disallow implicit tag truncation with finalize_with_tag (#4342)

author: Paul Kehrer <paul.l.kehrer@gmail.com> 2018-07-17 21:49:03 +0800
committer: Alex Gaynor <alex.gaynor@gmail.com> 2018-07-17 09:49:03 -0400
commit: d4378e42937b56f473ddade2667f919ce32208cb (patch)
tree: f2374c70935a8b64e3b13d2d89314675d71cdeee /CHANGELOG.rst
parent: c574e7554c7aa27c56f6478258a4e18f79457652 (diff)
download: cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.gz
cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.bz2
cryptography-d4378e42937b56f473ddade2667f919ce32208cb.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c8db7e7d..5ac43d0d 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,11 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* **SECURITY ISSUE:**
+  :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
+  allowed tag truncation by default which can allow tag forgery in some cases.
+  The method now enforces the ``min_tag_length`` provided to the
+  :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
 * Added support for Python 3.7.
 * Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
   authenticated timestamp of a :doc:`Fernet </fernet>` token.
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2018-07-17 21:49:03 +0800
committer	Alex Gaynor <alex.gaynor@gmail.com>	2018-07-17 09:49:03 -0400
commit	d4378e42937b56f473ddade2667f919ce32208cb (patch)
tree	f2374c70935a8b64e3b13d2d89314675d71cdeee /CHANGELOG.rst
parent	c574e7554c7aa27c56f6478258a4e18f79457652 (diff)
download	cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.gz cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.bz2 cryptography-d4378e42937b56f473ddade2667f919ce32208cb.zip