[update] fix (unexploitable) BB'06 vulnerability in rsa_verify #8142
Conversation
Well, this format is unavailable in Python < 3.5. [1]

With this alternate form the test passes in all Python versions: `signature = ('%x' % pow(int(signature, 16), key[1], key[0])).encode()` Please run
fd3c06d to 89bb48d
Is there some reason to use the last

Additionally: due to my lack of knowledge I can't comment on the actual change; since you know more, feel free to merge it after some time if nobody disagrees.
Very good point. [Done] The crypto itself was reviewed by a couple of people who know what they are doing, so it should be alright. Or at least better than the one before. I just want to be sure I'm not bricking the update process.
89bb48d to 13871f1
Well, I have tried to update and it works. Feel free to merge when you think it's ready.
The rsa_verify code was vulnerable to a BB'06 attack, allowing signatures to be forged for arbitrary messages if and only if the public key exponent is 3. Since the update key is hardcoded to 65537, there is no risk for youtube-dl, but I don't want vulnerable code in the wild. The new function adopts a much safer encode-and-compare approach to replace the dangerous parsing code.
13871f1 to 4d318be
[update] fix (unexploitable) BB'06 vulnerability in rsa_verify
I've just learned:

```python
import hmac

def safe_compare(expected, signature):
    # First try to use the safe comparison function to prevent timing analysis attack
    if hasattr(hmac, 'compare_digest'):
        return hmac.compare_digest(expected, signature)
    else:  # Otherwise, fall back to unsafe direct comparison
        return expected == signature
```

This function is written in C to make it proof against timing analysis (https://hg.python.org/cpython/file/e0df94327586/Modules/_operator.c#l165). I guess it's impossible to port it to pure Python for older Python versions.
The rsa_verify code was vulnerable to a BB'06 attack, allowing signatures
to be forged for arbitrary messages if and only if the public key exponent
is 3. Since the update key is hardcoded to 65537, there is no risk for
youtube-dl, but I don't want vulnerable code in the wild.
The new function adopts a much safer encode-and-compare approach to
replace the dangerous parsing code.
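To make the description above concrete, here is an added example (not youtube-dl's code and not the PR author's) that puts the three pieces side by side in Python 3.8+: a lenient parse-then-compare verifier in the pre-fix style, the Bleichenbacher '06 forgery that defeats it when e = 3 using nothing but the public key, and the encode-and-compare verifier the PR switches to, which compares the rebuilt block with `hmac.compare_digest` as suggested in the comment above. The lenient parser is a generic sketch of the vulnerable pattern rather than the removed youtube-dl function; the 2048-bit key is generated from a fixed seed purely for the demo, and both messages are constructed.

```python
# Added illustration, not youtube-dl's code: a Bleichenbacher '06 forgery against
# a lenient PKCS#1 v1.5 verifier (e = 3) and the encode-and-compare verifier that
# defeats it.  The key and the two messages below are constructed for the demo.
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex('3031300d060960864801650304020105000420')

def _block(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus (None if k is too small)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return None if k < len(t) + 11 else b'\x00\x01' + b'\xff' * (k - len(t) - 3) + b'\x00' + t

def rsa_verify_lenient(message, sig, n, e):
    """Pre-fix pattern: walk the padding, locate DigestInfo||hash, stop looking."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, 'big')
    if em[:2] != b'\x00\x01':
        return False
    i = 2
    while i < k and em[i] == 0xff:
        i += 1
    if i == 2 or i >= k or em[i] != 0x00:   # at least one 0xff, then the 0x00 separator
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t    # bytes after the hash are never checked: the hole

def rsa_verify_strict(message, sig, n, e):
    """Encode-and-compare (RFC 8017 RSASSA-PKCS1-v1_5-VERIFY): rebuild the one
    valid block for this key size and compare it whole, in constant time."""
    k = (n.bit_length() + 7) // 8
    expected = _block(message, k)
    em = pow(sig, e, n).to_bytes(k, 'big')
    return expected is not None and hmac.compare_digest(expected, em)

def icbrt(x):
    """Floor of the cube root of x >= 1: integer Newton iteration started above the root."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr

def forge_signature(message, n, e=3):
    """Bleichenbacher '06 with only (n, e): the head parses as valid padding and the
    tail is whatever makes the whole block a perfect cube.  Needs e = 3 and enough
    bytes after the hash for the tail (a 2048-bit modulus leaves about 200)."""
    assert e == 3
    k = (n.bit_length() + 7) // 8
    head = b'\x00\x01\xff\x00' + SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    target = int.from_bytes(head, 'big') << (8 * (k - len(head)))
    s = icbrt(target)
    s += s ** 3 < target                      # round up; the overshoot only changes the tail
    assert pow(s, e, n).to_bytes(k, 'big').startswith(head)
    return s

def _probable_prime(n, rng, rounds=16):
    """Trial division by a few small primes, then Miller-Rabin (n odd, n > 23)."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == 2**r * d with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits=2048, e=3, seed=8142):
    """Constructed, deterministic test key; never use it as a real key."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (p - 1) % e and _probable_prime(p, rng):    # p != 1 (mod 3) keeps gcd(e, phi) == 1
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))      # pow(e, -1, m) needs Python 3.8+

def rsa_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_block(message, k), 'big'), d, n)

def demo():
    """Returns (genuine_lenient, genuine_strict, forged_lenient, forged_strict)."""
    n, e, d = make_key()
    good, bad = b'constructed: real update manifest', b'constructed: evil update manifest'
    genuine, forged = rsa_sign(good, n, d), forge_signature(bad, n, e)
    return (rsa_verify_lenient(good, genuine, n, e), rsa_verify_strict(good, genuine, n, e),
            rsa_verify_lenient(bad, forged, n, e), rsa_verify_strict(bad, forged, n, e))
```

`demo()` returns `(True, True, True, False)`: the genuine signature passes both verifiers, the forgery passes only the lenient one, and the forger never touches the private exponent. The trick depends on e = 3 because the forged block has to be an exact e-th power smaller than n; with e = 65537, as in the youtube-dl update key, no such root fits, which is why the PR calls the bug unexploitable there while still replacing the parser.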