abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Re-organize SM2 files

Browse Source
This commit is contained in:
Zhi Guan
2024-04-17 22:43:04 +08:00
parent 2a5dc640bd
commit 549c68d2df
9 changed files with 1031 additions and 1030 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CMakeLists.txt
View File

@@ -40,9 +40,9 @@ set(src
src/sm2_z256.c
src/sm2_z256_table.c
src/sm2_key.c
src/sm2_enc.c
src/sm2_exch.c
src/sm2_sign.c
src/sm2_lib.c
src/sm2_ctx.c
src/sm9_z256.c
src/sm9_z256_table.c
src/sm9_key.c

2
include/gmssl/sm2.h
View File

@@ -34,7 +34,7 @@ typedef struct {
#define sm2_point_set_infinity(P) sm2_point_init(P)
int sm2_point_from_octets(SM2_POINT *P, const uint8_t *in, size_t inlen);
int sm2_point_from_octets(SM2_POINT *P, const uint8_t *in, size_t inlen);
void sm2_point_to_compressed_octets(const SM2_POINT *P, uint8_t out[33]);
void sm2_point_to_uncompressed_octets(const SM2_POINT *P, uint8_t out[65]);

3
include/gmssl/sm2_z256.h
View File

@@ -63,6 +63,7 @@ void sm2_z256_modn_sqr(uint64_t r[4], const uint64_t a[4]);
void sm2_z256_modn_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e[4]);
void sm2_z256_modn_inv(uint64_t r[4], const uint64_t a[4]);
// 这些函数可能没有必要因为mont几乎只需要用于modn_inv
void sm2_z256_modn_to_mont(const uint64_t a[4], uint64_t r[4]);
void sm2_z256_modn_from_mont(uint64_t r[4], const uint64_t a[4]);
void sm2_z256_modn_mont_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]);
@@ -86,6 +87,7 @@ int sm2_z256_point_is_on_curve(const SM2_Z256_POINT *P);
int sm2_z256_point_equ(const SM2_Z256_POINT *P, const SM2_Z256_POINT *Q); // 这个要声明一下Jacobian坐标系上一个点有不同的表示
void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4]);
void sm2_z256_point_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *A);
void sm2_z256_point_add(SM2_Z256_POINT *r, const SM2_Z256_POINT *a, const SM2_Z256_POINT *b);
void sm2_z256_point_neg(SM2_Z256_POINT *R, const SM2_Z256_POINT *P);
@@ -127,7 +129,6 @@ enum {
int sm2_z256_point_from_x_bytes(SM2_Z256_POINT *P, const uint8_t x_bytes[32], int y_is_odd);
int sm2_z256_point_from_hash(SM2_Z256_POINT *R, const uint8_t *data, size_t datalen, int y_is_odd);
int sm2_z256_point_from_octets(SM2_Z256_POINT *P, const uint8_t *in, size_t inlen);

369
src/sm2_ctx.c
View File

@@ -1,369 +0,0 @@
/*
* Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
#include <gmssl/sm2_z256.h>
#include <gmssl/sm3.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
#include <gmssl/endian.h>
int sm2_sign_init(SM2_SIGN_CTX *ctx, const SM2_KEY *key, const char *id, size_t idlen)
{
size_t i;
if (!ctx || !key) {
error_print();
return -1;
}
ctx->key = *key;
// d' = (d + 1)^-1 (mod n)
sm2_z256_from_bytes(ctx->sign_key, key->private_key);
sm2_z256_modn_add(ctx->sign_key, ctx->sign_key, sm2_z256_one());
sm2_z256_modn_inv(ctx->sign_key, ctx->sign_key);
sm3_init(&ctx->sm3_ctx);
if (id) {
uint8_t z[SM3_DIGEST_SIZE];
if (idlen <= 0 || idlen > SM2_MAX_ID_LENGTH) {
error_print();
return -1;
}
sm2_compute_z(z, &key->public_key, id, idlen);
sm3_update(&ctx->sm3_ctx, z, sizeof(z));
}
ctx->inited_sm3_ctx = ctx->sm3_ctx;
// pre compute (k, x = [k]G.x)
for (i = 0; i < 32; i++) {
if (sm2_do_sign_pre_compute(ctx->pre_comp[i].k, ctx->pre_comp[i].x1) != 1) {
error_print();
return -1;
}
}
ctx->num_pre_comp = 32;
return 1;
}
int sm2_sign_ctx_reset(SM2_SIGN_CTX *ctx)
{
ctx->sm3_ctx = ctx->inited_sm3_ctx;
return 1;
}
int sm2_sign_update(SM2_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
{
if (!ctx) {
error_print();
return -1;
}
if (data && datalen > 0) {
sm3_update(&ctx->sm3_ctx, data, datalen);
}
return 1;
}
int sm2_sign_finish(SM2_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen)
{
uint8_t dgst[SM3_DIGEST_SIZE];
SM2_SIGNATURE signature;
if (!ctx || !sig || !siglen) {
error_print();
return -1;
}
sm3_finish(&ctx->sm3_ctx, dgst);
if (ctx->num_pre_comp == 0) {
size_t i;
for (i = 0; i < 32; i++) {
if (sm2_do_sign_pre_compute(ctx->pre_comp[i].k, ctx->pre_comp[i].x1) != 1) {
error_print();
return -1;
}
}
ctx->num_pre_comp = 32;
}
ctx->num_pre_comp--;
if (sm2_do_sign_fast_ex(ctx->sign_key,
ctx->pre_comp[ctx->num_pre_comp].k, ctx->pre_comp[ctx->num_pre_comp].x1,
dgst, &signature) != 1) {
error_print();
return -1;
}
*siglen = 0;
if (sm2_signature_to_der(&signature, &sig, siglen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_sign_finish_fixlen(SM2_SIGN_CTX *ctx, size_t siglen, uint8_t *sig)
{
uint8_t dgst[SM3_DIGEST_SIZE];
if (!ctx || !sig || !siglen) {
error_print();
return -1;
}
sm3_finish(&ctx->sm3_ctx, dgst);
if (sm2_sign_fixlen(&ctx->key, dgst, siglen, sig) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_verify_init(SM2_SIGN_CTX *ctx, const SM2_KEY *key, const char *id, size_t idlen)
{
if (!ctx || !key) {
error_print();
return -1;
}
memset(ctx, 0, sizeof(*ctx));
ctx->key.public_key = key->public_key;
sm2_z256_point_from_bytes((SM2_Z256_POINT *)&ctx->public_key, (const uint8_t *)&key->public_key);
sm3_init(&ctx->sm3_ctx);
if (id) {
uint8_t z[SM3_DIGEST_SIZE];
if (idlen <= 0 || idlen > SM2_MAX_ID_LENGTH) {
error_print();
return -1;
}
sm2_compute_z(z, &key->public_key, id, idlen);
sm3_update(&ctx->sm3_ctx, z, sizeof(z));
}
ctx->inited_sm3_ctx = ctx->sm3_ctx;
return 1;
}
int sm2_verify_update(SM2_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
{
if (!ctx) {
error_print();
return -1;
}
if (data && datalen > 0) {
sm3_update(&ctx->sm3_ctx, data, datalen);
}
return 1;
}
int sm2_verify_finish(SM2_SIGN_CTX *ctx, const uint8_t *sig, size_t siglen)
{
uint8_t dgst[SM3_DIGEST_SIZE];
if (!ctx || !sig) {
error_print();
return -1;
}
sm3_finish(&ctx->sm3_ctx, dgst);
if (sm2_verify(&ctx->key, dgst, sig, siglen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_encrypt_init(SM2_ENC_CTX *ctx, const SM2_KEY *sm2_key)
{
if (!ctx || !sm2_key) {
error_print();
return -1;
}
memset(ctx, 0, sizeof(*ctx));
ctx->sm2_key = *sm2_key;
return 1;
}
int sm2_encrypt_update(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_PLAINTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = 0;
return 1;
}
if (in) {
if (inlen > SM2_MAX_PLAINTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
*outlen = 0;
return 1;
}
int sm2_encrypt_finish(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_PLAINTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = SM2_MAX_CIPHERTEXT_SIZE;
return 1;
}
if (ctx->buf_size) {
if (in) {
if (inlen > SM2_MAX_PLAINTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
if (sm2_encrypt(&ctx->sm2_key, ctx->buf, ctx->buf_size, out, outlen) != 1) {
error_print();
return -1;
}
} else {
if (!in || !inlen || inlen > SM2_MAX_PLAINTEXT_SIZE) {
error_print();
return -1;
}
if (sm2_encrypt(&ctx->sm2_key, in, inlen, out, outlen) != 1) {
error_print();
return -1;
}
}
return 1;
}
int sm2_decrypt_init(SM2_ENC_CTX *ctx, const SM2_KEY *sm2_key)
{
if (!ctx || !sm2_key) {
error_print();
return -1;
}
memset(ctx, 0, sizeof(*ctx));
ctx->sm2_key = *sm2_key;
return 1;
}
int sm2_decrypt_update(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_CIPHERTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = 0;
return 1;
}
if (in) {
if (inlen > SM2_MAX_CIPHERTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
*outlen = 0;
return 1;
}
int sm2_decrypt_finish(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_CIPHERTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = SM2_MAX_PLAINTEXT_SIZE;
return 1;
}
if (ctx->buf_size) {
if (in) {
if (inlen > SM2_MAX_CIPHERTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
if (sm2_decrypt(&ctx->sm2_key, ctx->buf, ctx->buf_size, out, outlen) != 1) {
error_print();
return -1;
}
} else {
if (!in || !inlen || inlen > SM2_MAX_CIPHERTEXT_SIZE) {
error_print();
return -1;
}
if (sm2_decrypt(&ctx->sm2_key, in, inlen, out, outlen) != 1) {
error_print();
return -1;
}
}
return 1;
}

599
src/sm2_enc.c Normal file
View File

@@ -0,0 +1,599 @@
/*
* Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
#include <gmssl/sm2_z256.h>
#include <gmssl/sm3.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
#include <gmssl/endian.h>
static int all_zero(const uint8_t *buf, size_t len)
{
size_t i;
for (i = 0; i < len; i++) {
if (buf[i]) {
return 0;
}
}
return 1;
}
int sm2_do_encrypt_pre_compute(uint64_t k[4], uint8_t C1[64])
{
SM2_Z256_POINT P;
// rand k in [1, n - 1]
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k));
// output C1 = k * G = (x1, y1)
sm2_z256_point_mul_generator(&P, k);
sm2_z256_point_to_bytes(&P, C1);
return 1;
}
// 和签名不一样,加密的时候要生成 (k, (x1, y1)) 也就是y坐标也是需要的
// 其中k是要参与计算的但是 (x1, y1) 不参与计算,输出为 bytes 就可以了
int sm2_do_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, SM2_CIPHERTEXT *out)
{
sm2_z256_t k;
SM2_Z256_POINT _P, *P = &_P;
SM2_Z256_POINT _C1, *C1 = &_C1;
SM2_Z256_POINT _kP, *kP = &_kP;
uint8_t x2y2[64];
SM3_CTX sm3_ctx;
if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) {
error_print();
return -1;
}
sm2_z256_point_from_bytes(P, (uint8_t *)&key->public_key);
// S = h * P, check S != O
// for sm2 curve, h == 1 and S == P
// SM2_POINT can not present point at infinity, do do nothing here
retry:
// rand k in [1, n - 1]
// TODO: set rand_bytes output for testing
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k);
// output C1 = k * G = (x1, y1)
sm2_z256_point_mul_generator(C1, k);
sm2_z256_point_to_bytes(C1, (uint8_t *)&out->point);
// k * P = (x2, y2)
sm2_z256_point_mul(kP, k, P);
sm2_z256_point_to_bytes(kP, x2y2);
// t = KDF(x2 || y2, inlen)
sm2_kdf(x2y2, 64, inlen, out->ciphertext);
// if t is all zero, retry
if (all_zero(out->ciphertext, inlen)) {
goto retry;
}
// output C2 = M xor t
gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen);
out->ciphertext_size = (uint32_t)inlen;
// output C3 = Hash(x2 || m || y2)
sm3_init(&sm3_ctx);
sm3_update(&sm3_ctx, x2y2, 32);
sm3_update(&sm3_ctx, in, inlen);
sm3_update(&sm3_ctx, x2y2 + 32, 32);
sm3_finish(&sm3_ctx, out->hash);
gmssl_secure_clear(k, sizeof(k));
gmssl_secure_clear(kP, sizeof(SM2_Z256_POINT));
gmssl_secure_clear(x2y2, sizeof(x2y2));
return 1;
}
int sm2_do_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, SM2_CIPHERTEXT *out)
{
unsigned int trys = 200;
sm2_z256_t k;
SM2_Z256_POINT _P, *P = &_P;
SM2_Z256_POINT _C1, *C1 = &_C1;
SM2_Z256_POINT _kP, *kP = &_kP;
uint8_t x2y2[64];
SM3_CTX sm3_ctx;
if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) {
error_print();
return -1;
}
switch (point_size) {
case SM2_ciphertext_compact_point_size:
case SM2_ciphertext_typical_point_size:
case SM2_ciphertext_max_point_size:
break;
default:
error_print();
return -1;
}
sm2_z256_point_from_bytes(P, (uint8_t *)&key->public_key);
// S = h * P, check S != O
// for sm2 curve, h == 1 and S == P
// SM2_POINT can not present point at infinity, do do nothing here
retry:
// rand k in [1, n - 1]
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k);
// output C1 = k * G = (x1, y1)
sm2_z256_point_mul_generator(C1, k);
sm2_z256_point_to_bytes(C1, (uint8_t *)&out->point);
// check fixlen
if (trys) {
size_t len = 0;
asn1_integer_to_der(out->point.x, 32, NULL, &len);
asn1_integer_to_der(out->point.y, 32, NULL, &len);
if (len != point_size) {
trys--;
goto retry;
}
} else {
gmssl_secure_clear(k, sizeof(k));
error_print();
return -1;
}
// k * P = (x2, y2)
sm2_z256_point_mul(kP, k, P);
sm2_z256_point_to_bytes(kP, x2y2);
// t = KDF(x2 || y2, inlen)
sm2_kdf(x2y2, 64, inlen, out->ciphertext);
// if t is all zero, retry
if (all_zero(out->ciphertext, inlen)) {
goto retry;
}
// output C2 = M xor t
gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen);
out->ciphertext_size = (uint32_t)inlen;
// output C3 = Hash(x2 || m || y2)
sm3_init(&sm3_ctx);
sm3_update(&sm3_ctx, x2y2, 32);
sm3_update(&sm3_ctx, in, inlen);
sm3_update(&sm3_ctx, x2y2 + 32, 32);
sm3_finish(&sm3_ctx, out->hash);
gmssl_secure_clear(k, sizeof(k));
gmssl_secure_clear(kP, sizeof(SM2_Z256_POINT));
gmssl_secure_clear(x2y2, sizeof(x2y2));
return 1;
}
int sm2_do_decrypt(const SM2_KEY *key, const SM2_CIPHERTEXT *in, uint8_t *out, size_t *outlen)
{
int ret = -1;
sm2_z256_t d;
SM2_Z256_POINT _C1, *C1 = &_C1;
uint8_t x2y2[64];
SM3_CTX sm3_ctx;
uint8_t hash[32];
// check C1 is on sm2 curve
sm2_z256_point_from_bytes(C1, (uint8_t *)&in->point);
if (!sm2_z256_point_is_on_curve(C1)) {
error_print();
return -1;
}
// check if S = h * C1 is point at infinity
// this will not happen, as SM2_POINT can not present point at infinity
// d * C1 = (x2, y2)
sm2_z256_from_bytes(d, key->private_key);
sm2_z256_point_mul(C1, d, C1);
// t = KDF(x2 || y2, klen) and check t is not all zeros
sm2_z256_point_to_bytes(C1, x2y2);
sm2_kdf(x2y2, 64, in->ciphertext_size, out);
if (all_zero(out, in->ciphertext_size)) {
error_print();
goto end;
}
// M = C2 xor t
gmssl_memxor(out, out, in->ciphertext, in->ciphertext_size);
*outlen = in->ciphertext_size;
// u = Hash(x2 || M || y2)
sm3_init(&sm3_ctx);
sm3_update(&sm3_ctx, x2y2, 32);
sm3_update(&sm3_ctx, out, in->ciphertext_size);
sm3_update(&sm3_ctx, x2y2 + 32, 32);
sm3_finish(&sm3_ctx, hash);
// check if u == C3
if (memcmp(in->hash, hash, sizeof(hash)) != 0) {
error_print();
goto end;
}
ret = 1;
end:
gmssl_secure_clear(d, sizeof(d));
gmssl_secure_clear(C1, sizeof(SM2_Z256_POINT));
gmssl_secure_clear(x2y2, sizeof(x2y2));
return ret;
}
int sm2_ciphertext_to_der(const SM2_CIPHERTEXT *C, uint8_t **out, size_t *outlen)
{
size_t len = 0;
if (!C) {
return 0;
}
if (asn1_integer_to_der(C->point.x, 32, NULL, &len) != 1
|| asn1_integer_to_der(C->point.y, 32, NULL, &len) != 1
