7 files changed, 106 insertions, 47 deletions

diff --git a/cryptography/hazmat/backends/commoncrypto/ciphers.py b/cryptography/hazmat/backends/commoncrypto/ciphers.py
index 525500c8..6d3ba863 100644
--- a/cryptography/hazmat/backends/commoncrypto/ciphers.py
+++ b/cryptography/hazmat/backends/commoncrypto/ciphers.py
@@ -151,6 +151,12 @@ class _GCMCipherContext(object):
             len(mode.initialization_vector)
         )
         self._backend._check_cipher_response(res)
+        # CommonCrypto has a bug where calling update without at least one
+        # call to authenticate_additional_data will result in null byte output
+        # for ciphertext. The following empty byte string call prevents the
+        # issue, which is present in at least 10.8 and 10.9.
+        # Filed as rdar://18314544
+        self.authenticate_additional_data(b"")
 
     def update(self, data):
         buf = self._backend._ffi.new("unsigned char[]", len(data))
@@ -164,6 +170,12 @@ class _GCMCipherContext(object):
         return self._backend._ffi.buffer(buf)[:]
 
     def finalize(self):
+        # CommonCrypto has a yet another bug where you must make at least one
+        # call to update. If you pass just AAD and call finalize without a call
+        # to update you'll get null bytes for tag. The following update call
+        # prevents this issue, which is present in at least 10.8 and 10.9.
+        # Filed as rdar://18314580
+        self.update(b"")
         tag_size = self._cipher.block_size // 8
         tag_buf = self._backend._ffi.new("unsigned char[]", tag_size)
         tag_len = self._backend._ffi.new("size_t *", tag_size)
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 7e619a10..cb988ac9 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -16,6 +16,7 @@ from __future__ import absolute_import, division, print_function
 import collections
 import itertools
 import warnings
+from contextlib import contextmanager
 
 import six
 
@@ -1012,6 +1013,17 @@ class Backend(object):
             )
         return curve_nid
 
+    @contextmanager
+    def _bn_ctx_manager(self):
+        bn_ctx = self._lib.BN_CTX_new()
+        assert bn_ctx != self._ffi.NULL
+        bn_ctx = self._ffi.gc(bn_ctx, self._lib.BN_CTX_free)
+        try:
+            self._lib.BN_CTX_start(bn_ctx)
+            yield bn_ctx
+        finally:
+            self._lib.BN_CTX_end(bn_ctx)
+
     def _ec_key_set_public_key_affine_coordinates(self, ctx, x, y):
         """
         This is a port of EC_KEY_set_public_key_affine_coordinates that was
@@ -1029,10 +1041,6 @@ class Backend(object):
         nid_two_field = self._lib.OBJ_sn2nid(b"characteristic-two-field")
         assert nid_two_field != self._lib.NID_undef
 
-        bn_ctx = self._lib.BN_CTX_new()
-        assert bn_ctx != self._ffi.NULL
-        bn_ctx = self._ffi.gc(bn_ctx, self._lib.BN_CTX_free)
-
         group = self._lib.EC_KEY_get0_group(ctx)
         assert group != self._ffi.NULL
 
@@ -1046,9 +1054,6 @@ class Backend(object):
         nid = self._lib.EC_METHOD_get_field_type(method)
         assert nid != self._lib.NID_undef
 
-        check_x = self._lib.BN_CTX_get(bn_ctx)
-        check_y = self._lib.BN_CTX_get(bn_ctx)
-
         if nid == nid_two_field and self._lib.Cryptography_HAS_EC2M:
             set_func = self._lib.EC_POINT_set_affine_coordinates_GF2m
             get_func = self._lib.EC_POINT_get_affine_coordinates_GF2m
@@ -1058,16 +1063,20 @@ class Backend(object):
 
         assert set_func and get_func
 
-        res = set_func(group, point, bn_x, bn_y, bn_ctx)
-        assert res == 1
+        with self._bn_ctx_manager() as bn_ctx:
+            check_x = self._lib.BN_CTX_get(bn_ctx)
+            check_y = self._lib.BN_CTX_get(bn_ctx)
 
-        res = get_func(group, point, check_x, check_y, bn_ctx)
-        assert res == 1
+            res = set_func(group, point, bn_x, bn_y, bn_ctx)
+            assert res == 1
 
