diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2014-09-12 15:03:32 -0500 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2014-09-12 15:03:32 -0500 |
| commit | 9a11c00b464225f4aa3e761e103930c6b8b9115b (patch) | |
| tree | a68a49de22df129916c4d8b303c8599724b9cacf /cryptography | |
| parent | c48abb09571f7ade75612c8f254ca76df41ac80d (diff) | |
| download | cryptography-9a11c00b464225f4aa3e761e103930c6b8b9115b.tar.gz cryptography-9a11c00b464225f4aa3e761e103930c6b8b9115b.tar.bz2 cryptography-9a11c00b464225f4aa3e761e103930c6b8b9115b.zip | |
resolve GCM tag issue with AAD only on OpenSSL 1.0.1 in Ubuntu 12.04
Diffstat (limited to 'cryptography')
| -rw-r--r-- | cryptography/hazmat/backends/openssl/ciphers.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/cryptography/hazmat/backends/openssl/ciphers.py b/cryptography/hazmat/backends/openssl/ciphers.py index c3a5499a..d37bb014 100644 --- a/cryptography/hazmat/backends/openssl/ciphers.py +++ b/cryptography/hazmat/backends/openssl/ciphers.py @@ -128,6 +128,14 @@ class _CipherContext(object): return self._backend._ffi.buffer(buf)[:outlen[0]] def finalize(self): + # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions) + # appears to have a bug where you must make at least one call to update + # even if you are only using authenticate_additional_data or the + # GCM tag will be wrong. An (empty) call to update resolves this + # and is harmless for all other versions of OpenSSL. + if isinstance(self._mode, GCM): + self.update(b"") + buf = self._backend._ffi.new("unsigned char[]", self._block_size) outlen = self._backend._ffi.new("int *") res = self._backend._lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) |