|| asn1_octet_string_to_der(C->hash, 32, NULL, &len) != 1
|| asn1_octet_string_to_der(C->ciphertext, C->ciphertext_size, NULL, &len) != 1
|| asn1_sequence_header_to_der(len, out, outlen) != 1
|| asn1_integer_to_der(C->point.x, 32, out, outlen) != 1
|| asn1_integer_to_der(C->point.y, 32, out, outlen) != 1
|| asn1_octet_string_to_der(C->hash, 32, out, outlen) != 1
|| asn1_octet_string_to_der(C->ciphertext, C->ciphertext_size, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_ciphertext_from_der(SM2_CIPHERTEXT *C, const uint8_t **in, size_t *inlen)
{
int ret;
const uint8_t *d;
size_t dlen;
const uint8_t *x;
const uint8_t *y;
const uint8_t *hash;
const uint8_t *c;
size_t xlen, ylen, hashlen, clen;
if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) {
if (ret < 0) error_print();
return ret;
}
if (asn1_integer_from_der(&x, &xlen, &d, &dlen) != 1
|| asn1_length_le(xlen, 32) != 1) {
error_print();
return -1;
}
if (asn1_integer_from_der(&y, &ylen, &d, &dlen) != 1
|| asn1_length_le(ylen, 32) != 1) {
error_print();
return -1;
}
if (asn1_octet_string_from_der(&hash, &hashlen, &d, &dlen) != 1
|| asn1_check(hashlen == 32) != 1) {
error_print();
return -1;
}
if (asn1_octet_string_from_der(&c, &clen, &d, &dlen) != 1
// || asn1_length_is_zero(clen) == 1
|| asn1_length_le(clen, SM2_MAX_PLAINTEXT_SIZE) != 1) {
error_print();
return -1;
}
if (asn1_length_is_zero(dlen) != 1) {
error_print();
return -1;
}
memset(C, 0, sizeof(SM2_CIPHERTEXT));
memcpy(C->point.x + 32 - xlen, x, xlen);
memcpy(C->point.y + 32 - ylen, y, ylen);
if (sm2_point_is_on_curve(&C->point) != 1) {
error_print();
return -1;
}
memcpy(C->hash, hash, hashlen);
memcpy(C->ciphertext, c, clen);
C->ciphertext_size = (uint8_t)clen;
return 1;
}
int sm2_ciphertext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen)
{
uint8_t buf[512] = {0};
SM2_CIPHERTEXT *c = (SM2_CIPHERTEXT *)buf;
if (sm2_ciphertext_from_der(c, &a, &alen) != 1
|| asn1_length_is_zero(alen) != 1) {
error_print();
return -1;
}
format_print(fp, fmt, ind, "%s\n", label);
ind += 4;
format_bytes(fp, fmt, ind, "XCoordinate", c->point.x, 32);
format_bytes(fp, fmt, ind, "YCoordinate", c->point.y, 32);
format_bytes(fp, fmt, ind, "HASH", c->hash, 32);
format_bytes(fp, fmt, ind, "CipherText", c->ciphertext, c->ciphertext_size);
return 1;
}
int sm2_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
SM2_CIPHERTEXT C;
if (!key || !in || !out || !outlen) {
error_print();
return -1;
}
if (!inlen) {
error_print();
return -1;
}
if (sm2_do_encrypt(key, in, inlen, &C) != 1) {
error_print();
return -1;
}
*outlen = 0;
if (sm2_ciphertext_to_der(&C, &out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, uint8_t *out, size_t *outlen)
{
SM2_CIPHERTEXT C;
if (!key || !in || !out || !outlen) {
error_print();
return -1;
}
if (!inlen) {
error_print();
return -1;
}
if (sm2_do_encrypt_fixlen(key, in, inlen, point_size, &C) != 1) {
error_print();
return -1;
}
*outlen = 0;
if (sm2_ciphertext_to_der(&C, &out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_decrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
SM2_CIPHERTEXT C;
if (!key || !in || !out || !outlen) {
error_print();
return -1;
}
if (sm2_ciphertext_from_der(&C, &in, &inlen) != 1
|| asn1_length_is_zero(inlen) != 1) {
error_print();
return -1;
}
if (sm2_do_decrypt(key, &C, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_encrypt_init(SM2_ENC_CTX *ctx, const SM2_KEY *sm2_key)
{
if (!ctx || !sm2_key) {
error_print();
return -1;
}
memset(ctx, 0, sizeof(*ctx));
ctx->sm2_key = *sm2_key;
return 1;
}
int sm2_encrypt_update(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_PLAINTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = 0;
return 1;
}
if (in) {
if (inlen > SM2_MAX_PLAINTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
*outlen = 0;
return 1;
}
int sm2_encrypt_finish(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_PLAINTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = SM2_MAX_CIPHERTEXT_SIZE;
return 1;
}
if (ctx->buf_size) {
if (in) {
if (inlen > SM2_MAX_PLAINTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
if (sm2_encrypt(&ctx->sm2_key, ctx->buf, ctx->buf_size, out, outlen) != 1) {
error_print();
return -1;
}
} else {
if (!in || !inlen || inlen > SM2_MAX_PLAINTEXT_SIZE) {
error_print();
return -1;
}
if (sm2_encrypt(&ctx->sm2_key, in, inlen, out, outlen) != 1) {
error_print();
return -1;
}
}
return 1;
}
int sm2_decrypt_init(SM2_ENC_CTX *ctx, const SM2_KEY *sm2_key)
{
if (!ctx || !sm2_key) {
error_print();
return -1;
}
memset(ctx, 0, sizeof(*ctx));
ctx->sm2_key = *sm2_key;
return 1;
}
int sm2_decrypt_update(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_CIPHERTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = 0;
return 1;
}
if (in) {
if (inlen > SM2_MAX_CIPHERTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
*outlen = 0;
return 1;
}
int sm2_decrypt_finish(SM2_ENC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
if (!ctx || !outlen) {
error_print();
return -1;
}
if (ctx->buf_size > SM2_MAX_CIPHERTEXT_SIZE) {
error_print();
return -1;
}
if (!out) {
*outlen = SM2_MAX_PLAINTEXT_SIZE;
return 1;
}
if (ctx->buf_size) {
if (in) {
if (inlen > SM2_MAX_CIPHERTEXT_SIZE - ctx->buf_size) {
error_print();
return -1;
}
memcpy(ctx->buf + ctx->buf_size, in, inlen);
ctx->buf_size += inlen;
}
if (sm2_decrypt(&ctx->sm2_key, ctx->buf, ctx->buf_size, out, outlen) != 1) {
error_print();
return -1;
}
} else {
if (!in || !inlen || inlen > SM2_MAX_CIPHERTEXT_SIZE) {
error_print();
return -1;
}
if (sm2_decrypt(&ctx->sm2_key, in, inlen, out, outlen) != 1) {
error_print();
return -1;
}
}
return 1;
}

