[tor-commits] [tor/master] Add the SHA-3 hash functions to common/crypto.h.

nickm at torproject.org nickm at torproject.org
Sun Dec 20 20:00:26 UTC 2015


commit 687f9b3bd7b55bcf4d984d745e978c2a03aeb4e1
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Fri Dec 18 22:15:01 2015 +0000

    Add the SHA-3 hash functions to common/crypto.h.
    
     * DIGEST_SHA3_[256,512] added as supported algorithms, which do
       exactly what is said on the tin.
     * test/bench now benchmarks all of the supported digest algorithms,
       so it's possible to see just how slow SHA-3 is, though the message
       sizes could probably use tweaking since this is very dependent on
       the message size vs the SHA-3 rate.
---
 src/common/crypto.c    |   91 +++++++++++++---
 src/common/crypto.h    |    4 +-
 src/or/include.am      |    4 +-
 src/test/bench.c       |   40 +++++++
 src/test/include.am    |   11 +-
 src/test/test_crypto.c |  274 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/tools/include.am   |    3 +
 7 files changed, 405 insertions(+), 22 deletions(-)

diff --git a/src/common/crypto.c b/src/common/crypto.c
index 7f0f842..f66ae9e 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -64,6 +64,8 @@
 #include "sandbox.h"
 #include "util_format.h"
 
+#include "keccak-tiny/keccak-tiny.h"
+
 #ifdef ANDROID
 /* Android's OpenSSL seems to have removed all of its Engine support. */
 #define DISABLE_ENGINES
@@ -1616,8 +1618,11 @@ crypto_digest256(char *digest, const char *m, size_t len,
 {
   tor_assert(m);
   tor_assert(digest);
-  tor_assert(algorithm == DIGEST_SHA256);
-  return (SHA256((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+  tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
+  if (algorithm == DIGEST_SHA256)
+    return (SHA256((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+  else
+    return (sha3_256((uint8_t *)digest, DIGEST256_LEN, (const uint8_t *)m, len) == -1);
 }
 
 /** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
@@ -1629,8 +1634,11 @@ crypto_digest512(char *digest, const char *m, size_t len,
 {
   tor_assert(m);
   tor_assert(digest);
-  tor_assert(algorithm == DIGEST_SHA512);
-  return (SHA512((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+  tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
+  if (algorithm == DIGEST_SHA512)
+    return (SHA512((const unsigned char*)m,len,(unsigned char*)digest) == NULL);
+  else
+    return (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len) == -1);
 }
 
 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
@@ -1646,11 +1654,13 @@ crypto_digest_all(digests_t *ds_out, const char *m, size_t len)
     return -1;
   for (i = DIGEST_SHA256; i < N_DIGEST_ALGORITHMS; ++i) {
       switch (i) {
-        case DIGEST_SHA256:
+        case DIGEST_SHA256: /* FALLSTHROUGH */
+        case DIGEST_SHA3_256:
           if (crypto_digest256(ds_out->d[i], m, len, i) < 0)
             return -1;
           break;
         case DIGEST_SHA512:
+        case DIGEST_SHA3_512: /* FALLSTHROUGH */
           if (crypto_digest512(ds_out->d[i], m, len, i) < 0)
             return -1;
           break;
@@ -1672,6 +1682,10 @@ crypto_digest_algorithm_get_name(digest_algorithm_t alg)
       return "sha256";
     case DIGEST_SHA512:
       return "sha512";
+    case DIGEST_SHA3_256:
+      return "sha3-256";
+    case DIGEST_SHA3_512:
+      return "sha3-512";
     default:
       tor_fragile_assert();
       return "??unknown_digest??";
@@ -1689,16 +1703,41 @@ crypto_digest_algorithm_parse_name(const char *name)
     return DIGEST_SHA256;
   else if (!strcmp(name, "sha512"))
     return DIGEST_SHA512;
+  else if (!strcmp(name, "sha3-256"))
+    return DIGEST_SHA3_256;
+  else if (!strcmp(name, "sha3-512"))
+    return DIGEST_SHA3_512;
   else
     return -1;
 }
 
