This PR pins pycryptodome to the latest release 3.19.0.
Changelog
### 3.19.0
```
++++++++++++++++++++++++++
New features
---------------
* The ``update()`` methods of TupleHash128 and TupleHash256 objects
can now hash multiple items (byte strings) at once.
Thanks to Sylvain Pelissier.
* Added support for ECDH, with ``Crypto.Protocol.DH``.
Resolved issues
---------------
* GH754: due to a bug in ``cffi``, do not use it on Windows with Python 3.12+.
```
### 3.18.0
```
++++++++++++++++++++++++++
New features
---------------
* Added support for DER BOOLEAN encodings.
* The library now compiles on Windows ARM64. Thanks to Niyas Sait.
Resolved issues
---------------
* GH722: ``nonce`` attribute was not correctly set for XChaCha20_Poly1305 ciphers. Thanks to Liam Haber.
* GH728: Workaround for a possible x86 emulator bug in Windows for ARM64.
* GH739: OID encoding for arc 2 didn't accept children larger than 39. Thanks to James.
* Correctly check that the scalar matches the point when importing an ECC private key.
```
### 3.17.0
```
++++++++++++++++++++++++++
New features
---------------
* Added support for the Counter Mode KDF defined in SP 800-108 Rev 1.
* Reduce the minimum tag length for the EAX cipher to 2 bytes.
* An RSA object has 4 new properties for the CRT coefficients:
``dp``, ``dq``, ``invq`` and ``invq`` (``invp`` is the same value
as the existing ``u``).
Resolved issues
---------------
* GH526: improved typing for ``RSA.construct``.
* GH534: reduced memory consumption when using a large number
of cipher objects.
* GH598: fixed missing error handling for ``Util.number.inverse``.
* GH629: improved typing for ``AES.new`` and the various
mode-specific types it returns. Thanks to Greg Werbin.
* GH653: added workaround for an alleged GCC compiler bug
that affected Ed25519 code compiled for AVX2.
* GH658: attribute ``curve`` of an ECC key was not always
the preferred curve name, as it used to be in v3.15.0
(independently of the curve name specified when generating
the key).
* GH637: fixed typing for legacy modules ``PKCS1_v1_5`` and ``PKCS1_PSS``,
as their ``verify()`` returned a boolean.
* GH664: with OCB mode, nonces of maximum length (15 bytes)
were actually used as 14 bytes nonces.
After this fix, data that was encrypted in past using the
(default) nonce length of 15 bytes can still be decrypted
by reducing the nonce to its first 14 bytes.
* GH705: improved typing for ``nonce``, ``iv``, and ``IV`` parameters
of cipher objects.
Other changes
-------------
* Build PyPy wheels only for versions 3.8 and 3.9, and not for 3.7 anymore.
```
### 3.16.0
```
++++++++++++++++++++++++++
New features
------------
* Build wheels for musl Linux. Thanks to Ben Raz.
Resolved issues
---------------
* GH639: ARC4 now also works with 'keys' as short as 8 bits.
* GH669: fix segfaults when running in a manylinux2010 i686 image.
```
### 3.15.0
```
++++++++++++++++++++++++++
New features
------------
* Add support for curves Ed25519 and Ed448, including export and import of keys.
* Add support for EdDSA signatures.
* Add support for Asymmetric Key Packages (RFC5958) to import private keys.
Resolved issues
---------------
* GH620: for ``Crypto.Util.number.getPrime`` , do not sequentially
scan numbers searching for a prime.
```
### 3.14.1
```
++++++++++++++++++++++++++
Resolved issues
---------------
* GH595: Fixed memory leak for GMP integers.
Thanks to Witalij Siebert and Pablo Quílez.
```
### 3.14.0
```
++++++++++++++++++++++++++
New features
------------
* Add support for curve NIST P-192.
```
### 3.13.0
```
++++++++++++++++++++++++++
New features
------------
* Add support for curve NIST P-224.
Resolved issues
---------------
* GH590: Fixed typing info for ``Crypto.PublicKey.ECC``.
Other changes
-------------
* Relaxed ECDSA requirements for FIPS 186 signatures and accept any SHA-2 or SHA-3 hash.
``sign()`` and ``verify()`` will be performed even if the hash is stronger than the ECC key.
```
### 3.12.0
```
++++++++++++++++++++++++++
New features
------------
* ECC keys in the SEC1 format can be exported and imported.
* Add support for KMAC128, KMAC256, TupleHash128, and TupleHash256 (NIST SP-800 185).
* Add support for KangarooTwelve.
Resolved issues
---------------
* GH563: An asymmetric key could not be imported as a ``memoryview``.
* GH566: cSHAKE128/256 generated a wrong output for customization strings
longer than 255 bytes.
* GH582: CBC decryption generated the wrong plaintext when the input and the output were the same buffer.
Thanks to Michael K. Ashburn.
```
### 3.11.0
```
++++++++++++++++++++++++++
Resolved issues
---------------
* GH512: Especially for very small bit sizes, ``Crypto.Util.number.getPrime()`` was
occasionally generating primes larger than given the bit size. Thanks to Koki Takahashi.
* GH552: Correct typing annotations for ``PKCS115_Cipher.decrypt()``.
* GH555: ``decrypt()`` method of a PKCS1v1.5 cipher returned a ``bytearray`` instead of ``bytes``.
* GH557: External DSA domain parameters were accepted even when the modulus (``p``) was not prime.
This affected ``Crypto.PublicKey.DSA.generate()`` and ``Crypto.PublicKey.DSA.construct()``.
Thanks to Koki Takahashi.
New features
------------
* Added cSHAKE128 and cSHAKE256 (of SHA-3 family). Thanks to Michael Schaffner.
* GH558: The flag RTLD_DEEPBIND passed to ``dlopen()`` is not well supported by
`address sanitizers <https://github.com/google/sanitizers/issues/611>`_.
It is now possible to set the environment variable ``PYCRYPTDOME_DISABLE_DEEPBIND``
to drop that flag and allow security testing.
```
### 3.10.4
```
++++++++++++++++++++++++++
Resolved issues
---------------
* Output of ``Crypto.Util.number.long_to_bytes()`` was not always a multiple of ``blocksize``.
```
### 3.10.3
```
++++++++++++++++++++++++++
Resolved issues
---------------
* GH376: Fixed symbol conflict between different versions of ``libgmp``.
* GH481: Improved robustness of PKCS1v1.5 decryption against timing attacks.
* GH506 and GH509: Fixed segmentation faults on Apple M1 and other Aarch64 SoCs,
when the GMP library was accessed via ``ctypes``. Do not use GMP's own sscanf
and snprintf routines: instead, use simpler conversion routines.
* GH510: Workaround for ``cffi`` calling ``ctypes.util.find_library()``, which
invokes ``gcc`` and ``ld`` on Linux, considerably slowing down all imports.
On certain configurations, that may also leave temporary files behind.
* GH517: Fix RSAES-OAEP, as it didn't always fail when zero padding was incorrect.
New features
------------
* Added support for SHA-3 hash functions to HMAC.
Other changes
-------------
* The Windows wheels of Python 2.7 now require the VS2015 runtime to be installed in the system,
because Microsoft stopped distributing the VS2008 compiler in April 2021.
VS2008 was used to compile the Python 2.7 extensions.
```
### 3.10.1
```
++++++++++++++++++++++++
Other changes
-------------
* Python 3 wheels use ``abi3`` ABI tag.
* Remove Appveyor CI.
```
### 3.10.0
```
++++++++++++++++++++++++
Resolved issues
---------------
* Fixed a potential memory leak when initializing block ciphers.
* GH466: ``Crypto.Math.miller_rabin_test()`` was still using the system random
source and not the one provided as parameter.
* GH469: RSA objects have the method ``public_key()`` like ECC objects.
The old method ``publickey()`` is still available for backward compatibility.
* GH476: ``Crypto.Util.Padding.unpad()`` was raising an incorrect exception
in case of zero-length inputs. Thanks to Captainowie.
* GH491: better exception message when ``Counter.new()`` is called with an integer
``initial_value`` than doesn't fit into ``nbits`` bits.
* GH496: added missing ``block_size`` member for ECB cipher objects. Thanks to willem.
* GH500: ``nonce`` member of an XChaCha20 cipher object was not matching the original nonce.
Thanks to Charles Machalow.
