test_crypto.c 116 KB
Newer Older
1
2
/* Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
Nick Mathewson's avatar
Nick Mathewson committed
3
 * Copyright (c) 2007-2019, The Tor Project, Inc. */
4
5
6
/* See LICENSE for licensing information */

#include "orconfig.h"
7
#define CRYPTO_CURVE25519_PRIVATE
8
#define CRYPTO_RAND_PRIVATE
9
#include "core/or/or.h"
Nick Mathewson's avatar
Nick Mathewson committed
10
#include "test/test.h"
11
#include "lib/crypt_ops/aes.h"
12
#include "siphash.h"
13
#include "lib/crypt_ops/crypto_curve25519.h"
14
#include "lib/crypt_ops/crypto_dh.h"
15
#include "lib/crypt_ops/crypto_ed25519.h"
16
#include "lib/crypt_ops/crypto_format.h"
17
#include "lib/crypt_ops/crypto_hkdf.h"
18
#include "lib/crypt_ops/crypto_rand.h"
19
#include "lib/crypt_ops/crypto_init.h"
20
#include "ed25519_vectors.inc"
21
#include "test/log_test_helpers.h"
22

23
24
25
26
27
28
29
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

Nick Mathewson's avatar
Nick Mathewson committed
30
31
32
33
34
35
36
#if defined(ENABLE_OPENSSL)
#include "lib/crypt_ops/compat_openssl.h"
DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/dh.h>
ENABLE_GCC_WARNING(redundant-decls)
#endif

37
38
/** Run unit tests for Diffie-Hellman functionality. */
static void
39
test_crypto_dh(void *arg)
40
{
41
  crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
42
  crypto_dh_t *dh1_dup = NULL;
43
  crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
44
45
46
47
  char p1[DH1024_KEY_LEN];
  char p2[DH1024_KEY_LEN];
  char s1[DH1024_KEY_LEN];
  char s2[DH1024_KEY_LEN];
48
  ssize_t s1len, s2len;
Nick Mathewson's avatar
Nick Mathewson committed
49
50
51
52
53
#ifdef ENABLE_OPENSSL
  crypto_dh_t *dh3 = NULL;
  DH *dh4 = NULL;
  BIGNUM *pubkey_tmp = NULL;
#endif
54

55
  (void)arg;
56
57
  tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN);
  tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN);
58

59
60
61
  memset(p1, 0, DH1024_KEY_LEN);
  memset(p2, 0, DH1024_KEY_LEN);
  tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN);
62
63
64

  tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */

65
66
67
68
  tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
  tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
  tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN));
  tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN);
69

70
71
72
73
  memset(s1, 0, DH1024_KEY_LEN);
  memset(s2, 0xFF, DH1024_KEY_LEN);
  s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50);
  s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50);
74
  tt_assert(s1len > 0);
75
76
  tt_int_op(s1len,OP_EQ, s2len);
  tt_mem_op(s1,OP_EQ, s2, s1len);
77

78
79
  /* test dh_dup; make sure it works the same. */
  dh1_dup = crypto_dh_dup(dh1);
80
81
  s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN,
                                   s1, 50);
82
  tt_i64_op(s1len, OP_GE, 0);
83
84
  tt_mem_op(s1,OP_EQ, s2, s1len);

85
  {
86
87
88
89
90
91
92
93
94
    /* Now fabricate some bad values and make sure they get caught. */

    /* 1 and 0 should both fail. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x01", 1, s1, 50);
    tt_int_op(-1, OP_EQ, s1len);

    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50);
    tt_int_op(-1, OP_EQ, s1len);

95
96
97
    memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
98
99
    tt_int_op(-1, OP_EQ, s1len);

100
101
102
    p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
103
104
105
106
107
108
    tt_int_op(-1, OP_EQ, s1len);

    /* 2 is okay, though weird. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
    tt_int_op(50, OP_EQ, s1len);

Nick Mathewson's avatar
Nick Mathewson committed
109
110
111
112
    /* 2 a second time is still okay, though weird. */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x02", 1, s1, 50);
    tt_int_op(50, OP_EQ, s1len);

113
114
115
116
117
118
119
120
121
122
    const char P[] =
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
      "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "49286651ECE65381FFFFFFFFFFFFFFFF";

    /* p-1, p, and so on are not okay. */
    base16_decode(p1, sizeof(p1), P, strlen(P));

123
124
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
125
126
    tt_int_op(-1, OP_EQ, s1len);

127
128
129
    p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
130
131
    tt_int_op(-1, OP_EQ, s1len);

132
133
134
    p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
135
136
137
138
139
140
141
142
143
144
145
    tt_int_op(50, OP_EQ, s1len);

    const char P_plus_one[] =
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
      "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "49286651ECE653820000000000000000";

    base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one));

146
147
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
148
149
    tt_int_op(-1, OP_EQ, s1len);

150
151
152
    p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
153
154
    tt_int_op(-1, OP_EQ, s1len);

155
156
157
    p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
158
159
    tt_int_op(-1, OP_EQ, s1len);

160
161
162
    memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN,
                                     s1, 50);
163
    tt_int_op(-1, OP_EQ, s1len);
164
165
  }

166
167
168
  {
    /* provoke an error in the openssl DH_compute_key function; make sure we
     * survive. */
169
    tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN));
170
171
172
173

    crypto_dh_free(dh2);
    dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */
    s1len = crypto_dh_compute_secret(LOG_WARN, dh2,
174
                                     p1, DH1024_KEY_LEN,
175
176
177
178
                                     s1, 50);
    tt_int_op(s1len, OP_EQ, -1);
  }

