- The DSA parameter 'p' prime was created with 255 bits cleared (but still with the correct strength).
- API documentation is made with sphinx instead of epydoc.
- Start using `importlib` instead of `imp` where available.
- GH#82. Fixed PEM header for RSA/DSA public keys.
- GH#65. Keccak, SHA3, SHAKE and the seek functionality for ChaCha20 were not working on big endian machines. Fixed. Thanks to Mike Gilbert.
- A few fixes in the documentation.
- The library can also be compiled using MinGW.
- Removed use of `alloca()`.
- [Security] Removed implementation of deprecated "quick check" feature of PGP block cipher mode.
- Improved the performance of `scrypt` by converting some Python to C.
- Undefined warning was raised with libgmp version < 5
- Forgot inclusion of `alloca.h`.
- Fixed a warning about type mismatch raised by recent versions of cffi
- Fix renaming of package for `install` command.
- Added option to install the library under the `Cryptodome` package (instead of `Crypto`).
- Added `Crypto.PublicKey.ECC` module (NIST P-256 curve only), including export/import of ECC keys.
- Added support for ECDSA (FIPS 186-3 and RFC6979).
- For CBC/CFB/OFB/CTR cipher objects, `encrypt()` and `decrypt()` cannot be intermixed.
- For CBC/CFB/OFB, the cipher objects have both `IV` and `iv` attributes. `new()` accepts `IV` as well as `iv` as parameter.
- For CFB/OPENPGP cipher objects, `encrypt()` and `decrypt()` do not require the plaintext or ciphertext pieces to have a length that is a multiple of the CFB segment size.
- Added dedicated tests for all cipher modes, including NIST test vectors.
- CTR/CCM/EAX/GCM/SIV/Salsa20/ChaCha20 objects expose the `nonce` attribute.
- For performance reasons, the CCM cipher optionally accepted a pre-declaration of the length of the associated data, but never checked whether the data actually passed to the cipher matched that length. That check is now enforced.
- CTR cipher objects accept parameter `nonce` and possibly `initial_value` as an alternative to `counter` (which is deprecated).
- All `iv`/`IV` and `nonce` parameters are optional. If not provided, they will be randomly generated (exception: `nonce` for CTR mode in case of block sizes smaller than 16 bytes).
- Refactored ARC2 cipher.
- Added `Crypto.Cipher.DES3.adjust_key_parity()` function.
- Added `RSA.import_key` as an alias to the deprecated `RSA.importKey` (same for the `DSA` module).
- Added `size_in_bits()` and `size_in_bytes()` methods to `RsaKey`.
- RSA key size is now returned correctly by the `RsaKey.__repr__()` method (kudos to hannesv).
- CTR mode no longer modifies the `counter` parameter passed to the `new()` method.
- CTR raises `OverflowError` instead of `ValueError` when the counter wraps around.
- PEM files with Windows newlines could not be imported.
- `Crypto.IO.PEM` and `Crypto.IO.PKCS8` used to accept empty passphrases.
- GH#6: `NotImplementedError` is now raised for the unsupported methods `sign`, `verify`, `encrypt`, `decrypt`, `blind`, `unblind` and `size` in the objects `RsaKey`, `DsaKey` and `ElGamalKey`.
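The two CTR entries above (a `nonce` plus `initial_value` replacing `counter`, and `OverflowError` on wraparound, with the random-nonce exception for short block sizes) as an added pure-Python illustration. This is not PyCryptodome's own code; it assumes the library's layout in which the nonce occupies the leading bytes of each counter block and a big-endian counter fills the remainder.

```python
import os


def counter_blocks(nonce, initial_value=0, n_blocks=1, block_size=16):
    """Return the counter blocks fed to the block cipher for n_blocks blocks.

    Assumed layout (as in PyCryptodome): nonce || big-endian counter.
    A counter that wraps would repeat a block, and therefore repeat
    keystream under the same key, so the function raises OverflowError
    instead of silently continuing.
    """
    if not 0 < len(nonce) < block_size:
        raise ValueError("nonce must be non-empty and shorter than the block")
    counter_len = block_size - len(nonce)
    limit = 1 << (8 * counter_len)           # counter values lie in [0, limit)
    if not 0 <= initial_value < limit:
        raise ValueError("initial_value does not fit the counter field")
    blocks = []
    for i in range(n_blocks):
        value = initial_value + i
        if value >= limit:
            raise OverflowError("The counter has wrapped around in CTR mode")
        blocks.append(nonce + value.to_bytes(counter_len, "big"))
    return blocks


def max_blocks(nonce_len, initial_value=0, block_size=16):
    """Number of blocks that can be processed before the counter wraps."""
    return (1 << (8 * (block_size - nonce_len))) - initial_value


def random_nonce(block_size=16):
    """Default nonce of half a block, refused for short block sizes.

    With an 8-byte block a random nonce would leave only 4 counter bytes
    and collide too easily, which is why the library demands an explicit
    nonce there (the exception noted in the changelog entry).
    """
    if block_size < 16:
        raise TypeError("Impossible to create a safe nonce for short block sizes")
    return os.urandom(block_size // 2)
```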
- Parameter `segment_size` cannot be 0 for the CFB mode.
- For OCB ciphers, a final call without parameters to `encrypt` must end a sequence of calls to `encrypt` with data (similarly for `decrypt`).
- Key size for `ARC2`, `ARC4` and `Blowfish` must be at least 40 bits long (still very weak).
- DES3 (Triple DES module) does not allow keys that degenerate to Single DES.
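The two Triple DES rules above (`DES3.adjust_key_parity()` and rejection of keys that degenerate to single DES) as an added pure-Python illustration, not PyCryptodome's own code. It assumes the usual DES convention that the low bit of each key byte is a parity bit and that a 16-byte key reuses K1 as K3.

```python
def odd_parity_byte(b):
    """Set the least significant bit so the byte has an odd number of 1 bits."""
    ones = bin(b >> 1).count("1")            # the 7 key bits, parity bit excluded
    return (b & 0xFE) | (0 if ones & 1 else 1)


def adjust_key_parity(key):
    """Return a 16- or 24-byte TDES key with every parity bit corrected."""
    if len(key) not in (16, 24):
        raise ValueError("Not a valid TDES key")
    return bytes(odd_parity_byte(b) for b in key)


def subkeys(key):
    """Split a TDES key into K1, K2, K3 (2-key TDES reuses K1 as K3)."""
    k1, k2 = key[:8], key[8:16]
    k3 = key[16:24] if len(key) == 24 else k1
    return k1, k2, k3


def degenerates_to_single_des(key):
    """True if E(K3, D(K2, E(K1, x))) collapses to one DES pass."""
    k1, k2, k3 = subkeys(key)
    return k1 == k2 or k2 == k3


def validate_tdes_key(key):
    """Parity-adjust first, then refuse degenerate keys.

    The order matters: two sub-keys that differ only in parity bits are
    the same DES key, so the comparison must run on the adjusted bytes.
    """
    key = adjust_key_parity(key)
    if degenerates_to_single_des(key):
        raise ValueError("Triple DES key degenerates to single DES")
    return key
```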
- Removed method `getRandomNumber` in `Crypto.Util.number`.
- Removed module `Crypto.pct_warnings`.
- Removed attribute `Crypto.PublicKey.RSA.algorithmIdentifier`.
- Opt-in for `update()` after `digest()` for SHA-3, keccak, BLAKE2 hashes.
- Removed unused SHA-3 and keccak test vectors, therefore significantly reducing the package from 13MB to 3MB.
- Removed method `copy()` from BLAKE2 hashes.
- Removed ability to `update()` a BLAKE2 hash after the first call to `(hex)digest()`.
- Windows wheels bundle the MPIR library
- Detection of faults occurring during secret RSA operations.
- Detection of non-prime (weak) q value in DSA domain parameters
- Added original Keccak hash family (b=1600 only). In the process, simplified the C code base for SHA-3.
- Added SHAKE128 and SHAKE256 (of SHA-3 family)
- GH#3: gcc 4.4.7 unhappy about double typedef
- Removed method `copy()` from all SHA-3 hashes.
- Removed ability to `update()` a SHA-3 hash after the first call to `(hex)digest()`.
- Windows wheels are automatically built on Appveyor
- Added hash functions BLAKE2b and BLAKE2s.
- Added stream cipher ChaCha20.
- Added OCB cipher mode.
- CMAC raises an exception whenever the message length is found to be too large and the chance of collisions is not negligible.
- New attribute `oid` for Hash objects with ASN.1 Object ID.
- Added `Crypto.Signature.pss` and `Crypto.Signature.pkcs1_15`.
- Added NIST test vectors (roughly 1200) for PKCS#1 v1.5 and PSS signatures.
- tomcrypt_macros.h asm error #1
- Removed keyword `verify_x509_cert` from module method `importKey` (RSA and DSA).
- Reverted to original PyCrypto behavior of method `verify` in `PKCS1_v1_5` and `PKCS1_PSS`.
- Speed up execution of Public Key algorithms on PyPy, when backed by the Gnu Multiprecision (GMP) library.
- GMP headers and static libraries are not required anymore at the time PyCryptodome is built. Instead, the code will automatically use the GMP dynamic library (.so/.DLL) if found in the system at runtime.
- Reduced the amount of C code by almost 40% (4700 lines). Modularized and simplified all code (C and Python) related to block ciphers. PyCryptodome is now free of CPython extensions.
- Add support for CI in Windows via Appveyor.
- RSA and DSA key generation more closely follows FIPS 186-4 (though it is not 100% compliant).
- None
- New dependency on ctypes with Python 2.4.
- The `counter` parameter of a CTR mode cipher must be generated via `Crypto.Util.Counter`. It cannot be a generic callable anymore.
- Removed the `Crypto.Random.Fortuna` package (due to lack of test vectors).
- Removed the `Crypto.Hash.new` function.
- The `allow_wraparound` parameter of `Crypto.Util.Counter` is ignored. An exception is always generated if the counter is reused.
- `DSA.generate`, `RSA.generate` and `ElGamal.generate` do not accept the `progress_func` parameter anymore.
- Removed `Crypto.PublicKey.RSA.RSAImplementation`.
- Removed `Crypto.PublicKey.DSA.DSAImplementation`.
- Removed ambiguous method `size()` from RSA, DSA and ElGamal keys.
- Initial support for PyPy.
- SHA-3 hash family based on the April 2014 draft of FIPS 202. See modules `Crypto.Hash.SHA3_224/256/384/512`. Initial Keccak patch by Fabrizio Tarizzo.
- Salsa20 stream cipher. See module `Crypto.Cipher.Salsa20`. Patch by Fabrizio Tarizzo.
- Colin Percival's `scrypt` key derivation function (`Crypto.Protocol.KDF.scrypt`).
- Proper interface to FIPS 186-3 DSA. See module `Crypto.Signature.DSS`.
- Deterministic DSA (RFC6979). Again, see `Crypto.Signature.DSS`.
- HMAC-based Extract-and-Expand key derivation function (`Crypto.Protocol.KDF.HKDF`, RFC5869).
- Shamir's Secret Sharing protocol, compatible with ssss (128 bits only). See module `Crypto.Protocol.SecretSharing`.
- Ability to generate a DSA key given the domain parameters.
- Ability to test installation with a simple `python -m Crypto.SelfTest`.
- LP#1193521: `mpz_powm_sec()` (and Python) crashed when modulus was odd.
- Benchmarks work again (they broke when ECB stopped working if an IV was passed). Patch by Richard Mitchell.
- LP#1178485: removed some catch-all exception handlers. Patch by Richard Mitchell.
- LP#1209399: Removal of Python wrappers caused HMAC to silently produce the wrong data with SHA-2 algorithms.
- LP#1279231: remove dead code that does nothing in SHA-2 hashes. Patch by Richard Mitchell.
- LP#1327081: AESNI code accesses memory beyond buffer end.
- Stricter checks on ciphertext and plaintext size for textbook RSA (kudos to sharego).
- Removed support for Python < 2.4.
- Removed the following methods from all 3 public key object types (RSA, DSA, ElGamal): `sign`, `verify`, `encrypt`, `decrypt`, `blind`, `unblind`. Code that uses such methods is doomed anyway. It should be fixed ASAP to use the algorithms available in `Crypto.Signature` and `Crypto.Cipher`.
- The 3 public key object types (RSA, DSA, ElGamal) are now unpicklable.
- Symmetric ciphers do not have a default mode anymore (used to be ECB). An expression like `AES.new(key)` will now fail. If ECB is the desired mode, one has to explicitly use `AES.new(key, AES.MODE_ECB)`.
- Unsuccessful verification of a signature will now raise an exception [reverted in 3.2].
- Removed the `Crypto.Random.OSRNG` package.
- Removed the `Crypto.Util.winrandom` module.
- Removed the `Crypto.Random.randpool` module.
- Removed the `Crypto.Cipher.XOR` module.
- Removed the `Crypto.Protocol.AllOrNothing` module.
- Removed the `Crypto.Protocol.Chaffing` module.
- Removed the parameters `disabled_shortcut` and `overflow` from `Crypto.Util.Counter.new`.
- `Crypto.Random` stops being a userspace CSPRNG. It is now a pure wrapper over `os.urandom`.
- Added certain resistance against side-channel attacks for GHASH (GCM) and DSA.
- More test vectors for `HMAC-RIPEMD-160`.
- Update `libtomcrypt` headers and code to v1.17 (kudos to Richard Mitchell).
- RSA and DSA keys are checked for consistency as they are imported.
- Simplified build process by removing autoconf.
- Speed optimization to PBKDF2.
- Add support for MSVC.
- Replaced HMAC code with a BSD implementation. Clarified that starting from the fork, all contributions are released under the BSD license.