support bytes-like keys in CMAC and HMAC contexts (#4701)

5 files changed, 29 insertions, 3 deletions

diff --git a/docs/hazmat/primitives/mac/hmac.rst b/docs/hazmat/primitives/mac/hmac.rst
index c605e58c..4c2f21c8 100644
--- a/docs/hazmat/primitives/mac/hmac.rst
+++ b/docs/hazmat/primitives/mac/hmac.rst
@@ -54,7 +54,8 @@ of a message.
         ...
         cryptography.exceptions.InvalidSignature: Signature did not match digest.
 
-    :param bytes key: Secret key as ``bytes``.
+    :param key: Secret key as ``bytes``.
+    :type key: :term:`bytes-like`
     :param algorithm: An
         :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
         instance such as those described in
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
index e20f66d3..bc88f336 100644
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -36,8 +36,9 @@ class _CMACContext(object):
             self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
             ctx = self._backend._ffi.gc(ctx, self._backend._lib.CMAC_CTX_free)
 
+            key_ptr = self._backend._ffi.from_buffer(self._key)
             res = self._backend._lib.CMAC_Init(
-                ctx, self._key, len(self._key),
+                ctx, key_ptr, len(self._key),
                 evp_cipher, self._backend._ffi.NULL
             )
             self._backend.openssl_assert(res == 1)
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
index 99c43f2a..b606e111 100644
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -32,8 +32,9 @@ class _HMACContext(object):
                         algorithm.name),
                     _Reasons.UNSUPPORTED_HASH
                 )
+            key_ptr = self._backend._ffi.from_buffer(key)
             res = self._backend._lib.HMAC_Init_ex(
-                ctx, key, len(key), evp_md, self._backend._ffi.NULL
+                ctx, key_ptr, len(key), evp_md, self._backend._ffi.NULL
             )
             self._backend.openssl_assert(res != 0)
 
diff --git a/tests/hazmat/primitives/test_cmac.py b/tests/hazmat/primitives/test_cmac.py
index 2ca05d6d..e319396d 100644
--- a/tests/hazmat/primitives/test_cmac.py
+++ b/tests/hazmat/primitives/test_cmac.py
@@ -183,6 +183,19 @@ class TestCMAC(object):
         copy_cmac = cmac.copy()
         assert cmac.finalize() == copy_cmac.finalize()
 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.cmac_algorithm_supported(
+            AES(fake_key)),
+        skip_message="Does not support CMAC."
+    )
+    def test_buffer_protocol(self, backend):
+        key = bytearray(b"2b7e151628aed2a6abf7158809cf4f3c")
+        cmac = CMAC(AES(key), backend)
+        cmac.update(b"6bc1bee22e409f96e93d7e117393172a")
+        assert cmac.finalize() == binascii.unhexlify(
+            b"a21e6e647bfeaf5ca0a5e1bcd957dfad"
+        )
+
 
 def test_invalid_backend():
     key = b"2b7e151628aed2a6abf7158809cf4f3c"
diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py
index 50aa9cc2..b6d18ff1 100644
--- a/tests/hazmat/primitives/test_hmac.py
+++ b/tests/hazmat/primitives/test_hmac.py
@@ -4,6 +4,8 @@
 
 from __future__ import absolute_import, division, print_function
 
+import binascii
+
 import pytest
 
 from cryptography.exceptions import (
@@ -79,6 +81,14 @@ class TestHMAC(object):
         with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
             hmac.HMAC(b"key", DummyHashAlgorithm(), backend)
 
+    def test_buffer_protocol(self, backend):
+        key = bytearray(b"2b7e151628aed2a6abf7158809cf4f3c")
+        h = hmac.HMAC(key, hashes.SHA256(), backend)
+        h.update(b"6bc1bee22e409f96e93d7e117393172a")
+        assert h.finalize() == binascii.unhexlify(
+            b"a1bf7169c56a501c6585190ff4f07cad6e492a3ee187c0372614fb444b9fc3f0"
+        )
+
 
 def test_invalid_backend():
     pretend_backend = object()