| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.
However, in some extreme cases this may still fail. Bumping the maximum
number allow the algorithm to correctly find the right values for these
cases. This changes bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.
Note that this change does *not* result in a performance degradation.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.
If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.
This patch reduce the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache line of that size or larger).
This patch will reduce the overall performance.
This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch strenghten the DSA signing code against
side-channel attacks.
The DSA signing formulae:
r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q
becomes:
b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q
In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).
See also attack DSA_2 in:
"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The following custom exceptions are replaced with ValueError:
* Crypto.Util.PaddingError
* Crypto.PublicKey.KeyFormatError
The custom Crypto.Util.asn1.NoDerElementError is now private to the
module.
Some white spaces have been removed.
|
| |
|
|
| |
Python 2.1 str objects don't have a .decode() method.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
previous commit)
Tested on py21-py33 by force-uninstalling libgmp10 after building.
|
| |
|
|
|
| |
so that they call `Crypto.SelfTest.st_common.handle_fastmath_import_error`,
thereby eliminiating duplicate code.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
```
ext_suffix = get_config_var("EXT_SUFFIX") or get_config_var("SO")
```
because `get_config_var("SO")` returns None in Python 3.4.0a4 because the "SO"
variable is deprecated and "EXT_SUFFIX" is the new way to get this information
(see: http://bugs.python.org/issue19555)
This fixes `TypeError: Can't convert 'NoneType' object to str implicitly`
errors when running the tests on Python 3.4.0a4.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The IV parameter is currently ignored when initializing
a cipher in ECB or CTR mode.
For CTR mode, it is confusing: it takes some time to see
that a different parameter is needed (the counter).
For ECB mode, it is outright dangerous.
This patch forces an exception to be raised.
|
| |
|
|
|
|
|
|
|
|
| |
As it stood before this commit, the hash was never used in the signing
process. It looks like the bug was introduced by e053629 (Restructure
both PKCS#1 signature schemes as objects, 2011-10-16), which changed:
- >>> signature = PKCS1_PSS.sign(h, key)
+ >>> signer = PKCS1_PSS.new(key)
+ >>> signature = PKCS1_PSS.sign(key)
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were getting this error on Python 3.2:
ERROR: runTest (Crypto.SelfTest.Hash.common.MACSelfTest)
CMAC #17: NIST SP 800 38B D.7 Example 17
----------------------------------------------------------------------
Traceback (most recent call last):
File "build/lib.linux-x86_64-3.2/Crypto/SelfTest/Hash/common.py", line 199, in runTest
self.assertRaises(ValueError, h.hexverify, "4556")
File "/home/dwon/py/pythons/python3.2/lib/python3.2/unittest/case.py", line 557, in assertRaises
callableObj(*args, **kwargs)
File "build/lib.linux-x86_64-3.2/Crypto/Hash/CMAC.py", line 323, in hexverify
self.verify(unhexlify(hex_mac_tag))
TypeError: 'str' does not support the buffer interface
|
| |
|
|
|
|
| |
This is for consistency with the rest of PyCrypto.
Closes: https://bugs.launchpad.net/pycrypto/+bug/1132550
|
| | |
|
| |
|
|
|
|
|
|
| |
unusable
This makes the CMAC module behave more like most Python functions do
when a required argument is missing, and reserves ValueError for a MAC
failure.
|
| |
|
|
| |
I don't want to make this a public API just yet.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds encrypt_and_digest() and decrypt_and_verify()
methods to a cipher object.
In most cases they are just shortcuts to the existing functions.
For SIV mode, decrypt_and_verify() replaces decrypt().
[dlitz@dlitz.net: Squashed with bugfix commit:]
Bug in encrypt_and_digest() (all AEAD modes)
decrypt() was being called instead of encrypt().
Added also a unit test to validate that composition
of encrypt_and_digest() and decrypt_and_verify()
is the identity function.
[dlitz@dlitz.net: Included changes from the following commit from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
GCM mode requires GHASH for 2 different operations: one for
the data (AD + ciphertext) and one for the IV.
