351 lines
16 KiB
Python
351 lines
16 KiB
Python
# ===================================================================
|
|
#
|
|
# Copyright (c) 2015, Legrandin <helderijs@gmail.com>
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in
|
|
# the documentation and/or other materials provided with the
|
|
# distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
# ===================================================================
|
|
|
|
import unittest
|
|
|
|
from Crypto.SelfTest.st_common import list_test_cases
|
|
from Crypto.Util.py3compat import tobytes, b, unhexlify, bchr
|
|
from Crypto.Cipher import AES, DES3
|
|
from Crypto.Hash import SHAKE128
|
|
from Crypto.Util import Counter
|
|
|
|
def get_tag_random(tag, length):
|
|
return SHAKE128.new(data=tobytes(tag)).read(length)
|
|
|
|
class CtrTests(unittest.TestCase):
|
|
|
|
key_128 = get_tag_random("key_128", 16)
|
|
key_192 = get_tag_random("key_192", 24)
|
|
nonce_32 = get_tag_random("nonce_32", 4)
|
|
nonce_64 = get_tag_random("nonce_64", 8)
|
|
ctr_64 = Counter.new(32, prefix=nonce_32)
|
|
ctr_128 = Counter.new(64, prefix=nonce_64)
|
|
|
|
def test_loopback_128(self):
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
pt = get_tag_random("plaintext", 16 * 100)
|
|
ct = cipher.encrypt(pt)
|
|
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
pt2 = cipher.decrypt(ct)
|
|
self.assertEqual(pt, pt2)
|
|
|
|
def test_loopback_64(self):
|
|
cipher = DES3.new(self.key_192, DES3.MODE_CTR, counter=self.ctr_64)
|
|
pt = get_tag_random("plaintext", 8 * 100)
|
|
ct = cipher.encrypt(pt)
|
|
|
|
cipher = DES3.new(self.key_192, DES3.MODE_CTR, counter=self.ctr_64)
|
|
pt2 = cipher.decrypt(ct)
|
|
self.assertEqual(pt, pt2)
|
|
|
|
def test_invalid_counter_parameter(self):
|
|
# Counter object is required for ciphers with short block size
|
|
self.assertRaises(TypeError, DES3.new, self.key_192, AES.MODE_CTR)
|
|
# Positional arguments are not allowed (Counter must be passed as
|
|
# keyword)
|
|
self.assertRaises(TypeError, AES.new, self.key_128, AES.MODE_CTR, self.ctr_128)
|
|
|
|
def test_nonce_attribute(self):
|
|
# Nonce attribute is the prefix passed to Counter (DES3)
|
|
cipher = DES3.new(self.key_192, DES3.MODE_CTR, counter=self.ctr_64)
|
|
self.assertEqual(cipher.nonce, self.nonce_32)
|
|
|
|
# Nonce attribute is the prefix passed to Counter (AES)
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
self.assertEqual(cipher.nonce, self.nonce_64)
|
|
|
|
# Nonce attribute is not defined if suffix is used in Counter
|
|
counter = Counter.new(64, prefix=self.nonce_32, suffix=self.nonce_32)
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
|
|
self.assertFalse(hasattr(cipher, "nonce"))
|
|
|
|
def test_nonce_parameter(self):
|
|
# Nonce parameter becomes nonce attribute
|
|
cipher1 = AES.new(self.key_128, AES.MODE_CTR, nonce=self.nonce_64)
|
|
self.assertEqual(cipher1.nonce, self.nonce_64)
|
|
|
|
counter = Counter.new(64, prefix=self.nonce_64, initial_value=0)
|
|
cipher2 = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher1.nonce, cipher2.nonce)
|
|
|
|
pt = get_tag_random("plaintext", 65536)
|
|
self.assertEqual(cipher1.encrypt(pt), cipher2.encrypt(pt))
|
|
|
|
# Nonce is implicitly created (for AES) when no parameters are passed
|
|
nonce1 = AES.new(self.key_128, AES.MODE_CTR).nonce
|
|
nonce2 = AES.new(self.key_128, AES.MODE_CTR).nonce
