test_crypto.c 111 KB
Newer Older
1
2
/* Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
Nick Mathewson's avatar
Nick Mathewson committed
3
 * Copyright (c) 2007-2018, The Tor Project, Inc. */
4
5
6
/* See LICENSE for licensing information */

#include "orconfig.h"
7
#define CRYPTO_CURVE25519_PRIVATE
8
#define CRYPTO_RAND_PRIVATE
Nick Mathewson's avatar
Nick Mathewson committed
9
10
#include "or/or.h"
#include "test/test.h"
11
#include "lib/crypt_ops/aes.h"
Nick Mathewson's avatar
Nick Mathewson committed
12
#include "common/util.h"
13
#include "siphash.h"
14
#include "lib/crypt_ops/crypto_curve25519.h"
15
#include "lib/crypt_ops/crypto_dh.h"
16
#include "lib/crypt_ops/crypto_ed25519.h"
17
#include "lib/crypt_ops/crypto_hkdf.h"
18
#include "lib/crypt_ops/crypto_rand.h"
19
#include "ed25519_vectors.inc"
20
21
22

/** Run unit tests for Diffie-Hellman functionality. */
static void
23
test_crypto_dh(void *arg)
24
{
25
  crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
26
  crypto_dh_t *dh1_dup = NULL;
27
  crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
28
29
30
31
  char p1[DH1024_KEY_LEN];
  char p2[DH1024_KEY_LEN];
  char s1[DH1024_KEY_LEN];
  char s2[DH1024_KEY_LEN];
32
33
  ssize_t s1len, s2len;

34
  (void)arg;
35
36
  tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
  tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
37

38
39
40
  memset(p1, 0, DH1024_KEY_LEN);
  memset(p2, 0, DH1024_KEY_LEN);
  tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
41
42
43

  tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */

44
45
46
47
  tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
  tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
  tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
  tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
48

49
50
51
52
  memset(s1, 0, DH1024_KEY_LEN);
  memset(s2, 0xFF, DH1024_KEY_LEN);
  s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
  s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
53
  tt_assert(s1len > 0);
54
55
  tt_int_op(s1len,OP_EQ, s2len);
  tt_mem_op(s1,OP_EQ, s2, s1len);
56

57
58
  /* test dh_dup; make sure it works the same. */
  dh1_dup = crypto_dh_dup(dh1);
59
60
  s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
                                   s1, 50);
61
62
  tt_mem_op(s1,OP_EQ, s2, s1len);

63
  {
64
65
66
67
68
69
70
71
72
    /* Now fabricate some bad values and make sure they get caught. */

    /* 1 and 0 should both fail. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
    tt_int_op(-1, OP_EQ, s1len);

    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
    tt_int_op(-1, OP_EQ, s1len);

73
74
75
    memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
76
77
    tt_int_op(-1, OP_EQ, s1len);

78
79
80
    p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
    tt_int_op(-1, OP_EQ, s1len);

    /* 2 is okay, though weird. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
    tt_int_op(50, OP_EQ, s1len);

    const char P[] =
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
      "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "49286651ECE65381FFFFFFFFFFFFFFFF";

    /* p-1, p, and so on are not okay. */
    base16_decode(p1, sizeof(p1), P, strlen(P));

97
98
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
99
100
    tt_int_op(-1, OP_EQ, s1len);

101
102
103
    p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
104
105
    tt_int_op(-1, OP_EQ, s1len);

106
107
108
    p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
109
110
111
112
113
114
115
116
117
118
119
    tt_int_op(50, OP_EQ, s1len);

    const char P_plus_one[] =
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
      "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "49286651ECE653820000000000000000";

    base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));

120
121
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
122
123
    tt_int_op(-1, OP_EQ, s1len);

124
125
126
    p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
127
128
    tt_int_op(-1, OP_EQ, s1len);

129
130
131
    p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
132
133
    tt_int_op(-1, OP_EQ, s1len);

134
135
136
    memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
137
    tt_int_op(-1, OP_EQ, s1len);
138
139
  }

140
141
142
  {
    /* provoke an error in the openssl DH_compute_key function; make sure we
     * survive. */
143
    tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
144
145
146
147

    crypto_dh_free(dh2);
    dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
148
                                     p1, DH1024_KEY_LEN,
149
150
151
152
                                     s1, 50);
    tt_int_op(s1len, OP_EQ, -1);
  }

