path: root/lib/Crypto/SelfTest
Commit message (author, date; files changed, lines -removed/+added)
* Extended fix for the RSA boundary check (Legrandin, 2014-06-22; 1 file, -0/+11)
* Remove a few custom exception types. (Legrandin, 2014-06-22; 1 file, -23/+23)

  The following custom exceptions are replaced with ValueError:

    * Crypto.Util.PaddingError
    * Crypto.PublicKey.KeyFormatError

  The custom Crypto.Util.asn1.NoDerElementError is now private to the module.

  Some whitespace has been removed.
* Get rid of catch-all exceptions. LP#1178485. (Richard Mitchell, 2014-06-22; 1 file, -2/+2)
* Fix tests when running under "python -OO" (PYTHONOPTIMIZE set to 1 or 2) (Dwayne Litzenberger, 2014-06-22; 4 files, -5/+24)
* Fix BytesWarning when running with "python3 -bb" (Dwayne Litzenberger, 2014-06-22; 1 file, -1/+1)
* Fix handle_fastmath_import_error (broken due to incorrect path in the previous commit) (Dwayne Litzenberger, 2014-02-22; 1 file, -10/+11)

  Tested on py21-py33 by force-uninstalling libgmp10 after building.
* Refactor 3 places handling fastmath ImportError (Marc Abramowitz, 2014-02-22; 4 files, -30/+18)

  so that they call `Crypto.SelfTest.st_common.handle_fastmath_import_error`, thereby eliminating duplicate code.
* Use different method for getting ext_suffix (Marc Abramowitz, 2014-02-22; 3 files, -3/+6)

    ext_suffix = get_config_var("EXT_SUFFIX") or get_config_var("SO")

  because `get_config_var("SO")` returns None in Python 3.4.0a4 because the "SO" variable is deprecated and "EXT_SUFFIX" is the new way to get this information (see: http://bugs.python.org/issue19555)

  This fixes `TypeError: Can't convert 'NoneType' object to str implicitly` errors when running the tests on Python 3.4.0a4.
* Throw exception when IV is used with ECB or CTR (Legrandin, 2014-02-21; 1 file, -8/+23)

  The IV parameter is currently ignored when initializing a cipher in ECB or CTR mode.

  For CTR mode, it is confusing: it takes some time to see that a different parameter is needed (the counter).

  For ECB mode, it is outright dangerous.

  This patch forces an exception to be raised.
* Rename S2V -> _S2V until we come up with a real PRF API (Dwayne Litzenberger, 2013-10-20; 1 file, -3/+3)
* hexverify: Fix handling unicode strings on Python 3.2 (Dwayne Litzenberger, 2013-10-20; 1 file, -1/+11)

  We were getting this error on Python 3.2:

    ERROR: runTest (Crypto.SelfTest.Hash.common.MACSelfTest)
    CMAC #17: NIST SP 800 38B D.7 Example 17
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "build/lib.linux-x86_64-3.2/Crypto/SelfTest/Hash/common.py", line 199, in runTest
        self.assertRaises(ValueError, h.hexverify, "4556")
      File "/home/dwon/py/pythons/python3.2/lib/python3.2/unittest/case.py", line 557, in assertRaises
        callableObj(*args, **kwargs)
      File "build/lib.linux-x86_64-3.2/Crypto/Hash/CMAC.py", line 323, in hexverify
        self.verify(unhexlify(hex_mac_tag))
    TypeError: 'str' does not support the buffer interface
* Add encrypt_and_digest() and decrypt_and_verify() (Legrandin, 2013-10-20; 1 file, -23/+46)

  This patch adds encrypt_and_digest() and decrypt_and_verify() methods to a cipher object. In most cases they are just shortcuts to the existing functions. For SIV mode, decrypt_and_verify() replaces decrypt().

  [dlitz@dlitz.net: Squashed with bugfix commit:]

    Bug in encrypt_and_digest() (all AEAD modes)

    decrypt() was being called instead of encrypt(). Added also a unit test to validate that composition of encrypt_and_digest() and decrypt_and_verify() is the identity function.

  [dlitz@dlitz.net: Included changes from the following commit from the author's pull request:]
  - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
  [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
  [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
* Add support for GCM mode (AES only). (Legrandin, 2013-10-20; 2 files, -2/+199)

  The main change done by this commit is adding support for MODE_GCM (NIST SP 800 38D). Test vectors are included.

  The mode uses a C extension (Crypto.Util.galois._ghash) to compute the GHASH step. The C implementation is the most basic one and it is still significantly (5x times) slower than CTR. Optimizations can be introduced using tables (CPU/memory trade-off) or even AES NI instructions on newer x86 CPUs.

  This patch also simplifies Crypto.Cipher.blockalgo.py by:

    * removing duplicated code previously shared by digest() and verify().
    * removing duplicated code previously shared by Crypto.Hash.CMAC and Crypto.Cipher.block_algo (management of internal buffers for MACs that can only operate on block aligned data, like CMAC, CBCMAC, and now also GHASH).

  [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
  - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
  - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
  [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
  [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
  [dlitz@dlitz.net: Replaced renamed variable `ht` with original `h`]
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* Add support for SIV (Synthetic IV) mode (Legrandin, 2013-10-20; 3 files, -23/+147)

  This patch adds support for SIV, an AEAD block cipher mode defined in RFC5297. SIV is only valid for AES.

  The PRF of SIV (S2V) is factored out in the Protocol.KDF module.

  See the following example to get a feeling of the API (slightly different than other AEAD mode, during decryption).

  Encryption (Python 2):

    >>> from Crypto.Cipher import AES
    >>> key = b'0'*32
    >>> siv = AES.new(key, AES.MODE_SIV)
    >>> ct = siv.encrypt(b'Message')
    >>> mac = siv.digest()

  Decryption (Python 2):

    >>> from Crypto.Cipher import AES, MacMismatchError
    >>> key = b'0'*32
    >>> siv = AES.new(key, AES.MODE_SIV)
    >>> pt = siv.decrypt(ct + mac)
    >>> try:
    ...     siv.verify(mac)
    ...     print "Plaintext", pt
    ... except MacMismatchError:
    ...     print "Error"

  This change also fixes the description/design of AEAD API.

  With SIV (RFC5297), decryption can only start when the MAC is known. The original AEAD API did not support that.

  For SIV the MAC is now exceptionally passed together with the ciphertext to the decrypt() method.

  [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
  - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
  - [d7727fb] Fix description/design of AEAD API.
  - [fb62fae] ApiUsageError becomes TypeError [whitespace]
  - [4ec64d8] Removed last references to ApiUsageError [whitespace]
  - [ee46922] Removed most 'import *' statements
  - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
  [dlitz@dlitz.net: A conflict that was not resolved in the previous commit was originally resolved here. Moved the resolution to the previous commit.]
  [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
  [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* Add EAX authenticated encryption mode (Legrandin, 2013-10-20; 2 files, -6/+92)

  [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
  - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
  - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
  [dlitz@dlitz.net: Fixed unresolved conflict in lib/Crypto/Cipher/blockalgo.py]
* Add support for CCM mode (AES only). (Legrandin, 2013-10-20; 2 files, -15/+559)

  [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
  - [5306cf3] Added support for CCM mode (AES cipher only)
  - [9abe301] Added CCM tests
  - [f0c1395] Add MacMismatchError and ApiUsageError
  - [fb62fae] ApiUsageError becomes TypeError
  - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
  - [4ec64d8] Removed last references to ApiUsageError
  - [80bfd35] Corrected AES-CCM examples
  [dlitz@dlitz.net: Removed unrelated documentation change]
  [dlitz@dlitz.net: Renamed 'targs' back to 'args']
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* Add support for CMAC (Legrandin, 2013-10-20; 2 files, -0/+250)

  This patch adds support for CMAC (RFC4493, NIST SP800-38B).

  [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* Removed most 'import *' statements (Legrandin, 2013-10-20; 7 files, -10/+17)

  [dlitz@dlitz.net: Re-ordered commits; so don't import S2V yet]
  [dlitz@dlitz.net: Included an additional 'import *' change from the following commit:]

    commit 4ec64d8eaaa4965889eb8e3b801fc77aa84e0a4e
    Author: Legrandin <helderijs@gmail.com>
    Date:   Tue Sep 10 07:28:08 2013 +0200

        Removed last references to ApiUsageError

  [dlitz@dlitz.net: Removed unrelated whitespace changes]
* Added KDF unit tests to suite (Legrandin, 2013-10-20; 1 file, -0/+1)
* MAC unit tests become independent of hashes (Legrandin, 2013-10-20; 2 files, -63/+71)

  The MAC unit tests assume that the MAC algorithm is based on hash functions (HMAC). Additionally, a single test vector is quite complex in that it includes result for multiple tests (each performed on the same data, but with different hashes).

  This patch simplifies the MAC unit test so that it does not depend on hashes and a test vector is simply made up by:

    * 1 input
    * 1 result
    * All parameters to pass to the new() function

  [dlitz@dlitz.net: Replaced custom MacMismatchError with ValueError.]
  [dlitz@dlitz.net: Replaced 'import *' with appropriate imports.]
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* Add HMAC.verify() and HMAC.hexverify() with constant-time comparison (Legrandin, 2013-10-20; 1 file, -1/+12)

  In the current implementation, it is left up to the caller to assess if the locally computed MAC matches the MAC associated to the received message. However, the most natural way to do that (use == operator) is also deeply insecure, see here:

    http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf

  With this patch, the new HMAC.verify() method accepts the given MAC and performs the check on behalf of the caller. The method will use constant-time code (still dependent on the length of the MAC, but not on the actual content).

  [dlitz@dlitz.net: Modified commit message subject line.]
  [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
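The verify()/hexverify() shape described in the commit above, as an added example that is not PyCrypto's code: it is built on the standard library's hmac and hashlib (HMAC-SHA256 instead of Crypto.Hash.HMAC), the key and message are constructed sample values, and the naive_equal() helper is included only to show the "==" pattern the commit replaces.

```python
# Added example, not PyCrypto's code: a verify()/hexverify() pair in the shape
# the commit describes, built on the Python standard library (hmac, hashlib).
# The tag comparison uses hmac.compare_digest, whose running time depends on
# the tag length but not on which byte differs, instead of the "==" operator,
# which stops at the first mismatching byte.
import hashlib
import hmac
from binascii import unhexlify

# Constructed sample inputs (not from the page).
KEY = b"constructed-demo-key"
MESSAGE = b"constructed message body"


def compute_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag of message under key (stdlib hmac, not Crypto.Hash.HMAC)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def naive_equal(expected: bytes, received: bytes) -> bool:
    """The comparison the commit replaces: bytes '==' short-circuits on the
    first differing byte, so the time taken leaks the length of the common prefix."""
    return expected == received


def verify(key: bytes, message: bytes, mac_tag: bytes) -> None:
    """Raise ValueError unless mac_tag is the MAC of message under key.

    As in the commit, the caller hands over the received tag and the check
    happens here, in constant time with respect to the tag contents.
    """
    expected = compute_mac(key, message)
    if not hmac.compare_digest(expected, mac_tag):
        raise ValueError("MAC check failed")


def hexverify(key: bytes, message: bytes, hex_mac_tag: str) -> None:
    """Same check, with the tag supplied as a hex string (as in CMAC.hexverify)."""
    # Encode first: unhexlify() wants bytes on Python 3, which is the TypeError
    # the "hexverify: Fix handling unicode strings on Python 3.2" commit fixes.
    verify(key, message, unhexlify(hex_mac_tag.encode("ascii")))


def is_valid(key: bytes, message: bytes, mac_tag: bytes) -> bool:
    """Boolean wrapper around verify() for callers that prefer not to catch."""
    try:
        verify(key, message, mac_tag)
        return True
    except ValueError:
        return False


def is_valid_hex(key: bytes, message: bytes, hex_mac_tag: str) -> bool:
    """Boolean wrapper around hexverify(); malformed hex counts as invalid."""
    try:
        hexverify(key, message, hex_mac_tag)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    tag = compute_mac(KEY, MESSAGE)
    print("good tag:", is_valid(KEY, MESSAGE, tag))
    print("bad tag: ", is_valid(KEY, MESSAGE, b"\x00" * len(tag)))
    print("good hex:", is_valid_hex(KEY, MESSAGE, tag.hex()))
```

A mismatch is reported by raising ValueError rather than by returning False, matching the later dlitz notes on this page that replaced MacMismatchError with ValueError; the boolean wrappers exist only so the result can be checked from a test.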
* whitespace changes (pre-AEAD) (Legrandin, 2013-10-20; 4 files, -14/+14)

  [dlitz@dlitz.net: Whitespace changes extracted from the author's pull request:]
  - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
  - [4ec64d8] Removed last references to ApiUsageError
  - [ee46922] Removed most 'import *' statements
* Merge tag 'v2.6.1' (fix CVE-2013-1445) (Dwayne Litzenberger, 2013-10-20; 2 files, -0/+172)

  This is the PyCrypto 2.6.1 release.

  Dwayne Litzenberger (4):
        Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445)
        Fortuna: Add comments for reseed_interval and min_pool_size to FortunaAccumulator
        Update the ChangeLog
        Release v2.6.1
* Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445) (Dwayne Litzenberger, 2013-10-14; 2 files, -0/+172)

  == Summary ==

  In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number generator (PRNG) exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

  An application may be affected if, within 100 milliseconds, it performs the following steps (which may be summarized as "read-fork-read-read"):

    1. Read from the Crypto.Random PRNG, causing an internal reseed;
    2. Fork the process and invoke Crypto.Random.atfork() in the child;
    3. Read from the Crypto.Random PRNG again, in at least two different processes (parent and child, or multiple children).

  Only applications that invoke Crypto.Random.atfork() and perform the above steps are affected by this issue. Other applications are unaffected.

  Note: Some PyCrypto functions, such as key generation and PKCS#1-related functions, implicitly read from the Crypto.Random PRNG.

  == Technical details ==

  Crypto.Random uses Fortuna[1] to generate random numbers. The flow of entropy looks something like this:

    /dev/urandom -\
                   +-> "accumulator" --> "generator" --> output
    other sources -/   (entropy pools)    (AES-CTR)

  - The "accumulator" maintains several pools that collect entropy from the environment.
  - The "generator" is a deterministic PRNG that is reseeded by the accumulator. Reseeding normally occurs during each request for random numbers, but never more than once every 100 ms (the "minimum reseed interval").

  When a process is forked, the parent's state is duplicated in the child. In order to continue using the PRNG, the child process must invoke Crypto.Random.atfork(), which collects new entropy from /dev/urandom and adds it to the accumulator. When new PRNG output is subsequently requested, some of the new entropy in the accumulator is used to reseed the generator, causing the output of the child to diverge from its parent.

  However, in previous versions of PyCrypto, Crypto.Random.atfork() did not explicitly reset the child's rate-limiter, so if the child requested PRNG output before the minimum reseed interval of 100 ms had elapsed, it would generate its output using state inherited from its parent. This created a race condition between the parent process and its forked children that could cause them to produce identical PRNG output for the duration of the 100 ms minimum reseed interval.

  == Demonstration ==

  Here is some sample code that illustrates the problem:

    from binascii import hexlify
    import multiprocessing, pprint, time
    import Crypto.Random

    def task_main(arg):
        a = Crypto.Random.get_random_bytes(8)
        time.sleep(0.1)
        b = Crypto.Random.get_random_bytes(8)
        rdy, ack = arg
        rdy.set()
        ack.wait()
        return "%s,%s" % (hexlify(a).decode(), hexlify(b).decode())

    n_procs = 4
    manager = multiprocessing.Manager()
    rdys = [manager.Event() for i in range(n_procs)]
    acks = [manager.Event() for i in range(n_procs)]
    Crypto.Random.get_random_bytes(1)
    pool = multiprocessing.Pool(processes=n_procs, initializer=Crypto.Random.atfork)
    res_async = pool.map_async(task_main, zip(rdys, acks))
    pool.close()
    [rdy.wait() for rdy in rdys]
    [ack.set() for ack in acks]
    res = res_async.get()
    pprint.pprint(sorted(res))
    pool.join()

  The output should be random, but it looked like this:

    ['c607803ae01aa8c0,2e4de6457a304b34',
     'c607803ae01aa8c0,af80d08942b4c987',
     'c607803ae01aa8c0,b0e4c0853de927c4',
     'c607803ae01aa8c0,f0362585b3fceba4']

  == Solution ==

  The solution is to upgrade to PyCrypto v2.6.1 or later, which properly resets the rate-limiter when Crypto.Random.atfork() is invoked in the child.

  == References ==

  [1] N. Ferguson and B. Schneier, _Practical Cryptography_, Indianapolis: Wiley, 2003, pp. 155-184.
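The "read-fork-read-read" race described in the advisory above, replayed on a toy model, as an added example that is not PyCrypto's code: the accumulator, the rate-limited reseed and the deterministic generator are reimplemented in a few lines (SHA-256 in counter mode stands in for AES-CTR, and copying the object stands in for fork()), so the effect of atfork() clearing last_reseed can be observed offline without the real Crypto.Random or multiprocessing. The class and function names are assumptions for this example.

```python
# Added example, not PyCrypto's code: a toy model of the Crypto.Random flow in
# the advisory (accumulator -> rate-limited reseed -> deterministic generator),
# used to show why atfork() must reset last_reseed. The generator is SHA-256
# in counter mode instead of AES-CTR, and "fork" is modelled by copying the
# object, so the run is deterministic, offline and needs no os.fork().
import copy
import hashlib
import os

MIN_RESEED_INTERVAL = 0.1   # seconds: the 100 ms minimum reseed interval


class ToyRandom:
    """Accumulator + generator with Fortuna-style reseed rate limiting (hypothetical)."""

    def __init__(self) -> None:
        self.key = b"\x00" * 32          # generator key, replaced on reseed
        self.counter = 0                 # generator block counter
        self.pending = bytearray()       # accumulator: entropy not yet mixed in
        self.last_reseed = None          # time of last reseed (the rate-limiter)

    def add_entropy(self, data: bytes) -> None:
        self.pending += data

    def _maybe_reseed(self, now: float) -> None:
        """Reseed from the accumulator, but never more than once per interval."""
        too_soon = (self.last_reseed is not None
                    and now - self.last_reseed < MIN_RESEED_INTERVAL)
        if self.pending and not too_soon:
            self.key = hashlib.sha256(self.key + bytes(self.pending)).digest()
            self.pending = bytearray()
            self.last_reseed = now

    def get_random_bytes(self, n: int, now: float) -> bytes:
        """Every request first offers the accumulator a chance to reseed."""
        self._maybe_reseed(now)
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]

    def atfork(self, now: float, reset_rate_limiter: bool) -> None:
        """What the child calls after fork: collect fresh entropy and, in the
        fixed version only, clear last_reseed so the next read reseeds at once."""
        self.add_entropy(os.urandom(32))
        if reset_rate_limiter:
            self.last_reseed = None


def read_fork_read_read(reset_rate_limiter: bool):
    """Replay the advisory's read-fork-read-read sequence inside 100 ms.

    Returns (parent_output, child_output) for the final reads.
    """
    parent = ToyRandom()
    parent.add_entropy(os.urandom(32))
    parent.get_random_bytes(1, now=0.000)     # 1. read -> internal reseed at t=0
    child = copy.deepcopy(parent)             # 2. fork duplicates the PRNG state...
    child.atfork(now=0.010, reset_rate_limiter=reset_rate_limiter)  # ...then atfork()
    # 3. both processes read again, 20 ms after the parent's reseed
    return (parent.get_random_bytes(8, now=0.020),
            child.get_random_bytes(8, now=0.020))


if __name__ == "__main__":
    p, c = read_fork_read_read(reset_rate_limiter=False)
    print("before fix: parent == child:", p == c)
    p, c = read_fork_read_read(reset_rate_limiter=True)
    print("after fix:  parent == child:", p == c)
```

With reset_rate_limiter=False the child has fresh entropy waiting in its accumulator but the inherited last_reseed blocks the reseed, so parent and child emit the same eight bytes; with the fix, the child reseeds on its first read and the outputs differ.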
* Added unit tests for bugfix #1119552 (Legrandin, 2013-07-14; 1 file, -0/+27)
* Fix unhexlify in Python 3.2 (Dwayne Litzenberger, 2013-07-14; 2 files, -33/+33)

  Under Python 3.2, unhexlify expects to receive a `bytes` object. Passing it a (unicode) `str` object causes it to raise the following exception:

    TypeError: 'str' does not support the buffer interface
* Add support for import/export of DSA keys (Legrandin, 2013-07-14; 3 files, -1/+396)

  This patch adds methods importKey() to DSA module and exportKey() to _DSAobj object.

  Public and private keys can be imported/exported in a variety of formats:

    * DER vs PEM
    * PKCS#8 vs OpenSSL vs OpenSSH/OpenSSL
    * Encrypted vs clear
* Added support for PKCS#8-encrypted private keys. (Legrandin, 2013-07-14; 16 files, -39/+689)

  The patch contains the following changes:

  - Private RSA keys can be imported/exported in encrypted form, protected according to PKCS#8 and:

      * PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC.
      * PBKDF2WithHMAC-SHA1AndAES128-CBC
      * PBKDF2WithHMAC-SHA1AndAES192-CBC
      * PBKDF2WithHMAC-SHA1AndAES256-CBC

    In addition to that, it is possible to import keys in the following weak formats:

      * pbeWithMD5AndDES-CBC
      * pbeWithSHA1AndRC2-CBC
      * pbeWithMD5AndRC2-CBC
      * pbeWithSHA1AndDES-CBC

  - The following new module (and 1 new package) are added:

      * Crypto.Util.Padding for simple padding/unpadding logic
      * Crypto.IO._PBES for PBE-related PKCS#5 logic
      * Crypto.IO.PEM for PEM wrapping/unwrapping
      * Crypto.IO.PKCS8 for PKCS#8 wrapping/unwrapping

  - All Object ID (OIDs) are now in dotted form to increase readability.
  - Add AES support to PEM format (decode only). The PEM module can decrypt messages protected with AES-CBC.
  - Update RSA import test cases.
  - Updated to PKCS8 test cases
* Refactoring of the asn1 module (Legrandin, 2013-07-14; 1 file, -244/+604)

  The following changes are included:

  - Decoding is a much simpler operation. The internal logic is based on stream of binary data, and not on string indexing anymore. Additionally, decoding used to look like this:

        bitmap = DerObject()
        bitmap.decode(input_buffer, True)
        if bitmap.isType('BIT STRING'):
            ... proceed with parsing ...
        else:
            ... error ...

    Whereas now, it is cleaner and more compact:

        bitmap = DerBitString()
        bitmap.decode(input_buffer)

    Any error condition will lead to an exception.

  - isType() method has been removed because of the above.
  - Added examples and documentation
  - Added support for IMPLICIT tags
  - Added support for negative INTEGERs
  - Added DerSetOf ASN.1 class
  - DerObjectID can be initialized from the dotted representation of the Object ID.
  - DerBitString has a new member 'value' to hold the binary string. The member 'payload' should not be accessed anymore.
  - DerObjectID has a new member 'value' to hold the dotted representation of the Object ID string. The member 'payload' should not be accessed anymore.
  - Added operator += to DER SEQUENCE. Now it is possible to do:

        my_str = DerOctetString(b'ZYZ')
        seq = DerSequence()
        seq += 0
        seq += my_str.encode()

  - Update to test cases
* Fixed MODE_OFB requiring padding (dev-jjc, 2013-07-14; 2 files, -1/+25)

  Closes: https://bugs.launchpad.net/pycrypto/+bug/996193
  Closes: https://github.com/dlitz/pycrypto/pull/26

  [dlitz: Squashed and fixed whitespace.]
* Counter: Deprecate disable_shortcut; Remove __PCT_CTR_SHORTCUT__ entirely (Dwayne Litzenberger, 2013-07-14; 2 files, -23/+40)

  The `disable_shortcut` option served as a workaround in case `__PCT_CTR_SHORTCUT__` leaked through a wrapper object, but I don't think anyone actually used it, and it was a bad idea to expose it as part of the public API.

  Now that we do strong type checking inside block_template.c, there should be no need to ever use this option. It's now a no-op, retained for backward compatibility only. It will be removed in some future version of PyCrypto.
* AES-NI support: Python 2.1 Backward compatibility (Dwayne Litzenberger, 2013-04-21; 1 file, -1/+4)

  - METH_NOARGS was introduced in Python 2.2.
  - Python 2.1 doesn't have True and False builtins.
* Initial AES-NI support (Sebastian Ramacher, 2013-04-21; 2 files, -2/+9)
* Merge branch 'hash-speedup-wip' (Dwayne Litzenberger, 2013-04-21; 1 file, -17/+60)
  * Hash: Speed up initialization by removing pure-Python wrappers [branch hash-speedup-wip] (Dwayne Litzenberger, 2013-02-17; 1 file, -5/+21)

    The pure Python wrappers around Crypto.Hash.* were convenient, but they slowed down hash initialization by 4-7x.

    There is a speed trade-off here: The MD5 and SHA1 objects are just wrapped hashlib objects (or old-style md5/sha objects). To maintain API compatibility with the rest of PyCrypto, we still have to wrap them, so they're slower to initialize than the rest of the hash functions. If hashlib ever adds a .new() method, we will automatically use hashlib directly and gain the initialization speed-up.
  * Hash: Generic Crypto.Hash.new(algo, [data]) function (Dwayne Litzenberger, 2013-02-17; 1 file, -0/+35)

    This allows us to instantiate a new hash given only an existing hash object.
  * Hash: Remove "oid" attributes; add "name" attribute (Dwayne Litzenberger, 2013-02-17; 1 file, -12/+4)

    In PyCrypto v2.5, the "oid" attribute was added to hash objects. In retrospect, this was not a good idea, since the OID is not really a property of the hash algorithm, it's a protocol-specific identifier for the hash functions. PKCS#1 v1.5 uses it, but other protocols (e.g. OpenPGP, DNSSEC, SSH, etc.) use different identifiers, and it doesn't make sense to add these to Crypto.Hash.* every time a new algorithm is added.

    This also has the benefit of being compatible with the Python standard library's "hashlib" objects, which also have a name attribute.
* Pass correct stream to TestTextRunner (Sebastian Ramacher, 2013-04-05; 1 file, -0/+2)

  If stream is not None, add it to kwargs and pass it to TestTextRunner.

  Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
* Use correct stream (Sebastian Ramacher, 2013-04-05; 1 file, -1/+1)

  If stream is None, write the value of StringIO to sys.stderr.

  Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
* Hash: Rename SHA->SHA1 and RIPEMD->RIPEMD160 (1/2) (Dwayne Litzenberger, 2013-02-16; 8 files, -29/+29)

  These algorithm names were confusing, because there are actually algorithms called "SHA" (a.k.a. SHA-0) and "RIPEMD" (the original version).

  This commit just renames the modules, with no backward-compatibility support.
* Fix RSA object serialization: Python 3 compatibility (Dwayne Litzenberger, 2013-02-16; 1 file, -15/+21)
* Fix RSA object serialization (Frank Sievertsen, 2013-02-16; 1 file, -0/+60)
* Fix random.shuffle SelfTest (Dwayne Litzenberger, 2013-02-16; 1 file, -1/+1)

  random.shuffle("1") is a no-op, so it doesn't raise TypeError. This is now true of both the stdlib random.shuffle and PyCrypto's random.shuffle implementation.
* Add tests for error propagation in _fastmath (Dwayne C. Litzenberger, 2012-07-03; 1 file, -0/+29)

  Affects isPrime and getStrongPrime.

  See https://github.com/dlitz/pycrypto/pull/23 ("Store result of rabinMillerTest in an int.") for the bug report.
* Run test_negative_number_roundtrip_mpzToLongObj_longObjToMPZ only if _fastmath is available. (Sebastian Ramacher, 2012-06-28; 1 file, -1/+20)
* Added ARC4-drop[n] cipher (Legrandin, 2012-06-20; 1 file, -0/+20)
* Add test vectors for ARC4 (Legrandin, 2012-06-20; 1 file, -2/+358)

  Test vectors are taken from RFC 6229. All tests pass.
* Raise a ValueError as documented. (Sebastian Ramacher, 2012-05-28; 1 file, -0/+4)

  Also add a test case for it.
* Return a byte string if format is set to OpenSSH. (Sebastian Ramacher, 2012-05-28; 1 file, -1/+1)

  RSA.exportKey claims to return a byte string, so really return one.
* Reenable redefined tests. (Sebastian Ramacher, 2012-05-28; 3 files, -9/+10)

  The test suite contains tests that are disabled because they have the same name as other tests. Renaming them enables them again.

  PKCS1_OAEP_Tests.testEncryptDecrypt1 is updated to work with the new interface of PKCS1_OAEP.