NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commitdae8ce0

committed

Fixsybrenstuvel#165:CVE-2020-25658 - Bleichenbacher-style timing oracle

Use as many constant-time comparisons as practical in the`rsa.pkcs1.decrypt` function.`cleartext.index(b'\x00', 2)` will still be non-constant-time. Thealternative would be to iterate over all the data byte by byte inPython, which is several orders of magnitude slower. Given that aperfect constant-time implementation is very hard or even impossible todo in Python [1], I chose the more performant option here.[1]:https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

1 parent6f59ff0 commitdae8ce0Copy full SHA for dae8ce0

File tree

2 files changed

+13

-4

lines changed

CHANGELOG.md
rsa
- pkcs1.py

2 files changed

+13

-4

lines changed

`‎CHANGELOG.md`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,10 @@`
`1`	`1`	`#Python-RSA changelog`
`2`	`2`
	`3`	`+##Version 4.7 - in development`
	`4`	`+`
	`5`	`+- Fix#165:CVE-2020-25658 - Bleichenbacher-style timing oracle inPKCS#1 v1.5`
	`6`	`+ decryption code`
	`7`	`+`
`3`	`8`
`4`	`9`	`##Version 4.4 & 4.6 - released 2020-06-12`
`5`	`10`

`‎rsa/pkcs1.py`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@`
`30`	`30`	`importos`
`31`	`31`	`importsys`
`32`	`32`	`importtyping`
	`33`	`+fromhmacimportcompare_digest`
`33`	`34`
`34`	`35`	`from .importcommon,transform,core,key`
`35`	`36`
`@@ -251,17 +252,20 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:`
`251`	`252`	`# Detect leading zeroes in the crypto. These are not reflected in the`
`252`	`253`	`# encrypted value (as leading zeroes do not influence the value of an`
`253`	`254`	`# integer). This fixes CVE-2020-13757.`
`254`		`-iflen(crypto)>blocksize:`
`255`		`-raiseDecryptionError('Decryption failed')`
	`255`	`+crypto_len_bad=len(crypto)>blocksize`
`256`	`256`
`257`	`257`	`# If we can't find the cleartext marker, decryption failed.`
`258`		`-ifcleartext[0:2]!=b'\x00\x02':`
`259`		`-raiseDecryptionError('Decryption failed')`
	`258`	`+cleartext_marker_bad=notcompare_digest(cleartext[:2],b'\x00\x02')`
`260`	`259`
`261`	`260`	`# Find the 00 separator between the padding and the message`
`262`	`261`	`try:`
`263`	`262`	`sep_idx=cleartext.index(b'\x00',2)`
`264`	`263`	`exceptValueError:`
	`264`	`+sep_idx=-1`
	`265`	`+sep_idx_bad=sep_idx<0`
	`266`	`+`
	`267`	`+anything_bad=crypto_len_bad\|cleartext_marker_bad\|sep_idx_bad`
	`268`	`+ifanything_bad:`
`265`	`269`	`raiseDecryptionError('Decryption failed')`
`266`	`270`
`267`	`271`	`returncleartext[sep_idx+1:]`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdae8ce0

File tree

2 files changed

2 files changed

`‎CHANGELOG.md`

`‎rsa/pkcs1.py`

0 commit comments