49 lines
1.8 KiB
Diff
49 lines
1.8 KiB
Diff
From 93af6f2f89a9bf28361e67716c4240e691520f30 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
|
|
Date: Wed, 3 Jun 2020 14:39:23 +0200
|
|
Subject: [PATCH] Fix CVE-2020-13757: detect cyphertext modifications by
|
|
prepending zero bytes
|
|
|
|
Reject cyphertexts that have been modified by prepending zero bytes, by
|
|
checking the cyphertext length against the expected size (given the
|
|
decryption key). This resolves CVE-2020-13757.
|
|
|
|
The same approach is used when verifying a signature.
|
|
|
|
Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
|
|
---
|
|
rsa/pkcs1.py | 9 +++++++++
|
|
1 files changed, 9 insertions(+)
|
|
|
|
diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
|
|
index 28f0dc5..cdf830b 100644
|
|
--- a/rsa/pkcs1.py
|
|
+++ b/rsa/pkcs1.py
|
|
@@ -232,6 +232,12 @@ def decrypt(crypto, priv_key):
|
|
decrypted = priv_key.blinded_decrypt(encrypted)
|
|
cleartext = transform.int2bytes(decrypted, blocksize)
|
|
|
|
+ # Detect leading zeroes in the crypto. These are not reflected in the
|
|
+ # encrypted value (as leading zeroes do not influence the value of an
|
|
+ # integer). This fixes CVE-2020-13757.
|
|
+ if len(crypto) > blocksize:
|
|
+ raise DecryptionError('Decryption failed')
|
|
+
|
|
# If we can't find the cleartext marker, decryption failed.
|
|
if cleartext[0:2] != b('\x00\x02'):
|
|
raise DecryptionError('Decryption failed')
|
|
@@ -310,6 +316,9 @@ def verify(message, signature, pub_key):
|
|
cleartext = HASH_ASN1[method_name] + message_hash
|
|
expected = _pad_for_signing(cleartext, keylength)
|
|
|
|
+ if len(signature) != keylength:
|
|
+ raise VerificationError('Verification failed')
|
|
+
|
|
# Compare with the signed one
|
|
if expected != clearsig:
|
|
raise VerificationError('Verification failed')
|
|
|
|
--
|
|
1.8.3.1
|
|
|