|
|
self.assertNotEqual(nonce1, nonce2)
|
|
self.assertEqual(len(nonce1), 8)
|
|
|
|
# Nonce can be zero-length
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, nonce=b(""))
|
|
self.assertEqual(b(""), cipher.nonce)
|
|
|
|
# Nonce and Counter are mutually exclusive
|
|
self.assertRaises(TypeError, AES.new, self.key_128, AES.MODE_CTR,
|
|
counter=self.ctr_128, nonce=self.nonce_64)
|
|
|
|
def test_initial_value_parameter(self):
|
|
# Test with nonce parameter
|
|
cipher1 = AES.new(self.key_128, AES.MODE_CTR,
|
|
nonce=self.nonce_64, initial_value=0xFFFF)
|
|
counter = Counter.new(64, prefix=self.nonce_64, initial_value=0xFFFF)
|
|
cipher2 = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
|
|
pt = get_tag_random("plaintext", 65536)
|
|
self.assertEqual(cipher1.encrypt(pt), cipher2.encrypt(pt))
|
|
|
|
# Test without nonce parameter
|
|
cipher1 = AES.new(self.key_128, AES.MODE_CTR,
|
|
initial_value=0xFFFF)
|
|
counter = Counter.new(64, prefix=cipher1.nonce, initial_value=0xFFFF)
|
|
cipher2 = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
|
|
pt = get_tag_random("plaintext", 65536)
|
|
self.assertEqual(cipher1.encrypt(pt), cipher2.encrypt(pt))
|
|
|
|
# Initial_value and Counter are mutually exclusive
|
|
self.assertRaises(TypeError, AES.new, self.key_128, AES.MODE_CTR,
|
|
counter=self.ctr_128, initial_value=0)
|
|
|
|
def test_iv_with_matching_length(self):
|
|
self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CTR,
|
|
counter=Counter.new(120))
|
|
self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CTR,
|
|
counter=Counter.new(136))
|
|
|
|
def test_block_size_128(self):
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
self.assertEqual(cipher.block_size, AES.block_size)
|
|
|
|
def test_block_size_64(self):
|
|
cipher = DES3.new(self.key_192, DES3.MODE_CTR, counter=self.ctr_64)
|
|
self.assertEqual(cipher.block_size, DES3.block_size)
|
|
|
|
def test_unaligned_data_128(self):
|
|
plaintexts = [ b("7777777") ] * 100
|
|
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
ciphertexts = [ cipher.encrypt(x) for x in plaintexts ]
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
self.assertEqual(b("").join(ciphertexts), cipher.encrypt(b("").join(plaintexts)))
|
|
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
ciphertexts = [ cipher.encrypt(x) for x in plaintexts ]
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
self.assertEqual(b("").join(ciphertexts), cipher.encrypt(b("").join(plaintexts)))
|
|
|
|
def test_unaligned_data_64(self):
|
|
plaintexts = [ b("7777777") ] * 100
|
|
cipher = DES3.new(self.key_192, AES.MODE_CTR, counter=self.ctr_64)
|
|
ciphertexts = [ cipher.encrypt(x) for x in plaintexts ]
|
|
cipher = DES3.new(self.key_192, AES.MODE_CTR, counter=self.ctr_64)
|
|
self.assertEqual(b("").join(ciphertexts), cipher.encrypt(b("").join(plaintexts)))
|
|
|
|
cipher = DES3.new(self.key_192, AES.MODE_CTR, counter=self.ctr_64)
|
|
ciphertexts = [ cipher.encrypt(x) for x in plaintexts ]
|
|
cipher = DES3.new(self.key_192, AES.MODE_CTR, counter=self.ctr_64)
|
|
self.assertEqual(b("").join(ciphertexts), cipher.encrypt(b("").join(plaintexts)))
|
|
|
|
def test_unknown_parameters(self):
|
|
self.assertRaises(TypeError, AES.new, self.key_128, AES.MODE_CTR,
|
|
7, counter=self.ctr_128)
|
|
