From 12a1cacb6ae6de51a003dcc884e769854a1345a8 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 17 Jul 2018 22:56:12 +0800
Subject: raise ValueError on zero length GCM IV (#4348)

---
 docs/hazmat/primitives/symmetric-encryption.rst     | 3 ++-
 src/cryptography/hazmat/primitives/ciphers/modes.py | 2 ++
 tests/hazmat/primitives/test_block.py               | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 5b6000902..e74b4d665 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -399,7 +399,8 @@ Modes
         this is ``16``, meaning tag truncation is not allowed. Allowing tag
         truncation is strongly discouraged for most applications.
 
-    :raises ValueError: This is raised if ``len(tag) < min_tag_length``.
+    :raises ValueError: This is raised if ``len(tag) < min_tag_length`` or the
+        ``initialization_vector`` is too short.
 
     :raises NotImplementedError: This is raised if the version of the OpenSSL
         backend used is 1.0.1 or earlier.
diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py
index 543015fef..e82c1a8d6 100644
--- a/src/cryptography/hazmat/primitives/ciphers/modes.py
+++ b/src/cryptography/hazmat/primitives/ciphers/modes.py
@@ -208,6 +208,8 @@ class GCM(object):
         # for it
         if not isinstance(initialization_vector, bytes):
             raise TypeError("initialization_vector must be bytes")
+        if len(initialization_vector) == 0:
+            raise ValueError("initialization_vector must be at least 1 byte")
         self._initialization_vector = initialization_vector
         if tag is not None:
             if not isinstance(tag, bytes):
diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py
index c053feafb..37158f153 100644
--- a/tests/hazmat/primitives/test_block.py
+++ b/tests/hazmat/primitives/test_block.py
@@ -191,6 +191,10 @@ class TestModeValidation(object):
                 backend,
             )
 
+    def test_gcm(self):
+        with pytest.raises(ValueError):
+            modes.GCM(b"")
+
 
 class TestModesRequireBytes(object):
     def test_cbc(self):
-- 
cgit v1.2.3