tiran's pull request #57: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" was opened

PR body:
"""
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle
side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern
alternative.

https://fedorahosted.org/freeipa/ticket/6278

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/57
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/57/head:pr57
git checkout pr57
From e48b9b7840c5e800daaa9c546995a67fd563aff8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 5 Sep 2016 15:38:48 +0200
Subject: [PATCH] Use RSA-OAEP instead of RSA PKCS#1 v1.5

jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle
side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern
alternative.

https://fedorahosted.org/freeipa/ticket/6278

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipapython/secrets/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 5b67198..646ef7e 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -80,7 +80,7 @@ def fetch_key(self, keyname, store=True):
         url = 'https://%s/ipa/keys/%s' % (self.server, keyname)
 
         # Prepare signed/encrypted request
-        encalg = ('RSA1_5', 'A256CBC-HS512')
+        encalg = ('RSA-OAEP', 'A256CBC-HS512')
         request = self.kemcli.make_request(keyname, encalg=encalg)
 
         # Prepare Authentication header
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to