| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.
However, in some extreme cases this may still fail. Bumping the maximum
number allow the algorithm to correctly find the right values for these
cases. This changes bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.
Note that this change does *not* result in a performance degradation.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch strenghten the DSA signing code against
side-channel attacks.
The DSA signing formulae:
r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q
becomes:
b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q
In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).
See also attack DSA_2 in:
"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
|
| |
|
|
|
|
| |
Also rename _fastmath_module -> m for consistency
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
The solution is to include Python.h before string.h is included.
|
|
|
|
|
|
|
| |
Fix leaks in getRandomInteger and rsaKeyNew. If randfunc throws an exception
they both don't clean up properly.
Thanks to Andreas Stührk for helping me to debug these two leaks.
|
| |
|
|
|
|
|
| |
"long int" is equivalent to "long" in C, and it's harder to misread it as
"int" this way.
|
|
|
|
| |
This should never happen, but the behaviour is saner if it does.
|
| |
|
| |
|
|
|
|
|
| |
rabinMillerTest returns an int but getStrongPrime stores the result in an
unsigned long int which makes the tests in line 1545 and 1621 useless.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When _fastmath is present, the following code caused the Python interpreter
to abort with a fatal error:
from Crypto.Util.number import isPrime
isPrime(1) # Fatal Python error: PyEval_SaveThread: NULL tstate
Bug report: https://bugs.launchpad.net/pycrypto/+bug/988431
|
|
|
|
|
|
|
| |
This should never happen, but we're already checking that Crypto.Random.new is
callable, so we might as well also check that Crypto.Random.new exists. Also,
fixing this should silence an (arguably false-positive) error emitted by
cpychecker (a static analysis tool used by the Fedora project).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These bugs are likely only triggered during out-of-memory conditions. The bug
report is at:
https://bugs.launchpad.net/pycrypto/+bug/934294
These were found by Dave Malcolm's experimental static analysis tool:
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-02-14/python-crypto-2.5-1.fc17/
See also:
https://fedorahosted.org/gcc-python-plugin/
http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html
|
|\ |
|
| | |
|
| |\
| | |
| | |
| | |
| | |
| | | |
Conflicts:
setup.py
src/_fastmath.c
|
| | |
| | |
| | |
| | | |
(libgmp 5 or later)
|
| |\ \
| | |/ |
|
| | |
| | |
| | |
| | |
| | | |
o Add Ron Rivet DES test to test_DES.py
o Started on API documentation for 3.x
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
o _fastmath now builds and runs on PY3K
o Changes to setup.py to allow /usr/include for gmp.h
o Changes to setup.py to allow linking fastmath w/ static mpir
on Windows without warning messages
o Changes to test_DSA/test_RSA to throw an exception if _fastmath
is present but cannot be imported (due to an issue building
_fastmath or the shared gmp/mpir libraries not being reachable)
o number.py has the code to flag a failing _fastmath, but that
code is commented out for a better runtime experience
o Clean up the if for py21compat import - should have been == not is
o Clean up some '== None' occurences, now 'is None' instead
|
| | |
| | |
| | |
| | | |
divmod(a,b)[0]; move to assertEqual throughout the test suite to prep for assert_ and failIf being removed in 3.3/3.4
|
| | | |
|
| | |
| | |
| | |
| | | |
to gmp
|
| | | |
|
|\ \ \
| | |/
| |/| |
|
| |/
| |
| |
| |
| |
| | |
timing attacks.
Thanks to Geremy Condra for pointing this out.
|
| | |
|
| |
| |
| |
| | |
it (that is, because it helps a little the inversion step that follows).
|
| |
| |
| |
| |
| |
| |
| |
| | |
Small fix to importKey documentation (ASN.1 structure names were
incorrect for public keys).
Factors of an RSA private key are computed from private exponent d
(both slowmath and fastmath).
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Legrandin's getStrongPrime() patch changed the behaviour of
Crypto.Util.number.getRandomNumber() to something that is more like what
people would expect, but different from what we did before. This change
modifies Crypto.Util.number in the following ways:
- Rename getRandomNBitNumber -> getRandomNBitInteger
and getRandomNumber -> getRandomInteger
- Preserve old behaviour by making getRandomNumber work the same as
getRandomNBitInteger.
- Emit a DeprecationWarning when the old getRandomNumber is used.
|
|
|
|
| |
This could occur if getRNG() returns NULL.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From http://lists.dlitz.net/pipermail/pycrypto/2009q4/000167.html, with the
following explanation included in the email:
=== snip ===
Hi there!
Here comes my monster patch.
It includes a python and C version of getStrongPrime, rabinMillerTest and isPrime.
there are also two small unit tests and some helper functions.
They all take a randfunc and propagate them (or so I hope).
The Rabin-Miller-Test uses random bases (non-deterministic).
getStrongPrime and isPrime take an optional parameter "false_positive_prob"
where one can specify the maximum probability that the prime is actually
composite. Internally the functions calculate the Rabin-Miller rounds from
this. It defaults to 1e-6 (1:1000000) which results in 10 rounds of Rabin-Miller
testing.
Please review this carefully. Even though I tried hard to get things right some
bugs always slip through.
maybe you could also review the way I acquire and release the GIL. It felt kind
of ugly the way I did it but I don't see a better way just now.
Concerning the public exponent e:
I now know why it needs to be coprime to p-1 and q-1. The private exponent d is
the inverse of e mod ((p-1)(q-1)).
If e is not coprime to ((p-1)(q-1)) then the inverse does not exist [1].
The getStrongPrime take an optional argument e. if provided the function will
make sure p-1 and e are coprime. if e is even (p-1)/2 will be coprime.
if e is even then there is a additional constraint: p =/= q mod 8.
I can't check for that in getStrongPrime of course but since we hardcoded e to
be odd in _RSA.py this should pose no problem.
The Baillie-PSW-Test is not included.
I tried hard not to use any functionality new than 2.1 but if you find anything
feel free to criticize. Also if I didn't get the coding style right either tell
me or feel free to correct it yourself.
have fun.
//Lorenz
[1] http://mathworld.wolfram.com/ModularInverse.html
=== snip ===
|
|
|
|
| |
This fixes https://bugs.launchpad.net/pycrypto/+bug/439958
|
|
|
|
| |
I have permission to do this. See the LEGAL directory.
|
|
|
|
|
|
| |
various custom "error" exceptions
At some point, it might be a good idea to remove the custom error classes themselves.
|
|
|
|
| |
Handy command: nm -g --extern-only `find . -name \*.so`
|