fixes #12837 - make AES-GCM tag length configurable

Valid AES-GCM tag lengths as per NIST 800-38D, default is 16 (which is
also backwards compatible.).

Signed-off-by: David Lamparter <[email protected]>

Author: eqvinox

docs/hazmat/primitives/aead.rst

@@ -86,16 +86,21 @@ also support providing integrity for associated data which is not encrypted.
             when the ciphertext has been changed, but will also occur when the
             key, nonce, or associated data are wrong.
 
-.. class:: AESGCM(key)
+.. class:: AESGCM(key, tag_length=16)
 
-    .. versionadded:: 2.0
 
     The AES-GCM construction is composed of the
     :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` block
     cipher utilizing Galois Counter Mode (GCM).
 
     :param key: A 128, 192, or 256-bit key. This **must** be kept secret.
     :type key: :term:`bytes-like`
+    :param int tag_length: The length of the authentication tag. This
+        defaults to 16 bytes and it is **strongly** recommended that you
+        do not make it shorter unless absolutely necessary. Valid tag
+        lengths are 4, 8, 12, 13, 14, 15, and 16.
+
+        .. versionadded:: 45.0.0
 
     .. doctest::
 

src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi

@@ -7,7 +7,7 @@ from collections.abc import Sequence
 from cryptography.utils import Buffer
 
 class AESGCM:
-    def __init__(self, key: Buffer) -> None: ...
+    def __init__(self, key: Buffer, tag_length: int = 16) -> None: ...
     @staticmethod
     def generate_key(bit_length: int) -> bytes: ...
     def encrypt(

src/rust/src/backend/aead.rs

@@ -600,7 +600,12 @@ struct AesGcm {
 #[pyo3::pymethods]
 impl AesGcm {
     #[new]
-    fn new(py: pyo3::Python<'_>, key: pyo3::Py<pyo3::PyAny>) -> CryptographyResult<AesGcm> {
+    #[pyo3(signature = (key, tag_length=None))]
+    fn new(
+        py: pyo3::Python<'_>,
+        key: pyo3::Py<pyo3::PyAny>,
+        tag_length: Option<usize>,
+    ) -> CryptographyResult<AesGcm> {
         let key_buf = key.extract::<CffiBuf<'_>>(py)?;
         let cipher = match key_buf.as_bytes().len() {
             16 => openssl::cipher::Cipher::aes_128_gcm(),
@@ -614,6 +619,12 @@ impl AesGcm {
                 ))
             }
         };
+        let tag_length = tag_length.unwrap_or(16);
+        if ![4, 8, 12, 13, 14, 15, 16].contains(&tag_length) {
+            return Err(CryptographyError::from(
+                pyo3::exceptions::PyValueError::new_err("Invalid tag_length"),
+            ));
+        }
 
         cfg_if::cfg_if! {
             if #[cfg(any(
@@ -624,11 +635,11 @@ impl AesGcm {
                 not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER),
             ))] {
                 Ok(AesGcm {
-                    ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?,
+                    ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), tag_length, false)?,
                 })
             } else {
                 Ok(AesGcm {
-                    ctx: LazyEvpCipherAead::new(cipher, key, 16, false, false),
+                    ctx: LazyEvpCipherAead::new(cipher, key, tag_length, false, false),
                 })
 
             }

tests/hazmat/primitives/test_aead.py

@@ -487,6 +487,13 @@ def test_bad_generate_key(self, backend):
         with pytest.raises(ValueError):
             AESGCM.generate_key(129)
 
+    def test_bad_tag_length(self, backend):
+        with pytest.raises(TypeError):
+            AESGCM(b"X" * 32, object())  # type:ignore[arg-type]
+
+        with pytest.raises(ValueError):
+            AESGCM(b"X" * 32, 17)
+
     def test_associated_data_none_equal_to_empty_bytestring(self, backend):
         key = AESGCM.generate_key(128)
         aesgcm = AESGCM(key)
@@ -498,6 +505,18 @@ def test_associated_data_none_equal_to_empty_bytestring(self, backend):
         pt2 = aesgcm.decrypt(nonce, ct2, b"")
         assert pt1 == pt2
 
+    @pytest.mark.parametrize("length", [4, 15])
+    def test_short_tags(self, length, backend):
+        key = AESGCM.generate_key(128)
+        aesgcm_ref = AESGCM(key)
+        aesgcm_cut = AESGCM(key, length)
+        nonce = os.urandom(12)
+        ct_ref = aesgcm_ref.encrypt(nonce, b"some_data", b"some_aad")
+        ct_cut = aesgcm_cut.encrypt(nonce, b"some_data", b"some_aad")
+        assert ct_cut == ct_ref[: -16 + length]
+        pt_cut = aesgcm_cut.decrypt(nonce, ct_cut, b"some_aad")
+        assert pt_cut == b"some_data"
+
     def test_buffer_protocol(self, backend):
         key = AESGCM.generate_key(128)
         aesgcm = AESGCM(key)