This patch add supports for SIV, an AEAD block cipher
mode defined in RFC5297. SIV is only valid for AES.
The PRF of SIV (S2V) is factored out in the Protocol.KDF module.
See the following example to get a feeling of the API (slightly
different than other AEAD mode, during decryption).
Encryption (Python 2):
>>> from Crypto.Cipher import AES
>>> key = b'0'*32
>>> siv = AES.new(key, AES.MODE_SIV)
>>> ct = siv.encrypt(b'Message')
>>> mac = siv.digest()
Decryption (Python 2):
>>> from Crypto.Cipher import AES, MacMismatchError
>>> key = b'0'*32
>>> siv = AES.new(key, AES.MODE_SIV)
>>> pt = siv.decrypt(ct + mac)
>>> try:
>>> siv.verify(mac)
>>> print "Plaintext", pt
>>> except MacMismatchError:
>>> print "Error"
This change also fixes the description/design of AEAD API.
With SIV (RFC5297), decryption can only start when the MAC is known.
The original AEAD API did not support that.
For SIV the MAC is now exceptionally passed together with the ciphertext
to the decrypt() method.
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [d7727fb] Fix description/design of AEAD API.
- [fb62fae] ApiUsageError becomes TypeError [whitespace]
- [4ec64d8] Removed last references to ApiUsageError [whitespace]
- [ee46922] Removed most 'import *' statements
- [ca460a7] Made blockalgo.py more PEP-8 compliant;
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: A conflict that was not resolved in the previous
commit was originally resolved here. Moved the
resolution to the previous commit.]
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [5306cf3] Added support for CCM mode (AES cipher only)
- [9abe301] Added CCM tests
- [f0c1395] Add MacMismatchError and ApiUsageError
- [fb62fae] ApiUsageError becomes TypeError
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [4ec64d8] Removed last references to ApiUsageError
- [80bfd35] Corrected AES-CCM examples
[dlitz@dlitz.net: Removed unrelated documentation change]
[dlitz@dlitz.net: Renamed 'targs' back to 'args']
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iFYEABEKAAYFAlJcZFMACgkQm4qoyix3/7Df6wDfUkS+QVyb7quQJrBiLi3jLAin
Otvcc25QTHgoTADePAglh6rbEOMNdyNUFinTeV1qwkOm/Q3YRiyiLA==
=XujS
-----END PGP SIGNATURE-----
Merge tag 'v2.6.1' (fix CVE-2013-1445)
This is the PyCrypto 2.6.1 release.
Dwayne Litzenberger (4):
Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445)
Fortuna: Add comments for reseed_interval and min_pool_size to FortunaAccumulator
Update the ChangeLog
Release v2.6.1
These algorithm names were confusing, because there are actually
algorithms called "SHA" (a.k.a. SHA-0) and "RIPEMD" (the original
version).
This commit just renames the modules, with no backward-compatibility
support.