153
154
155
 done:
  crypto_dh_free(dh1);
  crypto_dh_free(dh2);
156
  crypto_dh_free(dh1_dup);
157
158
}

159
160
161
162
163
164
165
166
static void
test_crypto_openssl_version(void *arg)
{
  (void)arg;
  const char *version = crypto_openssl_get_version_str();
  const char *h_version = crypto_openssl_get_header_version_str();
  tt_assert(version);
  tt_assert(h_version);
167
168
169
170
171
172
173
  if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
    TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
            version, h_version));
  }
  if (strstr(version, "OpenSSL")) {
    TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
  }
174
  int a=-1,b=-1,c=-1;
175
176
  if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
    return;
177
178
  int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
  tt_int_op(r, OP_EQ, 3);
179
180
181
182
183
184
185
186
  tt_int_op(a, OP_GE, 0);
  tt_int_op(b, OP_GE, 0);
  tt_int_op(c, OP_GE, 0);

 done:
  ;
}

187
188
189
/** Run unit tests for our random number generation function and its wrappers.
 */
static void
190
test_crypto_rng(void *arg)
191
192
193
{
  int i, j, allok;
  char data1[100], data2[100];
194
  double d;
195
  char *h=NULL;
196
197

  /* Try out RNG. */
198
  (void)arg;
199
  tt_assert(! crypto_seed_rng());
200
201
  crypto_rand(data1, 100);
  crypto_rand(data2, 100);
202
  tt_mem_op(data1,OP_NE, data2,100);
203
204
205
206
207
  allok = 1;
  for (i = 0; i < 100; ++i) {
    uint64_t big;
    char *host;
    j = crypto_rand_int(100);
208
    if (j < 0 || j >= 100)
209
210
211
212
213
214
215
      allok = 0;
    big = crypto_rand_uint64(U64_LITERAL(1)<<40);
    if (big >= (U64_LITERAL(1)<<40))
      allok = 0;
    big = crypto_rand_uint64(U64_LITERAL(5));
    if (big >= 5)
      allok = 0;
216
    d = crypto_rand_double();
217
218
    tt_assert(d >= 0);
    tt_assert(d < 1.0);
219
220
221
222
223
224
225
226
    host = crypto_random_hostname(3,8,"www.",".onion");
    if (strcmpstart(host,"www.") ||
        strcmpend(host,".onion") ||
        strlen(host) < 13 ||
        strlen(host) > 18)
      allok = 0;
    tor_free(host);
  }
227
228
229
230
231
232
233

  /* Make sure crypto_random_hostname clips its inputs properly. */
  h = crypto_random_hostname(20000, 9000, "www.", ".onion");
  tt_assert(! strcmpstart(h,"www."));
  tt_assert(! strcmpend(h,".onion"));
  tt_int_op(63+4+6, OP_EQ, strlen(h));

234
  tt_assert(allok);
235
 done:
236
  tor_free(h);
237
238
}

239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
static void
test_crypto_rng_range(void *arg)
{
  int got_smallest = 0, got_largest = 0;
  int i;

  (void)arg;
  for (i = 0; i < 1000; ++i) {
    int x = crypto_rand_int_range(5,9);
    tt_int_op(x, OP_GE, 5);
    tt_int_op(x, OP_LT, 9);
    if (x == 5)
      got_smallest = 1;
    if (x == 8)
      got_largest = 1;
  }
  /* These fail with probability 1/10^603. */
  tt_assert(got_smallest);
  tt_assert(got_largest);
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286

  got_smallest = got_largest = 0;
  const uint64_t ten_billion = 10 * ((uint64_t)1000000000000);
  for (i = 0; i < 1000; ++i) {
    uint64_t x = crypto_rand_uint64_range(ten_billion, ten_billion+10);
    tt_u64_op(x, OP_GE, ten_billion);
    tt_u64_op(x, OP_LT, ten_billion+10);
    if (x == ten_billion)
      got_smallest = 1;
    if (x == ten_billion+9)
      got_largest = 1;
  }

  tt_assert(got_smallest);
  tt_assert(got_largest);