55
src/sm2_exch.c Normal file
View File

@@ -0,0 +1,55 @@
/*
* Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
#include <gmssl/sm3.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
#include <gmssl/endian.h>
int sm2_do_ecdh(const SM2_KEY *key, const SM2_POINT *peer_public, SM2_POINT *out)
{
/*
if (sm2_point_is_on_curve(peer_public) != 1) {
error_print();
return -1;
}
*/
if (sm2_point_mul(out, key->private_key, peer_public) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_ecdh(const SM2_KEY *key, const uint8_t *peer_public, size_t peer_public_len, SM2_POINT *out)
{
SM2_POINT point;
if (!key || !peer_public || !peer_public_len || !out) {
error_print();
return -1;
}
if (sm2_point_from_octets(&point, peer_public, peer_public_len) != 1) {
error_print();
return -1;
}
if (sm2_do_ecdh(key, &point, out) != 1) {
error_print();
return -1;
}
return 1;
}

420
src/sm2_lib.c
View File

@@ -1,420 +0,0 @@
/*
* Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
#include <gmssl/sm3.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
#include <gmssl/endian.h>
int sm2_signature_to_der(const SM2_SIGNATURE *sig, uint8_t **out, size_t *outlen)
{
size_t len = 0;
if (!sig) {
return 0;
}
if (asn1_integer_to_der(sig->r, 32, NULL, &len) != 1
|| asn1_integer_to_der(sig->s, 32, NULL, &len) != 1
|| asn1_sequence_header_to_der(len, out, outlen) != 1
|| asn1_integer_to_der(sig->r, 32, out, outlen) != 1
|| asn1_integer_to_der(sig->s, 32, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_signature_from_der(SM2_SIGNATURE *sig, const uint8_t **in, size_t *inlen)
{
int ret;
const uint8_t *d;
size_t dlen;
const uint8_t *r;
size_t rlen;
const uint8_t *s;
size_t slen;
if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) {
if (ret < 0) error_print();
return ret;
}
if (asn1_integer_from_der(&r, &rlen, &d, &dlen) != 1
|| asn1_integer_from_der(&s, &slen, &d, &dlen) != 1
|| asn1_length_le(rlen, 32) != 1
|| asn1_length_le(slen, 32) != 1
|| asn1_length_is_zero(dlen) != 1) {
error_print();
return -1;
}
memset(sig, 0, sizeof(*sig));
memcpy(sig->r + 32 - rlen, r, rlen);
memcpy(sig->s + 32 - slen, s, slen);
return 1;
}
int sm2_signature_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen)
{
SM2_SIGNATURE sig;
format_print(fp, fmt, ind, "%s\n", label);
ind += 4;
if (sm2_signature_from_der(&sig, &a, &alen) != 1
|| asn1_length_is_zero(alen) != 1) {
error_print();
return -1;
}
format_bytes(fp, fmt, ind, "r", sig.r, 32);
format_bytes(fp, fmt, ind, "s", sig.s, 32);
return 1;
}
int sm2_sign(const SM2_KEY *key, const uint8_t dgst[32], uint8_t *sigbuf, size_t *siglen)
{
SM2_SIGNATURE sig;
if (!key || !dgst || !sigbuf || !siglen) {
error_print();
return -1;
}
if (sm2_do_sign(key, dgst, &sig) != 1) {
error_print();
return -1;
}
*siglen = 0;
if (sm2_signature_to_der(&sig, &sigbuf, siglen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_sign_fixlen(const SM2_KEY *key, const uint8_t dgst[32], size_t siglen, uint8_t *sig)
{
unsigned int trys = 200; // 200 trys is engouh
uint8_t buf[SM2_MAX_SIGNATURE_SIZE];
size_t len;
switch (siglen) {
case SM2_signature_compact_size:
case SM2_signature_typical_size:
case SM2_signature_max_size:
break;
default:
error_print();
return -1;
}
while (trys--) {
if (sm2_sign(key, dgst, buf, &len) != 1) {
error_print();
return -1;
}
if (len == siglen) {
memcpy(sig, buf, len);
return 1;
}
}
// might caused by bad randomness
error_print();
return -1;
}
int sm2_verify(const SM2_KEY *key, const uint8_t dgst[32], const uint8_t *sigbuf, size_t siglen)
{
SM2_SIGNATURE sig;
if (!key || !dgst || !sigbuf || !siglen) {
error_print();
return -1;
}
if (sm2_signature_from_der(&sig, &sigbuf, &siglen) != 1
|| asn1_length_is_zero(siglen) != 1) {
error_print();
return -1;
}
if (sm2_do_verify(key, dgst, &sig) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_compute_z(uint8_t z[32], const SM2_POINT *pub, const char *id, size_t idlen)
{
SM3_CTX ctx;
uint8_t zin[18 + 32 * 6] = {
0x00, 0x80,
0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,
0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,
0x28,0xE9,0xFA,0x9E,0x9D,0x9F,0x5E,0x34,0x4D,0x5A,0x9E,0x4B,0xCF,0x65,0x09,0xA7,
0xF3,0x97,0x89,0xF5,0x15,0xAB,0x8F,0x92,0xDD,0xBC,0xBD,0x41,0x4D,0x94,0x0E,0x93,
0x32,0xC4,0xAE,0x2C,0x1F,0x19,0x81,0x19,0x5F,0x99,0x04,0x46,0x6A,0x39,0xC9,0x94,
0x8F,0xE3,0x0B,0xBF,0xF2,0x66,0x0B,0xE1,0x71,0x5A,0x45,0x89,0x33,0x4C,0x74,0xC7,
0xBC,0x37,0x36,0xA2,0xF4,0xF6,0x77,0x9C,0x59,0xBD,0xCE,0xE3,0x6B,0x69,0x21,0x53,
0xD0,0xA9,0x87,0x7C,0xC6,0x2A,0x47,0x40,0x02,0xDF,0x32,0xE5,0x21,0x39,0xF0,0xA0,
};
if (!z || !pub || !id) {
error_print();
return -1;
}
memcpy(&zin[18 + 32 * 4], pub->x, 32);
memcpy(&zin[18 + 32 * 5], pub->y, 32);
sm3_init(&ctx);
if (strcmp(id, SM2_DEFAULT_ID) == 0) {
sm3_update(&ctx, zin, sizeof(zin));
} else {
uint8_t idbits[2];
idbits[0] = (uint8_t)(idlen >> 5);
idbits[1] = (uint8_t)(idlen << 3);
sm3_update(&ctx, idbits, 2);
