TEST_VERSION = 1
TEST_PARAMVERSION = 1
TEST_STATIC_NACL = os.urandom (CRYPTO_NACL_SIZE)
+PLAIN_PARAMVERSION = 0
def faux_hdr (ctsize=1337, iv=None):
return \
password=password,
nacl=TEST_STATIC_NACL)
+ def test_crypto_aes_gcm_enc_ctor_bad_plainparams (self):
+ """Refuse plaintext passthrough mode by default."""
+ password = str (os.urandom (42))
+ with self.assertRaises (crypto.InvalidParameter):
+ encryptor = crypto.Encrypt (TEST_VERSION,
+ PLAIN_PARAMVERSION,
+ password=password,
+ nacl=TEST_STATIC_NACL)
+
+
+ def test_crypto_aes_gcm_enc_ctor_ok_insecure_plainparams (self):
+ """
+ Comply with request for plaintext passthrough mode if the
+ *insecure* flag is passed.
+ """
+ password = str (os.urandom (42))
+ encryptor = crypto.Encrypt (TEST_VERSION,
+ PLAIN_PARAMVERSION,
+ password=password,
+ nacl=TEST_STATIC_NACL,
+ insecure=True)
+
def test_crypto_aes_gcm_enc_ctor_key (self):
key = os.urandom (42)
assert plaintext == TEST_PLAINTEXT
+ def test_crypto_aes_gcm_dec_plain_bad (self):
+ """
+ Downgrade to plaintext must not be allowed in parameters
+ obtained from headers.
+ """
+ password = str (os.urandom (42))
+ encryptor = crypto.Encrypt (TEST_VERSION,
+ TEST_PARAMVERSION,
+ password=password,
+ nacl=TEST_STATIC_NACL)
+
+ header_dummy = encryptor.next (TEST_DUMMY_FILENAME)
+ _, ciphertext = encryptor.process (TEST_PLAINTEXT)
+ rest, header, fixed = encryptor.done (header_dummy)
+ ciphertext += rest
+
+ header = crypto.hdr_read (header)
+ header ["paramversion"] = PLAIN_PARAMVERSION
+ ok, header = crypto.hdr_make (header)
+ assert ok
+
+ decryptor = crypto.Decrypt (password=password, fixedparts=fixed)
+ with self.assertRaises (crypto.InvalidParameter):
+ decryptor.next (header)
+
+
+ def test_crypto_aes_gcm_dec_plain_ok_insecure (self):
+ """
+ Allow plaintext crypto mode if *insecure* flag is passed.
+ """
+ password = str (os.urandom (42))
+ encryptor = crypto.Encrypt (TEST_VERSION,
+ PLAIN_PARAMVERSION,
+ password=password,
+ nacl=TEST_STATIC_NACL,
+ insecure=True)
+
+ header_dummy = encryptor.next (TEST_DUMMY_FILENAME)
+ _, ciphertext = encryptor.process (TEST_PLAINTEXT)
+ rest, header, fixed = encryptor.done (header_dummy)
+ ciphertext += rest
+
+ header = crypto.hdr_read (header)
+ header ["paramversion"] = PLAIN_PARAMVERSION
+ ok, header = crypto.hdr_make (header)
+ assert ok
+
+ decryptor = crypto.Decrypt (password=password,
+ fixedparts=fixed,
+ insecure=True)
+ decryptor.next (header)
+ plaintext = decryptor.process (ciphertext)
+ rest = decryptor.done ()
+ plaintext += rest
+
+ assert plaintext == TEST_PLAINTEXT
+
+
def test_crypto_aes_gcm_dec_bad_tag (self):
password = str (os.urandom (42))
encryptor = crypto.Encrypt (TEST_VERSION,