Nick Mathewson's avatar
Nick Mathewson committed
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
#if defined(ENABLE_OPENSSL)
  {
    /* Make sure that our crypto library can handshake with openssl. */
    dh3 = crypto_dh_new(DH_TYPE_TLS);
    tt_assert(!crypto_dh_get_public(dh3, p1, DH1024_KEY_LEN));

    dh4 = crypto_dh_new_openssl_tls();
    tt_assert(DH_generate_key(dh4));
    const BIGNUM *pk=NULL;
#ifdef OPENSSL_1_1_API
    const BIGNUM *sk=NULL;
    DH_get0_key(dh4, &pk, &sk);
#else
    pk = dh4->pub_key;
#endif
    tt_assert(pk);
    tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
    tt_int_op(BN_num_bytes(pk), OP_GT, 0);
    memset(p2, 0, sizeof(p2));
    /* right-pad. */
    BN_bn2bin(pk, (unsigned char *)(p2+DH1024_KEY_LEN-BN_num_bytes(pk)));

    s1len = crypto_dh_handshake(LOG_WARN, dh3, p2, DH1024_KEY_LEN,
                                (unsigned char *)s1, sizeof(s1));
    pubkey_tmp = BN_bin2bn((unsigned char *)p1, DH1024_KEY_LEN, NULL);
    s2len = DH_compute_key((unsigned char *)s2, pubkey_tmp, dh4);

    tt_int_op(s1len, OP_EQ, s2len);
    tt_int_op(s1len, OP_GT, 0);
    tt_mem_op(s1, OP_EQ, s2, s1len);
  }
#endif

212
213
214
 done:
  crypto_dh_free(dh1);
  crypto_dh_free(dh2);
215
  crypto_dh_free(dh1_dup);
Nick Mathewson's avatar
Nick Mathewson committed
216
217
218
219
220
221
222
#ifdef ENABLE_OPENSSL
  crypto_dh_free(dh3);
  if (dh4)
    DH_free(dh4);
  if (pubkey_tmp)
    BN_free(pubkey_tmp);
#endif
223
224
}

225
226
227
228
static void
test_crypto_openssl_version(void *arg)
{
  (void)arg;
229
230
231
#ifdef ENABLE_NSS
  tt_skip();
#else
232
233
234
235
  const char *version = crypto_openssl_get_version_str();
  const char *h_version = crypto_openssl_get_header_version_str();
  tt_assert(version);
  tt_assert(h_version);
236
237
238
239
240
241
242
  if (strcmpstart(version, h_version)) { /* "-fips" suffix, etc */
    TT_DIE(("OpenSSL library version %s did not begin with header version %s.",
            version, h_version));
  }
  if (strstr(version, "OpenSSL")) {
    TT_DIE(("assertion failed: !strstr(\"%s\", \"OpenSSL\")", version));
  }
243
  int a=-1,b=-1,c=-1;
244
245
  if (!strcmpstart(version, "LibreSSL") || !strcmpstart(version, "BoringSSL"))
    return;
246
247
  int r = tor_sscanf(version, "%d.%d.%d", &a,&b,&c);
  tt_int_op(r, OP_EQ, 3);
248
249
250
  tt_int_op(a, OP_GE, 0);
  tt_int_op(b, OP_GE, 0);
  tt_int_op(c, OP_GE, 0);
251
#endif
252
253
254
255
256

 done:
  ;
}

257
258
259
/** Run unit tests for our random number generation function and its wrappers.
 */
static void
260
test_crypto_rng(void *arg)
261
262
263
{
  int i, j, allok;
  char data1[100], data2[100];
264
  double d;
265
  char *h=NULL;
266
267

  /* Try out RNG. */
268
  (void)arg;
269
  tt_assert(! crypto_seed_rng());
270
271
  crypto_rand(data1, 100);
  crypto_rand(data2, 100);
272
  tt_mem_op(data1,OP_NE, data2,100);
273
274
275
276
277
  allok = 1;
  for (i = 0; i < 100; ++i) {
    uint64_t big;
    char *host;
    j = crypto_rand_int(100);
278
    if (j < 0 || j >= 100)
279
      allok = 0;
280
281
    big = crypto_rand_uint64(UINT64_C(1)<<40);
    if (big >= (UINT64_C(1)<<40))
282
      allok = 0;
283
    big = crypto_rand_uint64(UINT64_C(5));
284
285
    if (big >= 5)
      allok = 0;
286
    d = crypto_rand_double();
287
288
    tt_assert(d >= 0);
    tt_assert(d < 1.0);
289
290
291
292
293
294
295
296
    host = crypto_random_hostname(3,8,"www.",".onion");
    if (strcmpstart(host,"www.") ||
        strcmpend(host,".onion") ||
        strlen(host) < 13 ||
        strlen(host) > 18)
      allok = 0;
    tor_free(host);
  }
297
298
299
300
301
302
303

  /* Make sure crypto_random_hostname clips its inputs properly. */
  h = crypto_random_hostname(20000, 9000, "www.", ".onion");
  tt_assert(! strcmpstart(h,"www."));
  tt_assert(! strcmpend(h,".onion"));
  tt_int_op(63+4+6, OP_EQ, strlen(h));

304
  tt_assert(allok);
305
 done:
306
  tor_free(h);
307
308
}

309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
static void
test_crypto_rng_range(void *arg)
{
  int got_smallest = 0, got_largest = 0;
  int i;