Other changes
-------------
* The bulk of the test vectors have been moved to the separate
package ``pycryptodome-test-vectors``. As result, packages ``pycryptodome`` and
``pycryptodomex`` become significantly smaller (from 14MB to 3MB).
* Moved CI tests and build service from Travis CI to GitHub Actions.
Breaks in compatibility
-----------------------
* Drop support for Python 2.6 and 3.4.
```
### 3.9.9
```
+++++++++++++++++++++++
Resolved issues
---------------
* GH435: Fixed ``Crypto.Util.number.size`` for negative numbers.
New features
------------
* Build Python 3.9 wheels on Windows.
```
### 3.9.8
```
++++++++++++++++++++
Resolved issues
---------------
* GH426: The Shamir's secret sharing implementation is not actually compatible with ``ssss``.
Added an optional parameter to enable interoperability.
* GH427: Skip altogether loading of ``gmp.dll`` on Windows.
* GH420: Fix incorrect CFB decryption when the input and the output are the same buffer.
New features
------------
* Speed up Shamir's secret sharing routines. Thanks to ncarve.
```
### 3.9.7
```
++++++++++++++++++++++++
Resolved issues
---------------
* GH381: Make notarization possible again on OS X when using wheels.
Thanks to Colin Atkinson.
```
### 3.9.6
```
++++++++++++++++++++++++
Resolved issues
---------------
* Fix building of wheels for OS X by explicitly setting `sysroot` location.
```
### 3.9.5
```
++++++++++++++++++++++++
Resolved issues
---------------
* RSA OAEP decryption was not verifying that all ``PS`` bytes are zero.
* GH372: fixed memory leak for operations that use memoryviews when `cffi` is not installed.
* Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2.
New features
------------
* Updated Wycheproof test vectors to version 0.8r12.
```
### 3.9.4
```
++++++++++++++++++++++++
Resolved issues
---------------
* GH341: Prevent ``key_to_english`` from creating invalid data when fed with
keys of length not multiple of 8. Thanks to vstoykovbg.
* GH347: Fix blocking RSA signing/decryption when key has very small factor.
Thanks to Martijn Pieters.
```
### 3.9.3
```
++++++++++++++++++++++++
Resolved issues
---------------
* GH308: Align stack of functions using SSE2 intrinsics to avoid crashes,
when compiled with gcc on 32-bit x86 platforms.
```
### 3.9.2
```
++++++++++++++++++++++++
New features
------------
* Add Python 3.8 wheels for Mac.
Resolved issues
---------------
* GH308: Avoid allocating arrays of ``__m128i`` on the stack, to cope with buggy compilers.
* GH322: Remove blanket ``-O3`` optimization for gcc and clang, to cope with buggy compilers.
* GH337: Fix typing stubs for signatures.
* GH338: Deal with gcc installations that don't have ``x86intrin.h``.
```
### 3.9.1
```
++++++++++++++++++++++++
New features
------------
* Add Python 3.8 wheels for Linux and Windows.
Resolved issues
---------------
* GH328: minor speed-up when importing RSA.
```
### 3.9.0
```
+++++++++++++++++++++++
New features
------------
* Add support for loading PEM files encrypted with AES256-CBC.
* Add support for XChaCha20 and XChaCha20-Poly1305 ciphers.
* Add support for bcrypt key derivation function (``Crypto.Protocol.KDF.bcrypt``).
* Add support for left multiplication of an EC point by a scalar.
* Add support for importing ECC and RSA keys in the new OpenSSH format.
Resolved issues
---------------
* GH312: it was not possible to invert an EC point anymore.
* GH316: fix printing of DSA keys.
* GH317: ``DSA.generate()`` was not always using the ``randfunc`` input.
* GH285: the MD2 hash had block size of 64 bytes instead of 16; as result the HMAC construction gave incorrect results.
```
### 3.8.2
```
+++++++++++++++++++++++
Resolved issues
---------------
* GH291: fix strict aliasing problem, emerged with GCC 9.1.
```
### 3.8.1
```
+++++++++++++++++++++++
New features
------------
* Add support for loading PEM files encrypted with AES192-CBC and AES256-GCM.
* When importing ECC keys in PEM format, ignore the redundant EC PARAMS section that was included by certain openssl commands.
Resolved issues
---------------
* ``repr()`` did not work for ``ECC.EccKey`` objects.
* Fix installation in development mode (``setup install develop`` or ``pip install -e .``).
* Minimal length for Blowfish cipher is 32 bits, not 40 bits.
* Various updates to docs.
```
### 3.8.0
```
+++++++++++++++++++++++
New features
------------
* Speed-up ECC performance. ECDSA is 33 times faster on the NIST P-256 curve.
* Added support for NIST P-384 and P-521 curves.
* ``EccKey`` has new methods ``size_in_bits()`` and ``size_in_bytes()``.
* Support HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 in PBE2/PBKDF2.
Resolved issues
---------------
* DER objects were not rejected if their length field had a leading zero.
* Allow legacy RC2 ciphers to have 40-bit keys.
* ASN.1 Object IDs did not allow the value 0 in the path.
Breaks in compatibility
-----------------------
* ``point_at_infinity()`` becomes an instance method for ``Crypto.PublicKey.ECC.EccKey``, from a static one.
```
### 3.7.3
```
+++++++++++++++++++++++
Resolved issues
---------------
* GH258: False positive on PSS signatures when externally provided salt is too long.
* Include type stub files for ``Crypto.IO`` and ``Crypto.Util``.
```
### 3.7.2
```
++++++++++++++++++++++++
Resolved issues
---------------
* GH242: Fixed compilation problem on ARM platforms.
```
### 3.7.1
```
++++++++++++++++++++++++
New features
------------
* Added type stubs to enable static type checking with mypy. Thanks to Michael Nix.
* New ``update_after_digest`` flag for CMAC.
Resolved issues
---------------
* GH232: Fixed problem with gcc 4.x when compiling ``ghash_clmul.c``.
* GH238: Incorrect digest value produced by CMAC after cloning the object.
* Method ``update()`` of an EAX cipher object was returning the underlying CMAC object,
instead of the EAX object itself.
* Method ``update()`` of a CMAC object was not throwing an exception after the digest
was computed (with ``digest()`` or ``verify()``).
```
### 3.7.0
```
+++++++++++++++++++++++
New features
------------
* Added support for Poly1305 MAC (with AES and ChaCha20 ciphers for key derivation).
* Added support for ChaCha20-Poly1305 AEAD cipher.
* New parameter ``output`` for ``Crypto.Util.strxor.strxor``, ``Crypto.Util.strxor.strxor_c``,
``encrypt`` and ``decrypt`` methods in symmetric ciphers (``Crypto.Cipher`` package).
``output`` is a pre-allocated buffer (a ``bytearray`` or a writeable ``memoryview``)
where the result must be stored.
This requires less memory for very large payloads; it is also more efficient when
encrypting (or decrypting) several small payloads.
Resolved issues
---------------
* GH266: AES-GCM hangs when processing more than 4GB at a time on x86 with PCLMULQDQ instruction.
Breaks in compatibility
-----------------------
* Drop support for Python 3.3.
* Remove ``Crypto.Util.py3compat.unhexlify`` and ``Crypto.Util.py3compat.hexlify``.
* With the old Python 2.6, use only ``ctypes`` (and not ``cffi``) to interface to native code.
```
### 3.6.6
```
++++++++++++++++++++++
Resolved issues
---------------
* GH198: Fix vulnerability on AESNI ECB with payloads smaller than 16 bytes (CVE-2018-15560).
```
### 3.6.5
```
++++++++++++++++++++++
Resolved issues
---------------
* GH187: Fixed incorrect AES encryption/decryption with AES acceleration on x86
due to gcc's optimization and strict aliasing rules.
* GH188: More prime number candidates than necessary where discarded as composite
due to the limited way D values were searched in the Lucas test.
* Fixed ResouceWarnings and DeprecationWarnings.
* Workaround for Python 3.7.0 bug on Windows (https://bugs.python.org/issue34108).
```
### 3.6.4
```
+++++++++++++++++++++
New features
------------
* Build Python 3.7 wheels on Linux, Windows and Mac.
Resolved issues
---------------
* GH178: Rename ``_cpuid`` module to make upgrades more robust.
* More meaningful exceptions in case of mismatch in IV length (CBC/OFB/CFB modes).
* Fix compilation issues on Solaris 10/11.
```
### 3.6.3
```
+++++++++++++++++++++
Resolved issues
---------------
* GH175: Fixed incorrect results for CTR encryption/decryption with more than 8 blocks.
