author | Sybren A. Stüvel <sybren@stuvel.eu> | 2020-11-15 16:23:19 +0100 |
---|---|---|
committer | Sybren A. Stüvel <sybren@stuvel.eu> | 2020-11-15 16:23:19 +0100 |
commit | 341e5c4f939988bd472530441b6a02b625a30806 (patch) | |
tree | 820002b0ad3971955d2c8bd896976760480b7652 | |
parent | f254895b02f0cb106f9ccee6d8dc6af1a27f0bd1 (diff) | |
download | rsa-341e5c4f939988bd472530441b6a02b625a30806.tar.gz |
Directly raise `DecryptionError` when crypto length is bad
Crypto length and blocksize are public info, so they don't need a
side-channel-free comparison.
-rw-r--r-- | rsa/pkcs1.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
index d0149a1..07cf85b 100644
--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
@@ -252,7 +252,9 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:
     # Detect leading zeroes in the crypto. These are not reflected in the
     # encrypted value (as leading zeroes do not influence the value of an
     # integer). This fixes CVE-2020-13757.
-    crypto_len_bad = len(crypto) > blocksize
+    if len(crypto) > blocksize:
+        # This is operating on public information, so doesn't need to be constant-time.
+        raise DecryptionError('Decryption failed')
 
     # If we can't find the cleartext marker, decryption failed.
     cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
@@ -267,7 +269,7 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:
     # `\x00\x02` marker that preceeds it).
     sep_idx_bad = sep_idx < 10
 
-    anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
+    anything_bad = cleartext_marker_bad | sep_idx_bad
     if anything_bad:
         raise DecryptionError('Decryption failed')
 
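Review bot: The new guard in the first hunk only rejects ciphertexts longer than `blocksize`, whereas RFC 8017 §7.2.2 step 1 requires RSAES-PKCS1-v1_5 decryption to fail whenever the ciphertext length differs from k, so a shorter input (the mirror image of the leading-zero case the surrounding comment describes, i.e. a canonical ciphertext with its leading zero bytes stripped) still passes through to the marker and separator checks and decrypts to the same plaintext; `if len(crypto) != blocksize:` would match the spec and still compares only public lengths, as the added comment notes. The body of `decrypt` begins before this hunk, so it is not visible here whether `blocksize` is already computed before the private-key operation; if it is, the length check could be moved ahead of that operation so malformed input is rejected before the expensive exponentiation rather than after the plaintext has already been produced. Because the raise now precedes the constant-time marker/separator checks, a length failure is deliberately distinguishable from a padding failure, and the comment would be clearer if it said so, e.g. `# Length is public, so failing fast here leaks nothing the attacker does not already know.`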