  const time_t now = time(NULL);
  for (i = 0; i < 2000; ++i) {
    time_t x = crypto_rand_time_range(now, now+60);
    tt_i64_op(x, OP_GE, now);
    tt_i64_op(x, OP_LT, now+60);
    if (x == now)
      got_smallest = 1;
    if (x == now+59)
      got_largest = 1;
  }

  tt_assert(got_smallest);
  tt_assert(got_largest);
287
288
289
290
 done:
  ;
}

291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
static void
test_crypto_rng_strongest(void *arg)
{
  const char *how = arg;
  int broken = 0;

  if (how == NULL) {
    ;
  } else if (!strcmp(how, "nosyscall")) {
    break_strongest_rng_syscall = 1;
  } else if (!strcmp(how, "nofallback")) {
    break_strongest_rng_fallback = 1;
  } else if (!strcmp(how, "broken")) {
    broken = break_strongest_rng_syscall = break_strongest_rng_fallback = 1;
  }

#define N 128
  uint8_t combine_and[N];
  uint8_t combine_or[N];
  int i, j;

  memset(combine_and, 0xff, N);
  memset(combine_or, 0, N);

  for (i = 0; i < 100; ++i) { /* 2^-100 chances just don't happen. */
    uint8_t output[N];
    memset(output, 0, N);
    if (how == NULL) {
      /* this one can't fail. */
      crypto_strongest_rand(output, sizeof(output));
    } else {
      int r = crypto_strongest_rand_raw(output, sizeof(output));
      if (r == -1) {
        if (broken) {
          goto done; /* we're fine. */
        }
        /* This function is allowed to break, but only if it always breaks. */
        tt_int_op(i, OP_EQ, 0);
        tt_skip();
      } else {
        tt_assert(! broken);
      }
    }
    for (j = 0; j < N; ++j) {
      combine_and[j] &= output[j];
      combine_or[j] |= output[j];
    }
  }

  for (j = 0; j < N; ++j) {
    tt_int_op(combine_and[j], OP_EQ, 0);
    tt_int_op(combine_or[j], OP_EQ, 0xff);
  }
 done:
  ;
#undef N
}

349
/** Run unit tests for our AES128 functionality */
350
static void
351
test_crypto_aes128(void *arg)
352
353
{
  char *data1 = NULL, *data2 = NULL, *data3 = NULL;
354
  crypto_cipher_t *env1 = NULL, *env2 = NULL;
355
  int i, j;
356
  char *mem_op_hex_tmp=NULL;
357
  char key[CIPHER_KEY_LEN];
358
359
  int use_evp = !strcmp(arg,"evp");
  evaluate_evp_for_aes(use_evp);
360
  evaluate_ctr_for_aes();
361

362
363
364
365
366
367
368
369
370
371
372
  data1 = tor_malloc(1024);
  data2 = tor_malloc(1024);
  data3 = tor_malloc(1024);

  /* Now, test encryption and decryption with stream cipher. */
  data1[0]='\0';
  for (i = 1023; i>0; i -= 35)
    strncat(data1, "Now is the time for all good onions", i);

  memset(data2, 0, 1024);
  memset(data3, 0, 1024);
373
374
  crypto_rand(key, sizeof(key));
  env1 = crypto_cipher_new(key);
375
  tt_ptr_op(env1, OP_NE, NULL);
376
  env2 = crypto_cipher_new(key);
377
  tt_ptr_op(env2, OP_NE, NULL);
378
379
380
381

  /* Try encrypting 512 chars. */
  crypto_cipher_encrypt(env1, data2, data1, 512);
  crypto_cipher_decrypt(env2, data3, data2, 512);
382
383
  tt_mem_op(data1,OP_EQ, data3, 512);
  tt_mem_op(data1,OP_NE, data2, 512);
384
385
386
387
388
389
390
391

