使用 cryptopp 生成 SHA3 哈希的行为不正确
Incorrect behaviour generating SHA3 hash with cryptopp
我发现在 RHEL7 和 Debian9 上使用 cryptopp 生成 SHA3 哈希的行为存在非常奇怪的差异。
如果我改用 SHA1 或 MD5 哈希,则两个平台上的输出是相同的。
我已将其缩减为以下最小程序:
#include <iostream>
#include <cryptopp/sha3.h>
#include <cryptopp/filters.h>
#include <cryptopp/hex.h>
using namespace CryptoPP;
int main(int argc, const char* argv[])
{
{
CryptoPP::SHA3_256 sha256;
std::string hash = "";
StringSource("", true, new HashFilter(sha256, new HexEncoder(new StringSink(hash))));
std::cout << "hash='" << hash << "'\n";
}
{
CryptoPP::SHA3_256 sha256;
std::string hash = "";
StringSource("{}", true, new HashFilter(sha256, new HexEncoder(new StringSink(hash))));
std::cout << "hash='" << hash << "'\n";
}
}
在 Debian 上输出是:
hash='A7FFC6F8BF1ED76651C14756A061D662F580FF4DE43B49FA82D80A4B80F8434A'
hash='840EB7AA2A9935DE63366BACBE9D97E978A859E93DC792A0334DE60ED52F8E99'
根据 https://emn178.github.io/online-tools/sha3_256.html
处的在线转换器,这是正确的
但是在 RHEL7 上输出很奇怪:
hash='C5D2460186F7233C927E7DB2DCC703C0E500B653CA82273B7BFAD8045D85A470'
hash='B48D38F93EAA084033FC5970BF96E559C33C4CDC07D889AB00B4D63F9590739D'
所以要么我做错了什么,要么库中有错误或安装错误。
我是在滥用 libcrytopp 吗?像缺少 MessageEnd()?
在 RHEL7 上:
>ldd ./hashtest
linux-vdso.so.1 => (0x00007ffecd1b1000)
libcryptopp.so.6 => /lib64/libcryptopp.so.6 (0x00007f71c3707000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f71c3400000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f71c31ea000)
libc.so.6 => /lib64/libc.so.6 (0x00007f71c2e1d000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f71c2c01000)
libm.so.6 => /lib64/libm.so.6 (0x00007f71c28ff000)
/lib64/ld-linux-x86-64.so.2 (0x00007f71c3e2e000)
>file /lib64/libcryptopp.so.6.0.0
/lib64/libcryptopp.so.6.0.0: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=4a0941023c6e957077cb555536a509a0ef93bf04, stripped
在 Debian 上:
>ldd ./hashtest
linux-vdso.so.1 (0x00007ffedc5e6000)
libcrypto++.so.6 => /usr/lib/x86_64-linux-gnu/libcrypto++.so.6 (0x00007f1d3b79a000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1d3b418000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1d3b201000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1d3ae62000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1d3ac45000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1d3a941000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1d3bf35000)
>file /usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0
/usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=5c6cb06479005d2ebfa40c75e5489c915d314b70, stripped
这两个平台似乎都是 v6.0.0 但是:
>apt-cache show crypto++
[snip]
Package: libcrypto++-dev
Source: libcrypto++
Version: 5.6.4-7
>yum info --enablerepo=epel cryptopp
Installed Packages
Name : cryptopp
Arch : x86_64
Version : 5.6.2
Release : 10.el7
Size : 5.2 M
Repo : installed
From repo : epel
Summary : C++ class library of cryptographic schemes
URL : http://www.cryptopp.com/
Licence : Boost
Description : Crypto++ Library is a free C++ class library of cryptographic schemes.
: See http://www.cryptopp.com/ for a list of supported algorithms.
:
: One purpose of Crypto++ is to act as a repository of public domain
: (not copyrighted) source code. Although the library is copyrighted as a
: compilation, the individual files in it are in the public domain.
