diff options
author | Legrandin <helderijs@gmail.com> | 2013-01-23 22:37:53 +0100 |
---|---|---|
committer | Dwayne Litzenberger <dlitz@dlitz.net> | 2013-10-20 13:30:21 -0700 |
commit | 57104488faa9fc386ea1aee249bafb6e2a529a57 (patch) | |
tree | c9f2245c097fbf4a0b00b29356c95dab2c3841aa /lib | |
parent | da79b781af41ff815b812c49d9be434f5de52aa4 (diff) | |
download | pycrypto-57104488faa9fc386ea1aee249bafb6e2a529a57.tar.gz |
Add support for CCM mode (AES only).
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [5306cf3] Added support for CCM mode (AES cipher only)
- [9abe301] Added CCM tests
- [f0c1395] Add MacMismatchError and ApiUsageError
- [fb62fae] ApiUsageError becomes TypeError
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [4ec64d8] Removed last references to ApiUsageError
- [80bfd35] Corrected AES-CCM examples
[dlitz@dlitz.net: Removed unrelated documentation change]
[dlitz@dlitz.net: Renamed 'targs' back to 'args']
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Crypto/Cipher/AES.py | 63 | ||||
-rw-r--r-- | lib/Crypto/Cipher/blockalgo.py | 441 | ||||
-rw-r--r-- | lib/Crypto/SelfTest/Cipher/common.py | 340 | ||||
-rw-r--r-- | lib/Crypto/SelfTest/Cipher/test_AES.py | 234 |
4 files changed, 1010 insertions, 68 deletions
diff --git a/lib/Crypto/Cipher/AES.py b/lib/Crypto/Cipher/AES.py index 351b954..5316700 100644 --- a/lib/Crypto/Cipher/AES.py +++ b/lib/Crypto/Cipher/AES.py @@ -31,15 +31,46 @@ encryption. As an example, encryption can be done as follows: >>> from Crypto.Cipher import AES - >>> from Crypto import Random + >>> from Crypto.Random import get_random_bytes >>> >>> key = b'Sixteen byte key' - >>> iv = Random.new().read(AES.block_size) + >>> iv = get_random_bytes(16) >>> cipher = AES.new(key, AES.MODE_CFB, iv) >>> msg = iv + cipher.encrypt(b'Attack at dawn') +A more complicated example is based on CCM, (see `MODE_CCM`) an `AEAD`_ mode +that provides both confidentiality and authentication for a message. +It also allows message for the header to remain in the clear, whilst still +being authenticated. The encryption is done as follows: + + >>> from Crypto.Cipher import AES + >>> from Crypto.Random import get_random_bytes + >>> + >>> + >>> hdr = b'To your eyes only' + >>> plaintext = b'Attack at dawn' + >>> key = b'Sixteen byte key' + >>> nonce = get_random_bytes(11) + >>> cipher = AES.new(key, AES.MODE_CCM, nonce) + >>> cipher.update(hdr) + >>> msg = nonce, hdr, cipher.encrypt(plaintext), cipher.digest() + +We assume that the tuple ``msg`` is transmitted to the receiver: + + >>> nonce, hdr, ciphertext, mac = msg + >>> key = b'Sixteen byte key' + >>> cipher = AES.new(key, AES.MODE_CCM, nonce) + >>> cipher.update(hdr) + >>> plaintext = cipher.decrypt(ciphertext) + >>> try: + >>> cipher.verify(mac) + >>> print "The message is authentic: hdr=%s, pt=%s" % (hdr, plaintext) + >>> except ValueError: + >>> print "Key incorrect or message corrupted" + .. __: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard .. _NIST: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf +.. _AEAD: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html :undocumented: __revision__, __package__ """ @@ -67,7 +98,7 @@ class AESCipher (blockalgo.BlockAlgo): def __init__(self, key, *args, **kwargs): """Initialize an AES cipher object - + See also `new()` at the module level.""" # Check if the use_aesni was specified. @@ -94,6 +125,8 @@ def new(key, *args, **kwargs): The chaining mode to use for encryption or decryption. Default is `MODE_ECB`. IV : byte string + (*Only* `MODE_CBC`, `MODE_CFB`, `MODE_OFB`, `MODE_OPENPGP`). + The initialization vector to use for encryption or decryption. It is ignored for `MODE_ECB` and `MODE_CTR`. @@ -102,8 +135,17 @@ def new(key, *args, **kwargs): and `block_size` +2 bytes for decryption (in the latter case, it is actually the *encrypted* IV which was prefixed to the ciphertext). It is mandatory. - - For all other modes, it must be `block_size` bytes longs. + + For all other modes, it must be 16 bytes long. + nonce : byte string + (*Only* `MODE_CCM`). + + A mandatory value that must never be reused for any other encryption. + + For `MODE_CCM`, its length must be in the range ``[7..13]``. + 11 or 12 bytes are reasonable values in general. Bear in + mind that with CCM there is a trade-off between nonce length and + maximum message size. counter : callable (*Only* `MODE_CTR`). A stateful function that returns the next *counter block*, which is a byte string of `block_size` bytes. @@ -112,6 +154,15 @@ def new(key, *args, **kwargs): (*Only* `MODE_CFB`).The number of bits the plaintext and ciphertext are segmented in. It must be a multiple of 8. If 0 or not specified, it will be assumed to be 8. + mac_len : integer + (*Only* `MODE_CCM`). Length of the MAC, in bytes. It must be even and in + the range ``[4..16]``. The default is 16. + msg_len : integer + (*Only* `MODE_CCM`). Length of the message to (de)cipher. + If not specified, ``encrypt`` or ``decrypt`` may only be called once. + assoc_len : integer + (*Only* `MODE_CCM`). Length of the associated data. + If not specified, all data is internally buffered. use_aesni : boolean Use AES-NI if available. @@ -133,6 +184,8 @@ MODE_OFB = 5 MODE_CTR = 6 #: OpenPGP Mode. See `blockalgo.MODE_OPENPGP`. MODE_OPENPGP = 7 +#: Counter with CBC-MAC (CCM) Mode. See `blockalgo.MODE_CCM`. +MODE_CCM = 8 #: Size of a data block (in bytes) block_size = 16 #: Size of a key (in bytes) diff --git a/lib/Crypto/Cipher/blockalgo.py b/lib/Crypto/Cipher/blockalgo.py index e20ec5a..57738c4 100644 --- a/lib/Crypto/Cipher/blockalgo.py +++ b/lib/Crypto/Cipher/blockalgo.py @@ -24,8 +24,15 @@ import sys if sys.version_info[0] == 2 and sys.version_info[1] == 1: from Crypto.Util.py21compat import * + from Crypto.Util.py3compat import * +from binascii import unhexlify + +from Crypto.Util import Counter +from Crypto.Util.strxor import strxor +from Crypto.Util.number import long_to_bytes + #: *Electronic Code Book (ECB)*. #: This is the simplest encryption mode. Each of the plaintext blocks #: is directly encrypted into a ciphertext block, independently of @@ -123,6 +130,61 @@ MODE_CTR = 6 #: .. _OpenPGP: http://tools.ietf.org/html/rfc4880 MODE_OPENPGP = 7 +#: *Counter with CBC-MAC (CCM)*. This is an Authenticated Encryption with +#: Associated Data (`AEAD`_) mode. It provides both confidentiality and +#: authenticity. +#: The header of the message may be left in the clear, if needed, and it will +#: still be subject to authentication. The decryption step tells the receiver +#: if the message comes from a source that really knowns the secret key. +#: Additionally, decryption detects if any part of the message - including the +#: header - has been modified or corrupted. +#: +#: This mode requires a nonce. The nonce shall never repeat for two +#: different messages encrypted with the same key, but it does not need +#: to be random. +#: Note that there is a trade-off between the size of the nonce and the +#: maximum size of a single message you can encrypt. +#: +#: It is important to use a large nonce if the key is reused across several +#: messages and the nonce is chosen randomly. +#: +#: It is acceptable to us a short nonce if the key is only used a few times or +#: if the nonce is taken from a counter. +#: +#: The following table shows the trade-off when the nonce is chosen at +#: random. The column on the left shows how many messages it takes +#: for the keystream to repeat **on average**. In practice, you will want to +#: stop using the key way before that. +#: +#: +--------------------+---------------+-------------------+ +#: | Avg. # of messages | nonce | Max. message | +#: | before keystream | size | size | +#: | repeats | (bytes) | (bytes) | +#: +====================+===============+===================+ +#: | 2**52 | 13 | 64K | +#: +--------------------+---------------+-------------------+ +#: | 2**48 | 12 | 16M | +#: +--------------------+---------------+-------------------+ +#: | 2**44 | 11 | 4G | +#: +--------------------+---------------+-------------------+ +#: | 2**40 | 10 | 1T | +#: +--------------------+---------------+-------------------+ +#: | 2**36 | 9 | 64P | +#: +--------------------+---------------+-------------------+ +#: | 2**32 | 8 | 16E | +#: +--------------------+---------------+-------------------+ +#: +#: This mode is only available for ciphers that operate on 128 bits blocks +#: (e.g. AES but not TDES). +#: +#: See `NIST SP800-38C`_ or RFC3610_ . +#: +#: .. _`NIST SP800-38C`: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf +#: .. _RFC3610: https://tools.ietf.org/html/rfc3610 +#: .. _AEAD: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html +MODE_CCM = 8 + + def _getParameter(name, index, args, kwargs, default=None): """Find a parameter in tuple and dictionary arguments a function receives""" @@ -132,68 +194,220 @@ def _getParameter(name, index, args, kwargs, default=None): raise ValueError("Parameter '%s' is specified twice" % name) param = args[index] return param or default - + + class BlockAlgo: """Class modelling an abstract block cipher.""" def __init__(self, factory, key, *args, **kwargs): self.mode = _getParameter('mode', 0, args, kwargs, default=MODE_ECB) self.block_size = factory.block_size - - if self.mode != MODE_OPENPGP: + self._factory = factory + + if self.mode == MODE_CCM: + if self.block_size != 16: + raise ValueError("CCM mode is only available for ciphers that operate on 128 bits blocks") + + self._mac_len = kwargs.get('mac_len', 16) # t + if self._mac_len not in (4, 6, 8, 10, 12, 14, 16): + raise ValueError("Parameter 'mac_len' must be even and in the range 4..16") + + self.nonce = _getParameter('nonce', 1, args, kwargs) # N + if not (self.nonce and 7 <= len(self.nonce) <= 13): + raise ValueError("Length of parameter 'nonce' must be" + " in the range 7..13 bytes") + + self._key = key + self._msg_len = kwargs.get('msg_len', None) # p + self._assoc_len = kwargs.get('assoc_len', None) # a + + self._assoc_buffer = [] + self._assoc_buffer_len = 0 + self._cipherCBC = None # To be used for MAC + self._done_assoc_data = False # True when all associated data + # has been processed + + # Allowed transitions after initialization + self._next = [self.update, self.encrypt, self.decrypt, + self.digest, self.verify] + + # Try to start CCM + self._start_ccm() + + elif self.mode == MODE_OPENPGP: + self._start_PGP(factory, key, *args, **kwargs) + else: self._cipher = factory.new(key, *args, **kwargs) self.IV = self._cipher.IV + + def _start_PGP(self, factory, key, *args, **kwargs): + # OPENPGP mode. For details, see 13.9 in RCC4880. + # + # A few members are specifically created for this mode: + # - _encrypted_iv, set in this constructor + # - _done_first_block, set to True after the first encryption + # - _done_last_block, set to True after a partial block is processed + + self._done_first_block = False + self._done_last_block = False + self.IV = _getParameter('iv', 1, args, kwargs) + if not self.IV: + raise ValueError("MODE_OPENPGP requires an IV") + + # Instantiate a temporary cipher to process the IV + IV_cipher = factory.new( + key, + MODE_CFB, + b('\x00') * self.block_size, # IV for CFB + segment_size=self.block_size * 8) + + # The cipher will be used for... + if len(self.IV) == self.block_size: + # ... encryption + self._encrypted_IV = IV_cipher.encrypt( + self.IV + self.IV[-2:] + # Plaintext + b('\x00') * (self.block_size - 2) # Padding + )[:self.block_size + 2] + elif len(self.IV) == self.block_size + 2: + # ... decryption + self._encrypted_IV = self.IV + self.IV = IV_cipher.decrypt( + self.IV + # Ciphertext + b('\x00') * (self.block_size - 2) # Padding + )[:self.block_size + 2] + if self.IV[-2:] != self.IV[-4:-2]: + raise ValueError("Failed integrity check for OPENPGP IV") + self.IV = self.IV[:-2] else: - # OPENPGP mode. For details, see 13.9 in RCC4880. - # - # A few members are specifically created for this mode: - # - _encrypted_iv, set in this constructor - # - _done_first_block, set to True after the first encryption - # - _done_last_block, set to True after a partial block is processed - - self._done_first_block = False - self._done_last_block = False - self.IV = _getParameter('iv', 1, args, kwargs) - if not self.IV: - raise ValueError("MODE_OPENPGP requires an IV") - - # Instantiate a temporary cipher to process the IV - IV_cipher = factory.new(key, MODE_CFB, - b('\x00')*self.block_size, # IV for CFB - segment_size=self.block_size*8) - - # The cipher will be used for... - if len(self.IV) == self.block_size: - # ... encryption - self._encrypted_IV = IV_cipher.encrypt( - self.IV + self.IV[-2:] + # Plaintext - b('\x00')*(self.block_size-2) # Padding - )[:self.block_size+2] - elif len(self.IV) == self.block_size+2: - # ... decryption - self._encrypted_IV = self.IV - self.IV = IV_cipher.decrypt(self.IV + # Ciphertext - b('\x00')*(self.block_size-2) # Padding - )[:self.block_size+2] - if self.IV[-2:] != self.IV[-4:-2]: - raise ValueError("Failed integrity check for OPENPGP IV") - self.IV = self.IV[:-2] + raise ValueError("Length of IV must be %d or %d bytes for MODE_OPENPGP" + % (self.block_size, self.block_size+2)) + + # Instantiate the cipher for the real PGP data + self._cipher = factory.new( + key, + MODE_CFB, + self._encrypted_IV[-self.block_size:], + segment_size=self.block_size * 8 + ) + + def _start_ccm(self, assoc_len=None, msg_len=None): + # CCM mode. This method creates the 2 ciphers used for the MAC + # (self._cipherCBC) and for the encryption/decryption (self._cipher). + # + # Member _assoc_buffer may already contain user data that needs to be + # authenticated. + + if self._cipherCBC: + # Already started + return + if assoc_len is not None: + self._assoc_len = assoc_len + if msg_len is not None: + self._msg_len = msg_len + if None in (self._assoc_len, self._msg_len): + return + + # q is the length of Q, the encoding of the message length + q = 15 - len(self.nonce) + + ## Compute B_0 + flags = ( + 64 * (self._assoc_len > 0) + + 8 * divmod(self._mac_len - 2, 2)[0] + + (q - 1) + ) + b_0 = bchr(flags) + self.nonce + long_to_bytes(self._msg_len, q) + self._assoc_buffer.insert(0, b_0) + self._assoc_buffer_len += 16 + + # Start CBC MAC with zero IV + # Mind that self._assoc_buffer may already contain some data + self._cipherCBC = self._factory.new(self._key, MODE_CBC, bchr(0)*16) + assoc_len_encoded = b('') + if self._assoc_len > 0: + if self._assoc_len < (2 ** 16 - 2 ** 8): + enc_size = 2 + elif self._assoc_len < (2L ** 32): + assoc_len_encoded = b('\xFF\xFE') + enc_size = 4 else: - raise ValueError("Length of IV must be %d or %d bytes for MODE_OPENPGP" - % (self.block_size, self.block_size+2)) + assoc_len_encoded = b('\xFF\xFF') + enc_size = 8 + assoc_len_encoded += long_to_bytes(self._assoc_len, enc_size) + self._assoc_buffer.insert(1, assoc_len_encoded) + self._assoc_buffer_len += len(assoc_len_encoded) + + # Start CTR cipher + flags = q - 1 + prefix = bchr(flags) + self.nonce + ctr = Counter.new(128 - len(prefix) * 8, prefix, initial_value=0) + self._cipher = self._factory.new(self._key, MODE_CTR, counter=ctr) + # Will XOR against CBC MAC + self._s_0 = self._cipher.encrypt(bchr(0) * 16) + + def update(self, assoc_data): + """Protect associated data + + When using an AEAD mode like CCM, and if there is any associated data, + the caller has to invoke this function one or more times, before + using ``decrypt`` or ``encrypt``. + + By *associated data* it is meant any data (e.g. packet headers) that + will not be encrypted and will be transmitted in the clear. + However, the receiver is still able to detect any modification to it. + In CCM, the *associated data* is also called *additional authenticated + data*. + + If there is no associated data, this method must not be called. + + The caller may split associated data in segments of any size, and + invoke this method multiple times, each time with the next segment. - # Instantiate the cipher for the real PGP data - self._cipher = factory.new(key, MODE_CFB, - self._encrypted_IV[-self.block_size:], - segment_size=self.block_size*8) + :Parameters: + assoc_data : byte string + A piece of associated data. There are no restrictions on its size. + """ + + if self.mode == MODE_CCM: + if self.update not in self._next: + raise TypeError("update() can only be called immediately after initialization") + self._next = [ self.update, self.encrypt, self.decrypt, + self.digest, self.verify ] + return self._update(assoc_data) + + def _update(self, assoc_data, do_zero_padding=False): + """Equivalent to update(), but without FSM checks.""" + + if self.mode == MODE_CCM: + self._assoc_buffer.append(assoc_data) + self._assoc_buffer_len += len(assoc_data) + + if not self._cipherCBC: + return + + if do_zero_padding and (self._assoc_buffer_len & 