  (void)arg;
  for (i = 0; i < 1000; ++i) {
    int x = crypto_rand_int_range(5,9);
    tt_int_op(x, OP_GE, 5);
    tt_int_op(x, OP_LT, 9);
    if (x == 5)
      got_smallest = 1;
    if (x == 8)
      got_largest = 1;
  }
  /* These fail with probability 1/10^603. */
  tt_assert(got_smallest);
  tt_assert(got_largest);
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356

  got_smallest = got_largest = 0;
  const uint64_t ten_billion = 10 * ((uint64_t)1000000000000);
  for (i = 0; i < 1000; ++i) {
    uint64_t x = crypto_rand_uint64_range(ten_billion, ten_billion+10);
    tt_u64_op(x, OP_GE, ten_billion);
    tt_u64_op(x, OP_LT, ten_billion+10);
    if (x == ten_billion)
      got_smallest = 1;
    if (x == ten_billion+9)
      got_largest = 1;
  }

  tt_assert(got_smallest);
  tt_assert(got_largest);

  const time_t now = time(NULL);
  for (i = 0; i < 2000; ++i) {
    time_t x = crypto_rand_time_range(now, now+60);
    tt_i64_op(x, OP_GE, now);
    tt_i64_op(x, OP_LT, now+60);
    if (x == now)
      got_smallest = 1;
    if (x == now+59)
      got_largest = 1;
  }

  tt_assert(got_smallest);
  tt_assert(got_largest);
357
358
359
360
 done:
  ;
}

361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
static void
test_crypto_rng_strongest(void *arg)
{
  const char *how = arg;
  int broken = 0;

  if (how == NULL) {
    ;
  } else if (!strcmp(how, "nosyscall")) {
    break_strongest_rng_syscall = 1;
  } else if (!strcmp(how, "nofallback")) {
    break_strongest_rng_fallback = 1;
  } else if (!strcmp(how, "broken")) {
    broken = break_strongest_rng_syscall = break_strongest_rng_fallback = 1;
  }

#define N 128
  uint8_t combine_and[N];
  uint8_t combine_or[N];
  int i, j;

  memset(combine_and, 0xff, N);
  memset(combine_or, 0, N);

  for (i = 0; i < 100; ++i) { /* 2^-100 chances just don't happen. */
    uint8_t output[N];
    memset(output, 0, N);
    if (how == NULL) {
      /* this one can't fail. */
      crypto_strongest_rand(output, sizeof(output));
    } else {
      int r = crypto_strongest_rand_raw(output, sizeof(output));
      if (r == -1) {
        if (broken) {
          goto done; /* we're fine. */
        }
        /* This function is allowed to break, but only if it always breaks. */
        tt_int_op(i, OP_EQ, 0);
        tt_skip();
      } else {
        tt_assert(! broken);
      }
    }
    for (j = 0; j < N; ++j) {
      combine_and[j] &= output[j];
      combine_or[j] |= output[j];
    }
  }

  for (j = 0; j < N; ++j) {
    tt_int_op(combine_and[j], OP_EQ, 0);
    tt_int_op(combine_or[j], OP_EQ, 0xff);
  }
 done:
  ;
#undef N
}

419
/** Run unit tests for our AES128 functionality */
420
static void
421
test_crypto_aes128(void *arg)
422
423
{
  char *data1 = NULL, *data2 = NULL, *data3 = NULL;
424
  crypto_cipher_t *env1 = NULL, *env2 = NULL;
425
  int i, j;
426
  char *mem_op_hex_tmp=NULL;
427
  char key[CIPHER_KEY_LEN];
428
429
  int use_evp = !strcmp(arg,"evp");
  evaluate_evp_for_aes(use_evp);
430
  evaluate_ctr_for_aes();
431

432
433
434
435
436
437
438
439
440
441
442
  data1 = tor_malloc(1024);
  data2 = tor_malloc(1024);
  data3 = tor_malloc(1024);

  /* Now, test encryption and decryption with stream cipher. */
  data1[0]='\0';
  for (i = 1023; i>0; i -= 35)
    strncat(data1, "Now is the time for all good onions", i);

  memset(data2, 0, 1024);
  memset(data3, 0, 1024);
443
444
  crypto_rand(key, sizeof(key));
  env1 = crypto_cipher_new(key);
445
  tt_ptr_op(env1, OP_NE, NULL);
446
  env2 = crypto_cipher_new(key);
447
  tt_ptr_op(env2, OP_NE, NULL);
448
449
450
451

  /* Try encrypting 512 chars. */
  crypto_cipher_encrypt(env1, data2, data1, 512);
  crypto_cipher_decrypt(env2, data3, data2, 512);
452
453
  tt_mem_op(data1,OP_EQ, data3, 512);
  tt_mem_op(data1,OP_NE, data2, 512);
454
455
456
457
458
459
460
461

  /* Now encrypt 1 at a time, and get 1 at a time. */
  for (j = 512; j < 560; ++j) {
    crypto_cipher_encrypt(env1, data2+j, data1+j, 1);
  }
  for (j = 512; j < 560; ++j) {
    crypto_cipher_decrypt(env2, data3+j, data2+j, 1);
  }
462
  tt_mem_op(data1,OP_EQ, data3, 560);
463
464
465
466
467
468
469
  /* Now encrypt 3 at a time, and get 5 at a time. */
  for (j = 560; j < 1024-5; j += 3) {
    crypto_cipher_encrypt(env1, data2+j, data1+j, 3);
  }
  for (j = 560; j < 1024-5; j += 5) {
    crypto_cipher_decrypt(env2, data3+j, data2+j, 5);
  }
470
  tt_mem_op(data1,OP_EQ, data3, 1024-5);
471
472
  /* Now make sure that when we encrypt with different chunk sizes, we get
     the same results. */
473
  crypto_cipher_free(env2);
474
475
476
  env2 = NULL;

  memset(data3, 0, 1024);
477
  env2 = crypto_cipher_new(key);
478
  tt_ptr_op(env2, OP_NE, NULL);
479
480
481
482
483
484
485
486
  for (j = 0; j < 1024-16; j += 17) {
    crypto_cipher_encrypt(env2, data3+j, data1+j, 17);
  }
  for (j= 0; j < 1024-16; ++j) {
    if (data2[j] != data3[j]) {
      printf("%d:  %d\t%d\n", j, (int) data2[j], (int) data3[j]);
    }
  }
487
  tt_mem_op(data2,OP_EQ, data3, 1024-16);
488
  crypto_cipher_free(env1);
489
  env1 = NULL;
490
  crypto_cipher_free(env2);
491
492
493
  env2 = NULL;

