Opened at 2011-11-17T22:50:31Z

Closed at 2013-10-17T14:43:51Z

Last modified at 2013-10-17T14:54:59Z

#1586 closed defect (somebody else's problem)

"PowmInsecureWarning: Not using mpz_powm_sec" warning from PyCrypto

Reported by: davidsarah Owned by: somebody
Priority: normal Milestone: eventually
Component: packaging Version: 1.9.0b1
Keywords: pycrypto-lib libgmp security sftp Cc:
Launchpad Bug:

Description (last modified by zooko)

This warning occurs when importing PyCrypto 2.4.1 (possibly depending on how the PyCrypto egg for the current platform was built): 

/usr/local/lib/python2.6/dist-packages/pycrypto-2.4.1-py2.6-linux-x86_64.egg/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.

We probably just need to accelerate the programme to get rid of our dependency (via Twisted) on PyCrypto: http://twistedmatrix.com/trac/ticket/4633

Change History (10)

comment:1 Changed at 2011-11-17T22:52:27Z by davidsarah

  • Description modified (diff)

comment:2 Changed at 2012-04-01T04:36:31Z by davidsarah

  • Milestone changed from undecided to eventually
  • Priority changed from minor to normal

comment:3 Changed at 2012-05-14T04:10:34Z by david-sarah@…

In 4b80299fddd7ece4:

Suppress the PowmInsecureWarning? from PyCrypto?. refs #1586

comment:4 Changed at 2012-05-14T14:53:56Z by david-sarah <david-sarah@…>

In 4b80299fddd7ece4:

Suppress the PowmInsecureWarning? from PyCrypto?. refs #1586

comment:5 Changed at 2012-05-14T21:40:43Z by david-sarah@…

In 5649/ticket999-S3-backend:

Suppress the PowmInsecureWarning? from PyCrypto?. refs #1586

comment:6 Changed at 2012-05-15T15:59:54Z by zooko

I reviewed 4b80299fddd7ece4 and saw no problem with it.

comment:7 Changed at 2013-10-10T19:25:47Z by zooko

  • Description modified (diff)
  • Resolution set to fixed
  • Status changed from new to closed

This was apparently fixed by the warning-suppression patch [4b80299fddd7ece4].

comment:8 Changed at 2013-10-17T14:43:19Z by daira

  • Resolution fixed deleted
  • Status changed from closed to reopened

Well, the potential timing vulnerability is not fixed. (It affects only the SFTP frontend, and is documented at SftpFrontend, which I just updated to reflect that PyCrypto 2.4.1 is still vulnerable.)

As the message clearly says, someone "should rebuild [PyCrypto] using libgmp >= 5". Reopening in order to close as "somebody else's problem".

comment:9 Changed at 2013-10-17T14:43:51Z by daira

  • Keywords libgmp security sftp added
  • Resolution set to somebody else's problem
  • Status changed from reopened to closed

comment:10 Changed at 2013-10-17T14:54:30Z by daira

Actually, maybe this is our problem after all, since we build the PyCrypto eggs that are hosted at https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs. Filed as #2094.

Version 0, edited at 2013-10-17T14:54:30Z by daira (next)
Note: See TracTickets for help on using tickets.