15): + npad = 16 - self._assoc_buffer_len & 15 + self._assoc_buffer.append(bchr(0) * npad) + self._assoc_buffer_len += npad + + # Feed data into CBC MAC + aligned_data = 16 * divmod(self._assoc_buffer_len, 16)[0] + if aligned_data > 0: + buf = b("").join(self._assoc_buffer) + self._t = self._cipherCBC.encrypt(buf[:aligned_data])[-16:] + self._assoc_buffer = [buf[aligned_data:]] + self._assoc_buffer_len -= aligned_data + return + raise ValueError("update() not supported by this mode of operation") def encrypt(self, plaintext): """Encrypt data with the key and the parameters set at initialization. - + The cipher object is stateful; encryption of a long block of data can be broken up in two or more calls to `encrypt()`. + That is, the statement: - + >>> c.encrypt(a) + c.encrypt(b) is always equivalent to: @@ -211,7 +425,8 @@ class BlockAlgo: - For `MODE_CFB`, *plaintext* length (in bytes) must be a multiple of *segment_size*/8. - - For `MODE_OFB` and `MODE_CTR`, *plaintext* can be of any length. + - For `MODE_OFB`, `MODE_CTR` and `MODE_CCM` *plaintext* can be + of any length. - For `MODE_OPENPGP`, *plaintext* must be a multiple of *block_size*, unless it is the last chunk of the message. @@ -245,6 +460,23 @@ class BlockAlgo: self._done_first_block = True return res + if self.mode == MODE_CCM: + + if self.encrypt not in self._next: + raise TypeError("encrypt() can only be called after initialization or an update()") + self._next = [self.encrypt, self.digest] + + if self._assoc_len is None: + self._start_ccm(assoc_len=self._assoc_buffer_len) + if self._msg_len is None: + self._start_ccm(msg_len=len(plaintext)) + self._next = [self.digest] + if not self._done_assoc_data: + self._update(b(""), do_zero_padding=True) + self._done_assoc_data = True + + self._update(plaintext) + return self._cipher.encrypt(plaintext) def decrypt(self, ciphertext): @@ -272,7 +504,8 @@ class BlockAlgo: - For `MODE_CFB`, *ciphertext* length (in bytes) must be a multiple of *segment_size*/8. - - For `MODE_OFB` and `MODE_CTR`, *ciphertext* can be of any length. + - For `MODE_OFB`, `MODE_CTR` and `MODE_CCM`, *ciphertext* can be + of any length. - For `MODE_OPENPGP`, *plaintext* must be a multiple of *block_size*, unless it is the last chunk of the message. @@ -282,6 +515,7 @@ class BlockAlgo: The piece of data to decrypt. :Return: the decrypted data (byte string, as long as *ciphertext*). """ + if self.mode == MODE_OPENPGP: padding_length = (self.block_size - len(ciphertext) % self.block_size) % self.block_size if padding_length > 0: @@ -298,5 +532,116 @@ class BlockAlgo: res = self._cipher.decrypt(ciphertext) return res - return self._cipher.decrypt(ciphertext) + if self.mode == MODE_CCM: + + if self.decrypt not in self._next: + raise TypeError("decrypt() can only be called after initialization or an update()") + self._next = [self.decrypt, self.verify] + + if self._assoc_len is None: + self._start_ccm(assoc_len=self._assoc_buffer_len) + if self._msg_len is None: + self._start_ccm(msg_len=len(ciphertext)) + self._next = [self.verify] + if not self._done_assoc_data: + self._update(b(""), do_zero_padding=True) + self._done_assoc_data = True + + pt = self._cipher.decrypt(ciphertext) + + if self.mode == MODE_CCM: + self._update(pt) + + return pt + + def digest(self): + """Compute the *binary* MAC tag in an AEAD mode. + + When using an AEAD mode like CCM, the caller invokes this function + at the very end. + + This method returns the MAC that shall be sent to the receiver, + together with the ciphertext. + + :Return: the MAC, as a byte string. + """ + + if self.mode == MODE_CCM: + + if self.digest not in self._next: + raise TypeError("digest() cannot be called when decrypting or validating a message") + self._next = [self.digest] + + if self._assoc_len is None: + self._start_ccm(assoc_len=self._assoc_buffer_len) + if self._msg_len is None: + self._start_ccm(msg_len=0) + self._update(b(""), do_zero_padding=True) + + return strxor(self._t, self._s_0)[:self._mac_len] + + raise TypeError("digest() not supported by this mode of operation") + + def hexdigest(self): + """Compute the *printable* MAC tag in an AEAD mode. + + This method is like `digest`. + + :Return: the MAC, as a hexadecimal string. + """ + return "".join(["%02x" % bord(x) for x in self.digest()]) + + def verify(self, mac_tag): + """Validate the *binary* MAC tag in an AEAD mode. + + When using an AEAD mode like CCM, the caller invokes this function + at the very end. + + This method checks if the decrypted message is indeed valid + (that is, if the key is correct) and it has not been + tampered with while in transit. + + :Parameters: + mac_tag : byte string + This is the *binary* MAC, as received from the sender. + :Raises ValueError: + if the MAC does not match. The message has been tampered with + or the key is incorrect. + """ + + if self.mode == MODE_CCM: + if self.verify not in self._next: + raise TypeError("verify() cannot be called when encrypting a message") + self._next = [self.verify] + + if self._assoc_len is None: + self._start_ccm(assoc_len=self._assoc_buffer_len) + if self._msg_len is None: + self._start_ccm(msg_len=0) + self._update(b(""), do_zero_padding=True) + u = strxor(self._t, self._s_0)[:self._mac_len] + + res = 0 + # Constant-time comparison + for x,y in zip(u, mac_tag): + res |= bord(x) ^ bord(y) + if res or len(mac_tag)!