| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This is the first of a series of changes that aims to reduce code
duplication between the Python 3 and Python 2 versions of the C
extensions.
| |
I have permission to do this. See the LEGAL directory.
| |
There are three things that, when combined, produce exploitably-weak random
number generation reminiscent of the infamous Debian libssl fiasco
(CVE-2008-0166):

  1. Microsoft Windows
  2. A long-standing bug in PyCrypto's setup.py that omits the "winrandom"
     module from the build procedure, causing RandomPool to be seeded weakly
     when it is instantiated.
  3. A tendency among PyCrypto's users to (incorrectly) treat RandomPool as
     a portable substitute for reading from /dev/urandom. RandomPool was
     never intended as a complete RNG, but I have seen several cases where
     it has been treated as one. (See footnote.)

This commit provides a quick fix for #2. Future work will attempt to fix #3 by
providing users with a "works out-of-the-box" random number generation API.
Fixing #1 probably won't happen any time soon, though reports of the initial
success of Windows Vista suggest that Microsoft may be working hard on the
problem.

Footnote:
  For more information about the misuse of RandomPool, see:
    http://lists.dlitz.net/pipermail/pycrypto/2008q3/000000.html
    http://www.lag.net/pipermail/paramiko/2008-January/000599.html
    http://www.lag.net/pipermail/paramiko/2008-April/000678.html
    https://bugs.launchpad.net/pycrypto/+bug/249765
| |
[project @ 2003-02-01 00:46:43 by moraes]
Changed winrandom module interface to a "new" function that
returns an object with a "get_bytes" method, which can
be called repeatedly.

Module contains a list of providers and provider types that
can be passed to new(), and get_bytes() accepts an optional
string of userdata which can be stirred into the mix.

Examples:
    data = winrandom.new().get_bytes(10)
    w = winrandom.new(winrandom.MS_ENHANCED_PROV, winrandom.PROV_RSA_FULL)
    data = w.get_bytes(10)
    data = w.get_bytes(10)
    ...
| |
[project @ 2003-01-31 06:25:14 by moraes]
Added provider and provtype options so that I can try this with
Intel RNG driver. (provider "Intel Hardware Cryptographic Service Provider",
provtype 22)
|
[project @ 2002-10-23 04:52:20 by moraes]
Added Crypto.Util.winrandom.winrandom C extension code
to get randomness from Windows CryptGenRandom.