From da4e5fadf7f5254975d397dd0ca33a32274ae948 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20Stro=CC=88mbergson?= Date: Thu, 28 Jun 2018 11:45:07 +0200 Subject: Adding the Python keywrap model from sw/libhal/unit-tests.py to modify as needed to get intermediate values. Removed the aes model taken from the aes core. --- src/model/keywrap.py | 125 +++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 101 insertions(+), 24 deletions(-) (limited to 'src/model/keywrap.py') diff --git a/src/model/keywrap.py b/src/model/keywrap.py index 08aac9a..747f406 100755 --- a/src/model/keywrap.py +++ b/src/model/keywrap.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/env python # -*- coding: utf-8 -*- #======================================================================= # @@ -43,7 +43,9 @@ # Python module imports. #------------------------------------------------------------------- import sys -import aes +import Crypto.Random +from Crypto.Cipher import AES +from struct import pack, unpack #------------------------------------------------------------------- @@ -52,37 +54,112 @@ import aes VERBOSE = True + +#------------------------------------------------------------------- +# AESKeyWrapWithPadding +#------------------------------------------------------------------- +class AESKeyWrapWithPadding(object): + """ + Implementation of AES Key Wrap With Padding from RFC 5649. + """ + + class UnwrapError(Exception): + "Something went wrong during unwrap." + + def __init__(self, key): + self.ctx = AES.new(key, AES.MODE_ECB) + + def _encrypt(self, b1, b2): + aes_block = self.ctx.encrypt(b1 + b2) + return aes_block[:8], aes_block[8:] + + def _decrypt(self, b1, b2): + aes_block = self.ctx.decrypt(b1 + b2) + return aes_block[:8], aes_block[8:] + + @staticmethod + def _start_stop(start, stop): # Syntactic sugar + step = -1 if start > stop else 1 + return xrange(start, stop + step, step) + + @staticmethod + def _xor(R0, t): + return pack(">Q", unpack(">Q", R0)[0] ^ t) + + def wrap(self, Q): + "RFC 5649 section 4.1." + m = len(Q) # Plaintext length + if m % 8 != 0: # Pad Q if needed + Q += "\x00" * (8 - (m % 8)) + R = [pack(">LL", 0xa65959a6, m)] # Magic MSB(32,A), build LSB(32,A) + R.extend(Q[i : i + 8] # Append Q + for i in xrange(0, len(Q), 8)) + n = len(R) - 1 + if n == 1: + R[0], R[1] = self._encrypt(R[0], R[1]) + else: + # RFC 3394 section 2.2.1 + for j in self._start_stop(0, 5): + for i in self._start_stop(1, n): + R[0], R[i] = self._encrypt(R[0], R[i]) + R[0] = self._xor(R[0], n * j + i) + assert len(R) == (n + 1) and all(len(r) == 8 for r in R) + return "".join(R) + + def unwrap(self, C): + "RFC 5649 section 4.2." + if len(C) % 8 != 0: + raise self.UnwrapError("Ciphertext length {} is not an integral number of blocks" + .format(len(C))) + n = (len(C) / 8) - 1 + R = [C[i : i + 8] for i in xrange(0, len(C), 8)] + if n == 1: + R[0], R[1] = self._decrypt(R[0], R[1]) + else: + # RFC 3394 section 2.2.2 steps (1), (2), and part of (3) + for j in self._start_stop(5, 0): + for i in self._start_stop(n, 1): + R[0] = self._xor(R[0], n * j + i) + R[0], R[i] = self._decrypt(R[0], R[i]) + magic, m = unpack(">LL", R[0]) + if magic != 0xa65959a6: + raise self.UnwrapError("Magic value in AIV should have been 0xa65959a6, was 0x{:02x}" + .format(magic)) + if m <= 8 * (n - 1) or m > 8 * n: + raise self.UnwrapError("Length encoded in AIV out of range: m {}, n {}".format(m, n)) + R = "".join(R[1:]) + assert len(R) == 8 * n + if any(r != "\x00" for r in R[m:]): + raise self.UnwrapError("Nonzero trailing bytes {}".format(R[m:].encode("hex"))) + return R[:m] + + #------------------------------------------------------------------- -# aes_test +# wrap_test1 # -# Check that the AES functionality is available and works -# as expected. +# First, simplest test from NIST test vectors. #------------------------------------------------------------------- -def keywrap_aes_test(): - nist_aes128_key = (0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c) - nist_plaintext0 = (0x6bc1bee2, 0x2e409f96, 0xe93d7e11, 0x7393172a) - nist_exp128_0 = (0x3ad77bb4, 0x0d7a3660, 0xa89ecaf3, 0x2466ef97) - enc_result128_0 = aes.aes_encipher_block(nist_aes128_key, nist_plaintext0) - - print("Test 0 for AES-128.") - print("Key:") - aes.print_key(nist_aes128_key) - print("Block in:") - aes.print_block(nist_plaintext0) - print("Expected block out:") - aes.print_block(nist_exp128_0) - print("Got block out:") - aes.print_block(enc_result128_0) - print("") +def wrap_test1(): + my_key = Crypto.Random.new().read(256/8) + my_keywrap = AESKeyWrapWithPadding(my_key) + + my_plaintext = "\x31\x32\x33" + my_wrap = my_keywrap.wrap(my_plaintext) + print(type(my_wrap)) + my_unwrap = my_keywrap.wrap(my_wrap) + print(type(my_unwrap)) + print("plaintext: %s wrapped: %s unwrapped: %s" % + (my_plaintext, my_wrap, my_unwrap)) #------------------------------------------------------------------- #------------------------------------------------------------------- def main(): - print("Testing the KEY WRAP model") - print("===========================") + print("Testing the Key Wrap Python model") + print("=================================") print - keywrap_aes_test() + # keywrap_aes_test() + wrap_test1() #------------------------------------------------------------------- -- cgit v1.2.3