Skip to content

Commit 11b15a3

Browse files
alexngnpope
andauthored
fixes #10808 -- allow empty plaintexts for aes-gcm-siv (#12355)
* fixes #10808 -- allow empty plaintexts for aes-gcm-siv * Update src/rust/build.rs Co-authored-by: Nick Pope <[email protected]> --------- Co-authored-by: Nick Pope <[email protected]>
1 parent ad53791 commit 11b15a3

File tree

6 files changed

+29
-4
lines changed

6 files changed

+29
-4
lines changed

src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi

+1
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,7 @@ CRYPTOGRAPHY_IS_BORINGSSL: bool
5050
CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool
5151
CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool
5252
CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool
53+
CRYPTOGRAPHY_OPENSSL_350_OR_GREATER: bool
5354

5455
class Providers: ...
5556

src/rust/Cargo.toml

+1-1
Original file line numberDiff line numberDiff line change
@@ -33,4 +33,4 @@ name = "cryptography_rust"
3333
crate-type = ["cdylib"]
3434

3535
[lints.rust]
36-
unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] }
36+
unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4"))'] }

src/rust/build.rs

+3
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,9 @@ fn main() {
1818
if version >= 0x3_02_00_00_0 {
1919
println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER");
2020
}
21+
if version >= 0x3_05_00_00_0 {
22+
println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_350_OR_GREATER");
23+
}
2124
}
2225

2326
if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() {

src/rust/src/backend/aead.rs

+1
Original file line numberDiff line numberDiff line change
@@ -1141,6 +1141,7 @@ impl AesGcmSiv {
11411141
let data_bytes = data.as_bytes();
11421142
let aad = associated_data.map(Aad::Single);
11431143

1144+
#[cfg(not(any(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL)))]
11441145
if data_bytes.is_empty() {
11451146
return Err(CryptographyError::from(
11461147
pyo3::exceptions::PyValueError::new_err("data must not be zero length"),

src/rust/src/lib.rs

+4
Original file line numberDiff line numberDiff line change
@@ -207,6 +207,10 @@ mod _rust {
207207
"CRYPTOGRAPHY_OPENSSL_320_OR_GREATER",
208208
cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER),
209209
)?;
210+
openssl_mod.add(
211+
"CRYPTOGRAPHY_OPENSSL_350_OR_GREATER",
212+
cfg!(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER),
213+
)?;
210214

211215
openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?;
212216
openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?;

tests/hazmat/primitives/test_aead.py

+19-3
Original file line numberDiff line numberDiff line change
@@ -892,13 +892,29 @@ def test_invalid_nonce_length(self, backend):
892892
with pytest.raises(ValueError):
893893
aesgcmsiv.decrypt(nonce, pt, None)
894894

895-
def test_no_empty_encryption(self):
895+
def test_empty(self):
896896
key = AESGCMSIV.generate_key(256)
897897
aesgcmsiv = AESGCMSIV(key)
898898
nonce = os.urandom(12)
899899

900-
with pytest.raises(ValueError):
901-
aesgcmsiv.encrypt(nonce, b"", None)
900+
if (
901+
not rust_openssl.CRYPTOGRAPHY_OPENSSL_350_OR_GREATER
902+
and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
903+
):
904+
with pytest.raises(ValueError):
905+
aesgcmsiv.encrypt(nonce, b"", None)
906+
else:
907+
# From RFC 8452
908+
assert (
909+
AESGCMSIV(
910+
b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
911+
).encrypt(
912+
b"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
913+
b"",
914+
b"",
915+
)
916+
== b"\xdc \xe2\xd8?%p[\xb4\x9eC\x9e\xcaV\xde%"
917+
)
902918

903919
with pytest.raises(InvalidTag):
904920
aesgcmsiv.decrypt(nonce, b"", None)

0 commit comments

Comments
 (0)