def prepare(
cls,
*,
nonce: Nonce,
initiator_key: AES128Key,
message: BaseMessage,
auth_data: TAuthData,
source_node_id: NodeID,
dest_node_id: NodeID,
protocol_id: bytes = PROTOCOL_ID,
) -> "Packet[TAuthData]":
auth_data_bytes = auth_data.to_wire_bytes()
auth_data_size = len(auth_data_bytes)
header = Header(
protocol_id,
source_node_id,
auth_data.flag,
auth_data_size,
)
message_cipher_text = aesgcm_encrypt(
key=initiator_key,
nonce=nonce,
plain_text=message.to_bytes(),
authenticated_data=header.to_wire_bytes() +
auth_data.to_wire_bytes(),
)
return cls(
header=header,
auth_data=auth_data,
message_cipher_text=message_cipher_text,
dest_node_id=dest_node_id,
)
def compute_encrypted_message(
key: AES128Key, auth_tag: Nonce, message: BaseMessage, authenticated_data: bytes
) -> bytes:
encrypted_message = aesgcm_encrypt(
key=key,
nonce=auth_tag,
plain_text=message.to_bytes(),
authenticated_data=authenticated_data,
)
return encrypted_message
def test_decryption_with_wrong_inputs():
key = AES128Key(b"\x00" * 16)
nonce = Nonce(b"\x11" * 12)
plain_text = b"\x33" * 5
aad = b"\x44" * 5
cipher_text = aesgcm_encrypt(key, nonce, plain_text, aad)
assert aesgcm_decrypt(key, nonce, cipher_text, aad) == plain_text
with pytest.raises(ValidationError):
aesgcm_decrypt(b"", nonce, cipher_text, aad)
with pytest.raises(ValidationError):
aesgcm_decrypt(key, b"", cipher_text, aad)
with pytest.raises(DecryptionError):
aesgcm_decrypt(key, nonce, b"", aad)
with pytest.raises(DecryptionError):
aesgcm_decrypt(key, nonce, cipher_text, b"")
def prepare(
cls,
*,
aes_gcm_nonce: Nonce,
initiator_key: AES128Key,
message: BaseMessage,
auth_data: TAuthData,
dest_node_id: NodeID,
protocol_id: bytes = PROTOCOL_ID,
iv: Optional[bytes] = None,
) -> "Packet[TAuthData]":
if iv is None:
iv = secrets.token_bytes(16)
auth_data_bytes = auth_data.to_wire_bytes()
auth_data_size = len(auth_data_bytes)
header = Header(
protocol_id,
PACKET_VERSION_1,
auth_data.flag,
aes_gcm_nonce,
auth_data_size,
)
authenticated_data = b"".join((
iv,
header.to_wire_bytes(),
auth_data_bytes,
))
# encrypted empty bytestring results in a bytestring,
# which we don't want if message is supposed to be empty
if type(message) is EmptyMessage:
message_cipher_text = b""
else:
message_cipher_text = aesgcm_encrypt(
key=initiator_key,
nonce=aes_gcm_nonce,
plain_text=message.to_bytes(),
authenticated_data=authenticated_data,
)
return cls(
iv=iv,
header=header,
auth_data=auth_data,
message_cipher_text=message_cipher_text,
dest_node_id=dest_node_id,
)
def compute_encrypted_auth_response(
auth_response_key: AES128Key, id_nonce_signature: bytes, enr: Optional[ENRAPI]
) -> bytes:
if enr:
plain_text_auth_response = rlp.encode(
[AUTH_RESPONSE_VERSION, id_nonce_signature, enr]
)
else:
plain_text_auth_response = rlp.encode(
[AUTH_RESPONSE_VERSION, id_nonce_signature, []]
)
encrypted_auth_response = aesgcm_encrypt(
key=auth_response_key,
nonce=ZERO_NONCE,
plain_text=plain_text_auth_response,
authenticated_data=b"",
)
return encrypted_auth_response
def test_encryption_official(key, nonce, plain_text, aad, cipher_text):
encrypted = aesgcm_encrypt(key, nonce, plain_text, aad)
assert encrypted == cipher_text
assert aesgcm_decrypt(key, nonce, cipher_text, aad) == plain_text
def test_roundtrip(key, nonce, plain_text, aad):
cipher_text = aesgcm_encrypt(key, nonce, plain_text, aad)
plain_text_recovered = aesgcm_decrypt(key, nonce, cipher_text, aad)
assert plain_text_recovered == plain_text