From 22e80cb96e034679750a38702aaa55e30da05f69 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 20 Nov 2013 21:27:00 -0600 Subject: GCM support --- tests/hazmat/primitives/utils.py | 105 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 103 insertions(+), 2 deletions(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 6c67ddb3..839ff822 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -4,9 +4,11 @@ import os import pytest from cryptography.hazmat.bindings import _ALL_BACKENDS -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives import hmac +from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher +from cryptography.exceptions import ( + AlreadyFinalized, NotFinalized, +) from ...utils import load_vectors_from_file @@ -54,6 +56,72 @@ def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, assert actual_plaintext == binascii.unhexlify(plaintext) +def generate_aead_test(param_loader, path, file_names, cipher_factory, + mode_factory, only_if, skip_message): + def test_aead(self): + for backend in _ALL_BACKENDS: + for file_name in file_names: + for params in load_vectors_from_file( + os.path.join(path, file_name), + param_loader + ): + yield ( + aead_test, + backend, + cipher_factory, + mode_factory, + params, + only_if, + skip_message + ) + return test_aead + + +def aead_test(backend, cipher_factory, mode_factory, params, only_if, + skip_message): + if not only_if(backend): + pytest.skip(skip_message) + if params.get("pt") is not None: + plaintext = params.pop("pt") + ciphertext = params.pop("ct") + aad = params.pop("aad") + if params.get("fail") is True: + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), + binascii.unhexlify(params["tag"])), + backend + ) + decryptor = cipher.decryptor() + decryptor.add_data(binascii.unhexlify(aad)) + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + with pytest.raises(AssertionError): + decryptor.finalize() + else: + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), None), + backend + ) + encryptor = cipher.encryptor() + encryptor.add_data(binascii.unhexlify(aad)) + actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) + actual_ciphertext += encryptor.finalize() + tag_len = len(params["tag"]) + assert binascii.hexlify(encryptor.tag)[:tag_len] == params["tag"] + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), + binascii.unhexlify(params["tag"])), + backend + ) + decryptor = cipher.decryptor() + decryptor.add_data(binascii.unhexlify(aad)) + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + actual_plaintext += decryptor.finalize() + assert actual_plaintext == binascii.unhexlify(plaintext) + + def generate_stream_encryption_test(param_loader, path, file_names, cipher_factory, only_if=None, skip_message=None): @@ -237,3 +305,36 @@ def base_hmac_test(backend, algorithm, only_if, skip_message): h_copy = h.copy() assert h != h_copy assert h._ctx != h_copy._ctx + + +def generate_aead_use_after_finalize_test(cipher_factory, mode_factory, + only_if, skip_message): + def test_aead_use_after_finalize(self): + for backend in _ALL_BACKENDS: + yield ( + aead_use_after_finalize_test, + backend, + cipher_factory, + mode_factory, + only_if, + skip_message + ) + return test_aead_use_after_finalize + + +def aead_use_after_finalize_test(backend, cipher_factory, mode_factory, + only_if, skip_message): + if not only_if(backend): + pytest.skip(skip_message) + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24)), + backend + ) + encryptor = cipher.encryptor() + encryptor.update(b"a" * 16) + with pytest.raises(NotFinalized): + encryptor.tag + encryptor.finalize() + with pytest.raises(AlreadyFinalized): + encryptor.add_data(b"b" * 16) -- cgit v1.2.3 From cc9ec987e82d1c4e2d42e6ef41664a090425287c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 21 Nov 2013 11:21:35 -0600 Subject: rename NotFinalized exception to NotYetFinalized because alex is right ...it does read better that way --- tests/hazmat/primitives/utils.