fixes #10808 -- allow empty plaintexts for aes-gcm-siv (#12355)

* fixes #10808 -- allow empty plaintexts for aes-gcm-siv

* Update src/rust/build.rs

Co-authored-by: Nick Pope <nick@nickpope.me.uk>

---------

Co-authored-by: Nick Pope <nick@nickpope.me.uk>

Author: alex

src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi

@@ -50,6 +50,7 @@ CRYPTOGRAPHY_IS_BORINGSSL: bool
 CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool
+CRYPTOGRAPHY_OPENSSL_350_OR_GREATER: bool
 
 class Providers: ...
 

src/rust/Cargo.toml

@@ -33,4 +33,4 @@ name = "cryptography_rust"
 crate-type = ["cdylib"]
 
 [lints.rust]
-unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] }
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] }

src/rust/build.rs

@@ -18,6 +18,9 @@ fn main() {
         if version >= 0x3_02_00_00_0 {
             println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER");
         }
+        if version >= 0x3_05_00_00_0 {
+            println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_350_OR_GREATER");
+        }
     }
 
     if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() {

src/rust/src/backend/aead.rs

@@ -1141,6 +1141,7 @@ impl AesGcmSiv {
         let data_bytes = data.as_bytes();
         let aad = associated_data.map(Aad::Single);
 
+        #[cfg(not(any(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL)))]
         if data_bytes.is_empty() {
             return Err(CryptographyError::from(
                 pyo3::exceptions::PyValueError::new_err("data must not be zero length"),

src/rust/src/lib.rs

@@ -207,6 +207,10 @@ mod _rust {
                 "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER",
                 cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER),
             )?;
+            openssl_mod.add(
+                "CRYPTOGRAPHY_OPENSSL_350_OR_GREATER",
+                cfg!(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER),
+            )?;
 
             openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?;
             openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?;

tests/hazmat/primitives/test_aead.py

@@ -892,13 +892,29 @@ def test_invalid_nonce_length(self, backend):
         with pytest.raises(ValueError):
             aesgcmsiv.decrypt(nonce, pt, None)
 
-    def test_no_empty_encryption(self):
+    def test_empty(self):
         key = AESGCMSIV.generate_key(256)
         aesgcmsiv = AESGCMSIV(key)
         nonce = os.urandom(12)
 
-        with pytest.raises(ValueError):
-            aesgcmsiv.encrypt(nonce, b"", None)
+        if (
+            not rust_openssl.CRYPTOGRAPHY_OPENSSL_350_OR_GREATER
+            and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        ):
+            with pytest.raises(ValueError):
+                aesgcmsiv.encrypt(nonce, b"", None)
+        else:
+            # From RFC 8452
+            assert (
+                AESGCMSIV(
+                    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                ).encrypt(
+                    b"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+                    b"",
+                    b"",
+                )
+                == b"\xdc \xe2\xd8?%p[\xb4\x9eC\x9e\xcaV\xde%"
+            )
 
         with pytest.raises(InvalidTag):
             aesgcmsiv.decrypt(nonce, b"", None)