[tor-commits] [tor/master] Add the SHA-3 hash functions to common/crypto.h.
nickm at torproject.org
nickm at torproject.org
Sun Dec 20 20:00:26 UTC 2015
commit 687f9b3bd7b55bcf4d984d745e978c2a03aeb4e1
Author: Yawning Angel <yawning at schwanenlied.me>
Date: Fri Dec 18 22:15:01 2015 +0000
Add the SHA-3 hash functions to common/crypto.h.
* DIGEST_SHA3_[256,512] added as supported algorithms, which do
exactly what is said on the tin.
* test/bench now benchmarks all of the supported digest algorithms,
so it's possible to see just how slow SHA-3 is, though the message
sizes could probably use tweaking since this is very dependent on
the message size vs the SHA-3 rate.
---
src/common/crypto.c | 91 +++++++++++++---
src/common/crypto.h | 4 +-
src/or/include.am | 4 +-
src/test/bench.c | 40 +++++++
src/test/include.am | 11 +-
src/test/test_crypto.c | 274 ++++++++++++++++++++++++++++++++++++++++++++++++
src/tools/include.am | 3 +
7 files changed, 405 insertions(+), 22 deletions(-)
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 7f0f842..f66ae9e 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -64,6 +64,8 @@
#include "sandbox.h"
#include "util_format.h"
+#include "keccak-tiny/keccak-tiny.h"
+
#ifdef ANDROID
/* Android's OpenSSL seems to have removed all of its Engine support. */
#define DISABLE_ENGINES
@@ -1616,8 +1618,11 @@ crypto_digest256(char *digest, const char *m, size_t len,
{
tor_assert(m);
tor_assert(digest);
- tor_assert(algorithm == DIGEST_SHA256);
- return (SHA256((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+ tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
+ if (algorithm == DIGEST_SHA256)
+ return (SHA256((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+ else
+ return (sha3_256((uint8_t *)digest, DIGEST256_LEN, (const uint8_t *)m, len) == -1);
}
/** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
@@ -1629,8 +1634,11 @@ crypto_digest512(char *digest, const char *m, size_t len,
{
tor_assert(m);
tor_assert(digest);
- tor_assert(algorithm == DIGEST_SHA512);
- return (SHA512((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+ tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
+ if (algorithm == DIGEST_SHA512)
+ return (SHA512((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+ else
+ return (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len) == -1);
}
/** Set the digests_t in <b>ds_out</b> to contain every digest on the
@@ -1646,11 +1654,13 @@ crypto_digest_all(digests_t *ds_out, const char *m, size_t len)
return -1;
for (i = DIGEST_SHA256; i < N_DIGEST_ALGORITHMS; ++i) {
switch (i) {
- case DIGEST_SHA256:
+ case DIGEST_SHA256: /* FALLSTHROUGH */
+ case DIGEST_SHA3_256:
if (crypto_digest256(ds_out->d[i], m, len, i) < 0)
return -1;
break;
case DIGEST_SHA512:
+ case DIGEST_SHA3_512: /* FALLSTHROUGH */
if (crypto_digest512(ds_out->d[i], m, len, i) < 0)
return -1;
break;
@@ -1672,6 +1682,10 @@ crypto_digest_algorithm_get_name(digest_algorithm_t alg)
return "sha256";
case DIGEST_SHA512:
return "sha512";
+ case DIGEST_SHA3_256:
+ return "sha3-256";
+ case DIGEST_SHA3_512:
+ return "sha3-512";
default:
tor_fragile_assert();
return "??unknown_digest??";
@@ -1689,16 +1703,41 @@ crypto_digest_algorithm_parse_name(const char *name)
return DIGEST_SHA256;
else if (!strcmp(name, "sha512"))
return DIGEST_SHA512;
