From 86699be866b1ef3390da31f74a63980e4d2b7d99 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 24 Nov 2013 12:17:51 -0600
Subject: narrow the potential cases where invalidtag can be raised
---
 cryptography/hazmat/bindings/openssl/backend.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/cryptography/hazmat/bindings/openssl/backend.py b/cryptography/hazmat/bindings/openssl/backend.py
index 4d9a8ce5..e9ecc800 100644
--- a/cryptography/hazmat/bindings/openssl/backend.py
+++ b/cryptography/hazmat/bindings/openssl/backend.py
@@ -198,10 +198,11 @@ class Backend(object):
 def create_symmetric_decryption_ctx(self, cipher, mode):
 return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
- def _handle_error(self):
+ def _handle_error(self, mode):
 code = self.lib.ERR_get_error()
- if not code:
+ if not code and isinstance(mode, GCM):
 raise InvalidTag
+ assert code != 0
 lib = self.lib.ERR_GET_LIB(code)
 func = self.lib.ERR_GET_FUNC(code)
 reason = self.lib.ERR_GET_REASON(code)
@@ -320,7 +321,7 @@ class _CipherContext(object):
 outlen = self._backend.ffi.new("int *")
 res = self._backend.lib.EVP_CipherFinal_ex(self._ctx, buf, outlen)
 if res == 0:
- self._backend._handle_error()
+ self._backend._handle_error(self._mode)
 if (isinstance(self._mode, GCM) and self._operation == self._ENCRYPT):
--
cgit v1.2.3
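Review bot: The new `assert code != 0` in `_handle_error` is the only guard that keeps a zero error code from reaching `ERR_GET_LIB`, `ERR_GET_FUNC` and `ERR_GET_REASON` when the mode is not GCM, and `assert` statements are removed when Python runs with `-O`. A crypto backend should enforce this invariant in every run mode, so an explicit check is safer: `if code == 0: raise RuntimeError("OpenSSL call failed with an empty error queue")`. The exception type here is only a suggestion; use whichever internal-error type the project prefers. The rest of `_handle_error` lies outside the hunk, so what a zero code would turn into after the three lookups cannot be judged from here.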
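Review bot: The call after `EVP_CipherFinal_ex` passes only `self._mode`, so `_handle_error` cannot tell encryption from decryption. The lines just below the call show that this finalize path also runs for GCM with `self._operation == self._ENCRYPT`. If `EVP_CipherFinal_ex` ever returned 0 with an empty error queue during GCM encryption, the caller would presumably see `InvalidTag` although no tag was verified. Consider passing the operation as well, `self._backend._handle_error(self._mode, self._operation)`, and raising `InvalidTag` only when it equals `_CipherContext._DECRYPT`. The enclosing method starts and ends outside the hunk.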