sm3_update(&ctx, (uint8_t *)id, idlen);
sm3_update(&ctx, zin + 18, 32 * 6);
}
sm3_finish(&ctx, z);
return 1;
}
int sm2_kdf(const uint8_t *in, size_t inlen, size_t outlen, uint8_t *out)
{
SM3_CTX ctx;
uint8_t counter_be[4];
uint8_t dgst[SM3_DIGEST_SIZE];
uint32_t counter = 1;
size_t len;
while (outlen) {
PUTU32(counter_be, counter);
counter++;
sm3_init(&ctx);
sm3_update(&ctx, in, inlen);
sm3_update(&ctx, counter_be, sizeof(counter_be));
sm3_finish(&ctx, dgst);
len = outlen < SM3_DIGEST_SIZE ? outlen : SM3_DIGEST_SIZE;
memcpy(out, dgst, len);
out += len;
outlen -= len;
}
memset(&ctx, 0, sizeof(SM3_CTX));
memset(dgst, 0, sizeof(dgst));
return 1;
}
int sm2_ciphertext_to_der(const SM2_CIPHERTEXT *C, uint8_t **out, size_t *outlen)
{
size_t len = 0;
if (!C) {
return 0;
}
if (asn1_integer_to_der(C->point.x, 32, NULL, &len) != 1
|| asn1_integer_to_der(C->point.y, 32, NULL, &len) != 1
|| asn1_octet_string_to_der(C->hash, 32, NULL, &len) != 1
|| asn1_octet_string_to_der(C->ciphertext, C->ciphertext_size, NULL, &len) != 1
|| asn1_sequence_header_to_der(len, out, outlen) != 1
|| asn1_integer_to_der(C->point.x, 32, out, outlen) != 1
|| asn1_integer_to_der(C->point.y, 32, out, outlen) != 1
|| asn1_octet_string_to_der(C->hash, 32, out, outlen) != 1
|| asn1_octet_string_to_der(C->ciphertext, C->ciphertext_size, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_ciphertext_from_der(SM2_CIPHERTEXT *C, const uint8_t **in, size_t *inlen)
{
int ret;
const uint8_t *d;
size_t dlen;
const uint8_t *x;
const uint8_t *y;
const uint8_t *hash;
const uint8_t *c;
size_t xlen, ylen, hashlen, clen;
if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) {
if (ret < 0) error_print();
return ret;
}
if (asn1_integer_from_der(&x, &xlen, &d, &dlen) != 1
|| asn1_length_le(xlen, 32) != 1) {
error_print();
return -1;
}
if (asn1_integer_from_der(&y, &ylen, &d, &dlen) != 1
|| asn1_length_le(ylen, 32) != 1) {
error_print();
return -1;
}
if (asn1_octet_string_from_der(&hash, &hashlen, &d, &dlen) != 1
|| asn1_check(hashlen == 32) != 1) {
error_print();
return -1;
}
if (asn1_octet_string_from_der(&c, &clen, &d, &dlen) != 1
// || asn1_length_is_zero(clen) == 1
|| asn1_length_le(clen, SM2_MAX_PLAINTEXT_SIZE) != 1) {
error_print();
return -1;
}
if (asn1_length_is_zero(dlen) != 1) {
error_print();
return -1;
}
memset(C, 0, sizeof(SM2_CIPHERTEXT));
memcpy(C->point.x + 32 - xlen, x, xlen);
memcpy(C->point.y + 32 - ylen, y, ylen);
if (sm2_point_is_on_curve(&C->point) != 1) {
error_print();
return -1;
}
memcpy(C->hash, hash, hashlen);
memcpy(C->ciphertext, c, clen);
C->ciphertext_size = (uint8_t)clen;
return 1;
}
int sm2_ciphertext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen)
{
uint8_t buf[512] = {0};
SM2_CIPHERTEXT *c = (SM2_CIPHERTEXT *)buf;
if (sm2_ciphertext_from_der(c, &a, &alen) != 1
|| asn1_length_is_zero(alen) != 1) {
error_print();
return -1;
}
format_print(fp, fmt, ind, "%s\n", label);
ind += 4;
format_bytes(fp, fmt, ind, "XCoordinate", c->point.x, 32);
format_bytes(fp, fmt, ind, "YCoordinate", c->point.y, 32);
format_bytes(fp, fmt, ind, "HASH", c->hash, 32);
format_bytes(fp, fmt, ind, "CipherText", c->ciphertext, c->ciphertext_size);
return 1;
}
int sm2_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
SM2_CIPHERTEXT C;
if (!key || !in || !out || !outlen) {
error_print();
return -1;
}
if (!inlen) {
error_print();
return -1;
}
if (sm2_do_encrypt(key, in, inlen, &C) != 1) {
error_print();
return -1;
}
*outlen = 0;
if (sm2_ciphertext_to_der(&C, &out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, uint8_t *out, size_t *outlen)
{
SM2_CIPHERTEXT C;
if (!key || !in || !out || !outlen) {
error_print();
return -1;
}
if (!inlen) {
error_print();
return -1;
}
if (sm2_do_encrypt_fixlen(key, in, inlen, point_size, &C) != 1) {
error_print();
return -1;
}
*outlen = 0;
if (sm2_ciphertext_to_der(&C, &out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_decrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
SM2_CIPHERTEXT C;
if (!key || !in || !out || !outlen) {
error_print();
return -1;
}
if (sm2_ciphertext_from_der(&C, &in, &inlen) != 1
|| asn1_length_is_zero(inlen) != 1) {
error_print();
return -1;
}
if (sm2_do_decrypt(key, &C, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_do_ecdh(const SM2_KEY *key, const SM2_POINT *peer_public, SM2_POINT *out)
{
/*
if (sm2_point_is_on_curve(peer_public) != 1) {
error_print();
return -1;
}
*/
if (sm2_point_mul(out, key->private_key, peer_public) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_ecdh(const SM2_KEY *key, const uint8_t *peer_public, size_t peer_public_len, SM2_POINT *out)
{
SM2_POINT point;
if (!key || !peer_public || !peer_public_len || !out) {
error_print();
return -1;
}
if (sm2_point_from_octets(&point, peer_public, peer_public_len) != 1) {
error_print();
return -1;
}
if (sm2_do_ecdh(key, &point, out) != 1) {
error_print();
return -1;
}
return 1;
}

