PyCrypto - The Python Cryptography Toolkit
Random number generation
Here is the current list of known random number generation issues/bugs
that have been found in previous versions of PyCrypto:
- In versions prior to v2.6.1, Crypto.Random was insecure when using fork() in some cases.
See the advisory for CVE-2013-1445
for more information. It is recommended that users upgrade to PyCrypto v2.6.1 or later.
- In versions prior to v2.1.0, Crypto.Util.randpool.RandomPool was unsafe as commonly used.
It was not thread-safe or fork-safe at all, and it was not always properly
seeded with entropy. This was by design, but most application developers
simply read from it without any further thought, resulting in insecure
applications.
See this thread for more information.
It is now deprecated and will be removed in a future
release; use Crypto.Random or os.urandom instead.
Keeping an entropy pool in a
user-space program is complex and error-prone. It is especially difficult to
do reliably in a generic crypto library, and it is quite
common for mistakes to be made.
Hopefully, operating systems will one day provide random number generation
facilities that are sufficiently fast, trustworthy, and reliable that they
can completely replace the multitude of user-space random number generators
that currently plague our software.
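The fork() hazard described above, as an added example that is not PyCrypto code: `ToyPool` is a constructed stand-in for a user-space pool and `read_in_children` is a hypothetical helper. Two forked children read identical bytes from the inherited state, then differ once the child mixes in fresh OS entropy or reads os.urandom directly.

```python
import hashlib
import os

class ToyPool:
    """Constructed stand-in for a user-space entropy pool (not PyCrypto code)."""

    def __init__(self):
        self._state = os.urandom(32)  # seeded once, before any fork()

    def read(self, n):
        out = b""
        while len(out) < n:
            self._state = hashlib.sha256(b"next" + self._state).digest()
            out += hashlib.sha256(b"out" + self._state).digest()
        return out[:n]

    def reseed(self):
        self._state = hashlib.sha256(self._state + os.urandom(32)).digest()

def read_in_children(read, children=2, n=16, after_fork=None):
    """Fork `children` processes; return what each one got from read(n)."""
    results = []
    for _ in range(children):
        r, w = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: holds a copy of the parent's memory
            try:
                os.close(r)
                if after_fork:
                    after_fork()
                os.write(w, read(n))
            finally:
                os._exit(0)
        os.close(w)
        with os.fdopen(r, "rb") as pipe:
            results.append(pipe.read())
        os.waitpid(pid, 0)
    return results

def demo():
    pool = ToyPool()
    inherited = read_in_children(pool.read)  # same pool state in both children
    reseeded = read_in_children(pool.read, after_fork=pool.reseed)
    kernel = read_in_children(os.urandom)  # no user-space state to copy
    return inherited, reseeded, kernel

if __name__ == "__main__":
    for name, (a, b) in zip(("inherited", "reseeded", "os.urandom"), demo()):
        print(f"{name:10s} {a.hex()} {b.hex()} same={a == b}")
```

This needs a platform with os.fork(); the parent never reads from the pool between forks, which is exactly the situation where every child starts from the same state.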
Download the latest release
The latest stable release is available here:
The latest experimental release is available here:
SHA256 sums:
f2ce1e989b272cfcb677616763e0a2e7ec659effa67a88aa92b3a65528f60a3c *pycrypto-2.6.1.tar.gz
c2ab0516cc55321e6543ae75e2aa6f6e56e97432870f32a7799f3b89f467dc1b *pycrypto-2.6.1.tar.gz.asc
ee4013e297e6a5da5c9f49a3e38dc8a5c62ae816377aa766c9e87474197be3b9 *pycrypto-2.7a1.tar.gz
726c2711133ca210c3bc1c9f75c9d638a6235cacef8f8129fb61879e2f336e1a *pycrypto-2.7a1.tar.gz.asc
Documentation
Contributing
Bugs and feature requests are tracked on GitHub. If you are interested in contributing, please join the mailing list.
The source code is now managed on GitHub. Clone it using git by running the following command:
git clone https://github.com/dlitz/pycrypto
Submitting patches
In an effort to clarify PyCrypto's licensing terms and export control
status, all new patch submissions must meet the requirements
set out in the document, "PyCrypto Code Submission
Requirements - Rev. D".
Once you have confirmed that you meet the "Code Submission Requirements"
above, please send me a pull request on GitHub. Alternatively, you can send
your patches to the mailing list.
Tips for getting your patches accepted:
- Don't needlessly break compatibility with older versions of
PyCrypto. Patches that break compatibility with older versions of
PyCrypto, especially PyCrypto 2.0.1, will need an explanation about why
it's worth breaking compatibility. Exception: Removing buggy code that
nobody uses is fine.
- Don't needlessly break compatibility with older versions of
Python. Run the test suite using Python 2.1 and the latest version of
Python 2.x.
- Don't needlessly add complexity. The more complex the code is,
the harder it is to maintain, and the more likely it is to have bugs.
- Don't needlessly add features. Seriously. X.509 doesn't belong
in PyCrypto. Or anywhere, really.
- Don't create copyright headaches. It took me the better part of
a year to sort out the licensing ambiguities in PyCrypto 2.0.1. If you're
adding new files, include the standard PyCrypto public domain dedication at
the top.
- Whatever you do in _fastmath.c, also do in _slowmath.py.
PyCrypto has two math libraries: one that depends on libgmp, and one
that doesn't. They need to be kept synchronized with each other.
- Make small, incremental, well-documented changes. Your commit
messages should be clear and detailed. Include any applicable background
information. Your patches should do one thing. Your code should have
sensible comments.
Export of cryptography software
The export of cryptography software is (still) governed by arms control
regulations in Canada, the United States, and elsewhere. The export or
re-export of this software may be regulated by law in your country.