packages/python-rsa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
python-rsa/0002-CVE-2020-25658.patch
markeryang 237d4427b7 fix CVE-2020-25658
2020-12-15 14:36:14 +08:00

63 lines
2.2 KiB
Diff
Raw Blame History

From dae8ce0d85478e16f2368b2341632775313d41ed Mon Sep 17 00:00:00 2001
From: sybrenstuvel <sybren@stuvel.eu>
Date: Sun, 15 Nov 2020 15:18:38 +0100
Subject: [PATCH] Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
Use as many constant-time comparisons as practical in the
`rsa.pkcs1.decrypt` function.
`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
alternative would be to iterate over all the data byte by byte in
Python, which is several orders of magnitude slower. Given that a
perfect constant-time implementation is very hard or even impossible to
do in Python [1], I chose the more performant option here.
[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
source link:https://github.com/sybrenstuvel/python-rsa/commit/dae8ce0d85478e16f2368b2341632775313d41ed
Signed-off-by: sybrenstuvel <sybren@stuvel.eu>
---
rsa/pkcs1.py | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
index cdf830b..7b210a5 100644
--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
@@ -30,6 +30,7 @@ to your users.
import hashlib
import os
+from hmac import compare_digest
from rsa._compat import b
from rsa import common, transform, core
@@ -235,17 +236,20 @@ def decrypt(crypto, priv_key):
# Detect leading zeroes in the crypto. These are not reflected in the
# encrypted value (as leading zeroes do not influence the value of an
# integer). This fixes CVE-2020-13757.
- if len(crypto) > blocksize:
- raise DecryptionError('Decryption failed')
+ crypto_len_bad = len(crypto) > blocksize
# If we can't find the cleartext marker, decryption failed.
- if cleartext[0:2] != b('\x00\x02'):
- raise DecryptionError('Decryption failed')
+ cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
# Find the 00 separator between the padding and the message
try:
sep_idx = cleartext.index(b('\x00'), 2)
except ValueError:
+ sep_idx = -1
+ sep_idx_bad = sep_idx < 0
+
+ anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
+ if anything_bad:
raise DecryptionError('Decryption failed')
return cleartext[sep_idx + 1:]
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink