From 341e5c4f939988bd472530441b6a02b625a30806 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
Date: Sun, 15 Nov 2020 16:23:19 +0100
Subject: Directly raise `DecryptionError` when crypto length is bad

Crypto length and blocksize are public info, so don't need side-channel
free comparison.
---
 rsa/pkcs1.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
index d0149a1..07cf85b 100644
--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
@@ -252,7 +252,9 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:
     # Detect leading zeroes in the crypto. These are not reflected in the
     # encrypted value (as leading zeroes do not influence the value of an
     # integer). This fixes CVE-2020-13757.
-    crypto_len_bad = len(crypto) > blocksize
+    if len(crypto) > blocksize:
+        # This is operating on public information, so doesn't need to be constant-time.
+        raise DecryptionError('Decryption failed')
 
     # If we can't find the cleartext marker, decryption failed.
     cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
@@ -267,7 +269,7 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:
     # `\x00\x02` marker that preceeds it).
     sep_idx_bad = sep_idx < 10
 
-    anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
+    anything_bad = cleartext_marker_bad | sep_idx_bad
     if anything_bad:
         raise DecryptionError('Decryption failed')
 
-- 
cgit v1.2.1