| # This file is dual licensed under the terms of the Apache License, Version |
| # 2.0, and the BSD License. See the LICENSE file in the root of this repository |
| # for complete details. |
| |
| from __future__ import absolute_import, division, print_function |
| |
| import binascii |
| import os |
| |
| import pytest |
| |
| from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm, _Reasons |
| from cryptography.hazmat.backends.interfaces import CipherBackend |
| from cryptography.hazmat.primitives.ciphers.aead import ( |
| AESCCM, AESGCM, ChaCha20Poly1305 |
| ) |
| |
| from .utils import _load_all_params |
| from ...utils import ( |
| load_nist_ccm_vectors, load_nist_vectors, load_vectors_from_file, |
| raises_unsupported_algorithm |
| ) |
| |
| |
| class FakeData(object): |
| def __len__(self): |
| return 2 ** 32 + 1 |
| |
| |
| def _aead_supported(cls): |
| try: |
| cls(b"0" * 32) |
| return True |
| except UnsupportedAlgorithm: |
| return False |
| |
| |
| @pytest.mark.skipif( |
| _aead_supported(ChaCha20Poly1305), |
| reason="Requires OpenSSL without ChaCha20Poly1305 support" |
| ) |
| @pytest.mark.requires_backend_interface(interface=CipherBackend) |
| def test_chacha20poly1305_unsupported_on_older_openssl(backend): |
| with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): |
| ChaCha20Poly1305(ChaCha20Poly1305.generate_key()) |
| |
| |
| @pytest.mark.skipif( |
| not _aead_supported(ChaCha20Poly1305), |
| reason="Does not support ChaCha20Poly1305" |
| ) |
| @pytest.mark.requires_backend_interface(interface=CipherBackend) |
| class TestChaCha20Poly1305(object): |
| def test_data_too_large(self): |
| key = ChaCha20Poly1305.generate_key() |
| chacha = ChaCha20Poly1305(key) |
| nonce = b"0" * 12 |
| |
| with pytest.raises(OverflowError): |
| chacha.encrypt(nonce, FakeData(), b"") |
| |
| with pytest.raises(OverflowError): |
| chacha.encrypt(nonce, b"", FakeData()) |
| |
| def test_generate_key(self): |
| key = ChaCha20Poly1305.generate_key() |
| assert len(key) == 32 |
| |
| def test_bad_key(self, backend): |
| with pytest.raises(TypeError): |
| ChaCha20Poly1305(object()) |
| |
| with pytest.raises(ValueError): |
| ChaCha20Poly1305(b"0" * 31) |
| |
| @pytest.mark.parametrize( |
| ("nonce", "data", "associated_data"), |
| [ |
| [object(), b"data", b""], |
| [b"0" * 12, object(), b""], |
| [b"0" * 12, b"data", object()] |
| ] |
| ) |
| def test_params_not_bytes_encrypt(self, nonce, data, associated_data, |
| backend): |
| key = ChaCha20Poly1305.generate_key() |
| chacha = ChaCha20Poly1305(key) |
| with pytest.raises(TypeError): |
| chacha.encrypt(nonce, data, associated_data) |
| |
| with pytest.raises(TypeError): |
| chacha.decrypt(nonce, data, associated_data) |
| |
| def test_nonce_not_12_bytes(self, backend): |
| key = ChaCha20Poly1305.generate_key() |
| chacha = ChaCha20Poly1305(key) |
| with pytest.raises(ValueError): |
| chacha.encrypt(b"00", b"hello", b"") |
| |
| with pytest.raises(ValueError): |
| chacha.decrypt(b"00", b"hello", b"") |
| |
| def test_decrypt_data_too_short(self, backend): |
| key = ChaCha20Poly1305.generate_key() |
| chacha = ChaCha20Poly1305(key) |
| with pytest.raises(InvalidTag): |
| chacha.decrypt(b"0" * 12, b"0", None) |
| |
| def test_associated_data_none_equal_to_empty_bytestring(self, backend): |
| key = ChaCha20Poly1305.generate_key() |
| chacha = ChaCha20Poly1305(key) |
| nonce = os.urandom(12) |
| ct1 = chacha.encrypt(nonce, b"some_data", None) |
| ct2 = chacha.encrypt(nonce, b"some_data", b"") |
| assert ct1 == ct2 |