=self._mac_len: + raise ValueError("MAC check failed") + return + + raise TypeError("verify() not supported by this mode of operation") + + def hexverify(self, hex_mac_tag): + """Validate the *printable* MAC tag in an AEAD mode. + + This method is like `verify`. + + :Parameters: + hex_mac_tag : string + This is the *printable* MAC, as received from the sender. + :Raises ValueError: + if the MAC does not match. The message has been tampered with + or the key is incorrect. + """ + self.verify(unhexlify(hex_mac_tag)) diff --git a/lib/Crypto/SelfTest/Cipher/common.py b/lib/Crypto/SelfTest/Cipher/common.py index a20a3aa..e52a781 100644 --- a/lib/Crypto/SelfTest/Cipher/common.py +++ b/lib/Crypto/SelfTest/Cipher/common.py @@ -30,8 +30,9 @@ __revision__ = "$Id$" import sys import unittest -from binascii import a2b_hex, b2a_hex +from binascii import a2b_hex, b2a_hex, hexlify from Crypto.Util.py3compat import * +from Crypto.Util.strxor import strxor_c # For compatibility with Python 2.1 and Python 2.2 if sys.hexversion < 0x02030000: @@ -68,14 +69,24 @@ class CipherSelfTest(unittest.TestCase): self.plaintext = b(_extract(params, 'plaintext')) self.ciphertext = b(_extract(params, 'ciphertext')) self.module_name = _extract(params, 'module_name', None) + self.assoc_data = _extract(params, 'assoc_data', None) + if self.assoc_data: + self.assoc_data = b(self.assoc_data) + self.mac = _extract(params, 'mac', None) + if self.assoc_data: + self.mac = b(self.mac) mode = _extract(params, 'mode', None) self.mode_name = str(mode) if mode is not None: # Block cipher self.mode = getattr(self.module, "MODE_" + mode) + self.iv = _extract(params, 'iv', None) - if self.iv is not None: self.iv = b(self.iv) + if self.iv is None: + self.iv = _extract(params, 'nonce', None) + if self.iv is not None: + self.iv = b(self.iv) # Only relevant for OPENPGP mode self.encrypted_iv = _extract(params, 'encrypted_iv', None) @@ -122,26 +133,49 @@ class CipherSelfTest(unittest.TestCase): def runTest(self): plaintext = a2b_hex(self.plaintext) ciphertext = a2b_hex(self.ciphertext) - - ct1 = b2a_hex(self._new().encrypt(plaintext)) - pt1 = b2a_hex(self._new(1).decrypt(ciphertext)) - ct2 = b2a_hex(self._new().encrypt(plaintext)) - pt2 = b2a_hex(self._new(1).decrypt(ciphertext)) + assoc_data = None + if self.assoc_data: + assoc_data = a2b_hex(self.assoc_data) + + ct = None + pt = None + + # + # Repeat the same encryption or decryption twice and verify + # that the result is always the same + # + for i in xrange(2): + cipher = self._new() + decipher = self._new(1) + + # Only AEAD modes + if self.assoc_data: + cipher.update(assoc_data) + decipher.update(assoc_data) + + ctX = b2a_hex(cipher.encrypt(plaintext)) + ptX = b2a_hex(decipher.decrypt(ciphertext)) + + if ct: + self.assertEqual(ct, ctX) + self.assertEqual(pt, ptX) + ct, pt = ctX, ptX if hasattr(self.module, "MODE_OPENPGP") and self.mode == self.module.MODE_OPENPGP: # In PGP mode, data returned by the first encrypt() # is prefixed with the encrypted IV. # Here we check it and then remove it from the ciphertexts. eilen = len(self.encrypted_iv) - self.assertEqual(self.encrypted_iv, ct1[:eilen]) - self.assertEqual(self.encrypted_iv, ct2[:eilen]) - ct1 = ct1[eilen:] - ct2 = ct2[eilen:] + self.assertEqual(self.encrypted_iv, ct[:eilen]) + ct = ct[eilen:] - self.assertEqual(self.ciphertext, ct1) # encrypt - self.assertEqual(self.ciphertext, ct2) # encrypt (second time) - self.assertEqual(self.plaintext, pt1) # decrypt - self.assertEqual(self.plaintext, pt2) # decrypt (second time) + self.assertEqual(self.ciphertext, ct) # encrypt + self.assertEqual(self.plaintext, pt) # decrypt + + if self.mac: + mac = b2a_hex(cipher.digest()) + self.assertEqual(self.mac, mac) + decipher.verify(a2b_hex(self.mac)) class CipherStreamingSelfTest(CipherSelfTest): @@ -252,6 +286,258 @@ class CFBSegmentSizeTest(unittest.TestCase): self.assertRaises(ValueError, self.module.new, a2b_hex(self.key), self.module.MODE_CFB, segment_size=i) self.module.new(a2b_hex(self.key), self.module.MODE_CFB, "\0"*self.module.block_size, segment_size=8) # should succeed +class CCMMACLengthTest(unittest.TestCase): + """CCM specific tests about MAC""" + + def __init__(self, module): + unittest.TestCase.__init__(self) + self.module = module + self.key = b('\xFF')*16 + self.iv = b('\x00')*10 + + def shortDescription(self): + return self.description + + def runTest(self): + """Verify that MAC can only be 4,6,8,..,16 bytes long.""" + for i in range(3,16,2): + self.description = "CCM MAC length check (%d bytes)" % i + self.assertRaises(ValueError, self.module.new, self.key, + self.module.MODE_CCM, self.iv, msg_len=10, mac_len=i) + + """Verify that default MAC length is 16.""" + self.description = "CCM default MAC length check" + cipher = self.module.new(self.key, self.module.MODE_CCM, + self.iv, msg_len=4) + cipher.encrypt(b('z')*4) + self.assertEqual(len(cipher.digest()), 16) + +class CCMSplitEncryptionTest(unittest.TestCase): + """CCM specific tests to validate how encrypt() + decrypt() can be called multiple times on the + same object.""" + + def __init__(self, module): + unittest.TestCase.