```
### 3.6.2
```
+++++++++++++++++++++
New features
------------
* ChaCha20 accepts 96 bit nonces (in addition to 64 bit nonces)
as defined in RFC7539.
* Accelerate AES-GCM on x86 using PCLMULQDQ instruction.
* Accelerate AES-ECB and AES-CTR on x86 by pipelining AESNI instructions.
* As result of the two improvements above, on x86 (Broadwell):
- AES-ECB and AES-CTR are 3x faster
- AES-GCM is 9x faster
Resolved issues
---------------
* On Windows, MPIR library was stilled pulled in if renamed to ``gmp.dll``.
Breaks in compatibility
-----------------------
* In ``Crypto.Util.number``, functions ``floor_div`` and ``exact_div``
have been removed. Also, ``ceil_div`` is limited to non-negative terms only.
```
### 3.6.1
```
+++++++++++++++++++++
New features
------------
* Added Google Wycheproof tests (https://github.com/google/wycheproof)
for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC.
* New parameter ``mac_len`` (length of MAC tag) for CMAC.
Resolved issues
---------------
* In certain circumstances (at counter wrapping, which happens on average after
32 GB) AES GCM produced wrong ciphertexts.
* Method ``encrypt()`` of AES SIV cipher could be still called,
whereas only ``encrypt_and_digest()`` is allowed.
```
### 3.6.0
```
++++++++++++++++++++
New features
------------
* Introduced ``export_key`` and deprecated ``exportKey`` for DSA and RSA key
objects.
* Ciphers and hash functions accept ``memoryview`` objects in input.
* Added support for SHA-512/224 and SHA-512/256.
Resolved issues
---------------
* Reintroduced ``Crypto.__version__`` variable as in PyCrypto.
* Fixed compilation problem with MinGW.
```
### 3.5.1
```
++++++++++++++++++++
Resolved issues
---------------
* GH142. Fix mismatch with declaration and definition of addmul128.
```
### 3.5.0
```
++++++++++++++++++++
New features
------------
* Import and export of ECC curves in compressed form.
* The initial counter for a cipher in CTR mode can be a byte string
(in addition to an integer).
* Faster PBKDF2 for HMAC-based PRFs (at least 20x for short passwords,
more for longer passwords). Thanks to Christian Heimes for pointing
out the implementation was under-optimized.
* The salt for PBKDF2 can be either a string or bytes (GH67).
* Ciphers and hash functions accept data as `bytearray`, not just
binary strings.
* The old SHA-1 and MD5 hash functions are available even when Python's
own `hashlib` does not include them.
Resolved issues
---------------
* Without libgmp, modular exponentiation (since v3.4.8) crashed
on 32-bit big-endian systems.
Breaks in compatibility
-----------------------
* Removed support for Python < 2.6.
```
### 3.4.12
```
++++++++++++++++++++++++
Resolved issues
---------------
* GH129. pycryptodomex could only be installed via wheels.
```
### 3.4.11
```
++++++++++++++++++++++++
Resolved issues
---------------
* GH121. the record list was still not correct due to PEP3147
and __pycache__ directories. Thanks again to John O'Brien.
```
### 3.4.10
```
++++++++++++++++++++++++
Resolved issues
---------------
* When creating ElGamal keys, the generator wasn't a square residue:
ElGamal encryption done with those keys cannot be secure under
the DDH assumption. Thanks to Weikeng Chen.
```
### 3.4.9
```
+++++++++++++++++++++++
New features
------------
* More meaningful error messages while importing an ECC key.
Resolved issues
---------------
* GH123 and 125. The SSE2 command line switch was not always passed on 32-bit x86 platforms.
* GH121. The record list (--record) was not always correctly filled for the
pycryptodomex package. Thanks to John W. O'Brien.
```
### 3.4.8
```
+++++++++++++++++++++++
New features
------------
* Added a native extension in pure C for modular exponentiation, optimized for SSE2 on x86.
In the process, we drop support for the arbitrary arithmetic library MPIR
on Windows, which is painful to compile and deploy.
The custom modular exponentiation is 130% (160%) slower on an Intel CPU in 32-bit (64-bit) mode,
compared to MPIR. Still, that is much faster that CPython's own `pow()` function which
is 900% (855%) slower than MPIR. Support for the GMP library on Unix remains.
* Added support for *manylinux* wheels.
* Support for Python 3.7.
Resolved issues
---------------
* The DSA parameter 'p' prime was created with 255 bits cleared
(but still with the correct strength).
* GH106. Not all docs were included in the tar ball.
Thanks to Christopher Hoskin.
* GH109. ECDSA verification failed for DER encoded signatures.
Thanks to Alastair Houghton.
* Human-friendly messages for padding errors with ECB and CBC.
```
### 3.4.7
```
++++++++++++++++++++++
New features
------------
* API documentation is made with sphinx instead of epydoc.
* Start using ``importlib`` instead of ``imp`` where available.
Resolved issues
---------------
* GH82. Fixed PEM header for RSA/DSA public keys.
```
### 3.4.6
```
+++++++++++++++++++++++
Resolved issues
---------------
* GH65. Keccak, SHA3, SHAKE and the seek functionality for ChaCha20 were
not working on big endian machines. Fixed. Thanks to Mike Gilbert.
* A few fixes in the documentation.
```
### 3.4.5
```
+++++++++++++++++++++++
Resolved issues
---------------
* The library can also be compiled using MinGW.
```
### 3.4.4
```
+++++++++++++++++++++++
Resolved issues
---------------
* Removed use of ``alloca()``.
* [Security] Removed implementation of deprecated "quick check" feature of PGP block cipher mode.
* Improved the performance of ``scrypt`` by converting some Python to C.
```
### 3.4.3
```
+++++++++++++++++++++++
Resolved issues
---------------
* Undefined warning was raised with libgmp version < 5
* Forgot inclusion of ``alloca.h``
* Fixed a warning about type mismatch raised by recent versions of cffi
```
### 3.4.2
```
++++++++++++++++++++
Resolved issues
---------------
* Fix renaming of package for ``install`` command.
```
### 3.4.1
```
++++++++++++++++++++++++
New features
------------
* Added option to install the library under the ``Cryptodome`` package
(instead of ``Crypto``).
```
### 3.4
```
+++++++++++++++++++++
New features
------------
* Added ``Crypto.PublicKey.ECC`` module (NIST P-256 curve only), including export/import of ECC keys.
* Added support for ECDSA (FIPS 186-3 and RFC6979).
* For CBC/CFB/OFB/CTR cipher objects, ``encrypt()`` and ``decrypt()`` cannot be intermixed.
* CBC/CFB/OFB, the cipher objects have both ``IV`` and ``iv`` attributes.
``new()`` accepts ``IV`` as well as ``iv`` as parameter.
* For CFB/OPENPGP cipher object, ``encrypt()`` and ``decrypt()`` do not require the plaintext
or ciphertext pieces to have length multiple of the CFB segment size.
* Added dedicated tests for all cipher modes, including NIST test vectors
* CTR/CCM/EAX/GCM/SIV/Salsa20/ChaCha20 objects expose the ``nonce`` attribute.
* For performance reasons, CCM cipher optionally accepted a pre-declaration of
the length of the associated data, but never checked if the actual data passed
to the cipher really matched that length. Such check is now enforced.
* CTR cipher objects accept parameter ``nonce`` and possibly ``initial_value`` in
alternative to ``counter`` (which is deprecated).
* All ``iv``/``IV`` and ``nonce`` parameters are optional. If not provided,
they will be randomly generated (exception: ``nonce`` for CTR mode in case
of block sizes smaller than 16 bytes).
* Refactored ARC2 cipher.
* Added ``Crypto.Cipher.DES3.adjust_key_parity()`` function.
* Added ``RSA.import_key`` as an alias to the deprecated ``RSA.importKey``
(same for the ``DSA`` module).
* Added ``size_in_bits()`` and ``size_in_bytes()`` methods to ``RsaKey``.
Resolved issues
---------------
* RSA key size is now returned correctly in ``RsaKey.__repr__()`` method (kudos to *hannesv*).
* CTR mode does not modify anymore ``counter`` parameter passed to ``new()`` method.
* CTR raises ``OverflowError`` instead of ``ValueError`` when the counter wraps around.
* PEM files with Windows newlines could not be imported.
* ``Crypto.IO.PEM`` and ``Crypto.IO.PKCS8`` used to accept empty passphrases.
