check if the ciphers are supported by m2crypto before using them

tlsfuzzer · Jun 7, 2020 · a54e566 · a54e566
1 parent 1bb89a9
commit a54e566
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/tlslite/utils/cryptomath.py b/tlslite/utils/cryptomath.py
@@ -27,9 +27,13 @@
 # **************************************************************************
 
 # Try to load M2Crypto/OpenSSL
+# pylint: disable=invalid-name
 try:
     from M2Crypto import m2
     m2cryptoLoaded = True
+    M2CRYPTO_AES_CTR = False
+    if hasattr(m2, 'aes_192_ctr'):
+        M2CRYPTO_AES_CTR = True
 
     try:
         with open('/proc/sys/crypto/fips_enabled', 'r') as fipsFile:
@@ -39,8 +43,13 @@
         # looks like we're running in container, likely not FIPS mode
         m2cryptoLoaded = True
 
+    # If AES-CBC is not available, don't use m2crypto
+    if not hasattr(m2, 'aes_192_cbc'):
+        m2cryptoLoaded = False
+
 except ImportError:
     m2cryptoLoaded = False
+# pylint: enable=invalid-name
 
 #Try to load GMPY
 try:

diff --git a/tlslite/utils/openssl_aes.py b/tlslite/utils/openssl_aes.py
@@ -5,16 +5,24 @@
 
 from .cryptomath import *
 from .aes import *
+from .python_aes import Python_AES_CTR
 
 if m2cryptoLoaded:
 
     def new(key, mode, IV):
         # IV argument name is a part of the interface
         # pylint: disable=invalid-name
+        """
+        Try using AES CTR from m2crpyto,
+        if it is not available fall back to the
+        python implementation.
+        """
         if mode == 2:
             return OpenSSL_AES(key, mode, IV)
         elif mode == 6:
-            return OpenSSL_CTR(key, mode, IV)
+            if M2CRYPTO_AES_CTR:
+                return OpenSSL_CTR(key, mode, IV)
+            return Python_AES_CTR(key, mode, IV)
         else:
             raise NotImplementedError()