  /* NIST test vector for aes. */
494
495
496
  /* IV starts at 0 */
  env1 = crypto_cipher_new("\x80\x00\x00\x00\x00\x00\x00\x00"
                           "\x00\x00\x00\x00\x00\x00\x00\x00");
497
498
499
500
501
502
503
  crypto_cipher_encrypt(env1, data1,
                        "\x00\x00\x00\x00\x00\x00\x00\x00"
                        "\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  test_memeq_hex(data1, "0EDD33D3C621E546455BD8BA1418BEC8");

  /* Now test rollover.  All these values are originally from a python
   * script. */
504
505
506
507
508
509
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\x00\x00\x00\x00\x00\x00\x00\x00"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
510
511
512
513
  memset(data2, 0,  1024);
  crypto_cipher_encrypt(env1, data1, data2, 32);
  test_memeq_hex(data1, "335fe6da56f843199066c14a00a40231"
                        "cdd0b917dbc7186908a6bfb5ffd574d3");
514
515
516
517
518
519
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\x00\x00\x00\x00\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
520
521
522
523
  memset(data2, 0,  1024);
  crypto_cipher_encrypt(env1, data1, data2, 32);
  test_memeq_hex(data1, "e627c6423fa2d77832a02b2794094b73"
                        "3e63c721df790d2c6469cc1953a3ffac");
524
525
526
527
528
529
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\xff\xff\xff\xff\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
530
531
532
533
534
535
  memset(data2, 0,  1024);
  crypto_cipher_encrypt(env1, data1, data2, 32);
  test_memeq_hex(data1, "2aed2bff0de54f9328efd070bf48f70a"
                        "0EDD33D3C621E546455BD8BA1418BEC8");

  /* Now check rollover on inplace cipher. */
536
537
538
539
540
541
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\xff\xff\xff\xff\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
542
543
544
545
546
  crypto_cipher_crypt_inplace(env1, data2, 64);
  test_memeq_hex(data2, "2aed2bff0de54f9328efd070bf48f70a"
                        "0EDD33D3C621E546455BD8BA1418BEC8"
                        "93e2c5243d6839eac58503919192f7ae"
                        "1908e67cafa08d508816659c2e693191");
547
548
549
550
551
552
  crypto_cipher_free(env1);
  env1 = crypto_cipher_new_with_iv(
                                   "\x80\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00",
                                   "\xff\xff\xff\xff\xff\xff\xff\xff"
                                   "\xff\xff\xff\xff\xff\xff\xff\xff");
553
  crypto_cipher_crypt_inplace(env1, data2, 64);
554
  tt_assert(tor_mem_is_zero(data2, 64));
555
556

 done:
557
  tor_free(mem_op_hex_tmp);
558
  if (env1)
559
    crypto_cipher_free(env1);
560
  if (env2)
561
    crypto_cipher_free(env2);
562
563
564
565
566
  tor_free(data1);
  tor_free(data2);
  tor_free(data3);
}

567
568
569
static void
test_crypto_aes_ctr_testvec(void *arg)
{
570
  const char *bitstr = arg;
571
  char *mem_op_hex_tmp=NULL;
572
  crypto_cipher_t *c=NULL;
573
574
575
576
577
578
579
580

  /* from NIST SP800-38a, section F.5 */
  const char ctr16[] = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff";
  const char plaintext16[] =
    "6bc1bee22e409f96e93d7e117393172a"
    "ae2d8a571e03ac9c9eb76fac45af8e51"
    "30c81c46a35ce411e5fbc1191a0a52ef"
    "f69f2445df4f9b17ad2b417be66c3710";
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
  const char *ciphertext16;
  const char *key16;
  int bits;

  if (!strcmp(bitstr, "128")) {
    ciphertext16 = /* section F.5.1 */
      "874d6191b620e3261bef6864990db6ce"
      "9806f66b7970fdff8617187bb9fffdff"
      "5ae4df3edbd5d35e5b4f09020db03eab"
      "1e031dda2fbe03d1792170a0f3009cee";
    key16 = "2b7e151628aed2a6abf7158809cf4f3c";
    bits = 128;
  } else if (!strcmp(bitstr, "192")) {
    ciphertext16 = /* section F.5.3 */
      "1abc932417521ca24f2b0459fe7e6e0b"
      "090339ec0aa6faefd5ccc2c6f4ce8e94"
      "1e36b26bd1ebc670d1bd1d665620abf7"
      "4f78a7f6d29809585a97daec58c6b050";
    key16 = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
    bits = 192;
  } else if (!strcmp(bitstr, "256")) {
    ciphertext16 = /* section F.5.5 */
      "601ec313775789a5b7a7f504bbf3d228"
      "f443e3ca4d62b59aca84e990cacaf5c5"
      "2b0930daa23de94ce87017ba2d84988d"
      "dfc9c58db67aada613c2dd08457941a6";
    key16 =
      "603deb1015ca71be2b73aef0857d7781"
      "1f352c073b6108d72d9810a30914dff4";
    bits = 256;
  } else {
    tt_abort_msg("AES doesn't support this number of bits.");
  }
614

615
  char key[32];
616
617
  char iv[16];
  char plaintext[16*4];
618
  memset(key, 0xf9, sizeof(key)); /* poison extra bytes */
619
620
  base16_decode(key, sizeof(key), key16, strlen(key16));
  base16_decode(iv, sizeof(iv), ctr16, strlen(ctr16));
621
622
  base16_decode(plaintext, sizeof(plaintext),
                plaintext16, strlen(plaintext16));
623

624
  c = crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv, bits);
625
626
627
628
629
  crypto_cipher_crypt_inplace(c, plaintext, sizeof(plaintext));
  test_memeq_hex(plaintext, ciphertext16);

 done:
  tor_free(mem_op_hex_tmp);
630
  crypto_cipher_free(c);
631
632
}

633
634
/** Run unit tests for our SHA-1 functionality */
static void
635
test_crypto_sha(void *arg)
636
{
637
  crypto_digest_t *d1 = NULL, *d2 = NULL;
638
  int i;
639
640
641
642
643
#define RFC_4231_MAX_KEY_SIZE 131
  char key[RFC_4231_MAX_KEY_SIZE];
  char digest[DIGEST256_LEN];
  char data[DIGEST512_LEN];
  char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
644
  char *mem_op_hex_tmp=NULL;
645
646

