Commit message  |  Author  |  Age  |  Files  |  Lines
* Do not run multiprocessing test if multiprocessing.synchronize is not workingpyca2.6.xSebastian Ramacher2013-10-171-0/+5
On platforms that do not have a working sem_open implementation, importing multiprocessing.synchronize will fail with an ImportError. While creating a multiprocessing.Pool instance, multiprocessing.synchronize will be imported and might throw an ImportError.

Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
* Release v2.6.1v2.6.1Dwayne Litzenberger2013-10-143-4/+4
This release is identical to PyCrypto v2.6, except it fixes the Crypto.Random race condition (CVE-2013-1445) and adds a few related comments.
* Update the ChangeLogDwayne Litzenberger2013-10-141-0/+52
|
* Fortuna: Add comments for reseed_interval and min_pool_size to FortunaAccumulator  Dwayne Litzenberger  2013-10-14  1  -2/+19
* Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445)Dwayne Litzenberger2013-10-144-0/+196
== Summary ==

In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number generator (PRNG) exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

An application may be affected if, within 100 milliseconds, it performs the following steps (which may be summarized as "read-fork-read-read"):

1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different processes (parent and child, or multiple children).

Only applications that invoke Crypto.Random.atfork() and perform the above steps are affected by this issue. Other applications are unaffected.

Note: Some PyCrypto functions, such as key generation and PKCS#1-related functions, implicitly read from the Crypto.Random PRNG.

== Technical details ==

Crypto.Random uses Fortuna[1] to generate random numbers. The flow of entropy looks something like this:

    /dev/urandom -\
                   +-> "accumulator" --> "generator" --> output
    other sources -/    (entropy pools)    (AES-CTR)

- The "accumulator" maintains several pools that collect entropy from the environment.
- The "generator" is a deterministic PRNG that is reseeded by the accumulator. Reseeding normally occurs during each request for random numbers, but never more than once every 100 ms (the "minimum reseed interval").

When a process is forked, the parent's state is duplicated in the child. In order to continue using the PRNG, the child process must invoke Crypto.Random.atfork(), which collects new entropy from /dev/urandom and adds it to the accumulator. When new PRNG output is subsequently requested, some of the new entropy in the accumulator is used to reseed the generator, causing the output of the child to diverge from its parent.

However, in previous versions of PyCrypto, Crypto.Random.atfork() did not explicitly reset the child's rate-limiter, so if the child requested PRNG output before the minimum reseed interval of 100 ms had elapsed, it would generate its output using state inherited from its parent. This created a race condition between the parent process and its forked children that could cause them to produce identical PRNG output for the duration of the 100 ms minimum reseed interval.

== Demonstration ==

Here is some sample code that illustrates the problem:

    from binascii import hexlify
    import multiprocessing, pprint, time
    import Crypto.Random

    def task_main(arg):
        a = Crypto.Random.get_random_bytes(8)
        time.sleep(0.1)
        b = Crypto.Random.get_random_bytes(8)
        rdy, ack = arg
        rdy.set()
        ack.wait()
        return "%s,%s" % (hexlify(a).decode(), hexlify(b).decode())

    n_procs = 4
    manager = multiprocessing.Manager()
    rdys = [manager.Event() for i in range(n_procs)]
    acks = [manager.Event() for i in range(n_procs)]
    Crypto.Random.get_random_bytes(1)
    pool = multiprocessing.Pool(processes=n_procs, initializer=Crypto.Random.atfork)
    res_async = pool.map_async(task_main, zip(rdys, acks))
    pool.close()
    [rdy.wait() for rdy in rdys]
    [ack.set() for ack in acks]
    res = res_async.get()
    pprint.pprint(sorted(res))
    pool.join()

The output should be random, but it looked like this:

    ['c607803ae01aa8c0,2e4de6457a304b34',
     'c607803ae01aa8c0,af80d08942b4c987',
     'c607803ae01aa8c0,b0e4c0853de927c4',
     'c607803ae01aa8c0,f0362585b3fceba4']

== Solution ==

The solution is to upgrade to PyCrypto v2.6.1 or later, which properly resets the rate-limiter when Crypto.Random.atfork() is invoked in the child.

== References ==

[1] N. Ferguson and B. Schneier, _Practical Cryptography_, Indianapolis: Wiley, 2003, pp. 155-184.
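The mechanism the commit message describes, as an added example that is not PyCrypto's code and not part of the original page: a toy Fortuna-style RNG with a minimum reseed interval, built so that the "read-fork-read-read" sequence can be stepped through deterministically. Everything here is assumed for illustration: the generator stage is HMAC-SHA256 in counter mode rather than AES-CTR, fork() is stood in for by copying the RNG object, /dev/urandom is stood in for by os.urandom, and the clock is injected so the 100 ms window can be placed exactly. The class and function names (FakeClock, ToyGenerator, ToyRNG, read_fork_read_read) are mine. The only difference between the "before" and "after" variants is whether atfork() also clears last_reseed, which is the v2.6.1 change named in the commit subject.

```python
"""Toy model of a Fortuna-style RNG with a minimum reseed interval.

Added example, not PyCrypto code: HMAC-SHA256 counter mode replaces AES-CTR,
fork() is simulated by copying the object, os.urandom replaces /dev/urandom,
and the clock is injected so the 100 ms window can be stepped deterministically.
"""

import copy
import hashlib
import hmac
import os

MIN_RESEED_INTERVAL = 0.100  # seconds; the rate limit described in the advisory


class FakeClock:
    """Injected wall clock so the demo can sit inside or outside the window."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ToyGenerator:
    """Deterministic PRNG stage (stand-in for Fortuna's AES-CTR generator)."""

    def __init__(self):
        self.key = b"\x00" * 32
        self.counter = 0

    def reseed(self, seed):
        # Mix the seed into the key; every later output depends on it.
        self.key = hashlib.sha256(self.key + seed).digest()
        self.counter = 0

    def pseudo_random(self, n):
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(16, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


class ToyRNG:
    """Accumulator + generator with the 100 ms minimum reseed interval."""

    def __init__(self, clock, reset_timer_on_fork):
        self.clock = clock
        self.reset_timer_on_fork = reset_timer_on_fork
        self.generator = ToyGenerator()
        self.pool = os.urandom(32)   # entropy collected but not yet used
        self.last_reseed = None      # None forces a reseed on the next read

    def _reseed_if_due(self):
        # Toy simplification: reseed whenever the interval has elapsed, even
        # from an empty pool (real Fortuna only draws from pools holding entropy).
        now = self.clock()
        if self.last_reseed is None or now - self.last_reseed >= MIN_RESEED_INTERVAL:
            self.generator.reseed(self.pool)
            self.pool = b""
            self.last_reseed = now

    def get_random_bytes(self, n):
        self._reseed_if_due()
        return self.generator.pseudo_random(n)

    def atfork(self):
        # Fresh entropy goes into the pool, which is what the pre-2.6.1
        # atfork() did as well ...
        self.pool += os.urandom(32)
        # ... but only the fixed variant also clears the rate limiter, so the
        # child's next read reseeds no matter how recently the parent did.
        if self.reset_timer_on_fork:
            self.last_reseed = None

    def fork(self):
        # A fork hands the child a copy of the parent's PRNG state. The clock
        # stays shared because both processes see the same wall time.
        child = copy.copy(self)
        child.generator = copy.deepcopy(self.generator)
        child.atfork()
        return child


def read_fork_read_read(reset_timer_on_fork, n=8):
    """Run the advisory's three steps. Returns (inside, after): the parent and
    child outputs read inside the 100 ms window, then again once it has passed."""
    clock = FakeClock()
    parent = ToyRNG(clock, reset_timer_on_fork)
    parent.get_random_bytes(1)           # 1. read -> internal reseed at t=0
    child = parent.fork()                # 2. fork + atfork() in the child
    clock.now = 0.050                    # still inside the 100 ms window
    inside = (parent.get_random_bytes(n), child.get_random_bytes(n))  # 3. read twice
    clock.now = 0.250                    # window elapsed: child reseeds from its pool
    after = (parent.get_random_bytes(n), child.get_random_bytes(n))
    return inside, after


if __name__ == "__main__":
    for fixed in (False, True):
        inside, after = read_fork_read_read(fixed)
        print("atfork resets last_reseed:", fixed)
        print("  inside window: parent=%s child=%s same=%s"
              % (inside[0].hex(), inside[1].hex(), inside[0] == inside[1]))
        print("  after window:  parent=%s child=%s same=%s"
              % (after[0].hex(), after[1].hex(), after[0] == after[1]))
```

With reset_timer_on_fork=False the child inherits the parent's last_reseed, so its first read inside the window skips the reseed and returns exactly the parent's bytes, which is the duplicated first column in the commit message's output; once the interval has elapsed the child reseeds from the entropy atfork() added and the streams diverge on their own. With reset_timer_on_fork=True the child reseeds on its very first read and never shares output with the parent. On a real installation the check is simply that Crypto.__version__ reports 2.6.1 or later.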
* Release v2.6v2.6Dwayne C. Litzenberger2012-05-243-4/+4
|
* Update the ChangeLogDwayne C. Litzenberger2012-05-241-0/+53
|
* Fix block ciphers allowing empty string as IVDwayne C. Litzenberger2012-05-242-2/+27
| | | | Bug report: https://bugs.launchpad.net/pycrypto/+bug/997464
* In ALGnew, check the mode before checking other parametersDwayne C. Litzenberger2012-05-241-15/+15
|
* Remove -std=c99 when building using aCC compiler HP-UXDwayne C. Litzenberger2012-05-241-0/+4
| | | | Bug report: https://bugs.launchpad.net/pycrypto/+bug/980358
* Remove qNEW signature algorithmDwayne C. Litzenberger2012-05-243-190/+1
| | | | I doubt anyone uses it anyway, and we have no test suite for it.
* Fix typos in docsDwayne C. Litzenberger2012-05-232-2/+2
|
* Add ability to import RSAPublicKey objects (encoded in DER or PEM)Legrandin2012-05-182-6/+36
|
* Describe unit tests for importKeyLegrandin2012-05-181-2/+12
|
* Clarification of how RSA keys can be imported/exportedLegrandin2012-05-181-14/+23
|
* Performance test: display CFB-8 as CFB mode being testLegrandin2012-05-181-1/+1
|
* Added test vectors from NIST 800-38ALegrandin2012-05-181-0/+136
Test vectors cover ECB, CBC, OFB, CFB-8, CFB-128, and CTR modes for AES-128, AES-192, and AES-256.

Test vectors for CFB-1 have not been added because it is not a mode supported by PyCrypto.
* Added OPENPGP mode to RoundTripTestsLegrandin2012-05-171-2/+8
|
* Fix to make Crypto.Cipher work with Python3 againLegrandin2012-05-171-1/+3
|
* Added OPENPGP speed testLegrandin2012-05-171-0/+1
|
* Added example for OPENPGP mode in CAST moduleLegrandin2012-05-171-2/+8
|
* Added OpenPGP modeLegrandin2012-05-1710-24/+254
|
* Fixed 2 typos in documentationLegrandin2012-05-172-2/+2
|
* Added example for all symmetric ciphersLegrandin2012-05-147-3/+85
|
* Removed PGP mode from block ciphersLegrandin2012-05-144-142/+25
|
* Added cipher type columnLegrandin2012-05-141-20/+20
|
* Add documentation for XOR cipherLegrandin2012-05-144-3/+89
|
* Minor fixes for documentation of ciphersLegrandin2012-05-147-10/+5
- Fixed key lengths described with xrange()
- Removed unnecessary imports.
- Removed documentation for compiled modules starting with '_'.
* Added documentation for ARC4Legrandin2012-05-143-2/+110
|
* Added documentation for CAST-128Legrandin2012-05-123-2/+99
|
* Added documentation for RC2Legrandin2012-05-123-2/+113
|
* Added documentation for BlowfishLegrandin2012-05-113-2/+98
|
* Fixes to make test suite pass for Python 2.1 and Python 3Legrandin2012-05-114-6/+12
|
* TDES unit tests got broken. Fixed them again.Legrandin2012-05-101-1/+1
|
* Added documentation for Triple DES.Legrandin2012-05-104-2/+114
|
* Added description of what DES is.Legrandin2012-05-101-1/+15
|
* Added documentation for Counter moduleLegrandin2012-05-101-1/+63
|
* Added documentation for AES and DES.Legrandin2012-05-106-4/+368
A new module (blockalgo) has been added. It contains a class (BlockAlgo) all ciphers derive from. The only purpose of such base class is to centralize all general documentation applicable to all block ciphers (e.g. modes) into a single file.
* Added documentation for all hash algorithmsLegrandin2012-05-0513-302/+801
(including for HMAC which, strictly speaking, does not belong with them).
* Add negative test for signature verification.Legrandin2012-05-031-2/+6
Verify that ElGamal signature works with longs (it was disabled by mistake).
* Added test vectors for ElGamal signatures.Legrandin2012-05-031-18/+58
|
* Add ElGamal tests to the test suite.Legrandin2012-04-271-0/+1
|
* Fixed two small bugs in ElGamal code.Legrandin2012-04-261-4/+4
|
* Added some test vectors for ElGamal (encryption only). Fixed two small bugs in ElGamal code.  Legrandin  2012-04-26  1  -0/+166
* Merge branch 'master' of git://github.com/dlitz/pycryptoLegrandin2012-04-263-12/+62
|\
| * _fastmath: Convert negative numbers properlyDwayne C. Litzenberger2012-04-252-7/+29
| |
| * some commentsDwayne C. Litzenberger2012-04-251-1/+2
| |
| * _fastmath: missing Py_BLOCK_THREADS on isPrime(1)Dwayne C. Litzenberger2012-04-252-2/+6
| | When _fastmath is present, the following code caused the Python interpreter to abort with a fatal error:
| |
| |     from Crypto.Util.number import isPrime
| |     isPrime(1)   # Fatal Python error: PyEval_SaveThread: NULL tstate
| |
| | Bug report: https://bugs.launchpad.net/pycrypto/+bug/988431
| * Fix DevURandomRNG to work with Python3's new I/O stack.Sebastian Ramacher2012-04-211-2/+25
| |
* | Domain parameters for ElGamal and DSA can be freely shared. The message M to sign must really be a hash.  Legrandin  2012-04-26  2  -14/+26