abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-13 08:23:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Adjust SM2 API and tests

Browse Source
This commit is contained in:
Zhi Guan
2024-04-19 17:32:54 +08:00
parent 725817add9
commit ab7c9a7651
7 changed files with 170 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

190
src/pbkdf2.c
View File

@@ -1,190 +0,0 @@
/*
* Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
/*
PBKDF2 (P, S, c, dkLen)
Options: PRF underlying pseudorandom function (hLen
denotes the length in octets of the
pseudorandom function output)
Input: P password, an octet string
S salt, an octet string
c iteration count, a positive integer
dkLen intended length in octets of the derived
key, a positive integer, at most
(2^32 - 1) * hLen
Output: DK derived key, a dkLen-octet string
Steps:
1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
stop.
2. Let l be the number of hLen-octet blocks in the derived key,
rounding up, and let r be the number of octets in the last
block:
l = CEIL (dkLen / hLen) ,
r = dkLen - (l - 1) * hLen .
Here, CEIL (x) is the "ceiling" function, i.e. the smallest
integer greater than, or equal to, x.
3. For each block of the derived key apply the function F defined
below to the password P, the salt S, the iteration count c, and
the block index to compute the block:
T_1 = F (P, S, c, 1) ,
T_2 = F (P, S, c, 2) ,
...
T_l = F (P, S, c, l) ,
where the function F is defined as the exclusive-or sum of the
first c iterates of the underlying pseudorandom function PRF
applied to the password P and the concatenation of the salt S
and the block index i:
F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
where
U_1 = PRF (P, S || INT (i)) ,
U_2 = PRF (P, U_1) ,
...
U_c = PRF (P, U_{c-1}) .
Here, INT (i) is a four-octet encoding of the integer i, most
significant octet first.
4. Concatenate the blocks and extract the first dkLen octets to
produce a derived key DK:
DK = T_1 || T_2 || ... || T_l<0..r-1>
5. Output the derived key DK.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gmssl/asn1.h>
#include <gmssl/hmac.h>
#include <gmssl/digest.h>
#include <gmssl/error.h>
#include <gmssl/oid.h>
#include <gmssl/endian.h>
#include <gmssl/mem.h>
int pbkdf2_genkey(const DIGEST *digest,
const char *pass, size_t passlen,
const uint8_t *salt, size_t saltlen, size_t count,
size_t outlen, uint8_t *out)
{
HMAC_CTX ctx;
HMAC_CTX ctx_tmpl;
uint32_t iter = 1;
uint8_t iter_be[4];
uint8_t tmp_block[64];
uint8_t key_block[64];
size_t len;
hmac_init(&ctx_tmpl, digest, (uint8_t *)pass, passlen);
while (outlen > 0) {
size_t i;
PUTU32(iter_be, iter);
iter++;
ctx = ctx_tmpl;
hmac_update(&ctx, salt, saltlen);
hmac_update(&ctx, iter_be, sizeof(iter_be));
hmac_finish(&ctx, tmp_block, &len);
memcpy(key_block, tmp_block, len);
for (i = 1; i < count; i++) {
ctx = ctx_tmpl;
hmac_update(&ctx, tmp_block, len);
hmac_finish(&ctx, tmp_block, &len);
memxor(key_block, tmp_block, len);
}
if (outlen < len) {
memcpy(out, key_block, outlen);
out += outlen;
outlen = 0;
} else {
memcpy(out, key_block, len);
out += len;
outlen -= len;
}
}
memset(&ctx, 0, sizeof(ctx));
memset(key_block, 0, sizeof(key_block));
memset(tmp_block, 0, sizeof(key_block));
return 1;
}
/*
int pbkdf2_hmac_sm3_genkey(
const char *pass, size_t passlen,
const uint8_t *salt, size_t saltlen, size_t count,
size_t outlen, uint8_t *out)
{
SM3_HMAC_CTX ctx;
SM3_HMAC_CTX ctx_tmpl;
uint32_t iter = 1;
uint8_t iter_be[4];
uint8_t tmp_block[SM3_DIGEST_SIZE];
uint8_t key_block[SM3_DIGEST_SIZE];
// TODO: a bug in 3.0.0 is fixied. How to update release version 3.0.0 ? A test is also required!
sm3_hmac_init(&ctx_tmpl, (uint8_t *)pass, passlen);
while (outlen > 0) {
size_t i;
PUTU32(iter_be, iter);
iter++;
ctx = ctx_tmpl;
sm3_hmac_update(&ctx, salt, saltlen);
sm3_hmac_update(&ctx, iter_be, sizeof(iter_be));
sm3_hmac_finish(&ctx, tmp_block);
memcpy(key_block, tmp_block, SM3_DIGEST_SIZE);
for (i = 1; i < count; i++) {
ctx = ctx_tmpl;
sm3_hmac_update(&ctx, tmp_block, SM3_DIGEST_SIZE);
sm3_hmac_finish(&ctx, tmp_block);
memxor(key_block, tmp_block, SM3_DIGEST_SIZE);
}
if (outlen < SM3_DIGEST_SIZE) {
memcpy(out, key_block, outlen);
out += outlen;
outlen = 0;
} else {
memcpy(out, key_block, SM3_DIGEST_SIZE);
out += SM3_DIGEST_SIZE;
outlen -= SM3_DIGEST_SIZE;
}
}
memset(&ctx, 0, sizeof(ctx));
memset(key_block, 0, sizeof(key_block));
memset(tmp_block, 0, sizeof(key_block));
return 1;
}
*/