* GH6: NotImplementedError now raised for unsupported methods ``sign``, ``verify``,
``encrypt``, ``decrypt``, ``blind``, ``unblind`` and ``size`` in objects ``RsaKey``, ``DsaKey``,
``ElGamalKey``.
Breaks in compatibility
-----------------------
* Parameter ``segment_size`` cannot be 0 for the CFB mode.
* For OCB ciphers, a final call without parameters to ``encrypt`` must end a sequence
of calls to ``encrypt`` with data (similarly for ``decrypt``).
* Key size for ``ARC2``, ``ARC4`` and ``Blowfish`` must be at least 40 bits long (still very weak).
* DES3 (Triple DES module) does not allow keys that degenerate to Single DES.
* Removed method ``getRandomNumber`` in ``Crypto.Util.number``.
* Removed module ``Crypto.pct_warnings``.
* Removed attribute ``Crypto.PublicKey.RSA.algorithmIdentifier``.
```
### 3.3.1
```
+++++++++++++++++++++++
New features
------------
* Opt-in for ``update()`` after ``digest()`` for SHA-3, keccak, BLAKE2 hashes
Resolved issues
---------------
* Removed unused SHA-3 and keccak test vectors, therefore significantly reducing
the package from 13MB to 3MB.
Breaks in compatibility
-----------------------
* Removed method ``copy()`` from BLAKE2 hashes
* Removed ability to ``update()`` a BLAKE2 hash after the first call to ``(hex)digest()``
```
### 3.3
```
+++++++++++++++++++++
New features
------------
* Windows wheels bundle the MPIR library
* Detection of faults occurring during secret RSA operations
* Detection of non-prime (weak) q value in DSA domain parameters
* Added original Keccak hash family (b=1600 only).
In the process, simplified the C code base for SHA-3.
* Added SHAKE128 and SHAKE256 (of SHA-3 family)
Resolved issues
---------------
* GH3: gcc 4.4.7 unhappy about double typedef
Breaks in compatibility
-----------------------
* Removed method ``copy()`` from all SHA-3 hashes
* Removed ability to ``update()`` a SHA-3 hash after the first call to ``(hex)digest()``
```
### 3.2.1
```
++++++++++++++++++++++++
New features
------------
* Windows wheels are automatically built on Appveyor
```
### 3.2
```
++++++++++++++++++++++
New features
------------
* Added hash functions BLAKE2b and BLAKE2s.
* Added stream cipher ChaCha20.
* Added OCB cipher mode.
* CMAC raises an exception whenever the message length is found to be
too large and the chance of collisions not negligeable.
* New attribute ``oid`` for Hash objects with ASN.1 Object ID
* Added ``Crypto.Signature.pss`` and ``Crypto.Signature.pkcs1_15``
* Added NIST test vectors (roughly 1200) for PKCS1 v1.5 and PSS signatures.
Resolved issues
---------------
* tomcrypt_macros.h asm error 1
Breaks in compatibility
-----------------------
* Removed keyword ``verify_x509_cert`` from module method ``importKey`` (RSA and DSA).
* Reverted to original PyCrypto behavior of method ``verify`` in ``PKCS1_v1_5``
and ``PKCS1_PSS``.
```
### 3.1
```
+++++++++++++++++++
New features
------------
* Speed up execution of Public Key algorithms on PyPy, when backed
by the Gnu Multiprecision (GMP) library.
* GMP headers and static libraries are not required anymore at the time
PyCryptodome is built. Instead, the code will automatically use the
GMP dynamic library (.so/.DLL) if found in the system at runtime.
* Reduced the amount of C code by almost 40% (4700 lines).
Modularized and simplified all code (C and Python) related to block ciphers.
Pycryptodome is now free of CPython extensions.
* Add support for CI in Windows via Appveyor.
* RSA and DSA key generation more closely follows FIPS 186-4 (though it is
not 100% compliant).
Resolved issues
---------------
* None
Breaks in compatibility
-----------------------
* New dependency on ctypes with Python 2.4.
* The ``counter`` parameter of a CTR mode cipher must be generated via
``Crypto.Util.Counter``. It cannot be a generic callable anymore.
* Removed the ``Crypto.Random.Fortuna`` package (due to lack of test vectors).
* Removed the ``Crypto.Hash.new`` function.
* The ``allow_wraparound`` parameter of ``Crypto.Util.Counter`` is ignored.
An exception is always generated if the counter is reused.
* ``DSA.generate``, ``RSA.generate`` and ``ElGamal.generate`` do not
accept the ``progress_func`` parameter anymore.
* Removed ``Crypto.PublicKey.RSA.RSAImplementation``.
* Removed ``Crypto.PublicKey.DSA.DSAImplementation``.
* Removed ambiguous method ``size()`` from RSA, DSA and ElGamal keys.
```
### 3.0
```
++++++++++++++++++
New features
------------
* Initial support for PyPy.
* SHA-3 hash family based on the April 2014 draft of FIPS 202.
See modules ``Crypto.Hash.SHA3_224/256/384/512``.
Initial Keccak patch by Fabrizio Tarizzo.
* Salsa20 stream cipher. See module ``Crypto.Cipher.Salsa20``.
Patch by Fabrizio Tarizzo.
* Colin Percival's ``scrypt`` key derivation function (``Crypto.Protocol.KDF.scrypt``).
* Proper interface to FIPS 186-3 DSA. See module ``Crypto.Signature.DSS``.
* Deterministic DSA (RFC6979). Again, see ``Crypto.Signature.DSS``.
* HMAC-based Extract-and-Expand key derivation function
(``Crypto.Protocol.KDF.HKDF``, RFC5869).
* Shamir's Secret Sharing protocol, compatible with *ssss* (128 bits only).
See module ``Crypto.Protocol.SecretSharing``.
* Ability to generate a DSA key given the domain parameters.
* Ability to test installation with a simple ``python -m Crypto.SelfTest``.
Resolved issues
---------------
* LP1193521: ``mpz_powm_sec()`` (and Python) crashed when modulus was odd.
* Benchmarks work again (they broke when ECB stopped working if
an IV was passed. Patch by Richard Mitchell.
* LP1178485: removed some catch-all exception handlers.
Patch by Richard Mitchell.
* LP1209399: Removal of Python wrappers caused HMAC to silently
produce the wrong data with SHA-2 algorithms.
* LP1279231: remove dead code that does nothing in SHA-2 hashes.
Patch by Richard Mitchell.
* LP1327081: AESNI code accesses memory beyond buffer end.
* Stricter checks on ciphertext and plaintext size for textbook RSA
(kudos to sharego).
Breaks in compatibility
-----------------------
* Removed support for Python < 2.4.
* Removed the following methods from all 3 public key object types (RSA, DSA, ElGamal):
- ``sign``
- ``verify``
- ``encrypt``
- ``decrypt``
- ``blind``
- ``unblind``
Code that uses such methods is doomed anyway. It should be fixed ASAP to
use the algorithms available in ``Crypto.Signature`` and ``Crypto.Cipher``.
* The 3 public key object types (RSA, DSA, ElGamal) are now unpickable.
* Symmetric ciphers do not have a default mode anymore (used to be ECB).
An expression like ``AES.new(key)`` will now fail. If ECB is the desired mode,
one has to explicitly use ``AES.new(key, AES.MODE_ECB)``.
* Unsuccessful verification of a signature will now raise an exception [reverted in 3.2].
* Removed the ``Crypto.Random.OSRNG`` package.
* Removed the ``Crypto.Util.winrandom`` module.
* Removed the ``Crypto.Random.randpool`` module.
* Removed the ``Crypto.Cipher.XOR`` module.
* Removed the ``Crypto.Protocol.AllOrNothing`` module.
* Removed the ``Crypto.Protocol.Chaffing`` module.
* Removed the parameters ``disabled_shortcut`` and ``overflow`` from ``Crypto.Util.Counter.new``.
Other changes
-------------
* ``Crypto.Random`` stops being a userspace CSPRNG. It is now a pure wrapper over ``os.urandom``.
* Added certain resistance against side-channel attacks for GHASH (GCM) and DSA.
* More test vectors for ``HMAC-RIPEMD-160``.
* Update ``libtomcrypt`` headers and code to v1.17 (kudos to Richard Mitchell).
* RSA and DSA keys are checked for consistency as they are imported.
* Simplified build process by removing autoconf.
* Speed optimization to PBKDF2.
* Add support for MSVC.
* Replaced HMAC code with a BSD implementation. Clarified that starting from the fork,
all contributions are released under the BSD license.
```
Links
- PyPI: https://pypi.org/project/pycryptodome
- Changelog: https://data.safetycli.com/changelogs/pycryptodome/
- Homepage: https://www.pycryptodome.org
This PR pins pycryptodome to the latest release 3.19.0.
Changelog
### 3.19.0 ``` ++++++++++++++++++++++++++ New features --------------- * The ``update()`` methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once. Thanks to Sylvain Pelissier. * Added support for ECDH, with ``Crypto.Protocol.DH``. Resolved issues --------------- * GH754: due to a bug in ``cffi``, do not use it on Windows with Python 3.12+. ``` ### 3.18.0 ``` ++++++++++++++++++++++++++ New features --------------- * Added support for DER BOOLEAN encodings. * The library now compiles on Windows ARM64. Thanks to Niyas Sait. Resolved issues --------------- * GH722: ``nonce`` attribute was not correctly set for XChaCha20_Poly1305 ciphers. Thanks to Liam Haber. * GH728: Workaround for a possible x86 emulator bug in Windows for ARM64. * GH739: OID encoding for arc 2 didn't accept children larger than 39. Thanks to James. * Correctly check that the scalar matches the point when importing an ECC private key. ``` ### 3.17.0 ``` ++++++++++++++++++++++++++ New features --------------- * Added support for the Counter Mode KDF defined in SP 800-108 Rev 1. * Reduce the minimum tag length for the EAX cipher to 2 bytes. * An RSA object has 4 new properties for the CRT coefficients: ``dp``, ``dq``, ``invq`` and ``invq`` (``invp`` is the same value as the existing ``u``). Resolved issues --------------- * GH526: improved typing for ``RSA.construct``. * GH534: reduced memory consumption when using a large number of cipher objects. * GH598: fixed missing error handling for ``Util.number.inverse``. * GH629: improved typing for ``AES.new`` and the various mode-specific types it returns. Thanks to Greg Werbin. * GH653: added workaround for an alleged GCC compiler bug that affected Ed25519 code compiled for AVX2. * GH658: attribute ``curve`` of an ECC key was not always the preferred curve name, as it used to be in v3.15.0 (independently of the curve name specified when generating the key). * GH637: fixed typing for legacy modules ``PKCS1_v1_5`` and ``PKCS1_PSS``, as their ``verify()`` returned a boolean. * GH664: with OCB mode, nonces of maximum length (15 bytes) were actually used as 14 bytes nonces. After this fix, data that was encrypted in past using the (default) nonce length of 15 bytes can still be decrypted by reducing the nonce to its first 14 bytes. * GH705: improved typing for ``nonce``, ``iv``, and ``IV`` parameters of cipher objects. Other changes ------------- * Build PyPy wheels only for versions 3.8 and 3.9, and not for 3.7 anymore. ``` ### 3.16.0 ``` ++++++++++++++++++++++++++ New features ------------ * Build wheels for musl Linux. Thanks to Ben Raz. Resolved issues --------------- * GH639: ARC4 now also works with 'keys' as short as 8 bits. * GH669: fix segfaults when running in a manylinux2010 i686 image. ``` ### 3.15.0 ``` ++++++++++++++++++++++++++ New features ------------ * Add support for curves Ed25519 and Ed448, including export and import of keys. * Add support for EdDSA signatures. * Add support for Asymmetric Key Packages (RFC5958) to import private keys. Resolved issues --------------- * GH620: for ``Crypto.Util.number.getPrime`` , do not sequentially scan numbers searching for a prime. ``` ### 3.14.1 ``` ++++++++++++++++++++++++++ Resolved issues --------------- * GH595: Fixed memory leak for GMP integers. Thanks to Witalij Siebert and Pablo Quílez. ``` ### 3.14.0 ``` ++++++++++++++++++++++++++ New features ------------ * Add support for curve NIST P-192. ``` ### 3.13.0 ``` ++++++++++++++++++++++++++ New features ------------ * Add support for curve NIST P-224. Resolved issues --------------- * GH590: Fixed typing info for ``Crypto.PublicKey.ECC``. Other changes ------------- * Relaxed ECDSA requirements for FIPS 186 signatures and accept any SHA-2 or SHA-3 hash. ``sign()`` and ``verify()`` will be performed even if the hash is stronger than the ECC key. ``` ### 3.12.0 ``` ++++++++++++++++++++++++++ New features ------------ * ECC keys in the SEC1 format can be exported and imported. * Add support for KMAC128, KMAC256, TupleHash128, and TupleHash256 (NIST SP-800 185). * Add support for KangarooTwelve. Resolved issues --------------- * GH563: An asymmetric key could not be imported as a ``memoryview``. * GH566: cSHAKE128/256 generated a wrong output for customization strings longer than 255 bytes. * GH582: CBC decryption generated the wrong plaintext when the input and the output were the same buffer. Thanks to Michael K. Ashburn. ``` ### 3.11.0 ``` ++++++++++++++++++++++++++ Resolved issues --------------- * GH512: Especially for very small bit sizes, ``Crypto.Util.number.getPrime()`` was occasionally generating primes larger than given the bit size. Thanks to Koki Takahashi. * GH552: Correct typing annotations for ``PKCS115_Cipher.decrypt()``. * GH555: ``decrypt()`` method of a PKCS1v1.5 cipher returned a ``bytearray`` instead of ``bytes``. * GH557: External DSA domain parameters were accepted even when the modulus (``p``) was not prime. This affected ``Crypto.PublicKey.DSA.generate()`` and ``Crypto.PublicKey.DSA.construct()``. Thanks to Koki Takahashi. New features ------------ * Added cSHAKE128 and cSHAKE256 (of SHA-3 family). Thanks to Michael Schaffner. * GH558: The flag RTLD_DEEPBIND passed to ``dlopen()`` is not well supported by `address sanitizers <https://github.com/google/sanitizers/issues/611>`_. It is now possible to set the environment variable ``PYCRYPTDOME_DISABLE_DEEPBIND`` to drop that flag and allow security testing. ``` ### 3.10.4 ``` ++++++++++++++++++++++++++ Resolved issues --------------- * Output of ``Crypto.Util.number.long_to_bytes()`` was not always a multiple of ``blocksize``. ``` ### 3.10.3 ``` ++++++++++++++++++++++++++ Resolved issues --------------- * GH376: Fixed symbol conflict between different versions of ``libgmp``. * GH481: Improved robustness of PKCS1v1.5 decryption against timing attacks. * GH506 and GH509: Fixed segmentation faults on Apple M1 and other Aarch64 SoCs, when the GMP library was accessed via ``ctypes``. Do not use GMP's own sscanf and snprintf routines: instead, use simpler conversion routines. * GH510: Workaround for ``cffi`` calling ``ctypes.util.find_library()``, which invokes ``gcc`` and ``ld`` on Linux, considerably slowing down all imports. On certain configurations, that may also leave temporary files behind. * GH517: Fix RSAES-OAEP, as it didn't always fail when zero padding was incorrect. New features ------------ * Added support for SHA-3 hash functions to HMAC. Other changes ------------- * The Windows wheels of Python 2.7 now require the VS2015 runtime to be installed in the system, because Microsoft stopped distributing the VS2008 compiler in April 2021. VS2008 was used to compile the Python 2.7 extensions. ``` ### 3.10.1 ``` ++++++++++++++++++++++++ Other changes ------------- * Python 3 wheels use ``abi3`` ABI tag. * Remove Appveyor CI. ``` ### 3.10.0 ``` ++++++++++++++++++++++++ Resolved issues --------------- * Fixed a potential memory leak when initializing block ciphers. * GH466: ``Crypto.Math.miller_rabin_test()`` was still using the system random source and not the one provided as parameter. * GH469: RSA objects have the method ``public_key()`` like ECC objects. The old method ``publickey()`` is still available for backward compatibility. * GH476: ``Crypto.Util.Padding.unpad()`` was raising an incorrect exception in case of zero-length inputs. Thanks to Captainowie. * GH491: better exception message when ``Counter.new()`` is called with an integer ``initial_value`` than doesn't fit into ``nbits`` bits. * GH496: added missing ``block_size`` member for ECB cipher objects. Thanks to willem. * GH500: ``nonce`` member of an XChaCha20 cipher object was not matching the original nonce. Thanks to Charles Machalow. Other changes ------------- * The bulk of the test vectors have been moved to the separate package ``pycryptodome-test-vectors``. As result, packages ``pycryptodome`` and ``pycryptodomex`` become significantly smaller (from 14MB to 3MB). * Moved CI tests and build service from Travis CI to GitHub Actions. Breaks in compatibility ----------------------- * Drop support for Python 2.6 and 3.4. ``` ### 3.9.9 ``` +++++++++++++++++++++++ Resolved issues --------------- * GH435: Fixed ``Crypto.Util.number.size`` for negative numbers. New features ------------ * Build Python 3.9 wheels on Windows. ``` ### 3.9.8 ``` ++++++++++++++++++++ Resolved issues --------------- * GH426: The Shamir's secret sharing implementation is not actually compatible with ``ssss``. Added an optional parameter to enable interoperability. * GH427: Skip altogether loading of ``gmp.dll`` on Windows. * GH420: Fix incorrect CFB decryption when the input and the output are the same buffer. New features ------------ * Speed up Shamir's secret sharing routines. Thanks to ncarve. ``` ### 3.9.7 ``` ++++++++++++++++++++++++ Resolved issues --------------- * GH381: Make notarization possible again on OS X when using wheels. Thanks to Colin Atkinson. ``` ### 3.9.6 ``` ++++++++++++++++++++++++ Resolved issues --------------- * Fix building of wheels for OS X by explicitly setting `sysroot` location. ``` ### 3.9.5 ``` ++++++++++++++++++++++++ Resolved issues --------------- * RSA OAEP decryption was not verifying that all ``PS`` bytes are zero. * GH372: fixed memory leak for operations that use memoryviews when `cffi` is not installed. * Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2. New features ------------ * Updated Wycheproof test vectors to version 0.8r12. ``` ### 3.9.4 ``` ++++++++++++++++++++++++ Resolved issues --------------- * GH341: Prevent ``key_to_english`` from creating invalid data when fed with keys of length not multiple of 8. Thanks to vstoykovbg. * GH347: Fix blocking RSA signing/decryption when key has very small factor. Thanks to Martijn Pieters. ``` ### 3.9.3 ``` ++++++++++++++++++++++++ Resolved issues --------------- * GH308: Align stack of functions using SSE2 intrinsics to avoid crashes, when compiled with gcc on 32-bit x86 platforms. ``` ### 3.9.2 ``` ++++++++++++++++++++++++ New features ------------ * Add Python 3.8 wheels for Mac. Resolved issues --------------- * GH308: Avoid allocating arrays of ``__m128i`` on the stack, to cope with buggy compilers. * GH322: Remove blanket ``-O3`` optimization for gcc and clang, to cope with buggy compilers. * GH337: Fix typing stubs for signatures. * GH338: Deal with gcc installations that don't have ``x86intrin.h``. ``` ### 3.9.1 ``` ++++++++++++++++++++++++ New features ------------ * Add Python 3.8 wheels for Linux and Windows. Resolved issues --------------- * GH328: minor speed-up when importing RSA. ``` ### 3.9.0 ``` +++++++++++++++++++++++ New features ------------ * Add support for loading PEM files encrypted with AES256-CBC. * Add support for XChaCha20 and XChaCha20-Poly1305 ciphers. * Add support for bcrypt key derivation function (``Crypto.Protocol.KDF.bcrypt``). * Add support for left multiplication of an EC point by a scalar. * Add support for importing ECC and RSA keys in the new OpenSSH format. Resolved issues --------------- * GH312: it was not possible to invert an EC point anymore. * GH316: fix printing of DSA keys. * GH317: ``DSA.generate()`` was not always using the ``randfunc`` input. * GH285: the MD2 hash had block size of 64 bytes instead of 16; as result the HMAC construction gave incorrect results. ``` ### 3.8.2 ``` +++++++++++++++++++++++ Resolved issues --------------- * GH291: fix strict aliasing problem, emerged with GCC 9.1. ``` ### 3.8.1 ``` +++++++++++++++++++++++ New features ------------ * Add support for loading PEM files encrypted with AES192-CBC and AES256-GCM. * When importing ECC keys in PEM format, ignore the redundant EC PARAMS section that was included by certain openssl commands. Resolved issues --------------- * ``repr()`` did not work for ``ECC.EccKey`` objects. * Fix installation in development mode (``setup install develop`` or ``pip install -e .``). * Minimal length for Blowfish cipher is 32 bits, not 40 bits. * Various updates to docs. ``` ### 3.8.0 ``` +++++++++++++++++++++++ New features ------------ * Speed-up ECC performance. ECDSA is 33 times faster on the NIST P-256 curve. * Added support for NIST P-384 and P-521 curves. * ``EccKey`` has new methods ``size_in_bits()`` and ``size_in_bytes()``. * Support HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 in PBE2/PBKDF2. Resolved issues --------------- * DER objects were not rejected if their length field had a leading zero. * Allow legacy RC2 ciphers to have 40-bit keys. * ASN.1 Object IDs did not allow the value 0 in the path. Breaks in compatibility ----------------------- * ``point_at_infinity()`` becomes an instance method for ``Crypto.PublicKey.ECC.EccKey``, from a static one. ``` ### 3.7.3 ``` +++++++++++++++++++++++ Resolved issues --------------- * GH258: False positive on PSS signatures when externally provided salt is too long. * Include type stub files for ``Crypto.IO`` and ``Crypto.Util``. ``` ### 3.7.2 ``` ++++++++++++++++++++++++ Resolved issues --------------- * GH242: Fixed compilation problem on ARM platforms. ``` ### 3.7.1 ``` ++++++++++++++++++++++++ New features ------------ * Added type stubs to enable static type checking with mypy. Thanks to Michael Nix. * New ``update_after_digest`` flag for CMAC. Resolved issues --------------- * GH232: Fixed problem with gcc 4.x when compiling ``ghash_clmul.c``. * GH238: Incorrect digest value produced by CMAC after cloning the object. * Method ``update()`` of an EAX cipher object was returning the underlying CMAC object, instead of the EAX object itself. * Method ``update()`` of a CMAC object was not throwing an exception after the digest was computed (with ``digest()`` or ``verify()``). ``` ### 3.7.0 ``` +++++++++++++++++++++++ New features ------------ * Added support for Poly1305 MAC (with AES and ChaCha20 ciphers for key derivation). * Added support for ChaCha20-Poly1305 AEAD cipher. * New parameter ``output`` for ``Crypto.Util.strxor.strxor``, ``Crypto.Util.strxor.strxor_c``, ``encrypt`` and ``decrypt`` methods in symmetric ciphers (``Crypto.Cipher`` package). ``output`` is a pre-allocated buffer (a ``bytearray`` or a writeable ``memoryview``) where the result must be stored. This requires less memory for very large payloads; it is also more efficient when encrypting (or decrypting) several small payloads. Resolved issues --------------- * GH266: AES-GCM hangs when processing more than 4GB at a time on x86 with PCLMULQDQ instruction. Breaks in compatibility ----------------------- * Drop support for Python 3.3. * Remove ``Crypto.Util.py3compat.unhexlify`` and ``Crypto.Util.py3compat.hexlify``. * With the old Python 2.6, use only ``ctypes`` (and not ``cffi``) to interface to native code. ``` ### 3.6.6 ``` ++++++++++++++++++++++ Resolved issues --------------- * GH198: Fix vulnerability on AESNI ECB with payloads smaller than 16 bytes (CVE-2018-15560). ``` ### 3.6.5 ``` ++++++++++++++++++++++ Resolved issues --------------- * GH187: Fixed incorrect AES encryption/decryption with AES acceleration on x86 due to gcc's optimization and strict aliasing rules. * GH188: More prime number candidates than necessary where discarded as composite due to the limited way D values were searched in the Lucas test. * Fixed ResouceWarnings and DeprecationWarnings. * Workaround for Python 3.7.0 bug on Windows (https://bugs.python.org/issue34108). ``` ### 3.6.4 ``` +++++++++++++++++++++ New features ------------ * Build Python 3.7 wheels on Linux, Windows and Mac. Resolved issues --------------- * GH178: Rename ``_cpuid`` module to make upgrades more robust. * More meaningful exceptions in case of mismatch in IV length (CBC/OFB/CFB modes). * Fix