您需要让您的 RHEL box 至少达到 cryptopp 版本 5.6.4,因为那是 "real" SHA3 实现的来源。在 5.6.4 之前,该实现使用由指定的原始填充方案"Keccak" 提案被选为 SHA3 的基础,而不是已批准的 SHA3 标准中定义的修改后的填充方案。
有关 5.6.4 中更改的通知,请参阅 https://github.com/weidai11/cryptopp/issues/158 for background, and the release comments at the bottom of https://github.com/weidai11/cryptopp。
我发现在 RHEL7 和 Debian9 上使用 cryptopp 生成 SHA3 哈希的行为存在非常奇怪的差异。 如果我改用 SHA1 或 MD5 哈希,则两个平台上的输出是相同的。 我已将其缩减为以下最小程序:
#include <iostream>
#include <cryptopp/sha3.h>
#include <cryptopp/filters.h>
#include <cryptopp/hex.h>
using namespace CryptoPP;
int main(int argc, const char* argv[])
{
{
CryptoPP::SHA3_256 sha256;
std::string hash = "";
StringSource("", true, new HashFilter(sha256, new HexEncoder(new StringSink(hash))));
std::cout << "hash='" << hash << "'\n";
}
{
CryptoPP::SHA3_256 sha256;
std::string hash = "";
StringSource("{}", true, new HashFilter(sha256, new HexEncoder(new StringSink(hash))));
std::cout << "hash='" << hash << "'\n";
}
}
在 Debian 上输出是:
hash='A7FFC6F8BF1ED76651C14756A061D662F580FF4DE43B49FA82D80A4B80F8434A'
hash='840EB7AA2A9935DE63366BACBE9D97E978A859E93DC792A0334DE60ED52F8E99'
根据 https://emn178.github.io/online-tools/sha3_256.html
处的在线转换器,这是正确的但是在 RHEL7 上输出很奇怪:
hash='C5D2460186F7233C927E7DB2DCC703C0E500B653CA82273B7BFAD8045D85A470'
hash='B48D38F93EAA084033FC5970BF96E559C33C4CDC07D889AB00B4D63F9590739D'
所以要么我做错了什么,要么库中有错误或安装错误。
我是在滥用 libcrytopp 吗?像缺少 MessageEnd()?
在 RHEL7 上:
>ldd ./hashtest
linux-vdso.so.1 => (0x00007ffecd1b1000)
libcryptopp.so.6 => /lib64/libcryptopp.so.6 (0x00007f71c3707000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f71c3400000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f71c31ea000)
libc.so.6 => /lib64/libc.so.6 (0x00007f71c2e1d000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f71c2c01000)
libm.so.6 => /lib64/libm.so.6 (0x00007f71c28ff000)
/lib64/ld-linux-x86-64.so.2 (0x00007f71c3e2e000)
>file /lib64/libcryptopp.so.6.0.0
/lib64/libcryptopp.so.6.0.0: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=4a0941023c6e957077cb555536a509a0ef93bf04, stripped
在 Debian 上:
>ldd ./hashtest
linux-vdso.so.1 (0x00007ffedc5e6000)
libcrypto++.so.6 => /usr/lib/x86_64-linux-gnu/libcrypto++.so.6 (0x00007f1d3b79a000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1d3b418000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1d3b201000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1d3ae62000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1d3ac45000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1d3a941000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1d3bf35000)
>file /usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0
/usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=5c6cb06479005d2ebfa40c75e5489c915d314b70, stripped
这两个平台似乎都是 v6.0.0 但是:
>apt-cache show crypto++
[snip]
Package: libcrypto++-dev
Source: libcrypto++
Version: 5.6.4-7
>yum info --enablerepo=epel cryptopp
Installed Packages
Name : cryptopp
Arch : x86_64
Version : 5.6.2
Release : 10.el7
Size : 5.2 M
Repo : installed
From repo : epel
Summary : C++ class library of cryptographic schemes
URL : http://www.cryptopp.com/
Licence : Boost
Description : Crypto++ Library is a free C++ class library of cryptographic schemes.
: See http://www.cryptopp.com/ for a list of supported algorithms.
:
: One purpose of Crypto++ is to act as a repository of public domain
: (not copyrighted) source code. Although the library is copyrighted as a
: compilation, the individual files in it are in the public domain.
您需要让您的 RHEL box 至少达到 cryptopp 版本 5.6.4,因为那是 "real" SHA3 实现的来源。在 5.6.4 之前,该实现使用由指定的原始填充方案"Keccak" 提案被选为 SHA3 的基础,而不是已批准的 SHA3 标准中定义的修改后的填充方案。
有关 5.6.4 中更改的通知,请参阅 https://github.com/weidai11/cryptopp/issues/158 for background, and the release comments at the bottom of https://github.com/weidai11/cryptopp。