rebuild (if necessary) PyCrypto eggs to use libgmp >= 5, to mitigate RSA timing attack #2094

Closed
opened 2013-10-17 14:54:00 +00:00 by daira · 2 comments
daira commented 2013-10-17 14:54:00 +00:00
Owner

The PyCrypto eggs at https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs/ may need to be rebuilt against libgmp >= 5 in order to mitigate a timing attack. I don't know what libgmp versions the eggs currently hosted there are built against. See also #1586, which suppressed the (mostly useless to end-users) warning about this.

The PyCrypto eggs at <https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs/> may need to be rebuilt against libgmp >= 5 in order to mitigate a timing attack. I don't know what libgmp versions the eggs currently hosted there are built against. See also #1586, which suppressed the (mostly useless to end-users) warning about this.
tahoe-lafs added the
packaging
normal
defect
1.10.0
labels 2013-10-17 14:54:00 +00:00
tahoe-lafs added this to the undecided milestone 2013-10-17 14:54:00 +00:00
daira commented 2016-03-25 20:29:40 +00:00
Author
Owner

Twisted 16.0.0 removed their dependency on PyCrypto.

Note that the cryptography library still uses the Python stdlib's pow function when gmpy is not installed, and so may be vulnerable to the same timing attack. gmpy is no longer maintained; cryptography should probably switch to gmpy2 which has binary wheels.

Twisted 16.0.0 removed their dependency on PyCrypto. Note that the cryptography library still uses the Python stdlib's `pow` function when gmpy is not installed, and so *may* be vulnerable to the same timing attack. gmpy is no longer maintained; cryptography should probably switch to [gmpy2](https://pypi.python.org/pypi/gmpy2) which has binary wheels.
tahoe-lafs added the
somebody else's problem
label 2016-03-25 20:31:01 +00:00
daira closed this issue 2016-03-25 20:31:01 +00:00
daira commented 2016-03-27 13:20:32 +00:00
Author
Owner

The Twisted ticket to stop depending on gmpy is https://twistedmatrix.com/trac/ticket/8079.

The Twisted ticket to stop depending on gmpy is <https://twistedmatrix.com/trac/ticket/8079>.
Sign in to join this conversation.
No Milestone
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Reference: tahoe-lafs/trac-2024-07-25#2094
No description provided.