disallow implicit tag truncation with finalize_with_tag (#4342)

author: Paul Kehrer <paul.l.kehrer@gmail.com> 2018-07-17 21:49:03 +0800
committer: Alex Gaynor <alex.gaynor@gmail.com> 2018-07-17 09:49:03 -0400
commit: d4378e42937b56f473ddade2667f919ce32208cb (patch)
tree: f2374c70935a8b64e3b13d2d89314675d71cdeee /src/cryptography/hazmat/backends/openssl/ciphers.py
parent: c574e7554c7aa27c56f6478258a4e18f79457652 (diff)
download: cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.gz
cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.bz2
cryptography-d4378e42937b56f473ddade2667f919ce32208cb.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 462ffea2..e0ee06ee 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -199,6 +199,11 @@ class _CipherContext(object):
                 "finalize_with_tag requires OpenSSL >= 1.0.2. To use this "
                 "method please update OpenSSL"
             )
+        if len(tag) < self._mode._min_tag_length:
+            raise ValueError(
+                "Authentication tag must be {0} bytes or longer.".format(
+                    self._mode._min_tag_length)
+            )
         res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
             self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG,
             len(tag), tag
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2018-07-17 21:49:03 +0800
committer	Alex Gaynor <alex.gaynor@gmail.com>	2018-07-17 09:49:03 -0400
commit	d4378e42937b56f473ddade2667f919ce32208cb (patch)
tree	f2374c70935a8b64e3b13d2d89314675d71cdeee /src/cryptography/hazmat/backends/openssl/ciphers.py
parent	c574e7554c7aa27c56f6478258a4e18f79457652 (diff)
download	cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.gz cryptography-d4378e42937b56f473ddade2667f919ce32208cb.tar.bz2 cryptography-d4378e42937b56f473ddade2667f919ce32208cb.zip