[Git][java-team/bouncycastle][jessie-security] Import Debian changes 1.49+dfsg-3+deb8u3
Markus Koschany
gitlab at salsa.debian.org
Sat Jul 7 19:22:08 BST 2018
Markus Koschany pushed to branch jessie-security at Debian Java Maintainers / bouncycastle
Commits:
e714c18b by Markus Koschany at 2018-07-07T20:19:30+02:00
Import Debian changes 1.49+dfsg-3+deb8u3
bouncycastle (1.49+dfsg-3+deb8u3) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2016-1000338:
DSA does not fully validate ASN.1 encoding of signature on verification.
It is possible to inject extra elements in the sequence making up the
signature and still have it validate, which in some cases may allow the
introduction of 'invisible' data into a signed structure.
* Fix CVE-2016-1000339:
Previously the primary engine class used for AES was AESFastEngine. Due to
the highly table driven approach used in the algorithm it turns out that if
the data channel on the CPU can be monitored the lookup table accesses are
sufficient to leak information on the AES key being used. There was also a
leak in AESEngine although it was substantially less. AESEngine has been
modified to remove any signs of leakage and is now the primary AES class
for the BC JCE provider. Use of AESFastEngine is now only recommended
where otherwise deemed appropriate.
* Fix CVE-2016-1000341:
DSA signature generation is vulnerable to timing attack. Where timings can
be closely observed for the generation of signatures, the lack of blinding
may allow an attacker to gain information about the signature's k value and
ultimately the private value as well.
* Fix CVE-2016-1000342:
ECDSA does not fully validate ASN.1 encoding of signature on verification.
It is possible to inject extra elements in the sequence making up the
signature and still have it validate, which in some cases may allow the
introduction of 'invisible' data into a signed structure.
* Fix CVE-2016-1000343:
The DSA key pair generator generates a weak private key if used with
default values. If the JCA key pair generator is not explicitly initialised
with DSA parameters, 1.55 and earlier generates a private value assuming a
1024 bit key size. In earlier releases this can be dealt with by explicitly
passing parameters to the key pair generator.
* Fix CVE-2016-1000345:
The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In an
environment where timings can be easily observed, it is possible with
enough observations to identify when the decryption is failing due to
padding.
* Fix CVE-2016-1000346:
In the Bouncy Castle JCE Provider the other party DH public key is not
fully validated. This can cause issues as invalid keys can be used to
reveal details about the other party's private key where static
Diffie-Hellman is in use. As of this release the key parameters are checked
on agreement calculation.
- - - - -
9 changed files:
- debian/changelog
- + debian/patches/CVE-2016-1000338.patch
- + debian/patches/CVE-2016-1000339.patch
- + debian/patches/CVE-2016-1000341.patch
- + debian/patches/CVE-2016-1000342.patch
- + debian/patches/CVE-2016-1000343.patch
- + debian/patches/CVE-2016-1000345.patch
- + debian/patches/CVE-2016-1000346.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,50 @@
+bouncycastle (1.49+dfsg-3+deb8u3) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2016-1000338:
+ DSA does not fully validate ASN.1 encoding of signature on verification.
+ It is possible to inject extra elements in the sequence making up the
+ signature and still have it validate, which in some cases may allow the
+ introduction of 'invisible' data into a signed structure.
+ * Fix CVE-2016-1000339:
+ Previously the primary engine class used for AES was AESFastEngine. Due to
+ the highly table driven approach used in the algorithm it turns out that if
+ the data channel on the CPU can be monitored the lookup table accesses are
+ sufficient to leak information on the AES key being used. There was also a
+ leak in AESEngine although it was substantially less. AESEngine has been
+ modified to remove any signs of leakage and is now the primary AES class
+ for the BC JCE provider. Use of AESFastEngine is now only recommended
+ where otherwise deemed appropriate.
+ * Fix CVE-2016-1000341:
+ DSA signature generation is vulnerable to timing attack. Where timings can
+ be closely observed for the generation of signatures, the lack of blinding
+ may allow an attacker to gain information about the signature's k value and
+ ultimately the private value as well.
+ * Fix CVE-2016-1000342:
+ ECDSA does not fully validate ASN.1 encoding of signature on verification.
+ It is possible to inject extra elements in the sequence making up the
+ signature and still have it validate, which in some cases may allow the
+ introduction of 'invisible' data into a signed structure.
+ * Fix CVE-2016-1000343:
+ The DSA key pair generator generates a weak private key if used with
+ default values. If the JCA key pair generator is not explicitly initialised
+ with DSA parameters, 1.55 and earlier generates a private value assuming a
+ 1024 bit key size. In earlier releases this can be dealt with by explicitly
+ passing parameters to the key pair generator.
