From 165743ee63d05b343bf7e6b6b0afe0c23be71ca2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 16 Jul 2017 17:34:42 +0200 Subject: move tag_length to the AESCCM constructor (#3783) * move tag_length to the AESCCM constructor * review feedback --- docs/hazmat/primitives/aead.rst | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'docs/hazmat/primitives/aead.rst') diff --git a/docs/hazmat/primitives/aead.rst b/docs/hazmat/primitives/aead.rst index 94b08f0a..6b13edc1 100644 --- a/docs/hazmat/primitives/aead.rst +++ b/docs/hazmat/primitives/aead.rst @@ -78,7 +78,7 @@ also support providing integrity for associated data which is not encrypted. when the ciphertext has been changed, but will also occur when the key, nonce, or associated data are wrong. -.. class:: AESCCM(key) +.. class:: AESCCM(key, tag_length=16) .. versionadded:: 2.0 @@ -93,6 +93,10 @@ also support providing integrity for associated data which is not encrypted. cipher utilizing Counter with CBC-MAC (CCM) (specified in :rfc:`3610`). :param bytes key: A 128, 192, or 256-bit key. This **must** be kept secret. + :param int tag_length: The length of the authentication tag. This + defaults to 16 bytes and it is **strongly** recommended that you + do not make it shorter unless absolutely necessary. Valid tag + lengths are 4, 6, 8, 12, 14, and 16. :raises cryptography.exceptions.UnsupportedAlgorithm: If the version of OpenSSL does not support AES-CCM. @@ -119,7 +123,7 @@ also support providing integrity for associated data which is not encrypted. :returns bytes: The generated key. - .. method:: encrypt(nonce, data, associated_data, tag_length=16) + .. method:: encrypt(nonce, data, associated_data) .. warning:: 
@@ -138,13 +142,9 @@ also support providing integrity for associated data which is not encrypted. :param bytes data: The data to encrypt. :param bytes associated_data: Additional data that should be authenticated with the key, but is not encrypted. Can be ``None``. - :param int tag_length: The length of the authentication tag. This - defaults to 16 bytes and it is **strongly** recommended that you - do not make it shorter unless absolutely necessary. Valid tag - lengths are 4, 6, 8, 12, 14, and 16. :returns bytes: The ciphertext bytes with the tag appended. - .. method:: decrypt(nonce, data, associated_data, tag_length=16) + .. method:: decrypt(nonce, data, associated_data) Decrypts the ``data`` and authenticates the ``associated_data``. If you called encrypt with ``associated_data`` you must pass the same @@ -156,10 +156,6 @@ also support providing integrity for associated data which is not encrypted. :param bytes data: The data to decrypt (with tag appended). :param bytes associated_data: Additional data to authenticate. Can be ``None`` if none was passed during encryption. - :param int tag_length: The length of the authentication tag. This - defaults to 16 bytes. You only need to change this if your existing - ciphertext has a shorter tag. Valid tag lengths are 4, 6, 8, 12, - 14, and 16. :returns bytes: The original plaintext. :raises cryptography.exceptions.InvalidTag: If the authentication tag doesn't validate this exception will be raised. This will occur -- cgit v1.2.3
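
Review bot: In the `@@ -93,6 +93,10 @@` hunk, the new constructor entry `:param int tag_length:` carries over only the encrypt-side wording, so the guidance the old decrypt entry gave ("You only need to change this if your existing ciphertext has a shorter tag") disappears from the docs entirely. Because the length is now fixed per instance, suggest adding a sentence here saying that the object used to decrypt must be constructed with the same `tag_length` that was used to encrypt, and that one instance handles only that tag length. The entry also lists the valid values (4, 6, 8, 12, 14, and 16) without saying what happens for any other value; if the constructor rejects them, a `:raises` line next to the existing `UnsupportedAlgorithm` one should document it.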
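
Review bot: The signature change at `.. method:: encrypt(nonce, data, associated_data)` in the `@@ -119,7 +123,7 @@` hunk, and the matching `decrypt` change further down, removes a keyword argument without any `versionchanged` note or migration hint. The class is marked `.. versionadded:: 2.0`, so this is fine if that version has not been released yet; otherwise the docs should tell callers who pass `tag_length=` to `encrypt` or `decrypt` to move it to `AESCCM(key, tag_length=...)`.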
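
Review bot: In the `@@ -156,10 +156,6 @@` hunk, removing `tag_length` from `decrypt` leaves `:param bytes data: The data to decrypt (with tag appended).` with nothing that says how long the appended tag is expected to be. Suggest pointing that line at the constructor's `tag_length`, and extending the `:raises cryptography.exceptions.InvalidTag:` description so that a tag length different from the one used at encryption time is listed among the causes, alongside a changed ciphertext or wrong key, nonce, or associated data.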