  /* Now encrypt 1 at a time, and get 1 at a time. */
  for (j = 512; j < 560; ++j) {
    crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
  }
  for (j = 512; j < 560; ++j) {
    crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
  }
392
  tt_mem_op(data1,OP_EQ, data3, 560);
393
394
395
396
397
398
399
  /* Now encrypt 3 at a time, and get 5 at a time. */
  for (j = 560; j < 1024-5; j += 3) {
    crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
  }
  for (j = 560; j < 1024-5; j += 5) {
    crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
  }
400
  tt_mem_op(data1,OP_EQ, data3, 1024-5);
401
402
  /* Now make sure that when we encrypt with different chunk sizes, we get
     the same results. */
403
  crypto_cipher_free(env2);
404
405
406
  env2 = NULL;

  memset(data3, 0, 1024);
407
  env2 = crypto_cipher_new(key);
408
  tt_ptr_op(env2, OP_NE, NULL);
409
410
411
412
413
414
415
416
  for (j = 0; j < 1024-16; j += 17) {
    crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
  }
  for (j= 0; j < 1024-16; ++j) {
    if (data2[j] != data3[j]) {
      printf("%d:  %d\t%d\n", j, (int) data2[j], (int) data3[j]);
    }
  }
417
  tt_mem_op(data2,OP_EQ, data3, 1024-16);
418
  crypto_cipher_free(env1);
419
  env1 = NULL;
420
  crypto_cipher_free(env2);
421
422
423
  env2 = NULL;

  /* NIST test vector for aes. */
424
425
426
  /* IV starts at 0 */
  env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
                           "\x00\x00\x00\x00\x00\x00\x00\x00");
427
428
429
430
431
432
433
  crypto_cipher_encrypt(env1, data1,
                        "\x00\x00\x00\x00\x00\x00\x00\x00"
                        "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");

  /* Now test rollover.  All these values are originally from a python
   * script. */
434
435
436
437
438
439
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\x00\x00\x00\x00\x00\x00\x00\x00"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
440
441
442
443
  memset(data2, 0,  1024);
  crypto_cipher_encrypt(env1, data1, data2, 32);
  test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
                        "cdd0b917dbc7186908a6bfb5ffd574d3");
444
445
446
447
448
449
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\x00\x00\x00\x00\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
450
451
452
453
  memset(data2, 0,  1024);
  crypto_cipher_encrypt(env1, data1, data2, 32);
  test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
                        "3e63c721df790d2c6469cc1953a3ffac");
454
455
456
457
458
459
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\xff\xff\xff\xff\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
460
461
462
463
464
465
  memset(data2, 0,  1024);
  crypto_cipher_encrypt(env1, data1, data2, 32);
  test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
                        "0EDD33D3C621E546455BD8BA1418BEC8");

  /* Now check rollover on inplace cipher. */
466
467
468
469
470
471
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\xff\xff\xff\xff\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
472
473
474
475
476
  crypto_cipher_crypt_inplace(env1, data2, 64);
  test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
                        "0EDD33D3C621E546455BD8BA1418BEC8"
                        "93e2c5243d6839eac58503919192f7ae"
                        "1908e67cafa08d508816659c2e693191");
477
478
479
480
481
482
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\xff\xff\xff\xff\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
483
  crypto_cipher_crypt_inplace(env1, data2, 64);
484
  tt_assert(tor_mem_is_zero(data2, 64));
485
486

 done:
487
  tor_free(mem_op_hex_tmp);
488
  if (env1)
489
    crypto_cipher_free(env1);
490
  if (env2)
491
    crypto_cipher_free(env2);
492
493
494
495
496
  tor_free(data1);
  tor_free(data2);
  tor_free(data3);
}

497
498
499
static void
test_crypto_aes_ctr_testvec(void *arg)
{
500
  const char *bitstr = arg;
501
  char *mem_op_hex_tmp=NULL;
502
  crypto_cipher_t *c=NULL;
503
504
505
506
507
508
509
510

  /* from NIST SP800-38a, section F.5 */
  const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
  const char plaintext16[] =
    "6bc1bee22e409f96e93d7e117393172a"
    "ae2d8a571e03ac9c9eb76fac45af8e51"
    "30c81c46a35ce411e5fbc1191a0a52ef"
    "f69f2445df4f9b17ad2b417be66c3710";
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
  const char *ciphertext16;
  const char *key16;
  int bits;