| pt1 = chacha.decrypt(nonce, ct1, None) |
| pt2 = chacha.decrypt(nonce, ct2, b"") |
| assert pt1 == pt2 |
| |
| @pytest.mark.parametrize( |
| "vector", |
| load_vectors_from_file( |
| os.path.join("ciphers", "ChaCha20Poly1305", "openssl.txt"), |
| load_nist_vectors |
| ) |
| ) |
| def test_openssl_vectors(self, vector, backend): |
| key = binascii.unhexlify(vector["key"]) |
| nonce = binascii.unhexlify(vector["iv"]) |
| aad = binascii.unhexlify(vector["aad"]) |
| tag = binascii.unhexlify(vector["tag"]) |
| pt = binascii.unhexlify(vector["plaintext"]) |
| ct = binascii.unhexlify(vector["ciphertext"]) |
| chacha = ChaCha20Poly1305(key) |
| if vector.get("result") == b"CIPHERFINAL_ERROR": |
| with pytest.raises(InvalidTag): |
| chacha.decrypt(nonce, ct + tag, aad) |
| else: |
| computed_pt = chacha.decrypt(nonce, ct + tag, aad) |
| assert computed_pt == pt |
| computed_ct = chacha.encrypt(nonce, pt, aad) |
| assert computed_ct == ct + tag |
| |
| @pytest.mark.parametrize( |
| "vector", |
| load_vectors_from_file( |
| os.path.join("ciphers", "ChaCha20Poly1305", "boringssl.txt"), |
| load_nist_vectors |
| ) |
| ) |
| def test_boringssl_vectors(self, vector, backend): |
| key = binascii.unhexlify(vector["key"]) |
| nonce = binascii.unhexlify(vector["nonce"]) |
| if vector["ad"].startswith(b'"'): |
| aad = vector["ad"][1:-1] |
| else: |
| aad = binascii.unhexlify(vector["ad"]) |
| tag = binascii.unhexlify(vector["tag"]) |
| if vector["in"].startswith(b'"'): |
| pt = vector["in"][1:-1] |
| else: |
| pt = binascii.unhexlify(vector["in"]) |
| ct = binascii.unhexlify(vector["ct"].strip(b'"')) |
| chacha = ChaCha20Poly1305(key) |
| computed_pt = chacha.decrypt(nonce, ct + tag, aad) |
| assert computed_pt == pt |
| computed_ct = chacha.encrypt(nonce, pt, aad) |
| assert computed_ct == ct + tag |
| |
| def test_buffer_protocol(self, backend): |
| key = ChaCha20Poly1305.generate_key() |
| chacha = ChaCha20Poly1305(key) |
| pt = b"encrypt me" |
| ad = b"additional" |
| nonce = os.urandom(12) |
| ct = chacha.encrypt(nonce, pt, ad) |
| computed_pt = chacha.decrypt(nonce, ct, ad) |
| assert computed_pt == pt |
| chacha2 = ChaCha20Poly1305(bytearray(key)) |
| ct2 = chacha2.encrypt(bytearray(nonce), pt, ad) |
| assert ct2 == ct |
| computed_pt2 = chacha2.decrypt(bytearray(nonce), ct2, ad) |
| assert computed_pt2 == pt |
| |
| |
| @pytest.mark.skipif( |
| _aead_supported(AESCCM), |
| reason="Requires OpenSSL without AES-CCM support" |
| ) |
| @pytest.mark.requires_backend_interface(interface=CipherBackend) |
| def test_aesccm_unsupported_on_older_openssl(backend): |
| with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): |
| AESCCM(AESCCM.generate_key(128)) |
| |
| |
| @pytest.mark.skipif( |
| not _aead_supported(AESCCM), |
| reason="Does not support AESCCM" |
| ) |
| @pytest.mark.requires_backend_interface(interface=CipherBackend) |
| class TestAESCCM(object): |
| def test_data_too_large(self): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| nonce = b"0" * 12 |
| |
| with pytest.raises(OverflowError): |
| aesccm.encrypt(nonce, FakeData(), b"") |
| |
| with pytest.raises(OverflowError): |
| aesccm.encrypt(nonce, b"", FakeData()) |
| |
| def test_default_tag_length(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| nonce = os.urandom(12) |
| pt = b"hello" |
| ct = aesccm.encrypt(nonce, pt, None) |
| assert len(ct) == len(pt) + 16 |
| |
| def test_invalid_tag_length(self, backend): |
| key = AESCCM.generate_key(128) |
| with pytest.raises(ValueError): |
| AESCCM(key, tag_length=7) |
| |
| with pytest.raises(ValueError): |
