!13 fix CVE-2020-25658

From: @markeryang
Reviewed-by: @wubo009,@liuzhiqiang26,@small_leek
Signed-off-by: @small_leek

0001-CVE-2020-13757.patch

@@ -0,0 +1,48 @@
+From 93af6f2f89a9bf28361e67716c4240e691520f30 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
+Date: Wed, 3 Jun 2020 14:39:23 +0200
+Subject: [PATCH] Fix CVE-2020-13757: detect cyphertext modifications by
+ prepending zero bytes
+
+Reject cyphertexts that have been modified by prepending zero bytes, by
+checking the cyphertext length against the expected size (given the
+decryption key). This resolves CVE-2020-13757.
+
+The same approach is used when verifying a signature.
+
+Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
+---
+ rsa/pkcs1.py        |  9 +++++++++
+ 1 files changed, 9 insertions(+)
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+index 28f0dc5..cdf830b 100644
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -232,6 +232,12 @@ def decrypt(crypto, priv_key):
+     decrypted = priv_key.blinded_decrypt(encrypted)
+     cleartext = transform.int2bytes(decrypted, blocksize)
+ 
++    # Detect leading zeroes in the crypto. These are not reflected in the
++    # encrypted value (as leading zeroes do not influence the value of an
++    # integer). This fixes CVE-2020-13757.
++    if len(crypto) > blocksize:
++        raise DecryptionError('Decryption failed')
++
+     # If we can't find the cleartext marker, decryption failed.
+     if cleartext[0:2] != b('\x00\x02'):
+         raise DecryptionError('Decryption failed')
+@@ -310,6 +316,9 @@ def verify(message, signature, pub_key):
+     cleartext = HASH_ASN1[method_name] + message_hash
+     expected = _pad_for_signing(cleartext, keylength)
+ 
++    if len(signature) != keylength:
++        raise VerificationError('Verification failed')
++
+     # Compare with the signed one
+     if expected != clearsig:
+         raise VerificationError('Verification failed')
+
+-- 
+1.8.3.1
+

0002-CVE-2020-25658.patch

@@ -0,0 +1,62 @@
+From dae8ce0d85478e16f2368b2341632775313d41ed Mon Sep 17 00:00:00 2001
+From: sybrenstuvel <sybren@stuvel.eu>
+Date: Sun, 15 Nov 2020 15:18:38 +0100
+Subject: [PATCH] Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
+
+Use as many constant-time comparisons as practical in the
+`rsa.pkcs1.decrypt` function.
+
+`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
+alternative would be to iterate over all the data byte by byte in
+Python, which is several orders of magnitude slower. Given that a
+perfect constant-time implementation is very hard or even impossible to
+do in Python [1], I chose the more performant option here.
+
+[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
+source link:https://github.com/sybrenstuvel/python-rsa/commit/dae8ce0d85478e16f2368b2341632775313d41ed
+
+Signed-off-by: sybrenstuvel <sybren@stuvel.eu>
+---
+ rsa/pkcs1.py | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+index cdf830b..7b210a5 100644
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -30,6 +30,7 @@ to your users.
+ 
+ import hashlib
+ import os
++from hmac import compare_digest
+ 
+ from rsa._compat import b
+ from rsa import common, transform, core
+@@ -235,17 +236,20 @@ def decrypt(crypto, priv_key):
+     # Detect leading zeroes in the crypto. These are not reflected in the
+     # encrypted value (as leading zeroes do not influence the value of an
+     # integer). This fixes CVE-2020-13757.
+-    if len(crypto) > blocksize:
+-        raise DecryptionError('Decryption failed')
++    crypto_len_bad = len(crypto) > blocksize
+ 
+     # If we can't find the cleartext marker, decryption failed.
+-    if cleartext[0:2] != b('\x00\x02'):
+-        raise DecryptionError('Decryption failed')
++    cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
+ 
+     # Find the 00 separator between the padding and the message
+     try:
+         sep_idx = cleartext.index(b('\x00'), 2)
+     except ValueError:
++        sep_idx = -1
++    sep_idx_bad = sep_idx < 0
++
++    anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
++    if anything_bad:
+         raise DecryptionError('Decryption failed')
+ 
+     return cleartext[sep_idx + 1:]
+-- 
+2.27.0
+

python-rsa.spec

@@ -1,12 +1,15 @@
 Name:           python-rsa
 Version:        3.4.2
-Release:        11
+Release:        13
 Summary:        Pure-Python RSA implementation
 License:        ASL 2.0
 URL:            http://stuvel.eu/rsa
 Source0:        https://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz
 BuildArch:      noarch
 
+Patch1: 0001-CVE-2020-13757.patch
+Patch2: 0002-CVE-2020-25658.patch
+
 %description
 Python-RSA is a pure-Python RSA implementation. It supports
 encryption and decryption, signing and verifying signatures,
@@ -79,5 +82,11 @@ mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyr
 %{__python3} setup.py test
 
 %changelog
+* Tue Dec 15 2020 yanglongkang <yanglongkang@huawei.com> - 3.4.2-13
+- fix CVE-2020-25658
+
+* Tue Aug 4 2020 yanglongkang <yanglongkang@huawei.com> - 3.4.2-12
+- fix CVE-2020-13757
+
 * Mon Feb 10 2020 Ruijun Ge <geruijun@huawei.com> - 3.4.2-11
 - package init