  if (!strcmp(bitstr, "128")) {
    ciphertext16 = /* section F.5.1 */
      "874d6191b620e3261bef6864990db6ce"
      "9806f66b7970fdff8617187bb9fffdff"
      "5ae4df3edbd5d35e5b4f09020db03eab"
      "1e031dda2fbe03d1792170a0f3009cee";
    key16 = "2b7e151628aed2a6abf7158809cf4f3c";
    bits = 128;
  } else if (!strcmp(bitstr, "192")) {
    ciphertext16 = /* section F.5.3 */
      "1abc932417521ca24f2b0459fe7e6e0b"
      "090339ec0aa6faefd5ccc2c6f4ce8e94"
      "1e36b26bd1ebc670d1bd1d665620abf7"
      "4f78a7f6d29809585a97daec58c6b050";
    key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
    bits = 192;
  } else if (!strcmp(bitstr, "256")) {
    ciphertext16 = /* section F.5.5 */
      "601ec313775789a5b7a7f504bbf3d228"
      "f443e3ca4d62b59aca84e990cacaf5c5"
      "2b0930daa23de94ce87017ba2d84988d"
      "dfc9c58db67aada613c2dd08457941a6";
    key16 =
      "603deb1015ca71be2b73aef0857d7781"
      "1f352c073b6108d72d9810a30914dff4";
    bits = 256;
  } else {
    tt_abort_msg("AES doesn't support this number of bits.");
  }
544

545
  char key[32];
546
547
  char iv[16];
  char plaintext[16*4];
548
  memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
549
550
  base16_decode(key, sizeof(key), key16, strlen(key16));
  base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
551
552
  base16_decode(plaintext, sizeof(plaintext),
                plaintext16, strlen(plaintext16));
553

554
  c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
555
556
557
558
559
  crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
  test_memeq_hex(plaintext, ciphertext16);

 done:
  tor_free(mem_op_hex_tmp);
560
  crypto_cipher_free(c);
561
562
}

563
564
/** Run unit tests for our SHA-1 functionality */
static void
565
test_crypto_sha(void *arg)
566
{
567
  crypto_digest_t *d1 = NULL, *d2 = NULL;
568
  int i;
569
570
571
572
573
#define RFC_4231_MAX_KEY_SIZE 131
  char key[RFC_4231_MAX_KEY_SIZE];
  char digest[DIGEST256_LEN];
  char data[DIGEST512_LEN];
  char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
574
  char *mem_op_hex_tmp=NULL;
575
576

  /* Test SHA-1 with a test vector from the specification. */
577
  (void)arg;
578
579
  i = crypto_digest(data, "abc", 3);
  test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
580
  tt_int_op(i, OP_EQ, 0);
581
582
583
584
585

  /* Test SHA-256 with a test vector from the specification. */
  i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
  test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
                       "96177A9CB410FF61F20015AD");
586
  tt_int_op(i, OP_EQ, 0);
587

588
589
590
591
592
593
594
  /* Test SHA-512 with a test vector from the specification. */
  i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
  test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
                       "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
                       "feebbd454d4423643ce80e2a9ac94fa54ca49f");
  tt_int_op(i, OP_EQ, 0);

595
596
597
598
  /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */

  /* Case empty (wikipedia) */
  crypto_hmac_sha256(digest, "", 0, "", 0);
599
  tt_str_op(hex_str(digest, 32),OP_EQ,
600
601
602
603
604
           "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");

  /* Case quick-brown (wikipedia) */
  crypto_hmac_sha256(digest, "key", 3,
                     "The quick brown fox jumps over the lazy dog", 43);
605
  tt_str_op(hex_str(digest, 32),OP_EQ,
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
           "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");

  /* "Test Case 1" from RFC 4231 */
  memset(key, 0x0b, 20);
  crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
  test_memeq_hex(digest,
                 "b0344c61d8db38535ca8afceaf0bf12b"
                 "881dc200c9833da726e9376c2e32cff7");

  /* "Test Case 2" from RFC 4231 */
  memset(key, 0x0b, 20);
  crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
  test_memeq_hex(digest,
                 "5bdcc146bf60754e6a042426089575c7"
                 "5a003f089d2739839dec58b964ec3843");

  /* "Test case 3" from RFC 4231 */
  memset(key, 0xaa, 20);
  memset(data, 0xdd, 50);
  crypto_hmac_sha256(digest, key, 20, data, 50);
  test_memeq_hex(digest,
                 "773ea91e36800e46854db8ebd09181a7"
                 "2959098b3ef8c122d9635514ced565fe");