+ else if (!strcmp(name, "sha3-256"))
+ return DIGEST_SHA3_256;
+ else if (!strcmp(name, "sha3-512"))
+ return DIGEST_SHA3_512;
else
return -1;
}
+/** Given an algorithm, return the digest length in bytes. */
+static inline size_t
+crypto_digest_algorithm_get_length(digest_algorithm_t alg)
+{
+ switch (alg) {
+ case DIGEST_SHA1:
+ return DIGEST_LEN;
+ case DIGEST_SHA256:
+ return DIGEST256_LEN;
+ case DIGEST_SHA512:
+ return DIGEST512_LEN;
+ case DIGEST_SHA3_256:
+ return DIGEST256_LEN;
+ case DIGEST_SHA3_512:
+ return DIGEST512_LEN;
+ default:
+ tor_assert(0);
+ }
+}
+
/** Intermediate information about the digest of a stream of data. */
struct crypto_digest_t {
union {
SHA_CTX sha1; /**< state for SHA1 */
SHA256_CTX sha2; /**< state for SHA256 */
SHA512_CTX sha512; /**< state for SHA512 */
+ keccak_state sha3; /**< state for SHA3-[256,512] */
} d; /**< State for the digest we're using. Only one member of the
* union is usable, depending on the value of <b>algorithm</b>. */
digest_algorithm_bitfield_t algorithm : 8; /**< Which algorithm is in use? */
@@ -1722,9 +1761,12 @@ crypto_digest_t *
crypto_digest256_new(digest_algorithm_t algorithm)
{
crypto_digest_t *r;
- tor_assert(algorithm == DIGEST_SHA256);
+ tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
r = tor_malloc(sizeof(crypto_digest_t));
- SHA256_Init(&r->d.sha2);
+ if (algorithm == DIGEST_SHA256)
+ SHA256_Init(&r->d.sha2);
+ else
+ keccak_digest_init(&r->d.sha3, 256);
r->algorithm = algorithm;
return r;
}
@@ -1735,9 +1777,12 @@ crypto_digest_t *
crypto_digest512_new(digest_algorithm_t algorithm)
{
crypto_digest_t *r;
- tor_assert(algorithm == DIGEST_SHA512);
+ tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
r = tor_malloc(sizeof(crypto_digest_t));
- SHA512_Init(&r->d.sha512);
+ if (algorithm == DIGEST_SHA512)
+ SHA512_Init(&r->d.sha512);
+ else
+ keccak_digest_init(&r->d.sha3, 512);
r->algorithm = algorithm;
return r;
}
@@ -1776,6 +1821,10 @@ crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
case DIGEST_SHA512:
SHA512_Update(&digest->d.sha512, (void*)data, len);
break;
+ case DIGEST_SHA3_256: /* FALLSTHROUGH */
+ case DIGEST_SHA3_512:
+ keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
+ break;
default:
tor_fragile_assert();
break;
@@ -1794,26 +1843,38 @@ crypto_digest_get_digest(crypto_digest_t *digest,
crypto_digest_t tmpenv;
tor_assert(digest);
tor_assert(out);
+ tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm));
+
+ /* The SHA-3 code handles copying into a temporary ctx, and also can handle
+ * short output buffers by truncating appropriately. */
+ if (digest->algorithm == DIGEST_SHA3_256 ||
+ digest->algorithm == DIGEST_SHA3_512) {
+ keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
+ return;
+ }
+
/* memcpy into a temporary ctx, since SHA*_Final clears the context */
memcpy(&tmpenv, digest, sizeof(crypto_digest_t));
switch (digest->algorithm) {
case DIGEST_SHA1:
- tor_assert(out_len <= DIGEST_LEN);
SHA1_Final(r, &tmpenv.d.sha1);
break;
case DIGEST_SHA256:
- tor_assert(out_len <= DIGEST256_LEN);
SHA256_Final(r, &tmpenv.d.sha2);
break;
case DIGEST_SHA512:
- tor_assert(out_len <= DIGEST512_LEN);
SHA512_Final(r, &tmpenv.d.sha512);
break;
+ case DIGEST_SHA3_256: /* FALLSTHROUGH */
+ case DIGEST_SHA3_512:
+ log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
