) { + if (sm2_do_sign_fast(d, dgst, &sig) != 1) { + error_print(); + return -1; + } + if (sm2_do_verify(&sm2_key, dgst, &sig) != 1) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +static int test_sm2_sign(void) +{ + SM2_KEY sm2_key; + uint8_t dgst[32]; + uint8_t sig[SM2_MAX_SIGNATURE_SIZE]; + size_t siglen; + size_t i; + + for (i = 0; i < TEST_COUNT; i++) { + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + rand_bytes(dgst, 32); + + if (sm2_sign(&sm2_key, dgst, sig, &siglen) != 1) { + error_print(); + return -1; + } + if (sm2_verify(&sm2_key, dgst, sig, siglen) != 1) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +static int test_sm2_sign_ctx(void) +{ + int ret; + SM2_KEY sm2_key; + SM2_SIGN_CTX sign_ctx; + uint8_t msg[] = "Hello World!"; + uint8_t sig[SM2_MAX_SIGNATURE_SIZE] = {0}; + size_t siglen; + + if (sm2_key_generate(&sm2_key) != 1) { + error_print(); + return -1; + } + sm2_key_print(stderr, 0, 4, "SM2_KEY", &sm2_key); + + if (sm2_sign_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1 + || sm2_sign_update(&sign_ctx, msg, sizeof(msg)) != 1 + || sm2_sign_finish(&sign_ctx, sig, &siglen) != 1) { + error_print(); + return -1; + } + format_bytes(stderr, 0, 4, "signature", sig, siglen); + sm2_signature_print(stderr, 0, 4, "signature", sig, siglen); + + if (sm2_verify_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1 + || sm2_verify_update(&sign_ctx, msg, sizeof(msg)) != 1 + || (ret = sm2_verify_finish(&sign_ctx, sig, siglen)) != 1) { + error_print(); + return -1; + } + format_print(stderr, 0, 4, "verification: %s\n", ret ? "success" : "failed"); + + // FIXME: 还应该增加验证不通过的测试 + // 还应该增加底层的参数 + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +int main(void) +{ + if (test_sm2_signature() != 1) goto err; + if (test_sm2_do_sign() != 1) goto err; + if (test_sm2_sign() != 1) goto err; + if (test_sm2_sign_ctx() != 1) goto err; + printf("%s all tests passed\n", __FILE__); + return 0; +err: + error_print(); + return -1; +} + diff --git a/tests/sm2_z256test.c b/tests/sm2_z256test.c index d95041b2..c7016e38 100644 --- a/tests/sm2_z256test.c +++ b/tests/sm2_z256test.c @@ -19,6 +19,7 @@ enum { OP_ADD, + OP_DBL, OP_SUB, OP_NEG, OP_MUL, @@ -240,25 +241,16 @@ static int test_sm2_z256_modn(void) sm2_z256_modn_neg(c, a); break; case OP_MUL: - sm2_z256_modn_to_mont(a, a); - sm2_z256_modn_to_mont(b, b); - sm2_z256_modn_mont_mul(c, a, b); - sm2_z256_modn_from_mont(c, c); + sm2_z256_modn_mul(c, a, b); break; case OP_SQR: - sm2_z256_modn_to_mont(a, a); - sm2_z256_modn_mont_sqr(c, a); - sm2_z256_modn_from_mont(c, c); + sm2_z256_modn_sqr(c, a); break; case OP_EXP: - sm2_z256_modn_to_mont(a, a); - sm2_z256_modn_mont_exp(c, a, b); - sm2_z256_modn_from_mont(c, c); + sm2_z256_modn_exp(c, a, b); break; case OP_INV: - sm2_z256_modn_to_mont(a, a); - sm2_z256_modn_mont_inv(c, a); - sm2_z256_modn_from_mont(c, c); + sm2_z256_modn_inv(c, a); break; default: error_print(); @@ -285,6 +277,219 @@ static int test_sm2_z256_modn(void) return 1; } +static int test_sm2_z256_point_is_on_curve(void) +{ + + struct { + char *label; + char *mont_X; + char *mont_Y; + char *mont_Z; + } tests[] = { + { + "Point at Infinity (1:1:0)", + "0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1) + "0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1) + "0000000000000000000000000000000000000000000000000000000000000000", // 