32
src/sm2_enc.c
View File

@@ -11,10 +11,9 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
#include <gmssl/sm2_z256.h>
#include <gmssl/sm3.h>
#include <gmssl/mem.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
#include <gmssl/endian.h>
@@ -31,6 +30,34 @@ static int all_zero(const uint8_t *buf, size_t len)
return 1;
}
int sm2_kdf(const uint8_t *in, size_t inlen, size_t outlen, uint8_t *out)
{
SM3_CTX ctx;
uint8_t counter_be[4];
uint8_t dgst[SM3_DIGEST_SIZE];
uint32_t counter = 1;
size_t len;
while (outlen) {
PUTU32(counter_be, counter);
counter++;
sm3_init(&ctx);
sm3_update(&ctx, in, inlen);
sm3_update(&ctx, counter_be, sizeof(counter_be));
sm3_finish(&ctx, dgst);
len = outlen < SM3_DIGEST_SIZE ? outlen : SM3_DIGEST_SIZE;
memcpy(out, dgst, len);
out += len;
outlen -= len;
}
memset(&ctx, 0, sizeof(SM3_CTX));
memset(dgst, 0, sizeof(dgst));
return 1;
}
int sm2_do_encrypt_pre_compute(sm2_z256_t k, uint8_t C1[64])
{
SM2_Z256_POINT P;
@@ -50,7 +77,6 @@ int sm2_do_encrypt_pre_compute(sm2_z256_t k, uint8_t C1[64])
return 1;
}
// key->public_key will not be point_at_infinity when decoded from_bytes/octets/der
int sm2_do_encrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, SM2_CIPHERTEXT *out)
{

30
src/sm2_sign.c
View File

@@ -13,7 +13,6 @@
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
#include <gmssl/sm2_z256.h>
#include <gmssl/sm3.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
@@ -391,35 +390,6 @@ int sm2_compute_z(uint8_t z[32], const SM2_Z256_POINT *pub, const char *id, size
return 1;
}
int sm2_kdf(const uint8_t *in, size_t inlen, size_t outlen, uint8_t *out)
{
SM3_CTX ctx;
uint8_t counter_be[4];
uint8_t dgst[SM3_DIGEST_SIZE];
uint32_t counter = 1;
size_t len;
while (outlen) {
PUTU32(counter_be, counter);
counter++;
sm3_init(&ctx);
sm3_update(&ctx, in, inlen);
sm3_update(&ctx, counter_be, sizeof(counter_be));
sm3_finish(&ctx, dgst);
len = outlen < SM3_DIGEST_SIZE ? outlen : SM3_DIGEST_SIZE;
memcpy(out, dgst, len);
out += len;
outlen -= len;
}
memset(&ctx, 0, sizeof(SM3_CTX));
memset(dgst, 0, sizeof(dgst));
return 1;
}
int sm2_sign_init(SM2_SIGN_CTX *ctx, const SM2_KEY *key, const char *id, size_t idlen)
{
size_t i;