+ tor_assert(0); /* This is fatal, because it should never happen. */
default:
log_warn(LD_BUG, "Called with unknown algorithm %d", digest->algorithm);
/* If fragile_assert is not enabled, then we should at least not
* leak anything. */
memwipe(r, 0xff, sizeof(r));
+ memwipe(&tmpenv, 0, sizeof(crypto_digest_t));
tor_fragile_assert();
break;
}
@@ -1878,10 +1939,12 @@ crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
case DIGEST_SHA1:
d = crypto_digest_new();
break;
- case DIGEST_SHA256:
+ case DIGEST_SHA256: /* FALLSTHROUGH */
+ case DIGEST_SHA3_256:
d = crypto_digest256_new(alg);
break;
- case DIGEST_SHA512:
+ case DIGEST_SHA512: /* FALLSTHROUGH */
+ case DIGEST_SHA3_512:
d = crypto_digest512_new(alg);
break;
default:
diff --git a/src/common/crypto.h b/src/common/crypto.h
index 0fba958..ff640ce 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -96,8 +96,10 @@ typedef enum {
DIGEST_SHA1 = 0,
DIGEST_SHA256 = 1,
DIGEST_SHA512 = 2,
+ DIGEST_SHA3_256 = 3,
+ DIGEST_SHA3_512 = 4,
} digest_algorithm_t;
-#define N_DIGEST_ALGORITHMS (DIGEST_SHA512+1)
+#define N_DIGEST_ALGORITHMS (DIGEST_SHA3_512+1)
#define digest_algorithm_bitfield_t ENUM_BF(digest_algorithm_t)
/** A set of all the digests we know how to compute, taken on a single
diff --git a/src/or/include.am b/src/or/include.am
index 5ec96e5..dab0048 100644
--- a/src/or/include.am
+++ b/src/or/include.am
@@ -109,7 +109,7 @@ src_or_libtor_testing_a_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
src_or_tor_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@
src_or_tor_LDADD = src/or/libtor.a src/common/libor.a \
- src/common/libor-crypto.a $(LIBDONNA) \
+ src/common/libor-crypto.a $(LIBKECCAK_TINY) $(LIBDONNA) \
src/common/libor-event.a src/trunnel/libor-trunnel.a \
@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ @TOR_OPENSSL_LIBS@ \
@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ @TOR_SYSTEMD_LIBS@
@@ -120,7 +120,7 @@ src_or_tor_cov_CPPFLAGS = $(AM_CPPFLAGS) $(TEST_CPPFLAGS)
src_or_tor_cov_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
src_or_tor_cov_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@
src_or_tor_cov_LDADD = src/or/libtor-testing.a src/common/libor-testing.a \
- src/common/libor-crypto-testing.a $(LIBDONNA) \
+ src/common/libor-crypto-testing.a $(LIBKECCAK_TINY) $(LIBDONNA) \
src/common/libor-event-testing.a src/trunnel/libor-trunnel-testing.a \
@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ @TOR_OPENSSL_LIBS@ \
@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ @TOR_SYSTEMD_LIBS@
diff --git a/src/test/bench.c b/src/test/bench.c
index 70ec025..1ef5404 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -443,6 +443,45 @@ bench_siphash(void)
}
static void
+bench_digest(void)
+{
+ char buf[8192];
+ char out[DIGEST512_LEN];
+ const int lens[] = { 1, 16, 32, 64, 128, 512, 1024, 2048, -1 };
+ const int N = 300000;
+ uint64_t start, end;
+ crypto_rand(buf, sizeof(buf));
+
+ for (int alg = 0; alg < N_DIGEST_ALGORITHMS; alg++) {
+ for (int i = 0; lens[i] > 0; ++i) {
+ reset_perftime();
+ start = perftime();
+ for (int j = 0; j < N; ++j) {
+ switch (alg) {
+ case DIGEST_SHA1:
+ crypto_digest(out, buf, lens[i]);
+ break;
+ case DIGEST_SHA256:
+ case DIGEST_SHA3_256:
+ crypto_digest256(out, buf, lens[i], alg);
+ break;
+ case DIGEST_SHA512:
+ case DIGEST_SHA3_512:
