Merge pull request #327 from reaperhulk/gcm-lower-limit-tag

Restrict GCM tag length to 4+ bytes
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index b0ea96e..bd3eee2 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -446,7 +446,11 @@
             ctx = self._backend.ffi.gc(ctx, self._backend.lib.HMAC_CTX_cleanup)
             evp_md = self._backend.lib.EVP_get_digestbyname(
                 algorithm.name.encode('ascii'))
-            assert evp_md != self._backend.ffi.NULL
+            if evp_md == self._backend.ffi.NULL:
+                raise UnsupportedAlgorithm(
+                    "{0} is not a supported hash on this backend".format(
+                        algorithm.name)
+                )
             res = self._backend.lib.Cryptography_HMAC_Init_ex(
                 ctx, key, len(key), evp_md, self._backend.ffi.NULL
             )
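Review bot: The context line just above the new NULL check, `algorithm.name.encode('ascii')`, can still fail with a Unicode encoding error for a non-ASCII name, so a caller relying on the documented `UnsupportedAlgorithm` may see a different exception for an unsupported hash. Consider converting that failure to `UnsupportedAlgorithm` as well. The switch away from `assert` deserves a short comment above the `if`, for example `# explicit raise: an assert is stripped under python -O and a NULL evp_md would reach HMAC_Init_ex`. The hunk does not show whether `UnsupportedAlgorithm` is already imported in backend.py, and the enclosing method starts and ends outside the hunk.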
diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst
index 0c0d022..0547b7d 100644
--- a/docs/hazmat/primitives/hmac.rst
+++ b/docs/hazmat/primitives/hmac.rst
@@ -34,6 +34,8 @@
         >>> h.finalize()
         '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
 
+    If the backend doesn't support the requested ``algorithm`` an
+    :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised.
 
     :param key: Secret key as ``bytes``.
     :param algorithm: A
diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py
index 992bcb1..124c437 100644
--- a/tests/hazmat/primitives/test_hmac.py
+++ b/tests/hazmat/primitives/test_hmac.py
@@ -19,12 +19,18 @@
 
 import six
 
-from cryptography.exceptions import AlreadyFinalized
-from cryptography.hazmat.primitives import hashes, hmac
+from cryptography import utils
+from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm
+from cryptography.hazmat.primitives import hashes, hmac, interfaces
 
 from .utils import generate_base_hmac_test
 
 
+@utils.register_interface(interfaces.HashAlgorithm)
+class UnsupportedDummyHash(object):
+        name = "unsupported-dummy-hash"
+
+
 class TestHMAC(object):
     test_copy = generate_base_hmac_test(
         hashes.MD5(),
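Review bot: The class attribute in `UnsupportedDummyHash` is indented eight spaces where the rest of the file uses four; it should read `    name = "unsupported-dummy-hash"`. The dummy defines only `name`, so the test presumably passes because the backend rejects it at the digest lookup before reading any other attribute. A one-line comment on the class would make that dependency explicit, such as `# only name is set: the backend is expected to reject it at digest lookup`. `TestHMAC` continues outside the hunk.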
@@ -63,3 +69,7 @@
 
         with pytest.raises(AlreadyFinalized):
             h.finalize()
+
+    def test_unsupported_hash(self, backend):
+        with pytest.raises(UnsupportedAlgorithm):
+            hmac.HMAC(b"key", UnsupportedDummyHash(), backend)