The randfunc parameter of getRandomInteger() can
be a callable object or None.
If it is None, C code will import the Random module
and create a new RNG object.
Apart from breaking pypy, the C code is ugly and unnecessary:
it is much easier to ensure that getRandomInteger()
is always called with a valid object from the Python side.
scrypt is a robust password-based key derivation function.
This set of changes implements it according to the RFC draft:
http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
scrypt is also added to the algorithms understood by PKCS#8
(so that one can protect private keys at rest with it).
Additionally, this patch adds test cases for PBES functions.
Fixing run time error caused by invalid attribute reference on object:
from Crypto import Random
File "/usr/lib64/python2.6/site-packages/Crypto/Random/__init__.py", line 29, in <module>
from Crypto.Random import _UserFriendlyRNG
File "/usr/lib64/python2.6/site-packages/Crypto/Random/_UserFriendlyRNG.py", line 38, in <module>
from Crypto.Random.Fortuna import FortunaAccumulator
File "/usr/lib64/python2.6/site-packages/Crypto/Random/Fortuna/FortunaAccumulator.py", line 39, in <module>
import FortunaGenerator
File "/usr/lib64/python2.6/site-packages/Crypto/Random/Fortuna/FortunaGenerator.py", line 34, in <module>
from Crypto.Util.number import ceil_shift, exact_log2, exact_div
File "/usr/lib64/python2.6/site-packages/Crypto/Util/number.py", line 56, in <module>
if _fastmath is not None and not getattr(_fastmath, "HAVE_DECL_MPZ_POWM_SEC"):
AttributeError: 'module' object has no attribute 'HAVE_DECL_MPZ_POWM_SEC'
o _fastmath now builds and runs on PY3K
o Changes to setup.py to allow /usr/include for gmp.h
o Changes to setup.py to allow linking fastmath w/ static mpir
on Windows without warning messages
o Changes to test_DSA/test_RSA to throw an exception if _fastmath
is present but cannot be imported (due to an issue building
_fastmath or the shared gmp/mpir libraries not being reachable)
o number.py has the code to flag a failing _fastmath, but that
code is commented out for a better runtime experience
o Clean up the if for py21compat import - should have been == not is
o Clean up some '== None' occurrences, now 'is None' instead
Legrandin's getStrongPrime() patch changed the behaviour of
Crypto.Util.number.getRandomNumber() to something that is more like what
people would expect, but different from what we did before. This change
modifies Crypto.Util.number in the following ways:
- Rename getRandomNBitNumber -> getRandomNBitInteger
and getRandomNumber -> getRandomInteger
- Preserve old behaviour by making getRandomNumber work the same as
getRandomNBitInteger.
- Emit a DeprecationWarning when the old getRandomNumber is used.
- Replaced things like (1 << bits) with (1L << bits). See PEP 237:
- In Python < 2.4, (1<<31) evaluates as -2147483648
- In Python >= 2.4, it becomes 2147483648L
- Replaced things like (bits/2) with the equivalent (bits>>1). This makes
PyCrypto work when floating-point division is enabled (e.g. in Python 2.6
with -Qnew)
- In Python < 2.2, expressions like 2**1279, 1007119*2014237, and
3153640933 raise OverflowError. Replaced them with 2L**1279,
1007119L*2014237L, and 3153640933, respectively.
- The "//" and "//=" integer division operators are a syntax error in Python
2.1 and below. Replaced things like (m //= 2) with the equivalent
(m >>= 1).
- Where integer division can't be replaced by bit shifting, replace (a/b) with
(divmod(a, b)[0]).
- math.log takes exactly 1 argument in Python < 2.3, so replaced things like
"-math.log(false_positive_prob, 4)" with
"-math.log(false_positive_prob)/math.log(4)".
From http://lists.dlitz.net/pipermail/pycrypto/2009q4/000167.html, with the
following explanation included in the email:
=== snip ===
Hi there!
Here comes my monster patch.
It includes a python and C version of getStrongPrime, rabinMillerTest and isPrime.
There are also two small unit tests and some helper functions.
They all take a randfunc and propagate them (or so I hope).
The Rabin-Miller-Test uses random bases (non-deterministic).
getStrongPrime and isPrime take an optional parameter "false_positive_prob"
where one can specify the maximum probability that the prime is actually
composite. Internally the functions calculate the Rabin-Miller rounds from
this. It defaults to 1e-6 (1:1000000) which results in 10 rounds of Rabin-Miller
testing.
Please review this carefully. Even though I tried hard to get things right some
bugs always slip through.
Maybe you could also review the way I acquire and release the GIL. It felt kind
of ugly the way I did it, but I don't see a better way just now.
Concerning the public exponent e:
I now know why it needs to be coprime to p-1 and q-1. The private exponent d is
the inverse of e mod ((p-1)(q-1)).
If e is not coprime to ((p-1)(q-1)) then the inverse does not exist [1].
getStrongPrime takes an optional argument e. If provided, the function will
make sure p-1 and e are coprime. If e is even, (p-1)/2 will be coprime.
If e is even then there is an additional constraint: p =/= q mod 8.
I can't check for that in getStrongPrime of course but since we hardcoded e to
be odd in _RSA.py this should pose no problem.
The Baillie-PSW-Test is not included.
I tried hard not to use any functionality newer than 2.1, but if you find anything
feel free to criticize. Also if I didn't get the coding style right either tell
me or feel free to correct it yourself.
Have fun.
//Lorenz
[1] http://mathworld.wolfram.com/ModularInverse.html
=== snip ===
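The prime-testing scheme the e-mail above describes, as an added example in Python 3 (not PyCrypto's own code and not Lorenz's patch): the Rabin-Miller round count is derived from false_positive_prob, random bases come from a caller-supplied randfunc, and the e-coprimality rule for getStrongPrime is checked as stated. The function names are mine.

```python
import math
import os

# Added illustration, not PyCrypto code: Rabin-Miller as described in the
# patch e-mail (randfunc-driven bases, rounds computed from the error bound).

def rabin_miller_rounds(false_positive_prob):
    # One round lets a composite pass with probability at most 1/4, so n rounds
    # bound the error by 4**-n; the default 1e-6 therefore needs 10 rounds.
    return int(math.ceil(-math.log(false_positive_prob) / math.log(4)))

def rabin_miller_test(n, rounds, randfunc=None):
    """Return False if n is certainly composite, True if it is probably prime."""
    if randfunc is None:            # always hand the test a valid callable
        randfunc = os.urandom
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    # Write n - 1 = 2**s * d with d odd.
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d >> 1
    nbytes = (n.bit_length() + 7) // 8 + 8  # spare bytes keep the modulo bias negligible
    for _ in range(rounds):
        a = 2 + int.from_bytes(randfunc(nbytes), "big") % (n - 3)  # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True

def is_prime(n, false_positive_prob=1e-6, randfunc=None):
    return rabin_miller_test(n, rabin_miller_rounds(false_positive_prob), randfunc)

def prime_usable_with_exponent(p, e):
    # The rule from the e-mail: d = e^-1 mod (p-1)(q-1) exists only if e is
    # coprime to p-1; for even e the check is made against (p-1)/2 instead.
    return math.gcd((p - 1) >> 1 if e % 2 == 0 else p - 1, e) == 1
```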
This will avoid the previous situation where scripts like the old "test.py"
get included accidentally in a release. It also frees us to put additional
build scripts in the top-level directory of the source tree.