Add PyCryptodome to import blacklists
PyCryptodome is a direct fork of PyCrypto, and is generally considered to not be the replacement for it. It is recommended that projects move to pyca/cryptography instead, as this may be exposing folks to the same inherent issues that PyCrypto was deprecated because of.

Signed-off-by: John 'Warthog9' Hawley <warthog9@eaglescrag.net>
Signed-off-by: John 'Warthog9' Hawley <jhawley@vmware.com>
Signed-off-by: Terri Oda <terri.oda@intel.com>
Showing 4 changed files with 54 additions and 0 deletions.
@@ -0,0 +1,11 @@ | ||
from Cryptodome.Cipher import AES | ||
from Cryptodome import Random | ||
|
||
from . import CryptoMaterialsCacheEntry | ||
|
||
|
||
def test_pycrypto(): | ||
key = b'Sixteen byte key' | ||
iv = Random.new().read(AES.block_size) | ||
cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv) | ||
factory = CryptoMaterialsCacheEntry() |
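Review bot: `pycrypto_arc2` in `cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)` is never imported or defined in this file, so the sample is inconsistent with its own imports (only `AES` and `Random` are brought in from `Cryptodome`); if the goal is simply to exercise the `Cryptodome` import path, `AES.new(key, AES.MODE_CFB, iv)` would do, and if ARC2 is really intended it needs its own `from Cryptodome.Cipher import ARC2` line. The function name `test_pycrypto` and the relative `from . import CryptoMaterialsCacheEntry` read as carried over from another fixture and should be renamed to match PyCryptodome or dropped; `cipher` and `factory` are also assigned but never used.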
1c716be
I think this is not the correct approach.
Weak algorithms are available in any crypto library out there. PyCryptodome is a fairly well maintained library that does not depend on any other crypto package, with most methods implemented in (portable) Python, falling back to optimized C code for performance-critical parts only. You should parse the AST down to the crypto methods used, and flag weak ones only.
To be fair, you would need to flag the pyca/cryptography package as highly vulnerable as well, since it contains similar methods that even depend on a 3rd-party package (OpenSSL). OpenSSL directly determines what features are available; therefore, when deciding about pyca/cryptography, you need to take the OpenSSL version and revision into account. Do you?
Obviously, this is based more on a political decision than on rational/technical reasons. In case I'm wrong, please leave us a note on the real technical reasons here.
Apart from watching and using this project in my own projects since January 2017, I'm not affiliated with PyCryptodome in any other way.
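The two positions in this thread, the commit's import blacklist and the comment's suggestion of walking the AST down to the specific cipher that is used, can be contrasted on a few constructed snippets. The Python below is an added example written for this page, not code from the project or from either participant: the sample sources in `SAMPLES`, the `BLACKLISTED_ROOTS` and `WEAK_CIPHERS` sets, and the `scan()` helper are all assumptions made for illustration, and the weak-cipher list is deliberately short.

```python
import ast

# Constructed sample inputs (not from the page): three snippets to scan.
SAMPLES = {
    "legacy_arc2.py": (
        "from Cryptodome.Cipher import ARC2\n"
        "cipher = ARC2.new(key, ARC2.MODE_CFB, iv)\n"
    ),
    "aes_gcm.py": (
        "from Cryptodome.Cipher import AES\n"
        "cipher = AES.new(key, AES.MODE_GCM)\n"
    ),
    "pyca.py": (
        "from cryptography.hazmat.primitives.ciphers import algorithms\n"
        "algo = algorithms.Blowfish(key)\n"
    ),
}

# Commit's approach (assumed list): any import from these package roots is reported.
BLACKLISTED_ROOTS = {"Crypto", "Cryptodome"}

# Commenter's approach (assumed list): only these algorithm names are reported,
# whichever package they come from.
WEAK_CIPHERS = {"ARC2", "ARC4", "DES", "DES3", "Blowfish", "CAST", "IDEA", "SEED", "TripleDES"}


def _root(name):
    return name.split(".")[0]


class CryptoVisitor(ast.NodeVisitor):
    """Collect (kind, lineno, dotted_name) findings for both detection styles."""

    def __init__(self):
        self.findings = []
        self.aliases = {}  # local name -> fully qualified name it was imported as

    def visit_Import(self, node):
        for alias in node.names:
            local = alias.asname or _root(alias.name)
            # `import a.b as c` binds c -> a.b; plain `import a.b` binds only `a`
            self.aliases[local] = alias.name if alias.asname else local
            if _root(alias.name) in BLACKLISTED_ROOTS:
                self.findings.append(("import-blacklist", node.lineno, alias.name))
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        for alias in node.names:
            full = f"{module}.{alias.name}" if module else alias.name
            self.aliases[alias.asname or alias.name] = full
            if _root(module) in BLACKLISTED_ROOTS:
                self.findings.append(("import-blacklist", node.lineno, full))
            if alias.name in WEAK_CIPHERS:
                self.findings.append(("weak-cipher", node.lineno, full))
        self.generic_visit(node)

    def visit_Call(self, node):
        # Resolve dotted call targets such as ARC2.new(...) or algorithms.Blowfish(...)
        # back through the import aliases so the cipher name is visible.
        parts = []
        cur = node.func
        while isinstance(cur, ast.Attribute):
            parts.append(cur.attr)
            cur = cur.value
        if isinstance(cur, ast.Name):
            parts.append(self.aliases.get(cur.id, cur.id))
            dotted = ".".join(reversed(parts))
            if any(seg in WEAK_CIPHERS for seg in dotted.split(".")):
                self.findings.append(("weak-cipher", node.lineno, dotted))
        self.generic_visit(node)


def scan(source, mode="weak-only"):
    """Return sorted findings for one source file.

    mode="import-blacklist" reports every import from a blacklisted root
    (the commit's approach); mode="weak-only" reports only weak algorithm
    usage regardless of package (the comment's approach)."""
    visitor = CryptoVisitor()
    visitor.visit(ast.parse(source))
    wanted = "import-blacklist" if mode == "import-blacklist" else "weak-cipher"
    return sorted({f for f in visitor.findings if f[0] == wanted})


if __name__ == "__main__":
    for mode in ("import-blacklist", "weak-only"):
        print(f"== {mode} ==")
        for name, src in SAMPLES.items():
            print(name, scan(src, mode))
```

Run as a script, the blacklist mode flags both Cryptodome files (including the AES-GCM one) and misses the Blowfish use in the pyca/cryptography file, while the weak-only mode flags exactly the ARC2 and Blowfish uses; that is the trade-off the comment is pointing at. The alias resolution is deliberately simple (no tracking of reassignment or `getattr`), so a real linter would need more than this.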