Construction of tables to speed-up GHASH is very expensive
and it is worth doing only for the data, not for the IV.
This patch ensures that the GHASH for the IV does not
use tables, with a ~40% faster key setup.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tables take 64KByte per each key.
Encryption performance is more than doubled
(29 MBps vs 8MBps for AES128).
As a drawback, key setup is much slower (1300 key/s
on the same machine).
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter
of the _GHASH constructor is now the length of the block
(block_size) and not the full module.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The main change done by this commit is adding support
for MODE_GCM (NIST SP 800 38D). Test vectors are included.
The mode uses a C extension (Crypto.Util.galois._ghash)
to compute the GHASH step. The C implementation is the most
basic one and it is still significantly (5x times) slower than CTR.
Optimizations can be introduced using tables (CPU/memory trade-off)
or even AES NI instructions on newer x86 CPUs.
This patch also simplifies Crypto.Cipher.blockalgo.py by:
* removing duplicated code previously shared by digest() and verify().
* removing duplicated code previously shared by Crypto.Hash.CMAC
and Crypto.Cipher.block_algo (management of internal buffers
for MACs that can only operate on block aligned data, like
CMAC, CBCMAC, and now also GHASH).
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [ca460a7] Made blockalgo.py more PEP-8 compliant;
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Replaced renamed variable `ht` with original `h`]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch add supports for SIV, an AEAD block cipher
mode defined in RFC5297. SIV is only valid for AES.
The PRF of SIV (S2V) is factored out in the Protocol.KDF module.
See the following example to get a feeling of the API (slightly
different than other AEAD mode, during decryption).
Encryption (Python 2):
>>> from Crypto.Cipher import AES
>>> key = b'0'*32
>>> siv = AES.new(key, AES.MODE_SIV)
>>> ct = siv.encrypt(b'Message')
>>> mac = siv.digest()
Decryption (Python 2):
>>> from Crypto.Cipher import AES, MacMismatchError
>>> key = b'0'*32
>>> siv = AES.new(key, AES.MODE_SIV)
>>> pt = siv.decrypt(ct + mac)
>>> try:
>>> siv.verify(mac)
>>> print "Plaintext", pt
>>> except MacMismatchError:
>>> print "Error"
This change also fixes the description/design of AEAD API.
With SIV (RFC5297), decryption can only start when the MAC is known.
The original AEAD API did not support that.
For SIV the MAC is now exceptionally passed together with the ciphertext
to the decrypt() method.
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [d7727fb] Fix description/design of AEAD API.
- [fb62fae] ApiUsageError becomes TypeError [whitespace]
- [4ec64d8] Removed last references to ApiUsageError [whitespace]
- [ee46922] Removed most 'import *' statements
- [ca460a7] Made blockalgo.py more PEP-8 compliant;
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: A conflict that was not resolved in the previous
commit was originally resolved here. Moved the
resolution to the previous commit.]
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
| |
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter
of the _GHASH constructor is now the length of the block
(block_size) and not the full module.
[dlitz@dlitz.net: Fixed unresolved conflict in lib/Crypto/Cipher/blockalgo.py]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [5306cf3] Added support for CCM mode (AES cipher only)
- [9abe301] Added CCM tests
- [f0c1395] Add MacMismatchError and ApiUsageError
- [fb62fae] ApiUsageError becomes TypeError
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [4ec64d8] Removed last references to ApiUsageError
- [80bfd35] Corrected AES-CCM examples
[dlitz@dlitz.net: Removed unrelated documentation change]
[dlitz@dlitz.net: Renamed 'targs' back to 'args']
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
| |
This patch adds support for CMAC (RFC4493, NIST SP800-38B).