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 839ff822..98455556 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -7,7 +7,7 @@ from cryptography.hazmat.bindings import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( - AlreadyFinalized, NotFinalized, + AlreadyFinalized, NotYetFinalized, ) from ...utils import load_vectors_from_file @@ -333,7 +333,7 @@ def aead_use_after_finalize_test(backend, cipher_factory, mode_factory, ) encryptor = cipher.encryptor() encryptor.update(b"a" * 16) - with pytest.raises(NotFinalized): + with pytest.raises(NotYetFinalized): encryptor.tag encryptor.finalize() with pytest.raises(AlreadyFinalized): -- cgit v1.2.3 From 24316fd1945909ef720ceb0e294752c4d3b6bbb2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 22 Nov 2013 13:30:46 -0600 Subject: _AEADCipherContext refactor * No longer extends _CipherContext * Remove _tag from _CipherContext * This change duplicates a small amount of code from _CipherContext --- tests/hazmat/primitives/utils.py | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 98455556..2a99cab9 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -338,3 +338,7 @@ def aead_use_after_finalize_test(backend, cipher_factory, mode_factory, encryptor.finalize() with pytest.raises(AlreadyFinalized): encryptor.add_data(b"b" * 16) + with pytest.raises(AlreadyFinalized): + encryptor.update(b"b" * 16) + with pytest.raises(AlreadyFinalized): + encryptor.finalize() -- cgit v1.2.3 From ce9c611feb4db781fcab5b7bbc68b936816d6a73 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 22 Nov 2013 14:10:59 -0600 Subject: enforce AEAD add_data before update --- tests/hazmat/primitives/utils.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 2a99cab9..8df02e78 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -7,7 +7,7 @@ from cryptography.hazmat.bindings import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( - AlreadyFinalized, NotYetFinalized, + AlreadyFinalized, NotYetFinalized, AlreadyUpdated, ) from ...utils import load_vectors_from_file @@ -307,23 +307,23 @@ def base_hmac_test(backend, algorithm, only_if, skip_message): assert h._ctx != h_copy._ctx -def generate_aead_use_after_finalize_test(cipher_factory, mode_factory, - only_if, skip_message): - def test_aead_use_after_finalize(self): +def generate_aead_exception_test(cipher_factory, mode_factory, + only_if, skip_message): + def test_aead_exception(self): for backend in _ALL_BACKENDS: yield ( - aead_use_after_finalize_test, + aead_exception_test, backend, cipher_factory, mode_factory, only_if, skip_message ) - return test_aead_use_after_finalize + return test_aead_exception -def aead_use_after_finalize_test(backend, cipher_factory, mode_factory, - only_if, skip_message): +def aead_exception_test(backend, cipher_factory, mode_factory, + only_if, skip_message): if not only_if(backend): pytest.skip(skip_message) cipher = Cipher( @@ -335,6 +335,8 @@ def aead_use_after_finalize_test(backend, cipher_factory, mode_factory, encryptor.update(b"a" * 16) with pytest.raises(NotYetFinalized): encryptor.tag + with pytest.raises(AlreadyUpdated): + encryptor.add_data(b"b" * 16) encryptor.finalize() with pytest.raises(AlreadyFinalized): encryptor.add_data(b"b" * 16) -- cgit v1.2.3 From a4bfc08b8d2ed312eeb1b0558ac20f285feb8cc2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 22 Nov 2013 19:57:37 -0600 Subject: invalidtag exception for gcm This exception is probably not safe. It depends on the assumption that if ERR_get_error returns a 0 then it is an AEAD tag error. --- tests/hazmat/primitives/utils.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 8df02e78..39f5ae82 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -7,7 +7,7 @@ from cryptography.hazmat.bindings import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( - AlreadyFinalized, NotYetFinalized, AlreadyUpdated, + AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag, ) from ...utils import load_vectors_from_file @@ -95,7 +95,7 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, decryptor = cipher.decryptor() decryptor.add_data(binascii.unhexlify(aad)) actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - with pytest.raises(AssertionError): + with pytest.raises(InvalidTag): decryptor.finalize() else: cipher = Cipher( -- cgit v1.2.3 From bc31fb22979df3f034ce286fab20da71be76fe58 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 24 Nov 2013 11:03:53 -0600 Subject: rename add_data to authenticate_additional_data for clarity (hopefully) --- tests/hazmat/primitives/utils.