tiran's pull request #56: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" was opened
PR body: """ jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes <chei...@redhat.com> """ See the full pull-request at https://github.com/freeipa/freeipa/pull/56 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/56/head:pr56 git checkout pr56
From 64cc8c4bcb3dcad27a78ab611786d3c71a5a80b7 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Mon, 5 Sep 2016 15:38:48 +0200 Subject: [PATCH] Use RSA-OAEP instead of RSA PKCS#1 v1.5 jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipapython/secrets/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py index 56ed6f7..d9cc7d0 100644 --- a/ipapython/secrets/client.py +++ b/ipapython/secrets/client.py @@ -86,7 +86,7 @@ def fetch_key(self, keyname, store=True): url = 'https://%s/ipa/keys/%s' % (self.server, keyname) # Prepare signed/encrypted request - encalg = ('RSA1_5', 'A256CBC-HS512') + encalg = ('RSA-OAEP', 'A256CBC-HS512') request = self.kemcli.make_request(keyname, encalg=encalg) # Prepare Authentication header
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code