diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2013-11-24 11:39:14 -0600 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2013-11-29 17:19:46 -0600 |
| commit | 0092c205657789e15848c7848eec768720de468f (patch) | |
| tree | 331ac997c5689fa0b7fc6c962371a7f72a8d826c | |
| parent | 4664108ac1771b694f917b9ef70d358638371c04 (diff) | |
| download | cryptography-0092c205657789e15848c7848eec768720de468f.tar.gz cryptography-0092c205657789e15848c7848eec768720de468f.tar.bz2 cryptography-0092c205657789e15848c7848eec768720de468f.zip | |
raise TypeError if you attempt to get the tag attribute on a decrypt
* To support this the _AEADCipherContext in base.py now needs to be
aware of whether it is encrypting/decrypting
| -rw-r--r-- | cryptography/hazmat/primitives/ciphers/base.py | 14 | ||||
| -rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 1 | ||||
| -rw-r--r-- | tests/hazmat/primitives/utils.py | 9 |
3 files changed, 19 insertions, 5 deletions
diff --git a/cryptography/hazmat/primitives/ciphers/base.py b/cryptography/hazmat/primitives/ciphers/base.py index 3f6ca0fe..252a9feb 100644 --- a/cryptography/hazmat/primitives/ciphers/base.py +++ b/cryptography/hazmat/primitives/ciphers/base.py @@ -33,17 +33,17 @@ class Cipher(object): ctx = self._backend.create_symmetric_encryption_ctx( self.algorithm, self.mode ) - return self._wrap_ctx(ctx) + return self._wrap_ctx(ctx, True) def decryptor(self): ctx = self._backend.create_symmetric_decryption_ctx( self.algorithm, self.mode ) - return self._wrap_ctx(ctx) + return self._wrap_ctx(ctx, False) - def _wrap_ctx(self, ctx): + def _wrap_ctx(self, ctx, encrypt): if isinstance(self.mode, interfaces.ModeWithAAD): - return _AEADCipherContext(ctx) + return _AEADCipherContext(ctx, encrypt) else: return _CipherContext(ctx) @@ -69,10 +69,11 @@ class _CipherContext(object): @utils.register_interface(interfaces.AEADCipherContext) @utils.register_interface(interfaces.CipherContext) class _AEADCipherContext(object): - def __init__(self, ctx): + def __init__(self, ctx, encrypt): self._ctx = ctx self._tag = None self._updated = False + self._encrypt = encrypt def update(self, data): if self._ctx is None: @@ -97,6 +98,9 @@ class _AEADCipherContext(object): @property def tag(self): + if not self._encrypt: + raise TypeError("The tag attribute is unavailable on a " + "decryption context") if self._ctx is not None: raise NotYetFinalized("You must finalize encryption before " "getting the tag") diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index d123d15c..f35357d0 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -139,6 +139,7 @@ an "encrypt-then-MAC" formulation as `described by Colin Percival`_. :return bytes: Returns the tag value as bytes. :raises: :class:`~cryptography.exceptions.NotYetFinalized` if called before the context is finalized. + :raises TypeError: If called on a decryption context. .. _symmetric-encryption-algorithms: diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index b6f9e0f5..58b9a917 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -344,3 +344,12 @@ def aead_exception_test(backend, cipher_factory, mode_factory, encryptor.update(b"b" * 16) with pytest.raises(AlreadyFinalized): encryptor.finalize() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + decryptor = cipher.decryptor() + decryptor.update(b"a" * 16) + with pytest.raises(TypeError): + decryptor.tag |