+/** Given an algorithm, return the digest length in bytes. */
+static inline size_t
+crypto_digest_algorithm_get_length(digest_algorithm_t alg)
+{
+  switch (alg) {
+    case DIGEST_SHA1:
+      return DIGEST_LEN;
+    case DIGEST_SHA256:
+      return DIGEST256_LEN;
+    case DIGEST_SHA512:
+      return DIGEST512_LEN;
+    case DIGEST_SHA3_256:
+      return DIGEST256_LEN;
+    case DIGEST_SHA3_512:
+      return DIGEST512_LEN;
+    default:
+      tor_assert(0);
+  }
+}
+
 /** Intermediate information about the digest of a stream of data. */
 struct crypto_digest_t {
   union {
     SHA_CTX sha1; /**< state for SHA1 */
     SHA256_CTX sha2; /**< state for SHA256 */
     SHA512_CTX sha512; /**< state for SHA512 */
+    keccak_state sha3; /**< state for SHA3-[256,512] */
   } d; /**< State for the digest we're using.  Only one member of the
         * union is usable, depending on the value of <b>algorithm</b>. */
   digest_algorithm_bitfield_t algorithm : 8; /**< Which algorithm is in use? */
@@ -1722,9 +1761,12 @@ crypto_digest_t *
 crypto_digest256_new(digest_algorithm_t algorithm)
 {
   crypto_digest_t *r;
-  tor_assert(algorithm == DIGEST_SHA256);
+  tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
   r = tor_malloc(sizeof(crypto_digest_t));
-  SHA256_Init(&r->d.sha2);
+  if (algorithm == DIGEST_SHA256)
+    SHA256_Init(&r->d.sha2);
+  else
+    keccak_digest_init(&r->d.sha3, 256);
   r->algorithm = algorithm;
   return r;
 }
@@ -1735,9 +1777,12 @@ crypto_digest_t *
 crypto_digest512_new(digest_algorithm_t algorithm)
 {
   crypto_digest_t *r;
-  tor_assert(algorithm == DIGEST_SHA512);
+  tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
   r = tor_malloc(sizeof(crypto_digest_t));
-  SHA512_Init(&r->d.sha512);
+  if (algorithm == DIGEST_SHA512)
+    SHA512_Init(&r->d.sha512);
+  else
+    keccak_digest_init(&r->d.sha3, 512);
   r->algorithm = algorithm;
   return r;
 }
@@ -1776,6 +1821,10 @@ crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
     case DIGEST_SHA512:
       SHA512_Update(&digest->d.sha512, (void*)data, len);
       break;
+    case DIGEST_SHA3_256: /* FALLSTHROUGH */
+    case DIGEST_SHA3_512:
+      keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
+      break;
     default:
       tor_fragile_assert();
       break;
@@ -1794,26 +1843,38 @@ crypto_digest_get_digest(crypto_digest_t *digest,
   crypto_digest_t tmpenv;
   tor_assert(digest);
   tor_assert(out);
+  tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm));
+
+  /* The SHA-3 code handles copying into a temporary ctx, and also can handle
+   * short output buffers by truncating appropriately. */
+  if (digest->algorithm == DIGEST_SHA3_256 ||
+      digest->algorithm == DIGEST_SHA3_512) {
+    keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
+    return;
+  }
+
   /* memcpy into a temporary ctx, since SHA*_Final clears the context */
   memcpy(&tmpenv, digest, sizeof(crypto_digest_t));
   switch (digest->algorithm) {
     case DIGEST_SHA1:
-      tor_assert(out_len <= DIGEST_LEN);
       SHA1_Final(r, &tmpenv.d.sha1);
       break;
     case DIGEST_SHA256:
-      tor_assert(out_len <= DIGEST256_LEN);
       SHA256_Final(r, &tmpenv.d.sha2);
       break;
     case DIGEST_SHA512:
-      tor_assert(out_len <= DIGEST512_LEN);
       SHA512_Final(r, &tmpenv.d.sha512);
       break;
+    case DIGEST_SHA3_256: /* FALLSTHROUGH */
+    case DIGEST_SHA3_512:
+      log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
+      tor_assert(0); /* This is fatal, because it should never happen. */
     default:
       log_warn(LD_BUG, "Called with unknown algorithm %d", digest->algorithm);
       /* If fragile_assert is not enabled, then we should at least not
        * leak anything. */
       memwipe(r, 0xff, sizeof(r));
+      memwipe(&tmpenv, 0, sizeof(crypto_digest_t));
       tor_fragile_assert();
       break;
   }
@@ -1878,10 +1939,12 @@ crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
     case DIGEST_SHA1:
       d = crypto_digest_new();
       break;
-    case DIGEST_SHA256:
+    case DIGEST_SHA256: /* FALLSTHROUGH */
+    case DIGEST_SHA3_256:
       d = crypto_digest256_new(alg);
       break;
-    case DIGEST_SHA512:
+    case DIGEST_SHA512: /* FALLSTHROUGH */
+    case DIGEST_SHA3_512:
       d = crypto_digest512_new(alg);
       break;
     default:
diff --git a/src/common/crypto.h b/src/common/crypto.h
index 0fba958..ff640ce 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -96,8 +96,10 @@ typedef enum {
   DIGEST_SHA1 = 0,
   DIGEST_SHA256 = 1,
   DIGEST_SHA512 = 2,
+  DIGEST_SHA3_256 = 3,
+  DIGEST_SHA3_512 = 4,
 } digest_algorithm_t;
-#define  N_DIGEST_ALGORITHMS (DIGEST_SHA512+1)
+#define  N_DIGEST_ALGORITHMS (DIGEST_SHA3_512+1)
 #define digest_algorithm_bitfield_t ENUM_BF(digest_algorithm_t)
 