586
src/sm2_sign.c
View File

@@ -20,10 +20,9 @@
#include <gmssl/endian.h>
int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig)
{
SM2_Z256_POINT _P, *P = &_P;
SM2_Z256_POINT P;
sm2_z256_t d;
sm2_z256_t d_inv;
sm2_z256_t e;
@@ -33,83 +32,68 @@ int sm2_do_sign(const SM2_KEY *key, const uint8_t dgst[32], SM2_SIGNATURE *sig)
sm2_z256_t r;
sm2_z256_t s;
const uint64_t *one = sm2_z256_one();
const uint64_t *order = sm2_z256_order();
sm2_z256_from_bytes(d, key->private_key);
// compute (d + 1)^-1 (mod n)
sm2_z256_modn_add(d_inv, d, one); //sm2_bn_print(stderr, 0, 4, "(1+d)", d_inv);
sm2_z256_modn_add(d_inv, d, sm2_z256_one());
if (sm2_z256_is_zero(d_inv)) {
error_print();
return -1;
}
sm2_z256_modn_inv(d_inv, d_inv); //sm2_bn_print(stderr, 0, 4, "(1+d)^-1", d_inv);
sm2_z256_modn_inv(d_inv, d_inv);
// e = H(M)
sm2_z256_from_bytes(e, dgst); //sm2_bn_print(stderr, 0, 4, "e", e);
sm2_z256_from_bytes(e, dgst);
retry:
// >>>>>>>>>> BEGIN PRECOMP
// rand k in [1, n - 1]
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k);
} while (sm2_z256_is_zero(k));
// (x, y) = kG
sm2_z256_point_mul_generator(P, k);
sm2_z256_point_get_xy(P, x, NULL);
//sm2_bn_print(stderr, 0, 4, "x", x);
// 如果我们提前计算了 (k, x) 那么我们在真正做签名的时候就可以利用到这个与计算的表了,直接从表中读取 (k, x)
// 当然这些计算都可以放在sign_fast里面
// >>>>>>>>>>> END PRECOMP
sm2_z256_point_mul_generator(&P, k);
sm2_z256_point_get_xy(&P, x, NULL);
// r = e + x (mod n)
if (sm2_z256_cmp(e, order) >= 0) {
sm2_z256_sub(e, e, order);
if (sm2_z256_cmp(e, sm2_z256_order()) >= 0) {
sm2_z256_sub(e, e, sm2_z256_order());
}
if (sm2_z256_cmp(x, order) >= 0) {
sm2_z256_sub(x, x, order);
if (sm2_z256_cmp(x, sm2_z256_order()) >= 0) {
sm2_z256_sub(x, x, sm2_z256_order());
}
sm2_z256_modn_add(r, e, x); //sm2_bn_print(stderr, 0, 4, "r = e + x (mod n)", r);
sm2_z256_modn_add(r, e, x);
// if r == 0 or r + k == n re-generate k
sm2_z256_add(t, r, k);
if (sm2_z256_is_zero(r) || sm2_z256_cmp(t, order) == 0) {
//sm2_bn_print(stderr, 0, 4, "r + k", t);
if (sm2_z256_is_zero(r) || sm2_z256_cmp(t, sm2_z256_order()) == 0) {
goto retry;
}
// s = ((1 + d)^-1 * (k - r * d)) mod n
sm2_z256_modn_mul(t, r, d); //sm2_bn_print(stderr, 0, 4, "r*d", t);
sm2_z256_modn_sub(k, k, t); //sm2_bn_print(stderr, 0, 4, "k-r*d", k);
sm2_z256_modn_mul(s, d_inv, k); //sm2_bn_print(stderr, 0, 4, "s = ((1 + d)^-1 * (k - r * d)) mod n", s);
sm2_z256_modn_mul(t, r, d);
sm2_z256_modn_sub(k, k, t);
sm2_z256_modn_mul(s, d_inv, k);
// check s != 0
if (sm2_z256_is_zero(s)) {
goto retry;
}
sm2_z256_to_bytes(r, sig->r); //sm2_bn_print_bn(stderr, 0, 4, "r", r);
sm2_z256_to_bytes(s, sig->s); //sm2_bn_print_bn(stderr, 0, 4, "s", s);
sm2_z256_to_bytes(r, sig->r);
sm2_z256_to_bytes(s, sig->s);
gmssl_secure_clear(d, sizeof(d));
gmssl_secure_clear(d_inv, sizeof(d_inv ));
gmssl_secure_clear(d_inv, sizeof(d_inv));
gmssl_secure_clear(k, sizeof(k));
gmssl_secure_clear(t, sizeof(t));
return 1;
}
// k 和 x1 都是要参与计算的,因此我们返回的是内部格式
int sm2_do_sign_pre_compute(uint64_t k[4], uint64_t x1[4])
{
SM2_Z256_POINT P;
@@ -123,26 +107,23 @@ int sm2_do_sign_pre_compute(uint64_t k[4], uint64_t x1[4])
} while (sm2_z256_is_zero(k));
// (x1, y1) = kG
sm2_z256_point_mul_generator(&P, k); // 这个函数要粗力度并行,这要怎么做?
sm2_z256_point_mul_generator(&P, k);
sm2_z256_point_get_xy(&P, x1, NULL);
return 1;
}
// 实际上这里只有一次mod n的乘法用barret就可以了
int sm2_do_sign_fast_ex(const uint64_t d[4], const uint64_t k[4], const uint64_t x1[4], const uint8_t dgst[32], SM2_SIGNATURE *sig)
{
SM2_Z256_POINT R;
uint64_t e[4];
uint64_t r[4];
uint64_t s[4];
const uint64_t *order = sm2_z256_order();
sm2_z256_t e;
sm2_z256_t r;
sm2_z256_t s;
// e = H(M)
sm2_z256_from_bytes(e, dgst);
if (sm2_z256_cmp(e, order) >= 0) {
sm2_z256_sub(e, e, order);
if (sm2_z256_cmp(e, sm2_z256_order()) >= 0) {
sm2_z256_sub(e, e, sm2_z256_order());
}
// r = e + x1 (mod n)
@@ -165,8 +146,6 @@ int sm2_do_sign_fast_ex(const uint64_t d[4], const uint64_t k[4], const uint64_t
// s = (k - r * d)/(1 + d) = (k +r - r * d - r)/(1 + d) = (k + r - r(1 +d))/(1 + d) = (k + r)/(1 + d) - r
// = -r + (k + r)*(1 + d)^-1
// = -r + (k + r) * d'
// 这个函数是我们真正要调用的,甚至可以替代原来的函数
int sm2_do_sign_fast(const uint64_t d[4], const uint8_t dgst[32], SM2_SIGNATURE *sig)
{
SM2_Z256_POINT R;
@@ -369,241 +348,374 @@ int sm2_do_verify(const SM2_KEY *key, const uint8_t dgst[32], const SM2_SIGNATUR
return 1;
}
static int all_zero(const uint8_t *buf, size_t len)
int sm2_signature_to_der(const SM2_SIGNATURE *sig, uint8_t **out, size_t *outlen)
{
size_t i;
for (i = 0; i < len; i++) {
if (buf[i]) {
return 0;
}
size_t len = 0;
if (!sig) {
return 0;
}
if (asn1_integer_to_der(sig->r, 32, NULL, &len) != 1
|| asn1_integer_to_der(sig->s, 32, NULL, &len) != 1
|| asn1_sequence_header_to_der(len, out, outlen) != 1
|| asn1_integer_to_der(sig->r, 32, out, outlen) != 1
|| asn1_integer_to_der(sig->s, 32, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_do_encrypt_pre_compute(uint64_t k[4], uint8_t C1[64])
int sm2_signature_from_der(SM2_SIGNATURE *sig, const uint8_t **in, size_t *inlen)
{
SM2_Z256_POINT P;
// rand k in [1, n - 1]
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k));
// output C1 = k * G = (x1, y1)
sm2_z256_point_mul_generator(&P, k);
sm2_z256_point_to_bytes(&P, C1);
int ret;
const uint8_t *d;
size_t dlen;
const uint8_t *r;
size_t rlen;
const uint8_t *s;
size_t slen;
if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) {
if (ret < 0) error_print();
return ret;
}
if (asn1_integer_from_der(&r, &rlen, &d, &dlen) != 1
|| asn1_integer_from_der(&s, &slen, &d, &dlen) != 1
|| asn1_length_le(rlen, 32) != 1
|| asn1_length_le(slen, 32) != 1
|| asn1_length_is_zero(dlen) != 1) {
error_print();
return -1;
}
memset(sig, 0, sizeof(*sig));
memcpy(sig->r + 32 - rlen, r, rlen);
memcpy(sig->s + 32 - slen, s, slen);
return 1;
}
// 和签名不一样,加密的时候要生成 (k, (x1, y1)) 也就是y坐标也是需要的
// 其中k是要参与计算的但是 (x1, y1) 不参与计算,输出为 bytes 就可以了
int sm2_do_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, SM2_CIPHERTEXT *out)
