Fix CVE-2020-13757
Fix CVE-2020-13757
This commit is contained in:
Markeryang
Gitee
parent
a3b88ad9ee
commit
23f433f24b
110
0001-Fix-CVE-2020-13757.patch
Normal file
110
0001-Fix-CVE-2020-13757.patch
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
From 93af6f2f89a9bf28361e67716c4240e691520f30 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
|
||||||
|
Date: Wed, 3 Jun 2020 14:39:23 +0200
|
||||||
|
Subject: [PATCH] Fix CVE-2020-13757: detect cyphertext modifications by
|
||||||
|
prepending zero bytes
|
||||||
|
|
||||||
|
Reject cyphertexts that have been modified by prepending zero bytes, by
|
||||||
|
checking the cyphertext length against the expected size (given the
|
||||||
|
decryption key). This resolves CVE-2020-13757.
|
||||||
|
|
||||||
|
The same approach is used when verifying a signature.
|
||||||
|
|
||||||
|
Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
|
||||||
|
---
|
||||||
|
rsa/pkcs1.py | 9 +++++++++
|
||||||
|
tests/test_pkcs1.py | 44 ++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 53 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
|
||||||
|
index 28f0dc5..cdf830b 100644
|
||||||
|
--- a/rsa/pkcs1.py
|
||||||
|
+++ b/rsa/pkcs1.py
|
||||||
|
@@ -232,6 +232,12 @@ def decrypt(crypto, priv_key):
|
||||||
|
decrypted = priv_key.blinded_decrypt(encrypted)
|
||||||
|
cleartext = transform.int2bytes(decrypted, blocksize)
|
||||||
|
|
||||||
|
+ # Detect leading zeroes in the crypto. These are not reflected in the
|
||||||
|
+ # encrypted value (as leading zeroes do not influence the value of an
|
||||||
|
+ # integer). This fixes CVE-2020-13757.
|
||||||
|
+ if len(crypto) > blocksize:
|
||||||
|
+ raise DecryptionError('Decryption failed')
|
||||||
|
+
|
||||||
|
# If we can't find the cleartext marker, decryption failed.
|
||||||
|
if cleartext[0:2] != b('\x00\x02'):
|
||||||
|
raise DecryptionError('Decryption failed')
|
||||||
|
@@ -310,6 +316,9 @@ def verify(message, signature, pub_key):
|
||||||
|
cleartext = HASH_ASN1[method_name] + message_hash
|
||||||
|
expected = _pad_for_signing(cleartext, keylength)
|
||||||
|
|
||||||
|
+ if len(signature) != keylength:
|
||||||
|
+ raise VerificationError('Verification failed')
|
||||||
|
+
|
||||||
|
# Compare with the signed one
|
||||||
|
if expected != clearsig:
|
||||||
|
raise VerificationError('Verification failed')
|
||||||
|
diff --git a/tests/test_pkcs1.py b/tests/test_pkcs1.py
|
||||||
|
index 39555f6..5ee5bd7 100644
|
||||||
|
--- a/tests/test_pkcs1.py
|
||||||
|
+++ b/tests/test_pkcs1.py
|
||||||
|
@@ -65,6 +65,32 @@ class BinaryTest(unittest.TestCase):
|
||||||
|
self.assertNotEqual(encrypted1, encrypted2)
|
||||||
|
|
||||||
|
|
||||||
|
+class ExtraZeroesTest(unittest.TestCase):
|
||||||
|
+ def setUp(self):
|
||||||
|
+ # Key, cyphertext, and plaintext taken from https://github.com/sybrenstuvel/python-rsa/issues/146
|
||||||
|
+ self.private_key = rsa.PrivateKey.load_pkcs1(
|
||||||
|
+ "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAs1EKK81M5kTFtZSuUFnhKy8FS2WNXaWVmi/fGHG4CLw98+Yo\n0nkuUarVwSS0O9pFPcpc3kvPKOe9Tv+6DLS3Qru21aATy2PRqjqJ4CYn71OYtSwM\n/ZfSCKvrjXybzgu+sBmobdtYm+sppbdL+GEHXGd8gdQw8DDCZSR6+dPJFAzLZTCd\nB+Ctwe/RXPF+ewVdfaOGjkZIzDoYDw7n+OHnsYCYozkbTOcWHpjVevipR+IBpGPi\n1rvKgFnlcG6d/tj0hWRl/6cS7RqhjoiNEtxqoJzpXs/Kg8xbCxXbCchkf11STA8u\ndiCjQWuWI8rcDwl69XMmHJjIQAqhKvOOQ8rYTQIDAQABAoIBABpQLQ7qbHtp4h1Y\nORAfcFRW7Q74UvtH/iEHH1TF8zyM6wZsYtcn4y0mxYE3Mp+J0xlTJbeVJkwZXYVH\nL3UH29CWHSlR+TWiazTwrCTRVJDhEoqbcTiRW8fb+o/jljVxMcVDrpyYUHNo2c6w\njBxhmKPtp66hhaDpds1Cwi0A8APZ8Z2W6kya/L/hRBzMgCz7Bon1nYBMak5PQEwV\nF0dF7Wy4vIjvCzO6DSqA415DvJDzUAUucgFudbANNXo4HJwNRnBpymYIh8mHdmNJ\n/MQ0YLSqUWvOB57dh7oWQwe3UsJ37ZUorTugvxh3NJ7