From 2fa92e048b76fcc7bf2d4f4443478c8292d17470 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= Date: Thu, 1 Jun 2023 14:56:34 +0000 Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) Fixes #282 CVE: CVE-2020-25657 Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958def0f510e92119fca14d74f94215827a] Signed-off-by: Narpat Mali --- src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- src/SWIG/_rsa.i | 20 ++++++++++++-------- tests/test_rsa.py | 15 +++++++-------- 3 files changed, 31 insertions(+), 24 deletions(-) diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c index 3db88b9..6aafe1f 100644 --- a/src/SWIG/_m2crypto_wrap.c +++ b/src/SWIG/_m2crypto_wrap.c @@ -7129,9 +7129,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); @@ -7159,9 +7160,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); @@ -7186,9 +7188,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); @@ -7213,9 +7216,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i index bc714e0..1377b8b 100644 --- a/src/SWIG/_rsa.i +++ b/src/SWIG/_rsa.i @@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); @@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); @@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); @@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, (unsigned char *)tbuf, rsa, padding); if (tlen == -1) { - m2_PyErr_Msg(_rsa_err); + ERR_clear_error(); + PyErr_Clear(); PyMem_Free(tbuf); - return NULL; + Py_RETURN_NONE; } ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); diff --git a/tests/test_rsa.py b/tests/test_rsa.py index 7bb3af7..5e75d68 100644 --- a/tests/test_rsa.py +++ b/tests/test_rsa.py @@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): # The other paddings. for padding in self.s_padding_nok: p = getattr(RSA, padding) - with self.assertRaises(RSA.RSAError): - priv.private_encrypt(self.data, p) + # Exception disabled as a part of mitigation against CVE-2020-25657 + # with self.assertRaises(RSA.RSAError): + priv.private_encrypt(self.data, p) # Type-check the data to be encrypted. with self.assertRaises(TypeError): priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) @@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): self.assertEqual(ptxt, self.data) # no_padding - with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): - priv.public_encrypt(self.data, RSA.no_padding) + # Exception disabled as a part of mitigation against CVE-2020-25657 + # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): + priv.public_encrypt(self.data, RSA.no_padding) # Type-check the data to be encrypted. + # Exception disabled as a part of mitigation against CVE-2020-25657 with self.assertRaises(TypeError): priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) @@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 with self.assertRaises(RSA.RSAError): setattr(rsa, 'e', '\000\000\000\003\001\000\001') - with self.assertRaises(RSA.RSAError): - rsa.private_encrypt(1) - with self.assertRaises(RSA.RSAError): - rsa.private_decrypt(1) assert rsa.check_key() def test_loadpub_bad(self): -- 2.40.0