self.assertRaises(TypeError, AES.new, self.key_128, AES.MODE_CTR,
|
|
counter=self.ctr_128, unknown=7)
|
|
# But some are only known by the base cipher (e.g. use_aesni consumed by the AES module)
|
|
AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128, use_aesni=False)
|
|
|
|
def test_null_encryption_decryption(self):
|
|
for func in "encrypt", "decrypt":
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
result = getattr(cipher, func)(b(""))
|
|
self.assertEqual(result, b(""))
|
|
|
|
def test_either_encrypt_or_decrypt(self):
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
cipher.encrypt(b(""))
|
|
self.assertRaises(TypeError, cipher.decrypt, b(""))
|
|
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=self.ctr_128)
|
|
cipher.decrypt(b(""))
|
|
self.assertRaises(TypeError, cipher.encrypt, b(""))
|
|
|
|
def test_wrap_around(self):
|
|
counter = Counter.new(8, prefix=bchr(9) * 15)
|
|
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
|
|
cipher.encrypt(bchr(9) * 16 * 255)
|
|
self.assertRaises(OverflowError, cipher.encrypt, bchr(9) * 16)
|
|
|
|
cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter)
|
|
cipher.decrypt(bchr(9) * 16 * 255)
|
|
self.assertRaises(OverflowError, cipher.decrypt, bchr(9) * 16)
|
|
|
|
class SP800TestVectors(unittest.TestCase):
|
|
"""Class exercising the CTR test vectors found in Section F.3
|
|
of NIST SP 800-3A"""
|
|
|
|
def test_aes_128(self):
|
|
plaintext = '6bc1bee22e409f96e93d7e117393172a' +\
|
|
'ae2d8a571e03ac9c9eb76fac45af8e51' +\
|
|
'30c81c46a35ce411e5fbc1191a0a52ef' +\
|
|
'f69f2445df4f9b17ad2b417be66c3710'
|
|
ciphertext = '874d6191b620e3261bef6864990db6ce' +\
|
|
'9806f66b7970fdff8617187bb9fffdff' +\
|
|
'5ae4df3edbd5d35e5b4f09020db03eab' +\
|
|
'1e031dda2fbe03d1792170a0f3009cee'
|
|
key = '2b7e151628aed2a6abf7158809cf4f3c'
|
|
counter = Counter.new(nbits=16,
|
|
prefix=unhexlify('f0f1f2f3f4f5f6f7f8f9fafbfcfd'),
|
|
initial_value=0xfeff)
|
|
|
|
key = unhexlify(key)
|
|
plaintext = unhexlify(plaintext)
|
|
ciphertext = unhexlify(ciphertext)
|
|
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher.encrypt(plaintext), ciphertext)
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher.decrypt(ciphertext), plaintext)
|
|
|
|
def test_aes_192(self):
|
|
plaintext = '6bc1bee22e409f96e93d7e117393172a' +\
|
|
'ae2d8a571e03ac9c9eb76fac45af8e51' +\
|
|
'30c81c46a35ce411e5fbc1191a0a52ef' +\
|
|
'f69f2445df4f9b17ad2b417be66c3710'
|
|
ciphertext = '1abc932417521ca24f2b0459fe7e6e0b' +\
|
|
'090339ec0aa6faefd5ccc2c6f4ce8e94' +\
|
|
'1e36b26bd1ebc670d1bd1d665620abf7' +\
|
|
'4f78a7f6d29809585a97daec58c6b050'
|
|
key = '8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b'
|
|
counter = Counter.new(nbits=16,
|
|
prefix=unhexlify('f0f1f2f3f4f5f6f7f8f9fafbfcfd'),
|
|
initial_value=0xfeff)
|
|
|
|
key = unhexlify(key)
|
|
plaintext = unhexlify(plaintext)
|
|
ciphertext = unhexlify(ciphertext)
|
|
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher.encrypt(plaintext), ciphertext)
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher.decrypt(ciphertext), plaintext)
|
|
|
|
def test_aes_256(self):
|
|
plaintext = '6bc1bee22e409f96e93d7e117393172a' +\
|
|
'ae2d8a571e03ac9c9eb76fac45af8e51' +\
|
|
'30c81c46a35ce411e5fbc1191a0a52ef' +\
|
|
'f69f2445df4f9b17ad2b417be66c3710'
|
|
ciphertext = '601ec313775789a5b7a7f504bbf3d228' +\
|
|