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
|
|
|
| |
[dlitz@dlitz.net: Re-ordered commits; so don't import S2V yet]
[dlitz@dlitz.net: Included an additional 'import *' change from the following commit:]
commit 4ec64d8eaaa4965889eb8e3b801fc77aa84e0a4e
Author: Legrandin <helderijs@gmail.com>
Date: Tue Sep 10 07:28:08 2013 +0200
Removed last references to ApiUsageError
[dlitz@dlitz.net: Removed unrelated whitespace changes]
|
| | |
|
| |
|
|
|
|
|
|
|
| |
[dlitz@dlitz.net: Extracted from the following commit:]
commit 5306cf38ba060a70e5397ec48a5cea00c2bf0203
Author: Legrandin <helderijs@gmail.com>
Date: Wed Jan 23 22:37:53 2013 +0100
Added support for CCM mode (AES cipher only)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MAC unit tests assume that the MAC algorithm is
based on hash functions (HMAC).
Additionally, a single test vector is quite complex
in that it includes result for multiple tests (each
performed on the same data, but with different
hashes).
This patch simplifies the MAC unit test so that it does
not depend on hashes and a test vector is simply made up by:
* 1 input
* 1 result
* All parameters to pass to the new() function
[dlitz@dlitz.net: Replaced custom MacMismatchError with ValueError.]
[dlitz@dlitz.net: Replaced 'import *' with appropriate imports.]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the current implementation, it is left up to the caller
to assess if the locally computed MAC matches the MAC associated
to the received message.
However, the most natural way to do that (use == operator)
is also deepy unsecure, see here:
http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf
With this patch, the new HMAC.verify() method accepts
the given MAC and perform the check on behalf of the caller.
The method will use constant-time code (still dependent on the length
of the MAC, but not on the actual content).
[dlitz@dlitz.net: Modified commit message subject line.]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[dlitz@dlitz.net: Original commit was:]
commit ca460a79aecdbf6e5973e99f8bdbf3888b6d34d2
Author: Legrandin <helderijs@gmail.com>
Date: Sun Aug 4 22:46:06 2013 +0200
Made blockalgo.py more PEP-8 compliant
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: Included only style-related changes that apply cleanly to the master branch (pre-AEAD)]
[dlitz@dlitz.net: Omitted functional changes that were made in the author's original commit.]
[dlitz@dlitz.net: Omitted some changes that broke exception messages onto multiple lines.]
[dlitz@dlitz.net: Omitted some changes that broke arithmetic expressions onto multiple lines.]
|
| |
|
|
|
|
|
| |
[dlitz@dlitz.net: Whitespace changes extracted from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [4ec64d8] Removed last references to ApiUsageError
- [ee46922] Removed most 'import *' statements
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is the PyCrypto 2.6.1 release.
Dwayne Litzenberger (4):
Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445)
Fortuna: Add comments for reseed_interval and min_pool_size to FortunaAccumulator
Update the ChangeLog
Release v2.6.1
|
| | |
| |
| |
| |
| |
| | |
This release is identical to PyCrypto v2.6, except it fixes the
Crypto.Random race condition (CVE-2013-1445) and adds a few related
comments.
|
| | |
| |
| |
| | |
FortunaAccumulator
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
== Summary ==
In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number
generator (PRNG) exhibits a race condition that may cause it to generate
the same 'random' output in multiple processes that are forked from each
other. Depending on the application, this could reveal sensitive
information or cryptographic keys to remote attackers.
An application may be affected if, within 100 milliseconds, it performs
the following steps (which may be summarized as "read-fork-read-read"):
1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different
processes (parent and child, or multiple children).
Only applications that invoke Crypto.Random.atfork() and perform the
above steps are affected by this issue. Other applications are
unaffected.
Note: Some PyCrypto functions, such as key generation and PKCS#1-related
functions, implicitly read from the Crypto.Random PRNG.
== Technical details ==
Crypto.Random uses Fortuna[1] to generate random numbers. The flow of
entropy looks something like this:
/dev/urandom -\
+-> "accumulator" --> "generator" --> output
other sources -/ (entropy pools) (AES-CTR)
- The "accumulator" maintains several pools that collect entropy from
the environment.
