diff options
| author | Terry Chia <terrycwk1994@gmail.com> | 2016-09-03 07:57:45 +0800 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2016-09-02 19:57:45 -0400 |
| commit | a2d0da9bcd7b5660b5038c79b7168d6fb645971f (patch) | |
| tree | fc281bf52c97116c9fc8bce7c43e06b25ef71538 | |
| parent | 8bd420513e3a1f8594079889a5ca8f5d12fd00a6 (diff) | |
| download | cryptography-a2d0da9bcd7b5660b5038c79b7168d6fb645971f.tar.gz cryptography-a2d0da9bcd7b5660b5038c79b7168d6fb645971f.tar.bz2 cryptography-a2d0da9bcd7b5660b5038c79b7168d6fb645971f.zip | |
Add bounds checking for Scrypt parameters. (#3130)
* Add bounds checking for Scrypt parameters.
* Pep8.
* More PEP8.
* Change wording.
| -rw-r--r-- | docs/hazmat/primitives/key-derivation-functions.rst | 3 | ||||
| -rw-r--r-- | src/cryptography/hazmat/primitives/kdf/scrypt.py | 10 | ||||
| -rw-r--r-- | tests/hazmat/primitives/test_scrypt.py | 17 |
3 files changed, 30 insertions, 0 deletions
diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 03260c06..511708d6 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -805,6 +805,9 @@ Different KDFs are suitable for different tasks such as: :class:`~cryptography.hazmat.backends.interfaces.ScryptBackend` :raises TypeError: This exception is raised if ``salt`` is not ``bytes``. + :raises ValueError: This exception is raised if ``n`` is less than 2, if + ``n`` is not a power of 2, if ``r`` is less than 1 or if ``p`` is less + than 1. .. method:: derive(key_material) diff --git a/src/cryptography/hazmat/primitives/kdf/scrypt.py b/src/cryptography/hazmat/primitives/kdf/scrypt.py index 09181d97..20935409 100644 --- a/src/cryptography/hazmat/primitives/kdf/scrypt.py +++ b/src/cryptography/hazmat/primitives/kdf/scrypt.py @@ -25,6 +25,16 @@ class Scrypt(object): self._length = length if not isinstance(salt, bytes): raise TypeError("salt must be bytes.") + + if n < 2 or (n & (n - 1)) != 0: + raise ValueError("n must be greater than 1 and be a power of 2.") + + if r < 1: + raise ValueError("r must be greater than or equal to 1.") + + if p < 1: + raise ValueError("p must be greater than or equal to 1.") + self._used = False self._salt = salt self._n = n diff --git a/tests/hazmat/primitives/test_scrypt.py b/tests/hazmat/primitives/test_scrypt.py index de4100e3..49b304e0 100644 --- a/tests/hazmat/primitives/test_scrypt.py +++ b/tests/hazmat/primitives/test_scrypt.py @@ -117,3 +117,20 @@ class TestScrypt(object): scrypt.derive(password) with pytest.raises(AlreadyFinalized): scrypt.derive(password) + + def test_invalid_n(self, backend): + # n is less than 2 + with pytest.raises(ValueError): + Scrypt(b"NaCl", 64, 1, 8, 16, backend) + + # n is not a power of 2 + with pytest.raises(ValueError): + Scrypt(b"NaCl", 64, 3, 8, 16, backend) + + def test_invalid_r(self, backend): + with pytest.raises(ValueError): + Scrypt(b"NaCl", 64, 2, 0, 16, backend) + + def test_invalid_p(self, backend): + with pytest.raises(ValueError): + Scrypt(b"NaCl", 64, 2, 8, 0, backend) |