  /* "Test case 4" from RFC 4231 */
  base16_decode(key, 25,
                "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
  memset(data, 0xcd, 50);
  crypto_hmac_sha256(digest, key, 25, data, 50);
  test_memeq_hex(digest,
                 "82558a389a443c0ea4cc819899f2083a"
                 "85f0faa3e578f8077a2e3ff46729665b");

  /* "Test case 5" from RFC 4231 */
  memset(key, 0x0c, 20);
  crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
  test_memeq_hex(digest,
                 "a3b6167473100ee06e0c796c2955552b");

  /* "Test case 6" from RFC 4231 */
  memset(key, 0xaa, 131);
  crypto_hmac_sha256(digest, key, 131,
                     "Test Using Larger Than Block-Size Key - Hash Key First",
                     54);
  test_memeq_hex(digest,
                 "60e431591ee0b67f0d8a26aacbf5b77f"
                 "8e0bc6213728c5140546040f0ee37f54");

  /* "Test case 7" from RFC 4231 */
  memset(key, 0xaa, 131);
  crypto_hmac_sha256(digest, key, 131,
                     "This is a test using a larger than block-size key and a "
                     "larger than block-size data. The key needs to be hashed "
                     "before being used by the HMAC algorithm.", 152);
  test_memeq_hex(digest,
                 "9b09ffa71b942fcb27635fbcd5b0e944"
                 "bfdc63644f0713938a7f51535c3a35e2");

664
  /* Incremental digest code. */
665
  d1 = crypto_digest_new();
666
  tt_assert(d1);
667
668
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
669
  tt_assert(d2);
670
  crypto_digest_add_bytes(d2, "ghijkl", 6);
671
  crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
672
  crypto_digest(d_out2, "abcdefghijkl", 12);
673
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
674
675
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
676
  crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
677
  crypto_digest(d_out2, "abcdefmno", 9);
678
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
679
  crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
680
  crypto_digest(d_out2, "abcdef", 6);
681
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
682
683
  crypto_digest_free(d1);
  crypto_digest_free(d2);
684
685

  /* Incremental digest code with sha256 */
686
  d1 = crypto_digest256_new(DIGEST_SHA256);
687
  tt_assert(d1);
688
689
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
690
  tt_assert(d2);
691
  crypto_digest_add_bytes(d2, "ghijkl", 6);
692
  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
693
  crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
694
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
695
696
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
697
  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
698
  crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
699
700
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
701
  crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
702
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
703
704
705
706
707
708
709
710
711
712
  crypto_digest_free(d1);
  crypto_digest_free(d2);

  /* Incremental digest code with sha512 */
  d1 = crypto_digest512_new(DIGEST_SHA512);
  tt_assert(d1);
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
  tt_assert(d2);
  crypto_digest_add_bytes(d2, "ghijkl", 6);
713
  crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
714
  crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
715
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
716
717
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
718
  crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
719
  crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
720
721
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
722
  crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
723
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
724
725
726

 done:
  if (d1)
727
    crypto_digest_free(d1);
728
  if (d2)
729
    crypto_digest_free(d2);
730
  tor_free(mem_op_hex_tmp);
731
732
}

733
734
735
736
737
738
739
740
static void
test_crypto_sha3(void *arg)
{
  crypto_digest_t *d1 = NULL, *d2 = NULL;
  int i;
  char data[DIGEST512_LEN];
  char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
  char *mem_op_hex_tmp=NULL;
741
  char *large = NULL;
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764

  (void)arg;

  /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
   *
   * NB: The code package's test vectors have length expressed in bits.
   */