| AESCCM(key, tag_length=2) |
| |
| with pytest.raises(TypeError): |
| AESCCM(key, tag_length="notanint") |
| |
| def test_invalid_nonce_length(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| pt = b"hello" |
| nonce = os.urandom(14) |
| with pytest.raises(ValueError): |
| aesccm.encrypt(nonce, pt, None) |
| |
| with pytest.raises(ValueError): |
| aesccm.encrypt(nonce[:6], pt, None) |
| |
| @pytest.mark.parametrize( |
| "vector", |
| _load_all_params( |
| os.path.join("ciphers", "AES", "CCM"), |
| [ |
| "DVPT128.rsp", "DVPT192.rsp", "DVPT256.rsp", |
| "VADT128.rsp", "VADT192.rsp", "VADT256.rsp", |
| "VNT128.rsp", "VNT192.rsp", "VNT256.rsp", |
| "VPT128.rsp", "VPT192.rsp", "VPT256.rsp", |
| ], |
| load_nist_ccm_vectors |
| ) |
| ) |
| def test_vectors(self, vector, backend): |
| key = binascii.unhexlify(vector["key"]) |
| nonce = binascii.unhexlify(vector["nonce"]) |
| adata = binascii.unhexlify(vector["adata"])[:vector["alen"]] |
| ct = binascii.unhexlify(vector["ct"]) |
| pt = binascii.unhexlify(vector["payload"])[:vector["plen"]] |
| aesccm = AESCCM(key, vector["tlen"]) |
| if vector.get('fail'): |
| with pytest.raises(InvalidTag): |
| aesccm.decrypt(nonce, ct, adata) |
| else: |
| computed_pt = aesccm.decrypt(nonce, ct, adata) |
| assert computed_pt == pt |
| assert aesccm.encrypt(nonce, pt, adata) == ct |
| |
| def test_roundtrip(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| pt = b"encrypt me" |
| ad = b"additional" |
| nonce = os.urandom(12) |
| ct = aesccm.encrypt(nonce, pt, ad) |
| computed_pt = aesccm.decrypt(nonce, ct, ad) |
| assert computed_pt == pt |
| |
| def test_nonce_too_long(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| pt = b"encrypt me" * 6600 |
| # pt can be no more than 65536 bytes when nonce is 13 bytes |
| nonce = os.urandom(13) |
| with pytest.raises(ValueError): |
| aesccm.encrypt(nonce, pt, None) |
| |
| @pytest.mark.parametrize( |
| ("nonce", "data", "associated_data"), |
| [ |
| [object(), b"data", b""], |
| [b"0" * 12, object(), b""], |
| [b"0" * 12, b"data", object()], |
| ] |
| ) |
| def test_params_not_bytes(self, nonce, data, associated_data, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| with pytest.raises(TypeError): |
| aesccm.encrypt(nonce, data, associated_data) |
| |
| def test_bad_key(self, backend): |
| with pytest.raises(TypeError): |
| AESCCM(object()) |
| |
| with pytest.raises(ValueError): |
| AESCCM(b"0" * 31) |
| |
| def test_bad_generate_key(self, backend): |
| with pytest.raises(TypeError): |
| AESCCM.generate_key(object()) |
| |
| with pytest.raises(ValueError): |
| AESCCM.generate_key(129) |
| |
| def test_associated_data_none_equal_to_empty_bytestring(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| nonce = os.urandom(12) |
| ct1 = aesccm.encrypt(nonce, b"some_data", None) |
| ct2 = aesccm.encrypt(nonce, b"some_data", b"") |
| assert ct1 == ct2 |
| pt1 = aesccm.decrypt(nonce, ct1, None) |
| pt2 = aesccm.decrypt(nonce, ct2, b"") |
| assert pt1 == pt2 |
| |
| def test_decrypt_data_too_short(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| with pytest.raises(InvalidTag): |
| aesccm.decrypt(b"0" * 12, b"0", None) |
| |
| def test_buffer_protocol(self, backend): |
| key = AESCCM.generate_key(128) |
| aesccm = AESCCM(key) |
| pt = b"encrypt me" |
| ad = b"additional" |
| nonce = os.urandom(12) |
| ct = aesccm.encrypt(nonce, pt, ad) |
| computed_pt = aesccm.decrypt(nonce, ct, ad) |
| assert computed_pt == pt |
| aesccm2 = AESCCM(bytearray(key)) |
| ct2 = aesccm2.encrypt(bytearray(nonce), pt, ad) |