Tt5ZqbCQBEECb9ND63gxo\n/a3YR/0CgYEA7BJc834xCi/0YmO5suBinWOQAF7IiRPU+3G9TdhWEkSYquupg9e6\nK9lC5k0iP+t6I69NYF7+6mvXDTmv6Z01o6oV50oXaHeAk74O3UqNCbLe9tybZ/+F\ndkYlwuGSNttMQBzjCiVy0+y0+Wm3rRnFIsAtd0RlZ24aN3bFTWJINIsCgYEAwnQq\nvNmJe9SwtnH5c/yCqPhKv1cF/4jdQZSGI6/p3KYNxlQzkHZ/6uvrU5V27ov6YbX8\nvKlKfO91oJFQxUD6lpTdgAStI3GMiJBJIZNpyZ9EWNSvwUj28H34cySpbZz3s4Xd\nhiJBShgy+fKURvBQwtWmQHZJ3EGrcOI7PcwiyYcCgYEAlql5jSUCY0ALtidzQogW\nJ+B87N+RGHsBuJ/0cxQYinwg+ySAAVbSyF1WZujfbO/5+YBN362A/1dn3lbswCnH\nK/bHF9+fZNqvwprPnceQj5oK1n4g6JSZNsy6GNAhosT+uwQ0misgR8SQE4W25dDG\nkdEYsz+BgCsyrCcu8J5C+tUCgYAFVPQbC4f2ikVyKzvgz0qx4WUDTBqRACq48p6e\n+eLatv7nskVbr7QgN+nS9+Uz80ihR0Ev1yCAvnwmM/XYAskcOea87OPmdeWZlQM8\nVXNwINrZ6LMNBLgorfuTBK1UoRo1pPUHCYdqxbEYI2unak18mikd2WB7Fp3h0YI4\nVpGZnwKBgBxkAYnZv+jGI4MyEKdsQgxvROXXYOJZkWzsKuKxVkVpYP2V4nR2YMOJ\nViJQ8FUEnPq35cMDlUk4SnoqrrHIJNOvcJSCqM+bWHAioAsfByLbUPM8sm3CDdIk\nXVJl32HuKYPJOMIWfc7hIfxLRHnCN+coz2M6tgqMDs0E/OfjuqVZ\n-----END RSA PRIVATE KEY-----",
|
||||||
|
+ format='PEM')
|
||||||
|
+ self.cyphertext = bytes.fromhex(
|
||||||
|
+ "4501b4d669e01b9ef2dc800aa1b06d49196f5a09fe8fbcd037323c60eaf027bfb98432be4e4a26c567ffec718bcbea977dd26812fa071c33808b4d5ebb742d9879806094b6fbeea63d25ea3141733b60e31c6912106e1b758a7fe0014f075193faa8b4622bfd5d3013f0a32190a95de61a3604711bc62945f95a6522bd4dfed0a994ef185b28c281f7b5e4c8ed41176d12d9fc1b837e6a0111d0132d08a6d6f0580de0c9eed8ed105531799482d1e466c68c23b0c222af7fc12ac279bc4ff57e7b4586d209371b38c4c1035edd418dc5f960441cb21ea2bedbfea86de0d7861e81021b650a1de51002c315f1e7c12debe4dcebf790caaa54a2f26b149cf9e77d"
|
||||||
|
+ )
|
||||||
|
+ self.plaintext = bytes.fromhex("54657374")
|
||||||
|
+
|
||||||
|
+ def test_unmodified(self):
|
||||||
|
+ message = rsa.decrypt(self.cyphertext, self.private_key)
|
||||||
|
+ self.assertEqual(message, self.plaintext)
|
||||||
|
+
|
||||||
|
+ def test_prepend_zeroes(self):
|
||||||
|
+ cyphertext = bytes.fromhex("0000") + self.cyphertext
|
||||||
|
+ with self.assertRaises(rsa.DecryptionError):
|
||||||
|
+ rsa.decrypt(cyphertext, self.private_key)
|
||||||
|
+
|
||||||
|
+ def test_append_zeroes(self):
|
||||||
|
+ cyphertext = self.cyphertext + bytes.fromhex("0000")
|
||||||
|
+ with self.assertRaises(rsa.DecryptionError):
|
||||||
|
+ rsa.decrypt(cyphertext, self.private_key)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
class SignatureTest(unittest.TestCase):
|
||||||
|
def setUp(self):
|
||||||
|
(self.pub, self.priv) = rsa.newkeys(512)
|
||||||
|
@@ -80,6 +106,24 @@ class SignatureTest(unittest.TestCase):
|
||||||
|
|
||||||
|
self.assertTrue(pkcs1.verify(message, signature, self.pub))
|
||||||
|
|
||||||
|
+ def test_prepend_zeroes(self):
|
||||||
|
+ """Prepending the signature with zeroes should be detected."""
|
||||||
|
+
|
||||||
|
+ message = b'je moeder'
|
||||||
|
+ signature = pkcs1.sign(message, self.priv, 'SHA-256')
|
||||||
|
+ signature = bytes.fromhex('0000') + signature
|
||||||
|
+ with self.assertRaises(rsa.VerificationError):
|
||||||
|
+ pkcs1.verify(message, signature, self.pub)
|
||||||
|
+
|
||||||
|
+ def test_apppend_zeroes(self):
|
||||||
|
+ """Apppending the signature with zeroes should be detected."""
|
||||||
|
+
|
||||||
|
+ message = b'je moeder'
|
||||||
|
+ signature = pkcs1.sign(message, self.priv, 'SHA-256')
|
||||||
|
+ signature = signature + bytes.fromhex('0000')
|
||||||
|
+ with self.assertRaises(rsa.VerificationError):
|
||||||
|
+ pkcs1.verify(message, signature, self.pub)
|
||||||
|
+
|
||||||
|
def test_alter_message(self):
|
||||||
|
"""Altering the message should let the verification fail."""
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
||||||
Loading…
x
Reference in New Issue
Block a user