int sm2_signature_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen)
{
sm2_z256_t k;
SM2_Z256_POINT _P, *P = &_P;
SM2_Z256_POINT _C1, *C1 = &_C1;
SM2_Z256_POINT _kP, *kP = &_kP;
uint8_t x2y2[64];
SM3_CTX sm3_ctx;
SM2_SIGNATURE sig;
format_print(fp, fmt, ind, "%s\n", label);
ind += 4;
if (sm2_signature_from_der(&sig, &a, &alen) != 1
|| asn1_length_is_zero(alen) != 1) {
error_print();
return -1;
}
format_bytes(fp, fmt, ind, "r", sig.r, 32);
format_bytes(fp, fmt, ind, "s", sig.s, 32);
return 1;
}
if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) {
int sm2_sign(const SM2_KEY *key, const uint8_t dgst[32], uint8_t *sigbuf, size_t *siglen)
{
SM2_SIGNATURE sig;
if (!key || !dgst || !sigbuf || !siglen) {
error_print();
return -1;
}
sm2_z256_point_from_bytes(P, (uint8_t *)&key->public_key);
// S = h * P, check S != O
// for sm2 curve, h == 1 and S == P
// SM2_POINT can not present point at infinity, do do nothing here
retry:
// rand k in [1, n - 1]
// TODO: set rand_bytes output for testing
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k);
// output C1 = k * G = (x1, y1)
sm2_z256_point_mul_generator(C1, k);
sm2_z256_point_to_bytes(C1, (uint8_t *)&out->point);
// k * P = (x2, y2)
sm2_z256_point_mul(kP, k, P);
sm2_z256_point_to_bytes(kP, x2y2);
// t = KDF(x2 || y2, inlen)
sm2_kdf(x2y2, 64, inlen, out->ciphertext);
// if t is all zero, retry
if (all_zero(out->ciphertext, inlen)) {
goto retry;
}
// output C2 = M xor t
gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen);
out->ciphertext_size = (uint32_t)inlen;
// output C3 = Hash(x2 || m || y2)
sm3_init(&sm3_ctx);
sm3_update(&sm3_ctx, x2y2, 32);
sm3_update(&sm3_ctx, in, inlen);
sm3_update(&sm3_ctx, x2y2 + 32, 32);
sm3_finish(&sm3_ctx, out->hash);
gmssl_secure_clear(k, sizeof(k));
gmssl_secure_clear(kP, sizeof(SM2_Z256_POINT));
gmssl_secure_clear(x2y2, sizeof(x2y2));
return 1;
}
int sm2_do_encrypt_fixlen(const SM2_KEY *key, const uint8_t *in, size_t inlen, int point_size, SM2_CIPHERTEXT *out)
{
unsigned int trys = 200;
sm2_z256_t k;
SM2_Z256_POINT _P, *P = &_P;
SM2_Z256_POINT _C1, *C1 = &_C1;
SM2_Z256_POINT _kP, *kP = &_kP;
uint8_t x2y2[64];
SM3_CTX sm3_ctx;
if (!(SM2_MIN_PLAINTEXT_SIZE <= inlen && inlen <= SM2_MAX_PLAINTEXT_SIZE)) {
if (sm2_do_sign(key, dgst, &sig) != 1) {
error_print();
return -1;
}
switch (point_size) {
case SM2_ciphertext_compact_point_size:
case SM2_ciphertext_typical_point_size:
case SM2_ciphertext_max_point_size:
*siglen = 0;
if (sm2_signature_to_der(&sig, &sigbuf, siglen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_sign_fixlen(const SM2_KEY *key, const uint8_t dgst[32], size_t siglen, uint8_t *sig)
{
unsigned int trys = 200; // 200 trys is engouh
uint8_t buf[SM2_MAX_SIGNATURE_SIZE];
size_t len;
switch (siglen) {
case SM2_signature_compact_size:
case SM2_signature_typical_size:
case SM2_signature_max_size:
break;
default:
error_print();
return -1;
}
sm2_z256_point_from_bytes(P, (uint8_t *)&key->public_key);
// S = h * P, check S != O
// for sm2 curve, h == 1 and S == P
// SM2_POINT can not present point at infinity, do do nothing here
retry:
// rand k in [1, n - 1]
do {
if (sm2_z256_rand_range(k, sm2_z256_order()) != 1) {
while (trys--) {
if (sm2_sign(key, dgst, buf, &len) != 1) {
error_print();
return -1;
}
} while (sm2_z256_is_zero(k)); //sm2_bn_print(stderr, 0, 4, "k", k);
// output C1 = k * G = (x1, y1)
sm2_z256_point_mul_generator(C1, k);
sm2_z256_point_to_bytes(C1, (uint8_t *)&out->point);
// check fixlen
if (trys) {
size_t len = 0;
asn1_integer_to_der(out->point.x, 32, NULL, &len);
asn1_integer_to_der(out->point.y, 32, NULL, &len);
if (len != point_size) {
trys--;
goto retry;
if (len == siglen) {
memcpy(sig, buf, len);
return 1;
}
} else {
gmssl_secure_clear(k, sizeof(k));
}
// might caused by bad randomness
error_print();
return -1;
}
int sm2_verify(const SM2_KEY *key, const uint8_t dgst[32], const uint8_t *sigbuf, size_t siglen)
{
SM2_SIGNATURE sig;
if (!key || !dgst || !sigbuf || !siglen) {
error_print();
return -1;
}
// k * P = (x2, y2)
sm2_z256_point_mul(kP, k, P);
sm2_z256_point_to_bytes(kP, x2y2);
// t = KDF(x2 || y2, inlen)
sm2_kdf(x2y2, 64, inlen, out->ciphertext);
// if t is all zero, retry
if (all_zero(out->ciphertext, inlen)) {
goto retry;
if (sm2_signature_from_der(&sig, &sigbuf, &siglen) != 1
|| asn1_length_is_zero(siglen) != 1) {
error_print();
return -1;
}
if (sm2_do_verify(key, dgst, &sig) != 1) {
error_print();
return -1;
}
// output C2 = M xor t
gmssl_memxor(out->ciphertext, out->ciphertext, in, inlen);
out->ciphertext_size = (uint32_t)inlen;
// output C3 = Hash(x2 || m || y2)
sm3_init(&sm3_ctx);
sm3_update(&sm3_ctx, x2y2, 32);
sm3_update(&sm3_ctx, in, inlen);
sm3_update(&sm3_ctx, x2y2 + 32, 32);
sm3_finish(&sm3_ctx, out->hash);
gmssl_secure_clear(k, sizeof(k));
gmssl_secure_clear(kP, sizeof(SM2_Z256_POINT));
gmssl_secure_clear(x2y2, sizeof(x2y2));
return 1;
}
int sm2_do_decrypt(const SM2_KEY *key, const SM2_CIPHERTEXT *in, uint8_t *out, size_t *outlen)
int sm2_compute_z(uint8_t z[32], const SM2_POINT *pub, const char *id, size_t idlen)
{
int ret = -1;
sm2_z256_t d;
SM2_Z256_POINT _C1, *C1 = &_C1;
uint8_t x2y2[64];
SM3_CTX sm3_ctx;
uint8_t hash[32];
SM3_CTX ctx;
uint8_t zin[18 + 32 * 6] = {
0x00, 0x80,
0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,
0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,
0x28,0xE9,0xFA,0x9E,0x9D,0x9F,0x5E,0x34,0x4D,0x5A,0x9E,0x4B,0xCF,0x65,0x09,0xA7,
0xF3,0x97,0x89,0xF5,0x15,0xAB,0x8F,0x92,0xDD,0xBC,0xBD,0x41,0x4D,0x94,0x0E,0x93,
0x32,0xC4,0xAE,0x2C,0x1F,0x19,0x81,0x19,0x5F,0x99,0x04,0x46,0x6A,0x39,0xC9,0x94,
0x8F,0xE3,0x0B,0xBF,0xF2,0x66,0x0B,0xE1,0x71,0x5A,0x45,0x89,0x33,0x4C,0x74,0xC7,
0xBC,0x37,0x36,0xA2,0xF4,0xF6,0x77,0x9C,0x59,0xBD,0xCE,0xE3,0x6B,0x69,0x21,0x53,
0xD0,0xA9,0x87,0x7C,0xC6,0x2A,0x47,0x40,0x02,0xDF,0x32,0xE5,0x21,0x39,0xF0,0xA0,
};
// check C1 is on sm2 curve
sm2_z256_point_from_bytes(C1, (uint8_t *)&in->point);