| assert ct2 == ct |
| computed_pt2 = aesccm2.decrypt(bytearray(nonce), ct2, ad) |
| assert computed_pt2 == pt |
| |
| |
| def _load_gcm_vectors(): |
| vectors = _load_all_params( |
| os.path.join("ciphers", "AES", "GCM"), |
| [ |
| "gcmDecrypt128.rsp", |
| "gcmDecrypt192.rsp", |
| "gcmDecrypt256.rsp", |
| "gcmEncryptExtIV128.rsp", |
| "gcmEncryptExtIV192.rsp", |
| "gcmEncryptExtIV256.rsp", |
| ], |
| load_nist_vectors |
| ) |
| return [x for x in vectors if len(x["tag"]) == 32] |
| |
| |
| @pytest.mark.requires_backend_interface(interface=CipherBackend) |
| class TestAESGCM(object): |
| def test_data_too_large(self): |
| key = AESGCM.generate_key(128) |
| aesgcm = AESGCM(key) |
| nonce = b"0" * 12 |
| |
| with pytest.raises(OverflowError): |
| aesgcm.encrypt(nonce, FakeData(), b"") |
| |
| with pytest.raises(OverflowError): |
| aesgcm.encrypt(nonce, b"", FakeData()) |
| |
| @pytest.mark.parametrize("vector", _load_gcm_vectors()) |
| def test_vectors(self, vector): |
| key = binascii.unhexlify(vector["key"]) |
| nonce = binascii.unhexlify(vector["iv"]) |
| aad = binascii.unhexlify(vector["aad"]) |
| ct = binascii.unhexlify(vector["ct"]) |
| pt = binascii.unhexlify(vector.get("pt", b"")) |
| tag = binascii.unhexlify(vector["tag"]) |
| aesgcm = AESGCM(key) |
| if vector.get("fail") is True: |
| with pytest.raises(InvalidTag): |
| aesgcm.decrypt(nonce, ct + tag, aad) |
| else: |
| computed_ct = aesgcm.encrypt(nonce, pt, aad) |
| assert computed_ct[:-16] == ct |
| assert computed_ct[-16:] == tag |
| computed_pt = aesgcm.decrypt(nonce, ct + tag, aad) |
| assert computed_pt == pt |
| |
| @pytest.mark.parametrize( |
| ("nonce", "data", "associated_data"), |
| [ |
| [object(), b"data", b""], |
| [b"0" * 12, object(), b""], |
| [b"0" * 12, b"data", object()] |
| ] |
| ) |
| def test_params_not_bytes(self, nonce, data, associated_data, backend): |
| key = AESGCM.generate_key(128) |
| aesgcm = AESGCM(key) |
| with pytest.raises(TypeError): |
| aesgcm.encrypt(nonce, data, associated_data) |
| |
| with pytest.raises(TypeError): |
| aesgcm.decrypt(nonce, data, associated_data) |
| |
| def test_invalid_nonce_length(self, backend): |
| key = AESGCM.generate_key(128) |
| aesgcm = AESGCM(key) |
| with pytest.raises(ValueError): |
| aesgcm.encrypt(b"", b"hi", None) |
| |
| def test_bad_key(self, backend): |
| with pytest.raises(TypeError): |
| AESGCM(object()) |
| |
| with pytest.raises(ValueError): |
| AESGCM(b"0" * 31) |
| |
| def test_bad_generate_key(self, backend): |
| with pytest.raises(TypeError): |
| AESGCM.generate_key(object()) |
| |
| with pytest.raises(ValueError): |
| AESGCM.generate_key(129) |
| |
| def test_associated_data_none_equal_to_empty_bytestring(self, backend): |
| key = AESGCM.generate_key(128) |
| aesgcm = AESGCM(key) |
| nonce = os.urandom(12) |
| ct1 = aesgcm.encrypt(nonce, b"some_data", None) |
| ct2 = aesgcm.encrypt(nonce, b"some_data", b"") |
| assert ct1 == ct2 |
| pt1 = aesgcm.decrypt(nonce, ct1, None) |
| pt2 = aesgcm.decrypt(nonce, ct2, b"") |
| assert pt1 == pt2 |
| |
| def test_buffer_protocol(self, backend): |
| key = AESGCM.generate_key(128) |
| aesgcm = AESGCM(key) |
| pt = b"encrypt me" |
| ad = b"additional" |
| nonce = os.urandom(12) |
| ct = aesgcm.encrypt(nonce, pt, ad) |
| computed_pt = aesgcm.decrypt(nonce, ct, ad) |
| assert computed_pt == pt |
| aesgcm2 = AESGCM(bytearray(key)) |
| ct2 = aesgcm2.encrypt(bytearray(nonce), pt, ad) |
| assert ct2 == ct |
| computed_pt2 = aesgcm2.decrypt(bytearray(nonce), ct2, ad) |
| assert computed_pt2 == pt |