0 + }, + { + "Affine Point [1]G with Montgomery Coordinates", + "91167a5ee1c13b05d6a1ed99ac24c3c33e7981eddca6c05061328990f418029e", // mont(x) + "63cd65d481d735bd8d4cfb066e2a48f8c1f5e5788d3295fac1354e593c2d0ddd", // mont(y) + "0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1) + }, + { + "Jacobian Point [2]G with Montgomery Coordinates", + "398874c476a3b1f77aef3e862601440903243d78d5b614a62eda8381e63c48d6", + "1fbbdfdddaf4fd475a86a7ae64921d4829f04a88f6cf4dc128385681c1a73e40", + "c79acba903ae6b7b1a99f60cdc5491f183ebcaf11a652bf5826a9cb2785a1bba", + }, + }; + + SM2_Z256_POINT P; + size_t i; + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + + sm2_z256_from_hex(P.X, tests[i].mont_X); + sm2_z256_from_hex(P.Y, tests[i].mont_Y); + sm2_z256_from_hex(P.Z, tests[i].mont_Z); + + if (sm2_z256_point_is_on_curve(&P) != 1) { + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +static int test_sm2_z256_point_get_xy(void) +{ + struct { + char *label; + char *mont_X; + char *mont_Y; + char *mont_Z; + char *x; + char *y; + } tests[] = { + { + "Point at Infinity (1:1:0)", + "0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1) + "0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1) + "0000000000000000000000000000000000000000000000000000000000000000", // 0 + "0000000000000000000000000000000000000000000000000000000000000000", // 0 + "0000000000000000000000000000000000000000000000000000000000000000", // 0 + }, + { + "Affine Point [1]G with Montgomery Coordinates", + "91167a5ee1c13b05d6a1ed99ac24c3c33e7981eddca6c05061328990f418029e", // mont(x) + "63cd65d481d735bd8d4cfb066e2a48f8c1f5e5788d3295fac1354e593c2d0ddd", // mont(y) + "0000000100000000000000000000000000000000ffffffff0000000000000001", // mont(1) + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", // x + "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", // y + }, + { + "Jacobian Point [2]G with Montgomery Coordinates", + "398874c476a3b1f77aef3e862601440903243d78d5b614a62eda8381e63c48d6", + "1fbbdfdddaf4fd475a86a7ae64921d4829f04a88f6cf4dc128385681c1a73e40", + "c79acba903ae6b7b1a99f60cdc5491f183ebcaf11a652bf5826a9cb2785a1bba", + "56cefd60d7c87c000d58ef57fa73ba4d9c0dfa08c08a7331495c2e1da3f2bd52", + "31b7e7e6cc8189f668535ce0f8eaf1bd6de84c182f6c8e716f780d3a970a23c3", + }, + }; + + SM2_Z256_POINT P; + uint64_t x[4]; + uint64_t y[4]; + size_t i; + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + + sm2_z256_from_hex(P.X, tests[i].mont_X); + sm2_z256_from_hex(P.Y, tests[i].mont_Y); + sm2_z256_from_hex(P.Z, tests[i].mont_Z); + + sm2_z256_point_get_xy(&P, x, NULL); + if (sm2_z256_equ_hex(x, tests[i].x) != 1) { + error_print(); + return -1; + } + + sm2_z256_point_get_xy(&P, x, y); + if (sm2_z256_equ_hex(y, tests[i].y) != 1) { + error_print(); + return -1; + } + }; + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + +static int test_sm2_z256_point_ops(void) +{ + char *hex_G = + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7" + "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0"; + char *hex_2G = + "56cefd60d7c87c000d58ef57fa73ba4d9c0dfa08c08a7331495c2e1da3f2bd52" + "31b7e7e6cc8189f668535ce0f8eaf1bd6de84c182f6c8e716f780d3a970a23c3"; + char *hex_3G = + "a97f7cd4b3c993b4be2daa8cdb41e24ca13f6bd945302244e26918f1d0509ebf" + "530b5dd88c688ef5ccc5cec08a72150f7c400ee5cd045292aaacdd037458f6e6"; + char *hex_negG = + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7" + "43c8c95c0b098863a642311c9496deac2f56788239d5b8c0fd20cd1adec60f5f"; + char *hex_10G = + "d3f94862519621c121666061f65c3e32b2d0d065cd219e3284a04814db522756" + "4b9030cf676f6a742ebd57d146dca428f6b743f64d1482d147d46fb2bab82a14"; + char *hex_bG = + "528470bc74a6ebc663c06fc4cfa1b630d1e9d4a80c0a127b47f73c324c46c0ba" + "832cf9c5a15b997e60962b4cf6e2c9cee488faaec98d20599d323d4cabfc1bf4"; + char *hex_10 = + "000000000000000000000000000000000000000000000000000000000000000A"; + char *hex_b = + "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93"; + + struct { + char *label; + int op; + char *R; + char *k; + char *A; + char *B; + } tests[] = { + {"[2]G", OP_DBL, hex_2G, NULL, hex_G, NULL,}, + {"[2]G + G", OP_ADD, hex_3G, NULL, hex_2G, hex_G,}, + {"[3]G - G", OP_SUB, hex_2G, NULL, hex_3G, hex_G,}, + {"-G", OP_NEG, hex_negG, NULL, hex_G, NULL,}, + {"[10]G", OP_MUL, hex_10G, hex_10, hex_G, NULL,}, + {"[b]G", OP_MUL, hex_bG, hex_b, hex_G, NULL,}, + }; + + size_t i; + + SM2_Z256_POINT P; + SM2_Z256_POINT R; + uint64_t k[4]; + SM2_Z256_POINT A; + SM2_Z256_POINT B; + + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + + sm2_z256_point_from_hex(&R, tests[i].R); + if (tests[i].k) { + sm2_z256_from_hex(k, tests[i].k); + } + + sm2_z256_point_from_hex(&A, tests[i].A); + if (tests[i].B) { + sm2_z256_point_from_hex(&B, tests[i].B); + } + + switch (tests[i].op) { + case OP_ADD: + sm2_z256_point_add(&P, &A, &B); + break; + case OP_DBL: + sm2_z256_point_dbl(&P, &A); + break; + case OP_SUB: + sm2_z256_point_sub(&P, &A, &B); + break; + case OP_NEG: + sm2_z256_point_neg(&P, &A); + break; + case OP_MUL: + sm2_z256_point_mul(&P, k, &A); + break; + default: + error_print(); + return -1; + } + + fprintf(stderr, "%s\n", tests[i].label); + sm2_z256_point_print(stderr, 0, 4, "R", &P); + fprintf(stderr, " R: %s\n", tests[i].R); + fprintf(stderr, " k: %s\n", tests[i].k); + fprintf(stderr, " A: %s\n", tests[i].A); + fprintf(stderr, " B: %s\n", tests[i].B); + + if (sm2_z256_point_equ_hex(&P, tests[i].R) != 1) { + + error_print(); + return -1; + } + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + static int test_sm2_z256_point_mul_generator(void) { struct { @@ -340,7 +545,6 @@ static int test_sm2_z256_point_mul_generator(void) "DDF092555409C19DFDBE86A75C139906A80198337744EE78CD27E384D9FCAF15" "847D18FFB38E87065CD6B6E9C12D2922037937707D6A49A2223B949657E52BC1", }, - // k = G.x { "[x]G", "32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", @@ -414,6 +618,9 @@ int main(void) { if (test_sm2_z256_modp() != 1) goto err; if (test_sm2_z256_modn() != 1) goto err; + if (test_sm2_z256_point_is_on_curve() != 1) goto err; + if (test_sm2_z256_point_get_xy() != 1) goto err; + if (test_sm2_z256_point_ops() != 1) goto err; if (test_sm2_z256_point_mul_generator() != 1) goto err; printf("%s all tests passed\n", __FILE__); return 0; diff --git a/tests/sm2test.c b/tests/sm2test.c index 468a6090..5d55d916 100644 --- a/tests/sm2test.c +++ b/tests/sm2test.c @@ -1,4 +1,4 @@ -/* +/* * Copyright 2014-2022 The GmSSL Project. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the License); you may @@ -444,267 +444,8 @@ static int test_sm2_point_from_x(void) return 1; } -static int test_sm2_signature(void) -{ - SM2_SIGNATURE sig; - uint8_t buf[512]; - uint8_t *p = buf; - const uint8_t *cp = buf; - size_t len = 0; - - // MinLen - memset(&sig, 0x00, sizeof(sig)); - cp = p = buf; len = 0; - if (sm2_signature_to_der(&sig, &p, &len) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "SM2_MIN_SIGNATURE_SIZE: %zu\n", len); - format_bytes(stderr, 0, 4, "", buf, len); - sm2_signature_print(stderr, 0, 4, "signature", buf, len); - if (len != SM2_MIN_SIGNATURE_SIZE) { - error_print(); - return -1; - } - if (sm2_signature_from_der(&sig, &cp, &len) != 1 - || asn1_length_is_zero(len) != 1) { - error_print(); - return -1; - } - // MaxLen - memset(&sig, 0x80, sizeof(sig)); - cp = p = buf; len = 0; - if (sm2_signature_to_der(&sig, &p, &len) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "SM2_MAX_SIGNATURE_SIZE: %zu\n", len); - format_bytes(stderr, 0, 4, "", buf, len); - sm2_signature_print(stderr, 0, 4, "signature", buf, len); - if (len != SM2_MAX_SIGNATURE_SIZE) { - error_print(); - return -1; - } - if (sm2_signature_from_der(&sig, &cp, &len) != 1 - || asn1_length_is_zero(len) != 1) { - error_print(); - return -1; - } - - - printf("%s() ok\n", __FUNCTION__); - return 1; -} - -static int test_sm2_sign(void) -{ - int ret; - SM2_KEY sm2_key; - SM2_SIGN_CTX sign_ctx; - uint8_t msg[] = "Hello World!"; - uint8_t sig[SM2_MAX_SIGNATURE_SIZE] = {0}; - size_t siglen; - - if (sm2_key_generate(&sm2_key) != 1) { - error_print(); - return -1; - } - sm2_key_print(stderr, 0, 4, "SM2_KEY", &sm2_key); - - if (sm2_sign_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1 - || sm2_sign_update(&sign_ctx, msg, sizeof(msg)) != 1 - || sm2_sign_finish(&sign_ctx, sig, &siglen) != 1) { - error_print(); - return -1; - } - format_bytes(stderr, 0, 4, "signature", sig, siglen); - sm2_signature_print(stderr, 0, 4, "signature", sig, siglen); - - if (sm2_verify_init(&sign_ctx, &sm2_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1 - || sm2_verify_update(&sign_ctx, msg, sizeof(msg)) != 1 - || (ret = sm2_verify_finish(&sign_ctx, sig, siglen)) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "verification: %s\n", ret ? "success" : "failed"); - - - // FIXME: 还应该增加验证不通过的测试 - // 还应该增加底层的参数 - printf("%s() ok\n", __FUNCTION__); - return 1; -} - -// 由于当前Ciphertext中椭圆曲线点数据不正确,因此无法通过测试 -static int test_sm2_ciphertext(void) -{ - SM2_CIPHERTEXT C; - uint8_t buf[1024]; - uint8_t *p = buf; - const uint8_t *cp = buf; - size_t len = 0; - - memset(&C, 0, sizeof(SM2_CIPHERTEXT)); - - cp = p = buf; len = 0; - if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "SM2_NULL_CIPHERTEXT_SIZE: %zu\n", len); - format_bytes(stderr, 0, 4, "", buf, len); - - - if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 - || asn1_length_is_zero(len) != 1) { - error_print(); - return -1; - } - - - // {0, 0, Hash, MinLen} - C.ciphertext_size = SM2_MIN_PLAINTEXT_SIZE; - cp = p = buf; len = 0; - if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "SM2_MIN_PLAINTEXT_SIZE: %zu\n", SM2_MIN_PLAINTEXT_SIZE); - format_print(stderr, 0, 4, "SM2_MIN_CIPHERTEXT_SIZE: %zu\n", len); - format_bytes(stderr, 0, 4, "", buf, len); - if (len != SM2_MIN_CIPHERTEXT_SIZE) { - error_print(); - return -1; - } - if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 - || asn1_length_is_zero(len) != 