'f443e3ca4d62b59aca84e990cacaf5c5' +\
|
|
'2b0930daa23de94ce87017ba2d84988d' +\
|
|
'dfc9c58db67aada613c2dd08457941a6'
|
|
key = '603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4'
|
|
counter = Counter.new(nbits=16,
|
|
prefix=unhexlify('f0f1f2f3f4f5f6f7f8f9fafbfcfd'),
|
|
initial_value=0xfeff)
|
|
key = unhexlify(key)
|
|
plaintext = unhexlify(plaintext)
|
|
ciphertext = unhexlify(ciphertext)
|
|
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher.encrypt(plaintext), ciphertext)
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
self.assertEqual(cipher.decrypt(ciphertext), plaintext)
|
|
|
|
|
|
class RFC3686TestVectors(unittest.TestCase):
|
|
|
|
# Each item is a test vector with:
|
|
# - plaintext
|
|
# - ciphertext
|
|
# - key (AES 128, 192 or 256 bits)
|
|
# - counter prefix
|
|
data = (
|
|
('53696e676c6520626c6f636b206d7367',
|
|
'e4095d4fb7a7b3792d6175a3261311b8',
|
|
'ae6852f8121067cc4bf7a5765577f39e',
|
|
'00000030'+'0000000000000000'),
|
|
('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f',
|
|
'5104a106168a72d9790d41ee8edad388eb2e1efc46da57c8fce630df9141be28',
|
|
'7e24067817fae0d743d6ce1f32539163',
|
|
'006cb6dbc0543b59da48d90b'),
|
|
('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223',
|
|
'c1cf48a89f2ffdd9cf4652e9efdb72d74540a42bde6d7836d59a5ceaaef3105325b2072f',
|
|
'7691be035e5020a8ac6e618529f9a0dc',
|
|
'00e0017b27777f3f4a1786f0'),
|
|
('53696e676c6520626c6f636b206d7367',
|
|
'4b55384fe259c9c84e7935a003cbe928',
|
|
'16af5b145fc9f579c175f93e3bfb0eed863d06ccfdb78515',
|
|
'0000004836733c147d6d93cb'),
|
|
('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f',
|
|
'453243fc609b23327edfaafa7131cd9f8490701c5ad4a79cfc1fe0ff42f4fb00',
|
|
'7c5cb2401b3dc33c19e7340819e0f69c678c3db8e6f6a91a',
|
|
'0096b03b020c6eadc2cb500d'),
|
|
('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223',
|
|
'96893fc55e5c722f540b7dd1ddf7e758d288bc95c69165884536c811662f2188abee0935',
|
|
'02bf391ee8ecb159b959617b0965279bf59b60a786d3e0fe',
|
|
'0007bdfd5cbd60278dcc0912'),
|
|
('53696e676c6520626c6f636b206d7367',
|
|
'145ad01dbf824ec7560863dc71e3e0c0',
|
|
'776beff2851db06f4c8a0542c8696f6c6a81af1eec96b4d37fc1d689e6c1c104',
|
|
'00000060db5672c97aa8f0b2'),
|
|
('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f',
|
|
'f05e231b3894612c49ee000b804eb2a9b8306b508f839d6a5530831d9344af1c',
|
|
'f6d66d6bd52d59bb0796365879eff886c66dd51a5b6a99744b50590c87a23884',
|
|
'00faac24c1585ef15a43d875'),
|
|
('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223',
|
|
'eb6c52821d0bbbf7ce7594462aca4faab407df866569fd07f48cc0b583d6071f1ec0e6b8',
|
|
'ff7a617ce69148e4f1726e2f43581de2aa62d9f805532edff1eed687fb54153d',
|
|
'001cc5b751a51d70a1c11148')
|
|
)
|
|
|
|
bindata = []
|
|
for tv in data:
|
|
bindata.append([unhexlify(x) for x in tv])
|
|
|
|
def runTest(self):
|
|
for pt, ct, key, prefix in self.bindata:
|
|
counter = Counter.new(32, prefix=prefix)
|
|
cipher = AES.new(key, AES.MODE_CTR, counter=counter)
|
|
result = cipher.encrypt(pt)
|
|
self.assertEqual(ct, result)
|
|
|
|
|
|
def get_tests(config={}):
|
|
tests = []
|
|
tests += list_test_cases(CtrTests)
|
|
tests += list_test_cases(SP800TestVectors)
|
|
tests += [ RFC3686TestVectors() ]
|
|
return tests
|
|
|
|
|
|
if __name__ == '__main__':
|
|
suite = lambda: unittest.TestSuite(get_tests())
|
|
unittest.main(defaultTest='suite')
|