Add test vectors for ChaCha20 counter overflow (#9221)

facutuesca · web-flow · commit b660044dce45 · 2023-08-17T08:54:35.000-05:00
* Adapt ChaCha20 test vectors to 64-bit counter

* Add ChaCha20 test vectors for counter overflow

These vectors test the behavior during counter overflow. Since
different implementations use different counter sizes (e.g. OpenSSL
uses a 64-bit counter, whereas BoringSSL uses a 32-bit counter),
it's important to ensure that the behavior during counter overflow
is consistent between implementations.

These vectors take into account both 32-bit and 64-bit overflows.
diff --git a/docs/development/custom-vectors/chacha20.rst b/docs/development/custom-vectors/chacha20.rst
@@ -0,0 +1,29 @@
+ChaCha20 vector creation
+========================
+
+This page documents the code that was used to generate the vectors
+to test the counter overflow behavior in ChaCha20 as well as code
+used to verify them against another implementation.
+
+Creation
+--------
+
+The following Python script was run to generate the vector files.
+
+.. literalinclude:: /development/custom-vectors/chacha20/generate_chacha20_overflow.py
+
+Download link: :download:`generate_chacha20_overflow.py
+</development/custom-vectors/chacha20/generate_chacha20_overflow.py>`
+
+
+Verification
+------------
+
+The following Python script was used to verify the vectors. The
+counter overflow is handled manually to avoid relying on the same
+code that generated the vectors.
+
+.. literalinclude:: /development/custom-vectors/chacha20/verify_chacha20_overflow.py
+
+Download link: :download:`verify_chacha20_overflow.py
+</development/custom-vectors/chacha20/verify_chacha20_overflow.py>`
diff --git a/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py b/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py
@@ -0,0 +1,49 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+import binascii
+import struct
+
+from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives.ciphers import algorithms
+
+_N_BLOCKS = [1, 1.5, 2, 2.5, 3]
+_INITIAL_COUNTERS = [2**32 - 1, 2**64 - 1]
+
+
+def _build_vectors():
+    count = 0
+    output = []
+    key = "0" * 64
+    nonce = "0" * 16
+    for blocks in _N_BLOCKS:
+        plaintext = binascii.unhexlify("0" * int(128 * blocks))
+        for counter in _INITIAL_COUNTERS:
+            full_nonce = struct.pack("<Q", counter) + binascii.unhexlify(nonce)
+            cipher = ciphers.Cipher(
+                algorithms.ChaCha20(binascii.unhexlify(key), full_nonce),
+                None,
+            )
+            encryptor = cipher.encryptor()
+            output.append(f"\nCOUNT = {count}")
+            count += 1
+            output.append(f"KEY = {key}")
+            output.append(f"NONCE = {nonce}")
+            output.append(f"INITIAL_BLOCK_COUNTER = {counter}")
+            output.append(f"PLAINTEXT = {binascii.hexlify(plaintext)}")
+            output.append(
+                "CIPHERTEXT = {}".format(
+                    binascii.hexlify(encryptor.update(plaintext))
+                )
+            )
+    return "\n".join(output)
+
+
+def _write_file(data, filename):
+    with open(filename, "w") as f:
+        f.write(data)
+
+
+if __name__ == "__main__":
+    _write_file(_build_vectors(), "counter-overflow.txt")
diff --git a/docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py b/docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py
@@ -0,0 +1,67 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+import binascii
+import math
+import struct
+from pathlib import Path
+
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
+from tests.utils import load_nist_vectors
+
+BLOCK_SIZE = 64
+MAX_COUNTER = 2**64 - 1
+
+
+def encrypt(
+    key: bytes, nonce: bytes, initial_block_counter: int, plaintext: bytes
+) -> bytes:
+    full_nonce = struct.pack("<Q", initial_block_counter) + nonce
+    encryptor = Cipher(
+        algorithms.ChaCha20(key, full_nonce), mode=None
+    ).encryptor()
+
+    plaintext_len_blocks = math.ceil(len(plaintext) / BLOCK_SIZE)
+    blocks_until_overflow = MAX_COUNTER - initial_block_counter + 1
+
+    if plaintext_len_blocks <= blocks_until_overflow:
+        return binascii.hexlify(encryptor.update(plaintext))
+    else:
+        bytes_until_overflow = min(blocks_until_overflow * 64, len(plaintext))
+        first_batch = binascii.hexlify(
+            encryptor.update(plaintext[:bytes_until_overflow])
+        )
+        # We manually handle the overflow by resetting the counter to zero once
+        # we surpass MAX_COUNTER blocks. This way we can check the vectors are
+        # correct without relying on the same logic that generated them.
+        full_nonce = struct.pack("<Q", 0) + nonce
+        encryptor = Cipher(
+            algorithms.ChaCha20(key, full_nonce), mode=None
+        ).encryptor()
+        second_batch = binascii.hexlify(
+            encryptor.update(plaintext[bytes_until_overflow:])
+        )
+        return first_batch + second_batch
+
+
+def verify_vectors(filename: Path):
+    with open(filename) as f:
+        vector_file = f.read().splitlines()
+
+    vectors = load_nist_vectors(vector_file)
+    for vector in vectors:
+        key = binascii.unhexlify(vector["key"])
+        nonce = binascii.unhexlify(vector["nonce"])
+        ibc = int(vector["initial_block_counter"])
+        pt = binascii.unhexlify(vector["plaintext"])
+
+        computed_ct = encrypt(key, nonce, ibc, pt)
+
+        assert computed_ct == vector["ciphertext"]
+
+
+overflow_path = Path(
+    "vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt"
+)
+verify_vectors(overflow_path)
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -951,7 +951,8 @@ Symmetric ciphers
 * CAST5 (ECB) from :rfc:`2144`.
 * CAST5 (CBC, CFB, OFB) generated by this project.
   See: :doc:`/development/custom-vectors/cast5`
-* ChaCha20 from :rfc:`7539`.
+* ChaCha20 from :rfc:`7539` and generated by this project.
+  See: :doc:`/development/custom-vectors/chacha20`
 * ChaCha20Poly1305 from :rfc:`7539`, `OpenSSL's evpciph.txt`_, and the
   `BoringSSL ChaCha20Poly1305 tests`_.
 * IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_.
@@ -993,6 +994,7 @@ Created Vectors
 