  /* Test SHA-1 with a test vector from the specification. */
647
  (void)arg;
648
649
  i = crypto_digest(data, "abc", 3);
  test_memeq_hex(data, "A9993E364706816ABA3E25717850C26C9CD0D89D");
650
  tt_int_op(i, OP_EQ, 0);
651
652
653
654
655

  /* Test SHA-256 with a test vector from the specification. */
  i = crypto_digest256(data, "abc", 3, DIGEST_SHA256);
  test_memeq_hex(data, "BA7816BF8F01CFEA414140DE5DAE2223B00361A3"
                       "96177A9CB410FF61F20015AD");
656
  tt_int_op(i, OP_EQ, 0);
657

658
659
660
661
662
663
664
  /* Test SHA-512 with a test vector from the specification. */
  i = crypto_digest512(data, "abc", 3, DIGEST_SHA512);
  test_memeq_hex(data, "ddaf35a193617abacc417349ae20413112e6fa4e89a97"
                       "ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3"
                       "feebbd454d4423643ce80e2a9ac94fa54ca49f");
  tt_int_op(i, OP_EQ, 0);

665
666
667
668
  /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */

  /* Case empty (wikipedia) */
  crypto_hmac_sha256(digest, "", 0, "", 0);
669
  tt_str_op(hex_str(digest, 32),OP_EQ,
670
671
672
673
674
           "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");

  /* Case quick-brown (wikipedia) */
  crypto_hmac_sha256(digest, "key", 3,
                     "The quick brown fox jumps over the lazy dog", 43);
675
  tt_str_op(hex_str(digest, 32),OP_EQ,
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
           "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8");

  /* "Test Case 1" from RFC 4231 */
  memset(key, 0x0b, 20);
  crypto_hmac_sha256(digest, key, 20, "Hi There", 8);
  test_memeq_hex(digest,
                 "b0344c61d8db38535ca8afceaf0bf12b"
                 "881dc200c9833da726e9376c2e32cff7");

  /* "Test Case 2" from RFC 4231 */
  memset(key, 0x0b, 20);
  crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28);
  test_memeq_hex(digest,
                 "5bdcc146bf60754e6a042426089575c7"
                 "5a003f089d2739839dec58b964ec3843");

  /* "Test case 3" from RFC 4231 */
  memset(key, 0xaa, 20);
  memset(data, 0xdd, 50);
  crypto_hmac_sha256(digest, key, 20, data, 50);
  test_memeq_hex(digest,
                 "773ea91e36800e46854db8ebd09181a7"
                 "2959098b3ef8c122d9635514ced565fe");

  /* "Test case 4" from RFC 4231 */
  base16_decode(key, 25,
                "0102030405060708090a0b0c0d0e0f10111213141516171819", 50);
  memset(data, 0xcd, 50);
  crypto_hmac_sha256(digest, key, 25, data, 50);
  test_memeq_hex(digest,
                 "82558a389a443c0ea4cc819899f2083a"
                 "85f0faa3e578f8077a2e3ff46729665b");

  /* "Test case 5" from RFC 4231 */
  memset(key, 0x0c, 20);
  crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20);
  test_memeq_hex(digest,
                 "a3b6167473100ee06e0c796c2955552b");

  /* "Test case 6" from RFC 4231 */
  memset(key, 0xaa, 131);
  crypto_hmac_sha256(digest, key, 131,
                     "Test Using Larger Than Block-Size Key - Hash Key First",
                     54);
  test_memeq_hex(digest,
                 "60e431591ee0b67f0d8a26aacbf5b77f"
                 "8e0bc6213728c5140546040f0ee37f54");

  /* "Test case 7" from RFC 4231 */
  memset(key, 0xaa, 131);
  crypto_hmac_sha256(digest, key, 131,
                     "This is a test using a larger than block-size key and a "
                     "larger than block-size data. The key needs to be hashed "
                     "before being used by the HMAC algorithm.", 152);
  test_memeq_hex(digest,
                 "9b09ffa71b942fcb27635fbcd5b0e944"
                 "bfdc63644f0713938a7f51535c3a35e2");

734
  /* Incremental digest code. */
735
  d1 = crypto_digest_new();
736
  tt_assert(d1);
737
738
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
739
  tt_assert(d2);
740
  crypto_digest_add_bytes(d2, "ghijkl", 6);
741
  crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
742
  crypto_digest(d_out2, "abcdefghijkl", 12);
743
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
744
745
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
746
  crypto_digest_get_digest(d2, d_out1, DIGEST_LEN);
747
  crypto_digest(d_out2, "abcdefmno", 9);
748
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
749
  crypto_digest_get_digest(d1, d_out1, DIGEST_LEN);
750
  crypto_digest(d_out2, "abcdef", 6);
751
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST_LEN);
752
753
  crypto_digest_free(d1);
  crypto_digest_free(d2);
754
755

  /* Incremental digest code with sha256 */
756
  d1 = crypto_digest256_new(DIGEST_SHA256);
757
  tt_assert(d1);
758
759
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
760
  tt_assert(d2);
761
  crypto_digest_add_bytes(d2, "ghijkl", 6);
762
  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
763
  crypto_digest256(d_out2, "abcdefghijkl", 12, DIGEST_SHA256);
764
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
765
766
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
767
  crypto_digest_get_digest(d2, d_out1, DIGEST256_LEN);
768
  crypto_digest256(d_out2, "abcdefmno", 9, DIGEST_SHA256);
769
770
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
  crypto_digest_get_digest(d1, d_out1, DIGEST256_LEN);
771
  crypto_digest256(d_out2, "abcdef", 6, DIGEST_SHA256);
772
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST256_LEN);
773
774
775
776
777
778
779
780
781
782
  crypto_digest_free(d1);
  crypto_digest_free(d2);

