document one shot AEAD length restrictions (#4322)

* document one shot AEAD length restrictions * write a test that won't consume infinity ram continue to raise OverflowError since that's what cffi did. * this applies to associated_data too * remove unneeded arg * review feedback on docs
author: Paul Kehrer <paul.l.kehrer@gmail.com> 2018-07-15 09:15:16 +0530
committer: Alex Gaynor <alex.gaynor@gmail.com> 2018-07-14 23:45:16 -0400
commit: bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398 (patch)
tree: 9e4fe9cecf15bd625558fcf32614ea3fbca5bbc8 /src
parent: 33db1c83b7ccb18e3319dedb5c7eb38edb74d8ab (diff)
download: cryptography-bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398.tar.gz
cryptography-bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398.tar.bz2
cryptography-bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py
index 415a45a9..9794d768 100644
--- a/src/cryptography/hazmat/primitives/ciphers/aead.py
+++ b/src/cryptography/hazmat/primitives/ciphers/aead.py
@@ -12,6 +12,8 @@ from cryptography.hazmat.backends.openssl.backend import backend
 
 
 class ChaCha20Poly1305(object):
+    _MAX_SIZE = 2 ** 32
+
     def __init__(self, key):
         if not backend.aead_cipher_supported(self):
             raise exceptions.UnsupportedAlgorithm(
@@ -33,6 +35,12 @@ class ChaCha20Poly1305(object):
         if associated_data is None:
             associated_data = b""
 
+        if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE:
+            # This is OverflowError to match what cffi would raise
+            raise OverflowError(
+                "Data or associated data too long. Max 2**32 bytes"
+            )
+
         self._check_params(nonce, data, associated_data)
         return aead._encrypt(
             backend, self, nonce, data, associated_data, 16
@@ -56,6 +64,8 @@ class ChaCha20Poly1305(object):
 
 
 class AESCCM(object):
+    _MAX_SIZE = 2 ** 32
+
     def __init__(self, key, tag_length=16):
         utils._check_bytes("key", key)
         if len(key) not in (16, 24, 32):
@@ -90,6 +100,12 @@ class AESCCM(object):
         if associated_data is None:
             associated_data = b""
 
+        if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE:
+            # This is OverflowError to match what cffi would raise
+            raise OverflowError(
+                "Data or associated data too long. Max 2**32 bytes"
+            )
+
         self._check_params(nonce, data, associated_data)
         self._validate_lengths(nonce, len(data))
         return aead._encrypt(
@@ -121,6 +137,8 @@ class AESCCM(object):
 
 
 class AESGCM(object):
+    _MAX_SIZE = 2 ** 32
+
     def __init__(self, key):
         utils._check_bytes("key", key)
         if len(key) not in (16, 24, 32):
@@ -142,6 +160,12 @@ class AESGCM(object):
         if associated_data is None:
             associated_data = b""
 
+        if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE:
+            # This is OverflowError to match what cffi would raise
+            raise OverflowError(
+                "Data or associated data too long. Max 2**32 bytes"
+            )
+
         self._check_params(nonce, data, associated_data)
         return aead._encrypt(
             backend, self, nonce, data, associated_data, 16
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2018-07-15 09:15:16 +0530
committer	Alex Gaynor <alex.gaynor@gmail.com>	2018-07-14 23:45:16 -0400
commit	bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398 (patch)
tree	9e4fe9cecf15bd625558fcf32614ea3fbca5bbc8 /src
parent	33db1c83b7ccb18e3319dedb5c7eb38edb74d8ab (diff)
download	cryptography-bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398.tar.gz cryptography-bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398.tar.bz2 cryptography-bb23c6c7cbb3f62f1b1b2480f9dc07c6beba3398.zip