2.7a1
=====
 * Experimental release. This introduces a new API for AEAD modes, and
   makes a few other minor API changes. These APIs should be considered
   experimental, and may be changed before the final release.
 * New API for authenticated encryption with associated data (AEAD):
   - New block cipher modes:
     - MODE_CCM
     - MODE_EAX
     - MODE_GCM
     - MODE_SIV
   - New methods:
     - .encrypt_and_digest()
     - .decrypt_and_verify()
     - .digest()
     - .verify()
   - New MAC algorithm:
     - Crypto.Cipher.CMAC
   - New .verify() and .hexverify() methods also added to Hash and
     HMAC/CMAC objects, providing constant-time hash comparison.
   (Thanks: Legrandin, Lucas Garron)
 * LP#1132550: Fix MODE_OPENPGP not accepting uppercase 'IV' kwarg.
 * LP#1119552: Fix PKCS#1v1.5 not accepting signatures without the
   optional NULL parameter.
 * Add support for import/export of DSA keys. (Thanks: Legrandin)
 * Add support for PKCS#8-encrypted private keys. (Thanks: Legrandin)
 * LP#996193: Fix MODE_OFB requiring padding (it now behaves as a stream
   cipher).
 * Improve C extension autodocs.
 * Remove pointless 'error' attribute from stream ciphers.
 * Deprecate the disable_shortcut option to Crypto.Util.Counter;
   Remove __PCT_CTR_SHORTCUT__ entirely.
 * Fix small MODE_CTR memory leak under Python 3.
 * Fix error importing winrandom on Python 3. (Thanks: Jason R. Coombs)
 * FortunaAccumulator: Use time.monotonic for rate-limiting if available
   (i.e. Python 3.3 and later).
 * AES-NI support. (Thanks: Sebastian Ramacher)
 * setup.py: Fix compilation on HP-UX 11.31. (Thanks: Adam Woodbeck)
 * ElGamal: Add blinding to ElGamal decryption. (Thanks: Legrandin)
 * Hash: Remove pure-Python wrappers (speeds up hash init 4x-7x).
 * Hash: Add generic Crypto.Hash.new(algo, [data]) function
   (like hashlib.new).
 * Hash: Remove 'oid' attributes; Add 'name' attributes for compatibility
   with hashlib.
 * Hash: Rename SHA -> SHA1 and RIPEMD -> RIPEMD160, since the original
   names are frequently used as the names of other algorithms.
 * setup.py: Use autoconf to generate compiler options;
   Fix OpenBSD build issues.
 * Fix RSA object serialization (i.e. pickle).
 * LP#1061217: random.shuffle takes O(n^2) time.
   (Thanks: Sujay Jayakar, Andrew Cooke)
 * _fastmath: Fix leaks when errors occur.
   (Thanks: Sebastian Ramacher, Andreas Stührk)
 * SHA256/224/384/512: Don't export symbol 'add_length'.
 * setup.py: Use os.chmod instead of os.system("chmod ...").
   (Thanks: Sebastian Ramacher)
 * setup.py: The 'test' command now runs the 'build' command first.
   (Thanks: Sebastian Ramacher)
 * New tools/create-pythons.sh and tools/test-all.sh scripts for testing
   against multiple versions of Python.
 * getStrongPrime: Fix error handling. (Thanks: Sebastian Ramacher)
 * ARC4: Add ARC4-drop[n] cipher support. (Thanks: Legrandin)
 * RSA.importKey: Properly catch IndexError. (Thanks: Sebastian Ramacher)
 * RSA.exportKey: Raise ValueError as documented when key format is
   unknown. (Thanks: Sebastian Ramacher)
 * RSA.exportKey: Always return bytes. (Thanks: Sebastian Ramacher)
 * Fix & re-enable some broken tests. (Thanks: Sebastian Ramacher)
 * Improve Python 3 compatibility.
 * Various documentation fixes and improvements.
   (Thanks: Anton Rieder, Legrandin, Sebastian Ramacher, Stefano Rivera)
 * Various cleanups, especially for Python 3.


2.6.1
=====
 * [CVE-2013-1445] Fix PRNG not correctly reseeded in some situations.

   In previous versions of PyCrypto, the Crypto.Random PRNG exhibits a
   race condition that may cause forked processes to generate identical
   sequences of 'random' numbers.

   This is a fairly obscure bug that will (hopefully) not affect many
   applications, but the failure scenario is pretty bad. Here is some
   sample code that illustrates the problem:

       from binascii import hexlify
       import multiprocessing, pprint, time
       import Crypto.Random

       def task_main(arg):
           # Draw twice in each worker, with a pause in between, so the
           # first draw happens immediately after the fork.
           a = Crypto.Random.get_random_bytes(8)
           time.sleep(0.1)
           b = Crypto.Random.get_random_bytes(8)
           rdy, ack = arg
           rdy.set()
           ack.wait()
           return "%s,%s" % (hexlify(a).decode(),
                             hexlify(b).decode())

       n_procs = 4
       manager = multiprocessing.Manager()
       rdys = [manager.Event() for i in range(n_procs)]
       acks = [manager.Event() for i in range(n_procs)]
       # Touch the parent's PRNG right before forking the workers.
       Crypto.Random.get_random_bytes(1)
       # Every worker calls atfork() when it starts, as documented.
       pool = multiprocessing.Pool(processes=n_procs,
                                   initializer=Crypto.Random.atfork)
       res_async = pool.map_async(task_main, zip(rdys, acks))
       pool.close()
       [rdy.wait() for rdy in rdys]
       [ack.set() for ack in acks]
       res = res_async.get()
       pprint.pprint(sorted(res))
       pool.join()

   The output should be random, but it looked like this:

       ['c607803ae01aa8c0,2e4de6457a304b34',
        'c607803ae01aa8c0,af80d08942b4c987',
        'c607803ae01aa8c0,b0e4c0853de927c4',
        'c607803ae01aa8c0,f0362585b3fceba4']

   This release fixes the problem by resetting the rate-limiter when
   Crypto.Random.atfork() is invoked. It also adds some tests and a
   few related comments.


2.6
===
 * [CVE-2012-2417] Fix LP#985164: insecure ElGamal key generation.
   (thanks: Legrandin)

   In the ElGamal schemes (for both encryption and signatures), g is
   supposed to be the generator of the entire Z^*_p group. However, in
   PyCrypto 2.5 and earlier, g is more simply the generator of a random
   sub-group of Z^*_p.

   The result is that the signature space (when the key is used for
   signing) or the public key space (when the key is used for encryption)
   may be greatly reduced from its expected size of log(p) bits, possibly
   down to 1 bit (the worst case if the order of g is 2).
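   As an added check (not code from the PyCrypto release notes): the order
   of g in Z^*_p is exactly the size of the space the bullet above talks
   about, so it can be computed for an existing key. The helper names
   below are my own, and the trial-division factoring is only meant for
   the small demo moduli; for a real p you would pass in the known
   factorization of p-1.

```python
# Added example: measure how much of Z_p^* an ElGamal generator g really
# covers, by computing the multiplicative order of g modulo the prime p.
from math import gcd, log2


def prime_factors(n):
    """Distinct prime factors of n by trial division (demo-sized n only)."""
    factors = set()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return sorted(factors)


def multiplicative_order(g, p, factors=None):
    """Order of g in Z_p^* for prime p, i.e. the smallest k > 0 with
    g^k == 1 (mod p). Needs the prime factors of p-1; they are computed
    by trial division when not supplied."""
    if not 1 <= g < p or gcd(g, p) != 1:
        raise ValueError("g must lie in [1, p-1] and be coprime to p")
    if factors is None:
        factors = prime_factors(p - 1)
    order = p - 1
    for q in factors:
        # Strip each prime q from the candidate order as long as
        # g^(order/q) is still 1: the true order divides what remains.
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def is_full_generator(g, p, factors=None):
    """True iff g generates all of Z_p^*, as ElGamal requires."""
    return multiplicative_order(g, p, factors) == p - 1


def effective_space_bits(g, p, factors=None):
    """log2 of the number of distinct values g^k mod p can take: this is
    the real size of the signature / public-key space, versus the
    expected log2(p-1) bits."""
    return log2(multiplicative_order(g, p, factors))


def audit_generator(g, p, factors=None):
    """Summary a reviewer would want for a key's (p, g) pair."""
    order = multiplicative_order(g, p, factors)
    return {
        "order": order,
        "full_generator": order == p - 1,
        "space_bits": log2(order),
        "expected_bits": log2(p - 1),
    }


if __name__ == "__main__":
    # Constructed demo: p = 23 is a safe prime (p-1 = 2 * 11).
    for g in (5, 2, 22):
        print(g, audit_generator(g, 23))
```

   For a safe prime p = 2q+1 this reduces to checking that g^2 and g^q are
   both different from 1 mod p; the code above handles the general case.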
   While it has not been confirmed, it has also been suggested that an
   attacker might be able to use this fact to determine the private key.

   Anyone using ElGamal keys should generate new keys as soon as practical.

   Any additional information about this bug will be tracked at
   https://bugs.launchpad.net/pycrypto/+bug/985164

 * Huge documentation cleanup (thanks: Legrandin).

 * Added more tests, including test vectors from NIST 800-38A
   (thanks: Legrandin).

 * Remove broken MODE_PGP, which never actually worked properly.
   A new mode, MODE_OPENPGP, has been added for people wishing to write
   OpenPGP implementations. Note that this does not implement the full
   OpenPGP specification, only the "OpenPGP CFB mode" part of that
   specification.
   https://bugs.launchpad.net/pycrypto/+bug/996814

 * Fix: getPrime with invalid input causes Python to abort with fatal error
   https://bugs.launchpad.net/pycrypto/+bug/988431

 * Fix: Segfaults within error-handling paths
   (thanks: Paul Howarth & Dave Malcolm)
   https://bugs.launchpad.net/pycrypto/+bug/934294

 * Fix: Block ciphers allow empty string as IV
   https://bugs.launchpad.net/pycrypto/+bug/997464

 * Fix DevURandomRNG to work with Python 3's new I/O stack.
   (thanks: Sebastian Ramacher)

 * Remove automagic dependencies on libgmp and libmpir, let the caller
   disable them using args.

 * Many other minor bug fixes and improvements (mostly thanks to Legrandin).


2.5
===
 * Added PKCS#1 encryption schemes (v1.5 and OAEP). We now have
   a decent, easy-to-use non-textbook RSA implementation. Yay!

 * Added PKCS#1 signature schemes (v1.5 and PSS). v1.5 required some
   extensive changes to Hash modules to contain the algorithm specific
   ASN.1 OID. To that end, we now always have a (thin) Python module to
   hide the one in pure C.

 * Added 2 standard Key Derivation Functions (PBKDF1 and PBKDF2).

 * Added export/import of RSA keys in OpenSSH and PKCS#8 formats.

 * Added password-protected export/import of RSA keys (one old method
   for PKCS#8 PEM only).

 * Added ability to generate RSA key pairs with configurable public
   exponent e.

 * Added ability to construct an RSA key pair even if only the private
   exponent d is known, and not p and q.

 * Added SHA-2 C source code (fully from Lorenz Quack).

 * Unit tests for all the above.

 * Updates to documentation (both inline and in Doc/pycrypt.rst).

 * All of the above changes were put together by Legrandin (Thanks!).

 * Minor bug fixes (setup.py and tests).


2.4.1
=====
 * Fix "error: Setup script exited with error: src/config.h: No such file or
   directory" when installing via easy_install. (Sebastian Ramacher)


2.4
===
 * Python 3 support! (Thorsten E. Behrens, Anders Sundman)
   PyCrypto now supports every version of Python from 2.1 through 3.2.

 * Timing-attack countermeasures in _fastmath: When built against
   libgmp version 5 or later, we use mpz_powm_sec instead of mpz_powm.
   This should prevent the timing attack described by Geremy Condra at
   PyCon 2011:
   http://blip.tv/pycon-us-videos-2009-2010-2011/pycon-2011-through-the-side-channel-timing-and-implementation-attacks-in-python-4897955

 * New hash modules (for Python >= 2.5 only): SHA224, SHA384, and
   SHA512 (Frédéric Bertolus).

 * Configuration using GNU autoconf. This should help fix a bunch of
   build issues.

 * Support using MPIR as an alternative to GMP.

 * Improve the test command in setup.py, by allowing tests to be
   performed on a single sub-package or module only. (Legrandin)

   You can now do something like this:

       python setup.py test -m Hash.SHA256 --skip-slow-tests

 * Fix double-decref of "counter" when Cipher object initialisation
   fails. (Ryan Kelly)

 * Apply patches from Debian's python-crypto 2.3-3 package (Jan
   Dittberner, Sebastian Ramacher):
   - fix-RSA-generate-exception.patch
   - epydoc-exclude-introspect.patch
   - no-usr-local.patch

 * Fix launchpad bug #702835: "Import key code is not compatible with
   GMP library". (Legrandin)

 * More tests, better documentation, various bugfixes.


2.3
===
 * Fix NameError when attempting to use deprecated getRandomNumber()
   function.

 * _slowmath: Compute RSA u parameter when it's not given to
   RSA.construct. This makes _slowmath behave the same as _fastmath in
   this regard.

 * Make RSA.generate raise a more user-friendly exception message when
   the user tries to generate a bogus-length key.


2.2
===

 * Deprecated Crypto.Util.number.getRandomNumber(), which had confusing
   semantics. It's been replaced by getRandomNBitInteger and
   getRandomInteger. (Thanks: Lorenz Quack)

 * Better isPrime() and getPrime() implementations that do a real
   Rabin-Miller probabilistic primality test (not the phony test we did
   before with fixed bases). (Thanks: Lorenz Quack)

 * getStrongPrime() implementation for generating RSA primes.
   (Thanks: Lorenz Quack)

 * Support for importing and exporting RSA keys in DER and PEM format.
   (Thanks: Legrandin)

 * Fix PyCrypto when floor division (python -Qnew) is enabled.

 * When building using gcc, use -std=c99 for compilation. This should
   fix building on FreeBSD and NetBSD.


2.1.0
=====

 * Fix building PyCrypto on Win64 using MS Visual Studio 9.
   (Thanks: Nevins Bartolomeo.)


2.1.0beta1
==========

 * Modified RSA.generate() to ensure that e is coprime to p-1 and q-1.
   Apparently, RSA.generate was capable of generating unusable keys.


2.1.0alpha2
===========

 * Modified isPrime() to release the global interpreter lock while
   performing computations. (patch from Lorenz Quack)

 * Release the GIL while encrypting, decrypting, and hashing (but not
   during initialization or finalization).

 * API changes:

   - Removed RandomPoolCompat and made Crypto.Util.randpool.RandomPool
     a wrapper around Crypto.Random that emits a DeprecationWarning.
     This is to discourage developers from attempting to provide
     backwards compatibility for systems where there are NO strong
     entropy sources available.

   - Added Crypto.Random.get_random_bytes(). This should allow people
     to use something like this if they want backwards-compatibility:

         try:
             from Crypto.Random import get_random_bytes
         except ImportError:
             try:
                 from os import urandom as get_random_bytes
             except ImportError:
                 get_random_bytes = open("/dev/urandom", "rb").read

   - Implemented __ne__() on pubkey, which fixes the following broken
     behaviour:
         >>> pk.publickey() == pk.publickey()
         True
         >>> pk.publickey() != pk.publickey()
         True
     (patch from Lorenz Quack)

   - Block ciphers created with MODE_CTR can now operate on strings of
     any size, rather than just multiples of the underlying cipher's
     block size.

   - Crypto.Util.Counter objects now raise OverflowError when they wrap
     around to zero. You can override this new behaviour by passing
     allow_wraparound=True to Counter.new().


2.1.0alpha1
===========

 * This version supports Python versions 2.1 through 2.6.

 * Clarified copyright status of much of the existing code by tracking
   down Andrew M. Kuchling, Barry A. Warsaw, Jeethu Rao, Joris Bontje,
   Mark Moraes, Paul Swartz, Robey Pointer, and Wim Lewis and getting
   their permission to clarify the license/public-domain status of their
   contributions. Many thanks to all involved!

 * Replaced the test suite with a new, comprehensive package
   (Crypto.SelfTest) that includes documentation about where its test
   vectors came from, or how they were derived.

   Use "python setup.py test" to run the tests after building.

 * API changes:

   - Added Crypto.version_info, which from now on will contain version
     information in a format similar to Python's sys.version_info.

   - Added a new random numbers API (Crypto.Random), and deprecated the
     old one (Crypto.Util.randpool.RandomPool), which was misused more
     often than not.

     The new API is used by invoking Crypto.Random.new() and then just
     reading from the file-like object that is returned.

     CAVEAT: To maintain the security of the PRNG, you must call
     Crypto.Random.atfork() in both the parent and the child processes
     whenever you use os.fork(). Otherwise, the parent and child will
     share copies of the same entropy pool, causing them to return the
     same results! This is a limitation of Python, which does not
     provide readily-accessible hooks to os.fork(). It's also a
     limitation caused by the failure of operating systems to provide
     sufficiently fast, trustworthy sources of cryptographically-strong
     random numbers.

   - Crypto.PublicKey now raises ValueError/TypeError/RuntimeError
     instead of the various custom "error" exceptions.

   - Removed the IDEA and RC5 modules due to software patents. Debian
     has been doing this for a while.

   - Added Crypto.Random.random, a strong version of the standard Python
     'random' module.

   - Added Crypto.Util.Counter, providing fast counter implementations
     for use with CTR-mode ciphers.
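   An added illustration, not code from PyCrypto: a toy userspace entropy
   pool with a rate-limited reseed, modelling the atfork caveat above and
   the 2.6.1 bug (the child inherits the parent's rate-limiter timestamp,
   which vetoes the reseed that atfork() asked for). Class and function
   names are my own, fork is modelled as a deep copy of the pool object,
   and the 10 ms reseed window is an assumed value.

```python
# Added example: why copying a PRNG pool across fork() without resetting
# its reseed rate-limiter makes every child emit the same bytes.
import copy
import hashlib
import os


class ToyPool:
    """Deterministic generator seeded from os.urandom. A reseed is only
    honoured if the previous one is older than MIN_RESEED_INTERVAL."""
    MIN_RESEED_INTERVAL = 0.01  # assumed 10 ms window for the demo

    def __init__(self, clock):
        self.clock = clock        # injectable clock keeps the demo deterministic
        self.seed = b""
        self.counter = 0
        self.last_reseed = None
        self.reseed_requested = True

    def _reseed(self):
        """Mix fresh OS entropy into the seed unless rate-limited."""
        now = self.clock()
        if (self.last_reseed is not None
                and now - self.last_reseed < self.MIN_RESEED_INTERVAL):
            return False                     # too soon: keep the inherited state
        self.seed = hashlib.sha256(self.seed + os.urandom(32)).digest()
        self.last_reseed = now
        self.reseed_requested = False
        return True

    def get_random_bytes(self, n):
        if self.reseed_requested:
            self._reseed()
        out = b""
        while len(out) < n:
            block = self.seed + self.counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
            self.counter += 1
        return out[:n]

    def atfork_buggy(self):
        """Modelled pre-2.6.1 behaviour: request a reseed, but the
        timestamp copied from the parent can silently veto it."""
        self.reseed_requested = True
        return self._reseed()

    def atfork_fixed(self):
        """Modelled 2.6.1 behaviour: reset the rate-limiter first, so the
        reseed in the child always happens."""
        self.last_reseed = None
        self.reseed_requested = True
        return self._reseed()


def simulate_fork(parent, n_children, fixed):
    """fork() is modelled as a memory copy of the parent's pool; each
    child runs its atfork hook and then draws 8 bytes."""
    outputs = []
    for _ in range(n_children):
        child = copy.deepcopy(parent)
        (child.atfork_fixed if fixed else child.atfork_buggy)()
        outputs.append(child.get_random_bytes(8))
    return outputs


def distinct_child_outputs(fixed, n_children=4):
    """Number of distinct 8-byte strings the children produce."""
    t = [0.0]
    parent = ToyPool(lambda: t[0])
    parent.get_random_bytes(1)   # parent touches its pool right before forking
    t[0] += 0.001                # children start 1 ms later, inside the window
    return len(set(simulate_fork(parent, n_children, fixed)))


if __name__ == "__main__":
    print("buggy atfork:", distinct_child_outputs(False), "distinct outputs")
    print("fixed atfork:", distinct_child_outputs(True), "distinct outputs")
```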
 * Bug fixes:

   - Fixed padding bug in SHA256; this resulted in bad digests whenever
     (the number of bytes hashed) mod 64 == 55.

   - Fixed a 32-bit limitation on the length of messages the SHA256 module
     could hash.

   - AllOrNothing: Fixed padding bug in digest().

   - Fixed a bad behaviour of the XOR cipher module: It would silently
     truncate all keys to 32 bytes. Now it raises ValueError when the
     key is too long.

   - DSA: Added code to enforce FIPS 186-2 requirements on the size of
     the prime p.

   - Fixed the winrandom module, which had been omitted from the build
     process, causing security problems for programs that misuse RandomPool.

   - Fixed infinite loop when attempting to generate RSA keys with an
     odd number of bits in the modulus. (Not that you should do that.)

 * Clarified the documentation for Crypto.Util.number.getRandomNumber.

   Confusingly, this function does NOT return N random bits; It returns
   a random N-bit number, i.e. a random number between 2**(N-1) and (2**N)-1.

   Note that getRandomNumber is for internal use only and may be
   renamed or removed in future releases.

 * Replaced RIPEMD.c with a new implementation (RIPEMD160.c) to
   alleviate copyright concerns.

 * Replaced the DES/DES3 modules with ones based on libtomcrypt-1.16 to
   alleviate copyright concerns.

 * Replaced Blowfish.c with a new implementation to alleviate copyright
   concerns.

 * Added a string-XOR implementation written in C (Crypto.Util.strxor)
   and used it to speed up Crypto.Hash.HMAC.

 * Converted documentation to reStructuredText.

 * Added epydoc configuration Doc/epydoc-config.

 * setup.py now emits a warning when building without GMP.

 * Added pct-speedtest.py to the source tree for doing performance
   testing on the new code.

 * Cleaned up the code in several places.


2.0.1
=====

 * Fix SHA256 and RIPEMD on AMD64 platform.
 * Deleted Demo/ directory.
 * Add PublicKey to Crypto.__all__.


2.0
===

 * Added SHA256 module contributed by Jeethu Rao, with test data
   from Taylor Boon.

 * Fixed AES.c compilation problems with Borland C.
   (Contributed by Jeethu Rao.)

 * Fix ZeroDivisionErrors on Windows, caused by the system clock
   not having enough resolution.

 * Fix 2.1/2.2-incompatible use of (key not in dict),
   pointed out by Ian Bicking.

 * Fix FutureWarning in Crypto.Util.randpool, noted by James P Rutledge.


1.9alpha6
=========

 * Util.number.getPrime() would inadvertently round off the bit
   size; if you asked for a 129-bit prime or 135-bit prime, you
   got a 128-bit prime.

 * Added Util/test/prime_speed.py to measure the speed of prime
   generation, and PublicKey/test/rsa_speed.py to measure
   the speed of RSA operations.

 * Merged the _rsa.c and _dsa.c files into a single accelerator
   module, _fastmath.c.

 * Speed improvements: Added fast isPrime() function to _fastmath,
   cutting the time to generate a 1024-bit prime by a factor of 10.
   Optimized the C version of RSA decryption to use a longer series
   of operations that's roughly 3x faster than a single
   exponentiation. (Contributed by Joris Bontje.)

 * Added support to RSA key objects for blinding and unblinding
   data. (Contributed by Joris Bontje.)

 * Simplified RSA key generation: hard-wired the encryption
   exponent to 65537 instead of generating a random prime;
   generate prime factors in a loop until the product
   is large enough.

 * Renamed cansign(), canencrypt(), hasprivate(), to
   can_sign, can_encrypt, has_private. If people shriek about
   this change very loudly, I'll add aliases for the old method
   names that log a warning and call the new method.


1.9alpha5
=========

 * Many randpool changes. RandomPool now has a
   randomize(N:int) method that can be called to get N
   bytes of entropy for the pool (N defaults to 0,
   which 'fills up' the pool's entropy). KeyboardRandom
   overloads this method.

 * Added src/winrand.c for Crypto.Util.winrandom and
   now use winrandom for _randomize if possible.
   (Calls Windows CryptoAPI CryptGenRandom.)

 * Several additional places for stirring the pool,
   capturing inter-event entropy when reading/writing,
   stirring before and after saves.

 * RandomPool.add_event now returns the number of
   estimated bits of added entropy, rather than the
   pool entropy itself (since the pool entropy is
   capped at the number of bits in the pool).

 * Moved termios code from KeyboardRandomPool into a
   KeyboardEntry class, provided a version for Windows
   using msvcrt.

 * Fix randpool.py crash on machines with poor timer resolution.
   (Reported by Mark Moraes and others.)

 * If the GNU GMP library is available, two C extensions will be
   compiled to speed up RSA and DSA operations. (Contributed by
   Paul Swartz.)

 * DES3 with a 24-byte key was broken; now fixed.
   (Patch by Philippe Frycia.)


1.9alpha4
=========

 * Fix compilation problem on Windows.

 * HMAC.py fixed to work with pre-2.2 Pythons.

 * setup.py now dies if built with Python 1.x.


1.9alpha3
=========

 * Fix a ref-counting bug that caused core dumps.
   (Reported by Piers Lauder and an anonymous SF poster.)


1.9alpha2
=========

 * (Backwards incompatible) The old Crypto.Hash.HMAC module is
   gone, replaced by a copy of hmac.py from Python 2.2's standard
   library. It will display a warning on interpreter versions
   older than 2.2.

 * (Backwards incompatible) Restored the Crypto.Protocol package,
   and modernized and tidied up the two modules in it,
   AllOrNothing.py and Chaffing.py, renaming various methods
   and changing the interface.

 * (Backwards incompatible) Changed the function names in
   Crypto.Util.RFC1751.

 * Restored the Crypto.PublicKey package at user request. I
   think I'll leave it in the package and warn about it in the
   documentation. I hope that eventually I can point to
   someone else's better public-key code, and at that point I
   may insert warnings and begin the process of deprecating
   this code.

 * Fix use of a Python 2.2 C function, replacing it with a
   2.1-compatible equivalent. (Bug report and patch by Andrew
   Eland.)

 * Fix endianness bugs that caused test case failures on Sparc,
   PPC, and doubtless other platforms.

 * Fixed compilation problem on FreeBSD and MacOS X.

 * Expanded the test suite (requires Sancho, from
   http://www.mems-exchange.org/software/sancho/).

 * Added lots of docstrings, so 'pydoc Crypto' now produces
   helpful output. (Open question: maybe *all* of the documentation
   should be moved into docstrings?)

 * Make test.py automatically add the build/* directory to sys.path.

 * Removed 'inline' declaration from C functions. Some compilers
   don't support it, and Python's pyconfig.h no longer tells you whether
   it's supported or not. After this change, some ciphers got slower,
   but others got faster.

 * The C-level API has been changed to reduce the amount of
   memory-to-memory copying. This makes the code neater, but
   had ambiguous performance effects; again, some ciphers got slower
   and others became faster. Probably this is due to my compiler
   optimizing slightly worse or better as a result.

 * Moved C source implementations into src/ from block/, hash/,
   and stream/. Having Hash/ and hash/ directories causes problems
   on case-insensitive filesystems such as Mac OS.

 * Cleaned up the C code for the extensions.


1.9alpha1
=========

 * Added Crypto.Cipher.AES.

 * Added the CTR mode and the variable-sized CFB mode from the
   NIST standard on feedback modes.

 * Removed Diamond, HAVAL, MD5, Sapphire, SHA, and Skipjack. MD5
   and SHA are included with Python; the others are all of marginal
   usefulness in the real world.

 * Renamed the module-level constants ECB, CFB, &c., to MODE_ECB,
   MODE_CFB, as part of making the block encryption modules
   compliant with PEP 272. (I'm not sure about this change;
   if enough users complain about it, I might back it out.)

 * Made the hashing modules compliant with PEP 247 (not backward
   compatible -- the major changes are that the constructor is now
   MD2.new and not MD2.MD2, and the size of the digest is now
   given as 'digest_size', not 'digestsize').

 * The Crypto.PublicKey package is no longer installed; the
   interfaces are all wrong, and I have no idea what the right
   interfaces should be.


1.1alpha2
=========
 * Most importantly, the distribution has been broken into two
   parts: exportable, and export-controlled. The exportable part
   contains all the hashing algorithms, signature-only public key
   algorithms, chaffing & winnowing, random number generation, various
   utility modules, and the documentation.

   The export-controlled part contains public-key encryption
   algorithms such as RSA and ElGamal, and bulk encryption algorithms
   like DES, IDEA, or Skipjack. Getting this code still requires that
   you go through an access control CGI script, and denies you access if
   you're outside the US or Canada.

 * Added the RIPEMD hashing algorithm. (Contributed by
   Hirendra Hindocha.)

 * Implemented the recently declassified Skipjack block
   encryption algorithm. My implementation runs at 864 K/sec on a
   PII/266, which isn't particularly fast, but you're probably better off
   using another algorithm anyway. :)

 * A simple XOR cipher has been added, mostly for use by the
   chaffing/winnowing code. (Contributed by Barry Warsaw.)

 * Added Protocol.Chaffing and Hash.HMAC.py. (Contributed by
   Barry Warsaw.)

   Protocol.Chaffing implements chaffing and winnowing, recently
   proposed by R. Rivest, which hides a message (the wheat) by adding
   many noise messages to it (the chaff). The chaff can be discarded by
   the receiver through a message authentication code. The neat thing
   about this is that it allows secret communication without actually
   having an encryption algorithm, and therefore this falls within the
   exportable subset.

 * Tidied up randpool.py, and removed its use of a block
   cipher; this makes it work with only the export-controlled subset
   available.

 * Various renamings and reorganizations, mostly internal.


1.0.2
=====

 * Changed files to work with Python 1.5; everything has been
   re-arranged into a hierarchical package. (Not backward compatible.)
   The package organization is:

       Crypto.
           Hash.
               MD2, MD4, MD5, SHA, HAVAL
           Cipher.
               ARC2, ARC4, Blowfish, CAST, DES, DES3, Diamond,
               IDEA, RC5, Sapphire
           PublicKey.
               DSA, ElGamal, qNEW, RSA
           Util.
               number, randpool, RFC1751

   Since this is backward-incompatible anyway, I also changed
   module names from all lower-case to mixed-case: diamond -> Diamond,
   rc5 -> RC5, etc. That had been an annoying inconsistency for a while.

 * Added CAST5 module contributed by <wiml@hhhh.org>.

 * Added qNEW digital signature algorithm (from the digisign.py
   I advertised a while back). (If anyone would like to suggest new
   algorithms that should be implemented, please do; I think I've got
   everything that's really useful at the moment, but...)

 * Support for keyword arguments has been added. This allowed
   removing the obnoxious key handling for Diamond and RC5, where the
   first few bytes of the key indicated the number of rounds to use, and
   various other parameters. Now you need only do something like:

       from Crypto.Cipher import RC5
       obj = RC5.new(key, RC5.ECB, rounds=8)

   (Not backward compatible.)

 * Various function names have been changed, and parameter
   names altered. None of these were part of the public interface, so it
   shouldn't really matter much.

 * Various bugs fixed, the test suite has been expanded, and
   the build process simplified.

 * Updated the documentation accordingly.


1.0.1
=====

 * Changed files to work with Python 1.4.

 * The DES and DES3 modules now automatically correct the
   parity of their keys.

 * Added R. Rivest's DES test (see http://theory.lcs.mit.edu/~rivest/destest.txt).


1.0.0
=====

 * REDOC III succumbed to differential cryptanalysis, and has
   been removed.

 * The crypt and rotor modules have been dropped; they're still
   available in the standard Python distribution.

 * The Ultra-Fast crypt() module has been placed in a separate
   distribution.

 * Various bugs fixed.