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 39f5ae82..b6f9e0f5 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -93,7 +93,7 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, backend ) decryptor = cipher.decryptor() - decryptor.add_data(binascii.unhexlify(aad)) + decryptor.authenticate_additional_data(binascii.unhexlify(aad)) actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) with pytest.raises(InvalidTag): decryptor.finalize() @@ -104,7 +104,7 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, backend ) encryptor = cipher.encryptor() - encryptor.add_data(binascii.unhexlify(aad)) + encryptor.authenticate_additional_data(binascii.unhexlify(aad)) actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) actual_ciphertext += encryptor.finalize() tag_len = len(params["tag"]) @@ -116,7 +116,7 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, backend ) decryptor = cipher.decryptor() - decryptor.add_data(binascii.unhexlify(aad)) + decryptor.authenticate_additional_data(binascii.unhexlify(aad)) actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) actual_plaintext += decryptor.finalize() assert actual_plaintext == binascii.unhexlify(plaintext) @@ -336,10 +336,10 @@ def aead_exception_test(backend, cipher_factory, mode_factory, with pytest.raises(NotYetFinalized): encryptor.tag with pytest.raises(AlreadyUpdated): - encryptor.add_data(b"b" * 16) + encryptor.authenticate_additional_data(b"b" * 16) encryptor.finalize() with pytest.raises(AlreadyFinalized): - encryptor.add_data(b"b" * 16) + encryptor.authenticate_additional_data(b"b" * 16) with pytest.raises(AlreadyFinalized): encryptor.update(b"b" * 16) with pytest.raises(AlreadyFinalized): -- cgit v1.2.3 From 0092c205657789e15848c7848eec768720de468f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 24 Nov 2013 11:39:14 -0600 Subject: raise TypeError if you attempt to get the tag attribute on a decrypt * To support this the _AEADCipherContext in base.py now needs to be aware of whether it is encrypting/decrypting --- tests/hazmat/primitives/utils.py | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index b6f9e0f5..58b9a917 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -344,3 +344,12 @@ def aead_exception_test(backend, cipher_factory, mode_factory, encryptor.update(b"b" * 16) with pytest.raises(AlreadyFinalized): encryptor.finalize() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + decryptor = cipher.decryptor() + decryptor.update(b"a" * 16) + with pytest.raises(TypeError): + decryptor.tag -- cgit v1.2.3 From 5a40896cbeae2cc2673c86aa18d3953314e760ba Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 29 Nov 2013 17:19:25 -0600 Subject: create AEADEncryptionContext and DecryptionContext --- tests/hazmat/primitives/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 58b9a917..9aa3a89a 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -351,5 +351,5 @@ def aead_exception_test(backend, cipher_factory, mode_factory, ) decryptor = cipher.decryptor() decryptor.update(b"a" * 16) - with pytest.raises(TypeError): + with pytest.raises(AttributeError): decryptor.tag -- cgit v1.2.3 From b91221dd7f27b3dcc09d3ad55645b12da08780cf Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 4 Dec 2013 17:56:40 -0600 Subject: raise ValueErrors when supplying/not supplying tags for GCM --- tests/hazmat/primitives/utils.py | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 9aa3a89a..705983a0 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -353,3 +353,38 @@ def aead_exception_test(backend, cipher_factory, mode_factory, decryptor.update(b"a" * 16) with pytest.raises(AttributeError): decryptor.tag + + +def generate_aead_tag_exception_test(cipher_factory, mode_factory, + only_if, skip_message): + def test_aead_tag_exception(self): + for backend in _ALL_BACKENDS: + yield ( + aead_tag_exception_test, + backend, + cipher_factory, + mode_factory, + only_if, + skip_message + ) + return test_aead_tag_exception + + +def aead_tag_exception_test(backend, cipher_factory, mode_factory, + only_if, skip_message): + if not only_if(backend): + pytest.skip(skip_message) + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24)), + backend + ) + with pytest.raises(ValueError): + cipher.decryptor() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + with pytest.raises(ValueError): + cipher.encryptor() -- cgit v1.2.3 From f8796b15a279db82cdefcd00bebfef4cdef8fee8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 13 Dec 2013 20:28:55 -0800 Subject: Renamed bindings to backends --- tests/hazmat/primitives/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/hazmat/primitives/utils.py') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 705983a0..b06f9b29 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -3,7 +3,7 @@ import os import pytest -from cryptography.hazmat.bindings import _ALL_BACKENDS +from cryptography.hazmat.backends import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( -- cgit v1.2.3