kitty/kitty_tests/crypto.py

#!/usr/bin/env python
# License: GPLv3 Copyright: 2022, Kovid Goyal <kovid at kovidgoyal.net>


import os

from . import BaseTest


def is_rlimit_memlock_too_low() -> bool:
    ''' On supported systems, return true if the MEMLOCK limit is too low to
    run the crypto test. '''
    try:
        import resource
    except ModuleNotFoundError:
        return False

    memlock_limit, _ = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    pagesize = resource.getpagesize()
    return memlock_limit <= pagesize


class TestCrypto(BaseTest):

    def test_elliptic_curve_data_exchange(self):
        if is_rlimit_memlock_too_low():
            self.skipTest('RLIMIT_MEMLOCK is too low')
        from kitty.fast_data_types import AES256GCMDecrypt, AES256GCMEncrypt, CryptoError, EllipticCurveKey
        alice = EllipticCurveKey()
        bob = EllipticCurveKey()
        alice_secret = alice.derive_secret(bob.public)
        bob_secret = bob.derive_secret(alice.public)
        self.assertEqual(len(alice_secret), 32)
        self.assertEqual(len(bob_secret), 32)
        self.assertEqual(alice_secret, bob_secret)

        auth_data = os.urandom(213)
        plaintext = os.urandom(1011)
        e = AES256GCMEncrypt(alice_secret)
        e.add_authenticated_but_unencrypted_data(auth_data)
        ciphertext = e.add_data_to_be_encrypted(plaintext, True)

        d = AES256GCMDecrypt(bob_secret, e.iv, e.tag)
        d.add_data_to_be_authenticated_but_not_decrypted(auth_data)
        q = d.add_data_to_be_decrypted(ciphertext, True)
        self.ae(q, plaintext)

        def corrupt_data(data):
            b = bytearray(data)
            b[0] = (b[0] + 13) % 256
            return bytes(b)

        d = AES256GCMDecrypt(bob_secret, e.iv, corrupt_data(e.tag))
        d.add_data_to_be_authenticated_but_not_decrypted(auth_data)
        self.assertRaises(CryptoError, d.add_data_to_be_decrypted, ciphertext, True)

        d = AES256GCMDecrypt(bob_secret, e.iv, e.tag)
        d.add_data_to_be_authenticated_but_not_decrypted(corrupt_data(auth_data))
        self.assertRaises(CryptoError, d.add_data_to_be_decrypted, ciphertext, True)

        d = AES256GCMDecrypt(bob_secret, e.iv, e.tag)
        d.add_data_to_be_authenticated_but_not_decrypted(auth_data)
        self.assertRaises(CryptoError, d.add_data_to_be_decrypted, corrupt_data(ciphertext), True)
Test for secret derivation 2022-08-04 17:35:19 +03:00			`#!/usr/bin/env python`
			`# License: GPLv3 Copyright: 2022, Kovid Goyal <kovid at kovidgoyal.net>`


Add tests for AES256GCM 2022-08-05 11:20:03 +03:00			`import os`

Test for secret derivation 2022-08-04 17:35:19 +03:00			`from . import BaseTest`


Skip crypto test if RLIMIT_MEMLOCK is too low On systems where the max locked memory (a.k.a., RLIMIT_MEMLOCK) is too low, the crypto test fails with "Cannot allocate memory". Distros such as Debian and Ubuntu run the test-suite as part of the build process. This results in failed builds if the build machine itself does not have a sufficiently high value for RLIMIT_MEMLOCK. That said, the resulting builds would run perfectly fine when installed on machines that meet the requirements. On supported systems, we now check if the RLIMIT_MEMLOCK is high enough and skip the crypto test if it is not. Signed-off-by: Olivier Gayot <olivier.gayot@canonical.com> 2023-05-24 13:51:32 +03:00			`def is_rlimit_memlock_too_low() -> bool:`
			`''' On supported systems, return true if the MEMLOCK limit is too low to`
			`run the crypto test. '''`
			`try:`
			`import resource`
			`except ModuleNotFoundError:`
			`return False`

			`memlock_limit, _ = resource.getrlimit(resource.RLIMIT_MEMLOCK)`
			`pagesize = resource.getpagesize()`
			`return memlock_limit <= pagesize`


Test for secret derivation 2022-08-04 17:35:19 +03:00			`class TestCrypto(BaseTest):`

			`def test_elliptic_curve_data_exchange(self):`
Only import resource module when actually running the test instead of at import time 2023-05-24 14:29:44 +03:00			`if is_rlimit_memlock_too_low():`
			`self.skipTest('RLIMIT_MEMLOCK is too low')`
Replace isort with ruff 2023-01-09 14:17:42 +03:00			`from kitty.fast_data_types import AES256GCMDecrypt, AES256GCMEncrypt, CryptoError, EllipticCurveKey`
Test for secret derivation 2022-08-04 17:35:19 +03:00			`alice = EllipticCurveKey()`
			`bob = EllipticCurveKey()`
			`alice_secret = alice.derive_secret(bob.public)`
			`bob_secret = bob.derive_secret(alice.public)`
			`self.assertEqual(len(alice_secret), 32)`
			`self.assertEqual(len(bob_secret), 32)`
			`self.assertEqual(alice_secret, bob_secret)`
Add tests for AES256GCM 2022-08-05 11:20:03 +03:00
			`auth_data = os.urandom(213)`
			`plaintext = os.urandom(1011)`
			`e = AES256GCMEncrypt(alice_secret)`
			`e.add_authenticated_but_unencrypted_data(auth_data)`
			`ciphertext = e.add_data_to_be_encrypted(plaintext, True)`

			`d = AES256GCMDecrypt(bob_secret, e.iv, e.tag)`
			`d.add_data_to_be_authenticated_but_not_decrypted(auth_data)`
			`q = d.add_data_to_be_decrypted(ciphertext, True)`
			`self.ae(q, plaintext)`

			`def corrupt_data(data):`
			`b = bytearray(data)`
			`b[0] = (b[0] + 13) % 256`
			`return bytes(b)`

			`d = AES256GCMDecrypt(bob_secret, e.iv, corrupt_data(e.tag))`
			`d.add_data_to_be_authenticated_but_not_decrypted(auth_data)`
			`self.assertRaises(CryptoError, d.add_data_to_be_decrypted, ciphertext, True)`

			`d = AES256GCMDecrypt(bob_secret, e.iv, e.tag)`
			`d.add_data_to_be_authenticated_but_not_decrypted(corrupt_data(auth_data))`
			`self.assertRaises(CryptoError, d.add_data_to_be_decrypted, ciphertext, True)`

			`d = AES256GCMDecrypt(bob_secret, e.iv, e.tag)`
			`d.add_data_to_be_authenticated_but_not_decrypted(auth_data)`
			`self.assertRaises(CryptoError, d.add_data_to_be_decrypted, corrupt_data(ciphertext), True)`