From dbb64bd2a4a63f6071b1ac982b96d5d07bbd8a63 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Mon, 11 Jul 2016 02:13:40 +0000
Subject: disable blowfish in commoncrypto backend for key lengths under 64-bit
 (#3040)

This is due to a bug in CommonCrypto present in 10.11.x. Filed as
radar://26636600
---
 src/cryptography/hazmat/backends/commoncrypto/backend.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/commoncrypto/backend.py b/src/cryptography/hazmat/backends/commoncrypto/backend.py
index 315d67d8..1205b6a6 100644
--- a/src/cryptography/hazmat/backends/commoncrypto/backend.py
+++ b/src/cryptography/hazmat/backends/commoncrypto/backend.py
@@ -104,7 +104,12 @@ class Backend(object):
         return _HMACContext(self, key, algorithm)
 
     def cipher_supported(self, cipher, mode):
-        return (type(cipher), type(mode)) in self._cipher_registry
+        # In OS X 10.11.2-5 (as of this writing) CommonCrypto has a bug with
+        # Blowfish key lengths less than 64-bit. Filed as radar://26636600
+        if isinstance(cipher, Blowfish) and len(cipher.key) < 8:
+            return False
+        else:
+            return (type(cipher), type(mode)) in self._cipher_registry
 
     def create_symmetric_encryption_ctx(self, cipher, mode):
         if isinstance(mode, GCM):
-- 
cgit v1.2.3