Fixes from review

embhorn · embhorn · commit 6e9f2ba1dc1c · 2026-03-02T11:54:06.000-06:00
diff --git a/tests/test_chacha20poly1305.py b/tests/test_chacha20poly1305.py
@@ -50,6 +50,24 @@ def test_invalid_key_size():
         with pytest.raises(ValueError):
             ChaCha20Poly1305(b"tooshort")
 
+    def test_encrypt_invalid_iv_length():
+        key = h2b("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
+        chacha = ChaCha20Poly1305(key)
+        with pytest.raises(ValueError):
+            chacha.encrypt(b"aad", b"short", b"plaintext")
+
+    def test_decrypt_invalid_iv_length():
+        key = h2b("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
+        chacha = ChaCha20Poly1305(key)
+        with pytest.raises(ValueError):
+            chacha.decrypt(b"aad", b"short", b"\x00" * 16, b"ciphertext")
+
+    def test_decrypt_invalid_tag_length():
+        key = h2b("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
+        chacha = ChaCha20Poly1305(key)
+        with pytest.raises(ValueError):
+            chacha.decrypt(b"aad", b"\x00" * 12, b"short", b"ciphertext")
+
     def test_decrypt_bad_tag():
         key = h2b("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
         iv = h2b("07000000404142434445464748")
diff --git a/wolfcrypt/ciphers.py b/wolfcrypt/ciphers.py
@@ -561,6 +561,8 @@ def encrypt(self, aad, iv, plaintext):
             """
             aad = t2b(aad)
             iv = t2b(iv)
+            if len(iv) != 12:
+                raise ValueError("iv must be 12 bytes, got %d" % len(iv))
             plaintext = t2b(plaintext)
             ciphertext = _ffi.new("byte[%d]" % len(plaintext))
             authTag = _ffi.new("byte[%d]" % self._tag_bytes)
@@ -587,7 +589,12 @@ def decrypt(self, aad, iv, authTag, ciphertext):
             """
             aad = t2b(aad)
             iv = t2b(iv)
+            if len(iv) != 12:
+                raise ValueError("iv must be 12 bytes, got %d" % len(iv))
             authTag = t2b(authTag)
+            if len(authTag) != self._tag_bytes:
+                raise ValueError("authTag must be %d bytes, got %d" %
+                                 (self._tag_bytes, len(authTag)))
             ciphertext = t2b(ciphertext)
             plaintext = _ffi.new("byte[%d]" % len(ciphertext))
             ret = _lib.wc_ChaCha20Poly1305_Decrypt(
