path: root/src

Commit message | Author | Age | Files | Lines

* Increase attempts for recovering RSA (p,q) from (n,e,d) [stage] | Wouter Bolsterlee | 2014-06-23 | 1 | -1/+1

    Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
    increase the chance that the algorithm succeeds.

    The algorithm used is a probabilistic one with a 1/2 chance of finding the
    right value in each iteration, so it's likely that only a few iterations
    are needed. However, in some extreme cases this may still fail. Bumping
    the maximum number allows the algorithm to correctly find the right values
    for these cases.

    This change bumps the number of iterations from 50 to 500 (the value 'a'
    is increased by 2 in each step), and hence reduces the chance of failure
    from 2**-50 to 2**-500.

    Note that this change does *not* result in a performance degradation.
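The recovery the commit tunes, written out as an added worked example (this is not PyCrypto's own code). Because e*d - 1 is a multiple of lcm(p-1, q-1), for a base a coprime to n the chain a^r, a^(2r), a^(4r), ... (with e*d - 1 = 2^t * r, r odd) ends at 1, and the last value before 1 that is neither 1 nor n-1 is a non-trivial square root of 1; its gcd with n is a factor. The base starts at 2 and grows by 2 per attempt, and the 500-attempt cap is the value the commit introduces. The 60-bit key below is constructed for the example and is far too small for real use.

```python
from math import gcd


def recover_rsa_primes(n, e, d, max_attempts=500):
    """Recover (p, q) from an RSA private triple (n, e, d).

    Returns (p, q) with p < q, or None if every attempt failed.
    Each base 'a' succeeds with probability about 1/2, so the failure
    probability after max_attempts tries is roughly 2**-max_attempts.
    """
    k = e * d - 1                 # multiple of lcm(p-1, q-1), hence even
    t, r = 0, k
    while r % 2 == 0:             # write k = 2**t * r with r odd
        t += 1
        r //= 2
    a = 2
    for _ in range(max_attempts):
        g = gcd(a, n)
        if 1 < g < n:             # 'a' itself shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, r, n)
        if x not in (1, n - 1):
            for _ in range(t):    # square until we reach 1 (a**k == 1 mod n)
                y = pow(x, 2, n)
                if y == 1:
                    # x*x == 1 but x != +-1: x is a non-trivial root of 1
                    g = gcd(x - 1, n)
                    if 1 < g < n:
                        return tuple(sorted((g, n // g)))
                    break
                if y == n - 1:    # hit the trivial root -1; this base is useless
                    break
                x = y
        a += 2                    # next base, as the commit message describes
    return None


# Constructed toy key: two 30-bit primes, nowhere near a real key size.
P, Q = 998244353, 1000000007
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse (Python 3.8+)

if __name__ == "__main__":
    print(recover_rsa_primes(N, E, D))
```

With `max_attempts=0` the function returns `None`, which is the failure mode the commit message mentions and which a caller must handle rather than assume away.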
* Realign V tables dynamically | Legrandin | 2014-06-22 | 1 | -15/+32

* Make Cipher.galois module private | Legrandin | 2014-06-22 | 1 | -9/+9
* Make GHASH more robust against timing attacks. | Legrandin | 2014-06-22 | 2 | -187/+99

    In order to speed up the GHASH as much as possible, the current
    implementation expands the 16 byte hash key (H) into a table of 64
    KBytes. However, that is sensitive to cache-based timing attacks.

    If we assume that access to data inside the same cache line is
    constant-time (likely), fitting a table item into a cache line may help
    against the attacks.

    This patch reduces the pre-computed table from 64K to 4K and aligns every
    item to a 32 byte boundary (since most modern CPUs have cache line of that
    size or larger).

    This patch will reduce the overall performance.

    This patch also reverts commit 965871a727 ("GCM mode: Optimize key setup
    for GCM mode") since I actually got conflicting benchmark results.
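To make the trade-off concrete, here is an added example in plain Python (not PyCrypto's C implementation) that computes GHASH two ways: with the bit-serial GF(2^128) multiplication of SP 800-38D, and with a multiply driven by 16 per-byte-position tables of 256 entries of 16 bytes each, which is the 64 KByte layout the commit message describes. The table index at every step is a byte of the running GHASH state, which depends on the key-derived H, so on a real CPU the cache lines touched leak information about it; the commit's countermeasure (a 4K table with entries aligned to cache lines) is a property of the C memory layout that Python cannot reproduce, so this block only shows where the secret-dependent access is. The input is Test Case 2 of the GCM specification (H, C and the expected GHASH value are the published ones).

```python
R = 0xE1 << 120   # reduction polynomial x^128 + x^7 + x^2 + x + 1, GCM bit order


def gf_mult(x, y):
    """Bit-serial multiplication in GF(2^128) (SP 800-38D, Algorithm 1).

    Blocks are 128-bit ints whose most significant bit is GCM's leftmost bit.
    """
    z, v = 0, y
    for i in range(127, -1, -1):          # walk x from its leftmost bit
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def build_tables(h):
    """tables[pos][b] == (b placed at byte position pos of a block) * H.

    16 positions x 256 entries x 16 bytes = 64 KByte per key. Entries are
    derived from the 8 single-bit products using linearity over XOR.
    """
    tables = []
    for pos in range(16):
        shift = 8 * (15 - pos)
        row = [0] * 256
        for bit in range(8):
            row[1 << bit] = gf_mult((1 << bit) << shift, h)
        for b in range(1, 256):
            low = b & -b                     # lowest set bit of b
            row[b] = row[b ^ low] ^ row[low]
        tables.append(row)
    return tables


def gf_mult_table(x, tables):
    """x * H via table lookups; the index is a byte of the secret-derived state."""
    z = 0
    for pos in range(16):
        idx = (x >> (8 * (15 - pos))) & 0xFF   # state-dependent memory access
        z ^= tables[pos][idx]
    return z


def _blocks(data):
    """Split into 16-byte big-endian blocks, zero-padding the last one."""
    data += b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def ghash(h, aad, ct, tables=None):
    """GHASH_H over A || pad, C || pad, len64(A) || len64(C)."""
    length_block = (len(aad) * 8) << 64 | (len(ct) * 8)
    y = 0
    for block in _blocks(aad) + _blocks(ct) + [length_block]:
        y = gf_mult_table(y ^ block, tables) if tables else gf_mult(y ^ block, h)
    return y


# GCM specification Test Case 2: AES-128 zero key, zero IV, 16 zero plaintext bytes.
H_TC2 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = 0xF38CBB1AD69223DCC3457AE5B6B0F885

if __name__ == "__main__":
    print(hex(ghash(H_TC2, b"", C_TC2)))
    print(hex(ghash(H_TC2, b"", C_TC2, build_tables(H_TC2))))
```

The two paths must agree on every input; the difference is purely in which memory the computation touches, which is exactly what a cache-timing attacker observes.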
* Add side-channel countermeasures to DSA. | Legrandin | 2014-06-22 | 1 | -9/+19

    This patch strengthens the DSA signing code against side-channel attacks.

    The DSA signing formulae:

        r = (g^{k} mod p) mod q
        s = k^{-1} * (H(m) + r*x) mod q

    become:

        b = random in [1..q)
        r = (g^{k} mod p) mod q
        s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

    In this way we avoid that the secret (x) gets multiplied by a random
    factor (r) which is immediately disclosed to an attacker (which we assume
    can both collect (r) and also monitor the side-channel produced by the
    multiplication).

    See also attack DSA_2 in: "Minimum Requirements for Evaluating
    Side-Channel Attack Resistance of RSA, DSA and Diffie-Hellman Key Exchange
    Implementations", BSI
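The blinded formula above, as an added example in plain Python (not PyCrypto's code), next to the textbook one so that the two can be compared: both produce the identical (r, s) because b and b^{-1} cancel, but in the blinded version every multiplication involving x sees only b*x, so the operand that is multiplied by the public r is already masked. The domain parameters p = 107, q = 53, g = 4 are a constructed toy group (g = 2^2 is a quadratic residue mod 107, hence of order 53) and are only there to keep the arithmetic visible; the hash-to-integer step is simplified to a reduction mod q.

```python
import secrets
from hashlib import sha256

# Constructed toy DSA domain parameters: p = 2q + 1, g of order q mod p.
# Illustration only; nowhere near a secure size.
P, Q, G = 107, 53, 4


def hash_to_int(msg, q):
    """H(m) as an integer mod q (real DSA truncates the digest to |q| bits)."""
    return int.from_bytes(sha256(msg).digest(), "big") % q


def dsa_sign_plain(x, hm, k, p=P, q=Q, g=G):
    """Textbook DSA: s = k^-1 * (H(m) + r*x) mod q.

    r*x multiplies the bare secret by a value the attacker sees in the
    signature, which is the exposure the commit message describes.
    """
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hm + r * x) % q
    if r == 0 or s == 0:
        raise ValueError("retry with a fresh k")
    return r, s


def dsa_sign_blinded(x, hm, k, b, p=P, q=Q, g=G):
    """Blinded DSA from the commit: s = (b*k)^-1 * (b*H(m) + r*(b*x)) mod q.

    The secret x is masked by b before r touches it; k is masked as well.
    """
    r = pow(g, k, p) % q
    bx = b * x % q                          # mask the secret first
    bk = b * k % q
    s = pow(bk, -1, q) * (b * hm % q + r * bx) % q
    if r == 0 or s == 0:
        raise ValueError("retry with a fresh k")
    return r, s


def dsa_verify(y, hm, sig, p=P, q=Q, g=G):
    """Standard DSA verification; unchanged by the blinding."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hm * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def random_nonzero_mod(q):
    """Uniform in [1, q), as the commit's 'b = random in [1..q)'."""
    return secrets.randbelow(q - 1) + 1


if __name__ == "__main__":
    x = random_nonzero_mod(Q)
    y = pow(G, x, P)
    hm = hash_to_int(b"constructed message", Q)
    while True:
        try:
            sig = dsa_sign_blinded(x, hm, random_nonzero_mod(Q), random_nonzero_mod(Q))
            break
        except ValueError:
            continue
    print(sig, dsa_verify(y, hm, sig))
```

Note that b must be fresh per signature and k must still be uniform and secret; the blinding changes which intermediate values a side channel can observe, not the mathematical requirements on k.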
* Upgrade libtomcrypt 1.16 -> 1.17 (LP#1264130) [merge] | Dwayne Litzenberger | 2014-06-22 | 12 | -311/+375

    This should fix a FreeBSD build issue:
    https://bugs.launchpad.net/pycrypto/+bug/1264130

    Thanks to Richard Mitchell <richard.j.mitchell@gmail.com> for suggesting
    how to fix this.

  * PyCrypto customizations: Declare things static so that we don't leak symbols | Dwayne Litzenberger | 2014-06-22 | 2 | -28/+28

  * Pristine files from libtomcrypt-1.17 | Dwayne Litzenberger | 2014-06-22 | 14 | -0/+6010

      Original tarball downloaded from:
      http://libtom.org/files/crypt-1.17.tar.bz2
      http://libtom.org/files/crypt-1.17.tar.bz2.sig

      SHA256 sums:
      e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116 *crypt-1.17.tar.bz2
      8f52ddfb17656f7a2e510d92a26c8b33e0c1f431af7febd9cf1298a77b5fd932 *crypt-1.17.tar.bz2.sig

      libtomcrypt-1.17/LICENSE says:

          LibTomCrypt is public domain. As should all quality software be.

          Tom St Denis
* DES3: Move "Two-key 3DES" support into DES.c instead of customizing tomcrypt_des.c | Dwayne Litzenberger | 2014-06-22 | 2 | -14/+20
* Workaround missing bit_AES defines | Sebastian Ramacher | 2014-06-22 | 1 | -0/+13

    clang provides the same constant as bit_AESNI in some versions, and
    doesn't provide it at all in others.

    Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

* Fix compilation with clang-3.3 | Sebastian Ramacher | 2014-06-22 | 1 | -8/+9

    clang-3.3 is stricter regarding the second argument of _mm_shuffle_epi32.

    Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
* Merge branch 'fix-aesni-aligned-malloc' [merge] | Dwayne Litzenberger | 2014-02-22 | 1 | -1/+5

  * AESNI: Fix order of alignment & size args in _aligned_malloc | Dwayne Litzenberger | 2014-02-22 | 1 | -1/+5

* Regenerate autoconf files | Dwayne Litzenberger | 2014-02-22 | 1 | -0/+9

* Clean up AESNI aligned malloc() wrappers | Dwayne Litzenberger | 2014-02-22 | 1 | -33/+22

    - Set errno properly when using posix_memalign
    - Rename to aligned_malloc_wrapper / aligned_free_wrapper
    - Use a single set of #if blocks, to avoid the possibility of mismatching
      them.
* Merge pull request #62 (Fixes AESNI alignment bug) [merge] | Dwayne Litzenberger | 2014-02-22 | 7 | -17/+103

  * Prefer C11's aligned_alloc if it is available | Sebastian Ramacher | 2014-02-22 | 1 | -4/+4

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

  * Check return value of posix_memalign | Sebastian Ramacher | 2014-02-22 | 1 | -1/+3

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

  * Add wrapper for free | Sebastian Ramacher | 2014-02-22 | 1 | -6/+19

      For _aligned_malloc calling free is illegal. We need to use
      _aligned_free instead.

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

  * Add a wrapper for posix_memalign and friends | Sebastian Ramacher | 2013-10-28 | 1 | -17/+22

      This also fixes the order of arguments passed to _aligned_malloc.

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

  * Make sure that ek and dk are aligned at 16 byte boundaries | Sebastian Ramacher | 2013-10-28 | 1 | -4/+44

      ek and dk are used as operands in instructions that require 16 byte
      alignment.

      Thanks to Greg Price for finding this issue.

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

  * Add block_finalize to clean up block_state from ALGdealloc | Sebastian Ramacher | 2013-10-28 | 7 | -0/+26

      This is the counterpart to block_init which is called from ALGnew.

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

  * Be more consistent with spaces and tabs | Sebastian Ramacher | 2013-10-28 | 1 | -13/+13

      Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
* Fix typo in error string | Dwayne Litzenberger | 2014-02-22 | 1 | -1/+1

* Fix exception string for incorrect key length (DES) | Legrandin | 2014-02-21 | 1 | -0/+4

* Throw exception when IV is used with ECB or CTR | Legrandin | 2014-02-21 | 1 | -0/+11

    The IV parameter is currently ignored when initializing a cipher in ECB
    or CTR mode.

    For CTR mode, it is confusing: it takes some time to see that a different
    parameter is needed (the counter).

    For ECB mode, it is outright dangerous.

    This patch forces an exception to be raised.

* block_template: Fix compiler warning (%i -> %zi) | Dwayne Litzenberger | 2013-10-20 | 1 | -1/+1

    This fixes this warning:

        In file included from src/CAST.c:453:0:
        src/block_template.c: In function ‘ALG_Encrypt’:
        src/block_template.c:426:12: warning: format ‘%i’ expects argument of type ‘int’, but argument 3 has type ‘Py_ssize_t’ [-Wformat=]
                    ctr->buf_size, BLOCK_SIZE);
                    ^
* GCM mode: Optimize key setup for GCM mode. | Legrandin | 2013-10-20 | 1 | -16/+79

    GCM mode requires GHASH for 2 different operations: one for the data (AD +
    ciphertext) and one for the IV.

    Construction of tables to speed-up GHASH is very expensive and it is worth
    doing only for the data, not for the IV.

    This patch ensures that the GHASH for the IV does not use tables, with a
    ~40% faster key setup.

    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]

* GCM mode: Optimize GCM speed with pre-computed tables. | Legrandin | 2013-10-20 | 1 | -55/+184

    Tables take 64KByte per each key.

    Encryption performance is more than doubled (29 MBps vs 8MBps for
    AES128). As a drawback, key setup is much slower (1300 key/s on the same
    machine).

    [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
    [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
    [dlitz@dlitz.net: Included changes from the following commits from the
    author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter
      of the _GHASH constructor is now the length of the block (block_size)
      and not the full module.
    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]

* Add support for GCM mode (AES only). | Legrandin | 2013-10-20 | 1 | -0/+234

    The main change done by this commit is adding support for MODE_GCM (NIST
    SP 800 38D). Test vectors are included.

    The mode uses a C extension (Crypto.Util.galois._ghash) to compute the
    GHASH step. The C implementation is the most basic one and it is still
    significantly (5x times) slower than CTR. Optimizations can be introduced
    using tables (CPU/memory trade-off) or even AES NI instructions on newer
    x86 CPUs.

    This patch also simplifies Crypto.Cipher.blockalgo.py by:

    * removing duplicated code previously shared by digest() and verify().
    * removing duplicated code previously shared by Crypto.Hash.CMAC and
      Crypto.Cipher.block_algo (management of internal buffers for MACs that
      can only operate on block aligned data, like CMAC, CBCMAC, and now also
      GHASH).

    [dlitz@dlitz.net: Included changes from the following commits from the
    author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter
      of the _GHASH constructor is now the length of the block (block_size)
      and not the full module.
    [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
    [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
    [dlitz@dlitz.net: Replaced renamed variable `ht` with original `h`]
    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* Clarify message about incorrect length in the counter block. | Legrandin | 2013-10-20 | 1 | -2/+2

    When the counter function returns an incorrect counter block to the
    cipher in CTR mode, the error message includes both the required and the
    provided amount of data (in bytes).

* FIX #1096857. Update reference to FIPS 180-4. | Legrandin | 2013-07-14 | 4 | -4/+4

    Closes: https://bugs.launchpad.net/pycrypto/+bug/1096857

* Fixed MODE_OFB requiring padding | dev-jjc | 2013-07-14 | 1 | -20/+42

    Closes: https://bugs.launchpad.net/pycrypto/+bug/996193
    Closes: https://github.com/dlitz/pycrypto/pull/26

    [dlitz: Squashed and fixed whitespace.]

* Improve C extension autodocs | Dwayne Litzenberger | 2013-07-14 | 10 | -20/+162

    - Add __all__ to C cipher & hash modules
    - Update hash module docstrings to document the block_size and
      digest_size variables.

    Closes: https://bugs.launchpad.net/pycrypto/+bug/1179255

* Py3k cleanup: bytes/string -> bytestring in error messages | Dwayne Litzenberger | 2013-07-14 | 1 | -15/+3

* Py3k cleanup: Module initialization | Dwayne Litzenberger | 2013-07-14 | 7 | -101/+188

* Py3k cleanup: Remove PyModule_GetDict | Dwayne Litzenberger | 2013-07-14 | 1 | -10/+8

    Also rename _fastmath_module -> m for consistency

* Py3k cleanup: PyBytesObject | Dwayne Litzenberger | 2013-07-14 | 1 | -4/+0

* Py3k cleanup: Always use tp_getattro | Dwayne Litzenberger | 2013-07-14 | 7 | -231/+102

* Py3k cleanup: PyMODINIT_FUNC | Dwayne Litzenberger | 2013-07-14 | 5 | -18/+4

* Py3k cleanup: OB_SIZE | Dwayne Litzenberger | 2013-07-14 | 1 | -18/+10

* Py3k cleanup: PyVarObject_HEAD_INIT | Dwayne Litzenberger | 2013-07-14 | 7 | -40/+1

* Py3k cleanup: PyType_Ready | Dwayne Litzenberger | 2013-07-14 | 7 | -15/+21

* Py3k cleanup: PyInt_CheckExact & PyInt_AS_LONG | Dwayne Litzenberger | 2013-07-14 | 2 | -11/+3

* Py3k cleanup: staticforward and Py_TYPE | Dwayne Litzenberger | 2013-07-14 | 5 | -17/+4

* Py3k cleanup: METH_O | Dwayne Litzenberger | 2013-07-14 | 3 | -10/+3

* Py3k cleanup: PyModule_AddIntConstant | Dwayne Litzenberger | 2013-07-14 | 5 | -24/+12

* Py3k cleanup: Remove unused is_ALGobject macro | Dwayne Litzenberger | 2013-07-14 | 3 | -6/+0

* Py3k cleanup: Define PyLong_SHIFT and PyLong_MASK in Python 2.5 and below | Dwayne Litzenberger | 2013-07-14 | 2 | -14/+3

* Py3k cleanup: Define PyInt_FromLong for Python 3.x and use it | Dwayne Litzenberger | 2013-07-14 | 6 | -19/+12

    This is the first of a series of changes that aims to reduce code
    duplication between the Python 3 and Python 2 versions of the C
    extensions.