-        assert (
-            self._lib.BN_cmp(bn_x, check_x) == 0 and
-            self._lib.BN_cmp(bn_y, check_y) == 0
-        )
+            res = get_func(group, point, check_x, check_y, bn_ctx)
+            assert res == 1
+
+            assert (
+                self._lib.BN_cmp(bn_x, check_x) == 0 and
+                self._lib.BN_cmp(bn_y, check_y) == 0
+            )
 
         res = self._lib.EC_KEY_set_public_key(ctx, point)
         assert res == 1
diff --git a/cryptography/hazmat/backends/openssl/ciphers.py b/cryptography/hazmat/backends/openssl/ciphers.py
index c3a5499a..d37bb014 100644
--- a/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/cryptography/hazmat/backends/openssl/ciphers.py
@@ -128,6 +128,14 @@ class _CipherContext(object):
         return self._backend._ffi.buffer(buf)[:outlen[0]]
 
     def finalize(self):
+        # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions)
+        # appears to have a bug where you must make at least one call to update
+        # even if you are only using authenticate_additional_data or the
+        # GCM tag will be wrong. An (empty) call to update resolves this
+        # and is harmless for all other versions of OpenSSL.
+        if isinstance(self._mode, GCM):
+            self.update(b"")
+
         buf = self._backend._ffi.new("unsigned char[]", self._block_size)
         outlen = self._backend._ffi.new("int *")
         res = self._backend._lib.EVP_CipherFinal_ex(self._ctx, buf, outlen)
diff --git a/cryptography/hazmat/backends/openssl/ec.py b/cryptography/hazmat/backends/openssl/ec.py
index b7cd9802..51fc8f4b 100644
--- a/cryptography/hazmat/backends/openssl/ec.py
+++ b/cryptography/hazmat/backends/openssl/ec.py
@@ -24,6 +24,13 @@ from cryptography.hazmat.primitives.asymmetric import ec
 
 
 def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend):
+    """
+    This function truncates digests that are longer than a given elliptic
+    curve key's length so they can be signed. Since elliptic curve keys are
+    much shorter than RSA keys many digests (e.g. SHA-512) may require
+    truncation.
+    """
+
     _lib = backend._lib
     _ffi = backend._ffi
 
@@ -31,17 +38,14 @@ def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend):
 
     group = _lib.EC_KEY_get0_group(ec_key_cdata)
 
-    bn_ctx = _lib.BN_CTX_new()
-    assert bn_ctx != _ffi.NULL
-    bn_ctx = _ffi.gc(bn_ctx, _lib.BN_CTX_free)
-
-    order = _lib.BN_CTX_get(bn_ctx)
-    assert order != _ffi.NULL
+    with backend._bn_ctx_manager() as bn_ctx:
+        order = _lib.BN_CTX_get(bn_ctx)
+        assert order != _ffi.NULL
 
-    res = _lib.EC_GROUP_get_order(group, order, bn_ctx)
-    assert res == 1
+        res = _lib.EC_GROUP_get_order(group, order, bn_ctx)
+        assert res == 1
 
-    order_bits = _lib.BN_num_bits(order)
+        order_bits = _lib.BN_num_bits(order)
 
     if 8 * digest_len > order_bits:
         digest_len = (order_bits + 7) // 8
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index e9ab6123..32128681 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -99,29 +99,29 @@ Creating test vectors
 ---------------------
 
 When official vectors are unavailable ``cryptography`` may choose to build
-its own using existing vectors as source material. 
+its own using existing vectors as source material.
 
