Crypto.Signature.PKCS1_PSS is reverted to the old behavior it had
in PyCrypto: verify() returns True/False and does not raise an
exception with a wrong signature.

In the process, we add a "randfunc" parameter to
- Crypto.Cipher.PKCS1_OAEP.new()
- Crypto.Cipher.PKCS1_v1_5.new()
- Crypto.Signature.PKCS1_PSS.new()
to set the PRNG used by each algorithm.
Previously, the PRNG was taken from the RSA key itself.

This patch does a few things to simplify the public key classes
(RSA, DSA and ElGamal):
* It removes the Crypto.PublicKey.pubkey module. The 3 classes
  do not have an ancestor anymore.
* Methods sign(), verify(), encrypt(), and decrypt() are removed.
* Methods blind() and unblind() are removed.
* Methods can_sign() and can_encrypt() are removed.
* The 3 classes cannot be pickled anymore.

The expression AES.new(key) used to be equivalent
to AES.new(key, AES.MODE_ECB). The same applies to
any other algorithm besides AES.
Since the ECB mode is not a secure default,
the expression AES.new(key) will now raise an exception.
NOTE: this change breaks compatibility with PyCrypto.

In order to speed up the GHASH as much as possible,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.
If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.
This patch reduces the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have a cache line of that size or larger).
This patch will reduce the overall performance.
This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.

This patch adds encrypt_and_digest() and decrypt_and_verify()
methods to a cipher object.
In most cases they are just shortcuts to the existing functions.
For SIV mode, decrypt_and_verify() replaces decrypt().
[dlitz@dlitz.net: Squashed with bugfix commit:]
Bug in encrypt_and_digest() (all AEAD modes):
decrypt() was being called instead of encrypt().
Also added a unit test to validate that the composition
of encrypt_and_digest() and decrypt_and_verify()
is the identity function.
[dlitz@dlitz.net: Included changes from the following commit from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]

GCM mode requires GHASH for 2 different operations: one for
the data (AD + ciphertext) and one for the IV.
Construction of tables to speed up GHASH is very expensive
and it is worth doing only for the data, not for the IV.
This patch ensures that the GHASH for the IV does not
use tables, with a ~40% faster key setup.
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
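As an added illustration of the table-size trade-off that the two GHASH commits above describe (the 64K-to-4K reduction, and why table construction is only worth it for the data path), the following Python computes the GHASH multiply by H three ways: the bit-serial reference with no tables, a 4 KB single-byte table that needs a shift-and-reduce step between bytes, and 64 KB of per-byte-position tables that need one lookup per byte and no reduction at all. This is not PyCryptodome's code (its GHASH is in C), the table layouts are my reading of the sizes quoted in the messages, and the 32-byte alignment is not modelled; the field constant follows NIST SP 800-38D.

```python
# Added example (not PyCryptodome's C code). Blocks: 128-bit ints, GCM bit 0 = integer MSB.
R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1

def gf_mul(x, y):
    """Reference bit-serial multiply (SP 800-38D Algorithm 1), no tables."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1  # v *= x
    return z

def mul_by_x8(v):
    """Multiply by x^8: eight shift-and-reduce steps (the 4 KB path pays this per byte)."""
    for _ in range(8):
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return v

def build_table_4k(h):
    """256 entries * 16 bytes = 4 KB: T[b] = (b in the top byte) * H."""
    return [gf_mul(b << 120, h) for b in range(256)]

def build_table_64k(h):
    """16 tables * 256 entries * 16 bytes = 64 KB: T[i][b] = (b at byte i) * H."""
    tables = [build_table_4k(h)]
    for _ in range(15):
        tables.append([mul_by_x8(e) for e in tables[-1]])
    return tables

def mul_h_4k(x, table):
    """X * H with the 4 KB table: Horner over the bytes, least significant first."""
    z = 0
    for i in range(16):
        z = mul_by_x8(z) ^ table[(x >> (8 * i)) & 0xFF]
    return z

def mul_h_64k(x, tables):
    """X * H with the 64 KB tables: one lookup per byte and no reduction step."""
    z = 0
    for i in range(16):
        z ^= tables[i][(x >> (8 * (15 - i))) & 0xFF]
    return z

def ghash(blocks, mul_h):
    """GHASH over 128-bit blocks: Y_i = (Y_{i-1} xor X_i) * H, using the given multiply."""
    y = 0
    for blk in blocks:
        y = mul_h(y ^ blk)
    return y
```

Per block, the 4 KB path does 16 lookups plus 16 reductions of 8 steps each, while the 64 KB path does 16 lookups only; either table costs 256 or 4096 field multiplications to build, which is why building one for the single-block IV hash is a net loss.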