 /** A set of all the digests we know how to compute, taken on a single
diff --git a/src/or/include.am b/src/or/include.am
index 5ec96e5..dab0048 100644
--- a/src/or/include.am
+++ b/src/or/include.am
@@ -109,7 +109,7 @@ src_or_libtor_testing_a_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
 
 src_or_tor_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@
 src_or_tor_LDADD = src/or/libtor.a src/common/libor.a \
-	src/common/libor-crypto.a $(LIBDONNA) \
+	src/common/libor-crypto.a $(LIBKECCAK_TINY) $(LIBDONNA) \
 	src/common/libor-event.a src/trunnel/libor-trunnel.a \
 	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ @TOR_OPENSSL_LIBS@ \
 	@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ @TOR_SYSTEMD_LIBS@
@@ -120,7 +120,7 @@ src_or_tor_cov_CPPFLAGS = $(AM_CPPFLAGS) $(TEST_CPPFLAGS)
 src_or_tor_cov_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
 src_or_tor_cov_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@
 src_or_tor_cov_LDADD = src/or/libtor-testing.a src/common/libor-testing.a \
-	src/common/libor-crypto-testing.a $(LIBDONNA) \
+	src/common/libor-crypto-testing.a $(LIBKECCAK_TINY) $(LIBDONNA) \
 	src/common/libor-event-testing.a src/trunnel/libor-trunnel-testing.a \
 	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ @TOR_OPENSSL_LIBS@ \
 	@TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ @TOR_SYSTEMD_LIBS@
diff --git a/src/test/bench.c b/src/test/bench.c
index 70ec025..1ef5404 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -443,6 +443,45 @@ bench_siphash(void)
 }
 