  /* Incremental digest code with sha512 */
  d1 = crypto_digest512_new(DIGEST_SHA512);
  tt_assert(d1);
  crypto_digest_add_bytes(d1, "abcdef", 6);
  d2 = crypto_digest_dup(d1);
  tt_assert(d2);
  crypto_digest_add_bytes(d2, "ghijkl", 6);
783
  crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
784
  crypto_digest512(d_out2, "abcdefghijkl", 12, DIGEST_SHA512);
785
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
786
787
  crypto_digest_assign(d2, d1);
  crypto_digest_add_bytes(d2, "mno", 3);
788
  crypto_digest_get_digest(d2, d_out1, DIGEST512_LEN);
789
  crypto_digest512(d_out2, "abcdefmno", 9, DIGEST_SHA512);
790
791
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
  crypto_digest_get_digest(d1, d_out1, DIGEST512_LEN);
792
  crypto_digest512(d_out2, "abcdef", 6, DIGEST_SHA512);
793
  tt_mem_op(d_out1,OP_EQ, d_out2, DIGEST512_LEN);
794
795
796

 done:
  if (d1)
797
    crypto_digest_free(d1);
798
  if (d2)
799
    crypto_digest_free(d2);
800
  tor_free(mem_op_hex_tmp);
801
802
}

803
804
805
806
807
808
809
810
static void
test_crypto_sha3(void *arg)
{
  crypto_digest_t *d1 = NULL, *d2 = NULL;
  int i;
  char data[DIGEST512_LEN];
  char d_out1[DIGEST512_LEN], d_out2[DIGEST512_LEN];
  char *mem_op_hex_tmp=NULL;
811
  char *large = NULL;
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834

  (void)arg;

  /* Test SHA3-[256,512] with a test vectors from the Keccak Code Package.
   *
   * NB: The code package's test vectors have length expressed in bits.
   */

