[security] Fix BB'06 attack in verify() by switching from parsing to comparison

#14 Merged at 0cbcc52
Repository
Deleted repository
Branch
default (0cbcc529926a)
Repository
python-rsa
Branch
default
Author
  1. Filippo Valsorda
Reviewers
Description

This is a security-critical fix. An attacker can fake signatures for any public key with low exponent.

Details here: https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/

Comments (5)

  1. Sybren Stüvel repo owner

    Thanks for this patch! I'll accept it as soon as you can answer my question in the inline comment.

  2. Fabio Alessandro Locati

    Sorry to be picky, but you did not tagged python-rsa 3.3, please do so. In pypi it is present the release 3.3.