author | Sybren A. Stüvel <sybren@stuvel.eu> | 2020-11-15 15:18:38 +0100 |
---|---|---|
committer | Sybren A. Stüvel <sybren@stuvel.eu> | 2020-11-15 15:21:31 +0100 |
commit | dae8ce0d85478e16f2368b2341632775313d41ed (patch) | |
tree | b93513f2f24d50246410ab8379eb60a9fc2cdff0 /tests | |
parent | 6f59ff07a317409fe68696935daf8549b1555c74 (diff) | |
download | rsa-git-dae8ce0d85478e16f2368b2341632775313d41ed.tar.gz | |
Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
Use as many constant-time comparisons as practical in the
`rsa.pkcs1.decrypt` function.
`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
alternative would be to iterate over all the data byte by byte in
Python, which is several orders of magnitude slower. Given that a
perfect constant-time implementation is very hard or even impossible to
do in Python [1], I chose the more performant option here.
[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
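The trade-off the commit message describes, as an added illustration that is not python-rsa's own code: the fixed PKCS#1 v1.5 prefix is checked with `hmac.compare_digest`, every check is evaluated before any branch so that a bad prefix and a missing separator fail through the same path, and the separator is still located with `bytes.index`, which remains non-constant-time exactly as the message states. The function names, the assumed block layout (`0x00 0x02 <padding> 0x00 <message>`) and the sample blocks are constructed for this example.

```python
import hmac
from typing import Optional

# Expected fixed prefix of a PKCS#1 v1.5 type-2 block (constructed constant
# for this example; the layout is 0x00 0x02 <padding> 0x00 <message>).
_PKCS1_V15_PREFIX = b"\x00\x02"


def unpad_pkcs1_v15(cleartext: bytes) -> bytes:
    """Strip PKCS#1 v1.5 padding from a decrypted block.

    Illustrative code, not the library's implementation. All checks are
    computed before a single, generic failure is raised, so the caller
    cannot tell from the error type which check failed.
    """
    # Constant-time comparison of the two-byte prefix; compare_digest
    # returns False (without raising) when the lengths differ.
    prefix_ok = hmac.compare_digest(cleartext[:2], _PKCS1_V15_PREFIX)

    # Separator search. As the commit message notes, bytes.index is not
    # constant-time; a byte-by-byte Python loop would be far slower.
    try:
        sep_idx = cleartext.index(b"\x00", 2)
        sep_ok = True
    except ValueError:
        sep_idx = -1
        sep_ok = False

    # Combine with bitwise AND rather than short-circuiting `and`, and
    # branch only once, after every check has been evaluated.
    if not (int(prefix_ok) & int(sep_ok)):
        raise ValueError("Decryption failed")

    return cleartext[sep_idx + 1:]


def safe_unpad(cleartext: bytes) -> Optional[bytes]:
    """Return the message, or None on any padding failure (helper for demos)."""
    try:
        return unpad_pkcs1_v15(cleartext)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample blocks; real padding is random non-zero bytes.
    good = b"\x00\x02" + b"\x01\x02\x03\x04\x05\x06\x07\x08" + b"\x00" + b"hello"
    bad_prefix = b"\x00\x01" + b"\x01\x02\x03\x04\x05\x06\x07\x08" + b"\x00" + b"hello"
    no_separator = b"\x00\x02" + b"\x01\x02\x03\x04\x05\x06\x07\x08" + b"hello"
    for label, block in [("good", good), ("bad prefix", bad_prefix), ("no separator", no_separator)]:
        print(f"{label:13s} -> {safe_unpad(block)!r}")
```

Both failing inputs raise the same `ValueError("Decryption failed")`; the remaining timing difference comes only from where `index` stops scanning, which is the residual the commit message accepts.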
Diffstat (limited to 'tests')
0 files changed, 0 insertions, 0 deletions