diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2013-12-21 17:25:19 -0600 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2013-12-21 17:25:19 -0600 |
| commit | f7b4ede584f5612546a07eb085eb5672629dcb96 (patch) | |
| tree | 25f06581d0f52b436b1d287806b341c12077d7a4 /cryptography | |
| parent | 4447e5a72c6c5d4f3f8fc27711e094540d66ef67 (diff) | |
| download | cryptography-f7b4ede584f5612546a07eb085eb5672629dcb96.tar.gz cryptography-f7b4ede584f5612546a07eb085eb5672629dcb96.tar.bz2 cryptography-f7b4ede584f5612546a07eb085eb5672629dcb96.zip | |
restrict gcm tags to a minimum of 4 bytes in length
Diffstat (limited to 'cryptography')
| -rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 5b7cb3de..559ace7e 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -319,9 +319,9 @@ class _CipherContext(object): ) assert res != 0 if operation == self._DECRYPT: - if not mode.tag: - raise ValueError("Authentication tag must be supplied " - "when decrypting") + if not mode.tag or len(mode.tag) < 4: + raise ValueError("Authentication tag must be provided " + "and >= 4 bytes when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag |