From f8952226bc46341ba56744e06645b488735793d4 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Tue, 17 Jul 2018 23:09:02 +0800
Subject: [PATCH 1/2] also check iv length for GCM nonce in AEAD

---
 src/cryptography/hazmat/primitives/ciphers/aead.py | 2 ++
 tests/hazmat/primitives/test_aead.py | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py
index 9794d7682abc..e5197653fb93 100644
--- a/src/cryptography/hazmat/primitives/ciphers/aead.py
+++ b/src/cryptography/hazmat/primitives/ciphers/aead.py
@@ -184,3 +184,5 @@ def _check_params(self, nonce, data, associated_data):
 utils._check_bytes("nonce", nonce)
 utils._check_bytes("data", data)
 utils._check_bytes("associated_data", associated_data)
+ if len(nonce) == 0:
+ raise ValueError("Nonce must be at least 1 byte")
diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py
index a0cc79e1439b..6de2f492e666 100644
--- a/tests/hazmat/primitives/test_aead.py
+++ b/tests/hazmat/primitives/test_aead.py
@@ -383,6 +383,12 @@ def test_params_not_bytes(self, nonce, data, associated_data, backend):
 with pytest.raises(TypeError):
 aesgcm.decrypt(nonce, data, associated_data)

+ def test_invalid_nonce_length(self, backend):
+ key = AESGCM.generate_key(128)
+ aesccm = AESGCM(key)
+ with pytest.raises(ValueError):
+ aesccm.encrypt(b"", b"hi", None)
+
 def test_bad_key(self, backend):
 with pytest.raises(TypeError):
 AESGCM(object())
From 1e32c929d0437014091046793b7fefc24aa8a12e Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Tue, 17 Jul 2018 23:10:24 +0800
Subject: [PATCH 2/2] ugh

---
 tests/hazmat/primitives/test_aead.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py
index 6de2f492e666..5a5185583972 100644
--- a/tests/hazmat/primitives/test_aead.py
+++ b/tests/hazmat/primitives/test_aead.py
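Review bot: The new guard at the end of `_check_params` rejects only an empty nonce, so a 1-byte nonce still passes even though it allows just 256 distinct values per key. Repeating a GCM nonce under one key undermines both the confidentiality and the integrity guarantee of the mode. I would document the reason for the check and the recommended size next to it, e.g. `# GCM requires a non-empty IV; 96-bit (12-byte) nonces are the size recommended by NIST SP 800-38D`, and consider whether a higher minimum is acceptable for compatibility. The function's `def` line appears only in the hunk header, so the rest of its body is outside this hunk.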
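Review bot: `test_invalid_nonce_length` exercises only `encrypt`, so the empty-nonce rejection is untested on the `decrypt` path. The hunk does not show whether `decrypt` routes through `_check_params`, which is what a second assertion would pin down. I would add `with pytest.raises(ValueError):` followed by `aesgcm.decrypt(b"", b"hi", None)` to the same test (the object is still named `aesccm` in this hunk and is renamed by the follow-up patch).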
@@ -385,9 +385,9 @@ def test_params_not_bytes(self, nonce, data, associated_data, backend):

 def test_invalid_nonce_length(self, backend):
 key = AESGCM.generate_key(128)
- aesccm = AESGCM(key)
+ aesgcm = AESGCM(key)
 with pytest.raises(ValueError):
- aesccm.encrypt(b"", b"hi", None)
+ aesgcm.encrypt(b"", b"hi", None)

 def test_bad_key(self, backend):
 with pytest.raises(TypeError):