From 93af6f2f89a9bf28361e67716c4240e691520f30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
Date: Wed, 3 Jun 2020 14:39:23 +0200
Subject: [PATCH] Fix CVE-2020-13757: detect cyphertext modifications by
 prepending zero bytes

Reject cyphertexts that have been modified by prepending zero bytes, by
checking the cyphertext length against the expected size (given the
decryption key). This resolves CVE-2020-13757.

The same approach is used when verifying a signature.

Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
---
 rsa/pkcs1.py        |  9 +++++++++
 1 files changed, 9 insertions(+)

diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
index 28f0dc5..cdf830b 100644
--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
@@ -232,6 +232,12 @@ def decrypt(crypto, priv_key):
     decrypted = priv_key.blinded_decrypt(encrypted)
     cleartext = transform.int2bytes(decrypted, blocksize)
 
+    # Detect leading zeroes in the crypto. These are not reflected in the
+    # encrypted value (as leading zeroes do not influence the value of an
+    # integer). This fixes CVE-2020-13757.
+    if len(crypto) > blocksize:
+        raise DecryptionError('Decryption failed')
+
     # If we can't find the cleartext marker, decryption failed.
     if cleartext[0:2] != b('\x00\x02'):
         raise DecryptionError('Decryption failed')
@@ -310,6 +316,9 @@ def verify(message, signature, pub_key):
     cleartext = HASH_ASN1[method_name] + message_hash
     expected = _pad_for_signing(cleartext, keylength)
 
+    if len(signature) != keylength:
+        raise VerificationError('Verification failed')
+
     # Compare with the signed one
     if expected != clearsig:
         raise VerificationError('Verification failed')
 
-- 
1.8.3.1