Computing the blinding factor and its inverse was done in a thread-unsafe
manner. Locking the computation & update of the blinding factors, and
passing these around in frame- and stack-bound data, solves this.
Store blinding factor + its inverse, so that they can be reused & updated
on every blinding operation. This avoids expensive computations.
The reuse of the previous blinding factor is done via squaring (mod n), as
per section 9 of 'A Timing Attack against RSA with the Chinese Remainder
Theorem' by Werner Schindler, https://tls.mbed.org/public/WSchindler-RSA_Timing_Attack.pdf
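The two blinding commits above (serialising the update of the blinding factors, and refreshing them by squaring mod n instead of generating a fresh factor) as an added Python illustration. This is not python-rsa's own code: it assumes a constructed textbook-sized key (p=61, q=53, e=17) and a caller-chosen initial factor r, and only the read-and-update of the pair (r, r^-1) is held under the lock, so the expensive exponentiation runs on each caller's own copy.

```python
import threading

# Constructed toy RSA key (p=61, q=53); a real modulus is thousands of bits,
# but the blinding arithmetic is identical.
N, E, D = 3233, 17, 2753


def rsa_private_op(c, d, n):
    """Plain, unblinded private-key operation c^d mod n (for comparison)."""
    return pow(c, d, n)


class BlindedKey:
    """Private key plus a blinding factor r and its inverse, guarded by a lock.

    Each private operation is run on c * r^e instead of c, so the exponentiation's
    timing does not correlate with the attacker-visible c. After every use the pair
    is advanced to (r^2, r^-2) mod n (Schindler, section 9), which is far cheaper
    than picking a new r and computing its inverse.
    """

    def __init__(self, n, e, d, initial_r):
        self.n, self.e, self.d = n, e, d
        self._lock = threading.Lock()
        self._r = initial_r % n
        # pow(x, -1, n) needs Python 3.8+; gcd(initial_r, n) must be 1.
        self._r_inv = pow(self._r, -1, n)

    def _take_blinding_pair(self):
        """Return the current (r, r^-1) and advance the stored pair by squaring.

        This is the only shared-state access; it is done under the lock so that
        concurrent callers never observe a half-updated (r, r^-1) pair.
        """
        with self._lock:
            r, r_inv = self._r, self._r_inv
            self._r = (r * r) % self.n
            self._r_inv = (r_inv * r_inv) % self.n
        return r, r_inv

    def blinded_decrypt(self, c):
        """Blind c, run the private operation on the caller's own copy, unblind."""
        r, r_inv = self._take_blinding_pair()
        blinded = (c * pow(r, self.e, self.n)) % self.n
        m_blinded = pow(blinded, self.d, self.n)
        return (m_blinded * r_inv) % self.n

    def current_blinding_factor(self):
        with self._lock:
            return self._r

    def blinding_pair_is_consistent(self):
        """Check the invariant r * r^-1 == 1 (mod n) survives the squaring updates."""
        with self._lock:
            return (self._r * self._r_inv) % self.n == 1


def decrypt_from_threads(key, c, count=8):
    """Run `count` blinded decryptions concurrently and return their results."""
    results = [None] * count

    def worker(i):
        results[i] = key.blinded_decrypt(c)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    key = BlindedKey(N, E, D, initial_r=7)
    c = pow(65, E, N)
    print(key.blinded_decrypt(c), rsa_private_op(c, D, N))
    print(decrypt_from_threads(key, c))
```

The point of the lock placement is the one the commit makes: the shared state is touched only for the cheap read-and-square, and the per-call (r, r^-1) travels with the call's own stack frame, so a concurrent caller cannot unblind with a factor that another thread has since replaced.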
Crypto length and blocksize are public info, so they don't need a side-channel-free
comparison.
Use `bytes.find()` instead of `bytes.index()`, as the former doesn't raise
an exception when the to-be-found byte doesn't exist.
According to PKCS#1 v1.5, the padding should be at least 8 bytes long.
See https://tools.ietf.org/html/rfc8017#section-7.2.2 step 3 for more info.
Use as many constant-time comparisons as practical in the
`rsa.pkcs1.decrypt` function.
`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
alternative would be to iterate over all the data byte by byte in
Python, which is several orders of magnitude slower. Given that a
perfect constant-time implementation is very hard or even impossible to
do in Python [1], I chose the more performant option here.
[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
The third-party library that adds support for this to Python 3.5 is a
binary package, and thus breaks the pure-Python nature of Python-RSA.
This should fix [#147](https://github.com/sybrenstuvel/python-rsa/issues/147).
Reject cyphertexts that have been modified by prepending zero bytes, by
checking the cyphertext length against the expected size (given the
decryption key). This resolves CVE-2020-13757.
The same approach is used when verifying a signature.
Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
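The decryption-side checks that the commits above describe, as an added Python illustration rather than python-rsa's own code: the ciphertext-length check against the key's byte size (CVE-2020-13757), the `0x00 0x02` header compared with `hmac.compare_digest`, `bytes.find()` for the separator so that a missing separator does not raise a different error, and the minimum 8-byte padding string from RFC 8017 section 7.2.2 step 3. The 1024-bit modulus `N_DEMO` is a constructed placeholder whose only relevant property is its bit length; the `rejects` helper exists only so the checks can be exercised without a caller having to catch exceptions.

```python
import hmac

# Constructed placeholder modulus: not a real key, only its bit length matters here.
N_DEMO = (1 << 1023) | 1


class DecryptionError(Exception):
    """Raised for every rejection; the message is deliberately uninformative so that
    the reason for failure is not leaked to the caller."""


def byte_size(n):
    """Number of bytes needed to hold the modulus n, i.e. the key's block size."""
    return (n.bit_length() + 7) // 8


def check_ciphertext_length(ciphertext, n):
    """Reject ciphertexts whose length does not match the key.

    A ciphertext with zero bytes prepended converts to the same integer and would
    otherwise decrypt successfully; comparing the length against the key's block
    size is the check described for CVE-2020-13757.
    """
    if len(ciphertext) != byte_size(n):
        raise DecryptionError("Decryption failed")


def unpad_pkcs1_v15(cleartext):
    """Strip EME-PKCS1-v1_5 padding: 0x00 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M."""
    # Fixed header bytes: compare in constant time rather than with `!=`.
    if not hmac.compare_digest(cleartext[:2], b"\x00\x02"):
        raise DecryptionError("Decryption failed")
    # bytes.find() returns -1 instead of raising ValueError, so the missing-separator
    # case takes the same error path as every other rejection.
    sep_idx = cleartext.find(b"\x00", 2)
    if sep_idx < 0:
        raise DecryptionError("Decryption failed")
    # RFC 8017 section 7.2.2 step 3: the padding string PS must be at least 8 octets.
    if sep_idx - 2 < 8:
        raise DecryptionError("Decryption failed")
    return cleartext[sep_idx + 1:]


def rejects(func, *args):
    """True if func(*args) raises DecryptionError, False if it returns normally."""
    try:
        func(*args)
    except DecryptionError:
        return True
    return False


if __name__ == "__main__":
    padded = b"\x00\x02" + b"\x01" * 8 + b"\x00" + b"hello"
    print(unpad_pkcs1_v15(padded))
    print(rejects(check_ciphertext_length, b"\x00" + b"\x01" * 128, N_DEMO))
```

As the constant-time commit above notes, the `find()` scan for the separator is still data-dependent; the header comparison is the part that is cheap to make constant-time in pure Python.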
This is a requirement for RSA blinding, but wasn't implemented yet.
Also reorganised the only function that had a higher complexity.
This is based on https://github.com/sybrenstuvel/python-rsa/pull/96, with
a few improvements:
- The minimum of one use of SHA3 in a unit test, to at least touch it at
some point.
- Documented the support of SHA3.
- Only install the third-party library required by Python 3.5 when we're
running on Python 3.5. Newer Python versions support SHA3 natively.
One functional change: `CryptoOperation.read_infile()` now reads bytes
from `sys.stdin` instead of text. This is necessary to be consistent with
the rest of the code, which all deals with bytes.
In "if A and B", if A is mostly True then we should evaluate B first.
In preparation of removal of Python 2.7 support, I only want to have
compatibility code for Python 2.7 in `_compat.py`, and not other kinds
of 'compatibility'.
There is no need to specify this list in PKCS1_v2 when it is
already specified in PKCS1. This does rely on the digest_size
attribute being available, but pkcs1.py already depends heavily
on the specific API of hashlib.
Implementation of the Mask Generation Function `MGF1` used in the OAEP encoding step.
For more information, the MGF1 specification is at https://tools.ietf.org/html/rfc2437#section-10.2.1
* Split the hashing out of the sign method
  This code change adds support to split the hashing of a message
  and the actual signing of the message.
* Updating unit test and documentation
  This commit updates the unit test and usage docs. In addition,
  this change removes a redundant error check inside rsa.sign().
* Refactor unit tests and code comments
  Removed the print statements from the unit test and refactored a
  few code comments to improve readability.
* Rename hash function
  The new hash function had the same name as a function in the
  standard library. This commit changes the name to avoid conflicts.
* Rename hash function to compute_hash()
  This commit renames the hash function to compute_hash().
Created as a new function as it will be needed by the new PKCS#1 2.0 implementation, specifically for the MGF1 function used in the OAEP encoding/decoding.
This allows us to avoid a dependency on `math`.
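An added Python illustration of the two pieces described above: MGF1 as specified in RFC 2437 section 10.2.1 (and RFC 8017 appendix B.2.1), built on an integer ceiling-division helper that needs no `math` import. This is not python-rsa's own code; the seeds used are constructed, and `hash_block` is a hypothetical helper exposed only so the counter-concatenation structure can be checked block by block.

```python
import hashlib


def ceil_div(num, div):
    """Integer ceiling division, exact for arbitrarily large ints (no math.ceil)."""
    quanta, mod = divmod(num, div)
    if mod:
        quanta += 1
    return quanta


def i2osp(x, length):
    """Integer-to-octet-string primitive: big-endian, fixed length."""
    return x.to_bytes(length, "big")


def hash_block(seed, counter, hasher="sha1"):
    """One MGF1 block: Hash(seed || I2OSP(counter, 4)). Hypothetical helper for checking."""
    return hashlib.new(hasher, seed + i2osp(counter, 4)).digest()


def mgf1(seed, length, hasher="sha1"):
    """MGF1: concatenate Hash(seed || counter) for counter = 0, 1, ... and truncate.

    RFC 2437 section 10.2.1 / RFC 8017 appendix B.2.1. The counter is a 4-byte
    big-endian integer, so the mask may be at most 2^32 * hLen bytes long.
    """
    hash_len = hashlib.new(hasher).digest_size
    if length > (1 << 32) * hash_len:
        raise OverflowError("mask too long")
    output = b""
    for counter in range(ceil_div(length, hash_len)):
        output += hash_block(seed, counter, hasher)
    return output[:length]


if __name__ == "__main__":
    print(mgf1(b"bar", 50).hex())
    print(mgf1(b"bar", 50, "sha256").hex())
```

Because MGF1 is deterministic and prefix-consistent, a mask of any length is a prefix of the mask of a longer length with the same seed and hash; that property is what lets the OAEP encoder and decoder regenerate the same mask from the same seed.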
I've not used the name "find_method_hash" suggested in #78, as it's a bit
vague. It's ok-ish for a private function `_find_method_hash`, but I
thought `find_signature_hash` would be more descriptive.
Good catch, thanks!
It's about time to get this merged, thanks again!
Thanks for the improvements!
Overriding __eq__ blocks inheritance of __hash__ in Python 3.
Fixes issue #55