Fix for CVE-2020-25658
Fix sybrenstuvel#165: CVE-2020-25658 - Bleichenbacher-style timing oracle

Use as many constant-time comparisons as practical in the
`rsa.pkcs1.decrypt` function.

`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
alternative would be to iterate over all the data byte by byte in
Python, which is several orders of magnitude slower. Given that a
perfect constant-time implementation is very hard or even impossible to
do in Python [1], I chose the more performant option here.

[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
Frederick Price committed Jul 14, 2023
1 parent 4d3025f commit b2c88a0
Showing 2 changed files with 15 additions and 4 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.txt
Expand Up @@ -7,6 +7,11 @@ Version 4.3 - released 2020-06-12
Version 4.3 is almost a re-tagged release of version 4.0. It is the last to
support Python 2.7. This is now made explicit in the `python_requires` argument
in `setup.py`. Python 3.4 is not supported by this release.
- Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5
decryption code


## Version 4.4 & 4.6 - released 2020-06-12

Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes.

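Review bot: the placement of the new entry is ambiguous in this hunk: the `- Fix #165: CVE-2020-25658 ...` bullet sits between the "Version 4.3 - released 2020-06-12" paragraph and the sentence "Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes.", with a `## Version 4.4 & 4.6 - released 2020-06-12` heading in between, so a reader cannot tell which release ships this fix or whether it is one of the "two fixes". Put the bullet under the release that actually contains it, and use one heading style throughout (`## Version ...` versus the bare `Version 4.3 - released ...`). The entry could also say the timing oracle is reduced rather than eliminated, since the commit message itself notes that `cleartext.index(b'\x00', 2)` remains non-constant-time.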
14 changes: 10 additions & 4 deletions rsa/pkcs1.py
Expand Up @@ -30,6 +30,9 @@

import hashlib
import os
import sys
import typing
from hmac import compare_digest

from rsa._compat import range
from rsa import common, transform, core
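Review bot: `hmac.compare_digest` is available from Python 2.7.7 and 3.3 onward, so it fits the Python 2.7 floor this module still targets (note `from rsa._compat import range`); if `import sys` and `import typing` are part of this change rather than existing context, neither is used by the hunks shown, and `typing` is not in the 2.7 standard library, so either drop them or declare `typing` as a dependency for 2.7 installs.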
Expand Down Expand Up @@ -237,17 +240,20 @@ def decrypt(crypto, priv_key):
# Detect leading zeroes in the crypto. These are not reflected in the
# encrypted value (as leading zeroes do not influence the value of an
# integer). This fixes CVE-2020-13757.
if len(crypto) > blocksize:
raise DecryptionError('Decryption failed')
crypto_len_bad = len(crypto) > blocksize

# If we can't find the cleartext marker, decryption failed.
if cleartext[0:2] != b'\x00\x02':
raise DecryptionError('Decryption failed')
cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')

# Find the 00 separator between the padding and the message
try:
sep_idx = cleartext.index(b'\x00', 2)
except ValueError:
sep_idx = -1
sep_idx_bad = sep_idx < 0

anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
if anything_bad:
raise DecryptionError('Decryption failed')

return cleartext[sep_idx + 1:]
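Review bot: the bitwise `|` in `anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad` is load-bearing (all three flags are evaluated with no short-circuit, and the single `raise` happens after all of them) and needs an inline comment saying so, otherwise a later cleanup to `or` quietly reintroduces the early-exit timing difference this commit removes. Keeping one identical `DecryptionError('Decryption failed')` for every failure mode is the right call, since distinct messages would leak the same information through a different channel. Because `cleartext.index(b'\x00', 2)` still has data-dependent cost, as the commit message acknowledges, the `decrypt` docstring should state that the timing oracle is mitigated rather than closed; `compare_digest(cleartext[:2], b'\x00\x02')` is safe for a short `cleartext` (a length mismatch returns False without raising).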

0 comments on commit b2c88a0