105 lines
3.8 KiB
Diff
105 lines
3.8 KiB
Diff
# HG changeset patch
|
|
# User Filippo Valsorda <hi@filippo.io>
|
|
# Date 1450226563 0
|
|
# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
|
|
# Parent 2baab06c8b867b01ec82b02118d4872a931a0437
|
|
Fix BB'06 attack in verify() by switching from parsing to comparison
|
|
|
|
diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
|
|
--- a/rsa/pkcs1.py
|
|
+++ b/rsa/pkcs1.py
|
|
@@ -22,10 +22,10 @@
|
|
At least 8 bytes of random padding is used when encrypting a message. This makes
|
|
these methods much more secure than the ones in the ``rsa`` module.
|
|
|
|
-WARNING: this module leaks information when decryption or verification fails.
|
|
-The exceptions that are raised contain the Python traceback information, which
|
|
-can be used to deduce where in the process the failure occurred. DO NOT PASS
|
|
-SUCH INFORMATION to your users.
|
|
+WARNING: this module leaks information when decryption fails. The exceptions
|
|
+that are raised contain the Python traceback information, which can be used to
|
|
+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
|
|
+to your users.
|
|
'''
|
|
|
|
import hashlib
|
|
@@ -288,37 +288,23 @@
|
|
:param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
|
|
:raise VerificationError: when the signature doesn't match the message.
|
|
|
|
- .. warning::
|
|
-
|
|
- Never display the stack trace of a
|
|
- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
|
|
- the code the exception occurred, and thus leaks information about the
|
|
- key. It's only a tiny bit of information, but every bit makes cracking
|
|
- the keys easier.
|
|
-
|
|
'''
|
|
|
|
- blocksize = common.byte_size(pub_key.n)
|
|
+ keylength = common.byte_size(pub_key.n)
|
|
encrypted = transform.bytes2int(signature)
|
|
decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
|
|
- clearsig = transform.int2bytes(decrypted, blocksize)
|
|
-
|
|
- # If we can't find the signature marker, verification failed.
|
|
- if clearsig[0:2] != b('\x00\x01'):
|
|
- raise VerificationError('Verification failed')
|
|
+ clearsig = transform.int2bytes(decrypted, keylength)
|
|
|
|
- # Find the 00 separator between the padding and the payload
|
|
- try:
|
|
- sep_idx = clearsig.index(b('\x00'), 2)
|
|
- except ValueError:
|
|
- raise VerificationError('Verification failed')
|
|
-
|
|
- # Get the hash and the hash method
|
|
- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
|
|
+ # Get the hash method
|
|
+ method_name = _find_method_hash(clearsig)
|
|
message_hash = _hash(message, method_name)
|
|
|
|
- # Compare the real hash to the hash in the signature
|
|
- if message_hash != signature_hash:
|
|
+ # Reconstruct the expected padded hash
|
|
+ cleartext = HASH_ASN1[method_name] + message_hash
|
|
+ expected = _pad_for_signing(cleartext, keylength)
|
|
+
|
|
+ # Compare with the signed one
|
|
+ if expected != clearsig:
|
|
raise VerificationError('Verification failed')
|
|
|
|
return True
|
|
@@ -351,24 +337,20 @@
|
|
return hasher.digest()
|
|
|
|
|
|
-def _find_method_hash(method_hash):
|
|
- '''Finds the hash method and the hash itself.
|
|
+def _find_method_hash(clearsig):
|
|
+ '''Finds the hash method.
|
|
|
|
- :param method_hash: ASN1 code for the hash method concatenated with the
|
|
- hash itself.
|
|
+ :param clearsig: full padded ASN1 and hash.
|
|
|
|
- :return: tuple (method, hash) where ``method`` is the used hash method, and
|
|
- ``hash`` is the hash itself.
|
|
+ :return: the used hash method.
|
|
|
|
:raise VerificationFailed: when the hash method cannot be found
|
|
|
|
'''
|
|
|
|
for (hashname, asn1code) in HASH_ASN1.items():
|
|
- if not method_hash.startswith(asn1code):
|
|
- continue
|
|
-
|
|
- return (hashname, method_hash[len(asn1code):])
|
|
+ if asn1code in clearsig:
|
|
+ return hashname
|
|
|
|
raise VerificationError('Verification failed')
|
|
|