authorSybren A. Stüvel <sybren@stuvel.eu>2020-06-03 14:39:23 +0200
committerSybren A. Stüvel <sybren@stuvel.eu>2020-06-03 14:57:17 +0200
commit93af6f2f89a9bf28361e67716c4240e691520f30 (patch)
tree5ecc5885aed6da135fed8e6cb4ddc591c3eb6531 /rsa
parentae1a906952557f616706f79c66030fd812e48cdf (diff)
downloadrsa-git-93af6f2f89a9bf28361e67716c4240e691520f30.tar.gz
Fix CVE-2020-13757: detect cyphertext modifications by prepending zero bytes
Reject cyphertexts that have been modified by prepending zero bytes, by checking the cyphertext length against the expected size (given the decryption key). This resolves CVE-2020-13757. The same approach is used when verifying a signature. Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
Diffstat (limited to 'rsa')
-rw-r--r--rsa/pkcs1.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
index 8d77a97..408bc5b 100644
--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
@@ -245,6 +245,12 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:
decrypted = priv_key.blinded_decrypt(encrypted)
cleartext = transform.int2bytes(decrypted, blocksize)
+ # Detect leading zeroes in the crypto. These are not reflected in the
+ # encrypted value (as leading zeroes do not influence the value of an
+ # integer). This fixes CVE-2020-13757.
+ if len(crypto) > blocksize:
+ raise DecryptionError('Decryption failed')
+
# If we can't find the cleartext marker, decryption failed.
if cleartext[0:2] != b'\x00\x02':
raise DecryptionError('Decryption failed')
@@ -341,6 +347,9 @@ def verify(message: bytes, signature: bytes, pub_key: key.PublicKey) -> str:
cleartext = HASH_ASN1[method_name] + message_hash
expected = _pad_for_signing(cleartext, keylength)
+ if len(signature) != keylength:
+ raise VerificationError('Verification failed')
+
# Compare with the signed one
if expected != clearsig:
raise VerificationError('Verification failed')
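Review bot: The new length guard in decrypt (`if len(crypto) > blocksize:`) only runs after `priv_key.blinded_decrypt(encrypted)` has already completed, so an over-long cyphertext still costs a full private-key operation before it is rejected; the check depends only on `len(crypto)` and `blocksize`, so it can move ahead of the decryption, presumably right after `blocksize` is computed (that line, and the rest of decrypt, are outside the hunk). The two hunks also differ in shape: verify uses `len(signature) != keylength` while decrypt uses `>`, which still accepts a cyphertext shorter than blocksize; RFC 8017 §7.2.2 step 1 requires the cyphertext to be exactly k octets, so `if len(crypto) != blocksize:` would match both the spec and the verify hunk, assuming no caller relies on short cyphertexts being accepted, which I cannot tell from here. The same ordering remark applies to verify: the signature length check sits after `clearsig` has apparently been derived from the signature above the hunk, so it could sit at the top of verify instead. Reusing the existing 'Decryption failed' / 'Verification failed' messages keeps a length failure indistinguishable from a padding failure, which is the right choice here.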