disallow implicit tag truncation with finalize_with_tag (#4342)

2 files changed, 6 insertions, 0 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 462ffea2..e0ee06ee 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -199,6 +199,11 @@ class _CipherContext(object):
                 "finalize_with_tag requires OpenSSL >= 1.0.2. To use this "
                 "method please update OpenSSL"
             )
+        if len(tag) < self._mode._min_tag_length:
+            raise ValueError(
+                "Authentication tag must be {0} bytes or longer.".format(
+                    self._mode._min_tag_length)
+            )
         res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
             self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG,
             len(tag), tag
diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py
index 598dfaa4..543015fe 100644
--- a/src/cryptography/hazmat/primitives/ciphers/modes.py
+++ b/src/cryptography/hazmat/primitives/ciphers/modes.py
@@ -220,6 +220,7 @@ class GCM(object):
                         min_tag_length)
                 )
         self._tag = tag
+        self._min_tag_length = min_tag_length
 
     tag = utils.read_only_property("_tag")
     initialization_vector = utils.read_only_property("_initialization_vector")