  /* Len = 8, Msg = CC */
  const uint8_t keccak_kat_msg8[] = { 0xcc };
  i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
  test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
                       "6252BB7CE180B00B582DD9B20AAAD7F0");
  tt_int_op(i, OP_EQ, 0);
  i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
  test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
                       "C36E2EE0F652AC72E02624FA2E5ADEEC"
                       "C7DD6BB3580224B4D6138706FC6E8059"
                       "7B528051230B00621CC2B22999EAA205");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 24, Msg = 1F877C */
  const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
Nick Mathewson's avatar
Nick Mathewson committed
765
766
  i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
                       DIGEST_SHA3_256);
767
768
769
  test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
                       "C9C966712A501B19D1B6632CCD408EC5");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
770
771
  i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
                       DIGEST_SHA3_512);
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
  test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
                       "1A2F0D0608C3A575163751F002DB30F4"
                       "0F2F671834B22D208591CFAF1F5ECFE4"
                       "3C49863A53B3225BDFD7C6591BA7658B");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
  const uint8_t keccak_kat_msg1080[] = {
    0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
    0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
    0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
    0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
    0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
    0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
    0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
    0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
    0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
    0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
    0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
    0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
    0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
    0xD6, 0xA8, 0x05, 0x2F, 0xBB,
  };
Nick Mathewson's avatar
Nick Mathewson committed
795
796
  i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
                       DIGEST_SHA3_256);
797
798
799
  test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
                       "BE9B7C736B8059ABFD6779AC35AC81B5");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
800
801
  i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
                       DIGEST_SHA3_512);
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
  test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
                       "CB78696773A212A5F62D02D14E3259D1"
                       "92A87EBA4407DD83893527331407B6DA"
                       "DAAD920DBC46489B677493CE5F20B595");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
  const uint8_t keccak_kat_msg1088[] = {
    0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
    0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
    0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
    0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
    0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
    0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
    0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
    0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
    0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
    0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
    0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
    0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
    0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
    0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
  };
Nick Mathewson's avatar
Nick Mathewson committed
825
826
  i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
                       DIGEST_SHA3_256);
827
828
829
  test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
                       "77B5286364FE16C59CC8A907AFF07732");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
830
831
  i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
                       DIGEST_SHA3_512);
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
  test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
                       "FB94A14C72DE5ACD10D0EB5ECE029CAD"
                       "FA3BA17A40B2FFA2163991B17786E51C"
                       "ABA79E5E0FFD34CF085E2A098BE8BACB");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
  const uint8_t keccak_kat_msg1096[] = {
    0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
    0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
    0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
    0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
    0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
    0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
    0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
    0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
    0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
    0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
    0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
    0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
    0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
    0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
  };
Nick Mathewson's avatar
Nick Mathewson committed
855
856
  i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
                       DIGEST_SHA3_256);
857
858
859
  test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
                       "735E0177279222E7AC0AF8504762FAA0");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
860
861
  i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
                       DIGEST_SHA3_512);
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
  test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
                       "40474041DE83D4A60645A826D7AF1ABE"
                       "1EEFCB7B74B62CA6A514E5F2697D585B"
                       "FECECE12931BBE1D4ED7EBF7B0BE660E");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1144, Msg = EA40E83C...  ...66DFAFEC (SHA3-512 rate *2 - 1) */
  const uint8_t keccak_kat_msg1144[] = {
    0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
    0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
    0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
    0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
    0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
    0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
    0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
    0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
    0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
    0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
    0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
    0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
    0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
    0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
    0xDF, 0xAF, 0xEC,
  };
Nick Mathewson's avatar
Nick Mathewson committed
886
887
  i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
                       DIGEST_SHA3_512);
888
889
890
891
892
  test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
                       "605516615D96A062C8BE53A0D6C5A648"
                       "7BE35D2A8F3CF6620D0C2DBA2C560D68"
                       "295F284BE7F82F3B92919033C9CE5D80");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
893
894
  i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
                       DIGEST_SHA3_256);
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
  test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
                       "118C0C2C606BDCDA06E7943D2C95E0E5");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
  const uint8_t keccak_kat_msg1152[] = {
    0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
    0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
    0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
    0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
    0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
    0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
    0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
    0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
    0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
    0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
    0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
    0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
    0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
    0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
    0x9E, 0xE0, 0x0C, 0x63,
  };
Nick Mathewson's avatar
Nick Mathewson committed
917
918
  i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
                       DIGEST_SHA3_512);
919
920
921
922
923
  test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
                       "22775DCB6019DCD22B8885994672A088"
                       "9C69E8115C641DC8B83E39F7311815A1"
                       "64DC46E0BA2FCA344D86D4BC2EF2532C");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
924
925
  i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
                       DIGEST_SHA3_256);
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
  test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
                       "84DA47678F3C2FFE5A39FDB5F7E63FFB");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */
  const uint8_t keccak_kat_msg1160[] = {
    0x83, 0x6B, 0x34, 0xB5, 0x15, 0x47, 0x6F, 0x61, 0x3F, 0xE4,
    0x47, 0xA4, 0xE0, 0xC3, 0xF3, 0xB8, 0xF2, 0x09, 0x10, 0xAC,
    0x89, 0xA3, 0x97, 0x70, 0x55, 0xC9, 0x60, 0xD2, 0xD5, 0xD2,
    0xB7, 0x2B, 0xD8, 0xAC, 0xC7, 0x15, 0xA9, 0x03, 0x53, 0x21,
    0xB8, 0x67, 0x03, 0xA4, 0x11, 0xDD, 0xE0, 0x46, 0x6D, 0x58,
    0xA5, 0x97, 0x69, 0x67, 0x2A, 0xA6, 0x0A, 0xD5, 0x87, 0xB8,
    0x48, 0x1D, 0xE4, 0xBB, 0xA5, 0x52, 0xA1, 0x64, 0x57, 0x79,
    0x78, 0x95, 0x01, 0xEC, 0x53, 0xD5, 0x40, 0xB9, 0x04, 0x82,
    0x1F, 0x32, 0xB0, 0xBD, 0x18, 0x55, 0xB0, 0x4E, 0x48, 0x48,
    0xF9, 0xF8, 0xCF, 0xE9, 0xEB, 0xD8, 0x91, 0x1B, 0xE9, 0x57,
    0x81, 0xA7, 0x59, 0xD7, 0xAD, 0x97, 0x24, 0xA7, 0x10, 0x2D,
    0xBE, 0x57, 0x67, 0x76, 0xB7, 0xC6, 0x32, 0xBC, 0x39, 0xB9,
    0xB5, 0xE1, 0x90, 0x57, 0xE2, 0x26, 0x55, 0x2A, 0x59, 0x94,
    0xC1, 0xDB, 0xB3, 0xB5, 0xC7, 0x87, 0x1A, 0x11, 0xF5, 0x53,
    0x70, 0x11, 0x04, 0x4C, 0x53,
  };
Nick Mathewson's avatar
Nick Mathewson committed
948
949
  i = crypto_digest512(data, (const char*)keccak_kat_msg1160, 145,
                       DIGEST_SHA3_512);
950
951
952
953
954
  test_memeq_hex(data, "AFF61C6E11B98E55AC213B1A0BC7DE04"
                       "05221AC5EFB1229842E4614F4A029C9B"
                       "D14A0ED7FD99AF3681429F3F309FDB53"
                       "166AA9A3CD9F1F1223D04B4A9015E94A");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
955
956
  i = crypto_digest256(data, (const char*)keccak_kat_msg1160, 145,
                       DIGEST_SHA3_256);
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
  test_memeq_hex(data, "3A654B88F88086C2751EDAE6D3924814"
                       "3CF6235C6B0B7969342C45A35194B67E");
  tt_int_op(i, OP_EQ, 0);