- The "generator" is a deterministic PRNG that is reseeded by the
accumulator. Reseeding normally occurs during each request for random
numbers, but never more than once every 100 ms (the "minimum reseed
interval").
When a process is forked, the parent's state is duplicated in the child.
In order to continue using the PRNG, the child process must invoke
Crypto.Random.atfork(), which collects new entropy from /dev/urandom and
adds it to the accumulator. When new PRNG output is subsequently
requested, some of the new entropy in the accumulator is used to reseed
the generator, causing the output of the child to diverge from its
parent.
However, in previous versions of PyCrypto, Crypto.Random.atfork() did
not explicitly reset the child's rate-limiter, so if the child requested
PRNG output before the minimum reseed interval of 100 ms had elapsed, it
would generate its output using state inherited from its parent.
This created a race condition between the parent process and its forked
children that could cause them to produce identical PRNG output for the
duration of the 100 ms minimum reseed interval.
== Demonstration ==
Here is some sample code that illustrates the problem:
from binascii import hexlify
import multiprocessing, pprint, time
import Crypto.Random
def task_main(arg):
a = Crypto.Random.get_random_bytes(8)
time.sleep(0.1)
b = Crypto.Random.get_random_bytes(8)
rdy, ack = arg
rdy.set()
ack.wait()
return "%s,%s" % (hexlify(a).decode(),
hexlify(b).decode())
n_procs = 4
manager = multiprocessing.Manager()
rdys = [manager.Event() for i in range(n_procs)]
acks = [manager.Event() for i in range(n_procs)]
Crypto.Random.get_random_bytes(1)
pool = multiprocessing.Pool(processes=n_procs,
initializer=Crypto.Random.atfork)
res_async = pool.map_async(task_main, zip(rdys, acks))
pool.close()
[rdy.wait() for rdy in rdys]
[ack.set() for ack in acks]
res = res_async.get()
pprint.pprint(sorted(res))
pool.join()
The output should be random, but it looked like this:
['c607803ae01aa8c0,2e4de6457a304b34',
'c607803ae01aa8c0,af80d08942b4c987',
'c607803ae01aa8c0,b0e4c0853de927c4',
'c607803ae01aa8c0,f0362585b3fceba4']
== Solution ==
The solution is to upgrade to PyCrypto v2.6.1 or later, which properly
resets the rate-limiter when Crypto.Random.atfork() is invoked in the
child.
== References ==
[1] N. Ferguson and B. Schneier, _Practical Cryptography_,
Indianapolis: Wiley, 2003, pp. 155-184.
|
| | |
| |
| |
| | |
Closes: https://bugs.launchpad.net/pycrypto/+bug/1191411
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add table to Crypto.Util package docs
* Clarify that PKCS#1v1.5 encryption only works on byte strings
* Clarify that padding is ignored by Cipher classes
* Clarify that block encrypt() and decrypt() do not respectively
add and remove any padding.
* Clarify what the 'overflow' parameter does (that is, nothing)
to the Crypto.Util.Counter class.
|
| | |
| |
| |
| |
| |
| |
| | |
In addition to fixing the problem, the patch also
improves readibility of other sentences a little.
Closes: https://bugs.launchpad.net/pycrypto/+bug/1093446
|
| | |
| |
| |
| | |
Closes: https://bugs.launchpad.net/pycrypto/+bug/1177614
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The digest AlgorithmIdentifier has optional (NULL) parameters; the
verification function should not reject a signature if they are omitted.
With this fix, either case is acceptable (parameters present with value NULL
or not present).
As an exception, signatures based on old MD2/MD5 must always have NULL
parameters.
See Appendix B.1 of RFC 3447 and Section 2.1 of RFC 4055.
Closes: https://bugs.launchpad.net/pycrypto/+bug/1119552
[dlitz: Rebased and updated to use refactored asn1 API, text OIDs, & to fix Python 2.1.]
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Under Python 3.2, unhexlify expects to receive a `bytes` object.
Passing it a (unicodr) `str` object causes it to raise the following
exception:
TypeError: 'str' does not support the buffer interface
|