__init__(self) + self.module = module + self.key = b('\xFF')*16 + self.iv = b('\x00')*10 + self.description = "CCM Split Encryption Test" + + def shortDescription(self): + return self.description + + def runTest(self): + """Verify that CCM update()/encrypt() can be called multiple times, + provided that lengths are declared beforehand""" + + data = b("AUTH DATA") + pt1 = b("PLAINTEXT1") # Short + pt2 = b("PLAINTEXT2") # Long + pt_ref = pt1+pt2 + + # REFERENCE: Run with 1 update() and 1 encrypt() + cipher = self.module.new(self.key, self.module.MODE_CCM, + self.iv) + cipher.update(data) + ct_ref = cipher.encrypt(pt_ref) + mac_ref = cipher.digest() + + # Verify that calling CCM encrypt()/decrypt() twice is not + # possible without the 'msg_len' parameter and regardless + # of the 'assoc_len' parameter + for ad_len in None, len(data): + cipher = self.module.new(self.key, self.module.MODE_CCM, + self.iv, assoc_len=ad_len) + cipher.update(data) + cipher.encrypt(pt1) + self.assertRaises(TypeError, cipher.encrypt, pt2) + + cipher = self.module.new(self.key, self.module.MODE_CCM, + self.iv, assoc_len=ad_len) + cipher.update(data) + cipher.decrypt(ct_ref[:len(pt1)]) + self.assertRaises(TypeError, cipher.decrypt, ct_ref[len(pt1):]) + + # Run with 2 encrypt()/decrypt(). Results must be the same + # regardless of the 'assoc_len' parameter + for ad_len in None, len(data): + cipher = self.module.new(self.key, self.module.MODE_CCM, + self.iv, assoc_len=ad_len, msg_len=len(pt_ref)) + cipher.update(data) + ct = cipher.encrypt(pt1) + ct += cipher.encrypt(pt2) + mac = cipher.digest() + self.assertEqual(ct_ref, ct) + self.assertEqual(mac_ref, mac) + + cipher = self.module.new(self.key, self.module.MODE_CCM, + self.iv, msg_len=len(pt1+pt2)) + cipher.update(data) + pt = cipher.decrypt(ct[:len(pt1)]) + pt += cipher.decrypt(ct[len(pt1):]) + mac = cipher.verify(mac_ref) + self.assertEqual(pt_ref, pt) + +class AEADTests(unittest.TestCase): + """Tests generic to all AEAD modes""" + + def __init__(self, module, mode_name): + unittest.TestCase.__init__(self) + self.module = module + self.mode_name = mode_name + self.mode = getattr(module, mode_name) + self.key = b('\xFF')*16 + self.iv = b('\x00')*10 + self.description = "AEAD Test" + + def right_mac_test(self): + """Positive tests for MAC""" + + self.description = "Test for right MAC in %s of %s" % \ + (self.mode_name, self.module.__name__) + + ad_ref = b("Reference AD") + pt_ref = b("Reference plaintext") + + # Encrypt and create the reference MAC + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.update(ad_ref) + ct_ref = cipher.encrypt(pt_ref) + mac_ref = cipher.digest() + + # Decrypt and verify that MAC is accepted + decipher = self.module.new(self.key, self.mode, self.iv) + decipher.update(ad_ref) + pt = decipher.decrypt(ct_ref) + decipher.verify(mac_ref) + self.assertEqual(pt, pt_ref) + + # Verify that hexverify work + decipher.hexverify(hexlify(mac_ref)) + + def wrong_mac_test(self): + """Negative tests for MAC""" + + self.description = "Test for wrong MAC in %s of %s" % \ + (self.mode_name, self.module.__name__) + + ad_ref = b("Reference AD") + pt_ref = b("Reference plaintext") + + # Encrypt and create the reference MAC + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.update(ad_ref) + ct_ref = cipher.encrypt(pt_ref) + mac_ref = cipher.digest() + + # Modify the MAC and verify it is NOT ACCEPTED + wrong_mac = strxor_c(mac_ref, 255) + decipher = self.module.new(self.key, self.mode, self.iv) + decipher.update(ad_ref) + pt = decipher.decrypt(ct_ref) + self.assertRaises(ValueError, decipher.verify, wrong_mac) + + def zero_data(self): + """Verify transition from INITIALIZED to FINISHED""" + + self.description = "Test for zero data in %s of %s" % \ + (self.mode_name, self.module.__name__) + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.digest() + + def multiple_updates(self): + """Verify that update() can be called multiple times""" + + self.description = "Test for multiple updates in %s of %s" % \ + (self.mode_name, self.module.__name__) + + ad = b("").join([bchr(x) for x in xrange(0,128)]) + + mac1, mac2, mac3 = (None,)*3 + for chunk_length in 1,10,40,80,128: + chunks = [ad[i:i+chunk_length] for i in range(0, len(ad), chunk_length)] + + # No encryption/decryption + cipher = self.module.new(self.key, self.mode, self.iv) + for c in chunks: + cipher.update(c) + if mac1: + cipher.verify(mac1) + else: + mac1 = cipher.digest() + + # Encryption + cipher = self.module.new(self.key, self.mode, self.iv) + for c in chunks: + cipher.update(c) + ct = cipher.encrypt(b("PT")) + mac2 = cipher.digest() + + # Decryption + cipher = self.module.new(self.key, self.mode, self.iv) + for c in chunks: + cipher.update(c) + cipher.decrypt(ct) + cipher.verify(mac2) + + def no_mix_encrypt_decrypt(self): + """Verify that encrypt and decrypt cannot be mixed up""" + + self.description = "Test for mix of encrypt and decrypt in %s of %s" % \ + (self.mode_name, self.module.__name__) + + # Calling decrypt after encrypt raises an exception + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.encrypt(b("PT")) + self.assertRaises(TypeError, cipher.decrypt, b("XYZ")) + + # Calling encrypt after decrypt raises an exception + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.decrypt(b("CT")) + self.assertRaises(TypeError, cipher.encrypt, b("XYZ")) + + # Calling verify after encrypt raises an exception + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.encrypt(b("PT")) + self.assertRaises(TypeError, cipher.verify, b("XYZ")) + self.assertRaises(TypeError, cipher.hexverify, "12") + + # Calling digest after decrypt raises an exception + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.decrypt(b("CT")) + self.assertRaises(TypeError, cipher.digest) + self.assertRaises(TypeError, cipher.hexdigest) + + def no_late_update(self): + """Verify that update cannot be called after encrypt or decrypt""" + + self.description = "Test for late update in %s of %s" % \ + (self.mode_name, self.module.