+ crypto_digest512(out, buf, lens[i], alg);
+ break;
+ default:
+ tor_assert(0);
+ }
+ }
+ end = perftime();
+ printf("%s(%d): %.2f ns per call\n",
+ crypto_digest_algorithm_get_name(alg),
+ lens[i], NANOCOUNT(start,end,N));
+ }
+ }
+}
+
+static void
bench_cell_ops(void)
{
const int iters = 1<<16;
@@ -589,6 +628,7 @@ typedef struct benchmark_t {
static struct benchmark_t benchmarks[] = {
ENT(dmap),
ENT(siphash),
+ ENT(digest),
ENT(aes),
ENT(onion_TAP),
ENT(onion_ntor),
diff --git a/src/test/include.am b/src/test/include.am
index d52867b..7f3e9c6 100644
--- a/src/test/include.am
+++ b/src/test/include.am
@@ -150,8 +150,9 @@ src_test_test_switch_id_LDADD = \
src_test_test_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ \
@TOR_LDFLAGS_libevent@
src_test_test_LDADD = src/or/libtor-testing.a src/common/libor-testing.a \
- src/common/libor-crypto-testing.a $(LIBDONNA) src/common/libor.a \
- src/common/libor-event-testing.a src/trunnel/libor-trunnel-testing.a \
+ src/common/libor-crypto-testing.a $(LIBKECCAK_TINY) $(LIBDONNA) \
+ src/common/libor.a src/common/libor-event-testing.a \
+ src/trunnel/libor-trunnel-testing.a \
@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ \
@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \
@TOR_SYSTEMD_LIBS@
@@ -169,7 +170,7 @@ src_test_test_memwipe_LDFLAGS = $(src_test_test_LDFLAGS)
src_test_bench_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ \
@TOR_LDFLAGS_libevent@
src_test_bench_LDADD = src/or/libtor.a src/common/libor.a \
- src/common/libor-crypto.a $(LIBDONNA) \
+ src/common/libor-crypto.a $(LIBKECCAK_TINY) $(LIBDONNA) \
src/common/libor-event.a src/trunnel/libor-trunnel.a \
@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ \
@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \
@@ -179,7 +180,7 @@ src_test_test_workqueue_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ \
@TOR_LDFLAGS_libevent@
src_test_test_workqueue_LDADD = src/or/libtor-testing.a \
src/common/libor-testing.a \
- src/common/libor-crypto-testing.a $(LIBDONNA) \
+ src/common/libor-crypto-testing.a $(LIBKECCAK_TINY) $(LIBDONNA) \
src/common/libor-event-testing.a \
@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ \
@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
@@ -201,7 +202,7 @@ noinst_PROGRAMS+= src/test/test-ntor-cl
src_test_test_ntor_cl_SOURCES = src/test/test_ntor_cl.c
src_test_test_ntor_cl_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
src_test_test_ntor_cl_LDADD = src/or/libtor.a src/common/libor.a \
- src/common/libor-crypto.a $(LIBDONNA) \
+ src/common/libor-crypto.a $(LIBKECCAK_TINY) $(LIBDONNA) \
@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \
@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
src_test_test_ntor_cl_AM_CPPFLAGS = \
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index a3bef2c..c50c4af 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -448,6 +448,279 @@ test_crypto_sha(void *arg)
tor_free(mem_op_hex_tmp);
}
+static void
+test_crypto_sha3(void *arg)
+{
+ crypto_digest_t *d1 = NULL, *d2 = NULL;
+ int i;
+ char data[DIGEST512_LEN];
+ char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
+ char *mem_op_hex_tmp=NULL;
+
+ (void)arg;
+
+ /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
+ *
+ * NB: The code package's test vectors have length expressed in bits.
