From a2173583d928cc95977f8dbbb7dd48cc732b24f5 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 17 Jul 2017 13:10:14 +0200 Subject: add AESGCM AEAD support (#3785) * add AESGCM AEAD support * remove stray newline * move AESGCM docs above CCM --- src/cryptography/hazmat/backends/openssl/aead.py | 8 +++-- src/cryptography/hazmat/primitives/ciphers/aead.py | 42 ++++++++++++++++++++++ 2 files changed, 47 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index 5402acb3..9cec3e23 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -13,13 +13,15 @@ _DECRYPT = 0 def _aead_cipher_name(cipher): from cryptography.hazmat.primitives.ciphers.aead import ( - AESCCM, ChaCha20Poly1305 + AESCCM, AESGCM, ChaCha20Poly1305 ) if isinstance(cipher, ChaCha20Poly1305): return b"chacha20-poly1305" - else: - assert isinstance(cipher, AESCCM) + elif isinstance(cipher, AESCCM): return "aes-{0}-ccm".format(len(cipher._key) * 8).encode("ascii") + else: + assert isinstance(cipher, AESGCM) + return "aes-{0}-gcm".format(len(cipher._key) * 8).encode("ascii") def _aead_setup(backend, cipher_name, key, nonce, tag, tag_len, operation): diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index e2c5e381..07b6bce6 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -118,3 +118,45 @@ class AESCCM(object): utils._check_bytes("associated_data", associated_data) if not 7 <= len(nonce) <= 13: raise ValueError("Nonce must be between 7 and 13 bytes") + + +class AESGCM(object): + def __init__(self, key): + utils._check_bytes("key", key) + if len(key) not in (16, 24, 32): + raise ValueError("AESGCM key must be 128, 192, or 256 bits.") + + self._key = key + + @classmethod + def generate_key(cls, bit_length): + if not isinstance(bit_length, int): + raise TypeError("bit_length must be an integer") + + if bit_length not in (128, 192, 256): + raise ValueError("bit_length must be 128, 192, or 256") + + return os.urandom(bit_length // 8) + + def encrypt(self, nonce, data, associated_data): + if associated_data is None: + associated_data = b"" + + self._check_params(nonce, data, associated_data) + return aead._encrypt( + backend, self, nonce, data, associated_data, 16 + ) + + def decrypt(self, nonce, data, associated_data): + if associated_data is None: + associated_data = b"" + + self._check_params(nonce, data, associated_data) + return aead._decrypt( + backend, self, nonce, data, associated_data, 16 + ) + + def _check_params(self, nonce, data, associated_data): + utils._check_bytes("nonce", nonce) + utils._check_bytes("data", data) + utils._check_bytes("associated_data", associated_data) -- cgit v1.2.3