83
src/sm2_z256.c
View File

@@ -569,6 +569,7 @@ void sm2_z256_modp_mont_exp(uint64_t r[4], const uint64_t a[4], const uint64_t e
sm2_z256_copy(r, t);
}
// caller should check a != 0
void sm2_z256_modp_mont_inv(uint64_t r[4], const uint64_t a[4])
{
uint64_t a1[4];
@@ -997,9 +998,16 @@ int sm2_z256_point_is_on_curve(const SM2_Z256_POINT *P)
return 1;
}
// 当Z == 0时会怎么样
void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4])
int sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4])
{
if (sm2_z256_point_is_at_infinity(P) == 1) {
sm2_z256_set_zero(x);
if (y) {
sm2_z256_set_zero(y);
}
return 0;
}
if (sm2_z256_cmp(P->Z, SM2_Z256_MODP_MONT_ONE) == 0) {
sm2_z256_modp_from_mont(x, P->X);
if (y) {
@@ -1019,6 +1027,8 @@ void sm2_z256_point_get_xy(const SM2_Z256_POINT *P, uint64_t x[4], uint64_t y[4]
sm2_z256_modp_from_mont(y, y);
}
}
return 1;
}
// impl with modified jacobian coordinates
@@ -1032,23 +1042,6 @@ void sm2_z256_point_dbl_x5(SM2_Z256_POINT *R, const SM2_Z256_POINT *A)
sm2_z256_point_dbl(R, R);
}
void sm2_z256_point_multi_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *P, unsigned int i)
{
const uint64_t *X1 = P->X;
const uint64_t *Y1 = P->Y;
const uint64_t *Z1 = P->Z;
uint64_t *X3 = R->X;
uint64_t *Y3 = R->Y;
uint64_t *Z3 = R->Z;
uint64_t A[4];
uint64_t B[4];
uint64_t C[4];
uint64_t D[4];
uint64_t E[4];
// A = Z1^2
}
#ifndef ENABLE_SM2_Z256_ARMV8
void sm2_z256_point_dbl(SM2_Z256_POINT *R, const SM2_Z256_POINT *A)
{
@@ -1337,15 +1330,17 @@ int sm2_z256_point_print(FILE *fp, int fmt, int ind, const char *label, const SM
uint64_t y[4];
uint8_t affine[64];
sm2_z256_point_get_xy(P, x, y);
sm2_z256_to_bytes(x, affine);
sm2_z256_to_bytes(y, affine + 32);
format_bytes(fp, fmt, ind, label, affine, 64);
if (sm2_z256_point_is_at_infinity(P) == 1) {
format_print(fp, fmt, ind, "%s: point_at_infinity\n", label);
} else {
uint8_t bytes[64];
sm2_z256_point_to_bytes(P, bytes);
format_bytes(fp, fmt, ind, label, bytes, 64);
}
return 1;
}
void sm2_z256_point_copy_affine(SM2_Z256_POINT *R, const SM2_Z256_AFFINE_POINT *P)
{
memcpy(R, P, sizeof(SM2_Z256_AFFINE_POINT));
@@ -1516,6 +1511,13 @@ int sm2_z256_point_from_bytes(SM2_Z256_POINT *P, const uint8_t in[64])
error_print();
return -1;
}
// point_at_infinity
if (sm2_z256_is_zero(P->X) == 1 && sm2_z256_is_zero(P->Y) == 1) {
sm2_z256_point_set_infinity(P);
return 0;
}
sm2_z256_modp_to_mont(P->X, P->X);
sm2_z256_modp_to_mont(P->Y, P->Y);
sm2_z256_copy(P->Z, SM2_Z256_MODP_MONT_ONE);
@@ -1533,7 +1535,6 @@ int sm2_z256_point_set_xy(SM2_Z256_POINT *R, const sm2_z256_t x, const sm2_z256_
error_print();
return -1;
}
if (sm2_z256_cmp(y, sm2_z256_prime()) >= 0) {
error_print();
return -1;
@@ -1550,23 +1551,34 @@ int sm2_z256_point_set_xy(SM2_Z256_POINT *R, const sm2_z256_t x, const sm2_z256_
return 1;
}
void sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex)
int sm2_z256_point_from_hex(SM2_Z256_POINT *P, const char *hex)
{
uint8_t bytes[64];
size_t len;
int ret;
hex_to_bytes(hex, 128, bytes, &len);
sm2_z256_point_from_bytes(P, bytes);
if ((ret = sm2_z256_point_from_bytes(P, bytes)) < 0) {
error_print();
return -1;
}
return ret;
}
void sm2_z256_point_to_bytes(const SM2_Z256_POINT *P, uint8_t out[64])
// point_at_infinity should not to_bytes
int sm2_z256_point_to_bytes(const SM2_Z256_POINT *P, uint8_t out[64])
{
uint64_t x[4];
uint64_t y[4];
int ret;
sm2_z256_point_get_xy(P, x, y);
if ((ret = sm2_z256_point_get_xy(P, x, y)) < 0) {
error_print();
return -1;
}
sm2_z256_to_bytes(x, out);
sm2_z256_to_bytes(y, out + 32);
return ret;
}
int sm2_z256_point_equ(const SM2_Z256_POINT *P, const SM2_Z256_POINT *Q)
@@ -1603,11 +1615,14 @@ int sm2_z256_point_equ_hex(const SM2_Z256_POINT *P, const char *hex)
uint8_t hex_bytes[64];
size_t len;
sm2_z256_point_to_bytes(P, P_bytes);
if (sm2_z256_point_to_bytes(P, P_bytes) < 0) {
error_print();
return 0;
}
hex_to_bytes(hex, 128, hex_bytes, &len);
if (memcmp(P_bytes, hex_bytes, 64) != 0) {
error_print();
return 0;
}
return 1;
@@ -1710,13 +1725,11 @@ int sm2_z256_point_to_compressed_octets(const SM2_Z256_POINT *P, uint8_t out[33]
sm2_z256_t x;
sm2_z256_t y;
if (sm2_z256_point_is_at_infinity(P)) {
if (sm2_z256_point_get_xy(P, x, y) != 1) {
error_print();
return -1;
}
sm2_z256_point_get_xy(P, x, y);
if (sm2_z256_is_odd(y)) {
out[0] = SM2_point_compressed_y_odd;
} else {
@@ -1735,7 +1748,7 @@ int sm2_z256_point_to_uncompressed_octets(const SM2_Z256_POINT *P, uint8_t out[6
return -1;
}
out[0] = SM2_point_uncompressed;
sm2_z256_point_to_bytes(P, out + 1);
(void)sm2_z256_point_to_bytes(P, out + 1);
return 1;
}