+ */
+
+ /* Len = 8, Msg = CC */
+ const uint8_t keccak_kat_msg8[] = { 0xcc };
+ i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
+ test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
+ "6252BB7CE180B00B582DD9B20AAAD7F0");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
+ test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
+ "C36E2EE0F652AC72E02624FA2E5ADEEC"
+ "C7DD6BB3580224B4D6138706FC6E8059"
+ "7B528051230B00621CC2B22999EAA205");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 24, Msg = 1F877C */
+ const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
+ i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3, DIGEST_SHA3_256);
+ test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
+ "C9C966712A501B19D1B6632CCD408EC5");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3, DIGEST_SHA3_512);
+ test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
+ "1A2F0D0608C3A575163751F002DB30F4"
+ "0F2F671834B22D208591CFAF1F5ECFE4"
+ "3C49863A53B3225BDFD7C6591BA7658B");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
+ const uint8_t keccak_kat_msg1080[] = {
+ 0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
+ 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
+ 0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
+ 0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
+ 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
+ 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
+ 0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
+ 0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
+ 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
+ 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
+ 0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
+ 0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
+ 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
+ 0xD6, 0xA8, 0x05, 0x2F, 0xBB,
+ };
+ i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135, DIGEST_SHA3_256);
+ test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
+ "BE9B7C736B8059ABFD6779AC35AC81B5");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135, DIGEST_SHA3_512);
+ test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
+ "CB78696773A212A5F62D02D14E3259D1"
+ "92A87EBA4407DD83893527331407B6DA"
+ "DAAD920DBC46489B677493CE5F20B595");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
+ const uint8_t keccak_kat_msg1088[] = {
+ 0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
+ 0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
+ 0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
+ 0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
+ 0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
+ 0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
+ 0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
+ 0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
+ 0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
+ 0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
+ 0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
+ 0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
+ 0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
+ 0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
+ };
+ i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136, DIGEST_SHA3_256);
+ test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
+ "77B5286364FE16C59CC8A907AFF07732");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136, DIGEST_SHA3_512);
+ test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
+ "FB94A14C72DE5ACD10D0EB5ECE029CAD"
+ "FA3BA17A40B2FFA2163991B17786E51C"
+ "ABA79E5E0FFD34CF085E2A098BE8BACB");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
+ const uint8_t keccak_kat_msg1096[] = {
+ 0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
+ 0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
+ 0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
+ 0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
+ 0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
+ 0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
+ 0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
+ 0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
+ 0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
+ 0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
+ 0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
+ 0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
+ 0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
+ 0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
+ };
+ i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137, DIGEST_SHA3_256);
+ test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
+ "735E0177279222E7AC0AF8504762FAA0");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137, DIGEST_SHA3_512);
+ test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
+ "40474041DE83D4A60645A826D7AF1ABE"
+ "1EEFCB7B74B62CA6A514E5F2697D585B"
+ "FECECE12931BBE1D4ED7EBF7B0BE660E");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 1144, Msg = EA40E83C... ...66DFAFEC (SHA3-512 rate *2 - 1) */
+ const uint8_t keccak_kat_msg1144[] = {
+ 0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
+ 0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
+ 0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
+ 0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
+ 0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
+ 0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
+ 0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
+ 0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
+ 0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
+ 0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
+ 0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
+ 0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
+ 0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
+ 0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
+ 0xDF, 0xAF, 0xEC,
+ };
+ i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143, DIGEST_SHA3_512);
+ test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
+ "605516615D96A062C8BE53A0D6C5A648"
+ "7BE35D2A8F3CF6620D0C2DBA2C560D68"
+ "295F284BE7F82F3B92919033C9CE5D80");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143, DIGEST_SHA3_256);
+ test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
+ "118C0C2C606BDCDA06E7943D2C95E0E5");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
+ const uint8_t keccak_kat_msg1152[] = {
+ 0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
+ 0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
+ 0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
