Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.
However, in some extreme cases this may still fail. Bumping the maximum
number allows the algorithm to correctly find the right values for these
cases. This change bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.
Note that this change does *not* result in a performance degradation.
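The (p, q) recovery this message refers to, worked through in Python as an added example (it is not pycrypto's own code). The base `a` walks 2, 4, 6, ... as the message describes; the toy key n = 3233, e = 17, d = 2753 in the comments is constructed for illustration.

```python
import math


def recover_pq(n, e, d, max_iter=500):
    """Recover the RSA primes (p, q) from (n, e, d).

    Added example, not pycrypto's code. e*d - 1 is a multiple of lambda(n),
    so a**(e*d - 1) == 1 (mod n) for any base a coprime to n. Writing
    e*d - 1 = t * 2**s and walking a**t, a**(2t), a**(4t), ... must reach 1;
    roughly half of all bases pass through a square root of 1 other than
    +1/-1 on the way, and such a root exposes a factor of n.
    """
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2                     # k = t * 2**s with t odd
    a = 2
    for _ in range(max_iter):
        g = math.gcd(a, n)
        if 1 < g < n:                            # base already shares a factor
            return max(g, n // g), min(g, n // g)
        x = pow(a, t, n)
        for _ in range(s):
            if x in (1, n - 1):                  # chain collapses trivially: next base
                break
            y = pow(x, 2, n)
            if y == 1:                           # x*x == 1 but x != +1/-1, so
                p = math.gcd(x - 1, n)           # (x-1)(x+1) == 0 (mod n) splits n
                return max(p, n // p), min(p, n // p)
            x = y
        a += 2                                   # deterministic bases 2, 4, 6, ...
    return None                                  # all bases failed (~2**-max_iter)


def check_key(n, e, d, max_iter=500):
    """Factor n and confirm the factors agree with (n, e, d).

    For the toy key n = 3233 (61 * 53), e = 17, d = 2753 the bases 2 and 4
    both collapse to n - 1, and a = 6 yields the factors.
    """
    pq = recover_pq(n, e, d, max_iter)
    if pq is None:
        return False
    p, q = pq
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda(n)
    return p * q == n and (e * d) % lam == 1
```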
In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.
If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.
This patch reduces the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache lines of that size or larger).
This patch will reduce the overall performance.
This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.
This patch strengthens the DSA signing code against
side-channel attacks.
The DSA signing formulae:
r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q
become:
b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q
In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).
See also attack DSA_2 in:
"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
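The blinding described in this message, worked through in Python as an added example (not pycrypto's code). It shows that the blinded and unblinded formulae produce the identical (r, s), so verification is unchanged; the parameters p = 23, q = 11, g = 2 and the key x = 7 are toy values constructed here and are far too small for real use.

```python
import hashlib
import secrets


def hash_to_int(msg, q):
    """Toy H(m): SHA-256 reduced mod q. FIPS 186 truncates the digest to
    q's bit length instead; the reduction only keeps tiny q workable."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsa_sign(params, x, h, k):
    """Textbook DSA: the secret x is multiplied directly by the public r."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + r * x)) % q
    return r, s


def dsa_sign_blinded(params, x, h, k, b):
    """Blinded DSA from the commit, b in [1, q): every multiplication that
    touches x has the unpublished b as its other operand. The b factors
    cancel mod q, so the output equals dsa_sign()."""
    p, q, g = params
    r = pow(g, k, p) % q
    bx = (b * x) % q
    s = (pow((b * k) % q, -1, q) * (b * h + r * bx)) % q
    return r, s


def dsa_sign_random(params, x, h):
    """Fresh k and b per signature; reject the degenerate r == 0 or s == 0."""
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        b = secrets.randbelow(q - 1) + 1
        r, s = dsa_sign_blinded(params, x, h, k, b)
        if r and s:
            return r, s


def dsa_verify(params, y, h, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, (h * w) % q, p) * pow(y, (r * w) % q, p)) % p % q
    return v == r


# Toy parameters constructed for the example (NOT secure sizes):
# q = 11 divides p - 1 = 22, and g = 2 has order 11 in Z_23*; y = 2^7 mod 23 = 13.
PARAMS = (23, 11, 2)
```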
This should fix a FreeBSD build issue:
https://bugs.launchpad.net/pycrypto/+bug/1264130
Thanks to Richard Mitchell <richard.j.mitchell@gmail.com> for suggesting
how to fix this.
Original tarball downloaded from:
http://libtom.org/files/crypt-1.17.tar.bz2
http://libtom.org/files/crypt-1.17.tar.bz2.sig
SHA256 sums:
e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116 *crypt-1.17.tar.bz2
8f52ddfb17656f7a2e510d92a26c8b33e0c1f431af7febd9cf1298a77b5fd932 *crypt-1.17.tar.bz2.sig
libtomcrypt-1.17/LICENSE says:
LibTomCrypt is public domain. As should all quality software be.
Tom St Denis
tomcrypt_des.c
clang provides the same constant as bit_AESNI in some versions, and doesn't
provide it at all in others.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
clang-3.3 is stricter regarding the second argument of _mm_shuffle_epi32.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
- Set errno properly when using posix_memalign
- Rename to aligned_malloc_wrapper / aligned_free_wrapper
- Use a single set of #if blocks, to avoid the possibility of
mismatching them.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
For _aligned_malloc calling free is illegal. We need to use _aligned_free
instead.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
This also fixes the order of arguments passed to _aligned_malloc.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
ek and dk are used as operands in instructions that require 16 byte alignment.
Thanks to Greg Price for finding this issue.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
This is the counterpart to block_init which is called from ALGnew.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
The IV parameter is currently ignored when initializing
a cipher in ECB or CTR mode.
For CTR mode, it is confusing: it takes some time to see
that a different parameter is needed (the counter).
For ECB mode, it is outright dangerous.
This patch forces an exception to be raised.
This fixes this warning:
In file included from src/CAST.c:453:0:
src/block_template.c: In function ‘ALG_Encrypt’:
src/block_template.c:426:12: warning: format ‘%i’ expects argument of
type ‘int’, but argument 3 has type ‘Py_ssize_t’ [-Wformat=]
ctr->buf_size, BLOCK_SIZE);
^
GCM mode requires GHASH for 2 different operations: one for
the data (AD + ciphertext) and one for the IV.
Construction of tables to speed-up GHASH is very expensive
and it is worth doing only for the data, not for the IV.
This patch ensures that the GHASH for the IV does not
use tables, with a ~40% faster key setup.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
Tables take 64KByte per each key.
Encryption performance is more than doubled
(29 MBps vs 8MBps for AES128).
As a drawback, key setup is much slower (1300 key/s
on the same machine).
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter
of the _GHASH constructor is now the length of the block
(block_size) and not the full module.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
The main change done by this commit is adding support
for MODE_GCM (NIST SP 800 38D). Test vectors are included.
The mode uses a C extension (Crypto.Util.galois._ghash)
to compute the GHASH step. The C implementation is the most
basic one and it is still significantly (5x) slower than CTR.
Optimizations can be introduced using tables (CPU/memory trade-off)
or even AES NI instructions on newer x86 CPUs.
This patch also simplifies Crypto.Cipher.blockalgo.py by:
* removing duplicated code previously shared by digest() and verify().
* removing duplicated code previously shared by Crypto.Hash.CMAC
and Crypto.Cipher.block_algo (management of internal buffers
for MACs that can only operate on block aligned data, like
CMAC, CBCMAC, and now also GHASH).
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [ca460a7] Made blockalgo.py more PEP-8 compliant;
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Replaced renamed variable `ht` with original `h`]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
When the counter function returns an incorrect counter block to
the cipher in CTR mode, the error message includes both the required and
the provided amount of data (in bytes).
Closes: https://bugs.launchpad.net/pycrypto/+bug/1096857
Closes: https://bugs.launchpad.net/pycrypto/+bug/996193
Closes: https://github.com/dlitz/pycrypto/pull/26
[dlitz: Squashed and fixed whitespace.]
- Add __all__ to C cipher & hash modules
- Update hash module docstrings to document the block_size and
digest_size variables.
Closes: https://bugs.launchpad.net/pycrypto/+bug/1179255
Also rename _fastmath_module -> m for consistency
This is the first of a series of changes that aims to reduce code
duplication between the Python 3 and Python 2 versions of the C
extensions.