__name__) + + # Calling update after encrypt raises an exception + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.update(b("XX")) + cipher.encrypt(b("PT")) + self.assertRaises(TypeError, cipher.update, b("XYZ")) + + # Calling update after decrypt raises an exception + cipher = self.module.new(self.key, self.mode, self.iv) + cipher.update(b("XX")) + cipher.decrypt(b("CT")) + self.assertRaises(TypeError, cipher.update, b("XYZ")) + + def runTest(self): + self.right_mac_test() + self.wrong_mac_test() + self.zero_data() + self.multiple_updates() + self.no_mix_encrypt_decrypt() + self.no_late_update() + + def shortDescription(self): + return self.description + class RoundtripTest(unittest.TestCase): def __init__(self, module, params): from Crypto import Random @@ -310,6 +596,10 @@ class IVLengthTest(unittest.TestCase): self.module.MODE_OFB, "") self.assertRaises(ValueError, self.module.new, a2b_hex(self.key), self.module.MODE_OPENPGP, "") + if hasattr(self.module, "MODE_CCM"): + for ivlen in (0,6,14): + self.assertRaises(ValueError, self.module.new, a2b_hex(self.key), + self.module.MODE_CCM, bchr(0)*ivlen, msg_len=10) self.module.new(a2b_hex(self.key), self.module.MODE_ECB, "") self.module.new(a2b_hex(self.key), self.module.MODE_CTR, "", counter=self._dummy_counter) @@ -367,6 +657,13 @@ def make_block_tests(module, module_name, test_data, additional_params=dict()): ] extra_tests_added = 1 + # Extract associated data and MAC for AEAD modes + if p_mode == 'CCM': + assoc_data, params['plaintext'] = params['plaintext'].split('|') + assoc_data2, params['ciphertext'], params['mac'] = params['ciphertext'].split('|') + params['assoc_data'] = assoc_data + params['mac_len'] = len(params['mac'])>>1 + # Add the current test to the test suite tests.append(CipherSelfTest(module, params)) @@ -383,6 +680,19 @@ def make_block_tests(module, module_name, test_data, additional_params=dict()): if not params2['ctr_params'].has_key('disable_shortcut'): params2['ctr_params']['disable_shortcut'] = 1 tests.append(CipherSelfTest(module, params2)) + + # Add tests that don't use test vectors + if hasattr(module, "MODE_CCM"): + tests += [ + CCMMACLengthTest(module), + CCMSplitEncryptionTest(module), + ] + for aead_mode in ("MODE_CCM",): + if hasattr(module, aead_mode): + tests += [ + AEADTests(module, aead_mode), + ] + return tests def make_stream_tests(module, module_name, test_data): diff --git a/lib/Crypto/SelfTest/Cipher/test_AES.py b/lib/Crypto/SelfTest/Cipher/test_AES.py index 8fd4a6f..878f56b 100644 --- a/lib/Crypto/SelfTest/Cipher/test_AES.py +++ b/lib/Crypto/SelfTest/Cipher/test_AES.py @@ -1445,6 +1445,240 @@ test_data = [ '5baa61e4c9b93f3f0682250b6cf8331b', # Key (hash of 'password') 'GPG Test Vector #1', dict(mode='OPENPGP', iv='3d7d3e62282add7eb203eeba5c800733', encrypted_iv='fd934601ef49cb58b6d9aebca6056bdb96ef' ) ), + + # NIST SP 800-38C test vectors for CCM + # This is a list of tuples with 5 items: + # + # 1. Associated data + '|' + plaintext + # 2. Associated data + '|' + ciphertext + '|' + MAC + # 3. AES-128 key + # 4. Description + # 5. Dictionary of parameters to be passed to AES.new(). + # It must include the nonce. + # + ( '0001020304050607|20212223', + '0001020304050607|7162015b|4dac255d', + '404142434445464748494a4b4c4d4e4f', + 'NIST SP 800-38C Appex C.1', + dict(mode='CCM', nonce='10111213141516') + ), + ( '000102030405060708090a0b0c0d0e0f|202122232425262728292a2b2c2d2e2f', + '000102030405060708090a0b0c0d0e0f|d2a1f0e051ea5f62081a7792073d593d|1fc64fbfaccd', + '404142434445464748494a4b4c4d4e4f', + 'NIST SP 800-38C Appex C.2', + dict(mode='CCM', nonce='1011121314151617') + ), + ( '000102030405060708090a0b0c0d0e0f10111213|'+ + '202122232425262728292a2b2c2d2e2f3031323334353637', + '000102030405060708090a0b0c0d0e0f10111213|'+ + 'e3b201a9f5b71a7a9b1ceaeccd97e70b6176aad9a4428aa5|484392fbc1b09951', + '404142434445464748494a4b4c4d4e4f', + 'NIST SP 800-38C Appex C.3', + dict(mode='CCM', nonce='101112131415161718191a1b') + ), + ( + (''.join(["%02X" % (x*16+y) for x in xrange(0,16) for y in xrange(0,16)]))*256+'|'+ + '202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f', + (''.join(["%02X" % (x*16+y) for x in xrange(0,16) for y in xrange(0,16)]))*256+'|'+ + '69915dad1e84c6376a68c2967e4dab615ae0fd1faec44cc484828529463ccf72|'+ + 'b4ac6bec93e8598e7f0dadbcea5b', + '404142434445464748494a4b4c4d4e4f', + 'NIST SP 800-38C Appex C.4', + dict(mode='CCM', nonce='101112131415161718191a1b1c') + ), + # RFC3610 test vectors + ( + '0001020304050607|08090a0b0c0d0e0f101112131415161718191a1b1c1d1e', + '0001020304050607|588c979a61c663d2f066d0c2c0f989806d5f6b61dac384|'+ + '17e8d12cfdf926e0', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #1', + dict(mode='CCM', nonce='00000003020100a0a1a2a3a4a5') + ), + ( + '0001020304050607|08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f', + '0001020304050607|72c91a36e135f8cf291ca894085c87e3cc15c439c9e43a3b|'+ + 'a091d56e10400916', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #2', + dict(mode='CCM', nonce='00000004030201a0a1a2a3a4a5') + ), + ( + '0001020304050607|08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20', + '0001020304050607|51b1e5f44a197d1da46b0f8e2d282ae871e838bb64da859657|'+ + '4adaa76fbd9fb0c5', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #3', + dict(mode='CCM', nonce='00000005040302A0A1A2A3A4A5') + ), + ( + '000102030405060708090a0b|0c0d0e0f101112131415161718191a1b1c1d1e', + '000102030405060708090a0b|a28c6865939a9a79faaa5c4c2a9d4a91cdac8c|'+ + '96c861b9c9e61ef1', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #4', + dict(mode='CCM', nonce='00000006050403a0a1a2a3a4a5') + ), + ( + '000102030405060708090a0b|0c0d0e0f101112131415161718191a1b1c1d1e1f', + '000102030405060708090a0b|dcf1fb7b5d9e23fb9d4e131253658ad86ebdca3e|'+ + '51e83f077d9c2d93', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #5', + dict(mode='CCM', nonce='00000007060504a0a1a2a3a4a5') + ), + ( + '000102030405060708090a0b|0c0d0e0f101112131415161718191a1b1c1d1e1f20', + '000102030405060708090a0b|6fc1b011f006568b5171a42d953d469b2570a4bd87|'+ + '405a0443ac91cb94', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #6', + dict(mode='CCM', nonce='00000008070605a0a1a2a3a4a5') + ), + ( + '0001020304050607|08090a0b0c0d0e0f101112131415161718191a1b1c1d1e', + '0001020304050607|0135d1b2c95f41d5d1d4fec185d166b8094e999dfed96c|'+ + '048c56602c97acbb7490', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #7', + dict(mode='CCM', nonce='00000009080706a0a1a2a3a4a5') + ), + ( + '0001020304050607|08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f', + '0001020304050607|7b75399ac0831dd2f0bbd75879a2fd8f6cae6b6cd9b7db24|'+ + 'c17b4433f434963f34b4', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #8', + dict(mode='CCM', nonce='0000000a090807a0a1a2a3a4a5') + ), + ( + '0001020304050607|08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20', + '0001020304050607|82531a60cc24945a4b8279181ab5c84df21ce7f9b73f42e197|'+ + 'ea9c07e56b5eb17e5f4e', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #9', + dict(mode='CCM', nonce='0000000b0a0908a0a1a2a3a4a5') + ), + ( + '000102030405060708090a0b|0c0d0e0f101112131415161718191a1b1c1d1e', + '000102030405060708090a0b|07342594157785152b074098330abb141b947b|'+ + '566aa9406b4d999988dd', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #10', + dict(mode='CCM', nonce='0000000c0b0a09a0a1a2a3a4a5') + ), + ( + '000102030405060708090a0b|0c0d0e0f101112131415161718191a1b1c1d1e1f', + '000102030405060708090a0b|676bb20380b0e301e8ab79590a396da78b834934|'+ + 'f53aa2e9107a8b6c022c', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #11', + dict(mode='CCM', nonce='0000000d0c0b0aa0a1a2a3a4a5') + ), + ( + '000102030405060708090a0b|0c0d0e0f101112131415161718191a1b1c1d1e1f20', + '000102030405060708090a0b|c0ffa0d6f05bdb67f24d43a4338d2aa4bed7b20e43|'+ + 'cd1aa31662e7ad65d6db', + 'c0c1c2c3c4c5c6c7c8c9cacbcccdcecf', + 'RFC3610 Packet Vector #12', + dict(mode='CCM', nonce='0000000e0d0c0ba0a1a2a3a4a5') + ), + ( + '0be1a88bace018b1|08e8cf97d820ea258460e96ad9cf5289054d895ceac47c', + '0be1a88bace018b1|4cb97f86a2a4689a877947ab8091ef5386a6ffbdd080f8|'+ + 'e78cf7cb0cddd7b3', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #13', + dict(mode='CCM', nonce='00412b4ea9cdbe3c9696766cfa') + ), + ( + '63018f76dc8a1bcb|9020ea6f91bdd85afa0039ba4baff9bfb79c7028949cd0ec', + '63018f76dc8a1bcb|4ccb1e7ca981befaa0726c55d378061298c85c92814abc33|'+ + 'c52ee81d7d77c08a', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #14', + dict(mode='CCM', nonce='0033568ef7b2633c9696766cfa') + ), + ( + 'aa6cfa36cae86b40|b916e0eacc1c00d7dcec68ec0b3bbb1a02de8a2d1aa346132e', + 'aa6cfa36cae86b40|b1d23a2220ddc0ac900d9aa03c61fcf4a559a4417767089708|'+ + 'a776796edb723506', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #15', + dict(mode='CCM', nonce='00103fe41336713c9696766cfa') + ), + ( + 'd0d0735c531e1becf049c244|12daac5630efa5396f770ce1a66b21f7b2101c', + 'd0d0735c531e1becf049c244|14d253c3967b70609b7cbb7c49916028324526|'+ + '9a6f49975bcadeaf', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #16', + dict(mode='CCM', nonce='00764c63b8058e3c9696766cfa') + ), + ( + '77b60f011c03e1525899bcae|e88b6a46c78d63e52eb8c546efb5de6f75e9cc0d', + '77b60f011c03e1525899bcae|5545ff1a085ee2efbf52b2e04bee1e2336c73e3f|'+ + '762c0c7744fe7e3c', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #17', + dict(mode='CCM', nonce='00f8b678094e3b3c9696766cfa') + ), + ( + 'cd9044d2b71fdb8120ea60c0|6435acbafb11a82e2f071d7ca4a5ebd93a803ba87f', + 'cd9044d2b71fdb8120ea60c0|009769ecabdf48625594c59251e6035722675e04c8|'+ + '47099e5ae0704551', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #18', + dict(mode='CCM', nonce='00d560912d3f703c9696766cfa') + ), + ( + 'd85bc7e69f944fb8|8a19b950bcf71a018e5e6701c91787659809d67dbedd18', + 'd85bc7e69f944fb8|bc218daa947427b6db386a99ac1aef23ade0b52939cb6a|'+ + '637cf9bec2408897c6ba', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #19', + dict(mode='CCM', nonce='0042fff8f1951c3c9696766cfa') + ), + ( + '74a0ebc9069f5b37|1761433c37c5a35fc1f39f406302eb907c6163be38c98437', + '74a0ebc9069f5b37|5810e6fd25874022e80361a478e3e9cf484ab04f447efff6|'+ + 'f0a477cc2fc9bf548944', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #20', + dict(mode='CCM', nonce='00920f40e56cdc3c9696766cfa') + ), + ( + '44a3aa3aae6475ca|a434a8e58500c6e41530538862d686ea9e81301b5ae4226bfa', + '44a3aa3aae6475ca|f2beed7bc5098e83feb5b31608f8e29c38819a89c8e776f154|'+ + '4d4151a4ed3a8b87b9ce', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #21', + dict(mode='CCM', nonce='0027ca0c7120bc3c9696766cfa') + ), + ( + 'ec46bb63b02520c33c49fd70|b96b49e21d621741632875db7f6c9243d2d7c2', + 'ec46bb63b02520c33c49fd70|31d750a09da3ed7fddd49a2032aabf17ec8ebf|'+ + '7d22c8088c666be5c197', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #22', + dict(mode='CCM', nonce='005b8ccbcd9af83c9696766cfa') + ), + ( + '47a65ac78b3d594227e85e71|e2fcfbb880442c731bf95167c8ffd7895e337076', + '47a65ac78b3d594227e85e71|e882f1dbd38ce3eda7c23f04dd65071eb41342ac|'+ + 'df7e00dccec7ae52987d', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #23', + dict(mode='CCM', nonce='003ebe94044b9a3c9696766cfa') + ), + ( + '6e37a6ef546d955d34ab6059|abf21c0b02feb88f856df4a37381bce3cc128517d4', + '6e37a6ef546d955d34ab6059|f32905b88a641b04b9c9ffb58cc390900f3da12ab1|'+ + '6dce9e82efa16da62059', + 'd7828d13b2b0bdc325a76236df93cc6b', + 'RFC3610 Packet Vector #24', + dict(mode='CCM', nonce='008d493b30ae8b3c9696766cfa') + ), ] def get_tests(config={}): |