<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/python-packages/pycrypto.git/lib/Crypto, branch master</title>
<subtitle>github.com: dlitz/pycrypto.git
</subtitle>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/'/>
<entry>
<title>Increase attempts for recovering RSA (p,q) from (n,e,d)</title>
<updated>2014-06-23T07:12:24+00:00</updated>
<author>
<name>Wouter Bolsterlee</name>
<email>uws@xs4all.nl</email>
</author>
<published>2014-06-20T20:07:46+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=7acba5f3a6ff10f1424c309d0d34d2b713233019'/>
<id>7acba5f3a6ff10f1424c309d0d34d2b713233019</id>
<content type='text'>
Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.

However, in some extreme cases this may still fail. Bumping the maximum
number allows the algorithm to correctly find the right values for these
cases. This change bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.

Note that this change does *not* result in a performance degradation.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.

However, in some extreme cases this may still fail. Bumping the maximum
number allows the algorithm to correctly find the right values for these
cases. This change bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.

Note that this change does *not* result in a performance degradation.
</pre>
</div>
</content>
</entry>
<entry>
<title>Make Cipher.galois module private</title>
<updated>2014-06-23T06:47:53+00:00</updated>
<author>
<name>Legrandin</name>
<email>helderijs@gmail.com</email>
</author>
<published>2014-04-26T07:10:19+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=9e2b6af8c34efba80d141490b48b82a3c2185ae5'/>
<id>9e2b6af8c34efba80d141490b48b82a3c2185ae5</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Make GHASH more robust against timing attacks.</title>
<updated>2014-06-23T06:38:31+00:00</updated>
<author>
<name>Legrandin</name>
<email>helderijs@gmail.com</email>
</author>
<published>2014-03-23T17:46:55+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=947b554d85012cf35185ded38ef3484de010d2cf'/>
<id>947b554d85012cf35185ded38ef3484de010d2cf</id>
<content type='text'>
In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.

If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.

This patch reduces the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache lines of that size or larger).

This patch will reduce the overall performance.

This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.

If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.

This patch reduces the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache lines of that size or larger).

This patch will reduce the overall performance.

This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add side-channel countermeasures to DSA.</title>
<updated>2014-06-23T06:30:26+00:00</updated>
<author>
<name>Legrandin</name>
<email>helderijs@gmail.com</email>
</author>
<published>2013-12-27T22:44:38+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=0782d68840d0ebf850516e606e398b8a5396eb64'/>
<id>0782d68840d0ebf850516e606e398b8a5396eb64</id>
<content type='text'>
This patch strengthens the DSA signing code against
side-channel attacks.

The DSA signing formulae:

r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q

becomes:

b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).

See also attack DSA_2 in:

"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch strengthens the DSA signing code against
side-channel attacks.

The DSA signing formulae:

r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q

becomes:

b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).

See also attack DSA_2 in:

"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
</pre>
</div>
</content>
</entry>
<entry>
<title>Extended fix for the RSA boundary check</title>
<updated>2014-06-23T04:28:37+00:00</updated>
<author>
<name>Legrandin</name>
<email>helderijs@gmail.com</email>
</author>
<published>2014-05-07T10:20:46+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=f49fd0e1b57071e52200806d095679753fe36e17'/>
<id>f49fd0e1b57071e52200806d095679753fe36e17</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove a few custom exception types.</title>
<updated>2014-06-23T03:42:00+00:00</updated>
<author>
<name>Legrandin</name>
<email>helderijs@gmail.com</email>
</author>
<published>2014-03-04T21:04:34+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=629c26c21857f205b08211d7b1333eb5580c525d'/>
<id>629c26c21857f205b08211d7b1333eb5580c525d</id>
<content type='text'>
The following custom exceptions are replaced with ValueError:
* Crypto.Util.PaddingError
* Crypto.PublicKey.KeyFormatError

The custom Crypto.Util.asn1.NoDerElementError is now private to the
module.

Some white spaces have been removed.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The following custom exceptions are replaced with ValueError:
* Crypto.Util.PaddingError
* Crypto.PublicKey.KeyFormatError

The custom Crypto.Util.asn1.NoDerElementError is now private to the
module.

Some white spaces have been removed.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix tobytes() broken by previous commit.</title>
<updated>2014-06-23T03:17:45+00:00</updated>
<author>
<name>Dwayne Litzenberger</name>
<email>dlitz@dlitz.net</email>
</author>
<published>2014-06-23T03:17:45+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=f070adf984c6bb3ef72a3bf3d05648ea304eaa61'/>
<id>f070adf984c6bb3ef72a3bf3d05648ea304eaa61</id>
<content type='text'>
Python 2.1 str objects don't have a .decode() method.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Python 2.1 str objects don't have a .decode() method.
</pre>
</div>
</content>
</entry>
<entry>
<title>Get rid of catch-all exceptions. LP#1178485.</title>
<updated>2014-06-23T03:16:05+00:00</updated>
<author>
<name>Richard Mitchell</name>
<email>richard.j.mitchell@gmail.com</email>
</author>
<published>2014-04-29T13:55:26+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=9e171b794f102f5745076051202997df9eac254a'/>
<id>9e171b794f102f5745076051202997df9eac254a</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix tests when running under "python -OO" (PYTHONOPTIMIZE set to 1 or 2)</title>
<updated>2014-06-22T11:07:24+00:00</updated>
<author>
<name>Dwayne Litzenberger</name>
<email>dlitz@dlitz.net</email>
</author>
<published>2014-06-22T10:32:46+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=54f2bc5b81124bfff8fa7f1b7cd6287a1fee1152'/>
<id>54f2bc5b81124bfff8fa7f1b7cd6287a1fee1152</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix BytesWarning when running with "python3 -bb"</title>
<updated>2014-06-22T11:07:24+00:00</updated>
<author>
<name>Dwayne Litzenberger</name>
<email>dlitz@dlitz.net</email>
</author>
<published>2014-06-22T10:06:01+00:00</published>
<link rel='alternate' type='text/html' href='http://trove.baserock.org/cgit/delta/python-packages/pycrypto.git/commit/?id=0ac94701bb52fef566f96ce43eb8db6befee9b60'/>
<id>0ac94701bb52fef566f96ce43eb8db6befee9b60</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
</feed>