 static void
+bench_digest(void)
+{
+  char buf[8192];
+  char out[DIGEST512_LEN];
+  const int lens[] = { 1, 16, 32, 64, 128, 512, 1024, 2048, -1 };
+  const int N = 300000;
+  uint64_t start, end;
+  crypto_rand(buf, sizeof(buf));
+
+  for (int alg = 0; alg < N_DIGEST_ALGORITHMS; alg++) {
+    for (int i = 0; lens[i] > 0; ++i) {
+      reset_perftime();
+      start = perftime();
+      for (int j = 0; j < N; ++j) {
+        switch (alg) {
+          case DIGEST_SHA1:
+            crypto_digest(out, buf, lens[i]);
+            break;
+          case DIGEST_SHA256:
+          case DIGEST_SHA3_256:
+            crypto_digest256(out, buf, lens[i], alg);
+            break;
+          case DIGEST_SHA512:
+          case DIGEST_SHA3_512:
+            crypto_digest512(out, buf, lens[i], alg);
+            break;
+          default:
+            tor_assert(0);
+        }
+      }
+      end = perftime();
+      printf("%s(%d): %.2f ns per call\n",
+             crypto_digest_algorithm_get_name(alg),
+             lens[i], NANOCOUNT(start,end,N));
+    }
+  }
+}
+
+static void
 bench_cell_ops(void)
 {
   const int iters = 1<<16;
@@ -589,6 +628,7 @@ typedef struct benchmark_t {
 static struct benchmark_t benchmarks[] = {
   ENT(dmap),
   ENT(siphash),
+  ENT(digest),
   ENT(aes),
   ENT(onion_TAP),
   ENT(onion_ntor),
diff --git a/src/test/include.am b/src/test/include.am
index d52867b..7f3e9c6 100644
--- a/src/test/include.am
+++ b/src/test/include.am
@@ -150,8 +150,9 @@ src_test_test_switch_id_LDADD = \
 src_test_test_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ \
         @TOR_LDFLAGS_libevent@
 src_test_test_LDADD = src/or/libtor-testing.a src/common/libor-testing.a \
-	src/common/libor-crypto-testing.a $(LIBDONNA) src/common/libor.a \
-	src/common/libor-event-testing.a src/trunnel/libor-trunnel-testing.a \
+	src/common/libor-crypto-testing.a $(LIBKECCAK_TINY) $(LIBDONNA) \
+	src/common/libor.a src/common/libor-event-testing.a \
+	src/trunnel/libor-trunnel-testing.a \
 	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ \
 	@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \
 	@TOR_SYSTEMD_LIBS@
@@ -169,7 +170,7 @@ src_test_test_memwipe_LDFLAGS = $(src_test_test_LDFLAGS)
 src_test_bench_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ \
         @TOR_LDFLAGS_libevent@
 src_test_bench_LDADD = src/or/libtor.a src/common/libor.a \
-	src/common/libor-crypto.a $(LIBDONNA) \
+	src/common/libor-crypto.a $(LIBKECCAK_TINY) $(LIBDONNA) \
 	src/common/libor-event.a src/trunnel/libor-trunnel.a \
 	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ \
 	@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \
@@ -179,7 +180,7 @@ src_test_test_workqueue_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ \
         @TOR_LDFLAGS_libevent@
 src_test_test_workqueue_LDADD = src/or/libtor-testing.a \
 	src/common/libor-testing.a \
-	src/common/libor-crypto-testing.a $(LIBDONNA) \
+	src/common/libor-crypto-testing.a $(LIBKECCAK_TINY) $(LIBDONNA) \
 	src/common/libor-event-testing.a \
 	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ \
 	@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
@@ -201,7 +202,7 @@ noinst_PROGRAMS+= src/test/test-ntor-cl
 src_test_test_ntor_cl_SOURCES  = src/test/test_ntor_cl.c
 src_test_test_ntor_cl_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
 src_test_test_ntor_cl_LDADD = src/or/libtor.a src/common/libor.a \
-	src/common/libor-crypto.a $(LIBDONNA) \
+	src/common/libor-crypto.a $(LIBKECCAK_TINY) $(LIBDONNA) \
 	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \
 	@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
 src_test_test_ntor_cl_AM_CPPFLAGS =	       \
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index a3bef2c..c50c4af 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -448,6 +448,279 @@ test_crypto_sha(void *arg)
   tor_free(mem_op_hex_tmp);
 }
 