  /* Len = 8, Msg = CC */
  const uint8_t keccak_kat_msg8[] = { 0xcc };
  i = crypto_digest256(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_256);
  test_memeq_hex(data, "677035391CD3701293D385F037BA3279"
                       "6252BB7CE180B00B582DD9B20AAAD7F0");
  tt_int_op(i, OP_EQ, 0);
  i = crypto_digest512(data, (const char*)keccak_kat_msg8, 1, DIGEST_SHA3_512);
  test_memeq_hex(data, "3939FCC8B57B63612542DA31A834E5DC"
                       "C36E2EE0F652AC72E02624FA2E5ADEEC"
                       "C7DD6BB3580224B4D6138706FC6E8059"
                       "7B528051230B00621CC2B22999EAA205");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 24, Msg = 1F877C */
  const uint8_t keccak_kat_msg24[] = { 0x1f, 0x87, 0x7c };
Nick Mathewson's avatar
Nick Mathewson committed
835
836
  i = crypto_digest256(data, (const char*)keccak_kat_msg24, 3,
                       DIGEST_SHA3_256);
837
838
839
  test_memeq_hex(data, "BC22345E4BD3F792A341CF18AC0789F1"
                       "C9C966712A501B19D1B6632CCD408EC5");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
840
841
  i = crypto_digest512(data, (const char*)keccak_kat_msg24, 3,
                       DIGEST_SHA3_512);
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
  test_memeq_hex(data, "CB20DCF54955F8091111688BECCEF48C"
                       "1A2F0D0608C3A575163751F002DB30F4"
                       "0F2F671834B22D208591CFAF1F5ECFE4"
                       "3C49863A53B3225BDFD7C6591BA7658B");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1080, Msg = B771D5CEF... ...C35AC81B5 (SHA3-256 rate - 1) */
  const uint8_t keccak_kat_msg1080[] = {
    0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A, 0x93, 0xD1,
    0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A, 0x2E, 0xF0, 0xA8, 0xE8,
    0x4D, 0x91, 0x81, 0x2F, 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE,
    0xF7, 0x32, 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
    0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F, 0x10, 0xDC,
    0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39, 0xA6, 0x77, 0xB9, 0x60,
    0x21, 0x8F, 0x71, 0xE7, 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34,
    0x94, 0x06, 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
    0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89, 0x6B, 0x49,
    0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15, 0xAD, 0x96, 0x7C, 0x71,
    0x2B, 0x24, 0xE5, 0x03, 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C,
    0x12, 0x74, 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
    0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3, 0xB0, 0xFE,
    0xD6, 0xA8, 0x05, 0x2F, 0xBB,
  };
Nick Mathewson's avatar
Nick Mathewson committed
865
866
  i = crypto_digest256(data, (const char*)keccak_kat_msg1080, 135,
                       DIGEST_SHA3_256);
867
868
869
  test_memeq_hex(data, "A19EEE92BB2097B64E823D597798AA18"
                       "BE9B7C736B8059ABFD6779AC35AC81B5");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
870
871
  i = crypto_digest512(data, (const char*)keccak_kat_msg1080, 135,
                       DIGEST_SHA3_512);
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
  test_memeq_hex(data, "7575A1FB4FC9A8F9C0466BD5FCA496D1"
                       "CB78696773A212A5F62D02D14E3259D1"
                       "92A87EBA4407DD83893527331407B6DA"
                       "DAAD920DBC46489B677493CE5F20B595");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1088, Msg = B32D95B0... ...8E380C04 (SHA3-256 rate) */
  const uint8_t keccak_kat_msg1088[] = {
    0xB3, 0x2D, 0x95, 0xB0, 0xB9, 0xAA, 0xD2, 0xA8, 0x81, 0x6D,
    0xE6, 0xD0, 0x6D, 0x1F, 0x86, 0x00, 0x85, 0x05, 0xBD, 0x8C,
    0x14, 0x12, 0x4F, 0x6E, 0x9A, 0x16, 0x3B, 0x5A, 0x2A, 0xDE,
    0x55, 0xF8, 0x35, 0xD0, 0xEC, 0x38, 0x80, 0xEF, 0x50, 0x70,
    0x0D, 0x3B, 0x25, 0xE4, 0x2C, 0xC0, 0xAF, 0x05, 0x0C, 0xCD,
    0x1B, 0xE5, 0xE5, 0x55, 0xB2, 0x30, 0x87, 0xE0, 0x4D, 0x7B,
    0xF9, 0x81, 0x36, 0x22, 0x78, 0x0C, 0x73, 0x13, 0xA1, 0x95,
    0x4F, 0x87, 0x40, 0xB6, 0xEE, 0x2D, 0x3F, 0x71, 0xF7, 0x68,
    0xDD, 0x41, 0x7F, 0x52, 0x04, 0x82, 0xBD, 0x3A, 0x08, 0xD4,
    0xF2, 0x22, 0xB4, 0xEE, 0x9D, 0xBD, 0x01, 0x54, 0x47, 0xB3,
    0x35, 0x07, 0xDD, 0x50, 0xF3, 0xAB, 0x42, 0x47, 0xC5, 0xDE,
    0x9A, 0x8A, 0xBD, 0x62, 0xA8, 0xDE, 0xCE, 0xA0, 0x1E, 0x3B,
    0x87, 0xC8, 0xB9, 0x27, 0xF5, 0xB0, 0x8B, 0xEB, 0x37, 0x67,
    0x4C, 0x6F, 0x8E, 0x38, 0x0C, 0x04,
  };
Nick Mathewson's avatar
Nick Mathewson committed
895
896
  i = crypto_digest256(data, (const char*)keccak_kat_msg1088, 136,
                       DIGEST_SHA3_256);
897
898
899
  test_memeq_hex(data, "DF673F4105379FF6B755EEAB20CEB0DC"
                       "77B5286364FE16C59CC8A907AFF07732");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
900
901
  i = crypto_digest512(data, (const char*)keccak_kat_msg1088, 136,
                       DIGEST_SHA3_512);
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
  test_memeq_hex(data, "2E293765022D48996CE8EFF0BE54E87E"
                       "FB94A14C72DE5ACD10D0EB5ECE029CAD"
                       "FA3BA17A40B2FFA2163991B17786E51C"
                       "ABA79E5E0FFD34CF085E2A098BE8BACB");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1096, Msg = 04410E310... ...601016A0D (SHA3-256 rate + 1) */
  const uint8_t keccak_kat_msg1096[] = {
