| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
On platforms that do not have a working sem_open implementation, importing
multiprocessing.synchronize will fail with an ImportError. While creating a
multiprocessing.Pool instance, multiprocessing.synchronize will be imported and
might throw an ImportError.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
|
|
|
|
|
|
| |
This release is identical to PyCrypto v2.6, except it fixes the
Crypto.Random race condition (CVE-2013-1445) and adds a few related
comments.
|
| |
|
|
|
|
| |
FortunaAccumulator
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
== Summary ==
In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number
generator (PRNG) exhibits a race condition that may cause it to generate
the same 'random' output in multiple processes that are forked from each
other. Depending on the application, this could reveal sensitive
information or cryptographic keys to remote attackers.
An application may be affected if, within 100 milliseconds, it performs
the following steps (which may be summarized as "read-fork-read-read"):
1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different
processes (parent and child, or multiple children).
Only applications that invoke Crypto.Random.atfork() and perform the
above steps are affected by this issue. Other applications are
unaffected.
Note: Some PyCrypto functions, such as key generation and PKCS#1-related
functions, implicitly read from the Crypto.Random PRNG.
== Technical details ==
Crypto.Random uses Fortuna[1] to generate random numbers. The flow of
entropy looks something like this:
/dev/urandom -\
+-> "accumulator" --> "generator" --> output
other sources -/ (entropy pools) (AES-CTR)
- The "accumulator" maintains several pools that collect entropy from
the environment.
- The "generator" is a deterministic PRNG that is reseeded by the
accumulator. Reseeding normally occurs during each request for random
numbers, but never more than once every 100 ms (the "minimum reseed
interval").
When a process is forked, the parent's state is duplicated in the child.
In order to continue using the PRNG, the child process must invoke
Crypto.Random.atfork(), which collects new entropy from /dev/urandom and
adds it to the accumulator. When new PRNG output is subsequently
requested, some of the new entropy in the accumulator is used to reseed
the generator, causing the output of the child to diverge from its
parent.
However, in previous versions of PyCrypto, Crypto.Random.atfork() did
not explicitly reset the child's rate-limiter, so if the child requested
PRNG output before the minimum reseed interval of 100 ms had elapsed, it
would generate its output using state inherited from its parent.
This created a race condition between the parent process and its forked
children that could cause them to produce identical PRNG output for the
duration of the 100 ms minimum reseed interval.
== Demonstration ==
Here is some sample code that illustrates the problem:
from binascii import hexlify
import multiprocessing, pprint, time
import Crypto.Random
def task_main(arg):
a = Crypto.Random.get_random_bytes(8)
time.sleep(0.1)
b = Crypto.Random.get_random_bytes(8)
rdy, ack = arg
rdy.set()
ack.wait()
return "%s,%s" % (hexlify(a).decode(),
hexlify(b).decode())
n_procs = 4
manager = multiprocessing.Manager()
rdys = [manager.Event() for i in range(n_procs)]
acks = [manager.Event() for i in range(n_procs)]
Crypto.Random.get_random_bytes(1)
pool = multiprocessing.Pool(processes=n_procs,
initializer=Crypto.Random.atfork)
res_async = pool.map_async(task_main, zip(rdys, acks))
pool.close()
[rdy.wait() for rdy in rdys]
[ack.set() for ack in acks]
res = res_async.get()
pprint.pprint(sorted(res))
pool.join()
The output should be random, but it looked like this:
['c607803ae01aa8c0,2e4de6457a304b34',
'c607803ae01aa8c0,af80d08942b4c987',
'c607803ae01aa8c0,b0e4c0853de927c4',
'c607803ae01aa8c0,f0362585b3fceba4']
== Solution ==
The solution is to upgrade to PyCrypto v2.6.1 or later, which properly
resets the rate-limiter when Crypto.Random.atfork() is invoked in the
child.
== References ==
[1] N. Ferguson and B. Schneier, _Practical Cryptography_,
Indianapolis: Wiley, 2003, pp. 155-184.
|
| |
|
| |
|
|
|
|
| |
Bug report: https://bugs.launchpad.net/pycrypto/+bug/997464
|
| |
|
|
|
|
| |
Bug report: https://bugs.launchpad.net/pycrypto/+bug/980358
|
|
|
|
| |
I doubt anyone uses it anyway, and we have no test suite for it.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Test vectors cover ECB, CBC, OFB, CFB-8, CFB-128, and CTR modes
for AES-128, AES-192, and AES-256.
Test vectors for CFB-1 have not been added because it is not a mode
supported by PyCrypto.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Fixed key lengths described with xrange()
Removed unnecessary imports.
Removed documentation for compiled modules starting with '_'.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
A new module (blockalgo) has been added. It contains a class (BlockAlgo)
all ciphers derive from. The only purpose of such base class
is to centralize all general documentation applicable to all block
ciphers (e.g. modes) into a single file.
|
|
|
|
| |
(including for HMAC which, strictly speaking, does not belong with them).
|
|
|
|
|
| |
Verify that Elgamal signature works with longs (it was disabled by
mistake).
|
| |
|
| |
|
| |
|
|
|
|
| |
in ElGamal code.
|
|\ |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When _fastmath is present, the following code caused the Python interpreter
to abort with a fatal error:
from Crypto.Util.number import isPrime
isPrime(1) # Fatal Python error: PyEval_SaveThread: NULL tstate
Bug report: https://bugs.launchpad.net/pycrypto/+bug/988431
|
| | |
|
| |
| |
| |
| | |
sign must really be hash.
|