+static void
+test_crypto_sha3(void *arg)
+{
+  crypto_digest_t *d1 = NULL, *d2 = NULL;
+  int i;
+  char data[DIGEST512_LEN];
+  char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
+  char *mem_op_hex_tmp=NULL;
+
+  (void)arg;
+
+  /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
+   *
+   * NB: The code package's test vectors have length expressed in bits.
+   */
+
+  /* Len = 8, Msg = CC */
+  const uint8_t keccak_kat_msg8[] = { 0xcc };
+  i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
+  test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
+                       "6252BB7CE180B00B582DD9B20AAAD7F0");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
+  test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
+                       "C36E2EE0F652AC72E02624FA2E5ADEEC"
+                       "C7DD6BB3580224B4D6138706FC6E8059"
+                       "7B528051230B00621CC2B22999EAA205");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 24, Msg = 1F877C */
+  const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
+  i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3, DIGEST_SHA3_256);
+  test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
+                       "C9C966712A501B19D1B6632CCD408EC5");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3, DIGEST_SHA3_512);
+  test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
+                       "1A2F0D0608C3A575163751F002DB30F4"
+                       "0F2F671834B22D208591CFAF1F5ECFE4"
+                       "3C49863A53B3225BDFD7C6591BA7658B");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
+  const uint8_t keccak_kat_msg1080[] = {
+    0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
+    0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
+    0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
+    0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
+    0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
+    0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
+    0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
+    0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
+    0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
+    0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
+    0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
+    0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
+    0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
+    0xD6, 0xA8, 0x05, 0x2F, 0xBB,
+  };
+  i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135, DIGEST_SHA3_256);
+  test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
+                       "BE9B7C736B8059ABFD6779AC35AC81B5");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135, DIGEST_SHA3_512);
+  test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
+                       "CB78696773A212A5F62D02D14E3259D1"
+                       "92A87EBA4407DD83893527331407B6DA"
+                       "DAAD920DBC46489B677493CE5F20B595");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
+  const uint8_t keccak_kat_msg1088[] = {
+    0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
+    0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
+    0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
+    0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
+    0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
+    0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
+    0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
+    0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
+    0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
+    0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
+    0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
+    0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
+    0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
+    0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
+  };
+  i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136, DIGEST_SHA3_256);
+  test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
+                       "77B5286364FE16C59CC8A907AFF07732");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136, DIGEST_SHA3_512);
+  test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
+                       "FB94A14C72DE5ACD10D0EB5ECE029CAD"
+                       "FA3BA17A40B2FFA2163991B17786E51C"
+                       "ABA79E5E0FFD34CF085E2A098BE8BACB");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
+  const uint8_t keccak_kat_msg1096[] = {
+    0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
+    0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
+    0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
+    0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
+    0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
+    0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
+    0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
+    0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
+    0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
+    0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
+    0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
+    0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
+    0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
+    0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
+  };
+  i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137, DIGEST_SHA3_256);
+  test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
+                       "735E0177279222E7AC0AF8504762FAA0");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137, DIGEST_SHA3_512);
+  test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
+                       "40474041DE83D4A60645A826D7AF1ABE"
+                       "1EEFCB7B74B62CA6A514E5F2697D585B"
+                       "FECECE12931BBE1D4ED7EBF7B0BE660E");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 1144, Msg = EA40E83C...  ...66DFAFEC (SHA3-512 rate *2 - 1) */
+  const uint8_t keccak_kat_msg1144[] = {
+    0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
+    0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
+    0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
+    0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
+    0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
+    0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
+    0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
+    0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
+    0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
+    0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
+    0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
+    0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
+    0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
+    0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
+    0xDF, 0xAF, 0xEC,
+  };
+  i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143, DIGEST_SHA3_512);
+  test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
+                       "605516615D96A062C8BE53A0D6C5A648"
+                       "7BE35D2A8F3CF6620D0C2DBA2C560D68"
+                       "295F284BE7F82F3B92919033C9CE5D80");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143, DIGEST_SHA3_256);
+  test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
+                       "118C0C2C606BDCDA06E7943D2C95E0E5");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
