jmg
/
lora-irrigation


			
				
					
						
						
							
							"""
An example implementation of STROBE.  Doesn't include the key tree.

Copyright (c) Mike Hamburg, Cryptography Research, 2016.

I will need to contact legal to get a license for this; in the mean time it is
for example purposes only.
"""

from __future__ import absolute_import
from Strobe.Keccak import KeccakF

class AuthenticationFailed(Exception):
    """Thrown when a MAC fails."""
    pass

I,A,C,T,M,K = 1<<0, 1<<1, 1<<2, 1<<3, 1<<4, 1<<5
   
class Strobe(object):
    def __init__(self, proto, F = KeccakF(1600), security = 128, copy_of=None, doInit=True):
        if copy_of is None:
            self.pos = self.posbegin = 0
            self.I0 = None
            self.F  = F
            self.R  = F.nbytes - security//4

            # Domain separation doesn't use Strobe padding
            self.initialized = False
            self.st = bytearray(F.nbytes)
            domain = bytearray([1,self.R,1,0,1,12*8]) \
                   + bytearray(b"STROBEv1.0.2")
            if doInit: self._duplex(domain, forceF=True)
    
            # cSHAKE separation is done.
            # Turn on Strobe padding and do per-proto separation
            self.R -= 2
            self.initialized = True
            if doInit: self.operate(A|M, proto)
            
        else:
            self.R,self.pos,self.posbegin,self.I0,self.F = \
                (copy_of.R,copy_of.pos,copy_of.posbegin,copy_of.I0,
                 copy_of.F.copy())
            self.st = bytearray(copy_of.st)
            self.initialized = True
    
    def copy(self): return Strobe(None,copy_of=self)
    def deepcopy(self): return self.copy()
    def set_state_from(self, obj):
        self.R,self.pos,self.posbegin,self.I0,self.F = \
            (obj.R,obj.pos,obj.posbegin,obj.I0,
             obj.F.copy())
        self.st = bytearray(obj.st)
        self.initialized = True
 
    def _runF(self):
        if self.initialized:
            self.st[self.pos]   ^= self.posbegin
            self.st[self.pos+1] ^= 0x04
            self.st[self.R+1]   ^= 0x80
        self.st  = self.F(self.st)
        self.pos = self.posbegin = 0

    def _duplex(self, data, cbefore=False, cafter=False, forceF=False):
        assert not (cbefore and cafter)
    
        # Copy data, and convert string or int to bytearray
        # This converts an integer n to an array of n zeros
        data = bytearray(data)

        for i in range(len(data)):
            if cbefore: data[i] ^= self.st[self.pos]
            self.st[self.pos]   ^= data[i]
            if cafter:  data[i]  = self.st[self.pos]
        
            self.pos += 1
            if self.pos == self.R: self._runF()
    
        if forceF and self.pos != 0: self._runF()
        return data
          
    def _beginOp(self, flags):
        # Adjust direction information so that sender and receiver agree
        if flags & T:
            if self.I0 is None: self.I0 = flags & I
            flags ^= self.I0

        # Update posbegin
        oldbegin, self.posbegin = self.posbegin, self.pos+1
    
        self._duplex([oldbegin,flags], forceF = flags&(C|K))
    
    def operate(self, flags, data, more=False, meta_flags=A|M, metadata=None):
        """
        STROBE main duplexing mode.
        
        Op is a byte which describes the operating mode, per the STROBE paper.
        
        Data is either a string or bytearray of data, or else a length.  If it
        is given as a length, the data is that many bytes of zeros.
        
        If metadata is not None, first apply the given metadata in the given
        meta_op.
        
        STROBE operations are streamable.  If more is true, this operation
        continues the previous operation.  It therefore ignores metadata and
        doesn't use the beginOp code from the paper.
        
        Certain operations return data.  If an operation returns no data
        (for example, AD and KEY don't return any data), it returns the empty
        byte array.
        
        The meta-operation might also return data.  This is convenient for
        explicit framing (meta_op = 0b11010/0b11011) or encrypted explicit
        framing (meta_op = 0b11110/0b11111)
        
        If the operation is a MAC verification, this function returns the
        empty byte array (plus any metadata returned) on success, and throws
        AuthenticationFailed on failure.
        """
        assert not (flags & (K|1<<6|1<<7)) # Not implemented here
        meta_out = bytearray()
        if more:
            assert flags == self.cur_flags
        else:
            if metadata is not None:
                meta_out = self.operate(meta_flags, metadata)
            self._beginOp(flags)
            self.cur_flags = flags
    
        if (flags & (I|T) != (I|T)) and (flags & (I|A) != A):
            # Operation takes no input
            assert isinstance(data,int)

        # The actual processing code is just duplex
        cafter    = (flags & (C|I|T)) == (C|T)
        cbefore   = (flags & C) and not cafter
        processed = self._duplex(data, cbefore, cafter)
    
        # Determine what to do with the output.
        if (flags & (I|A)) == (I|A):
            # Return data to the application
            return meta_out + processed 
        
        elif (flags & (I|T)) == T:
            # Return data to the transport.
            # A fancier implementation might send it directly.
            return meta_out + processed 
            
        elif (flags & (I|A|T)) == (I|T):
            # Check MAC
            assert not more
            failures = 0
            for byte in processed: failures |= byte
            if failures != 0: raise AuthenticationFailed()
            return meta_out

        else:
            # Operation has no output data, but maybe output metadata
            return meta_out

    def ad      (self,data,   **kw): return self.operate(0b0010,data,**kw)
    def key     (self,data,   **kw): return self.operate(0b0110,data,**kw)
    def prf     (self,data,   **kw): return self.operate(0b0111,data,**kw)
    def send_clr(self,data,   **kw): return self.operate(0b1010,data,**kw)
    def recv_clr(self,data,   **kw): return self.operate(0b1011,data,**kw)
    def send_enc(self,data,   **kw): return self.operate(0b1110,data,**kw)
    def recv_enc(self,data,   **kw): return self.operate(0b1111,data,**kw)
    def send_mac(self,data=16,**kw): return self.operate(0b1100,data,**kw)
    def recv_mac(self,data   ,**kw): return self.operate(0b1101,data,**kw)
    def ratchet (self,data=32,**kw): return self.operate(0b0100,data,**kw)