+ 0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
+ 0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
+ 0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
+ 0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
+ 0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
+ 0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
+ 0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
+ 0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
+ 0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
+ 0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
+ 0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
+ 0x9E, 0xE0, 0x0C, 0x63,
+ };
+ i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144, DIGEST_SHA3_512);
+ test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
+ "22775DCB6019DCD22B8885994672A088"
+ "9C69E8115C641DC8B83E39F7311815A1"
+ "64DC46E0BA2FCA344D86D4BC2EF2532C");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144, DIGEST_SHA3_256);
+ test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
+ "84DA47678F3C2FFE5A39FDB5F7E63FFB");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
+ const uint8_t keccak_kat_msg1160[] = {
+ 0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
+ 0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
+ 0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
+ 0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
+ 0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
+ 0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
+ 0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
+ 0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
+ 0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
+ 0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
+ 0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
+ 0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
+ 0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
+ 0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
+ 0x70, 0x11, 0x04, 0x4C, 0x53,
+ };
+ i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145, DIGEST_SHA3_512);
+ test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
+ "05221AC5EFB1229842E4614F4A029C9B"
+ "D14A0ED7FD99AF3681429F3F309FDB53"
+ "166AA9A3CD9F1F1223D04B4A9015E94A");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145, DIGEST_SHA3_256);
+ test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
+ "3CF6235C6B0B7969342C45A35194B67E");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* SHA3-[256,512] Empty case (wikipedia) */
+ i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
+ test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
+ "f580ff4de43b49fa82d80a4b80f8434a");
+ tt_int_op(i, OP_EQ, 0);
+ i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
+ test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
+ "97c982164fe25859e0d1dcc1475c80a6"
+ "15b2123af1f5f94c11e3e9402c3ac558"
+ "f500199d95b6d3e301758586281dcd26");
+ tt_int_op(i, OP_EQ, 0);
+
+ /* Incremental digest code with SHA3-256 */
+ d1 = crypto_digest256_new(DIGEST_SHA3_256);
+ tt_assert(d1);
+ crypto_digest_add_bytes(d1, "abcdef", 6);
+ d2 = crypto_digest_dup(d1);
+ tt_assert(d2);
+ crypto_digest_add_bytes(d2, "ghijkl", 6);
+ crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
+ crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
+ tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
+ crypto_digest_assign(d2, d1);
+ crypto_digest_add_bytes(d2, "mno", 3);
+ crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
+ crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
+ tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
+ crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
+ crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
+ tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
+ crypto_digest_free(d1);
+ crypto_digest_free(d2);
+
+ /* Incremental digest code with SHA3-512 */
+ d1 = crypto_digest512_new(DIGEST_SHA3_512);
+ tt_assert(d1);
+ crypto_digest_add_bytes(d1, "abcdef", 6);
+ d2 = crypto_digest_dup(d1);
+ tt_assert(d2);
+ crypto_digest_add_bytes(d2, "ghijkl", 6);
+ crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
+ crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
+ tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
+ crypto_digest_assign(d2, d1);
+ crypto_digest_add_bytes(d2, "mno", 3);
+ crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
+ crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
+ tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
+ crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
+ crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
+ tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
+
+ done:
+ if (d1)
+ crypto_digest_free(d1);
+ if (d2)
+ crypto_digest_free(d2);
+ tor_free(mem_op_hex_tmp);
+}
+
/** Run unit tests for our public key crypto functions */
static void
test_crypto_pk(void *arg)
@@ -1950,6 +2223,7 @@ struct testcase_t crypto_tests[] = {
{ "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
{ "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
CRYPTO_LEGACY(digests),
+ { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
CRYPTO_LEGACY(dh),
{ "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
(void*)"aes" },
diff --git a/src/tools/include.am b/src/tools/include.am
index ebdd349..38ed575 100644
--- a/src/tools/include.am
+++ b/src/tools/include.am
@@ -20,6 +20,7 @@ endif
src_tools_tor_gencert_SOURCES = src/tools/tor-gencert.c
src_tools_tor_gencert_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
src_tools_tor_gencert_LDADD = src/common/libor.a src/common/libor-crypto.a \
+ $(LIBKECCAK_TINY) \
$(LIBDONNA) \
@TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \
@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
@@ -31,6 +32,7 @@ src_tools_tor_cov_gencert_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
src_tools_tor_cov_gencert_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
src_tools_tor_cov_gencert_LDADD = src/common/libor-testing.a \
src/common/libor-crypto-testing.a \
+ $(LIBKECCAK_TINY) \
$(LIBDONNA) \
@TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \
@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
@@ -39,6 +41,7 @@ endif
src_tools_tor_checkkey_SOURCES = src/tools/tor-checkkey.c
src_tools_tor_checkkey_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
src_tools_tor_checkkey_LDADD = src/common/libor.a src/common/libor-crypto.a \
+ $(LIBKECCAK_TINY) \
$(LIBDONNA) \
@TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \
@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
More information about the tor-commits
mailing list