+  const uint8_t keccak_kat_msg1152[] = {
+    0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
+    0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
+    0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
+    0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
+    0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
+    0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
+    0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
+    0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
+    0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
+    0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
+    0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
+    0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
+    0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
+    0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
+    0x9E, 0xE0, 0x0C, 0x63,
+  };
+  i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144, DIGEST_SHA3_512);
+  test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
+                       "22775DCB6019DCD22B8885994672A088"
+                       "9C69E8115C641DC8B83E39F7311815A1"
+                       "64DC46E0BA2FCA344D86D4BC2EF2532C");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144, DIGEST_SHA3_256);
+  test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
+                       "84DA47678F3C2FFE5A39FDB5F7E63FFB");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
+  const uint8_t keccak_kat_msg1160[] = {
+    0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
+    0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
+    0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
+    0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
+    0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
+    0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
+    0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
+    0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
+    0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
+    0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
+    0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
+    0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
+    0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
+    0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
+    0x70, 0x11, 0x04, 0x4C, 0x53,
+  };
+  i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145, DIGEST_SHA3_512);
+  test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
+                       "05221AC5EFB1229842E4614F4A029C9B"
+                       "D14A0ED7FD99AF3681429F3F309FDB53"
+                       "166AA9A3CD9F1F1223D04B4A9015E94A");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145, DIGEST_SHA3_256);
+  test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
+                       "3CF6235C6B0B7969342C45A35194B67E");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* SHA3-[256,512] Empty case (wikipedia) */
+  i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
+  test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
+                       "f580ff4de43b49fa82d80a4b80f8434a");
+  tt_int_op(i, OP_EQ, 0);
+  i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
+  test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
+                       "97c982164fe25859e0d1dcc1475c80a6"
+                       "15b2123af1f5f94c11e3e9402c3ac558"
+                       "f500199d95b6d3e301758586281dcd26");
+  tt_int_op(i, OP_EQ, 0);
+
+  /* Incremental digest code with SHA3-256 */
+  d1 = crypto_digest256_new(DIGEST_SHA3_256);
+  tt_assert(d1);
+  crypto_digest_add_bytes(d1, "abcdef", 6);
+  d2 = crypto_digest_dup(d1);
+  tt_assert(d2);
+  crypto_digest_add_bytes(d2, "ghijkl", 6);
+  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
+  crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
+  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
+  crypto_digest_assign(d2, d1);
+  crypto_digest_add_bytes(d2, "mno", 3);
+  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
+  crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
+  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
+  crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
+  crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
+  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
+  crypto_digest_free(d1);
+  crypto_digest_free(d2);
+
+  /* Incremental digest code with SHA3-512 */
+  d1 = crypto_digest512_new(DIGEST_SHA3_512);
+  tt_assert(d1);
+  crypto_digest_add_bytes(d1, "abcdef", 6);
+  d2 = crypto_digest_dup(d1);
+  tt_assert(d2);
+  crypto_digest_add_bytes(d2, "ghijkl", 6);
+  crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
+  crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_512);
+  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
+  crypto_digest_assign(d2, d1);
+  crypto_digest_add_bytes(d2, "mno", 3);
+  crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
+  crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA3_512);
+  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
+  crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
+  crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA3_512);
+  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
+
+ done:
+  if (d1)
+    crypto_digest_free(d1);
+  if (d2)
+    crypto_digest_free(d2);
+  tor_free(mem_op_hex_tmp);
+}
+
 /** Run unit tests for our public key crypto functions */
 static void
 test_crypto_pk(void *arg)
@@ -1950,6 +2223,7 @@ struct testcase_t crypto_tests[] = {
   { "pk_fingerprints", test_crypto_pk_fingerprints, TT_FORK, NULL, NULL },
   { "pk_base64", test_crypto_pk_base64, TT_FORK, NULL, NULL },
   CRYPTO_LEGACY(digests),
+  { "sha3", test_crypto_sha3, TT_FORK, NULL, NULL},
   CRYPTO_LEGACY(dh),
   { "aes_iv_AES", test_crypto_aes_iv, TT_FORK, &passthrough_setup,
     (void*)"aes" },
diff --git a/src/tools/include.am b/src/tools/include.am
index ebdd349..38ed575 100644
--- a/src/tools/include.am
+++ b/src/tools/include.am
@@ -20,6 +20,7 @@ endif
 src_tools_tor_gencert_SOURCES = src/tools/tor-gencert.c
 src_tools_tor_gencert_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
 src_tools_tor_gencert_LDADD = src/common/libor.a src/common/libor-crypto.a \
+    $(LIBKECCAK_TINY) \
     $(LIBDONNA) \
         @TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \
         @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
@@ -31,6 +32,7 @@ src_tools_tor_cov_gencert_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
 src_tools_tor_cov_gencert_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
 src_tools_tor_cov_gencert_LDADD = src/common/libor-testing.a \
     src/common/libor-crypto-testing.a \
+    $(LIBKECCAK_TINY) \
     $(LIBDONNA) \
         @TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \
         @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
@@ -39,6 +41,7 @@ endif
 src_tools_tor_checkkey_SOURCES = src/tools/tor-checkkey.c
 src_tools_tor_checkkey_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
 src_tools_tor_checkkey_LDADD = src/common/libor.a src/common/libor-crypto.a \
+    $(LIBKECCAK_TINY) \
     $(LIBDONNA) \
         @TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \
         @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@





More information about the tor-commits mailing list