if (!sm2_z256_point_is_on_curve(C1)) {
if (!z || !pub || !id) {
error_print();
return -1;
}
// check if S = h * C1 is point at infinity
// this will not happen, as SM2_POINT can not present point at infinity
memcpy(&zin[18 + 32 * 4], pub->x, 32);
memcpy(&zin[18 + 32 * 5], pub->y, 32);
// d * C1 = (x2, y2)
sm2_z256_from_bytes(d, key->private_key);
sm2_z256_point_mul(C1, d, C1);
// t = KDF(x2 || y2, klen) and check t is not all zeros
sm2_z256_point_to_bytes(C1, x2y2);
sm2_kdf(x2y2, 64, in->ciphertext_size, out);
if (all_zero(out, in->ciphertext_size)) {
error_print();
goto end;
sm3_init(&ctx);
if (strcmp(id, SM2_DEFAULT_ID) == 0) {
sm3_update(&ctx, zin, sizeof(zin));
} else {
uint8_t idbits[2];
idbits[0] = (uint8_t)(idlen >> 5);
idbits[1] = (uint8_t)(idlen << 3);
sm3_update(&ctx, idbits, 2);
sm3_update(&ctx, (uint8_t *)id, idlen);
sm3_update(&ctx, zin + 18, 32 * 6);
}
// M = C2 xor t
gmssl_memxor(out, out, in->ciphertext, in->ciphertext_size);
*outlen = in->ciphertext_size;
// u = Hash(x2 || M || y2)
sm3_init(&sm3_ctx);
sm3_update(&sm3_ctx, x2y2, 32);
sm3_update(&sm3_ctx, out, in->ciphertext_size);
sm3_update(&sm3_ctx, x2y2 + 32, 32);
sm3_finish(&sm3_ctx, hash);
// check if u == C3
if (memcmp(in->hash, hash, sizeof(hash)) != 0) {
error_print();
goto end;
}
ret = 1;
end:
gmssl_secure_clear(d, sizeof(d));
gmssl_secure_clear(C1, sizeof(SM2_Z256_POINT));
gmssl_secure_clear(x2y2, sizeof(x2y2));
return ret;
sm3_finish(&ctx, z);
return 1;
}
int sm2_kdf(const uint8_t *in, size_t inlen, size_t outlen, uint8_t *out)
{
SM3_CTX ctx;
uint8_t counter_be[4];
uint8_t dgst[SM3_DIGEST_SIZE];
uint32_t counter = 1;
size_t len;
while (outlen) {
PUTU32(counter_be, counter);
counter++;
sm3_init(&ctx);
sm3_update(&ctx, in, inlen);
sm3_update(&ctx, counter_be, sizeof(counter_be));
sm3_finish(&ctx, dgst);
len = outlen < SM3_DIGEST_SIZE ? outlen : SM3_DIGEST_SIZE;
memcpy(out, dgst, len);
out += len;
outlen -= len;
}
memset(&ctx, 0, sizeof(SM3_CTX));
memset(dgst, 0, sizeof(dgst));
return 1;
}
int sm2_sign_init(SM2_SIGN_CTX *ctx, const SM2_KEY *key, const char *id, size_t idlen)
{
size_t i;
if (!ctx || !key) {
error_print();
return -1;
}
ctx->key = *key;
// d' = (d + 1)^-1 (mod n)
sm2_z256_from_bytes(ctx->sign_key, key->private_key);
sm2_z256_modn_add(ctx->sign_key, ctx->sign_key, sm2_z256_one());
sm2_z256_modn_inv(ctx->sign_key, ctx->sign_key);
sm3_init(&ctx->sm3_ctx);
if (id) {
uint8_t z[SM3_DIGEST_SIZE];
if (idlen <= 0 || idlen > SM2_MAX_ID_LENGTH) {
error_print();
return -1;
}
sm2_compute_z(z, &key->public_key, id, idlen);
sm3_update(&ctx->sm3_ctx, z, sizeof(z));
}
ctx->inited_sm3_ctx = ctx->sm3_ctx;
// pre compute (k, x = [k]G.x)
for (i = 0; i < 32; i++) {
if (sm2_do_sign_pre_compute(ctx->pre_comp[i].k, ctx->pre_comp[i].x1) != 1) {
error_print();
return -1;
}
}
ctx->num_pre_comp = 32;
return 1;
}
int sm2_sign_ctx_reset(SM2_SIGN_CTX *ctx)
{
ctx->sm3_ctx = ctx->inited_sm3_ctx;
return 1;
}
int sm2_sign_update(SM2_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
{
if (!ctx) {
error_print();
return -1;
}
if (data && datalen > 0) {
sm3_update(&ctx->sm3_ctx, data, datalen);
}
return 1;
}
int sm2_sign_finish(SM2_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen)
{
uint8_t dgst[SM3_DIGEST_SIZE];
SM2_SIGNATURE signature;
if (!ctx || !sig || !siglen) {
error_print();
return -1;
}
sm3_finish(&ctx->sm3_ctx, dgst);
if (ctx->num_pre_comp == 0) {
size_t i;
for (i = 0; i < 32; i++) {
if (sm2_do_sign_pre_compute(ctx->pre_comp[i].k, ctx->pre_comp[i].x1) != 1) {
error_print();
return -1;
}
}
ctx->num_pre_comp = 32;
}
ctx->num_pre_comp--;
if (sm2_do_sign_fast_ex(ctx->sign_key,
ctx->pre_comp[ctx->num_pre_comp].k, ctx->pre_comp[ctx->num_pre_comp].x1,
dgst, &signature) != 1) {
error_print();
return -1;
}
*siglen = 0;
if (sm2_signature_to_der(&signature, &sig, siglen) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_sign_finish_fixlen(SM2_SIGN_CTX *ctx, size_t siglen, uint8_t *sig)
{
uint8_t dgst[SM3_DIGEST_SIZE];
if (!ctx || !sig || !siglen) {
error_print();
return -1;
}
sm3_finish(&ctx->sm3_ctx, dgst);
if (sm2_sign_fixlen(&ctx->key, dgst, siglen, sig) != 1) {
error_print();
return -1;
}
return 1;
}
int sm2_verify_init(SM2_SIGN_CTX *ctx, const SM2_KEY *key, const char *id, size_t idlen)
{
if (!ctx || !key) {
error_print();
return -1;
}
memset(ctx, 0, sizeof(*ctx));
ctx->key.public_key = key->public_key;
sm2_z256_point_from_bytes((SM2_Z256_POINT *)&ctx->public_key, (const uint8_t *)&key->public_key);
sm3_init(&ctx->sm3_ctx);
if (id) {
uint8_t z[SM3_DIGEST_SIZE];
if (idlen <= 0 || idlen > SM2_MAX_ID_LENGTH) {
error_print();
return -1;
}
sm2_compute_z(z, &key->public_key, id, idlen);
sm3_update(&ctx->sm3_ctx, z, sizeof(z));
}
ctx->inited_sm3_ctx = ctx->sm3_ctx;
return 1;
}
int sm2_verify_update(SM2_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
{
if (!ctx) {
error_print();
return -1;
}
if (data && datalen > 0) {
sm3_update(&ctx->sm3_ctx, data, datalen);
}
return 1;
}
int sm2_verify_finish(SM2_SIGN_CTX *ctx, const uint8_t *sig, size_t siglen)
{
uint8_t dgst[SM3_DIGEST_SIZE];
if (!ctx || !sig) {
error_print();
return -1;
}
sm3_finish(&ctx->sm3_ctx, dgst);
if (sm2_verify(&ctx->key, dgst, sig, siglen) != 1) {
error_print();
return -1;
}
return 1;
}

23
src/sm2_z256.c
View File

@@ -1594,6 +1594,29 @@ void sm2_z256_point_from_bytes(SM2_Z256_POINT *P, const uint8_t in[64])
sm2_z256_copy(P->Z, SM2_Z256_MODP_MONT_ONE);
}
int sm2_z256_point_set_xy(SM2_Z256_POINT *R, const sm2_z256_t x, const sm2_z256_t y)
{
if (sm2_z256_cmp(x, sm2_z256_prime()) >= 0) {
error_print();
return -1;
}
if (sm2_z256_cmp(y, sm2_z256_prime()) >= 0) {
error_print();
return -1;
}
sm2_z256_modp_to_mont(x, R->X);
sm2_z256_modp_to_mont(y, R->Y);
sm2_z256_copy(R->Z, SM2_Z256_MODP_MONT_ONE);
if (sm2_z256_point_is_on_curve(R) != 1) {
error_print();
return -1;
}
return 1;
}
void sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex)
{
uint8_t bytes[64];