From dbb64bd2a4a63f6071b1ac982b96d5d07bbd8a63 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 Jul 2016 02:13:40 +0000 Subject: disable blowfish in commoncrypto backend for key lengths under 64-bit (#3040) This is due to a bug in CommonCrypto present in 10.11.x. Filed as radar://26636600 --- src/cryptography/hazmat/backends/commoncrypto/backend.py | 7 ++++++- tests/hazmat/primitives/utils.py | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/commoncrypto/backend.py b/src/cryptography/hazmat/backends/commoncrypto/backend.py index 315d67d8..1205b6a6 100644 --- a/src/cryptography/hazmat/backends/commoncrypto/backend.py +++ b/src/cryptography/hazmat/backends/commoncrypto/backend.py @@ -104,7 +104,12 @@ class Backend(object): return _HMACContext(self, key, algorithm) def cipher_supported(self, cipher, mode): - return (type(cipher), type(mode)) in self._cipher_registry + # In OS X 10.11.2-5 (as of this writing) CommonCrypto has a bug with + # Blowfish key lengths less than 64-bit. Filed as radar://26636600 + if isinstance(cipher, Blowfish) and len(cipher.key) < 8: + return False + else: + return (type(cipher), type(mode)) in self._cipher_registry def create_symmetric_encryption_ctx(self, cipher, mode): if isinstance(mode, GCM): diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 8705cdc4..d0e87a78 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -47,6 +47,11 @@ def generate_encrypt_test(param_loader, path, file_names, cipher_factory, def encrypt_test(backend, cipher_factory, mode_factory, params): + if not backend.cipher_supported( + cipher_factory(**params), mode_factory(**params) + ): + pytest.skip("cipher/mode combo is unsupported by this backend") + plaintext = params["plaintext"] ciphertext = params["ciphertext"] cipher = Cipher( -- cgit v1.2.3