diff --git a/CMakeLists.txt b/CMakeLists.txt index 78ed605b..231e0f51 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -533,12 +533,6 @@ if (ENABLE_XMSS) list(APPEND tools tools/xmsskeygen.c tools/xmsssign.c tools/xmssverify.c) list(APPEND tools tools/xmssmtkeygen.c tools/xmssmtsign.c tools/xmssmtverify.c) list(APPEND tests xmss) - - option(ENABLE_XMSS_CROSSCHECK "Enable XMSS SHA-256 cross-check" ON) - if (ENABLE_XMSS_CROSSCHECK) - message(STATUS "ENABLE_XMSS_CROSSCHECK is ON") - add_definitions(-DENABLE_XMSS_CROSSCHECK) - endif() endif() @@ -548,12 +542,6 @@ if (ENABLE_SPHINCS) list(APPEND src src/sphincs.c) list(APPEND tools tools/sphincskeygen.c tools/sphincssign.c tools/sphincsverify.c) list(APPEND tests sphincs) - - option(ENABLE_SPHINCS_CROSSCHECK "Enable SPHINCS SHA-256 cross-check" ON) - if (ENABLE_SPHINCS_CROSSCHECK) - message(STATUS "ENABLE_SPHINCS_CROSSCHECK is ON") - add_definitions(-DENABLE_SPHINCS_CROSSCHECK) - endif() endif() @@ -931,7 +919,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.3.0-dev.1158") +set(CPACK_PACKAGE_VERSION "3.3.0-dev.1159") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/include/gmssl/sphincs.h b/include/gmssl/sphincs.h index 3c39f420..2457a718 100644 --- a/include/gmssl/sphincs.h +++ b/include/gmssl/sphincs.h @@ -15,9 +15,6 @@ #include #include #include -#ifdef ENABLE_SHA2 -#include -#endif #ifdef __cplusplus @@ -47,7 +44,7 @@ extern "C" { #define SPHINCS_TBS_SIZE (SPHINCS_TBS_FORS_SIZE + SPHINCS_TBS_TREE_ADDRESS_SIZE + SPHINCS_TBS_KEYPAIR_ADDRESS_SIZE) // = 30 -// sizeof(sphincs_hash128_t) == n, when sm3/sha256, n == 16 +// sizeof(sphincs_hash128_t) == n, when sm3, n == 16 #define SPHINCS_DIGEST_SIZE 16 // only support w = 16, w_bits = 4 
@@ -60,29 +57,7 @@ extern "C" { typedef uint8_t sphincs_hash128_t[16]; -typedef uint8_t sphincs_hash256_t[32]; - -#if defined(ENABLE_SPHINCS_CROSSCHECK) && defined(ENABLE_SHA2) && !defined(SPHINCS_HASH256_CTX) -# define SPHINCS_HASH256_CTX SHA256_CTX -# define sphincs_hash256_init sha256_init -# define sphincs_hash256_update sha256_update -# define sphincs_hash256_finish sha256_finish -# define SPHINCS_HASH256_BLOCK_SIZE SHA256_BLOCK_SIZE -# define SPHINCS_HMAC256_CTX SHA256_HMAC_CTX -# define sphincs_hmac256_init sha256_hmac_init -# define sphincs_hmac256_update sha256_hmac_update -# define sphincs_hmac256_finish sha256_hmac_finish -#else -# define SPHINCS_HASH256_CTX SM3_CTX -# define sphincs_hash256_init sm3_init -# define sphincs_hash256_update sm3_update -# define sphincs_hash256_finish sm3_finish -# define SPHINCS_HASH256_BLOCK_SIZE SM3_BLOCK_SIZE -# define SPHINCS_HMAC256_CTX SM3_HMAC_CTX -# define sphincs_hmac256_init sm3_hmac_init -# define sphincs_hmac256_update sm3_hmac_update -# define sphincs_hmac256_finish sm3_hmac_finish -#endif +typedef uint8_t sphincs_sm3_digest_t[32]; // ADRS scheme @@ -351,8 +326,8 @@ int sphincs_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, co int sphincs_signature_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *sig, size_t siglen); typedef struct { - SPHINCS_HMAC256_CTX hmac_ctx; - SPHINCS_HASH256_CTX hash_ctx; + SM3_HMAC_CTX hmac_ctx; + SM3_CTX hash_ctx; SPHINCS_SIGNATURE sig; int state; // after init 0, after prepare 1, after update 2 size_t round1_msglen; diff --git a/include/gmssl/version.h b/include/gmssl/version.h index 48fa5f1e..1594fa02 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30300 -#define GMSSL_VERSION_STR "GmSSL 3.3.0-dev.1158" +#define GMSSL_VERSION_STR "GmSSL 3.3.0-dev.1159" int gmssl_version_num(void); const char *gmssl_version_str(void); 
diff --git a/include/gmssl/xmss.h b/include/gmssl/xmss.h index e176c8bd..cb325441 100644 --- a/include/gmssl/xmss.h +++ b/include/gmssl/xmss.h @@ -15,33 +15,13 @@ #include #include #include -#ifdef ENABLE_SHA2 -#include -#endif #ifdef __cplusplus extern "C" { #endif -typedef uint8_t xmss_hash256_t[32]; - - -// Crosscheck with data from xmss-reference (SHA-256), except the XMSS signature. -#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) && !defined(HASH256_CTX) -# define XMSS_HASH256_CTX SHA256_CTX -# define xmss_hash256_init sha256_init -# define xmss_hash256_update sha256_update -# define xmss_hash256_finish sha256_finish -# define XMSS_HASH256_BLOCK_SIZE SHA256_BLOCK_SIZE -#else -# define XMSS_HASH256_CTX SM3_CTX -# define xmss_hash256_init sm3_init -# define xmss_hash256_update sm3_update -# define xmss_hash256_finish sm3_finish -# define XMSS_HASH256_BLOCK_SIZE SM3_BLOCK_SIZE -#endif - +typedef uint8_t xmss_sm3_digest_t[32]; // ADRS scheme 
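Review bot: Removing the ENABLE_XMSS_CROSSCHECK path also removes the only visible way to run the WOTS+/tree code against the xmss-reference SHA-256 vectors, which the deleted comment says covered everything except the final XMSS signature; unless the SM3 variants have their own known-answer vectors in the `xmss` test target that CMakeLists.txt registers, a regression in the hash chain or tree construction now goes undetected. The same applies to the parallel ENABLE_SPHINCS_CROSSCHECK removal. I would record this at the new typedef, e.g. `// SHA-256 cross-check against xmss-reference was removed; SM3 known-answer vectors must live in the xmss test`, and make sure such vectors actually exist before this lands.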
@@ -112,50 +92,41 @@ void xmss_adrs_set_hash_address(xmss_adrs_t adrs, uint32_t address); void xmss_adrs_set_tree_index(xmss_adrs_t adrs, uint32_t index); void xmss_adrs_set_key_and_mask(xmss_adrs_t adrs, uint32_t key_and_mask); -int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_hash256_t adrs); +int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_sm3_digest_t adrs); -// WOTS+ with SM3/SHA256 +// WOTS+ with SM3 #define XMSS_WOTS_WINTERNITZ_W 16 // rfc 8391 named algors only support w = 2^4 = 16 #define XMSS_WOTS_NUM_CHAINS 67 -typedef xmss_hash256_t xmss_wots_key_t[XMSS_WOTS_NUM_CHAINS]; -typedef xmss_hash256_t xmss_wots_sig_t[XMSS_WOTS_NUM_CHAINS]; +typedef xmss_sm3_digest_t xmss_wots_key_t[XMSS_WOTS_NUM_CHAINS]; +typedef xmss_sm3_digest_t xmss_wots_sig_t[XMSS_WOTS_NUM_CHAINS]; -void xmss_wots_derive_sk(const xmss_hash256_t secret, - const xmss_hash256_t seed, const xmss_adrs_t adrs, +void xmss_wots_derive_sk(const xmss_sm3_digest_t secret, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, xmss_wots_key_t sk); -void xmss_wots_chain(const xmss_hash256_t x, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - int start, int steps, xmss_hash256_t y); +void xmss_wots_chain(const xmss_sm3_digest_t x, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + int start, int steps, xmss_sm3_digest_t y); void xmss_wots_sk_to_pk(const xmss_wots_key_t sk, - const xmss_hash256_t seed, const xmss_adrs_t adrs, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, xmss_wots_key_t pk); void xmss_wots_sign(const xmss_wots_key_t sk, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - const xmss_hash256_t dgst, xmss_wots_sig_t sig); + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + const xmss_sm3_digest_t dgst, xmss_wots_sig_t sig); void xmss_wots_sig_to_pk(const xmss_wots_sig_t sig, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - const xmss_hash256_t dgst, xmss_wots_key_t pk); + const 
xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + const xmss_sm3_digest_t dgst, xmss_wots_key_t pk); void xmss_wots_pk_to_root(const xmss_wots_key_t pk, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - xmss_hash256_t wots_root); -void xmss_wots_derive_root(const xmss_hash256_t secret, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - xmss_hash256_t wots_root); -int xmss_wots_verify(const xmss_hash256_t wots_root, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - const xmss_hash256_t dgst, const xmss_wots_sig_t sig); - - - -// from RFC 8391 table 7 -enum { - XMSS_SHA2_10_256 = 0x00000001, - XMSS_SHA2_16_256 = 0x00000002, - XMSS_SHA2_20_256 = 0x00000003, -}; + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + xmss_sm3_digest_t wots_root); +void xmss_wots_derive_root(const xmss_sm3_digest_t secret, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + xmss_sm3_digest_t wots_root); +int xmss_wots_verify(const xmss_sm3_digest_t wots_root, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + const xmss_sm3_digest_t dgst, const xmss_wots_sig_t sig); enum { XMSS_SM3_10_256 = 0x10000001, // height = 10, sigs = 2^10 
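Review bot: With the RFC 8391 table 7 values gone from the header, nothing near the `XMSS_SM3_*` enum says that `0x10000001` and its siblings are private-use identifiers rather than registered ones, so a reader of the public key format (the 4-byte type word is serialized) may assume SM3 keys interoperate with RFC 8391 implementations. I would add above the enum: `// Private-use identifiers (high bit set), not RFC 8391 / IANA values; keys and signatures carrying them are not interoperable with SHA2-based XMSS.` The enum starts in this hunk but its remaining members are outside it.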
@@ -165,22 +136,9 @@ enum { #define XMSS_MAX_HEIGHT 20 -// Crosscheck with data from xmss-reference (SHA-256), except the XMSS signature. -#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) -# define XMSS_HASH256_10_256 XMSS_SHA2_10_256 -# define XMSS_HASH256_16_256 XMSS_SHA2_16_256 -# define XMSS_HASH256_20_256 XMSS_SHA2_20_256 -# define XMSS_HASH256_10_256_NAME "XMSS_SHA2_10_256" -# define XMSS_HASH256_16_256_NAME "XMSS_SHA2_16_256" -# define XMSS_HASH256_20_256_NAME "XMSS_SHA2_20_256" -#else -# define XMSS_HASH256_10_256 XMSS_SM3_10_256 -# define XMSS_HASH256_16_256 XMSS_SM3_16_256 -# define XMSS_HASH256_20_256 XMSS_SM3_20_256 -# define XMSS_HASH256_10_256_NAME "XMSS_SM3_10_256" -# define XMSS_HASH256_16_256_NAME "XMSS_SM3_16_256" -# define XMSS_HASH256_20_256_NAME "XMSS_SM3_20_256" -#endif +#define XMSS_SM3_10_256_NAME "XMSS_SM3_10_256" +#define XMSS_SM3_16_256_NAME "XMSS_SM3_16_256" +#define XMSS_SM3_20_256_NAME "XMSS_SM3_20_256" char *xmss_type_name(uint32_t xmss_type); uint32_t xmss_type_from_name(const char *name); 
@@ -188,21 +146,21 @@ uint32_t xmss_type_from_name(const char *name); int xmss_type_to_height(uint32_t xmss_type, size_t *height); size_t xmss_num_tree_nodes(size_t height); -void xmss_build_tree(const xmss_hash256_t secret, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - size_t height, xmss_hash256_t *tree); // tree[xmss_num_tree_nodes(height)] -void xmss_build_auth_path(const xmss_hash256_t *tree, size_t height, - uint32_t index, xmss_hash256_t *auth_path); // auth_path[height] -void xmss_build_root(const xmss_hash256_t wots_root, uint32_t index, - const xmss_hash256_t seed, const xmss_adrs_t adrs, - const xmss_hash256_t *auth_path, size_t height, - xmss_hash256_t xmss_root); +void xmss_build_tree(const xmss_sm3_digest_t secret, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + size_t height, xmss_sm3_digest_t *tree); // tree[xmss_num_tree_nodes(height)] +void xmss_build_auth_path(const xmss_sm3_digest_t *tree, size_t height, + uint32_t index, xmss_sm3_digest_t *auth_path); // auth_path[height] +void xmss_build_root(const xmss_sm3_digest_t wots_root, uint32_t index, + const xmss_sm3_digest_t seed, const xmss_adrs_t adrs, + const xmss_sm3_digest_t *auth_path, size_t height, + xmss_sm3_digest_t xmss_root); typedef struct { uint32_t xmss_type; - xmss_hash256_t seed; - xmss_hash256_t root; + xmss_sm3_digest_t seed; + xmss_sm3_digest_t root; } XMSS_PUBLIC_KEY; #define XMSS_PUBLIC_KEY_SIZE (4 + 32 + 32) // = 68 
@@ -214,16 +172,16 @@ typedef int (*xmss_key_update_callback)(XMSS_KEY *key); typedef struct XMSS_KEY_st { XMSS_PUBLIC_KEY public_key; uint32_t index; - xmss_hash256_t secret; - xmss_hash256_t sk_prf; - xmss_hash256_t *tree; // xmss_hash256_t[2^(h + 1) - 1] + xmss_sm3_digest_t secret; + xmss_sm3_digest_t sk_prf; + xmss_sm3_digest_t *tree; // xmss_sm3_digest_t[2^(h + 1) - 1] xmss_key_update_callback update_callback; void *update_param; } XMSS_KEY; -// XMSS_SHA2_10_256: 65,640 -// XMSS_SHA2_16_256: 4,194,408 -// XMSS_SHA2_20_256: 67,108,968 +// XMSS_SM3_10_256: 65,640 +// XMSS_SM3_16_256: 4,194,408 +// XMSS_SM3_20_256: 67,108,968 int xmss_private_key_size(uint32_t xmss_type, size_t *keysize); //#define XMSS_PRIVATE_KEY_SIZE (XMSS_PUBLIC_KEY_SIZE + 32 + 32 + 4) // = 136 @@ -245,9 +203,9 @@ int xmss_private_key_print(FILE *fp, int fmt, int ind, const char *label, const typedef struct { uint32_t index; // < 2^(XMSS_MAX_HEIGHT) = 2^20, always encode to 4 bytes - xmss_hash256_t random; + xmss_sm3_digest_t random; xmss_wots_sig_t wots_sig; - xmss_hash256_t auth_path[XMSS_MAX_HEIGHT]; + xmss_sm3_digest_t auth_path[XMSS_MAX_HEIGHT]; } XMSS_SIGNATURE; // XMSS_SM3_10_256 2500 bytes @@ -265,7 +223,7 @@ int xmss_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, const typedef struct { XMSS_PUBLIC_KEY xmss_public_key; XMSS_SIGNATURE xmss_sig; - XMSS_HASH256_CTX hash256_ctx; + SM3_CTX sm3_ctx; } XMSS_SIGN_CTX; int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key); 
@@ -289,55 +247,14 @@ enum { XMSSMT_SM3_60_12_256 = 0x00000008, }; -// from rfc 8391 table 8 -enum { - XMSSMT_RESERVED = 0x00000000, - XMSSMT_SHA2_20_2_256 = 0x00000001, - XMSSMT_SHA2_20_4_256 = 0x00000002, - XMSSMT_SHA2_40_2_256 = 0x00000003, - XMSSMT_SHA2_40_4_256 = 0x00000004, - XMSSMT_SHA2_40_8_256 = 0x00000005, - XMSSMT_SHA2_60_3_256 = 0x00000006, - XMSSMT_SHA2_60_6_256 = 0x00000007, - XMSSMT_SHA2_60_12_256 = 0x00000008, -}; - - -#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) -# define XMSSMT_HASH256_20_2_256 XMSSMT_SHA2_20_2_256 -# define XMSSMT_HASH256_20_4_256 XMSSMT_SHA2_20_4_256 -# define XMSSMT_HASH256_40_2_256 XMSSMT_SHA2_40_2_256 -# define XMSSMT_HASH256_40_4_256 XMSSMT_SHA2_40_4_256 -# define XMSSMT_HASH256_40_8_256 XMSSMT_SHA2_40_8_256 -# define XMSSMT_HASH256_60_3_256 XMSSMT_SHA2_60_3_256 -# define XMSSMT_HASH256_60_6_256 XMSSMT_SHA2_60_6_256 -# define XMSSMT_HASH256_60_12_256 XMSSMT_SHA2_60_12_256 -# define XMSSMT_HASH256_20_2_256_NAME "XMSSMT_SHA2_20_2_256" -# define XMSSMT_HASH256_20_4_256_NAME "XMSSMT_SHA2_20_4_256" -# define XMSSMT_HASH256_40_2_256_NAME "XMSSMT_SHA2_40_2_256" -# define XMSSMT_HASH256_40_4_256_NAME "XMSSMT_SHA2_40_4_256" -# define XMSSMT_HASH256_40_8_256_NAME "XMSSMT_SHA2_40_8_256" -# define XMSSMT_HASH256_60_3_256_NAME "XMSSMT_SHA2_60_3_256" -# define XMSSMT_HASH256_60_6_256_NAME "XMSSMT_SHA2_60_6_256" -# define XMSSMT_HASH256_60_12_256_NAME "XMSSMT_SHA2_60_12_256" -#else -# define XMSSMT_HASH256_20_2_256 XMSSMT_SM3_20_2_256 -# define XMSSMT_HASH256_20_4_256 XMSSMT_SM3_20_4_256 -# define XMSSMT_HASH256_40_2_256 XMSSMT_SM3_40_2_256 -# define XMSSMT_HASH256_40_4_256 XMSSMT_SM3_40_4_256 -# define XMSSMT_HASH256_40_8_256 XMSSMT_SM3_40_8_256 -# define XMSSMT_HASH256_60_3_256 XMSSMT_SM3_60_3_256 -# define XMSSMT_HASH256_60_6_256 XMSSMT_SM3_60_6_256 -# define XMSSMT_HASH256_60_12_256 XMSSMT_SM3_60_12_256 -# define XMSSMT_HASH256_20_2_256_NAME "XMSSMT_SM3_20_2_256" -# define XMSSMT_HASH256_20_4_256_NAME 
"XMSSMT_SM3_20_4_256" -# define XMSSMT_HASH256_40_2_256_NAME "XMSSMT_SM3_40_2_256" -# define XMSSMT_HASH256_40_4_256_NAME "XMSSMT_SM3_40_4_256" -# define XMSSMT_HASH256_40_8_256_NAME "XMSSMT_SM3_40_8_256" -# define XMSSMT_HASH256_60_3_256_NAME "XMSSMT_SM3_60_3_256" -# define XMSSMT_HASH256_60_6_256_NAME "XMSSMT_SM3_60_6_256" -# define XMSSMT_HASH256_60_12_256_NAME "XMSSMT_SM3_60_12_256" -#endif +#define XMSSMT_SM3_20_2_256_NAME "XMSSMT_SM3_20_2_256" +#define XMSSMT_SM3_20_4_256_NAME "XMSSMT_SM3_20_4_256" +#define XMSSMT_SM3_40_2_256_NAME "XMSSMT_SM3_40_2_256" +#define XMSSMT_SM3_40_4_256_NAME "XMSSMT_SM3_40_4_256" +#define XMSSMT_SM3_40_8_256_NAME "XMSSMT_SM3_40_8_256" +#define XMSSMT_SM3_60_3_256_NAME "XMSSMT_SM3_60_3_256" +#define XMSSMT_SM3_60_6_256_NAME "XMSSMT_SM3_60_6_256" +#define XMSSMT_SM3_60_12_256_NAME "XMSSMT_SM3_60_12_256" char *xmssmt_type_name(uint32_t xmssmt_type); uint32_t xmssmt_type_from_name(const char *name); @@ -350,11 +267,11 @@ size_t xmssmt_num_trees_nodes(size_t height, size_t layers); typedef struct { uint32_t xmssmt_type; - xmss_hash256_t seed; - xmss_hash256_t root; + xmss_sm3_digest_t seed; + xmss_sm3_digest_t root; } XMSSMT_PUBLIC_KEY; -#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(xmss_hash256_t) + sizeof(xmss_hash256_t)) // = 68 bytes +#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(xmss_sm3_digest_t) + sizeof(xmss_sm3_digest_t)) // = 68 bytes typedef struct XMSSMT_KEY_st XMSSMT_KEY; @@ -363,9 +280,9 @@ typedef int (*xmssmt_key_update_callback)(XMSSMT_KEY *key); typedef struct XMSSMT_KEY_st { XMSSMT_PUBLIC_KEY public_key; uint64_t index; // in [0, 2^60 - 1] - xmss_hash256_t secret; - xmss_hash256_t sk_prf; - xmss_hash256_t *trees; + xmss_sm3_digest_t secret; + xmss_sm3_digest_t sk_prf; + xmss_sm3_digest_t *trees; xmss_wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS - 1]; xmssmt_key_update_callback update_callback; void *update_param; 
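Review bot: The XMSSMT_SM3 identifiers collide with the RFC 8391 table 8 values this hunk deletes: `XMSSMT_SM3_60_12_256 = 0x00000008` is exactly the code the removed `XMSSMT_SHA2_60_12_256` carried, whereas the XMSS family avoids this by using `0x10000001`-style codes. Since the type word is serialized into public keys and signatures (XMSSMT_PUBLIC_KEY_SIZE is 4 + seed + root), an RFC 8391 consumer will parse an SM3 key as SHA2_60/12 and dispatch the wrong hash, and a mixed deployment cannot tell the two apart. I would move these into the same private-use range, e.g. `XMSSMT_SM3_60_12_256 = 0x10000008`, accepting that previously serialized SM3 keys change encoding, or at minimum document the deliberate reuse. Only the last member of the XMSSMT_SM3 enum is visible here; its start lies before the hunk.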
@@ -382,7 +299,7 @@ typedef struct XMSSMT_KEY_st { XMSSMT_SM3_60_12_256: 47,916 bytes */ int xmssmt_private_key_size(uint32_t xmssmt_type, size_t *len); -int xmssmt_build_auth_path(const xmss_hash256_t *tree, size_t height, size_t layers, uint64_t index, xmss_hash256_t *auth_path); +int xmssmt_build_auth_path(const xmss_sm3_digest_t *tree, size_t height, size_t layers, uint64_t index, xmss_sm3_digest_t *auth_path); int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type); int xmssmt_key_set_update_callback(XMSSMT_KEY *key, xmssmt_key_update_callback update_cb, void *param); @@ -399,9 +316,9 @@ void xmssmt_key_cleanup(XMSSMT_KEY *key); typedef struct { uint64_t index; - xmss_hash256_t random; + xmss_sm3_digest_t random; xmss_wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS]; - xmss_hash256_t auth_path[XMSSMT_MAX_HEIGHT]; + xmss_sm3_digest_t auth_path[XMSSMT_MAX_HEIGHT]; } XMSSMT_SIGNATURE; int xmssmt_index_to_bytes(uint64_t index, uint32_t xmssmt_type, uint8_t **out, size_t *outlen); @@ -420,7 +337,7 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const typedef struct { XMSSMT_PUBLIC_KEY xmssmt_public_key; XMSSMT_SIGNATURE xmssmt_sig; - XMSS_HASH256_CTX hash256_ctx; + SM3_CTX sm3_ctx; } XMSSMT_SIGN_CTX; int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key); diff --git a/src/ecdh.c b/src/ecdh.c index 2db63807..c23a1b4c 100644 --- a/src/ecdh.c +++ b/src/ecdh.c 
@@ -26,9 +26,13 @@ int secp256r1_do_ecdh(const SECP256R1_KEY *key, const SECP256R1_KEY *peer_key, u error_print(); return -1; } - secp256r1_point_mul(&point, key->private_key, &peer_key->public_key); - secp256r1_point_get_xy(&point, x, y); - secp256r1_to_32bytes(x, out); + if (secp256r1_point_mul(&point, key->private_key, &peer_key->public_key) != 1 + || secp256r1_point_get_xy(&point, x, y) != 1 + || secp256r1_to_32bytes(x, out) != 1) { + error_print(); + gmssl_secure_clear(&point, sizeof(SECP256R1_POINT)); + return -1; + } gmssl_secure_clear(&point, sizeof(SECP256R1_POINT)); gmssl_secure_clear(x, sizeof(secp256r1_t)); @@ -50,9 +54,13 @@ int secp256r1_ecdh(const SECP256R1_KEY *key, const uint8_t uncompressed_point[65 error_print(); return -1; } - secp256r1_point_mul(&point, key->private_key, &point); - secp256r1_point_get_xy(&point, x,y); - secp256r1_to_32bytes(x, out); + if (secp256r1_point_mul(&point, key->private_key, &point) != 1 + || secp256r1_point_get_xy(&point, x,y) != 1 + || secp256r1_to_32bytes(x, out) != 1) { + error_print(); + gmssl_secure_clear(&point, sizeof(SECP256R1_POINT)); + return -1; + } gmssl_secure_clear(&point, sizeof(SECP256R1_POINT)); gmssl_secure_clear(x, sizeof(secp256r1_t)); diff --git a/src/ecdsa.c b/src/ecdsa.c index 0b7fd6d4..2af79dd8 100644 --- a/src/ecdsa.c +++ b/src/ecdsa.c @@ -23,8 +23,11 @@ int ecdsa_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, cons { format_print(fp, fmt, ind, "%s\n", label); ind += 4; - secp256r1_print(fp, fmt, ind, "r", sig->r); - secp256r1_print(fp, fmt, ind, "s", sig->s); + if (secp256r1_print(fp, fmt, ind, "r", sig->r) != 1 + || secp256r1_print(fp, fmt, ind, "s", sig->s) != 1) { + error_print(); + return -1; + } return 1; } 
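Review bot: The new error path in secp256r1_do_ecdh clears `point` but not `x`/`y`, so if secp256r1_point_get_xy fails part-way (it writes y before x, per the secp256r1.c hunk) affine coordinates of the shared point stay on the stack, while the success path clears them. Add `gmssl_secure_clear(x, sizeof(secp256r1_t)); gmssl_secure_clear(y, sizeof(secp256r1_t));` to both error blocks, or route both paths through one cleanup label. The same applies to secp256r1_ecdh, where additionally `point` is passed as both output and input of secp256r1_point_mul, which is only safe if point_mul is alias-safe — not visible here. The tail of each function (clearing of y) is outside the hunk.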
@@ -53,21 +56,33 @@ int ecdsa_do_sign_ex(const SECP256R1_KEY *key, const secp256r1_t k, const uint8_ SECP256R1_POINT P; // e = hash(m) - secp256r1_from_32bytes(e, dgst); - secp256r1_modn(e, e); + if (secp256r1_from_32bytes(e, dgst) != 1 + || secp256r1_modn(e, e) != 1) { + error_print(); + return -1; + } // (x1, y1) = k*G - secp256r1_point_mul_generator(&P, k); - secp256r1_point_get_xy(&P, x1, y1); + if (secp256r1_point_mul_generator(&P, k) != 1 + || secp256r1_point_get_xy(&P, x1, y1) != 1) { + error_print(); + return -1; + } // r = x1 mod n - secp256r1_modn(sig->r, x1); + if (secp256r1_modn(sig->r, x1) != 1) { + error_print(); + return -1; + } // s = k^-1 * (e + d * r) mod n - secp256r1_modn_inv(k_inv, k); - secp256r1_modn_mul(sig->s, key->private_key, sig->r); - secp256r1_modn_add(sig->s, sig->s, e); - secp256r1_modn_mul(sig->s, sig->s, k_inv); + if (secp256r1_modn_inv(k_inv, k) != 1 + || secp256r1_modn_mul(sig->s, key->private_key, sig->r) != 1 + || secp256r1_modn_add(sig->s, sig->s, e) != 1 + || secp256r1_modn_mul(sig->s, sig->s, k_inv) != 1) { + error_print(); + return -1; + } return 1; } 
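Review bot: ecdsa_do_sign_ex still returns 1 when `sig->r` or `sig->s` is zero, although FIPS 186-4 §6.4.1 / SEC 1 §4.1.3 require regenerating k in both cases and a verifier that enforces r, s ∈ [1, n-1] will reject such a signature; whether k itself is range-checked happens before this hunk and is not visible. In addition `k_inv`, from which k and therefore the private key are recoverable, is never cleared on any path, unlike the temporaries in ecdh.c. I would test both values with secp256r1_is_zero (used in secp256r1.c, assumed exported) and clear k_inv before returning, as below; the return code for "retry with a fresh k" should follow whatever convention this function's caller expects, which I cannot see here.
```c
	// r = x1 mod n
	if (secp256r1_modn(sig->r, x1) != 1) {
		error_print();
		return -1;
	}
	if (secp256r1_is_zero(sig->r)) {
		error_print();
		return 0; // caller must retry with a fresh k (FIPS 186-4 6.4.1)
	}
	// … unchanged: s = k^-1 * (e + d * r) mod n …
	if (secp256r1_is_zero(sig->s)) {
		gmssl_secure_clear(k_inv, sizeof(k_inv));
		error_print();
		return 0; // caller must retry with a fresh k
	}
	gmssl_secure_clear(k_inv, sizeof(k_inv));
	return 1;
```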
@@ -114,26 +129,46 @@ int ecdsa_do_verify(const SECP256R1_KEY *key, const uint8_t dgst[32], const ECDS } // e = hash(m) - secp256r1_from_32bytes(e, dgst); - secp256r1_modn(e, e); + if (secp256r1_from_32bytes(e, dgst) != 1 + || secp256r1_modn(e, e) != 1) { + error_print(); + return -1; + } // w = s^-1 (mod n) - secp256r1_modn_inv(w, sig->s); + if (secp256r1_modn_inv(w, sig->s) != 1) { + error_print(); + return -1; + } // u1 = e * w (mod n) - secp256r1_modn_mul(u1, e, w); + if (secp256r1_modn_mul(u1, e, w) != 1) { + error_print(); + return -1; + } // u2 = r * w (mod n) - secp256r1_modn_mul(u2, sig->r, w); + if (secp256r1_modn_mul(u2, sig->r, w) != 1) { + error_print(); + return -1; + } // (x1, y1) = u1*G + u2*Q - secp256r1_point_mul_generator(&P, u1); - secp256r1_point_mul(&Q, u2, &key->public_key); - secp256r1_point_add(&R, &P, &Q); - secp256r1_point_get_xy(&R, x1, y1); + if (secp256r1_point_mul_generator(&P, u1) != 1 + || secp256r1_point_mul(&Q, u2, &key->public_key) != 1 + || secp256r1_point_add(&R, &P, &Q) != 1) { + error_print(); + return -1; + } + if (secp256r1_point_get_xy(&R, x1, y1) != 1) { + return 0; + } // x1 = x1 mod n - secp256r1_modn(x1, x1); + if (secp256r1_modn(x1, x1) != 1) { + error_print(); + return -1; + } if (secp256r1_cmp(x1, sig->r) != 0) { return 0; @@ -151,8 +186,11 @@ int ecdsa_signature_to_der(const ECDSA_SIGNATURE *sig, uint8_t **out, size_t *ou return 0; } - secp256r1_to_32bytes(sig->r, r); - secp256r1_to_32bytes(sig->s, s); + if (secp256r1_to_32bytes(sig->r, r) != 1 + || secp256r1_to_32bytes(sig->s, s) != 1) { + error_print(); + return -1; + } if (asn1_integer_to_der(r, 32, NULL, &len) != 1 || asn1_integer_to_der(s, 32, NULL, &len) != 1 
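Review bot: The `!= 1 → return 0` after secp256r1_point_get_xy turns every failure into "invalid signature", including an arithmetic error from secp256r1_modp_inv, whereas the rest of the function returns -1 for such errors; only the point-at-infinity case (u1*G + u2*Q = O) is genuinely an invalid signature. I would split it: `if (secp256r1_point_is_at_infinity(&R)) return 0;` followed by `if (secp256r1_point_get_xy(&R, x1, y1) != 1) { error_print(); return -1; }`. The r, s ∈ [1, n-1] check that verification relies on precedes this hunk and is not visible here.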
@@ -186,8 +224,11 @@ int ecdsa_signature_from_der(ECDSA_SIGNATURE *sig, const uint8_t **in, size_t *i return -1; } - secp256r1_from_32bytes(sig->r, r); - secp256r1_from_32bytes(sig->s, s); + if (secp256r1_from_32bytes(sig->r, r) != 1 + || secp256r1_from_32bytes(sig->s, s) != 1) { + error_print(); + return -1; + } return 1; } diff --git a/src/secp256r1.c b/src/secp256r1.c index 1fd82c45..05ea73cc 100644 --- a/src/secp256r1.c +++ b/src/secp256r1.c @@ -256,11 +256,15 @@ const SECP256R1_POINT *secp256r1_generator(void) return &secp256r1_generator_point; } -void secp256r1_point_set_infinity(SECP256R1_POINT *R) +int secp256r1_point_set_infinity(SECP256R1_POINT *R) { - secp256r1_set_one(R->X); - secp256r1_set_one(R->Y); - secp256r1_set_zero(R->Z); + if (secp256r1_set_one(R->X) != 1 + || secp256r1_set_one(R->Y) != 1 + || secp256r1_set_zero(R->Z) != 1) { + error_print(); + return -1; + } + return 1; } int secp256r1_point_is_at_infinity(const SECP256R1_POINT *P) 
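Review bot: ecdsa_signature_from_der now checks that the two 32-byte buffers convert, but nothing in the hunk rejects r == 0, s == 0, or values ≥ n, so a malformed DER signature is accepted into an ECDSA_SIGNATURE and only caught later if ecdsa_do_verify performs the range check (that code precedes its hunk and is not visible). A cheap fail-fast after the conversions: `if (secp256r1_is_zero(sig->r) || secp256r1_is_zero(sig->s)) { error_print(); return -1; }`, plus a compare against the group order if secp256r1.h exposes one. Whether a DER integer shorter than 32 bytes is left-padded before reaching secp256r1_from_32bytes is decided before this hunk.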
@@ -284,48 +288,55 @@ int secp256r1_point_is_on_curve(const SECP256R1_POINT *P) // check Y^2 + 3 * X * Z^4 == X^3 + b * Z^6 // t0 = Y^2 - secp256r1_modp_sqr(t0, P->Y); + if (secp256r1_modp_sqr(t0, P->Y) != 1) goto err; // t1 = Z^2 - secp256r1_modp_sqr(t1, P->Z); + if (secp256r1_modp_sqr(t1, P->Z) != 1) goto err; // t2 = Z^4 - secp256r1_modp_sqr(t2, t1); + if (secp256r1_modp_sqr(t2, t1) != 1) goto err; // t1 = Z^6 - secp256r1_modp_mul(t1, t1, t2); + if (secp256r1_modp_mul(t1, t1, t2) != 1) goto err; // t1 = b * Z^6 - secp256r1_modp_mul(t1, t1, SECP256R1_B); + if (secp256r1_modp_mul(t1, t1, SECP256R1_B) != 1) goto err; // t2 = X * Z^4 - secp256r1_modp_mul(t2, t2, P->X); + if (secp256r1_modp_mul(t2, t2, P->X) != 1) goto err; // t0 = Y^2 + 3 * X * Z^4 - secp256r1_modp_add(t0, t0, t2); - secp256r1_modp_add(t0, t0, t2); - secp256r1_modp_add(t0, t0, t2); + if (secp256r1_modp_add(t0, t0, t2) != 1 + || secp256r1_modp_add(t0, t0, t2) != 1 + || secp256r1_modp_add(t0, t0, t2) != 1) goto err; // t2 = X^2 - secp256r1_modp_sqr(t2, P->X); + if (secp256r1_modp_sqr(t2, P->X) != 1) goto err; // t2 = X^3 - secp256r1_modp_mul(t2, t2, P->X); + if (secp256r1_modp_mul(t2, t2, P->X) != 1) goto err; // t1 = b * Z^6 + X^3 - secp256r1_modp_add(t1, t1, t2); + if (secp256r1_modp_add(t1, t1, t2) != 1) goto err; if (secp256r1_cmp(t0, t1) != 0) { return 0; } return 1; +err: + error_print(); + return -1; } -void secp256r1_point_copy(SECP256R1_POINT *R, const SECP256R1_POINT *P) +int secp256r1_point_copy(SECP256R1_POINT *R, const SECP256R1_POINT *P) { - secp256r1_copy(R->X, P->X); - secp256r1_copy(R->Y, P->Y); - secp256r1_copy(R->Z, P->Z); + if (secp256r1_copy(R->X, P->X) != 1 + || secp256r1_copy(R->Y, P->Y) != 1 + || secp256r1_copy(R->Z, P->Z) != 1) { + error_print(); + return -1; + } + return 1; } int secp256r1_point_set_xy(SECP256R1_POINT *R, const secp256r1_t x, const secp256r1_t y) 
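Review bot: secp256r1_point_is_on_curve returns 1 for the point at infinity: with Z = 0 the test degenerates to Y^2 == X^3, which the (1, 1, 0) representation from secp256r1_point_set_infinity satisfies, so it cannot on its own validate a peer-supplied public key. Either add `if (secp256r1_point_is_at_infinity(P)) return 0;` at the top (point_set_xy always sets Z = 1, so it is unaffected) or document it: `// Note: returns 1 for the point at infinity; callers validating external points must also check secp256r1_point_is_at_infinity()`. Also, now that the function returns -1 on arithmetic failure, any remaining `if (!secp256r1_point_is_on_curve(...))` caller treats -1 as on-curve; this commit converts the one in point_set_xy, other callers are not visible here.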
@@ -338,12 +349,15 @@ int secp256r1_point_set_xy(SECP256R1_POINT *R, const secp256r1_t x, const secp25 error_print(); return -1; } - secp256r1_copy(R->X, x); - secp256r1_copy(R->Y, y); - secp256r1_set_one(R->Z); + if (secp256r1_copy(R->X, x) != 1 + || secp256r1_copy(R->Y, y) != 1 + || secp256r1_set_one(R->Z) != 1) { + error_print(); + return -1; + } - if (!secp256r1_point_is_on_curve(R)) { + if (secp256r1_point_is_on_curve(R) != 1) { error_print(); return -1; } @@ -355,17 +369,21 @@ int secp256r1_point_get_xy(const SECP256R1_POINT *P, secp256r1_t x, secp256r1_t secp256r1_t Z_inv; if (secp256r1_point_is_at_infinity(P)) { - return 0; + error_print(); + return -1; + } + if (secp256r1_modp_inv(Z_inv, P->Z) != 1 + || secp256r1_modp_mul(y, P->Y, Z_inv) != 1 + || secp256r1_modp_sqr(Z_inv, Z_inv) != 1 + || secp256r1_modp_mul(x, P->X, Z_inv) != 1 + || secp256r1_modp_mul(y, y, Z_inv) != 1) { + error_print(); + return -1; } - secp256r1_modp_inv(Z_inv, P->Z); - secp256r1_modp_mul(y, P->Y, Z_inv); - secp256r1_modp_sqr(Z_inv, Z_inv); - secp256r1_modp_mul(x, P->X, Z_inv); - secp256r1_modp_mul(y, y, Z_inv); return 1; } -void secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P) +int secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P) { /* secp256r1_t T_0; 
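Review bot: secp256r1_point_get_xy changes its contract — the infinity case now returns -1 with error_print instead of 0 — which silently breaks any caller that tested `== 0` (ecdsa_do_verify and the ecdh.c functions are updated in this commit; others are not visible). A comment on the function would pin this: `// Returns 1 with (x, y) in affine form, -1 if P is the point at infinity (no affine form) or on arithmetic failure.` Also `Z_inv` is derived from a point that in ECDH is secret-dependent and is left on the stack on every path; `gmssl_secure_clear(Z_inv, sizeof(Z_inv));` before `return 1` would match what the ecdh.c callers do with their own temporaries. The point_dbl body that begins at the end of this hunk continues past it.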
@@ -413,62 +431,71 @@ void secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P) secp256r1_t Zsqr; secp256r1_t tmp0; + if (secp256r1_point_is_at_infinity(P)) { + return secp256r1_point_set_infinity(R); + } + // 1. S = 2Y - secp256r1_modp_dbl(S, Y1); + if (secp256r1_modp_dbl(S, Y1) != 1) goto err; // 2. Zsqr = Z^2 - secp256r1_modp_sqr(Zsqr, Z1); + if (secp256r1_modp_sqr(Zsqr, Z1) != 1) goto err; // 3. S = S^2 = 4Y^2 - secp256r1_modp_sqr(S, S); + if (secp256r1_modp_sqr(S, S) != 1) goto err; // 4. Z = Z*Y - secp256r1_modp_mul(Z3, Z1, Y1); + if (secp256r1_modp_mul(Z3, Z1, Y1) != 1) goto err; // 5. Z = 2*Z = 2*Y*Z ===> Z3 - secp256r1_modp_dbl(Z3, Z3); + if (secp256r1_modp_dbl(Z3, Z3) != 1) goto err; // 6. M = X + Zsqr = X + Z^2 - secp256r1_modp_add(M, X1, Zsqr); + if (secp256r1_modp_add(M, X1, Zsqr) != 1) goto err; // 7. Zsqr = X - Zsqr = X - Z^2 - secp256r1_modp_sub(Zsqr, X1, Zsqr); + if (secp256r1_modp_sub(Zsqr, X1, Zsqr) != 1) goto err; // 8. Y = S^2 = 16Y^4 - secp256r1_modp_sqr(Y3, S); + if (secp256r1_modp_sqr(Y3, S) != 1) goto err; // 9. Y = Y/2 = 8Y^4 - secp256r1_modp_haf(Y3, Y3); + if (secp256r1_modp_haf(Y3, Y3) != 1) goto err; // 10. M = M * Zsqr = (X + Z^2)*(X - Z^2) = X^2 - Z^4 - secp256r1_modp_mul(M, M, Zsqr); + if (secp256r1_modp_mul(M, M, Zsqr) != 1) goto err; // 11. M = 3M = 3X^2 - 3Z^4 - secp256r1_modp_tri(M, M); + if (secp256r1_modp_tri(M, M) != 1) goto err; // 12. S = S * X = 4X*Y^2 - secp256r1_modp_mul(S, S, X1); + if (secp256r1_modp_mul(S, S, X1) != 1) goto err; // 13. tmp0 = 2 * S = 8X*Y^2 - secp256r1_modp_dbl(tmp0, S); + if (secp256r1_modp_dbl(tmp0, S) != 1) goto err; // 14. X = M^2 = (3X^2 - 3Z^4)^2 - secp256r1_modp_sqr(X3, M); + if (secp256r1_modp_sqr(X3, M) != 1) goto err; // 15. X = X - tmp0 = (3X^2 - 3Z^4)^2 - 8X*Y^2 ===> X3 - secp256r1_modp_sub(X3, X3, tmp0); + if (secp256r1_modp_sub(X3, X3, tmp0) != 1) goto err; // 16. 
S = S - X3 = 4X*Y^2 - X3 - secp256r1_modp_sub(S, S, X3); + if (secp256r1_modp_sub(S, S, X3) != 1) goto err; // 17. S = S * M = (3X^2 - 3Z^4)*(4X*Y^2 - X3) - secp256r1_modp_mul(S, S, M); + if (secp256r1_modp_mul(S, S, M) != 1) goto err; // 18. Y = S - Y = (3X^2 - 3Z^4)*(4X*Y^2 - X3) - 8Y^4 ===> Y3 - secp256r1_modp_sub(Y3, S, Y3); + if (secp256r1_modp_sub(Y3, S, Y3) != 1) goto err; + + return 1; +err: + error_print(); + return -1; } -void secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q) +int secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q) { secp256r1_t T_1; secp256r1_t T_2; 
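Review bot: The new `if (secp256r1_point_is_at_infinity(P)) return secp256r1_point_set_infinity(R);` shortcut makes the cost of a doubling depend on the accumulator's value. If secp256r1_point_mul / point_mul_generator (not visible here) is a left-to-right double-and-add that starts from infinity, every doubling before the scalar's first set bit takes the fast path, so timing reveals the scalar's bit length — for an ECDSA nonce k that is precisely the leak lattice attacks exploit over a few hundred signatures, and for ECDH it is the private key's top bits. Either make point_mul never double infinity (start from the first set bit, or use a fixed-window/Montgomery ladder) and state that, or mark the shortcut: `// not constant-time: early exit on infinity; scalar multiplication with secret scalars must not rely on this path`. point_add's own infinity shortcuts pre-date this commit.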
@@ -480,101 +507,126 @@ void secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SEC secp256r1_t T_8; if (secp256r1_point_is_at_infinity(P)) { - *R = *Q; - return; + return secp256r1_point_copy(R, Q); } if (secp256r1_point_is_at_infinity(Q)) { - *R = *P; - return; + return secp256r1_point_copy(R, P); } - // 这里的代码是来自zkrypt的,不确定是否有问题 - secp256r1_modp_sqr(T_1, P->Z); // T_1 = Z_1^2 - secp256r1_modp_sqr(T_2, Q->Z); // T_2 = Z_2^2 - secp256r1_modp_mul(T_3, Q->X, T_1); // T_3 = X_2 * Z_1^2 - secp256r1_modp_mul(T_4, P->X, T_2); // T_4 = X_1 * Z_2^2 - secp256r1_modp_add(T_5, T_3, T_4); // T_5 = X_2 * Z_1^2 + X_1 * Z_2^2 = C - secp256r1_modp_sub(T_3, T_3, T_4); // T_3 = X_2 * Z_1^2 - X_1 * Z_2^2 = B - secp256r1_modp_mul(T_1, T_1, P->Z); // T_1 = Z_1^3 - secp256r1_modp_mul(T_1, T_1, Q->Y); // T_1 = Y_2 * Z_1^3 - secp256r1_modp_mul(T_2, T_2, Q->Z); // T_2 = Z_2^3 - secp256r1_modp_mul(T_2, T_2, P->Y); // T_2 = Y_1 * Z_2^3 - secp256r1_modp_add(T_6, T_1, T_2); // T_6 = Y_2 * Z_1^3 + Y_1 * Z_2^3 = D - secp256r1_modp_sub(T_1, T_1, T_2); // T_1 = Y_2 * Z_1^3 - Y_1 * Z_2^3 = A + if (secp256r1_modp_sqr(T_1, P->Z) != 1 // T_1 = Z_1^2 + || secp256r1_modp_sqr(T_2, Q->Z) != 1 // T_2 = Z_2^2 + || secp256r1_modp_mul(T_3, Q->X, T_1) != 1 // T_3 = X_2 * Z_1^2 + || secp256r1_modp_mul(T_4, P->X, T_2) != 1 // T_4 = X_1 * Z_2^2 + || secp256r1_modp_add(T_5, T_3, T_4) != 1 // T_5 = X_2 * Z_1^2 + X_1 * Z_2^2 = C + || secp256r1_modp_sub(T_3, T_3, T_4) != 1 // T_3 = X_2 * Z_1^2 - X_1 * Z_2^2 = B + || secp256r1_modp_mul(T_1, T_1, P->Z) != 1 // T_1 = Z_1^3 + || secp256r1_modp_mul(T_1, T_1, Q->Y) != 1 // T_1 = Y_2 * Z_1^3 + || secp256r1_modp_mul(T_2, T_2, Q->Z) != 1 // T_2 = Z_2^3 + || secp256r1_modp_mul(T_2, T_2, P->Y) != 1 // T_2 = Y_1 * Z_2^3 + || secp256r1_modp_add(T_6, T_1, T_2) != 1 // T_6 = Y_2 * Z_1^3 + Y_1 * Z_2^3 = D + || secp256r1_modp_sub(T_1, T_1, T_2) != 1) { // T_1 = Y_2 * Z_1^3 - Y_1 * Z_2^3 = A + error_print(); + return -1; + } if (secp256r1_is_zero(T_1) && 
secp256r1_is_zero(T_3)) { - secp256r1_point_dbl(R, P); - return; + return secp256r1_point_dbl(R, P); } - if (secp256r1_is_one(T_1) && secp256r1_is_zero(T_6)) { - secp256r1_point_set_infinity(R); - return; + if (secp256r1_is_zero(T_3) && secp256r1_is_zero(T_6)) { + return secp256r1_point_set_infinity(R); } - secp256r1_modp_sqr(T_6, T_1); // T_6 = A^2 - secp256r1_modp_mul(T_7, T_3, P->Z); // T_7 = B * Z_1 - secp256r1_modp_mul(T_7, T_7, Q->Z); // T_7 = B * Z_1 * Z_2 = Z_3 - secp256r1_modp_sqr(T_8, T_3); // T_8 = B^2 - secp256r1_modp_mul(T_5, T_5, T_8); // T_5 = B^2 * C - secp256r1_modp_mul(T_3, T_3, T_8); // T_3 = B^3 - secp256r1_modp_mul(T_4, T_4, T_8); // T_4 = B^2 * X_1 * Z_2^2 - secp256r1_modp_sub(T_6, T_6, T_5); // T_6 = A^2 - B^2 * C = X_3 - secp256r1_modp_sub(T_4, T_4, T_6); // T_4 = B^2 * X_1 * Z_2^2 - X_3 - secp256r1_modp_mul(T_1, T_1, T_4); // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3) - secp256r1_modp_mul(T_2, T_2, T_3); // T_2 = B^3 * Y_1 * Z_1^3 - secp256r1_modp_sub(T_1, T_1, T_2); // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3) - B^3 * Y_1 * Z_1^3 = Y_3 + if (secp256r1_modp_sqr(T_6, T_1) != 1 // T_6 = A^2 + || secp256r1_modp_mul(T_7, T_3, P->Z) != 1 // T_7 = B * Z_1 + || secp256r1_modp_mul(T_7, T_7, Q->Z) != 1 // T_7 = B * Z_1 * Z_2 = Z_3 + || secp256r1_modp_sqr(T_8, T_3) != 1 // T_8 = B^2 + || secp256r1_modp_mul(T_5, T_5, T_8) != 1 // T_5 = B^2 * C + || secp256r1_modp_mul(T_3, T_3, T_8) != 1 // T_3 = B^3 + || secp256r1_modp_mul(T_4, T_4, T_8) != 1 // T_4 = B^2 * X_1 * Z_2^2 + || secp256r1_modp_sub(T_6, T_6, T_5) != 1 // T_6 = A^2 - B^2 * C = X_3 + || secp256r1_modp_sub(T_4, T_4, T_6) != 1 // T_4 = B^2 * X_1 * Z_2^2 - X_3 + || secp256r1_modp_mul(T_1, T_1, T_4) != 1 // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3) + || secp256r1_modp_mul(T_2, T_2, T_3) != 1 // T_2 = B^3 * Y_1 * Z_1^3 + || secp256r1_modp_sub(T_1, T_1, T_2) != 1) { // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3) - B^3 * Y_1 * Z_1^3 = Y_3 + error_print(); + return -1; + } - secp256r1_copy(R->X, T_6); - secp256r1_copy(R->Y, 
T_1); - secp256r1_copy(R->Z, T_7); + if (secp256r1_copy(R->X, T_6) != 1 + || secp256r1_copy(R->Y, T_1) != 1 + || secp256r1_copy(R->Z, T_7) != 1) { + error_print(); + return -1; + } + return 1; } -void secp256r1_point_neg(SECP256R1_POINT *R, const SECP256R1_POINT *P) +int secp256r1_point_neg(SECP256R1_POINT *R, const SECP256R1_POINT *P) { if (secp256r1_point_is_at_infinity(P)) { - secp256r1_point_set_infinity(R); - return; + return secp256r1_point_set_infinity(R); } - secp256r1_copy(R->X, P->X); - secp256r1_modp_neg(R->Y, P->Y); - secp256r1_copy(R->Z, P->Z); + if (secp256r1_copy(R->X, P->X) != 1 + || secp256r1_modp_neg(R->Y, P->Y) != 1 + || secp256r1_copy(R->Z, P->Z) != 1) { + error_print(); + return -1; + } + return 1; } -void secp256r1_point_sub(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q) +int secp256r1_point_sub(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q) { SECP256R1_POINT T; - secp256r1_point_neg(&T, Q); - secp256r1_point_add(R, P, &T); + if (secp256r1_point_neg(&T, Q) != 1 + || secp256r1_point_add(R, P, &T) != 1) { + error_print(); + return -1; + } + return 1; } -void secp256r1_point_mul(SECP256R1_POINT *R, const secp256r1_t k, const SECP256R1_POINT *P) +int secp256r1_point_mul(SECP256R1_POINT *R, const secp256r1_t k, const SECP256R1_POINT *P) { SECP256R1_POINT T; uint32_t bits; int nbits; int i; - secp256r1_point_set_infinity(&T); + if (secp256r1_point_set_infinity(&T) != 1) { + error_print(); + return -1; + } for (i = 7; i >= 0; i--) { bits = k[i]; nbits = 32; while (nbits-- > 0) { - secp256r1_point_dbl(&T, &T); + if (secp256r1_point_dbl(&T, &T) != 1) { + error_print(); + return -1; + } if (bits & 0x80000000) { - secp256r1_point_add(&T, &T, P); + if (secp256r1_point_add(&T, &T, P) != 1) { + error_print(); + return -1; + } } bits <<= 1; } } - secp256r1_point_copy(R, &T); + if (secp256r1_point_copy(R, &T) != 1) { + error_print(); + return -1; + } + return 1; } -void 
secp256r1_point_mul_generator(SECP256R1_POINT *R, const secp256r1_t k) +int secp256r1_point_mul_generator(SECP256R1_POINT *R, const secp256r1_t k) { - secp256r1_point_mul(R, k, secp256r1_generator()); + return secp256r1_point_mul(R, k, secp256r1_generator()); } int secp256r1_point_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_POINT *P) @@ -583,11 +635,20 @@ int secp256r1_point_print(FILE *fp, int fmt, int ind, const char *label, const S format_print(fp, fmt, ind, "%s\n", label); ind += 4; - secp256r1_to_32bytes(P->X, bytes); + if (secp256r1_to_32bytes(P->X, bytes) != 1) { + error_print(); + return -1; + } format_bytes(fp, fmt, ind, "X", bytes, 32); - secp256r1_to_32bytes(P->Y, bytes); + if (secp256r1_to_32bytes(P->Y, bytes) != 1) { + error_print(); + return -1; + } format_bytes(fp, fmt, ind, "Y", bytes, 32); - secp256r1_to_32bytes(P->Z, bytes); + if (secp256r1_to_32bytes(P->Z, bytes) != 1) { + error_print(); + return -1; + } format_bytes(fp, fmt, ind, "Z", bytes, 32); return 1; } @@ -602,8 +663,11 @@ int secp256r1_point_to_uncompressed_octets(const SECP256R1_POINT *P, uint8_t oct return -1; } octets[0] = 0x04; - secp256r1_to_32bytes(x, octets + 1); - secp256r1_to_32bytes(y, octets + 33); + if (secp256r1_to_32bytes(x, octets + 1) != 1 + || secp256r1_to_32bytes(y, octets + 33) != 1) { + error_print(); + return -1; + } return 1; } @@ -616,8 +680,11 @@ int secp256r1_point_from_uncompressed_octets(SECP256R1_POINT *P, const uint8_t o error_print(); return -1; } - secp256r1_from_32bytes(x, octets + 1); - secp256r1_from_32bytes(y, octets + 33); + if (secp256r1_from_32bytes(x, octets + 1) != 1 + || secp256r1_from_32bytes(y, octets + 33) != 1) { + error_print(); + return -1; + } if (secp256r1_point_set_xy(P, x, y) != 1) { error_print(); 
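Review bot: `secp256r1_point_mul` (rewritten near the end of this hunk) remains a left-to-right double-and-add whose `if (bits & 0x80000000)` branch runs only for set scalar bits, and the point-at-infinity early returns added to `secp256r1_point_dbl` and `secp256r1_point_add` make the doubling and addition themselves data-dependent as well; `secp256r1_key_generate` and `secp256r1_key_set_private_key` in the following hunks pass the private key as `k`, so that scalar is secret. Unless a constant-time ladder is planned, the function should carry a comment such as `// NOTE: not constant-time; the loop branch and the infinity early-outs in point_dbl/point_add depend on k.` so callers do not assume side-channel resistance. Separately, the corrected special-case test `if (secp256r1_is_zero(T_3) && secp256r1_is_zero(T_6))` replaces an `is_one(T_1)` check that could not have detected P == -Q, and neither condition is explained; a comment on each would help, e.g. `// A == 0 && B == 0: P == Q, use doubling` and `// B == 0 && D == 0: same x, opposite y, P == -Q`.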
@@ -628,15 +695,36 @@ int secp256r1_point_from_uncompressed_octets(SECP256R1_POINT *P, const uint8_t o int secp256r1_point_equ(const SECP256R1_POINT *P, const SECP256R1_POINT *Q) { - uint8_t p_octets[65]; - uint8_t q_octets[65]; + secp256r1_t t0; + secp256r1_t t1; + secp256r1_t t2; + secp256r1_t t3; - (void)secp256r1_point_to_uncompressed_octets(P, p_octets); - (void)secp256r1_point_to_uncompressed_octets(Q, q_octets); - - if (memcmp(p_octets, q_octets, 65) == 0) { - return 1; - } else { + if (secp256r1_point_is_at_infinity(P)) { + return secp256r1_point_is_at_infinity(Q); + } + if (secp256r1_point_is_at_infinity(Q)) { return 0; } + + if (secp256r1_modp_sqr(t0, P->Z) != 1 // t0 = Z1^2 + || secp256r1_modp_sqr(t1, Q->Z) != 1 // t1 = Z2^2 + || secp256r1_modp_mul(t2, Q->X, t0) != 1 // t2 = X2 * Z1^2 + || secp256r1_modp_mul(t3, P->X, t1) != 1) { // t3 = X1 * Z2^2 + error_print(); + return -1; + } + if (secp256r1_cmp(t2, t3) != 0) { + return 0; + } + + if (secp256r1_modp_mul(t0, t0, P->Z) != 1 // t0 = Z1^3 + || secp256r1_modp_mul(t0, t0, Q->Y) != 1 // t0 = Y2 * Z1^3 + || secp256r1_modp_mul(t1, t1, Q->Z) != 1 // t1 = Z2^3 + || secp256r1_modp_mul(t1, t1, P->Y) != 1) { // t1 = Y1 * Z2^3 + error_print(); + return -1; + } + + return secp256r1_cmp(t0, t1) == 0; } diff --git a/src/secp256r1_key.c b/src/secp256r1_key.c index 6455aa88..0eb2a605 100644 --- a/src/secp256r1_key.c +++ b/src/secp256r1_key.c @@ -34,7 +34,10 @@ int secp256r1_key_generate(SECP256R1_KEY *key) } } while (secp256r1_is_zero(key->private_key) || secp256r1_cmp(key->private_key, SECP256R1_N) >= 0); - secp256r1_point_mul_generator(&key->public_key, key->private_key); + if (secp256r1_point_mul_generator(&key->public_key, key->private_key) != 1) { + error_print(); + return -1; + } return 1; } 
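Review bot: `secp256r1_point_equ` now has three outcomes (1, 0, and -1 on arithmetic failure) where it previously returned only 0 or 1, so any caller written as `if (secp256r1_point_equ(P, Q))` will treat a failure as equality; the callers are not in this diff, so either they need to test `== 1`, or the function should keep the 0/1 contract and the header should document the change. The comparison also relies on `secp256r1_cmp` seeing canonical, fully reduced outputs from `secp256r1_modp_mul`/`secp256r1_modp_sqr`; if those may return a non-reduced or Montgomery-form value, equal points could compare unequal, so a comment such as `// assumes modp_* outputs are fully reduced mod p` would record the assumption. The early `return secp256r1_point_is_at_infinity(Q);` is correct only if that predicate returns exactly 0 or 1.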
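Review bot: On the new failure path in `secp256r1_key_generate`, `key->private_key` already holds the freshly drawn scalar and is left in the caller's struct when -1 is returned; `secp256r1_key_set_private_key` in the next hunk has the same shape, since the key has just been copied in. Both error branches should wipe the key before returning, as `secp256r1_private_key_from_der` does with `gmssl_secure_clear`, e.g. `gmssl_secure_clear(key, sizeof(SECP256R1_KEY));` ahead of `error_print(); return -1;`.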
@@ -51,8 +54,11 @@ int secp256r1_key_set_private_key(SECP256R1_KEY *key, const secp256r1_t private_ } memset(key, 0, sizeof(SECP256R1_KEY)); - secp256r1_copy(key->private_key, private_key); - secp256r1_point_mul_generator(&key->public_key, key->private_key); + if (secp256r1_copy(key->private_key, private_key) != 1 + || secp256r1_point_mul_generator(&key->public_key, key->private_key) != 1) { + error_print(); + return -1; + } return 1; } @@ -114,13 +120,19 @@ int secp256r1_public_key_print(FILE *fp, int fmt, int ind, const char *label, co format_print(fp, fmt, ind, "%s\n", label); ind += 4; - secp256r1_print(fp, fmt, ind, "X", key->public_key.X); - secp256r1_print(fp, fmt, ind, "Y", key->public_key.Y); - secp256r1_print(fp, fmt, ind, "Z", key->public_key.Z); + if (secp256r1_print(fp, fmt, ind, "X", key->public_key.X) != 1 + || secp256r1_print(fp, fmt, ind, "Y", key->public_key.Y) != 1 + || secp256r1_print(fp, fmt, ind, "Z", key->public_key.Z) != 1) { + error_print(); + return -1; + } - secp256r1_point_get_xy(&key->public_key, x, y); - secp256r1_print(fp, fmt, ind, "x", x); - secp256r1_print(fp, fmt, ind, "y", y); + if (secp256r1_point_get_xy(&key->public_key, x, y) != 1 + || secp256r1_print(fp, fmt, ind, "x", x) != 1 + || secp256r1_print(fp, fmt, ind, "y", y) != 1) { + error_print(); + return -1; + } return 1; } @@ -128,7 +140,10 @@ int secp256r1_private_key_print(FILE *fp, int fmt, int ind, const char *label, c { uint8_t buf[32]; - secp256r1_to_32bytes(key->private_key, buf); + if (secp256r1_to_32bytes(key->private_key, buf) != 1) { + error_print(); + return -1; + } format_print(fp, fmt, ind, "%s\n", label); ind += 4; 
@@ -229,7 +244,10 @@ int secp256r1_private_key_to_der(const SECP256R1_KEY *key, uint8_t **out, size_t } // fprintf(stderr, "%s %d: params_len = %zu\n", params_len); // fprintf(stderr, "%s %d: pubkey_len = %zu\n", pubkey_len); - secp256r1_to_32bytes(key->private_key, prikey); + if (secp256r1_to_32bytes(key->private_key, prikey) != 1) { + error_print(); + return -1; + } if (asn1_int_to_der(EC_private_key_version, NULL, &len) != 1 || asn1_octet_string_to_der(prikey, 32, NULL, &len) != 1 || asn1_explicit_to_der(0, params, params_len, NULL, &len) != 1 @@ -297,7 +315,10 @@ int secp256r1_private_key_from_der(SECP256R1_KEY *key, const uint8_t **in, size_ error_print(); return -1; } - secp256r1_from_32bytes(private_key, prikey); + if (secp256r1_from_32bytes(private_key, prikey) != 1) { + error_print(); + return -1; + } if (secp256r1_key_set_private_key(key, private_key) != 1) { gmssl_secure_clear(private_key, 32); error_print(); diff --git a/src/sphincs.c b/src/sphincs.c index 61adc54f..a1f5c66f 100644 --- a/src/sphincs.c +++ b/src/sphincs.c @@ -267,11 +267,11 @@ void sphincs_wots_derive_sk(const sphincs_hash128_t secret, const sphincs_hash128_t seed, const sphincs_adrs_t in_adrs, sphincs_wots_key_t sk) { - uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0}; + uint8_t block[SM3_BLOCK_SIZE] = {0}; sphincs_adrs_t adrs; sphincs_adrsc_t adrsc; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; int i; memcpy(block, seed, sizeof(sphincs_hash128_t)); 
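Review bot: In `secp256r1_private_key_from_der`, the new `secp256r1_from_32bytes(private_key, prikey) != 1` branch returns -1 without the `gmssl_secure_clear(private_key, 32)` that the adjacent `secp256r1_key_set_private_key` failure branch performs, so a partially converted private key can be left on the stack; the same asymmetry appears in `ec_private_key_from_der` in src/x509_key.c, where `p256_private` is cleared on the second failure but not on the new first one. Mirroring the existing branch, `gmssl_secure_clear(private_key, 32); error_print(); return -1;`, keeps the cleanup consistent. Whether `secp256r1_from_32bytes` can actually fail part-way through is not visible here, but the cost of clearing is negligible.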
@@ -287,11 +287,11 @@ void sphincs_wots_derive_sk(const sphincs_hash128_t secret, sphincs_adrs_compress(adrs, adrsc); // sk[i] = prf(secret, adrs) - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, secret, sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, secret, sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, dgst); memcpy(sk[i], dgst, sizeof(sphincs_hash128_t)); } @@ -303,11 +303,11 @@ void sphincs_wots_chain(const sphincs_hash128_t x, int start, int steps, sphincs_hash128_t y) { const uint8_t uint32_zero[4] = {0}; - uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0}; + uint8_t block[SM3_BLOCK_SIZE] = {0}; sphincs_adrs_t adrs; sphincs_adrsc_t adrsc; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; int i; memcpy(block, seed, sizeof(sphincs_hash128_t)); @@ -324,12 +324,12 @@ void sphincs_wots_chain(const sphincs_hash128_t x, sphincs_adrs_set_hash_address(adrs, start + i); sphincs_adrs_compress(adrs, adrsc); - // y = hash256(blockpad(seed) || adrsc || y) - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(sphincs_adrsc_t)); - sphincs_hash256_update(&ctx, y, sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, dgst); + // y = block_hash(blockpad(seed) || adrsc || y) + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(sphincs_adrsc_t)); + sm3_update(&ctx, y, sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, dgst); memcpy(y, dgst, sizeof(sphincs_hash128_t)); } 
@@ -438,11 +438,11 @@ void sphincs_wots_pk_to_root(const sphincs_wots_key_t pk, const sphincs_hash128_t seed, const sphincs_adrs_t in_adrs, sphincs_hash128_t root) { - uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0}; + uint8_t block[SM3_BLOCK_SIZE] = {0}; sphincs_adrs_t adrs = {0}; sphincs_adrsc_t adrsc; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; memcpy(block, seed, sizeof(sphincs_hash128_t)); @@ -452,11 +452,11 @@ void sphincs_wots_pk_to_root(const sphincs_wots_key_t pk, sphincs_adrs_copy_keypair_address(adrs, in_adrs); sphincs_adrs_compress(adrs, adrsc); - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, pk[0], sizeof(sphincs_wots_key_t)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, pk[0], sizeof(sphincs_wots_key_t)); + sm3_finish(&ctx, dgst); memcpy(root, dgst, sizeof(sphincs_hash128_t)); } 
@@ -465,15 +465,15 @@ void sphincs_tree_hash(const sphincs_hash128_t left_child, const sphincs_hash128 const sphincs_hash128_t seed, const sphincs_adrs_t adrs, sphincs_hash128_t parent) { - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx, adrs, sizeof(sphincs_adrs_t)); - sphincs_hash256_update(&ctx, left_child, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx, right_child, sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, seed, sizeof(sphincs_hash128_t)); + sm3_update(&ctx, adrs, sizeof(sphincs_adrs_t)); + sm3_update(&ctx, left_child, sizeof(sphincs_hash128_t)); + sm3_update(&ctx, right_child, sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, dgst); memcpy(parent, dgst, sizeof(sphincs_hash128_t)); } @@ -801,11 +801,11 @@ void sphincs_fors_derive_sk(const sphincs_hash128_t secret, const sphincs_hash128_t seed, const sphincs_adrs_t in_adrs, uint32_t fors_index, sphincs_hash128_t sk) { - uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0}; + uint8_t block[SM3_BLOCK_SIZE] = {0}; sphincs_adrs_t adrs; sphincs_adrsc_t adrsc; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; // blockpad(seed) memcpy(block, seed, sizeof(sphincs_hash128_t)); 
@@ -820,12 +820,12 @@ void sphincs_fors_derive_sk(const sphincs_hash128_t secret, // compress adrs sphincs_adrs_compress(adrs, adrsc); - // sk = prf(seed, secret, adrs) = hash256(blockpad(seed)||adrsc||secret) - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, secret, sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, dgst); + // sk = prf(seed, secret, adrs) = block_hash(blockpad(seed)||adrsc||secret) + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, secret, sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, dgst); memcpy(sk, dgst, sizeof(sphincs_hash128_t)); gmssl_secure_clear(dgst, sizeof(dgst)); @@ -840,8 +840,8 @@ void sphincs_fors_build_tree(const sphincs_hash128_t secret, sphincs_adrsc_t adrsc; uint32_t n = 1 << SPHINCS_FORS_TREE_HEIGHT; uint32_t tree_index; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; sphincs_hash128_t *children; sphincs_hash128_t *parents; uint32_t h; @@ -864,11 +864,11 @@ void sphincs_fors_build_tree(const sphincs_hash128_t secret, sphincs_adrs_compress(adrs, adrsc); - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, tree[i], sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, tree[i], sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, dgst); memcpy(tree[i], dgst, sizeof(sphincs_hash128_t)); } 
@@ -898,8 +898,8 @@ void sphincs_fors_derive_root(const sphincs_hash128_t secret, sphincs_adrsc_t adrsc; sphincs_hash128_t tree[SPHINCS_FORS_TREE_NUM_NODES]; sphincs_hash128_t roots[SPHINCS_FORS_NUM_TREES]; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; int i; memcpy(block, seed, sizeof(sphincs_hash128_t)); @@ -917,11 +917,11 @@ void sphincs_fors_derive_root(const sphincs_hash128_t secret, memcpy(roots[i], tree[SPHINCS_FORS_TREE_NUM_NODES - 1], sizeof(sphincs_hash128_t)); } - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, roots[0], sizeof(roots)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, roots[0], sizeof(roots)); + sm3_finish(&ctx, dgst); memcpy(root, dgst, sizeof(sphincs_hash128_t)); } @@ -1013,8 +1013,8 @@ void sphincs_fors_sign(const sphincs_hash128_t secret, uint8_t block[64] = {0}; sphincs_adrs_t adrs; sphincs_adrsc_t adrsc; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t root; + SM3_CTX ctx; + sphincs_sm3_digest_t root; tree_index = index[0]; @@ -1027,11 +1027,11 @@ void sphincs_fors_sign(const sphincs_hash128_t secret, sphincs_adrs_compress(adrs, adrsc); - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, sig->fors_sk[0], sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, root); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, sig->fors_sk[0], sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, root); format_bytes(stderr, 0, 4, "fors_tree[0]", root, 16); 
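Review bot: `sphincs_fors_sign` keeps `uint8_t block[64] = {0};` (the context line just above the renamed declarations) while the rest of this commit switches the same buffer to `uint8_t block[SM3_BLOCK_SIZE] = {0};`; `sphincs_fors_sig_to_root` in the next hunk has the same literal. Since the rename already touches these declarations, using `SM3_BLOCK_SIZE` in both keeps the block-padding length tied to the hash that now fills it. The unconditional `format_bytes(stderr, 0, 4, "fors_tree[0]", root, 16);` that follows in the signing routine looks like leftover debug output and is worth removing or guarding in the same pass.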
@@ -1072,8 +1072,8 @@ void sphincs_fors_sig_to_root(const SPHINCS_FORS_SIGNATURE *sig, uint8_t block[64] = {0}; sphincs_adrs_t adrs; sphincs_adrsc_t adrsc; - SPHINCS_HASH256_CTX ctx; - sphincs_hash256_t dgst; + SM3_CTX ctx; + sphincs_sm3_digest_t dgst; uint32_t index[14]; uint32_t tree_index; @@ -1103,11 +1103,11 @@ void sphincs_fors_sig_to_root(const SPHINCS_FORS_SIGNATURE *sig, sphincs_adrs_compress(adrs, adrsc); - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, sig->fors_sk[i], sizeof(sphincs_hash128_t)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, sig->fors_sk[i], sizeof(sphincs_hash128_t)); + sm3_finish(&ctx, dgst); memcpy(root, dgst, 16); @@ -1148,11 +1148,11 @@ void sphincs_fors_sig_to_root(const SPHINCS_FORS_SIGNATURE *sig, sphincs_adrs_compress(adrs, adrsc); - sphincs_hash256_init(&ctx); - sphincs_hash256_update(&ctx, block, sizeof(block)); - sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc)); - sphincs_hash256_update(&ctx, fors_tree_roots[0], sizeof(fors_tree_roots)); - sphincs_hash256_finish(&ctx, dgst); + sm3_init(&ctx); + sm3_update(&ctx, block, sizeof(block)); + sm3_update(&ctx, adrsc, sizeof(adrsc)); + sm3_update(&ctx, fors_tree_roots[0], sizeof(fors_tree_roots)); + sm3_finish(&ctx, dgst); memcpy(root, dgst, 16); 
@@ -1419,10 +1419,10 @@ int sphincs_sign_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const sp ctx->key = *key; // R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M) - sphincs_hmac256_init(&ctx->hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t)); + sm3_hmac_init(&ctx->hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t)); if (opt_rand) - sphincs_hmac256_update(&ctx->hmac_ctx, opt_rand, sizeof(sphincs_hash128_t)); - else sphincs_hmac256_update(&ctx->hmac_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); + sm3_hmac_update(&ctx->hmac_ctx, opt_rand, sizeof(sphincs_hash128_t)); + else sm3_hmac_update(&ctx->hmac_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); // state ctx->state = 1; @@ -1463,7 +1463,7 @@ int sphincs_sign_prepare(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t data if (data && datalen) { // R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M...) - sphincs_hmac256_update(&ctx->hmac_ctx, data, datalen); + sm3_hmac_update(&ctx->hmac_ctx, data, datalen); // sum datalen ctx->round1_msglen += datalen; } 
@@ -1480,17 +1480,17 @@ int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datal // state if (ctx->state == 2) { - sphincs_hash256_t dgst; + sphincs_sm3_digest_t dgst; // R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M) - sphincs_hmac256_finish(&ctx->hmac_ctx, dgst); + sm3_hmac_finish(&ctx->hmac_ctx, dgst); memcpy(ctx->sig.random, dgst, sizeof(sphincs_hash128_t)); - // dgst = HASH256(R|seed|root|M...) - sphincs_hash256_init(&ctx->hash_ctx); - sphincs_hash256_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.root, sizeof(sphincs_hash128_t)); + // dgst = SM3(R|seed|root|M...) + sm3_init(&ctx->hash_ctx); + sm3_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, ctx->key.public_key.root, sizeof(sphincs_hash128_t)); ctx->state = 3; } @@ -1500,8 +1500,8 @@ int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datal } if (data && datalen) { - // dgst = HASH256(R|seed|root|M...) - sphincs_hash256_update(&ctx->hash_ctx, data, datalen); + // dgst = SM3(R|seed|root|M...) + sm3_update(&ctx->hash_ctx, data, datalen); // sum datalen ctx->round2_msglen += datalen; } @@ -1511,7 +1511,7 @@ int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datal int sphincs_sign_finish_ex(SPHINCS_SIGN_CTX *ctx, SPHINCS_SIGNATURE *sig) { - sphincs_hash256_t dgst; + sphincs_sm3_digest_t dgst; uint8_t tbs[SPHINCS_TBS_SIZE]; uint32_t i; uint8_t tree_address_buf[8] = {0}; 
@@ -1534,22 +1534,22 @@ int sphincs_sign_finish_ex(SPHINCS_SIGN_CTX *ctx, SPHINCS_SIGNATURE *sig) return -1; } - // dgst = HASH256(R|seed|root|M) - sphincs_hash256_finish(&ctx->hash_ctx, dgst); + // dgst = SM3(R|seed|root|M) + sm3_finish(&ctx->hash_ctx, dgst); // tbs = H_msg(R, seed, root, M) = MGF1(R|seed|dgst, tbs_len) for (i = 0; i < (SPHINCS_TBS_SIZE + 31)/32; i++) { uint8_t count[4]; - sphincs_hash256_t h_msg; + sphincs_sm3_digest_t h_msg; size_t left; PUTU32(count, i); - sphincs_hash256_init(&ctx->hash_ctx); - sphincs_hash256_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, dgst, sizeof(dgst)); - sphincs_hash256_update(&ctx->hash_ctx, count, sizeof(count)); - sphincs_hash256_finish(&ctx->hash_ctx, h_msg); + sm3_init(&ctx->hash_ctx); + sm3_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, dgst, sizeof(dgst)); + sm3_update(&ctx->hash_ctx, count, sizeof(count)); + sm3_finish(&ctx->hash_ctx, h_msg); left = SPHINCS_TBS_SIZE - sizeof(dgst) * i; left = left < sizeof(dgst) ? left : sizeof(dgst); 
@@ -1626,11 +1626,11 @@ int sphincs_verify_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const ctx->sig = *sig; } - // dgst = HASH256(R|seed|root|M) - sphincs_hash256_init(&ctx->hash_ctx); - sphincs_hash256_update(&ctx->hash_ctx, sig->random, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t)); + // dgst = SM3(R|seed|root|M) + sm3_init(&ctx->hash_ctx); + sm3_update(&ctx->hash_ctx, sig->random, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t)); return 1; } @@ -1661,8 +1661,8 @@ int sphincs_verify_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t dat } if (data && datalen) { - // dgst = HASH256(R|seed|root|M) - sphincs_hash256_update(&ctx->hash_ctx, data, datalen); + // dgst = SM3(R|seed|root|M) + sm3_update(&ctx->hash_ctx, data, datalen); ctx->round1_msglen += datalen; } @@ -1671,7 +1671,7 @@ int sphincs_verify_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t dat int sphincs_verify_finish(SPHINCS_SIGN_CTX *ctx) { - sphincs_hash256_t dgst; + sphincs_sm3_digest_t dgst; uint8_t tbs[SPHINCS_TBS_SIZE]; uint8_t tree_address_buf[8] = {0}; uint8_t keypair_address_buf[4] = {0}; 
@@ -1686,22 +1686,22 @@ int sphincs_verify_finish(SPHINCS_SIGN_CTX *ctx) return -1; } - // dgst = HASH256(R|seed|root|M) - sphincs_hash256_finish(&ctx->hash_ctx, dgst); + // dgst = SM3(R|seed|root|M) + sm3_finish(&ctx->hash_ctx, dgst); // tbs = H_msg(R, seed, root, M) = MGF1(R|seed|dgst, tbs_len) for (i = 0; i < (SPHINCS_TBS_SIZE + 31)/32; i++) { uint8_t count[4]; - sphincs_hash256_t h_msg; + sphincs_sm3_digest_t h_msg; size_t left; PUTU32(count, i); - sphincs_hash256_init(&ctx->hash_ctx); - sphincs_hash256_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&ctx->hash_ctx, dgst, sizeof(dgst)); - sphincs_hash256_update(&ctx->hash_ctx, count, sizeof(count)); - sphincs_hash256_finish(&ctx->hash_ctx, h_msg); + sm3_init(&ctx->hash_ctx); + sm3_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t)); + sm3_update(&ctx->hash_ctx, dgst, sizeof(dgst)); + sm3_update(&ctx->hash_ctx, count, sizeof(count)); + sm3_finish(&ctx->hash_ctx, h_msg); left = SPHINCS_TBS_SIZE - sizeof(dgst) * i; left = left < sizeof(dgst) ? left : sizeof(dgst); diff --git a/src/x509_key.c b/src/x509_key.c index a4155a9f..8387a242 100644 --- a/src/x509_key.c +++ b/src/x509_key.c @@ -1049,7 +1049,10 @@ int ec_private_key_to_der(const X509_KEY *key, int encode_params, int encode_pub } pubkey = pubkey_buf; } - secp256r1_to_32bytes(key->u.secp256r1_key.private_key, prikey); + if (secp256r1_to_32bytes(key->u.secp256r1_key.private_key, prikey) != 1) { + error_print(); + return -1; + } break; #endif default: 
@@ -1159,7 +1162,10 @@ int ec_private_key_from_der(X509_KEY *key, int opt_curve, const uint8_t **in, si secp256r1_t p256_private; SECP256R1_KEY p256_pub; - secp256r1_from_32bytes(p256_private, prikey); + if (secp256r1_from_32bytes(p256_private, prikey) != 1) { + error_print(); + return -1; + } if (secp256r1_key_set_private_key(&key->u.secp256r1_key, p256_private) != 1) { gmssl_secure_clear(p256_private, sizeof(secp256r1_t)); error_print(); diff --git a/src/xmss.c b/src/xmss.c index ec4f4a62..2b0f39d0 100644 --- a/src/xmss.c +++ b/src/xmss.c @@ -22,14 +22,14 @@ #include -static const uint8_t xmss_hash256_two[] = { +static const uint8_t xmss_sm3_digest_two[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, }; -static const uint8_t xmss_hash256_three[] = { +static const uint8_t xmss_sm3_digest_three[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -53,7 +53,7 @@ static void uint32_from_bytes(uint32_t *a, const uint8_t **in, size_t *inlen) *inlen -= 4; } -static void xmss_hash256_to_bytes(const xmss_hash256_t hash, uint8_t **out, size_t *outlen) +static void xmss_sm3_digest_to_bytes(const xmss_sm3_digest_t hash, uint8_t **out, size_t *outlen) { if (out && *out) { memcpy(*out, hash, 32); @@ -62,7 +62,7 @@ static void xmss_hash256_to_bytes(const xmss_hash256_t hash, uint8_t **out, size *outlen += 32; } -static void hash256_from_bytes(xmss_hash256_t hash, const uint8_t **in, size_t *inlen) +static void sm3_digest_from_bytes(xmss_sm3_digest_t hash, const uint8_t **in, size_t *inlen) { memcpy(hash, *in, 32); *in += 32; 
@@ -234,17 +234,17 @@ int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_ad return 1; } -void xmss_wots_derive_sk(const xmss_hash256_t secret, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, +void xmss_wots_derive_sk(const xmss_sm3_digest_t secret, + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, xmss_wots_key_t sk) { - static const uint8_t hash256_four[] = { + static const uint8_t sm3_domain_four[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, }; - XMSS_HASH256_CTX ctx; + SM3_CTX ctx; xmss_adrs_t adrs; int chain; 
@@ -258,28 +258,28 @@ void xmss_wots_derive_sk(const xmss_hash256_t secret, xmss_adrs_set_hash_address(adrs, 0); xmss_adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_KEY); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, hash256_four, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, secret, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - xmss_hash256_finish(&ctx, sk[chain]); + sm3_init(&ctx); + sm3_update(&ctx, sm3_domain_four, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, secret, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, seed, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, adrs, sizeof(xmss_adrs_t)); + sm3_finish(&ctx, sk[chain]); } } -void xmss_wots_chain(const xmss_hash256_t x, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, - int start, int steps, xmss_hash256_t y) +void xmss_wots_chain(const xmss_sm3_digest_t x, + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, + int start, int steps, xmss_sm3_digest_t y) { - const xmss_hash256_t hash256_zero = {0}; - XMSS_HASH256_CTX ctx; + const xmss_sm3_digest_t sm3_domain_zero = {0}; + SM3_CTX ctx; xmss_adrs_t adrs; - xmss_hash256_t key; - xmss_hash256_t bitmask; + xmss_sm3_digest_t key; + xmss_sm3_digest_t bitmask; int i; // tmp = x - memcpy(y, x, sizeof(xmss_hash256_t)); + memcpy(y, x, sizeof(xmss_sm3_digest_t)); xmss_adrs_copy_layer_address(adrs, ots_adrs); xmss_adrs_copy_tree_address(adrs, ots_adrs); 
@@ -292,33 +292,33 @@ void xmss_wots_chain(const xmss_hash256_t x, // key = prf(seed, adrs) xmss_adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_KEY); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - xmss_hash256_finish(&ctx, key); + sm3_init(&ctx); + sm3_update(&ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, seed, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, adrs, sizeof(xmss_adrs_t)); + sm3_finish(&ctx, key); // bitmask = prf(seed, adrs) xmss_adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_BITMASK); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - xmss_hash256_finish(&ctx, bitmask); + sm3_init(&ctx); + sm3_update(&ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, seed, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, adrs, sizeof(xmss_adrs_t)); + sm3_finish(&ctx, bitmask); // tmp = f(key, tmp xor bitmask) - gmssl_memxor(y, y, bitmask, sizeof(xmss_hash256_t)); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, hash256_zero, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, key, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, y, sizeof(xmss_hash256_t)); - xmss_hash256_finish(&ctx, y); + gmssl_memxor(y, y, bitmask, sizeof(xmss_sm3_digest_t)); + sm3_init(&ctx); + sm3_update(&ctx, sm3_domain_zero, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, key, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, y, sizeof(xmss_sm3_digest_t)); + sm3_finish(&ctx, y); } } void xmss_wots_sk_to_pk(const xmss_wots_key_t sk, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, xmss_wots_key_t pk) { const int start = 0; 
@@ -339,8 +339,8 @@ void xmss_wots_sk_to_pk(const xmss_wots_key_t sk, // separate 256 bit digest into 256/4 = 64 step values, generate 3 checksum step values // output steps[i] in [0, w-1] = [0, 16-1] -// this implementation is for hash256 and w=16 only! -static void base_w_and_checksum(const xmss_hash256_t dgst, int steps[67]) +// this implementation is for SM3 and w=16 only! +static void base_w_and_checksum(const xmss_sm3_digest_t dgst, int steps[67]) { int csum = 0; int sbits; @@ -368,8 +368,8 @@ static void base_w_and_checksum(const xmss_hash256_t dgst, int steps[67]) } void xmss_wots_sign(const xmss_wots_key_t sk, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, - const xmss_hash256_t dgst, xmss_wots_key_t sig) + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, + const xmss_sm3_digest_t dgst, xmss_wots_key_t sig) { xmss_adrs_t adrs; const int start = 0; @@ -390,10 +390,10 @@ void xmss_wots_sign(const xmss_wots_key_t sk, } void xmss_wots_sig_to_pk(const xmss_wots_sig_t sig, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, - const xmss_hash256_t dgst, xmss_wots_key_t pk) + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, + const xmss_sm3_digest_t dgst, xmss_wots_key_t pk) { - xmss_hash256_t adrs; + xmss_sm3_digest_t adrs; int steps[67]; int chain; 
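Review bot: xmss_wots_sig_to_pk declares its address as `xmss_sm3_digest_t adrs;`, a mis-typing the rename carried over from the old `xmss_hash256_t adrs;`; the sibling xmss_wots_sign just above and xmss_wots_verify (hunk at -507) use `xmss_adrs_t adrs;`. It presumably compiles only because both typedefs are 32-byte arrays, and it misdocuments what the local holds; change it to `xmss_adrs_t adrs;`. The body of xmss_wots_sig_to_pk continues past the hunk.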
@@ -411,21 +411,21 @@ void xmss_wots_sig_to_pk(const xmss_wots_sig_t sig, } // TODO: need test and test vector -static void xmss_tree_hash(const xmss_hash256_t left_child, const xmss_hash256_t right_child, - const xmss_hash256_t seed, const xmss_adrs_t tree_adrs, - xmss_hash256_t parent) +static void xmss_tree_hash(const xmss_sm3_digest_t left_child, const xmss_sm3_digest_t right_child, + const xmss_sm3_digest_t seed, const xmss_adrs_t tree_adrs, + xmss_sm3_digest_t parent) { - static const uint8_t hash256_one[] = { + static const uint8_t sm3_domain_one[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, }; - XMSS_HASH256_CTX ctx; + SM3_CTX ctx; xmss_adrs_t adrs; - xmss_hash256_t key; - xmss_hash256_t bm0; - xmss_hash256_t bm1; + xmss_sm3_digest_t key; + xmss_sm3_digest_t bm0; + xmss_sm3_digest_t bm1; // copy adrs (and set the last key_and_mask) xmss_adrs_copy_layer_address(adrs, tree_adrs); 
@@ -437,43 +437,43 @@ static void xmss_tree_hash(const xmss_hash256_t left_child, const xmss_hash256_t // key = prf(seed, adrs) xmss_adrs_set_key_and_mask(adrs, 0); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - xmss_hash256_finish(&ctx, key); + sm3_init(&ctx); + sm3_update(&ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, seed, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, adrs, sizeof(xmss_adrs_t)); + sm3_finish(&ctx, key); // bm_0 = prf(seed, adrs) xmss_adrs_set_key_and_mask(adrs, 1); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - xmss_hash256_finish(&ctx, bm0); + sm3_init(&ctx); + sm3_update(&ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, seed, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, adrs, sizeof(xmss_adrs_t)); + sm3_finish(&ctx, bm0); // bm_1 = prf(seed, adrs) xmss_adrs_set_key_and_mask(adrs, 2); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - xmss_hash256_finish(&ctx, bm1); + sm3_init(&ctx); + sm3_update(&ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, seed, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, adrs, sizeof(xmss_adrs_t)); + sm3_finish(&ctx, bm1); // parent = Hash( tobyte(1, 32) || key || (left xor bm_0) || (right xor bm_1) ) - gmssl_memxor(bm0, bm0, left_child, sizeof(xmss_hash256_t)); - gmssl_memxor(bm1, bm1, right_child, sizeof(xmss_hash256_t)); - xmss_hash256_init(&ctx); - xmss_hash256_update(&ctx, hash256_one, sizeof(xmss_hash256_t)); - 
xmss_hash256_update(&ctx, key, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, bm0, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx, bm1, sizeof(xmss_hash256_t)); - xmss_hash256_finish(&ctx, parent); + gmssl_memxor(bm0, bm0, left_child, sizeof(xmss_sm3_digest_t)); + gmssl_memxor(bm1, bm1, right_child, sizeof(xmss_sm3_digest_t)); + sm3_init(&ctx); + sm3_update(&ctx, sm3_domain_one, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, key, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, bm0, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx, bm1, sizeof(xmss_sm3_digest_t)); + sm3_finish(&ctx, parent); } // ltree is wots+ leaf tree, (un-balanced) merkle tree from the 67 wots+ hashs void xmss_wots_pk_to_root(const xmss_wots_key_t in_pk, - const xmss_hash256_t seed, const xmss_adrs_t in_adrs, - xmss_hash256_t wots_root) + const xmss_sm3_digest_t seed, const xmss_adrs_t in_adrs, + xmss_sm3_digest_t wots_root) { xmss_wots_key_t pk; xmss_adrs_t adrs; @@ -507,13 +507,13 @@ void xmss_wots_pk_to_root(const xmss_wots_key_t in_pk, memcpy(wots_root, pk[0], 32); } -int xmss_wots_verify(const xmss_hash256_t wots_root, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, - const xmss_hash256_t dgst, const xmss_wots_sig_t sig) +int xmss_wots_verify(const xmss_sm3_digest_t wots_root, + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, + const xmss_sm3_digest_t dgst, const xmss_wots_sig_t sig) { xmss_adrs_t adrs; xmss_wots_key_t pk; - xmss_hash256_t root; + xmss_sm3_digest_t root; xmss_adrs_copy_layer_address(adrs, ots_adrs); xmss_adrs_copy_tree_address(adrs, ots_adrs); 
@@ -525,16 +525,16 @@ int xmss_wots_verify(const xmss_hash256_t wots_root, xmss_adrs_copy_ltree_address(adrs, ots_adrs); // ltree_address offset is same as ots_address xmss_wots_pk_to_root(pk, seed, adrs, root); - if (memcmp(root, wots_root, sizeof(xmss_hash256_t)) != 0) { + if (memcmp(root, wots_root, sizeof(xmss_sm3_digest_t)) != 0) { //error_print(); return 0; } return 1; } -void xmss_wots_derive_root(const xmss_hash256_t secret, - const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, - xmss_hash256_t wots_root) +void xmss_wots_derive_root(const xmss_sm3_digest_t secret, + const xmss_sm3_digest_t seed, const xmss_adrs_t ots_adrs, + xmss_sm3_digest_t wots_root) { xmss_adrs_t adrs; xmss_wots_key_t wots_key; @@ -561,13 +561,13 @@ size_t xmss_num_tree_nodes(size_t height) { return (1 << (height + 1)) - 1; } -void xmss_build_tree(const xmss_hash256_t secret, - const xmss_hash256_t seed, const xmss_adrs_t xmss_adrs, - size_t height, xmss_hash256_t *tree) +void xmss_build_tree(const xmss_sm3_digest_t secret, + const xmss_sm3_digest_t seed, const xmss_adrs_t xmss_adrs, + size_t height, xmss_sm3_digest_t *tree) { xmss_adrs_t adrs; - xmss_hash256_t *children; - xmss_hash256_t *parents; + xmss_sm3_digest_t *children; + xmss_sm3_digest_t *parents; size_t n = 1 << height; uint32_t h; // as tree_height uint32_t i; // as tree_index 
@@ -600,20 +600,20 @@ void xmss_build_tree(const xmss_hash256_t secret, } } -void xmss_build_auth_path(const xmss_hash256_t *tree, size_t height, uint32_t tree_index, xmss_hash256_t *auth_path) +void xmss_build_auth_path(const xmss_sm3_digest_t *tree, size_t height, uint32_t tree_index, xmss_sm3_digest_t *auth_path) { size_t h; for (h = 0; h < height; h++) { - memcpy(auth_path[h], tree[tree_index ^ 1], sizeof(xmss_hash256_t)); + memcpy(auth_path[h], tree[tree_index ^ 1], sizeof(xmss_sm3_digest_t)); tree += (1 << (height - h)); tree_index >>= 1; } } -void xmss_build_root(const xmss_hash256_t wots_root, uint32_t tree_index, - const xmss_hash256_t seed, const xmss_adrs_t xmss_adrs, - const xmss_hash256_t *auth_path, size_t height, - xmss_hash256_t root) +void xmss_build_root(const xmss_sm3_digest_t wots_root, uint32_t tree_index, + const xmss_sm3_digest_t seed, const xmss_adrs_t xmss_adrs, + const xmss_sm3_digest_t *auth_path, size_t height, + xmss_sm3_digest_t root) { xmss_adrs_t adrs; uint32_t h; @@ -623,7 +623,7 @@ void xmss_build_root(const xmss_hash256_t wots_root, uint32_t tree_index, xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); xmss_adrs_set_padding(adrs, 0); - memcpy(root, wots_root, sizeof(xmss_hash256_t)); + memcpy(root, wots_root, sizeof(xmss_sm3_digest_t)); for (h = 0; h < height; h++) { int right_child = tree_index & 1; @@ -640,9 +640,9 @@ void xmss_build_root(const xmss_hash256_t wots_root, uint32_t tree_index, int xmss_type_to_height(uint32_t xmss_type, size_t *height) { switch (xmss_type) { - case XMSS_HASH256_10_256: *height = 10; break; - case XMSS_HASH256_16_256: *height = 16; break; - case XMSS_HASH256_20_256: *height = 20; break; + case XMSS_SM3_10_256: *height = 10; break; + case XMSS_SM3_16_256: *height = 16; break; + case XMSS_SM3_20_256: *height = 20; break; default: error_print(); return -1; 
@@ -653,21 +653,21 @@ int xmss_type_to_height(uint32_t xmss_type, size_t *height)
 char *xmss_type_name(uint32_t type)
 {
 switch (type) {
- case XMSS_HASH256_10_256: return XMSS_HASH256_10_256_NAME;
- case XMSS_HASH256_16_256: return XMSS_HASH256_16_256_NAME;
- case XMSS_HASH256_20_256: return XMSS_HASH256_20_256_NAME;
+ case XMSS_SM3_10_256: return XMSS_SM3_10_256_NAME;
+ case XMSS_SM3_16_256: return XMSS_SM3_16_256_NAME;
+ case XMSS_SM3_20_256: return XMSS_SM3_20_256_NAME;
 }
 return NULL;
 }
 
 uint32_t xmss_type_from_name(const char *name)
 {
- if (!strcmp(name, XMSS_HASH256_10_256_NAME)) {
- return XMSS_HASH256_10_256;
- } else if (!strcmp(name, XMSS_HASH256_16_256_NAME)) {
- return XMSS_HASH256_16_256;
- } else if (!strcmp(name, XMSS_HASH256_20_256_NAME)) {
- return XMSS_HASH256_20_256;
+ if (!strcmp(name, XMSS_SM3_10_256_NAME)) {
+ return XMSS_SM3_10_256;
+ } else if (!strcmp(name, XMSS_SM3_16_256_NAME)) {
+ return XMSS_SM3_16_256;
+ } else if (!strcmp(name, XMSS_SM3_20_256_NAME)) {
+ return XMSS_SM3_20_256;
 }
 return 0;
 }
@@ -685,15 +685,15 @@ int xmss_private_key_size(uint32_t xmss_type, size_t *keysize)
 return -1;
 }
 *keysize = XMSS_PUBLIC_KEY_SIZE
- + sizeof(xmss_hash256_t)
- + sizeof(xmss_hash256_t)
+ + sizeof(xmss_sm3_digest_t)
+ + sizeof(xmss_sm3_digest_t)
 + sizeof(uint32_t)
- + sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height);
+ + sizeof(xmss_sm3_digest_t) * xmss_num_tree_nodes(height);
 return 1;
 }
 
 int xmss_key_generate_ex(XMSS_KEY *key, uint32_t xmss_type,
- const xmss_hash256_t seed, const xmss_hash256_t secret, const xmss_hash256_t sk_prf)
+ const xmss_sm3_digest_t seed, const xmss_sm3_digest_t secret, const xmss_sm3_digest_t sk_prf)
 {
 size_t height;
 xmss_adrs_t adrs;
@@ -707,20 +707,20 @@ int xmss_key_generate_ex(XMSS_KEY *key, uint32_t xmss_type, return -1; } memset(key, 0, sizeof(*key)); - if (!(key->tree = malloc(sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height)))) { + if (!(key->tree = malloc(sizeof(xmss_sm3_digest_t) * xmss_num_tree_nodes(height)))) { error_print(); return -1; } key->public_key.xmss_type = xmss_type; - memcpy(key->public_key.seed, seed, sizeof(xmss_hash256_t)); - memcpy(key->secret, secret, sizeof(xmss_hash256_t)); - memcpy(key->sk_prf, sk_prf, sizeof(xmss_hash256_t)); + memcpy(key->public_key.seed, seed, sizeof(xmss_sm3_digest_t)); + memcpy(key->secret, secret, sizeof(xmss_sm3_digest_t)); + memcpy(key->sk_prf, sk_prf, sizeof(xmss_sm3_digest_t)); xmss_adrs_set_layer_address(adrs, 0); xmss_adrs_set_tree_address(adrs, 0); xmss_build_tree(key->secret, key->public_key.seed, adrs, height, key->tree); - memcpy(key->public_key.root, key->tree[xmss_tree_root_offset(height)], sizeof(xmss_hash256_t)); + memcpy(key->public_key.root, key->tree[xmss_tree_root_offset(height)], sizeof(xmss_sm3_digest_t)); key->index = 0; return 1; } @@ -728,17 +728,17 @@ int xmss_key_generate_ex(XMSS_KEY *key, uint32_t xmss_type, int xmss_key_generate(XMSS_KEY *key, uint32_t xmss_type) { int ret = -1; - xmss_hash256_t seed; - xmss_hash256_t secret; - xmss_hash256_t sk_prf; + xmss_sm3_digest_t seed; + xmss_sm3_digest_t secret; + xmss_sm3_digest_t sk_prf; if (!key) { error_print(); return -1; } - if (rand_bytes(seed, sizeof(xmss_hash256_t)) != 1 - || rand_bytes(secret, sizeof(xmss_hash256_t)) != 1 - || rand_bytes(sk_prf, sizeof(xmss_hash256_t)) != 1) { + if (rand_bytes(seed, sizeof(xmss_sm3_digest_t)) != 1 + || rand_bytes(secret, sizeof(xmss_sm3_digest_t)) != 1 + || rand_bytes(sk_prf, sizeof(xmss_sm3_digest_t)) != 1) { error_print(); goto end; } 
@@ -820,9 +820,9 @@ int xmss_key_remaining_signs(const XMSS_KEY *key, size_t *count) void xmss_key_cleanup(XMSS_KEY *key) { if (key) { - gmssl_secure_clear(key->public_key.seed, sizeof(xmss_hash256_t)); // clear all RNG outputs - gmssl_secure_clear(key->secret, sizeof(xmss_hash256_t)); - gmssl_secure_clear(key->sk_prf, sizeof(xmss_hash256_t)); + gmssl_secure_clear(key->public_key.seed, sizeof(xmss_sm3_digest_t)); // clear all RNG outputs + gmssl_secure_clear(key->secret, sizeof(xmss_sm3_digest_t)); + gmssl_secure_clear(key->sk_prf, sizeof(xmss_sm3_digest_t)); if (key->tree) { free(key->tree); key->tree = NULL; @@ -837,8 +837,8 @@ int xmss_public_key_to_bytes(const XMSS_KEY *key, uint8_t **out, size_t *outlen) return -1; } uint32_to_bytes(key->public_key.xmss_type, out, outlen); - xmss_hash256_to_bytes(key->public_key.root, out, outlen); - xmss_hash256_to_bytes(key->public_key.seed, out, outlen); + xmss_sm3_digest_to_bytes(key->public_key.root, out, outlen); + xmss_sm3_digest_to_bytes(key->public_key.seed, out, outlen); return 1; } @@ -859,8 +859,8 @@ int xmss_public_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen) error_print(); return -1; } - hash256_from_bytes(key->public_key.root, in, inlen); - hash256_from_bytes(key->public_key.seed, in, inlen); + sm3_digest_from_bytes(key->public_key.root, in, inlen); + sm3_digest_from_bytes(key->public_key.seed, in, inlen); return 1; } 
@@ -869,8 +869,8 @@ int xmss_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X format_print(fp, fmt, ind, "%s\n", label); ind += 4; format_print(fp, fmt, ind, "type: %s\n", xmss_type_name(key->public_key.xmss_type)); - format_bytes(fp, fmt, ind, "seed", key->public_key.seed, sizeof(xmss_hash256_t)); - format_bytes(fp, fmt, ind, "root", key->public_key.root, sizeof(xmss_hash256_t)); + format_bytes(fp, fmt, ind, "seed", key->public_key.seed, sizeof(xmss_sm3_digest_t)); + format_bytes(fp, fmt, ind, "root", key->public_key.root, sizeof(xmss_sm3_digest_t)); return 1; } @@ -888,8 +888,8 @@ int xmss_private_key_to_bytes(const XMSS_KEY *key, uint8_t **out, size_t *outlen return -1; } uint32_to_bytes(key->index, out, outlen); - xmss_hash256_to_bytes(key->secret, out, outlen); - xmss_hash256_to_bytes(key->sk_prf, out, outlen); + xmss_sm3_digest_to_bytes(key->secret, out, outlen); + xmss_sm3_digest_to_bytes(key->sk_prf, out, outlen); if (key->tree == NULL) { error_print(); @@ -899,7 +899,7 @@ int xmss_private_key_to_bytes(const XMSS_KEY *key, uint8_t **out, size_t *outlen error_print(); return -1; } - tree_size = sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height); + tree_size = sizeof(xmss_sm3_digest_t) * xmss_num_tree_nodes(height); if (out && *out) { memcpy(*out, key->tree, tree_size); *out += tree_size; @@ -923,7 +923,7 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen return -1; } // check inlen without tree - if (*inlen < sizeof(uint32_t) + sizeof(xmss_hash256_t)*2) { + if (*inlen < sizeof(uint32_t) + sizeof(xmss_sm3_digest_t)*2) { error_print(); return -1; } 
@@ -932,7 +932,7 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen error_print(); return -1; } - tree_size = sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height); + tree_size = sizeof(xmss_sm3_digest_t) * xmss_num_tree_nodes(height); // prepare buffer (might failure ops) before load secrets if (!(key->tree = malloc(tree_size))) { @@ -946,8 +946,8 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen error_print(); return -1; } - hash256_from_bytes(key->secret, in, inlen); - hash256_from_bytes(key->sk_prf, in, inlen); + sm3_digest_from_bytes(key->secret, in, inlen); + sm3_digest_from_bytes(key->sk_prf, in, inlen); if (*inlen) { // load tree @@ -967,7 +967,7 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen // check if (memcmp(key->tree[xmss_tree_root_offset(height)], - key->public_key.root, sizeof(xmss_hash256_t)) != 0) { + key->public_key.root, sizeof(xmss_sm3_digest_t)) != 0) { xmss_key_cleanup(key); error_print(); return -1; @@ -980,8 +980,8 @@ int xmss_private_key_print(FILE *fp, int fmt, int ind, const char *label, const format_print(fp, fmt, ind, "%s\n", label); ind += 4; xmss_public_key_print(fp, fmt, ind, "public_key", key); - format_bytes(fp, fmt, ind, "secret", key->secret, sizeof(xmss_hash256_t)); - format_bytes(fp, fmt, ind, "sk_prf", key->sk_prf, sizeof(xmss_hash256_t)); + format_bytes(fp, fmt, ind, "secret", key->secret, sizeof(xmss_sm3_digest_t)); + format_bytes(fp, fmt, ind, "sk_prf", key->sk_prf, sizeof(xmss_sm3_digest_t)); format_print(fp, fmt, ind, "index: %"PRIu32"\n", key->index); return 1; } @@ -1002,7 +1002,7 @@ int xmss_signature_size(uint32_t xmss_type, size_t *siglen) *siglen = sizeof(sig.index) + sizeof(sig.random) + sizeof(sig.wots_sig) - + sizeof(xmss_hash256_t) * height; + + sizeof(xmss_sm3_digest_t) * height; return 1; } 
@@ -1039,12 +1039,12 @@ int xmss_signature_from_bytes(XMSS_SIGNATURE *sig, uint32_t xmss_type, const uin } uint32_from_bytes(&sig->index, in, inlen); - hash256_from_bytes(sig->random, in, inlen); + sm3_digest_from_bytes(sig->random, in, inlen); for (i = 0; i < XMSS_WOTS_NUM_CHAINS; i++) { - hash256_from_bytes(sig->wots_sig[i], in, inlen); + sm3_digest_from_bytes(sig->wots_sig[i], in, inlen); } for (i = 0; i < height; i++) { - hash256_from_bytes(sig->auth_path[i], in, inlen); + sm3_digest_from_bytes(sig->auth_path[i], in, inlen); } return 1; } @@ -1063,12 +1063,12 @@ int xmss_signature_to_bytes(const XMSS_SIGNATURE *sig, uint32_t xmss_type, uint8 return -1; } uint32_to_bytes(sig->index, out, outlen); - xmss_hash256_to_bytes(sig->random, out, outlen); + xmss_sm3_digest_to_bytes(sig->random, out, outlen); for (i = 0; i < XMSS_WOTS_NUM_CHAINS; i++) { - xmss_hash256_to_bytes(sig->wots_sig[i], out, outlen); + xmss_sm3_digest_to_bytes(sig->wots_sig[i], out, outlen); } for (i = 0; i < height; i++) { - xmss_hash256_to_bytes(sig->auth_path[i], out, outlen); + xmss_sm3_digest_to_bytes(sig->auth_path[i], out, outlen); } return 1; } @@ -1155,7 +1155,7 @@ int xmss_signature_print(FILE *fp, int fmt, int ind, const char *label, const ui int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key) { - xmss_hash256_t hash256_index = {0}; + xmss_sm3_digest_t sm3_digest_index = {0}; xmss_adrs_t adrs; size_t height; 
@@ -1181,13 +1181,13 @@ int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key) ctx->xmss_sig.index = key->index; // derive ctx->xmss_sig.random - PUTU32(hash256_index + 28, key->index); + PUTU32(sm3_digest_index + 28, key->index); // r = PRF(SK_PRF, toByte(idx_sig, 32)); - xmss_hash256_init(&ctx->hash256_ctx); - xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); - xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmss_sig.random); + sm3_init(&ctx->sm3_ctx); + sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, key->sk_prf, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t)); + sm3_finish(&ctx->sm3_ctx, ctx->xmss_sig.random); // wots_sk => ctx->xmss_sig.wots_sig xmss_adrs_set_layer_address(adrs, 0); @@ -1207,12 +1207,12 @@ int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key) } - // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - xmss_hash256_init(&ctx->hash256_ctx); - xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + // H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) + sm3_init(&ctx->sm3_ctx); + sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, ctx->xmss_sig.random, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t)); return 1; } 
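Review bot: The H_msg prefix — `PUTU32` of the index into a zeroed 32-byte block, then `sm3_init` and four `sm3_update` calls with `xmss_sm3_digest_two`, `r`, the root and the index block — is now written out three times: here at the end of xmss_sign_init, and again in xmss_verify_init_ex and xmss_verify_init (hunks at -1296 and -1323). Since the rename touched all three copies anyway, this is the moment to fold them into one static helper so a later change to the domain separator or the index encoding cannot drift between signer and verifier. A sketch of the helper and of this hunk's call site follows; the two verifier call sites pass `ctx->xmss_sig.index` in place of `key->index`. The r derivation earlier in xmss_sign_init keeps its own `sm3_digest_index`.
```c
// H_msg prefix shared by xmss_sign_init and xmss_verify_init*:
// SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M), M is fed by the *_update calls
static void xmss_hmsg_init(SM3_CTX *sm3_ctx, const xmss_sm3_digest_t random,
	const xmss_sm3_digest_t root, uint32_t index)
{
	xmss_sm3_digest_t sm3_digest_index = {0};

	PUTU32(sm3_digest_index + 28, index);
	sm3_init(sm3_ctx);
	sm3_update(sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
	sm3_update(sm3_ctx, random, sizeof(xmss_sm3_digest_t));
	sm3_update(sm3_ctx, root, sizeof(xmss_sm3_digest_t));
	sm3_update(sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
}

// … unchanged: xmss_sign_init up to and including the wots_sig derivation …
	xmss_hmsg_init(&ctx->sm3_ctx, ctx->xmss_sig.random, key->public_key.root, key->index);
	return 1;
}
```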
@@ -1224,7 +1224,7 @@ int xmss_sign_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } if (data && datalen) { - xmss_hash256_update(&ctx->hash256_ctx, data, datalen); + sm3_update(&ctx->sm3_ctx, data, datalen); } return 1; } @@ -1232,14 +1232,14 @@ int xmss_sign_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) int xmss_sign_finish_ex(XMSS_SIGN_CTX *ctx, XMSS_SIGNATURE *sig) { xmss_adrs_t adrs; - xmss_hash256_t dgst; + xmss_sm3_digest_t dgst; if (!ctx || !sig) { error_print(); return -1; } - xmss_hash256_finish(&ctx->hash256_ctx, dgst); + sm3_finish(&ctx->sm3_ctx, dgst); xmss_adrs_set_layer_address(adrs, 0); xmss_adrs_set_tree_address(adrs, 0); @@ -1257,14 +1257,14 @@ int xmss_sign_finish_ex(XMSS_SIGN_CTX *ctx, XMSS_SIGNATURE *sig) int xmss_sign_finish(XMSS_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) { xmss_adrs_t adrs; - xmss_hash256_t dgst; + xmss_sm3_digest_t dgst; if (!ctx || !sig || !siglen) { error_print(); return -1; } - xmss_hash256_finish(&ctx->hash256_ctx, dgst); + sm3_finish(&ctx->sm3_ctx, dgst); xmss_adrs_set_layer_address(adrs, 0); xmss_adrs_set_tree_address(adrs, 0); @@ -1284,7 +1284,7 @@ int xmss_sign_finish(XMSS_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) int xmss_verify_init_ex(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const XMSS_SIGNATURE *sig) { - xmss_hash256_t hash256_index = {0}; + xmss_sm3_digest_t sm3_digest_index = {0}; if (!ctx || !key || !sig) { error_print(); 
@@ -1296,19 +1296,19 @@ int xmss_verify_init_ex(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const XMSS_SIGN // cache xmss_sig ctx->xmss_sig = *sig; - // xmss_hash256_init - PUTU32(hash256_index + 28, ctx->xmss_sig.index); - xmss_hash256_init(&ctx->hash256_ctx); - xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + // sm3_init + PUTU32(sm3_digest_index + 28, ctx->xmss_sig.index); + sm3_init(&ctx->sm3_ctx); + sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, ctx->xmss_sig.random, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t)); return 1; } int xmss_verify_init(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const uint8_t *sig, size_t siglen) { - xmss_hash256_t hash256_index = {0}; + xmss_sm3_digest_t sm3_digest_index = {0}; if (!ctx || !key || !sig || !siglen) { error_print(); 
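Review bot: The comment `// sm3_init` above the `PUTU32` line in xmss_verify_init_ex only repeats the name of the call two lines below and says nothing about what is being absorbed, while the signer side (xmss_sign_init, hunk at -1207) spells the construction out. Reuse that wording here: `// H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M), M is fed by xmss_verify_update`. The same placeholder comment appears in xmss_verify_init in the next hunk (-1323).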
@@ -1323,13 +1323,13 @@ int xmss_verify_init(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const uint8_t *sig return -1; } - // xmss_hash256_init - PUTU32(hash256_index + 28, ctx->xmss_sig.index); - xmss_hash256_init(&ctx->hash256_ctx); - xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + // sm3_init + PUTU32(sm3_digest_index + 28, ctx->xmss_sig.index); + sm3_init(&ctx->sm3_ctx); + sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, ctx->xmss_sig.random, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t)); return 1; } @@ -1340,7 +1340,7 @@ int xmss_verify_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } if (data && datalen) { - xmss_hash256_update(&ctx->hash256_ctx, data, datalen); + sm3_update(&ctx->sm3_ctx, data, datalen); } return 1; } @@ -1349,9 +1349,9 @@ int xmss_verify_finish(XMSS_SIGN_CTX *ctx) { size_t height; uint32_t index; - xmss_hash256_t dgst; + xmss_sm3_digest_t dgst; xmss_adrs_t adrs; - xmss_hash256_t root; + xmss_sm3_digest_t root; if (!ctx) { error_print(); @@ -1368,7 +1368,7 @@ int xmss_verify_finish(XMSS_SIGN_CTX *ctx) index = ctx->xmss_sig.index; // dgst - xmss_hash256_finish(&ctx->hash256_ctx, dgst); + sm3_finish(&ctx->sm3_ctx, dgst); // wots_sig => wots_pk xmss_adrs_set_layer_address(adrs, 0); 
@@ -1409,36 +1409,36 @@ int xmss_verify_finish(XMSS_SIGN_CTX *ctx) char *xmssmt_type_name(uint32_t xmssmt_type) { switch (xmssmt_type) { - case XMSSMT_HASH256_20_2_256: return XMSSMT_HASH256_20_2_256_NAME; - case XMSSMT_HASH256_20_4_256: return XMSSMT_HASH256_20_4_256_NAME; - case XMSSMT_HASH256_40_2_256: return XMSSMT_HASH256_40_2_256_NAME; - case XMSSMT_HASH256_40_4_256: return XMSSMT_HASH256_40_4_256_NAME; - case XMSSMT_HASH256_40_8_256: return XMSSMT_HASH256_40_8_256_NAME; - case XMSSMT_HASH256_60_3_256: return XMSSMT_HASH256_60_3_256_NAME; - case XMSSMT_HASH256_60_6_256: return XMSSMT_HASH256_60_6_256_NAME; - case XMSSMT_HASH256_60_12_256: return XMSSMT_HASH256_60_12_256_NAME; + case XMSSMT_SM3_20_2_256: return XMSSMT_SM3_20_2_256_NAME; + case XMSSMT_SM3_20_4_256: return XMSSMT_SM3_20_4_256_NAME; + case XMSSMT_SM3_40_2_256: return XMSSMT_SM3_40_2_256_NAME; + case XMSSMT_SM3_40_4_256: return XMSSMT_SM3_40_4_256_NAME; + case XMSSMT_SM3_40_8_256: return XMSSMT_SM3_40_8_256_NAME; + case XMSSMT_SM3_60_3_256: return XMSSMT_SM3_60_3_256_NAME; + case XMSSMT_SM3_60_6_256: return XMSSMT_SM3_60_6_256_NAME; + case XMSSMT_SM3_60_12_256: return XMSSMT_SM3_60_12_256_NAME; } return NULL; } uint32_t xmssmt_type_from_name(const char *name) { - if (!strcmp(name, XMSSMT_HASH256_20_2_256_NAME)) { - return XMSSMT_HASH256_20_2_256; - } else if (!strcmp(name, XMSSMT_HASH256_20_4_256_NAME)) { - return XMSSMT_HASH256_20_4_256; - } else if (!strcmp(name, XMSSMT_HASH256_40_2_256_NAME)) { - return XMSSMT_HASH256_40_2_256; - } else if (!strcmp(name, XMSSMT_HASH256_40_4_256_NAME)) { - return XMSSMT_HASH256_40_4_256; - } else if (!strcmp(name, XMSSMT_HASH256_40_8_256_NAME)) { - return XMSSMT_HASH256_40_8_256; - } else if (!strcmp(name, XMSSMT_HASH256_60_3_256_NAME)) { - return XMSSMT_HASH256_60_3_256; - } else if (!strcmp(name, XMSSMT_HASH256_60_6_256_NAME)) { - return XMSSMT_HASH256_60_6_256; - } else if (!strcmp(name, XMSSMT_HASH256_60_12_256_NAME)) { - return XMSSMT_HASH256_60_12_256; + 
if (!strcmp(name, XMSSMT_SM3_20_2_256_NAME)) { + return XMSSMT_SM3_20_2_256; + } else if (!strcmp(name, XMSSMT_SM3_20_4_256_NAME)) { + return XMSSMT_SM3_20_4_256; + } else if (!strcmp(name, XMSSMT_SM3_40_2_256_NAME)) { + return XMSSMT_SM3_40_2_256; + } else if (!strcmp(name, XMSSMT_SM3_40_4_256_NAME)) { + return XMSSMT_SM3_40_4_256; + } else if (!strcmp(name, XMSSMT_SM3_40_8_256_NAME)) { + return XMSSMT_SM3_40_8_256; + } else if (!strcmp(name, XMSSMT_SM3_60_3_256_NAME)) { + return XMSSMT_SM3_60_3_256; + } else if (!strcmp(name, XMSSMT_SM3_60_6_256_NAME)) { + return XMSSMT_SM3_60_6_256; + } else if (!strcmp(name, XMSSMT_SM3_60_12_256_NAME)) { + return XMSSMT_SM3_60_12_256; } return 0; } @@ -1450,14 +1450,14 @@ int xmssmt_type_to_height_and_layers(uint32_t xmssmt_type, size_t *height, size_ return -1; } switch (xmssmt_type) { - case XMSSMT_HASH256_20_2_256: *height = 20; *layers = 2; break; - case XMSSMT_HASH256_20_4_256: *height = 20; *layers = 4; break; - case XMSSMT_HASH256_40_2_256: *height = 40; *layers = 2; break; - case XMSSMT_HASH256_40_4_256: *height = 40; *layers = 4; break; - case XMSSMT_HASH256_40_8_256: *height = 40; *layers = 8; break; - case XMSSMT_HASH256_60_3_256: *height = 60; *layers = 3; break; - case XMSSMT_HASH256_60_6_256: *height = 60; *layers = 6; break; - case XMSSMT_HASH256_60_12_256: *height = 60; *layers = 12; break; + case XMSSMT_SM3_20_2_256: *height = 20; *layers = 2; break; + case XMSSMT_SM3_20_4_256: *height = 20; *layers = 4; break; + case XMSSMT_SM3_40_2_256: *height = 40; *layers = 2; break; + case XMSSMT_SM3_40_4_256: *height = 40; *layers = 4; break; + case XMSSMT_SM3_40_8_256: *height = 40; *layers = 8; break; + case XMSSMT_SM3_60_3_256: *height = 60; *layers = 3; break; + case XMSSMT_SM3_60_6_256: *height = 60; *layers = 6; break; + case XMSSMT_SM3_60_12_256: *height = 60; *layers = 12; break; default: error_print(); return -1; 
@@ -1485,8 +1485,8 @@ int xmssmt_public_key_to_bytes(const XMSSMT_KEY *key, uint8_t **out, size_t *out return -1; } uint32_to_bytes(key->public_key.xmssmt_type, out, outlen); - xmss_hash256_to_bytes(key->public_key.root, out, outlen); - xmss_hash256_to_bytes(key->public_key.seed, out, outlen); + xmss_sm3_digest_to_bytes(key->public_key.root, out, outlen); + xmss_sm3_digest_to_bytes(key->public_key.seed, out, outlen); return 1; } @@ -1507,8 +1507,8 @@ int xmssmt_public_key_from_bytes(XMSSMT_KEY *key, const uint8_t **in, size_t *in error_print(); return -1; } - hash256_from_bytes(key->public_key.root, in, inlen); - hash256_from_bytes(key->public_key.seed, in, inlen); + sm3_digest_from_bytes(key->public_key.root, in, inlen); + sm3_digest_from_bytes(key->public_key.seed, in, inlen); return 1; } @@ -1523,10 +1523,10 @@ int xmssmt_private_key_size(uint32_t xmssmt_type, size_t *len) return -1; } *len = XMSSMT_PUBLIC_KEY_SIZE; - *len += sizeof(xmss_hash256_t); - *len += sizeof(xmss_hash256_t); + *len += sizeof(xmss_sm3_digest_t); + *len += sizeof(xmss_sm3_digest_t); xmssmt_index_to_bytes(index, xmssmt_type, NULL, len); - *len += sizeof(xmss_hash256_t) * xmssmt_num_trees_nodes(height, layers); + *len += sizeof(xmss_sm3_digest_t) * xmssmt_num_trees_nodes(height, layers); *len += sizeof(xmss_wots_sig_t) * (layers - 1); return 1; } @@ -1551,10 +1551,10 @@ int xmssmt_private_key_to_bytes(const XMSSMT_KEY *key, uint8_t **out, size_t *ou return -1; } xmssmt_index_to_bytes(key->index, key->public_key.xmssmt_type, out, outlen); - xmss_hash256_to_bytes(key->secret, out, outlen); - xmss_hash256_to_bytes(key->sk_prf, out, outlen); + xmss_sm3_digest_to_bytes(key->secret, out, outlen); + xmss_sm3_digest_to_bytes(key->sk_prf, out, outlen); - treeslen = sizeof(xmss_hash256_t) * xmssmt_num_trees_nodes(height, layers); + treeslen = sizeof(xmss_sm3_digest_t) * xmssmt_num_trees_nodes(height, layers); if (out && *out) { memcpy(*out, key->trees, treeslen); *out += treeslen; 
@@ -1596,14 +1596,14 @@ int xmssmt_private_key_from_bytes(XMSSMT_KEY *key, const uint8_t **in, size_t *i error_print(); return -1; } - hash256_from_bytes(key->secret, in, inlen); - hash256_from_bytes(key->sk_prf, in, inlen); + sm3_digest_from_bytes(key->secret, in, inlen); + sm3_digest_from_bytes(key->sk_prf, in, inlen); if (xmssmt_type_to_height_and_layers(key->public_key.xmssmt_type, &height, &layers) != 1) { error_print(); return -1; } - treeslen = sizeof(xmss_hash256_t) * xmssmt_num_trees_nodes(height, layers); + treeslen = sizeof(xmss_sm3_digest_t) * xmssmt_num_trees_nodes(height, layers); if (!(key->trees = malloc(treeslen))) { error_print(); return -1; @@ -1634,10 +1634,10 @@ int xmssmt_key_update(XMSSMT_KEY *key) size_t height; size_t layers; size_t layer; - xmss_hash256_t *tree; + xmss_sm3_digest_t *tree; uint64_t next_index; xmss_adrs_t adrs; - uint8_t *xmss_root; // FIXME: use xmss_hash256_t* + uint8_t *xmss_root; // FIXME: use xmss_sm3_digest_t* if (!key) { error_print(); @@ -1694,9 +1694,9 @@ int xmssmt_key_update(XMSSMT_KEY *key) void xmssmt_key_cleanup(XMSSMT_KEY *key) { if (key) { - gmssl_secure_clear(key->public_key.seed, sizeof(xmss_hash256_t)); // clear all RNG outputs - gmssl_secure_clear(key->secret, sizeof(xmss_hash256_t)); - gmssl_secure_clear(key->sk_prf, sizeof(xmss_hash256_t)); + gmssl_secure_clear(key->public_key.seed, sizeof(xmss_sm3_digest_t)); // clear all RNG outputs + gmssl_secure_clear(key->secret, sizeof(xmss_sm3_digest_t)); + gmssl_secure_clear(key->sk_prf, sizeof(xmss_sm3_digest_t)); if (key->trees) { free(key->trees); } 
@@ -1705,13 +1705,13 @@ void xmssmt_key_cleanup(XMSSMT_KEY *key) } int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, - const xmss_hash256_t seed, const xmss_hash256_t secret, const xmss_hash256_t sk_prf) + const xmss_sm3_digest_t seed, const xmss_sm3_digest_t secret, const xmss_sm3_digest_t sk_prf) { size_t height; size_t layers; uint32_t layer; xmss_adrs_t adrs; - xmss_hash256_t *tree; + xmss_sm3_digest_t *tree; uint8_t *xmss_root; @@ -1735,9 +1735,9 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, key->public_key.xmssmt_type = xmssmt_type; - memcpy(key->public_key.seed, seed, sizeof(xmss_hash256_t)); - memcpy(key->secret, secret, sizeof(xmss_hash256_t)); - memcpy(key->sk_prf, sk_prf, sizeof(xmss_hash256_t)); + memcpy(key->public_key.seed, seed, sizeof(xmss_sm3_digest_t)); + memcpy(key->secret, secret, sizeof(xmss_sm3_digest_t)); + memcpy(key->sk_prf, sk_prf, sizeof(xmss_sm3_digest_t)); @@ -1745,7 +1745,7 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, key->index = 0; // malloc tress - if (!(key->trees = malloc(xmssmt_num_trees_nodes(height, layers) * sizeof(xmss_hash256_t)))) { + if (!(key->trees = malloc(xmssmt_num_trees_nodes(height, layers) * sizeof(xmss_sm3_digest_t)))) { error_print(); return -1; } @@ -1774,8 +1774,8 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, /* - xmss_hash256_t *tree2 = key->trees + xmss_num_tree_nodes(height/layers) * layer; - xmss_hash256_t xmss_root2 = tree2[xmss_tree_root_offset(height/layers)]; + xmss_sm3_digest_t *tree2 = key->trees + xmss_num_tree_nodes(height/layers) * layer; + xmss_sm3_digest_t xmss_root2 = tree2[xmss_tree_root_offset(height/layers)]; fprintf(stderr, "%p %p\n", tree, tree2); 
@@ -1788,12 +1788,12 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, } // copy the top-level root - memcpy(key->public_key.root, xmss_root, sizeof(xmss_hash256_t)); + memcpy(key->public_key.root, xmss_root, sizeof(xmss_sm3_digest_t)); tree = key->trees; - xmss_hash256_t root; + xmss_sm3_digest_t root; xmss_wots_key_t wots_pk; @@ -1831,21 +1831,21 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type) { - xmss_hash256_t seed; - xmss_hash256_t secret; - xmss_hash256_t sk_prf; + xmss_sm3_digest_t seed; + xmss_sm3_digest_t secret; + xmss_sm3_digest_t sk_prf; - if (rand_bytes(seed, sizeof(xmss_hash256_t)) != 1) { + if (rand_bytes(seed, sizeof(xmss_sm3_digest_t)) != 1) { error_print(); return -1; } - if (rand_bytes(secret, sizeof(xmss_hash256_t)) != 1) { + if (rand_bytes(secret, sizeof(xmss_sm3_digest_t)) != 1) { error_print(); return -1; } - if (rand_bytes(sk_prf, sizeof(xmss_hash256_t)) != 1) { + if (rand_bytes(sk_prf, sizeof(xmss_sm3_digest_t)) != 1) { error_print(); return -1; } @@ -1859,7 +1859,7 @@ int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type) } // not checked -int xmssmt_build_auth_path(const xmss_hash256_t *tree, size_t height, size_t layers, uint64_t index, xmss_hash256_t *auth_path) +int xmssmt_build_auth_path(const xmss_sm3_digest_t *tree, size_t height, size_t layers, uint64_t index, xmss_sm3_digest_t *auth_path) { size_t i; @@ -1893,7 +1893,7 @@ int xmssmt_private_key_print(FILE *fp, int fmt, int ind, const char *label, cons { size_t height; size_t layers; - xmss_hash256_t *tree; + xmss_sm3_digest_t *tree; size_t i; format_print(fp, fmt, ind, "%s\n", label); 
@@ -1912,7 +1912,7 @@ int xmssmt_private_key_print(FILE *fp, int fmt, int ind, const char *label, cons size_t j; format_print(fp, fmt, ind, "wots_sig\n"); for (j = 0; j < 67; j++) { - format_bytes(stderr, 0, ind+4, "", key->wots_sigs[i][j], sizeof(xmss_hash256_t)); + format_bytes(stderr, 0, ind+4, "", key->wots_sigs[i][j], sizeof(xmss_sm3_digest_t)); } } */ @@ -2012,9 +2012,9 @@ int xmssmt_signature_size(uint32_t xmssmt_type, size_t *siglen) error_print(); return -1; } - *siglen += sizeof(xmss_hash256_t); + *siglen += sizeof(xmss_sm3_digest_t); *siglen += sizeof(xmss_wots_sig_t) * layers; - *siglen += sizeof(xmss_hash256_t) * height; + *siglen += sizeof(xmss_sm3_digest_t) * height; return 1; } @@ -2051,15 +2051,15 @@ int xmssmt_signature_to_bytes(const XMSSMT_SIGNATURE *sig, uint32_t xmssmt_type, error_print(); return -1; } - xmss_hash256_to_bytes(sig->random, out, outlen); + xmss_sm3_digest_to_bytes(sig->random, out, outlen); size_t layer; for (layer = 0; layer < layers; layer++) { for (i = 0; i < 67; i++) { - xmss_hash256_to_bytes(sig->wots_sigs[layer][i], out, outlen); + xmss_sm3_digest_to_bytes(sig->wots_sigs[layer][i], out, outlen); } for (i = 0; i < height/layers; i++) { - xmss_hash256_to_bytes(sig->auth_path[(height/layers) * layer + i], out, outlen); + xmss_sm3_digest_to_bytes(sig->auth_path[(height/layers) * layer + i], out, outlen); } } } 
@@ -2099,17 +2099,17 @@ int xmssmt_signature_from_bytes(XMSSMT_SIGNATURE *sig, uint32_t xmssmt_type, con } // random - hash256_from_bytes(sig->random, in, inlen); + sm3_digest_from_bytes(sig->random, in, inlen); for (layer = 0; layer < layers; layer++) { size_t i; // wots_sig for (i = 0; i < 67; i++) { - hash256_from_bytes(sig->wots_sigs[layer][i], in, inlen); + sm3_digest_from_bytes(sig->wots_sigs[layer][i], in, inlen); } // auth_path for (i = 0; i < height/layers; i++) { - hash256_from_bytes(sig->auth_path[(height/layers) * layer + i], in, inlen); + sm3_digest_from_bytes(sig->auth_path[(height/layers) * layer + i], in, inlen); } } 
@@ -2174,37 +2174,37 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const //format_print(fp, fmt, ind, "index: %u"PRIu64"\n", index); format_print(fp, fmt, ind, "index: %llu\n", (unsigned long long)index); - if (siglen < sizeof(xmss_hash256_t)) { + if (siglen < sizeof(xmss_sm3_digest_t)) { error_print(); return -1; } - format_bytes(fp, fmt, ind, "random", sig, sizeof(xmss_hash256_t)); - sig += sizeof(xmss_hash256_t); - siglen -= sizeof(xmss_hash256_t); + format_bytes(fp, fmt, ind, "random", sig, sizeof(xmss_sm3_digest_t)); + sig += sizeof(xmss_sm3_digest_t); + siglen -= sizeof(xmss_sm3_digest_t); for (layer = 0; layer < layers; layer++) { format_print(fp, fmt, ind, "redurced_xmss_signature[%zu]\n", layer); format_print(fp, fmt, ind+4, "wots_sig\n"); for (i = 0; i < 67; i++) { format_print(fp, fmt, ind+4, "%zu ", i); - if (siglen < sizeof(xmss_hash256_t)) { + if (siglen < sizeof(xmss_sm3_digest_t)) { error_print(); return -1; } - format_bytes(fp, fmt, 0, "", sig, sizeof(xmss_hash256_t)); - sig += sizeof(xmss_hash256_t); - siglen -= sizeof(xmss_hash256_t); + format_bytes(fp, fmt, 0, "", sig, sizeof(xmss_sm3_digest_t)); + sig += sizeof(xmss_sm3_digest_t); + siglen -= sizeof(xmss_sm3_digest_t); } format_print(fp, fmt, ind+4, "auth_path\n"); for (i = 0; i < height/layers; i++) { format_print(fp, fmt, ind+8, "%zu ", i); - if (siglen < sizeof(xmss_hash256_t)) { + if (siglen < sizeof(xmss_sm3_digest_t)) { error_print(); return -1; } - format_bytes(fp, fmt, 0, "", sig, sizeof(xmss_hash256_t)); - sig += sizeof(xmss_hash256_t); - siglen -= sizeof(xmss_hash256_t); + format_bytes(fp, fmt, 0, "", sig, sizeof(xmss_sm3_digest_t)); + sig += sizeof(xmss_sm3_digest_t); + siglen -= sizeof(xmss_sm3_digest_t); } } if (siglen) { 
@@ -2221,7 +2221,7 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key) size_t layer; uint64_t tree_address; uint32_t tree_index; - xmss_hash256_t hash256_index; + xmss_sm3_digest_t sm3_digest_index; xmss_adrs_t adrs; if (!ctx || !key) { @@ -2254,8 +2254,8 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key) // build auth_path for (layer = 0; layer < layers; layer++) { - xmss_hash256_t *tree; - xmss_hash256_t *auth_path; + xmss_sm3_digest_t *tree; + xmss_sm3_digest_t *auth_path; tree = key->trees + xmss_num_tree_nodes(height/layers) * layer; tree_index = (uint32_t)xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer; @@ -2263,13 +2263,13 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key) } // derive ctx->xmssmt_sig.random - memset(hash256_index, 0, 24); - PUTU64(hash256_index + 24, ctx->xmssmt_sig.index); - xmss_hash256_init(&ctx->hash256_ctx); - xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); - xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random); + memset(sm3_digest_index, 0, 24); + PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index); + sm3_init(&ctx->sm3_ctx); + sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, key->sk_prf, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t)); + sm3_finish(&ctx->sm3_ctx, ctx->xmssmt_sig.random); // derive wots_sk and save to wots_sigs[0] layer = 0; 
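Review bot: The random-derivation lines renamed in this hunk still hard-code the byte offset 24 in `memset(sm3_digest_index, 0, 24);` and `PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index);`, while every neighbouring length now reads `sizeof(xmss_sm3_digest_t)`, so the zero padding and the index position are no longer tied to the digest width they depend on. Writing them as `memset(sm3_digest_index, 0, sizeof(xmss_sm3_digest_t) - sizeof(uint64_t));` and `PUTU64(sm3_digest_index + sizeof(xmss_sm3_digest_t) - sizeof(uint64_t), ctx->xmssmt_sig.index);` keeps toByte(idx_sig, 32) correct by construction. The same pair appears in xmssmt_verify_init_ex (@@ -2384), xmssmt_verify_init (@@ -2423) and test_xmssmt_sign (@@ -986). Since the buffer holds the encoded index rather than a digest, a name such as `index_bytes` would describe it better than `sm3_digest_index`; xmssmt_sign_init continues past the end of this hunk.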
@@ -2281,12 +2281,12 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key)
 xmss_adrs_set_ots_address(adrs, tree_index);
 xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]);
- // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
- xmss_hash256_init(&ctx->hash256_ctx);
- xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t));
+ // H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
+ sm3_init(&ctx->sm3_ctx);
+ sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, ctx->xmssmt_sig.random, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
 xmssmt_key_update(key);
@@ -2301,7 +2301,7 @@ int xmssmt_sign_update(XMSSMT_SIGN_CTX *ctx, const uint8_t *data, size_t datalen
 return -1;
 }
 if (data && datalen) {
- xmss_hash256_update(&ctx->hash256_ctx, data, datalen);
+ sm3_update(&ctx->sm3_ctx, data, datalen);
 }
 return 1;
 }
@@ -2315,14 +2315,14 @@ int xmssmt_sign_finish_ex(XMSSMT_SIGN_CTX *ctx, XMSSMT_SIGNATURE *sig)
 uint64_t tree_address;
 uint32_t tree_index;
 xmss_adrs_t adrs;
- xmss_hash256_t dgst;
+ xmss_sm3_digest_t dgst;
 if (!ctx || !sig) {
 error_print();
 return -1;
 }
- xmss_hash256_finish(&ctx->hash256_ctx, dgst);
+ sm3_finish(&ctx->sm3_ctx, dgst);
 if (xmssmt_type_to_height_and_layers(ctx->xmssmt_public_key.xmssmt_type, &height, &layers) != 1) {
 error_print();
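Review bot: `xmssmt_key_update(key);` at the end of this hunk still discards its return value, although xmssmt_key_update (@@ -1634) reports failure with error_print() and -1; in a stateful scheme a signature must not be produced unless the key's index has actually advanced, because the next call would otherwise reuse the same WOTS+ key and the one-time property on which unforgeability rests is gone. I would make that line `if (xmssmt_key_update(key) != 1) { error_print(); return -1; }`; xmssmt_sign_init continues past the hunk, so check that nothing after it assumes the update succeeded silently. The H_msg prefix absorption above it is repeated verbatim in xmssmt_verify_init_ex (@@ -2384), xmssmt_verify_init (@@ -2423) and test_xmssmt_sign (@@ -1010); a static helper such as the one below keeps the copies from drifting, which matters because signer/verifier disagreement only surfaces as a verification failure.
```c
// Absorb the fixed H_msg prefix toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32);
// the message itself is fed afterwards through the caller's update() calls.
static void xmssmt_hmsg_init(SM3_CTX *sm3_ctx, const uint8_t *random,
	const uint8_t *root, const uint8_t *index_bytes)
{
	sm3_init(sm3_ctx);
	sm3_update(sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
	sm3_update(sm3_ctx, random, sizeof(xmss_sm3_digest_t));
	sm3_update(sm3_ctx, root, sizeof(xmss_sm3_digest_t));
	sm3_update(sm3_ctx, index_bytes, sizeof(xmss_sm3_digest_t));
}

	/* … unchanged: auth_path construction, random and wots_sk derivation … */
	xmssmt_hmsg_init(&ctx->sm3_ctx, ctx->xmssmt_sig.random, key->public_key.root, sm3_digest_index);

	// the index must be consumed before the signature can be released
	if (xmssmt_key_update(key) != 1) {
		error_print();
		return -1;
	}
```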
@@ -2368,7 +2368,7 @@ int xmssmt_sign_finish(XMSSMT_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen)
 int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMSSMT_SIGNATURE *sig)
 {
- xmss_hash256_t hash256_index;
+ xmss_sm3_digest_t sm3_digest_index;
 if (!ctx || !key || !sig) {
 error_print();
@@ -2384,15 +2384,15 @@ int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMS
 // copy ctx->xmssmt_sig
 ctx->xmssmt_sig = *sig;
- memset(hash256_index, 0, 24);
- PUTU64(hash256_index + 24, ctx->xmssmt_sig.index);
+ memset(sm3_digest_index, 0, 24);
+ PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index);
- // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
- xmss_hash256_init(&ctx->hash256_ctx);
- xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t));
+ // H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
+ sm3_init(&ctx->sm3_ctx);
+ sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, ctx->xmssmt_sig.random, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
 return 1;
 }
@@ -2400,7 +2400,7 @@ int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMS
 // check compatible publickey and sig
 int xmssmt_verify_init(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const uint8_t *sig, size_t siglen)
 {
- xmss_hash256_t hash256_index;
+ xmss_sm3_digest_t sm3_digest_index;
 if (!ctx || !key || !sig) {
 error_print();
 return -1;
@@ -2423,15 +2423,15 @@ int xmssmt_verify_init(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const uint8_ } - memset(hash256_index, 0, 24); - PUTU64(hash256_index + 24, ctx->xmssmt_sig.index); + memset(sm3_digest_index, 0, 24); + PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index); - // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - xmss_hash256_init(&ctx->hash256_ctx); - xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); - xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + // H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) + sm3_init(&ctx->sm3_ctx); + sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, ctx->xmssmt_sig.random, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t)); + sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t)); return 1; } @@ -2443,7 +2443,7 @@ int xmssmt_verify_update(XMSSMT_SIGN_CTX *ctx, const uint8_t *data, size_t datal return -1; } if (data && datalen) { - xmss_hash256_update(&ctx->hash256_ctx, data, datalen); + sm3_update(&ctx->sm3_ctx, data, datalen); } return 1; } @@ -2454,9 +2454,9 @@ int xmssmt_verify_finish(XMSSMT_SIGN_CTX *ctx) size_t layers; size_t layer; xmss_adrs_t adrs; - xmss_hash256_t dgst; + xmss_sm3_digest_t dgst; - xmss_hash256_finish(&ctx->hash256_ctx, dgst); + sm3_finish(&ctx->sm3_ctx, dgst); if (xmssmt_type_to_height_and_layers(ctx->xmssmt_public_key.xmssmt_type, &height, &layers) != 1) { error_print(); 
@@ -2490,7 +2490,7 @@ int xmssmt_verify_finish(XMSSMT_SIGN_CTX *ctx)
 }
 // verify xmssmt_root (save in dgst)
- if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_hash256_t)) != 0) {
+ if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_sm3_digest_t)) != 0) {
 error_print();
 return -1;
 }
diff --git a/tests/ecdsatest.c b/tests/ecdsatest.c
index 0d46e726..be98230a 100644
--- a/tests/ecdsatest.c
+++ b/tests/ecdsatest.c
@@ -80,9 +80,42 @@ static int test_ecdsa(void)
 return 1;
 }
+static int test_ecdsa_verify_infinity(void)
+{
+ SECP256R1_KEY key;
+ ECDSA_SIGNATURE sig;
+ secp256r1_t d;
+ uint8_t dgst[32];
+ size_t dgstlen;
+
+ if (secp256r1_set_one(d) != 1
+ || secp256r1_key_set_private_key(&key, d) != 1
+ || secp256r1_set_one(sig.r) != 1
+ || secp256r1_set_one(sig.s) != 1) {
+ error_print();
+ return -1;
+ }
+
+ // e = n - 1, so u1 * G + u2 * Q = (n - 1)G + G = O for Q = G
+ if (hex_to_bytes("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550",
+ 64, dgst, &dgstlen) != 1
+ || dgstlen != sizeof(dgst)) {
+ error_print();
+ return -1;
+ }
+ if (ecdsa_do_verify(&key, dgst, &sig) != 0) {
+ error_print();
+ return -1;
+ }
+
+ printf("%s() ok\n", __FUNCTION__);
+ return 1;
+}
+
 int main(void)
 {
 if (test_ecdsa() != 1) goto err;
+ if (test_ecdsa_verify_infinity() != 1) goto err;
 printf("%s all tests passed\n", __FILE__);
 return 0;
diff --git a/tests/secp256r1test.c b/tests/secp256r1test.c
index 1aec70be..e1ace387 100644
--- a/tests/secp256r1test.c
+++ b/tests/secp256r1test.c
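Review bot: test_ecdsa_verify_infinity pins the result of ecdsa_do_verify to exactly 0 without saying why that value, and not -1, is the one that matters: u1*G + u2*Q is the point at infinity here, and a verifier that simply read the x-coordinate of whatever representation the infinity point carries and compared it with r could accept the signature. A comment above the check, e.g. `// O has no affine x: verify must report an invalid signature (0), not an error (-1), and must never compare r against leftover coordinates`, records that intent for the next reader. It would also be worth signing a message with the same key inside this test and checking that it verifies, so the test cannot pass merely because verification rejects every signature for d = 1.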
@@ -165,6 +165,36 @@ static int test_secp256r1_modp(void) return 1; } +static int test_secp256r1_mod_zero(void) +{ + secp256r1_t zero; + secp256r1_t r; + + if (secp256r1_set_zero(zero) != 1) { + error_print(); + return -1; + } + if (secp256r1_modp_neg(r, zero) != 1 || !secp256r1_is_zero(r)) { + error_print(); + return -1; + } + if (secp256r1_modn_neg(r, zero) != 1 || !secp256r1_is_zero(r)) { + error_print(); + return -1; + } + if (secp256r1_modp_inv(r, zero) != -1) { + error_print(); + return -1; + } + if (secp256r1_modn_inv(r, zero) != -1) { + error_print(); + return -1; + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + static int test_secp256r1_modn(void) { @@ -278,7 +308,10 @@ static int test_secp256r1_modn(void) static int test_secp256r1_point_at_infinity(void) { SECP256R1_POINT P; - secp256r1_point_set_infinity(&P); + if (secp256r1_point_set_infinity(&P) != 1) { + error_print(); + return -1; + } if (!secp256r1_point_is_at_infinity(&P)) { error_print(); @@ -316,7 +349,10 @@ static int test_secp256r1_point_set_xy(void) return -1; } - secp256r1_point_get_xy(&P, x1, y1); + if (secp256r1_point_get_xy(&P, x1, y1) != 1) { + error_print(); + return -1; + } if (secp256r1_cmp(x, x1) != 0 || secp256r1_cmp(y, y1) != 0) { @@ -353,8 +389,11 @@ static int test_secp256r1_point_dbl_add(void) size_t len; // test 2*G - secp256r1_point_dbl(&P, &SECP256R1_POINT_G); - secp256r1_point_get_xy(&P, x, y); + if (secp256r1_point_dbl(&P, &SECP256R1_POINT_G) != 1 + || secp256r1_point_get_xy(&P, x, y) != 1) { + error_print(); + return -1; + } secp256r1_point_print(stderr, 0, 4, "2*G", &P); 
@@ -369,8 +408,11 @@ static int test_secp256r1_point_dbl_add(void) } // test 2*G + G - secp256r1_point_add(&Q, &P, &SECP256R1_POINT_G); - secp256r1_point_get_xy(&Q, x, y); + if (secp256r1_point_add(&Q, &P, &SECP256R1_POINT_G) != 1 + || secp256r1_point_get_xy(&Q, x, y) != 1) { + error_print(); + return -1; + } hex_to_bytes("5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", 64, bytes, &len); secp256r1_from_32bytes(x1, bytes); @@ -407,8 +449,11 @@ static int test_secp256r1_point_mul(void) bytes[31] = 3; secp256r1_from_32bytes(k, bytes); - secp256r1_point_mul_generator(&P, k); - secp256r1_point_get_xy(&P, x, y); // 这个必须返回错误啊,否则没办法判断是否为无穷远点呢! + if (secp256r1_point_mul_generator(&P, k) != 1 + || secp256r1_point_get_xy(&P, x, y) != 1) { + error_print(); + return -1; + } hex_to_bytes(secp256r1_x_3G, 64, bytes, &len); secp256r1_from_32bytes(x1, bytes); @@ -424,7 +469,10 @@ static int test_secp256r1_point_mul(void) hex_to_bytes(secp256r1_n, 64, bytes, &len); secp256r1_from_32bytes(k, bytes); - secp256r1_point_mul_generator(&P, k); + if (secp256r1_point_mul_generator(&P, k) != 1) { + error_print(); + return -1; + } if (secp256r1_point_is_at_infinity(&P) != 1) { error_print(); @@ -442,7 +490,10 @@ static int test_secp256r1_point_to_uncompressed_octets(void) uint8_t octets[65]; - secp256r1_point_copy(&P, &SECP256R1_POINT_G); + if (secp256r1_point_copy(&P, &SECP256R1_POINT_G) != 1) { + error_print(); + return -1; + } if (secp256r1_point_to_uncompressed_octets(&P, octets) != 1) { error_print(); 
@@ -458,18 +509,58 @@ static int test_secp256r1_point_to_uncompressed_octets(void) return 1; } +static int test_secp256r1_point_infinity_edges(void) +{ + SECP256R1_POINT P; + SECP256R1_POINT Q; + SECP256R1_POINT R; + secp256r1_t x; + secp256r1_t y; + uint8_t octets[65]; + + if (secp256r1_point_neg(&Q, &SECP256R1_POINT_G) != 1 + || secp256r1_point_add(&R, &SECP256R1_POINT_G, &Q) != 1) { + error_print(); + return -1; + } + if (secp256r1_point_is_at_infinity(&R) != 1) { + error_print(); + return -1; + } + if (secp256r1_point_get_xy(&R, x, y) != -1) { + error_print(); + return -1; + } + if (secp256r1_point_to_uncompressed_octets(&R, octets) != -1) { + error_print(); + return -1; + } + + if (secp256r1_point_set_infinity(&P) != 1 + || secp256r1_point_equ(&P, &R) != 1 + || secp256r1_point_equ(&P, &SECP256R1_POINT_G) != 0) { + error_print(); + return -1; + } + + printf("%s() ok\n", __FUNCTION__); + return 1; +} + int main(void) { if (test_secp256r1() != 1) goto err; if (test_secp256r1_modp() != 1) goto err; if (test_secp256r1_modn() != 1) goto err; + if (test_secp256r1_mod_zero() != 1) goto err; if (test_secp256r1_point_at_infinity() != 1) goto err; if (test_secp256r1_point_is_on_curve() != 1) goto err; if (test_secp256r1_point_set_xy() != 1) goto err; if (test_secp256r1_point_dbl_add() != 1) goto err; if (test_secp256r1_point_mul() != 1) goto err; if (test_secp256r1_point_to_uncompressed_octets() != 1) goto err; + if (test_secp256r1_point_infinity_edges() != 1) goto err; printf("%s all tests passed\n", __FILE__); diff --git a/tests/sphincstest.c b/tests/sphincstest.c index bfab4304..b8419c5e 100644 --- a/tests/sphincstest.c +++ b/tests/sphincstest.c 
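Review bot: test_secp256r1_point_infinity_edges exercises G + (-G) but not the other exceptional input of a generic addition, P + P, which an incomplete Weierstrass add must route to the doubling formula instead of evaluating the generic one with coinciding inputs. Adding `secp256r1_point_add(&R, &SECP256R1_POINT_G, &SECP256R1_POINT_G)` and `secp256r1_point_dbl(&Q, &SECP256R1_POINT_G)` followed by `if (secp256r1_point_equ(&R, &Q) != 1) { error_print(); return -1; }` closes that gap, and `Q` is already declared in the test. Using O as an operand (`secp256r1_point_add(&R, &P, &SECP256R1_POINT_G)` after `P` is set to infinity, expecting G) would cover the remaining identity case.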
@@ -512,9 +512,9 @@ static int test_sphincs_sign(void) uint8_t msg[100] = {1, 2, 3, 0}; SPHINCS_SIGNATURE _sig; SPHINCS_SIGNATURE *sig = &_sig; - SPHINCS_HASH256_CTX hash_ctx; - SPHINCS_HMAC256_CTX hmac_ctx; - sphincs_hash256_t dgst; + SM3_CTX hash_ctx; + SM3_HMAC_CTX hmac_ctx; + sphincs_sm3_digest_t dgst; sphincs_hash128_t opt_rand; 
@@ -553,30 +553,30 @@ static int test_sphincs_sign(void) // 如果R是用M生成的,这意味着M要读取2遍,这就没办法用init/update范式了 // R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M) - sphincs_hmac256_init(&hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t)); - sphincs_hmac256_update(&hmac_ctx, opt_rand, sizeof(sphincs_hash128_t)); - sphincs_hmac256_update(&hmac_ctx, msg, sizeof(msg)); - sphincs_hmac256_finish(&hmac_ctx, dgst); + sm3_hmac_init(&hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t)); + sm3_hmac_update(&hmac_ctx, opt_rand, sizeof(sphincs_hash128_t)); + sm3_hmac_update(&hmac_ctx, msg, sizeof(msg)); + sm3_hmac_finish(&hmac_ctx, dgst); memcpy(sig->random, dgst, sizeof(sphincs_hash128_t)); - // dgst = HASH256(R|seed|root|M) - sphincs_hash256_init(&hash_ctx); - sphincs_hash256_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&hash_ctx, msg, sizeof(msg)); - sphincs_hash256_finish(&hash_ctx, dgst); + // dgst = SM3(R|seed|root|M) + sm3_init(&hash_ctx); + sm3_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t)); + sm3_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); + sm3_update(&hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t)); + sm3_update(&hash_ctx, msg, sizeof(msg)); + sm3_finish(&hash_ctx, dgst); // tbs = H_msg(R, seed, root, M) = MGF1(R|seed|dgst, tbs_len) for (i = 0; i < (SPHINCS_TBS_SIZE + 31)/32; i++) { uint8_t count[4]; PUTU32(count, i); - sphincs_hash256_init(&hash_ctx); - sphincs_hash256_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); - sphincs_hash256_update(&hash_ctx, dgst, sizeof(dgst)); - sphincs_hash256_update(&hash_ctx, count, sizeof(count)); - sphincs_hash256_finish(&hash_ctx, tbs + sizeof(dgst) * i); + sm3_init(&hash_ctx); + 
sm3_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t)); + sm3_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t)); + sm3_update(&hash_ctx, dgst, sizeof(dgst)); + sm3_update(&hash_ctx, count, sizeof(count)); + sm3_finish(&hash_ctx, tbs + sizeof(dgst) * i); } diff --git a/tests/x509_keytest.c b/tests/x509_keytest.c index 06e97f6c..876c4035 100644 --- a/tests/x509_keytest.c +++ b/tests/x509_keytest.c @@ -21,9 +21,9 @@ #ifdef ENABLE_LMS static int lms_types[] = { - LMS_HASH256_M32_H5, - LMS_HASH256_M32_H5, - LMS_HASH256_M32_H5, + LMS_SM3_M32_H5, + LMS_SM3_M32_H5, + LMS_SM3_M32_H5, }; #endif @@ -36,12 +36,12 @@ struct { { OID_ec_public_key, OID_secp256r1 }, #endif #ifdef ENABLE_LMS - { OID_lms_hashsig, LMS_HASH256_M32_H5 }, + { OID_lms_hashsig, LMS_SM3_M32_H5 }, { OID_hss_lms_hashsig, OID_undef }, // use lms_types[] #endif #ifdef ENABLE_XMSS - { OID_xmss_hashsig, XMSS_HASH256_10_256 }, - { OID_xmssmt_hashsig, XMSSMT_HASH256_20_4_256 }, + { OID_xmss_hashsig, XMSS_SM3_10_256 }, + { OID_xmssmt_hashsig, XMSSMT_SM3_20_4_256 }, #endif #ifdef ENABLE_SPHINCS { OID_sphincs_hashsig, OID_undef }, diff --git a/tests/xmsstest.c b/tests/xmsstest.c index 7f897e1c..ad56c668 100644 --- a/tests/xmsstest.c +++ b/tests/xmsstest.c 
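Review bot: In the MGF1 loop at the end of this hunk `sm3_finish(&hash_ctx, tbs + sizeof(dgst) * i);` writes a full 32-byte digest on every iteration, while the bound `(SPHINCS_TBS_SIZE + 31)/32` shows SPHINCS_TBS_SIZE is not assumed to be a multiple of 32; if `tbs` is declared with exactly SPHINCS_TBS_SIZE bytes (its declaration is outside the hunk) the last iteration runs past the end of the stack buffer. Finishing into a local `sphincs_sm3_digest_t block;` and copying the tail with `size_t left = SPHINCS_TBS_SIZE - 32 * i;` and `memcpy(tbs + 32 * i, block, left < 32 ? left : 32);` bounds the write; if the library's own H_msg uses the same loop, the same fix applies there. The `memcpy(sig->random, dgst, sizeof(sphincs_hash128_t));` above keeps only the first 16 bytes of the 32-byte HMAC output, which is intended for n = 16 but deserves a one-line comment saying so.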
@@ -45,237 +45,31 @@ static int test_xmss_adrs(void) } -#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) -static int test_wots_derive_sk(void) -{ - xmss_hash256_t secret = {0}; - xmss_hash256_t seed = {0}; - xmss_adrs_t adrs = {0}; - xmss_wots_key_t wots_sk; - xmss_wots_key_t test_sk; - size_t len; - - // sha256 test 1 - memset(secret, 0, sizeof(secret)); - memset(seed, 0, sizeof(seed)); - memset(adrs, 0, sizeof(adrs)); - hex_to_bytes("0cb52ea67abd5da0328099db02de310e4ab01ac39d0bbeb71e97eb7e83c467b5", 64, test_sk[0], &len); - hex_to_bytes("382c16f94b77905d4a6f78e1f38faf5ef914ac42324e356aeede056d356a5eeb", 64, test_sk[1], &len); - hex_to_bytes("ab08e768529903e533c9bf8b3ea8c69d36aedcee5ac78801f92d23ef758cfe03", 64, test_sk[66], &len); - - xmss_wots_derive_sk(secret, seed, adrs, wots_sk); - - if (memcmp(wots_sk[0], test_sk[0], 32) - || memcmp(wots_sk[1], test_sk[1], 32) - || memcmp(wots_sk[66], test_sk[66], 32)) { - error_print(); - return -1; - } - - // sha256 test 2 - memset(secret, 0x12, sizeof(secret)); - memset(seed, 0xab, sizeof(seed)); - memset(adrs, 0, sizeof(adrs)); - hex_to_bytes("1a50a39a53e6ef2480db612cef9456d0f33222f934c58bcba9d04fa91108faf6", 64, test_sk[0], &len); - hex_to_bytes("e45dad76c1b23975e898a365b8c73d13695a887ba2ba2377f840d3a3b7bf806c", 64, test_sk[1], &len); - hex_to_bytes("aaad735aa51662b8a48258561fb857b3f2b12a5802593522145b3b68355abf3b", 64, test_sk[66], &len); - - xmss_wots_derive_sk(secret, seed, adrs, wots_sk); - - if (memcmp(wots_sk[0], test_sk[0], 32) - || memcmp(wots_sk[1], test_sk[1], 32) - || memcmp(wots_sk[66], test_sk[66], 32)) { - error_print(); - return -1; - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} - -static int test_wots_sk_to_pk(void) -{ - xmss_hash256_t secret = {0}; - xmss_hash256_t seed = {0}; - xmss_adrs_t adrs = {0}; - xmss_wots_key_t wots_sk; - xmss_wots_key_t wots_pk; - xmss_wots_key_t test_pk; - size_t len; - - // sha256 test 2 - memset(secret, 0x12, sizeof(secret)); - memset(seed, 0xab, 
sizeof(seed)); - memset(adrs, 0, sizeof(adrs)); - hex_to_bytes("0c74a626695831994961641c487b70da83cd2aba2ba5c63c38ce72479b8a0ab9", 64, test_pk[0], &len); - hex_to_bytes("acf6be724d4b074d67330559ec24b3d42c9b9d87fa103e7f6be402ec3a2d41c1", 64, test_pk[1], &len); - hex_to_bytes("98691d83a657840d4b6f410e25fcd9a6480670ac9c090d3b79bc904ba7e131aa", 64, test_pk[66], &len); - - xmss_wots_derive_sk(secret, seed, adrs, wots_sk); - - xmss_wots_sk_to_pk(wots_sk, seed, adrs, wots_pk); - - if (memcmp(wots_pk[0], test_pk[0], 32) - || memcmp(wots_pk[1], test_pk[1], 32) - || memcmp(wots_pk[66], test_pk[66], 32)) { - error_print(); - return -1; - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} - -static int test_wots_sign(void) -{ - xmss_hash256_t secret = {0}; - xmss_hash256_t seed = {0}; - xmss_adrs_t adrs = {0}; - xmss_hash256_t dgst = {0}; - xmss_wots_key_t wots_sk; - xmss_wots_key_t wots_pk; - xmss_wots_sig_t wots_sig; - xmss_wots_sig_t test_sig; - xmss_wots_key_t sig_pk; - size_t len; - int i; - clock_t start = clock(); - - memset(secret, 0x12, sizeof(secret)); - memset(seed, 0xab, sizeof(seed)); - memset(adrs, 0, sizeof(adrs)); - for (i = 0; i < 32; i++) { - dgst[i] = i; // try different dgst, check base_w and checksum - } - hex_to_bytes("1a50a39a53e6ef2480db612cef9456d0f33222f934c58bcba9d04fa91108faf6", 64, test_sig[0], &len); - hex_to_bytes("e45dad76c1b23975e898a365b8c73d13695a887ba2ba2377f840d3a3b7bf806c", 64, test_sig[1], &len); - hex_to_bytes("75d2cfddd6ca9773fb9d0d17efe5c731c1a44f4b31352e26767623abf52911f9", 64, test_sig[15], &len); - hex_to_bytes("aaad735aa51662b8a48258561fb857b3f2b12a5802593522145b3b68355abf3b", 64, test_sig[66], &len); - - xmss_wots_derive_sk(secret, seed, adrs, wots_sk); - - xmss_wots_sk_to_pk(wots_sk, seed, adrs, wots_pk); - - xmss_wots_sign(wots_sk, seed, adrs, dgst, wots_sig); - - if (memcmp(wots_sig[0], test_sig[0], sizeof(xmss_hash256_t)) - || memcmp(wots_sig[1], test_sig[1], sizeof(xmss_hash256_t)) - || memcmp(wots_sig[15], test_sig[15], 
sizeof(xmss_hash256_t)) - || memcmp(wots_sig[66], test_sig[66], sizeof(xmss_hash256_t))) { - error_print(); - return -1; - } - - xmss_wots_sig_to_pk(wots_sig, seed, adrs, dgst, sig_pk); - - if (memcmp(sig_pk ,wots_pk, sizeof(xmss_wots_key_t))) { - error_print(); - return -1; - } - - test_print_elapsed(__FUNCTION__, start); - printf("%s() ok\n", __FUNCTION__); - return 1; -} - -static int test_wots_derive_root(void) -{ - xmss_hash256_t secret; - xmss_hash256_t seed; - xmss_adrs_t adrs; - xmss_hash256_t root; - xmss_hash256_t wots_0_root; - xmss_hash256_t wots_1023_root; - size_t len; - - memset(secret, 0x12, sizeof(xmss_hash256_t)); - memset(seed, 0xab, sizeof(xmss_hash256_t)); - hex_to_bytes("7A968C5F9AE4D2B781872B4E6EE851D55CC02F0AB9196701580D6F503D35DB68", 64, wots_0_root, &len); - hex_to_bytes("939E10CD44769D4D9853F7CF5612D6D83B3AA140A8867CCF34A1DBCC66FC4333", 64, wots_1023_root, &len); - - // wots index is 0 - xmss_adrs_set_layer_address(adrs, 0); - xmss_adrs_set_tree_address(adrs, 0); - xmss_adrs_set_ots_address(adrs, 0); - - xmss_wots_derive_root(secret, seed, adrs, root); - - if (memcmp(root, wots_0_root, sizeof(xmss_hash256_t)) != 0) { - error_print(); - return -1; - } - - // wots index is 1023 - xmss_adrs_set_layer_address(adrs, 0); - xmss_adrs_set_tree_address(adrs, 0); - xmss_adrs_set_ots_address(adrs, 1023); - - xmss_wots_derive_root(secret, seed, adrs, root); - - if (memcmp(root, wots_1023_root, sizeof(xmss_hash256_t)) != 0) { - error_print(); - return -1; - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} - -static int test_wots_verify(void) -{ - uint32_t index = 0; - xmss_hash256_t secret; - xmss_hash256_t seed; - xmss_adrs_t adrs; - xmss_wots_key_t sk; - xmss_hash256_t dgst; - xmss_wots_sig_t sig; - xmss_hash256_t root; - - - xmss_adrs_set_layer_address(adrs, 0); - xmss_adrs_set_tree_address(adrs, 0); - xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - xmss_adrs_set_ots_address(adrs, index); - - xmss_wots_derive_sk(secret, seed, adrs, sk); - 
xmss_wots_sign(sk, seed, adrs, dgst, sig); - xmss_wots_derive_root(secret, seed, adrs, root); - - if (xmss_wots_verify(root, seed, adrs, dgst, sig) != 1) { - error_print(); - return -1; - } - - printf("%s() ok\n", __FUNCTION__); - return 1; -} -#endif static int test_xmss_build_tree(void) { - xmss_hash256_t xmss_secret; - xmss_hash256_t seed; + xmss_sm3_digest_t xmss_secret; + xmss_sm3_digest_t seed; xmss_adrs_t adrs; int height = 10; - xmss_hash256_t *tree = malloc(32 * (1<xmssmt_sig.index = key->index; 
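Review bot: The SHA-256 cross-check functions deleted here (test_wots_derive_sk, test_wots_sk_to_pk, test_wots_sign, test_wots_derive_root, test_wots_verify) were the only tests in this file with fixed expected values for the WOTS+ layer; after the move to SM3 nothing visible pins xmss_wots_derive_sk, xmss_wots_sk_to_pk, xmss_wots_sign or xmss_wots_derive_root to a known answer, so a change that alters the chain or checksum construction consistently on both the signing and the verifying side would still pass the suite. Regenerating those vectors under SM3 with the same fixed inputs the old tests used (secret filled with 0x12, seed with 0xab, zeroed adrs) and restoring the functions without the `#if` guard would keep that safeguard. The `malloc(32 * ...)` line in test_xmss_build_tree also uses a literal 32 where the rest of this commit writes `sizeof(xmss_sm3_digest_t)`; the tail of this hunk is garbled in the page, so I could not see its remaining new-side lines.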
@@ -986,19 +780,19 @@ static int test_xmssmt_sign(void)
 // build auth_path
 for (layer = 0; layer < layers; layer++) {
 uint32_t tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer);
- xmss_hash256_t *tree = key->trees + xmss_num_tree_nodes(height/layers) * layer;
- xmss_hash256_t *auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer;
+ xmss_sm3_digest_t *tree = key->trees + xmss_num_tree_nodes(height/layers) * layer;
+ xmss_sm3_digest_t *auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer;
 xmss_build_auth_path(tree, height/layers, tree_index, auth_path);
 }
 // derive ctx->xmssmt_sig.random
- memset(hash256_index, 0, 24);
- PUTU64(hash256_index + 24, ctx->xmssmt_sig.index);
- xmss_hash256_init(&ctx->hash256_ctx);
- xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t));
- xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random);
+ memset(sm3_digest_index, 0, 24);
+ PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index);
+ sm3_init(&ctx->sm3_ctx);
+ sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, key->sk_prf, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
+ sm3_finish(&ctx->sm3_ctx, ctx->xmssmt_sig.random);
 // derive wots_sk and save to wots_sigs[0]
 layer = 0;
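Review bot: The index serialization in the new `memset(sm3_digest_index, 0, 24);` / `PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index);` pair hard-codes 24 as "digest width minus the 8-byte index", which is exactly the kind of constant this rename is about; `memset(sm3_digest_index, 0, sizeof(xmss_sm3_digest_t) - 8);` and `PUTU64(sm3_digest_index + sizeof(xmss_sm3_digest_t) - 8, ctx->xmssmt_sig.index);` tie it to the type, and the same buffer is then fed into the H_msg computation in the `@@ -1010,14 +804,14 @@` hunk. The derivation of `ctx->xmssmt_sig.random` also deserves the formula the next hunk gives for H_msg, e.g. `// r := SM3(toByte(3, 32) || SK_PRF || toByte(idx_sig, 32))`, assuming `xmss_sm3_digest_three` is the toByte(3, 32) constant as its name suggests. test_xmssmt_sign begins and ends outside this hunk.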
@@ -1010,14 +804,14 @@ static int test_xmssmt_sign(void)
 xmss_adrs_set_ots_address(adrs, tree_index);
 xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]);
- // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
- xmss_hash256_init(&ctx->hash256_ctx);
- xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t));
- xmss_hash256_update(&ctx->hash256_ctx, msg, sizeof(msg));
- xmss_hash256_finish(&ctx->hash256_ctx, dgst);
+ // H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
+ sm3_init(&ctx->sm3_ctx);
+ sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, ctx->xmssmt_sig.random, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
+ sm3_update(&ctx->sm3_ctx, msg, sizeof(msg));
+ sm3_finish(&ctx->sm3_ctx, dgst);
 // generate message wots_sig as wots_sigs[0]
 layer = 0;
@@ -1061,7 +855,7 @@ static int test_xmssmt_sign(void)
 }
 // verify xmssmt_root (save in dgst)
- if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_hash256_t)) != 0) {
+ if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_sm3_digest_t)) != 0) {
 error_print();
 return -1;
 }
@@ -1073,7 +867,7 @@ static int test_xmssmt_sign(void)
 static int test_xmssmt_sign_update(void)
 {
- uint32_t xmssmt_type = XMSSMT_HASH256_20_4_256;
+ uint32_t xmssmt_type = XMSSMT_SM3_20_4_256;
 XMSSMT_KEY key;
 XMSSMT_SIGN_CTX ctx;
 XMSSMT_SIGNATURE sig;
@@ -1160,13 +954,6 @@ static int test_xmssmt_sign_update(void)
 int main(void)
 {
-#if defined(ENABLE_LMS_CROSSCHECK) && defined(ENABLE_SHA2)
- if (test_wots_derive_sk() != 1) goto err;
- if (test_wots_sk_to_pk() != 1) goto err;
- if (test_wots_sign() != 1) goto err;
- if (test_wots_derive_root() != 1) goto err;
- if (test_wots_verify() != 1) goto err;
-#endif
 if (test_xmss_adrs() != 1) goto err;
 if (test_xmss_build_tree() != 1) goto err;
 if (test_xmss_build_root() != 1) goto err;
diff --git a/tools/xmsskeygen.c b/tools/xmsskeygen.c
index 5dff4eac..1f6cdb1f 100644
--- a/tools/xmsskeygen.c
+++ b/tools/xmsskeygen.c
@@ -22,9 +22,9 @@ static const char *usage = "-xmss_type type -out file [-pubout file] [-verbose]\
 static const char *options = "Options\n"
 " -xmss_type type XMSS Algorithm Type\n"
-" "XMSS_HASH256_10_256_NAME"\n"
-" "XMSS_HASH256_16_256_NAME"\n"
-" "XMSS_HASH256_20_256_NAME"\n"
+" "XMSS_SM3_10_256_NAME"\n"
+" "XMSS_SM3_16_256_NAME"\n"
+" "XMSS_SM3_20_256_NAME"\n"
 " -out file Output private key\n"
 " -pubout file Output public key\n"
 " -verbose Print public key\n"
diff --git a/tools/xmssmtkeygen.c b/tools/xmssmtkeygen.c
index 8a2aae90..5a1c6bf3 100644
--- a/tools/xmssmtkeygen.c
+++ b/tools/xmssmtkeygen.c
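Review bot: After this hunk main() no longer calls any WOTS-level test: test_wots_derive_sk, test_wots_sk_to_pk, test_wots_sign, test_wots_derive_root and test_wots_verify are deleted rather than ported, so xmss_wots_derive_root and xmss_wots_verify are now exercised only indirectly through test_xmss_build_tree and the xmssmt signing tests. The deleted test_wots_derive_root pinned known-answer roots for OTS index 0 and 1023; an SM3 counterpart with freshly generated, pinned vectors would keep a regression check on the primitive every signature ultimately hashes through. The removed guard tested ENABLE_LMS_CROSSCHECK rather than an XMSS option, so these tests may not have been compiled into this binary before either; worth confirming before treating the coverage as newly lost. main() continues past the end of the hunk.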
@@ -22,14 +22,14 @@ static const char *usage = "-xmssmt_type type -out file [-pubout file] [-verbose
 static const char *options = "Options\n"
 " -xmssmt_type type XMSSMT Algorithm Type\n"
-" "XMSSMT_HASH256_20_2_256_NAME"\n"
-" "XMSSMT_HASH256_20_4_256_NAME"\n"
-" "XMSSMT_HASH256_40_2_256_NAME"\n"
-" "XMSSMT_HASH256_40_4_256_NAME"\n"
-" "XMSSMT_HASH256_40_8_256_NAME"\n"
-" "XMSSMT_HASH256_60_3_256_NAME"\n"
-" "XMSSMT_HASH256_60_6_256_NAME"\n"
-" "XMSSMT_HASH256_60_12_256_NAME"\n"
+" "XMSSMT_SM3_20_2_256_NAME"\n"
+" "XMSSMT_SM3_20_4_256_NAME"\n"
+" "XMSSMT_SM3_40_2_256_NAME"\n"
+" "XMSSMT_SM3_40_4_256_NAME"\n"
+" "XMSSMT_SM3_40_8_256_NAME"\n"
+" "XMSSMT_SM3_60_3_256_NAME"\n"
+" "XMSSMT_SM3_60_6_256_NAME"\n"
+" "XMSSMT_SM3_60_12_256_NAME"\n"
 " -out file Output private key\n"
 " -pubout file Output public key\n"
 " -verbose Print public key\n"