 Current custom vectors
 ~~~~~~~~~~~~~~~~~~~~~~
 
-* ec_private_key.pem - Contains an Elliptic Curve key generated by OpenSSL 
-  from the curve secp256r1.
-* ec_private_key_encrypted.pem - Contains the same Elliptic Curve key as 
-  ec_private_key.pem, except that it is encrypted with AES-256 with the 
+* ``ec_private_key.pem`` - Contains an Elliptic Curve key generated by OpenSSL
+  from the curve ``secp256r1``.
+* ``ec_private_key_encrypted.pem`` - Contains the same Elliptic Curve key as
+  ``ec_private_key.pem``, except that it is encrypted with AES-256 with the
   password "123456".
-* ec_public_key.pem - Contains the public key corresponding to 
-  ec_private_key.pem, generated using OpenSSL.
-* rsa_private_key.pem - Contains an RSA 2048 bit key generated using 
+* ``ec_public_key.pem`` - Contains the public key corresponding to
+  ``ec_private_key.pem``, generated using OpenSSL.
+* ``rsa_private_key.pem`` - Contains an RSA 2048 bit key generated using
   OpenSSL, protected by the secret "123456" with DES3 encryption.
-* rsa_public_key.pem - Contains an RSA 2048 bit public generated using 
-  OpenSSL from rsa_private_key.pem.
-* dsaparam.pem - Contains 2048-bit DSA parameters generated using OpenSSL; 
+* ``rsa_public_key.pem`` - Contains an RSA 2048 bit public generated using
+  OpenSSL from ``rsa_private_key.pem``.
+* ``dsaparam.pem`` - Contains 2048-bit DSA parameters generated using OpenSSL;
   contains no keys.
-* dsa_private_key.pem - Contains a DSA 2048 bit key generated using 
-  OpenSSL from the parameters in dsaparam.pem, protected by the secret
+* ``dsa_private_key.pem`` - Contains a DSA 2048 bit key generated using
+  OpenSSL from the parameters in ``dsaparam.pem``, protected by the secret
   "123456" with DES3 encryption.
-* dsa_public_key.pem - Contains a DSA 2048 bit key generated using OpenSSL 
-  from dsa_private_key.pem.
+* ``dsa_public_key.pem`` - Contains a DSA 2048 bit key generated using OpenSSL
+  from ``dsa_private_key.pem``.
 
 .. toctree::
     :maxdepth: 1
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 47be985f..b16026f6 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -20,9 +20,6 @@ decrypting
 deserialize
 deserialized
 Docstrings
-dsa
-dsaparam
-ec
 fernet
 Fernet
 hazmat
@@ -36,16 +33,12 @@ Lange
 metadata
 namespace
 namespaces
-pem
 pickleable
 plaintext
 preprocessor
 preprocessors
 pseudorandom
 pyOpenSSL
-rsa
-secp
-secp256r1
 Schneier
 scrypt
 Solaris
diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py
index 5bde7d3c..e8e0eee4 100644
--- a/tests/hazmat/primitives/test_aes.py
+++ b/tests/hazmat/primitives/test_aes.py
@@ -18,7 +18,7 @@ import os
 
 import pytest
 
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
+from cryptography.hazmat.primitives.ciphers import algorithms, base, modes
 
 from .utils import generate_aead_test, generate_encrypt_test
 from ...utils import load_nist_vectors
@@ -228,3 +228,36 @@ class TestAESModeGCM(object):
         algorithms.AES,
         modes.GCM,
     )
+
+    def test_gcm_tag_with_only_aad(self, backend):
+        key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
+        iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
+        aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
+        tag = binascii.unhexlify(b"0f247e7f9c2505de374006738018493b")
+
+        cipher = base.Cipher(
+            algorithms.AES(key),
+            modes.GCM(iv),
+            backend=backend
+        )
+        encryptor = cipher.encryptor()
+        encryptor.authenticate_additional_data(aad)
+        encryptor.finalize()
+        assert encryptor.tag == tag
+
+    def test_gcm_ciphertext_with_no_aad(self, backend):
+        key = binascii.unhexlify(b"e98b72a9881a84ca6b76e0f43e68647a")
+        iv = binascii.unhexlify(b"8b23299fde174053f3d652ba")
+        ct = binascii.unhexlify(b"5a3c1cf1985dbb8bed818036fdd5ab42")
+        tag = binascii.unhexlify(b"23c7ab0f952b7091cd324835043b5eb5")
+        pt = binascii.unhexlify(b"28286a321293253c3e0aa2704a278032")
+
+        cipher = base.Cipher(
+            algorithms.AES(key),
+            modes.GCM(iv),
+            backend=backend
+        )
+        encryptor = cipher.encryptor()
+        computed_ct = encryptor.update(pt) + encryptor.finalize()
+        assert computed_ct == ct
+        assert encryptor.tag == tag