1) { - error_print(); - return -1; - } - - // { 33, 33, Hash, NULL } - memset(&C, 0x80, sizeof(SM2_POINT)); - cp = p = buf; len = 0; - if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "ciphertext len: %zu\n", len); - format_bytes(stderr, 0, 4, "", buf, len); - if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 - || asn1_length_is_zero(len) != 1) { - error_print(); - return -1; - } - - // { 33, 33, Hash, MaxLen } - C.ciphertext_size = SM2_MAX_PLAINTEXT_SIZE;//SM2_MAX_PLAINTEXT_SIZE; - cp = p = buf; len = 0; - if (sm2_ciphertext_to_der(&C, &p, &len) != 1) { - error_print(); - return -1; - } - format_print(stderr, 0, 4, "SM2_MAX_PLAINTEXT_SIZE: %zu\n", SM2_MAX_PLAINTEXT_SIZE); - format_print(stderr, 0, 4, "SM2_MAX_CIPHERTEXT_SIZE: %zu\n", len); - format_bytes(stderr, 0, 4, "", buf, len); - if (len != SM2_MAX_CIPHERTEXT_SIZE) { - error_print(); - return -1; - } - if (sm2_ciphertext_from_der(&C, &cp, &len) != 1 - || asn1_length_is_zero(len) != 1) { - error_print(); - return -1; - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} - - -static int test_sm2_do_encrypt(void) -{ - SM2_KEY sm2_key; - uint8_t plaintext[] = "Hello World!"; - SM2_CIPHERTEXT ciphertext; - - uint8_t plainbuf[SM2_MAX_PLAINTEXT_SIZE] = {0}; - size_t plainlen = 0; - int r = 0; - - if (sm2_key_generate(&sm2_key) != 1) { - error_print(); - return -1; - } - - if (sm2_do_encrypt(&sm2_key, plaintext, sizeof(plaintext), &ciphertext) != 1 - || sm2_do_decrypt(&sm2_key, &ciphertext, plainbuf, &plainlen) != 1) { - error_print(); - return -1; - } - - if (plainlen != sizeof(plaintext) - || memcmp(plainbuf, plaintext, sizeof(plaintext)) != 0) { - error_print(); - return -1; - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} - - -static int test_sm2_encrypt(void) -{ - SM2_KEY sm2_key; - uint8_t msg[SM2_MAX_PLAINTEXT_SIZE]; - uint8_t cbuf[SM2_MAX_CIPHERTEXT_SIZE+100]; - uint8_t mbuf[SM2_MAX_CIPHERTEXT_SIZE]; - size_t lens[] = { -// 0, - 1, - 16, - SM2_MAX_PLAINTEXT_SIZE, - }; - size_t clen, mlen; - int i; - - if (sm2_key_generate(&sm2_key) != 1) { - error_print(); - return -1; - } - - for (i = 0; i < sizeof(msg); i++) { - msg[i] = (uint8_t)i; - } - - for (i = 0; i < sizeof(lens)/sizeof(lens[0]); i++) { - format_print(stderr, 0, 0, "test %d\n", i + 1); - format_bytes(stderr, 0, 4, "plaintext", msg, lens[i]); - if (sm2_encrypt(&sm2_key, msg, lens[i], cbuf, &clen) != 1) { - error_print(); - return -1; - } - format_bytes(stderr, 0, 4, "ciphertext", cbuf, clen); - sm2_ciphertext_print(stderr, 0, 4, "Ciphertext", cbuf, clen); - format_print(stderr, 0, 0, "\n"); - - if (sm2_decrypt(&sm2_key, cbuf, clen, mbuf, &mlen) != 1) { - error_print(); - return -1; - } - if (mlen != lens[i] - || memcmp(mbuf, msg, lens[i]) != 0) { - error_print(); - return -1; - } - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} @@ -873,11 +614,6 @@ int main(void) if (test_sm2_private_key() != 1) goto err; if (test_sm2_private_key_info() != 1) goto err; if (test_sm2_enced_private_key_info() != 1) goto err; - if (test_sm2_signature() != 1) goto err; - if (test_sm2_sign() != 1) goto err; - //if (test_sm2_ciphertext() != 1) goto err; // 需要正确的Ciphertext数据 - if (test_sm2_do_encrypt() != 1) goto err; - if (test_sm2_encrypt() != 1) goto err; printf("%s all tests passed\n", __FILE__); return 0; err: