Warning for libgmp < 5 is unclear

Bug #1406686 reported by Toshio Kuratomi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Python-Crypto
New
Undecided
Unassigned

Bug Description

Fedora EPEL builds addon packages for RHEL. One package that is shipped is a forwards compat version of pycrypto-2.6.1. For RHEL6, RHEL is shipping with libgmp-5.x. This triggers the following warning from pycrpyto:

- _warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)

People using the library encounter this error and are concerned that pycrypto is insecure. However, reading the pycrypto code it seems that what's actually happening is that pycrypto detects the timing-attack-vulnerable version and then fallsback to a pure-python implementation that is not vulnerable. If this is the case, the warning message should be changed so that people are not mislead into thinking that pycrypto is insecure.

Patch with updated message is attached.

If my analysis of the code is incorrect and the pure-python version of the code being used when gmp < 5, please let us know so that we can figure out a solution. Thanks.

(EPEL Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1103566 )

Revision history for this message
Toshio Kuratomi (toshio) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.