compilation issues on Solaris 10/11. ``` ### 3.6.3 ``` +++++++++++++++++++++ Resolved issues --------------- * GH175: Fixed incorrect results for CTR encryption/decryption with more than 8 blocks. ``` ### 3.6.2 ``` +++++++++++++++++++++ New features ------------ * ChaCha20 accepts 96 bit nonces (in addition to 64 bit nonces) as defined in RFC7539. * Accelerate AES-GCM on x86 using PCLMULQDQ instruction. * Accelerate AES-ECB and AES-CTR on x86 by pipelining AESNI instructions. * As result of the two improvements above, on x86 (Broadwell): - AES-ECB and AES-CTR are 3x faster - AES-GCM is 9x faster Resolved issues --------------- * On Windows, MPIR library was stilled pulled in if renamed to ``gmp.dll``. Breaks in compatibility ----------------------- * In ``Crypto.Util.number``, functions ``floor_div`` and ``exact_div`` have been removed. Also, ``ceil_div`` is limited to non-negative terms only. ``` ### 3.6.1 ``` +++++++++++++++++++++ New features ------------ * Added Google Wycheproof tests (https://github.com/google/wycheproof) for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC. * New parameter ``mac_len`` (length of MAC tag) for CMAC. Resolved issues --------------- * In certain circumstances (at counter wrapping, which happens on average after 32 GB) AES GCM produced wrong ciphertexts. * Method ``encrypt()`` of AES SIV cipher could be still called, whereas only ``encrypt_and_digest()`` is allowed. ``` ### 3.6.0 ``` ++++++++++++++++++++ New features ------------ * Introduced ``export_key`` and deprecated ``exportKey`` for DSA and RSA key objects. * Ciphers and hash functions accept ``memoryview`` objects in input. * Added support for SHA-512/224 and SHA-512/256. Resolved issues --------------- * Reintroduced ``Crypto.__version__`` variable as in PyCrypto. * Fixed compilation problem with MinGW. ``` ### 3.5.1 ``` ++++++++++++++++++++ Resolved issues --------------- * GH142. Fix mismatch with declaration and definition of addmul128. ``` ### 3.5.0 ``` ++++++++++++++++++++ New features ------------ * Import and export of ECC curves in compressed form. * The initial counter for a cipher in CTR mode can be a byte string (in addition to an integer). * Faster PBKDF2 for HMAC-based PRFs (at least 20x for short passwords, more for longer passwords). Thanks to Christian Heimes for pointing out the implementation was under-optimized. * The salt for PBKDF2 can be either a string or bytes (GH67). * Ciphers and hash functions accept data as `bytearray`, not just binary strings. * The old SHA-1 and MD5 hash functions are available even when Python's own `hashlib` does not include them. Resolved issues --------------- * Without libgmp, modular exponentiation (since v3.4.8) crashed on 32-bit big-endian systems. Breaks in compatibility ----------------------- * Removed support for Python < 2.6. ``` ### 3.4.12 ``` ++++++++++++++++++++++++ Resolved issues --------------- * GH129. pycryptodomex could only be installed via wheels. ``` ### 3.4.11 ``` ++++++++++++++++++++++++ Resolved issues --------------- * GH121. the record list was still not correct due to PEP3147 and __pycache__ directories. Thanks again to John O'Brien. ``` ### 3.4.10 ``` ++++++++++++++++++++++++ Resolved issues --------------- * When creating ElGamal keys, the generator wasn't a square residue: ElGamal encryption done with those keys cannot be secure under the DDH assumption. Thanks to Weikeng Chen. ``` ### 3.4.9 ``` +++++++++++++++++++++++ New features ------------ * More meaningful error messages while importing an ECC key. Resolved issues --------------- * GH123 and 125. The SSE2 command line switch was not always passed on 32-bit x86 platforms. * GH121. The record list (--record) was not always correctly filled for the pycryptodomex package. Thanks to John W. O'Brien. ``` ### 3.4.8 ``` +++++++++++++++++++++++ New features ------------ * Added a native extension in pure C for modular exponentiation, optimized for SSE2 on x86. In the process, we drop support for the arbitrary arithmetic library MPIR on Windows, which is painful to compile and deploy. The custom modular exponentiation is 130% (160%) slower on an Intel CPU in 32-bit (64-bit) mode, compared to MPIR. Still, that is much faster that CPython's own `pow()` function which is 900% (855%) slower than MPIR. Support for the GMP library on Unix remains. * Added support for *manylinux* wheels. * Support for Python 3.7. Resolved issues --------------- * The DSA parameter 'p' prime was created with 255 bits cleared (but still with the correct strength). * GH106. Not all docs were included in the tar ball. Thanks to Christopher Hoskin. * GH109. ECDSA verification failed for DER encoded signatures. Thanks to Alastair Houghton. * Human-friendly messages for padding errors with ECB and CBC. ``` ### 3.4.7 ``` ++++++++++++++++++++++ New features ------------ * API documentation is made with sphinx instead of epydoc. * Start using ``importlib`` instead of ``imp`` where available. Resolved issues --------------- * GH82. Fixed PEM header for RSA/DSA public keys. ``` ### 3.4.6 ``` +++++++++++++++++++++++ Resolved issues --------------- * GH65. Keccak, SHA3, SHAKE and the seek functionality for ChaCha20 were not working on big endian machines. Fixed. Thanks to Mike Gilbert. * A few fixes in the documentation. ``` ### 3.4.5 ``` +++++++++++++++++++++++ Resolved issues --------------- * The library can also be compiled using MinGW. ``` ### 3.4.4 ``` +++++++++++++++++++++++ Resolved issues --------------- * Removed use of ``alloca()``. * [Security] Removed implementation of deprecated "quick check" feature of PGP block cipher mode. * Improved the performance of ``scrypt`` by converting some Python to C. ``` ### 3.4.3 ``` +++++++++++++++++++++++ Resolved issues --------------- * Undefined warning was raised with libgmp version < 5 * Forgot inclusion of ``alloca.h`` * Fixed a warning about type mismatch raised by recent versions of cffi ``` ### 3.4.2 ``` ++++++++++++++++++++ Resolved issues --------------- * Fix renaming of package for ``install`` command. ``` ### 3.4.1 ``` ++++++++++++++++++++++++ New features ------------ * Added option to install the library under the ``Cryptodome`` package (instead of ``Crypto``). ``` ### 3.4 ``` +++++++++++++++++++++ New features ------------ * Added ``Crypto.PublicKey.ECC`` module (NIST P-256 curve only), including export/import of ECC keys. * Added support for ECDSA (FIPS 186-3 and RFC6979). * For CBC/CFB/OFB/CTR cipher objects, ``encrypt()`` and ``decrypt()`` cannot be intermixed. * CBC/CFB/OFB, the cipher objects have both ``IV`` and ``iv`` attributes. ``new()`` accepts ``IV`` as well as ``iv`` as parameter. * For CFB/OPENPGP cipher object, ``encrypt()`` and ``decrypt()`` do not require the plaintext or ciphertext pieces to have length multiple of the CFB segment size. * Added dedicated tests for all cipher modes, including NIST test vectors * CTR/CCM/EAX/GCM/SIV/Salsa20/ChaCha20 objects expose the ``nonce`` attribute. * For performance reasons, CCM cipher optionally accepted a pre-declaration of the length of the associated data, but never checked if the actual data passed to the cipher really matched that length. Such check is now enforced. * CTR cipher objects accept parameter ``nonce`` and possibly ``initial_value`` in alternative to ``counter`` (which is deprecated). * All ``iv``/``IV`` and ``nonce`` parameters are optional. If not provided, they will be randomly generated (exception: ``nonce`` for CTR mode in case of block sizes smaller than 16 bytes). * Refactored ARC2 cipher. * Added ``Crypto.Cipher.DES3.adjust_key_parity()`` function. * Added ``RSA.import_key`` as an alias to the deprecated ``RSA.importKey`` (same for the ``DSA`` module). * Added ``size_in_bits()`` and ``size_in_bytes()`` methods to ``RsaKey``. Resolved issues --------------- * RSA key size is now returned correctly in ``RsaKey.__repr__()`` method (kudos to *hannesv*). * CTR mode does not modify anymore ``counter`` parameter passed to ``new()`` method. * CTR raises ``OverflowError`` instead of ``ValueError`` when the counter wraps around. * PEM files with Windows newlines could not be imported. * ``Crypto.IO.PEM`` and ``Crypto.IO.PKCS8`` used to accept empty passphrases. * GH6: NotImplementedError now raised for unsupported methods ``sign``, ``verify``, ``encrypt``, ``decrypt``, ``blind``, ``unblind`` and ``size`` in objects ``RsaKey``, ``DsaKey``, ``ElGamalKey``. Breaks in compatibility ----------------------- * Parameter ``segment_size`` cannot be 0 for the CFB mode. * For OCB ciphers, a final call without parameters to ``encrypt`` must end a sequence of calls to ``encrypt`` with data (similarly for ``decrypt``). * Key size for ``ARC2``, ``ARC4`` and ``Blowfish`` must be at least 40 bits long (still very weak). * DES3 (Triple DES module) does not allow keys that degenerate to Single DES. * Removed method ``getRandomNumber`` in ``Crypto.Util.number``. * Removed module ``Crypto.pct_warnings``. * Removed attribute ``Crypto.PublicKey.RSA.algorithmIdentifier``. ``` ### 3.3.1 ``` +++++++++++++++++++++++ New features ------------ * Opt-in for ``update()`` after ``digest()`` for SHA-3, keccak, BLAKE2 hashes Resolved issues --------------- * Removed unused SHA-3 and keccak test vectors, therefore significantly reducing the package from 13MB to 3MB. Breaks in compatibility ----------------------- * Removed method ``copy()`` from BLAKE2 hashes * Removed ability to ``update()`` a BLAKE2 hash after the first call to ``(hex)digest()`` ``` ### 3.3 ``` +++++++++++++++++++++ New features ------------ * Windows wheels bundle the MPIR library * Detection of faults occurring during secret RSA operations * Detection of non-prime (weak) q value in DSA domain parameters * Added original Keccak hash family (b=1600 only). In the process, simplified the C code base for SHA-3. * Added SHAKE128 and SHAKE256 (of SHA-3 family) Resolved issues --------------- * GH3: gcc 4.4.7 unhappy about double typedef Breaks in compatibility ----------------------- * Removed method ``copy()`` from all SHA-3 hashes * Removed ability to ``update()`` a SHA-3 hash after the first call to ``(hex)digest()`` ``` ### 3.2.1 ``` ++++++++++++++++++++++++ New features ------------ * Windows wheels are automatically built on Appveyor ``` ### 3.2 ``` ++++++++++++++++++++++ New features ------------ * Added hash functions BLAKE2b and BLAKE2s. * Added stream cipher ChaCha20. * Added OCB cipher mode. * CMAC raises an exception whenever the message length is found to be too large and the chance of collisions not negligeable. * New attribute ``oid`` for Hash objects with ASN.1 Object ID * Added ``Crypto.Signature.pss`` and ``Crypto.Signature.pkcs1_15`` * Added NIST test vectors (roughly 1200) for PKCS1 v1.5 and PSS signatures. Resolved issues --------------- * tomcrypt_macros.h asm error 1 Breaks in compatibility ----------------------- * Removed keyword ``verify_x509_cert`` from module method ``importKey`` (RSA and DSA). * Reverted to original PyCrypto behavior of method ``verify`` in ``PKCS1_v1_5`` and ``PKCS1_PSS``. ``` ### 3.1 ``` +++++++++++++++++++ New features ------------ * Speed up execution of Public Key algorithms on PyPy, when backed by the Gnu Multiprecision (GMP) library. * GMP headers and static libraries are not required anymore at the time PyCryptodome is built. Instead, the code will automatically use the GMP dynamic library (.so/.DLL) if found in the system at runtime. * Reduced the amount of C code by almost 40% (4700 lines). Modularized and simplified all code (C and Python) related to block ciphers. Pycryptodome is now free of CPython extensions. * Add support for CI in Windows via Appveyor. * RSA and DSA key generation more closely follows FIPS 186-4 (though it is not 100% compliant). Resolved issues --------------- * None Breaks in compatibility ----------------------- * New dependency on ctypes with Python 2.4. * The ``counter`` parameter of a CTR mode cipher must be generated via ``Crypto.Util.Counter``. It cannot be a generic callable anymore. * Removed the ``Crypto.Random.Fortuna`` package (due to lack of test vectors). * Removed the ``Crypto.Hash.new`` function. * The ``allow_wraparound`` parameter of ``Crypto.Util.Counter`` is ignored. An exception is always generated if the counter is reused. * ``DSA.generate``, ``RSA.generate`` and ``ElGamal.generate`` do not accept the ``progress_func`` parameter anymore. * Removed ``Crypto.PublicKey.RSA.RSAImplementation``. * Removed ``Crypto.PublicKey.DSA.DSAImplementation``. * Removed ambiguous method ``size()`` from RSA, DSA and ElGamal keys. ``` ### 3.0 ``` ++++++++++++++++++ New features ------------ * Initial support for PyPy. * SHA-3 hash family based on the April 2014 draft of FIPS 202. See modules ``Crypto.Hash.SHA3_224/256/384/512``. Initial Keccak patch by Fabrizio Tarizzo. * Salsa20 stream cipher. See module ``Crypto.Cipher.Salsa20``. Patch by Fabrizio Tarizzo. * Colin Percival's ``scrypt`` key derivation function (``Crypto.Protocol.KDF.scrypt``). * Proper interface to FIPS 186-3 DSA. See module ``Crypto.Signature.DSS``. * Deterministic DSA (RFC6979). Again, see ``Crypto.Signature.DSS``. * HMAC-based Extract-and-Expand key derivation function (``Crypto.Protocol.KDF.HKDF``, RFC5869). * Shamir's Secret Sharing protocol, compatible with *ssss* (128 bits only). See module ``Crypto.Protocol.SecretSharing``. * Ability to generate a DSA key given the domain parameters. * Ability to test installation with a simple ``python -m Crypto.SelfTest``. Resolved issues --------------- * LP1193521: ``mpz_powm_sec()`` (and Python) crashed when modulus was odd. * Benchmarks work again (they broke when ECB stopped working if an IV was passed. Patch by Richard Mitchell. * LP1178485: removed some catch-all exception handlers. Patch by Richard Mitchell. * LP1209399: Removal of Python wrappers caused HMAC to silently produce the wrong data with SHA-2 algorithms. * LP1279231: remove dead code that does nothing in SHA-2 hashes. Patch by Richard Mitchell. * LP1327081: AESNI code accesses memory beyond buffer end. * Stricter checks on ciphertext and plaintext size for textbook RSA (kudos to sharego). Breaks in compatibility ----------------------- * Removed support for Python < 2.4. * Removed the following methods from all 3 public key object types (RSA, DSA, ElGamal): - ``sign`` - ``verify`` - ``encrypt`` - ``decrypt`` - ``blind`` - ``unblind`` Code that uses such methods is doomed anyway. It should be fixed ASAP to use the algorithms available in ``Crypto.Signature`` and ``Crypto.Cipher``. * The 3 public key object types (RSA, DSA, ElGamal) are now unpickable. * Symmetric ciphers do not have a default mode anymore (used to be ECB). An expression like ``AES.new(key)`` will now fail. If ECB is the desired mode, one has to explicitly use ``AES.new(key, AES.MODE_ECB)``. * Unsuccessful verification of a signature will now raise an exception [reverted in 3.2]. * Removed the ``Crypto.Random.OSRNG`` package. * Removed the ``Crypto.Util.winrandom`` module. * Removed the ``Crypto.Random.randpool`` module. * Removed the ``Crypto.Cipher.XOR`` module. * Removed the ``Crypto.Protocol.AllOrNothing`` module. * Removed the ``Crypto.Protocol.Chaffing`` module. * Removed the parameters ``disabled_shortcut`` and ``overflow`` from ``Crypto.Util.Counter.new``. Other changes ------------- * ``Crypto.Random`` stops being a userspace CSPRNG. It is now a pure wrapper over ``os.urandom``. * Added certain resistance against side-channel attacks for GHASH (GCM) and DSA. * More test vectors for ``HMAC-RIPEMD-160``. * Update ``libtomcrypt`` headers and code to v1.17 (kudos to Richard Mitchell). * RSA and DSA keys are checked for consistency as they are imported. * Simplified build process by removing autoconf. * Speed optimization to PBKDF2. * Add support for MSVC. * Replaced HMAC code with a BSD implementation. Clarified that starting from the fork, all contributions are released under the BSD license. ```Links
- PyPI: https://pypi.org/project/pycryptodome - Changelog: https://data.safetycli.com/changelogs/pycryptodome/ - Homepage: https://www.pycryptodome.org