Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / dc77ed3382b6d5b1b1c0555cb5e3b5245f2ae78e^1..dc77ed3382b6d5b1b1c0555cb5e3b5245f2ae78e / .
commitdc77ed3382b6d5b1b1c0555cb5e3b5245f2ae78e[log] [tgz]
authorAlex Gaynor <alex.gaynor@gmail.com>Fri Mar 07 05:56:14 2014 -0800
committerAlex Gaynor <alex.gaynor@gmail.com>Fri Mar 07 05:56:14 2014 -0800
tree8eafa442188a1f7f8b90c871563cb17c6623a3f2
parent792eef345d138a0d0eff5df923f8218376e78621 [diff]
parent3bb4c0dc28858f9572ed770cc89d397997262a50 [diff]
Merge pull request #750 from reaperhulk/update-098e

0.9.8e EVP Workaround
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index e37dba5..b4625aa 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py

@@ -438,6 +438,15 @@
         self._ctx = ctx
 
     def update(self, data):
+        # OpenSSL 0.9.8e has an assertion in its EVP code that causes it
+        # to SIGABRT if you call update with an empty byte string. This can be
+        # removed when we drop support for 0.9.8e (CentOS/RHEL 5). This branch
+        # should be taken only when length is zero and mode is not GCM because
+        # AES GCM can return improper tag values if you don't call update
+        # with empty plaintext when authenticating AAD for ...reasons.
+        if len(data) == 0 and not isinstance(self._mode, GCM):
+            return b""
+
         buf = self._backend._ffi.new("unsigned char[]",
                                      len(data) + self._block_size - 1)
         outlen = self._backend._ffi.new("int *")