invalidtag exception for gcm
This exception is probably not safe. It depends on the assumption that
if ERR_get_error returns a 0 then it is an AEAD tag error.
diff --git a/cryptography/exceptions.py b/cryptography/exceptions.py
index d56db21..e9d8819 100644
--- a/cryptography/exceptions.py
+++ b/cryptography/exceptions.py
@@ -26,3 +26,7 @@
class NotYetFinalized(Exception):
pass
+
+
+class InvalidTag(Exception):
+ pass
diff --git a/cryptography/hazmat/bindings/openssl/backend.py b/cryptography/hazmat/bindings/openssl/backend.py
index fdb6762..527706b 100644
--- a/cryptography/hazmat/bindings/openssl/backend.py
+++ b/cryptography/hazmat/bindings/openssl/backend.py
@@ -19,7 +19,7 @@
import cffi
from cryptography import utils
-from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.exceptions import UnsupportedAlgorithm, InvalidTag
from cryptography.hazmat.bindings.interfaces import (
CipherBackend, HashBackend, HMACBackend
)
@@ -200,7 +200,8 @@
def _handle_error(self):
code = self.lib.ERR_get_error()
- assert code != 0
+ if not code:
+ raise InvalidTag
lib = self.lib.ERR_GET_LIB(code)
func = self.lib.ERR_GET_FUNC(code)
reason = self.lib.ERR_GET_REASON(code)
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 8df02e7..39f5ae8 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -7,7 +7,7 @@
from cryptography.hazmat.primitives import hashes, hmac
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.exceptions import (
- AlreadyFinalized, NotYetFinalized, AlreadyUpdated,
+ AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag,
)
from ...utils import load_vectors_from_file
@@ -95,7 +95,7 @@
decryptor = cipher.decryptor()
decryptor.add_data(binascii.unhexlify(aad))
actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext))
- with pytest.raises(AssertionError):
+ with pytest.raises(InvalidTag):
decryptor.finalize()
else:
cipher = Cipher(