From 366d4b42fefd6b94c7497fc42344d3744d692650 Mon Sep 17 00:00:00 2001
From: Philipp Gesang
Date: Wed, 29 Jan 2020 11:03:54 +0100
Subject: [PATCH] turn API-mandated no-op into assertion

Make it explicit that there cannot actually be a rest data when finalizing an encrypted object. The Cryptography API mandates that the caller handle the remainder of the data on finalization. By virtue of being a stream cipher, the AES-GCM encoder always returns the exact number of bytes that it was given so technically the rest is meaningless.
---
 testing/test_crypto.py | 12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/testing/test_crypto.py b/testing/test_crypto.py
index 0e881aa..f4d9254 100644
--- a/testing/test_crypto.py
+++ b/testing/test_crypto.py
@@ -455,7 +455,17 @@ class AESGCMTest (CryptoLayerTest):
 n, ct = encryptor.process (pt)
 rest, _, _ = encryptor.done (header_dummy)
- ct += rest
+
+ # NB: If this check *ever* fails, then something changed in the
+ # encoding layer. AES-GCM is a stream cipher so each encoding
+ # step will yield the exact number of ciphertext bytes that
+ # was provided as plaintext. Thus there cannot be any encoded
+ # data left when calling the finalizers. None of the crypo code
+ # depends on that assumption but nevertheless we check it here
+ # in case anything changes upstream in the Cryptography
+ # library. In case there actually is a rest, replace the
+ # assertion below with ``ct += rest``.
+ assert (len (rest) == 0)
 if len (pt) > new_max:
 assert n < len (pt)
--
1.7.1
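Review bot: The new `assert (len (rest) == 0)` fails without reporting how many bytes the finalizer returned, and its parenthesised form is fragile: a message added inside the parentheses later would turn the condition into a tuple that is always true, silently disabling the check. I would write it as `assert len (rest) == 0, "finalizer returned %d unexpected bytes" % len (rest)`. In the added comment, "crypo" should read "crypto", and calling AES-GCM a stream cipher is loose; the property the check relies on is that GCM is a counter-mode AEAD whose ciphertext has the same length as the plaintext, with the authentication tag carried separately from it. The enclosing test method starts and ends outside the hunk.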