  /* SHA3-[256,512] Empty case (wikipedia) */
  i = crypto_digest256(data, "", 0, DIGEST_SHA3_256);
  test_memeq_hex(data, "a7ffc6f8bf1ed76651c14756a061d662"
                       "f580ff4de43b49fa82d80a4b80f8434a");
  tt_int_op(i, OP_EQ, 0);
  i = crypto_digest512(data, "", 0, DIGEST_SHA3_512);
  test_memeq_hex(data, "a69f73cca23a9ac5c8b567dc185a756e"
                       "97c982164fe25859e0d1dcc1475c80a6"
                       "15b2123af1f5f94c11e3e9402c3ac558"
                       "f500199d95b6d3e301758586281dcd26");
  tt_int_op(i, OP_EQ, 0);

  /* Incremental digest code with SHA3-256 */
  d1 = crypto_digest256_new(DIGEST_SHA3_256);
  tt_assert(d1);
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
  tt_assert(d2);
  crypto_digest_add_bytes(d2, "ghijkl", 6);
  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA3_256);
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
  crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA3_256);
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
  crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA3_256);
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  crypto_digest_free(d1);
  crypto_digest_free(d2);

  /* Incremental digest code with SHA3-512 */
  d1 = crypto_digest512_new(DIGEST_SHA3_512);
  tt_assert(d1);
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
  tt_assert(d2);
  crypto_digest_add_bytes(d2, "ghijkl", 6);
For faster browsing, not all history is shown. View entire blame