| From 688e0f673bfbf43fa898994326c6877f00ab19ef Mon Sep 17 00:00:00 2001 |
| From: Paul Kehrer <paul.l.kehrer@gmail.com> |
| Date: Tue, 17 Jul 2018 10:47:57 +0800 |
| Subject: [PATCH] disallow implicit tag truncation with finalize_with_tag |
| |
| --- |
| docs/hazmat/primitives/symmetric-encryption.rst | 1 + |
| src/cryptography/hazmat/backends/openssl/ciphers.py | 5 +++++ |
| src/cryptography/hazmat/primitives/ciphers/modes.py | 1 + |
| tests/hazmat/primitives/test_aes.py | 16 ++++++++++++++++ |
| 5 files changed, 28 insertions(+) |
| |
| diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst |
| index 5ebcca754..5b6000902 100644 |
| --- a/docs/hazmat/primitives/symmetric-encryption.rst |
| +++ b/docs/hazmat/primitives/symmetric-encryption.rst |
| @@ -670,6 +670,7 @@ Interfaces |
| :raises ValueError: This is raised when the data provided isn't |
| a multiple of the algorithm's block size, if ``min_tag_length`` is |
| less than 4, or if ``len(tag) < min_tag_length``. |
| + ``min_tag_length`` is an argument to the ``GCM`` constructor. |
| :raises NotImplementedError: This is raised if the version of the |
| OpenSSL backend used is 1.0.1 or earlier. |
| |
| diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py |
| index 462ffea25..e0ee06ee2 100644 |
| --- a/src/cryptography/hazmat/backends/openssl/ciphers.py |
| +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py |
| @@ -199,6 +199,11 @@ def finalize_with_tag(self, tag): |
| "finalize_with_tag requires OpenSSL >= 1.0.2. To use this " |
| "method please update OpenSSL" |
| ) |
| + if len(tag) < self._mode._min_tag_length: |
| + raise ValueError( |
| + "Authentication tag must be {0} bytes or longer.".format( |
| + self._mode._min_tag_length) |
| + ) |
| res = self._backend._lib.EVP_CIPHER_CTX_ctrl( |
| self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG, |
| len(tag), tag |
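Review bot: The new length guard in `finalize_with_tag` has no comment explaining why it exists, and the reason is security-relevant. Without it, the length passed to `EVP_CTRL_AEAD_SET_TAG` is whatever the caller supplies, so a short tag would presumably be verified only over its own length, weakening forgery resistance below what `min_tag_length` promises. I would add above the `if` a comment such as `# Reject short tags: OpenSSL would otherwise compare only len(tag) bytes (implicit truncation).` The message could also report the supplied length, e.g. `"Authentication tag must be {0} bytes or longer (got {1}).".format(self._mode._min_tag_length, len(tag))`. The function starts and ends outside this hunk, so it is not visible here whether `tag` is type-checked before `len(tag)` is evaluated.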
| diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py |
| index 598dfaa4a..543015fef 100644 |
| --- a/src/cryptography/hazmat/primitives/ciphers/modes.py |
| +++ b/src/cryptography/hazmat/primitives/ciphers/modes.py |
| @@ -220,6 +220,7 @@ def __init__(self, initialization_vector, tag=None, min_tag_length=16): |
| min_tag_length) |
| ) |
| self._tag = tag |
| + self._min_tag_length = min_tag_length |
| |
| tag = utils.read_only_property("_tag") |
| initialization_vector = utils.read_only_property("_initialization_vector") |
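Review bot: `_min_tag_length` is stored as a private attribute with no accessor, yet the ciphers.py hunk reads it from another module as `self._mode._min_tag_length`. The two attributes just below are exposed through `utils.read_only_property`, so the new one is the odd one out. If a public property is not wanted, a short comment at the assignment such as `# read by the OpenSSL backend in finalize_with_tag to reject truncated tags` would record the cross-module dependency. Otherwise `min_tag_length = utils.read_only_property("_min_tag_length")` keeps the pattern consistent. `__init__` begins outside the hunk, so the validation of `min_tag_length` itself is only partly visible.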
| diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py |
| index d6f83ebc2..4ceccf155 100644 |
| --- a/tests/hazmat/primitives/test_aes.py |
| +++ b/tests/hazmat/primitives/test_aes.py |
| @@ -439,3 +439,19 @@ def test_gcm_tag_decrypt_finalize(self, backend): |
| decryptor.finalize() |
| else: |
| decryptor.finalize_with_tag(tag) |
| + |
| + @pytest.mark.supported( |
| + only_if=lambda backend: ( |
| + not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 or |
| + backend._lib.CRYPTOGRAPHY_IS_LIBRESSL |
| + ), |
| + skip_message="Not supported on OpenSSL 1.0.1", |
| + ) |
| + def test_gcm_tag_decrypt_finalize_tag_length(self, backend): |
| + decryptor = base.Cipher( |
| + algorithms.AES(b"0" * 16), |
| + modes.GCM(b"0" * 12), |
| + backend=backend |
| + ).decryptor() |
| + with pytest.raises(ValueError): |
| + decryptor.finalize_with_tag(b"tagtooshort") |
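Review bot: The new test exercises only one point well below the default limit (an 11-byte tag against `min_tag_length=16`), so an off-by-one in the comparison or a guard hard-coded to 16 would still pass. I would add a case with a non-default limit, e.g. `modes.GCM(b"0" * 12, min_tag_length=8)` followed by `decryptor.finalize_with_tag(b"0" * 7)` under `pytest.raises(ValueError)`. A companion case should check that a tag of exactly the minimum length gets past the length check, presumably failing later with an invalid-tag error rather than `ValueError`. A comment on the test stating that it guards against implicit tag truncation would also help, since `pytest.raises(ValueError)` alone does not say which check is expected to fire.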