diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2013-12-21 17:29:02 -0800 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2013-12-21 17:29:02 -0800 |
| commit | 8eda240d0e055e16c26021de2624eb7fab1ccb47 (patch) | |
| tree | 9cf1f4c95e35b3e4191cb85667c1d83af6909098 | |
| parent | 9b7624e3cd4d19cae38bc8f05eea7b6164445453 (diff) | |
| parent | 048d6cb43a0757f3b4cca385e788d30173ebcb17 (diff) | |
| download | cryptography-8eda240d0e055e16c26021de2624eb7fab1ccb47.tar.gz cryptography-8eda240d0e055e16c26021de2624eb7fab1ccb47.tar.bz2 cryptography-8eda240d0e055e16c26021de2624eb7fab1ccb47.zip | |
Merge pull request #327 from reaperhulk/gcm-lower-limit-tag
Restrict GCM tag length to 4+ bytes
| -rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 6 | ||||
| -rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 11 | ||||
| -rw-r--r-- | tests/hazmat/primitives/utils.py | 7 |
3 files changed, 21 insertions, 3 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index b9e8b896..bd3eee20 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -319,9 +319,9 @@ class _CipherContext(object): ) assert res != 0 if operation == self._DECRYPT: - if not mode.tag: - raise ValueError("Authentication tag must be supplied " - "when decrypting") + if not mode.tag or len(mode.tag) < 4: + raise ValueError("Authentication tag must be provided and " + "be 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index f4d0457a..6e3c1024 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -352,6 +352,16 @@ Modes Do not reuse an ``initialization_vector`` with a given ``key``. + .. note:: + + Cryptography will emit a 128-bit tag when finalizing encryption. + You can shorten a tag by truncating it to the desired length, but this + is **not recommended** as it lowers the security margins of the + authentication (`NIST SP-800-38D`_ recommends 96-bits or greater). + If you must shorten the tag the minimum allowed length is 4 bytes + (32-bits). Applications **must** verify the tag is the expected length + to guarantee the expected security margin. + :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. @@ -390,3 +400,4 @@ Insecure Modes .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html .. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf +.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 227a4055..b00d3184 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -363,6 +363,13 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory, cipher.decryptor() cipher = Cipher( cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"000"), + backend + ) + with pytest.raises(ValueError): + cipher.decryptor() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), backend ) |