    0x04, 0x41, 0x0E, 0x31, 0x08, 0x2A, 0x47, 0x58, 0x4B, 0x40,
    0x6F, 0x05, 0x13, 0x98, 0xA6, 0xAB, 0xE7, 0x4E, 0x4D, 0xA5,
    0x9B, 0xB6, 0xF8, 0x5E, 0x6B, 0x49, 0xE8, 0xA1, 0xF7, 0xF2,
    0xCA, 0x00, 0xDF, 0xBA, 0x54, 0x62, 0xC2, 0xCD, 0x2B, 0xFD,
    0xE8, 0xB6, 0x4F, 0xB2, 0x1D, 0x70, 0xC0, 0x83, 0xF1, 0x13,
    0x18, 0xB5, 0x6A, 0x52, 0xD0, 0x3B, 0x81, 0xCA, 0xC5, 0xEE,
    0xC2, 0x9E, 0xB3, 0x1B, 0xD0, 0x07, 0x8B, 0x61, 0x56, 0x78,
    0x6D, 0xA3, 0xD6, 0xD8, 0xC3, 0x30, 0x98, 0xC5, 0xC4, 0x7B,
    0xB6, 0x7A, 0xC6, 0x4D, 0xB1, 0x41, 0x65, 0xAF, 0x65, 0xB4,
    0x45, 0x44, 0xD8, 0x06, 0xDD, 0xE5, 0xF4, 0x87, 0xD5, 0x37,
    0x3C, 0x7F, 0x97, 0x92, 0xC2, 0x99, 0xE9, 0x68, 0x6B, 0x7E,
    0x58, 0x21, 0xE7, 0xC8, 0xE2, 0x45, 0x83, 0x15, 0xB9, 0x96,
    0xB5, 0x67, 0x7D, 0x92, 0x6D, 0xAC, 0x57, 0xB3, 0xF2, 0x2D,
    0xA8, 0x73, 0xC6, 0x01, 0x01, 0x6A, 0x0D,
  };
Nick Mathewson's avatar
Nick Mathewson committed
925
926
  i = crypto_digest256(data, (const char*)keccak_kat_msg1096, 137,
                       DIGEST_SHA3_256);
927
928
929
  test_memeq_hex(data, "D52432CF3B6B4B949AA848E058DCD62D"
                       "735E0177279222E7AC0AF8504762FAA0");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
930
931
  i = crypto_digest512(data, (const char*)keccak_kat_msg1096, 137,
                       DIGEST_SHA3_512);
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
  test_memeq_hex(data, "BE8E14B6757FFE53C9B75F6DDE9A7B6C"
                       "40474041DE83D4A60645A826D7AF1ABE"
                       "1EEFCB7B74B62CA6A514E5F2697D585B"
                       "FECECE12931BBE1D4ED7EBF7B0BE660E");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1144, Msg = EA40E83C...  ...66DFAFEC (SHA3-512 rate *2 - 1) */
  const uint8_t keccak_kat_msg1144[] = {
    0xEA, 0x40, 0xE8, 0x3C, 0xB1, 0x8B, 0x3A, 0x24, 0x2C, 0x1E,
    0xCC, 0x6C, 0xCD, 0x0B, 0x78, 0x53, 0xA4, 0x39, 0xDA, 0xB2,
    0xC5, 0x69, 0xCF, 0xC6, 0xDC, 0x38, 0xA1, 0x9F, 0x5C, 0x90,
    0xAC, 0xBF, 0x76, 0xAE, 0xF9, 0xEA, 0x37, 0x42, 0xFF, 0x3B,
    0x54, 0xEF, 0x7D, 0x36, 0xEB, 0x7C, 0xE4, 0xFF, 0x1C, 0x9A,
    0xB3, 0xBC, 0x11, 0x9C, 0xFF, 0x6B, 0xE9, 0x3C, 0x03, 0xE2,
    0x08, 0x78, 0x33, 0x35, 0xC0, 0xAB, 0x81, 0x37, 0xBE, 0x5B,
    0x10, 0xCD, 0xC6, 0x6F, 0xF3, 0xF8, 0x9A, 0x1B, 0xDD, 0xC6,
    0xA1, 0xEE, 0xD7, 0x4F, 0x50, 0x4C, 0xBE, 0x72, 0x90, 0x69,
    0x0B, 0xB2, 0x95, 0xA8, 0x72, 0xB9, 0xE3, 0xFE, 0x2C, 0xEE,
    0x9E, 0x6C, 0x67, 0xC4, 0x1D, 0xB8, 0xEF, 0xD7, 0xD8, 0x63,
    0xCF, 0x10, 0xF8, 0x40, 0xFE, 0x61, 0x8E, 0x79, 0x36, 0xDA,
    0x3D, 0xCA, 0x5C, 0xA6, 0xDF, 0x93, 0x3F, 0x24, 0xF6, 0x95,
    0x4B, 0xA0, 0x80, 0x1A, 0x12, 0x94, 0xCD, 0x8D, 0x7E, 0x66,
    0xDF, 0xAF, 0xEC,
  };
Nick Mathewson's avatar
Nick Mathewson committed
956
957
  i = crypto_digest512(data, (const char*)keccak_kat_msg1144, 143,
                       DIGEST_SHA3_512);
958
959
960
961
962
  test_memeq_hex(data, "3A8E938C45F3F177991296B24565D9A6"
                       "605516615D96A062C8BE53A0D6C5A648"
                       "7BE35D2A8F3CF6620D0C2DBA2C560D68"
                       "295F284BE7F82F3B92919033C9CE5D80");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
963
964
  i = crypto_digest256(data, (const char*)keccak_kat_msg1144, 143,
                       DIGEST_SHA3_256);
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
  test_memeq_hex(data, "E58A947E98D6DD7E932D2FE02D9992E6"
                       "118C0C2C606BDCDA06E7943D2C95E0E5");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1152, Msg = 157D5B7E... ...79EE00C63 (SHA3-512 rate * 2) */
  const uint8_t keccak_kat_msg1152[] = {
    0x15, 0x7D, 0x5B, 0x7E, 0x45, 0x07, 0xF6, 0x6D, 0x9A, 0x26,
    0x74, 0x76, 0xD3, 0x38, 0x31, 0xE7, 0xBB, 0x76, 0x8D, 0x4D,
    0x04, 0xCC, 0x34, 0x38, 0xDA, 0x12, 0xF9, 0x01, 0x02, 0x63,
    0xEA, 0x5F, 0xCA, 0xFB, 0xDE, 0x25, 0x79, 0xDB, 0x2F, 0x6B,
    0x58, 0xF9, 0x11, 0xD5, 0x93, 0xD5, 0xF7, 0x9F, 0xB0, 0x5F,
    0xE3, 0x59, 0x6E, 0x3F, 0xA8, 0x0F, 0xF2, 0xF7, 0x61, 0xD1,
    0xB0, 0xE5, 0x70, 0x80, 0x05, 0x5C, 0x11, 0x8C, 0x53, 0xE5,
    0x3C, 0xDB, 0x63, 0x05, 0x52, 0x61, 0xD7, 0xC9, 0xB2, 0xB3,
    0x9B, 0xD9, 0x0A, 0xCC, 0x32, 0x52, 0x0C, 0xBB, 0xDB, 0xDA,
    0x2C, 0x4F, 0xD8, 0x85, 0x6D, 0xBC, 0xEE, 0x17, 0x31, 0x32,
    0xA2, 0x67, 0x91, 0x98, 0xDA, 0xF8, 0x30, 0x07, 0xA9, 0xB5,
    0xC5, 0x15, 0x11, 0xAE, 0x49, 0x76, 0x6C, 0x79, 0x2A, 0x29,
    0x52, 0x03, 0x88, 0x44, 0x4E, 0xBE, 0xFE, 0x28, 0x25, 0x6F,
    0xB3, 0x3D, 0x42, 0x60, 0x43, 0x9C, 0xBA, 0x73, 0xA9, 0x47,
    0x9E, 0xE0, 0x0C, 0x63,
  };
Nick Mathewson's avatar
Nick Mathewson committed
987
988
  i = crypto_digest512(data, (const char*)keccak_kat_msg1152, 144,
                       DIGEST_SHA3_512);
989
990
991
992
993
  test_memeq_hex(data, "FE45289874879720CE2A844AE34BB735"
                       "22775DCB6019DCD22B8885994672A088"
                       "9C69E8115C641DC8B83E39F7311815A1"
                       "64DC46E0BA2FCA344D86D4BC2EF2532C");
  tt_int_op(i, OP_EQ, 0);
Nick Mathewson's avatar
Nick Mathewson committed
994
995
  i = crypto_digest256(data, (const char*)keccak_kat_msg1152, 144,
                       DIGEST_SHA3_256);
996
997
998
999
1000
  test_memeq_hex(data, "A936FB9AF87FB67857B3EAD5C76226AD"
                       "84DA47678F3C2FFE5A39FDB5F7E63FFB");
  tt_int_op(i, OP_EQ, 0);

  /* Len = 1160, Msg = 836B34B5... ...11044C53 (SHA3-512 rate * 2 + 1) */