ek and dk are used as operands in instructions that require 16-byte alignment.
Thanks to Greg Price for finding this issue.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
The main change done by this commit is adding support
for MODE_GCM (NIST SP 800 38D). Test vectors are included.
The mode uses a C extension (Crypto.Util.galois._ghash)
to compute the GHASH step. The C implementation is the most
basic one and it is still significantly (5x) slower than CTR.
Optimizations can be introduced using tables (CPU/memory trade-off)
or even AES NI instructions on newer x86 CPUs.
This patch also simplifies Crypto.Cipher.blockalgo.py by:
* removing duplicated code previously shared by digest() and verify().
* removing duplicated code previously shared by Crypto.Hash.CMAC
and Crypto.Cipher.block_algo (management of internal buffers
for MACs that can only operate on block aligned data, like
CMAC, CBCMAC, and now also GHASH).
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [ca460a7] Made blockalgo.py more PEP-8 compliant;
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Replaced renamed variable `ht` with original `h`]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
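The GHASH step this commit adds is easier to follow in working code. Below is an added example, written for this page and not PyCrypto's own Crypto.Util.galois._ghash: a pure-Python GHASH and tag computation per NIST SP 800-38D (sections 6.3 and 6.4). The bit-by-bit multiply is the "most basic" approach the message refers to; the table-driven variants it mentions precompute multiples of H instead. AES itself is left out, so E_K(J0) is passed in by the caller; the constants are the published values from test case 2 of the GCM specification (all-zero key, IV and plaintext block). Function names are this example's own.

```python
# Added example: pure-Python GHASH and GCM tag (NIST SP 800-38D, sections
# 6.3 and 6.4). Not PyCrypto's code; names are this example's own.

_R = 0xE1000000000000000000000000000000  # reduction constant, x^128+x^7+x^2+x+1


def gf_mult(x, y):
    """Multiply two 128-bit integers in GF(2^128) using GCM's bit order
    (bit 0 is the most significant bit of the block). One loop iteration
    per bit: this is the slow-but-simple variant."""
    z = 0
    v = y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        if v & 1:
            v = (v >> 1) ^ _R
        else:
            v >>= 1
    return z


def _blocks(data):
    """Yield 16-byte blocks of data, zero-padding a trailing partial block."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h, aad, ciphertext):
    """GHASH_H(A, C): absorb padded AAD, then padded ciphertext, then the
    64-bit bit-lengths of A and C; each step is Y_i = (Y_{i-1} XOR X_i) * H."""
    hk = int.from_bytes(h, "big")
    y = 0
    for block in _blocks(aad):
        y = gf_mult(y ^ int.from_bytes(block, "big"), hk)
    for block in _blocks(ciphertext):
        y = gf_mult(y ^ int.from_bytes(block, "big"), hk)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    y = gf_mult(y ^ lengths, hk)
    return y.to_bytes(16, "big")


def gcm_tag(h, ek_j0, aad, ciphertext, tag_len=16):
    """T = MSB_tagLen(GHASH_H(A, C) XOR E_K(J0)). E_K(J0) is supplied by the
    caller so this example does not depend on an AES implementation."""
    g = ghash(h, aad, ciphertext)
    return bytes(a ^ b for a, b in zip(g, ek_j0))[:tag_len]


# Published values from test case 2 of the GCM specification (K = 0^128,
# IV = 0^96, one all-zero plaintext block, no AAD). H and E_K(J0) are the
# AES outputs for that key; C is the single ciphertext block.
TC2_H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
TC2_EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")
TC2_C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")


def demo_tag():
    """Return the 16-byte authentication tag for test case 2."""
    return gcm_tag(TC2_H, TC2_EK_J0, b"", TC2_C)


if __name__ == "__main__":
    print("GHASH:", ghash(TC2_H, b"", TC2_C).hex())
    print("tag:  ", demo_tag().hex())
```

With no AAD and no ciphertext the length block is all zero, so GHASH is zero and the tag equals E_K(J0) alone; that is why a GCM tag with an all-zero GHASH still authenticates nothing but the nonce, and why the nonce must never repeat under one key.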
Merge tag 'v2.6.1' (fix CVE-2013-1445)
This is the PyCrypto 2.6.1 release.
Dwayne Litzenberger (4):
Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445)
Fortuna: Add comments for reseed_interval and min_pool_size to FortunaAccumulator
Update the ChangeLog
Release v2.6.1
The patch contains the following changes:
- Private RSA keys can be imported/exported in encrypted form,
protected according to PKCS#8 and:
* PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC.
* PBKDF2WithHMAC-SHA1AndAES128-CBC
* PBKDF2WithHMAC-SHA1AndAES192-CBC
* PBKDF2WithHMAC-SHA1AndAES256-CBC
In addition to that, it is possible to import keys in the
following weak formats:
* pbeWithMD5AndDES-CBC
* pbeWithSHA1AndRC2-CBC
* pbeWithMD5AndRC2-CBC
* pbeWithSHA1AndDES-CBC
- The following new modules (and one new package) are added:
* Crypto.Util.Padding for simple padding/unpadding logic
* Crypto.IO._PBES for PBE-related PKCS#5 logic
* Crypto.IO.PEM for PEM wrapping/unwrapping
* Crypto.IO.PKCS8 for PKCS#8 wrapping/unwrapping
- All Object IDs (OIDs) are now in dotted form to increase
readability.
- Add AES support to PEM format (decode only).
The PEM module can decrypt messages protected with AES-CBC.
- Update RSA import test cases.
- Updated PKCS8 test cases
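Two pieces of this change are small enough to show in full: the padding logic behind the CBC-based PBES schemes and the PEM wrapping that carries the PKCS#8 blob. The block below is an added example written for this page, not the code of Crypto.Util.Padding or Crypto.IO.PEM; the function names are this example's own, and the DER sample is a constructed SEQUENCE { INTEGER 5 }, not a real key. The unpad() is deliberately strict, since a lenient unpad after CBC decryption is where padding-oracle bugs start; the PEM decoder parses the legacy "Proc-Type"/"DEK-Info" headers used by the AES-CBC PEM format but leaves decryption to a cipher.

```python
# Added example: PKCS#7-style pad/unpad and PEM wrap/unwrap. Illustrative
# code, not PyCrypto's Crypto.Util.Padding or Crypto.IO.PEM.
import base64
import re


def pad(data, block_size):
    """Append 1..block_size bytes, each equal to the number of bytes added
    (PKCS#5/#7 padding, the scheme the CBC-based PBES modes rely on)."""
    if not 1 <= block_size <= 255:
        raise ValueError("block_size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def unpad(data, block_size):
    """Strict inverse of pad(): reject unaligned input, an out-of-range
    count and inconsistent padding bytes instead of trusting the last byte."""
    if not data or len(data) % block_size:
        raise ValueError("input is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block_size:
        raise ValueError("invalid padding length")
    if data[-n:] != bytes([n]) * n:
        raise ValueError("inconsistent padding bytes")
    return data[:-n]


def padding_ok(data, block_size):
    """True if unpad() would accept data. Never expose this verdict to a
    remote party after CBC decryption: that is a padding oracle."""
    try:
        unpad(data, block_size)
    except ValueError:
        return False
    return True


_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)


def pem_encode(der, label, headers=None):
    """Wrap DER bytes as a PEM block, with optional RFC 1421 headers
    (e.g. Proc-Type/DEK-Info) followed by the blank line the format requires."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out = ["-----BEGIN %s-----" % label]
    if headers:
        out.extend("%s: %s" % kv for kv in headers.items())
        out.append("")
    out.extend(lines)
    out.append("-----END %s-----" % label)
    return "\n".join(out) + "\n"


def pem_decode(pem, expected_label=None):
    """Return (label, headers, payload). Headers are parsed; the payload is
    returned as-is, so a DEK-Info-protected body still needs decrypting."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group("label")
    if expected_label is not None and label != expected_label:
        raise ValueError("expected %r, found %r" % (expected_label, label))
    lines = m.group("body").splitlines()
    headers = {}
    i = 0
    while i < len(lines) and ":" in lines[i]:  # base64 never contains ':'
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    if headers:
        if i >= len(lines) or lines[i].strip():
            raise ValueError("PEM headers must end with a blank line")
        i += 1
    payload = base64.b64decode("".join(lines[i:]), validate=True)
    return label, headers, payload


# Constructed sample: DER for SEQUENCE { INTEGER 5 }, not a real key.
SAMPLE_DER = bytes.fromhex("3003020105")
```

Passing expected_label lets a PKCS#8 loader insist on "ENCRYPTED PRIVATE KEY" or "PRIVATE KEY" rather than accepting whatever block the file happens to contain.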
new file: lib/Crypto/Cipher/Salsa20.py
modified: lib/Crypto/SelfTest/Cipher/__init__.py
new file: lib/Crypto/SelfTest/Cipher/test_Salsa20.py
modified: setup.py
new file: src/Salsa20.c
new file: src/salsa20/ecrypt-config.h
new file: src/salsa20/ecrypt-machine.h
new file: src/salsa20/ecrypt-portable.h
new file: src/salsa20/ecrypt-sync.h
new file: src/streamIV_template.c
The pure Python wrappers around Crypto.Hash.* were convenient, but they
slowed down hash initialization by 4-7x.
There is a speed trade-off here: The MD5 and SHA1 objects are just
wrapped hashlib objects (or old-style md5/sha objects). To maintain API
compatibility with the rest of PyCrypto, we still have to wrap them, so
they're slower to initialize than the rest of the hash functions. If
hashlib ever adds a .new() method, we will automatically use hashlib
directly and gain the initialization speed-up.
Hopefully this means we'll break on fewer platforms.
Also, remove some of the extra optimization flags (e.g. -O3
-fomit-frame-pointer), which don't really do much.
A new module (blockalgo) has been added. It contains a class (BlockAlgo)
all ciphers derive from. The only purpose of such base class
is to centralize all general documentation applicable to all block
ciphers (e.g. modes) into a single file.
When installing with easy_install, build_ext is called directly. Thus we have to
ensure that build_configure is run before we're building the extensions in
build_ext.
(as submitted here https://bugs.launchpad.net/pycrypto/+bug/544792)
so that they are available also in Python 2.1, 2.2, 2.3 and 2.4.
Regardless where the implementation comes from (Python standard
library or our native modules, depending on the Python version),
all Crypto.Hash objects are always used as front-ends.