     custom-vectors/arc4
     custom-vectors/cast5
+    custom-vectors/chacha20
     custom-vectors/idea
     custom-vectors/seed
     custom-vectors/hkdf
diff --git a/tests/hazmat/primitives/test_chacha20.py b/tests/hazmat/primitives/test_chacha20.py
@@ -26,14 +26,14 @@ class TestChaCha20:
         "vector",
         _load_all_params(
             os.path.join("ciphers", "ChaCha20"),
-            ["rfc7539.txt"],
+            ["counter-overflow.txt", "rfc7539.txt"],
             load_nist_vectors,
         ),
     )
     def test_vectors(self, vector, backend):
         key = binascii.unhexlify(vector["key"])
         nonce = binascii.unhexlify(vector["nonce"])
-        ibc = struct.pack("<i", int(vector["initial_block_counter"]))
+        ibc = struct.pack("<Q", int(vector["initial_block_counter"]))
         pt = binascii.unhexlify(vector["plaintext"])
         encryptor = Cipher(
             algorithms.ChaCha20(key, ibc + nonce), None, backend
diff --git a/vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt b/vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt
@@ -0,0 +1,70 @@
+
+COUNT = 0
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 4294967295
+PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d
+
+COUNT = 1
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 18446744073709551615
+PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b17689
+
+COUNT = 2
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 4294967295
+PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a
+
+COUNT = 3
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 18446744073709551615
+PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7
+
+COUNT = 4
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 4294967295
+PLAINTEXT = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a5819469899989690c281cd17c96159af0682b5b903468a61f50228cf09622b5a
+
+COUNT = 5
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 18446744073709551615
+PLAINTEXT = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586
+
+COUNT = 6
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 4294967295
+PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a5819469899989690c281cd17c96159af0682b5b903468a61f50228cf09622b5a46f0f6efee15c8f1b198cb49d92b990867905159440cc723916dc00128269810
+
+COUNT = 7
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 18446744073709551615
+PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee65869f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed
+
+COUNT = 8
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 4294967295
+PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a5819469899989690c281cd17c96159af0682b5b903468a61f50228cf09622b5a46f0f6efee15c8f1b198cb49d92b990867905159440cc723916dc0012826981039ce1766aa2542b05db3bd809ab142489d5dbfe1273e7399637b4b3213768aaa
+
+COUNT = 9
+KEY = 0000000000000000000000000000000000000000000000000000000000000000
+NONCE = 0000000000000000
+INITIAL_BLOCK_COUNTER = 18446744073709551615
+PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee65869f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f
diff --git a/vectors/cryptography_vectors/ciphers/ChaCha20/rfc7539.txt b/vectors/cryptography_vectors/ciphers/ChaCha20/rfc7539.txt
@@ -1,23 +1,25 @@
 # The vectors are from RFC 7539 Appendix A.2. They are reformatted into NIST
-# form for our vector loaders.
+# form for our vector loaders, and adapted to use a 64/64 bit counter/nonce
+# split (matching our implementation), rather than the 32/96 split defined
+# in the RFC.
 
 COUNT = 0
 KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 000000000000000000000000
+NONCE = 0000000000000000
 INITIAL_BLOCK_COUNTER = 0
 PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 CIPHERTEXT = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586
 
 COUNT = 1
 KEY = 0000000000000000000000000000000000000000000000000000000000000001
-NONCE = 000000000000000000000002
+NONCE = 0000000000000002
 INITIAL_BLOCK_COUNTER = 1
 PLAINTEXT = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f
 CIPHERTEXT = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221
 
 COUNT = 2
 KEY = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
-NONCE = 000000000000000000000002
+NONCE = 0000000000000002
 INITIAL_BLOCK_COUNTER = 42
 PLAINTEXT = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e
 CIPHERTEXT = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1
