| Commit message | Author | Age | Files | Lines |
www.dlitz.net
Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.
However, in some extreme cases this may still fail. Bumping the maximum
number allows the algorithm to correctly find the right values for these
cases. This change bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.
Note that this change does *not* result in a performance degradation.
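The recovery procedure the commit above describes, as an added Python example (not PyCrypto's own code): e*d - 1 = 2^s * t is a multiple of the order of the multiplicative group, so repeatedly squaring a^t mod n finds a non-trivial square root of 1 for about half of the bases, and its gcd with n is a factor. The base a stepping by 2 and the 500-iteration cap follow the commit message; the test keys (n = 3233 and n = 10403) are constructed toy values.

```python
from math import gcd


def recover_primes(n, e, d, max_iterations=500):
    """Recover (p, q) from the RSA triple (n, e, d).

    e*d == 1 (mod lcm(p-1, q-1)), so k = e*d - 1 = 2^s * t kills every
    element of (Z/nZ)^*.  For a base a, the chain a^t, a^(2t), ... reaches 1;
    if it passes through a value x with x^2 == 1 but x != +-1, then x == 1
    modulo one prime and -1 modulo the other, and gcd(x - 1, n) is a factor.
    Roughly half of all bases work, which is the 1/2 chance in the commit.
    """
    k = e * d - 1
    if k <= 0 or k % 2:
        raise ValueError("e*d - 1 must be positive and even")
    s, t = 0, k
    while t % 2 == 0:            # split k into 2^s * t with t odd
        s += 1
        t //= 2
    a = 2
    for _ in range(max_iterations):
        g = gcd(a, n)
        if 1 < g < n:            # a itself already shares a factor with n
            return max(g, n // g), min(g, n // g)
        x = pow(a, t, n)
        for _ in range(s):
            y = x * x % n
            if y == 1 and x != 1 and x != n - 1:
                p = gcd(x - 1, n)   # non-trivial square root of 1 found
                q = n // p
                return max(p, q), min(p, q)
            x = y
        a += 2                   # next base, as in the commit message
    raise ValueError("unable to recover p and q within the iteration limit")
```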
In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.
If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.
This patch reduces the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache lines of that size or larger).
This patch will reduce the overall performance.
This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.
This patch strengthens the DSA signing code against
side-channel attacks.
The DSA signing formulae:
r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q
become:
b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q
In this way we avoid having the secret (x) multiplied
by a random factor (r) which is immediately disclosed
to an attacker (who we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).
See also attack DSA_2 in:
"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
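The blinded signing equation from the commit above, worked through in an added Python example (not PyCrypto's own code). The group p = 23, q = 11, g = 2, the private key x and the SHA-256 stand-in for H are constructed toy assumptions; the point shown is that the secret x only ever enters a multiplication as b*x with b secret, while the resulting signature is identical to the textbook one and verifies normally.

```python
import hashlib
import secrets

# Constructed toy DSA group: q = 11 divides p - 1 = 22 and g = 2 has order q mod p.
P, Q, G = 23, 11, 2
X = 7                      # private key x (constructed)
Y = pow(G, X, P)           # public key y = g^x mod p


def h(m: bytes) -> int:
    """H(m) reduced mod q; SHA-256 stands in for the DSA hash here."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def sign_plain(m: bytes, k: int, x: int = X):
    """Textbook DSA: s = k^{-1} (H(m) + r*x) mod q.  x is multiplied by the
    public r, which is what the side-channel attack DSA_2 exploits."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(m) + r * x) % Q
    return r, s


def sign_blinded(m: bytes, k: int, x: int = X, b: int = None):
    """Blinded DSA from the commit: s = (b*k)^{-1} (b*H(m) + r*(b*x)) mod q.
    The only multiplication involving x uses the secret blinding factor b."""
    if b is None:
        b = secrets.randbelow(Q - 1) + 1     # b in [1..q)
    r = pow(G, k, P) % Q
    bx = b * x % Q                           # secret * secret, never secret * r
    s = pow(b * k % Q, -1, Q) * (b * h(m) % Q + r * bx) % Q
    return r, s


def verify(m: bytes, r: int, s: int, y: int = Y) -> bool:
    """Standard DSA verification; unchanged by blinding."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(m) * w % Q, r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r
```

Algebraically (b*k)^{-1} * b * (H(m) + r*x) = k^{-1} * (H(m) + r*x) mod q, so the blinding factor cancels and the two functions produce the same (r, s).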
The following custom exceptions are replaced with ValueError:
* Crypto.Util.PaddingError
* Crypto.PublicKey.KeyFormatError
The custom Crypto.Util.asn1.NoDerElementError is now private to the
module.
Some whitespace has been removed.
Python 2.1 str objects don't have a .decode() method.
This should fix a FreeBSD build issue:
https://bugs.launchpad.net/pycrypto/+bug/1264130
Thanks to Richard Mitchell <richard.j.mitchell@gmail.com> for suggesting
how to fix this.
Original tarball downloaded from:
http://libtom.org/files/crypt-1.17.tar.bz2
http://libtom.org/files/crypt-1.17.tar.bz2.sig
SHA256 sums:
e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116 *crypt-1.17.tar.bz2
8f52ddfb17656f7a2e510d92a26c8b33e0c1f431af7febd9cf1298a77b5fd932 *crypt-1.17.tar.bz2.sig
libtomcrypt-1.17/LICENSE says:
LibTomCrypt is public domain. As should all quality software be.
Tom St Denis
tomcrypt_des.c
them if the build fails with a specific error. LP:1270996.
clang provides the same constant as bit_AESNI in some versions, and doesn't
provide it at all in others.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
clang-3.3 is stricter regarding the second argument of _mm_shuffle_epi32.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
(sys.platform should be "linux2", not "linux3")
- Set errno properly when using posix_memalign
- Rename to aligned_malloc_wrapper / aligned_free_wrapper
- Use a single set of #if blocks, to avoid the possibility of
mismatching them.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
For _aligned_malloc calling free is illegal. We need to use _aligned_free
instead.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
This also fixes the order of arguments passed to _aligned_malloc.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
ek and dk are used as operands in instructions that require 16 byte alignment.
Thanks to Greg Price for finding this issue.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
This is the counterpart to block_init which is called from ALGnew.
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
previous commit)
Tested on py21-py33 by force-uninstalling libgmp10 after building.
so that they call `Crypto.SelfTest.st_common.handle_fastmath_import_error`,
thereby eliminating duplicate code.
```
ext_suffix = get_config_var("EXT_SUFFIX") or get_config_var("SO")
```
because `get_config_var("SO")` returns None in Python 3.4.0a4 because the "SO"
variable is deprecated and "EXT_SUFFIX" is the new way to get this information
(see: http://bugs.python.org/issue19555)
This fixes `TypeError: Can't convert 'NoneType' object to str implicitly`
errors when running the tests on Python 3.4.0a4.