+ * Fix CVE-2016-1000345:
+ The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In an
+ environment where timings can be easily observed, it is possible with
+ enough observations to identify when the decryption is failing due to
+ padding.
+ * Fix CVE-2016-1000346:
+ In the Bouncy Castle JCE Provider the other party DH public key is not
+ fully validated. This can cause issues as invalid keys can be used to
+ reveal details about the other party's private key where static
+ Diffie-Hellman is in use. As of this release the key parameters are checked
+ on agreement calculation.
+
+ -- Markus Koschany <apo at debian.org> Sat, 07 Jul 2018 12:33:00 +0200
+
bouncycastle (1.49+dfsg-3+deb8u2) jessie-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2016-1000338.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000338.patch
@@ -0,0 +1,202 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 7 Jun 2018 15:06:06 +0200
+Subject: CVE-2016-1000338
+
+Origin: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f
+---
+ .../jcajce/provider/asymmetric/dsa/DSASigner.java | 5 +
+ src/org/bouncycastle/util/test/SimpleTest.java | 22 ++++-
+ .../bouncycastle/jce/provider/test/DSATest.java | 110 ++++++++++++++++++++-
+ 3 files changed, 135 insertions(+), 2 deletions(-)
+
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java
+index ef12b4f..ea46467 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java
+@@ -205,6 +205,11 @@ public class DSASigner
+ throws IOException
+ {
+ ASN1Sequence s = (ASN1Sequence)ASN1Primitive.fromByteArray(encoding);
++ if (s.size() != 2)
++ {
++ throw new IOException("malformed signature");
++ }
++
+ return new BigInteger[]{
+ ((ASN1Integer)s.getObjectAt(0)).getValue(),
+ ((ASN1Integer)s.getObjectAt(1)).getValue()
+diff --git a/src/org/bouncycastle/util/test/SimpleTest.java b/src/org/bouncycastle/util/test/SimpleTest.java
+index ef8ee61..d44b7a7 100644
+--- a/src/org/bouncycastle/util/test/SimpleTest.java
++++ b/src/org/bouncycastle/util/test/SimpleTest.java
+@@ -34,7 +34,27 @@ public abstract class SimpleTest
+ {
+ throw new TestFailedException(SimpleTestResult.failed(this, message, expected, found));
+ }
+-
++
++ protected void isTrue(
++ boolean value)
++ {
++ if (!value)
++ {
++ throw new TestFailedException(SimpleTestResult.failed(this, "no message"));
++ }
++ }
++
++ protected void isTrue(
++ String message,
++ boolean value)
++ {
++ if (!value)
++ {
++ throw new TestFailedException(SimpleTestResult.failed(this, message));
++ }
++ }
++
++
+ protected boolean areEqual(
+ byte[] a,
+ byte[] b)
+diff --git a/test/src/org/bouncycastle/jce/provider/test/DSATest.java b/test/src/org/bouncycastle/jce/provider/test/DSATest.java
+index e047899..4d30f1c 100644
+--- a/test/src/org/bouncycastle/jce/provider/test/DSATest.java
++++ b/test/src/org/bouncycastle/jce/provider/test/DSATest.java
+@@ -21,6 +21,8 @@ import java.security.SignatureException;
+ import java.security.interfaces.DSAPrivateKey;
+ import java.security.interfaces.DSAPublicKey;
+ import java.security.spec.DSAParameterSpec;
++import java.security.spec.DSAPrivateKeySpec;
++import java.security.spec.DSAPublicKeySpec;
+ import java.security.spec.PKCS8EncodedKeySpec;
+ import java.security.spec.X509EncodedKeySpec;
+
+@@ -44,6 +46,7 @@ import org.bouncycastle.jce.spec.ECPublicKeySpec;
+ import org.bouncycastle.math.ec.ECCurve;
+ import org.bouncycastle.util.Arrays;
+ import org.bouncycastle.util.BigIntegers;
++import org.bouncycastle.util.Strings;
+ import org.bouncycastle.util.encoders.Hex;
+ import org.bouncycastle.util.test.FixedSecureRandom;
+ import org.bouncycastle.util.test.SimpleTest;
+@@ -55,7 +58,111 @@ public class DSATest
+ byte[] k2 = Hex.decode("345e8d05c075c3a508df729a1685690e68fcfb8c8117847e89063bca1f85d968fd281540b6e13bd1af989a1fbf17e06462bf511f9d0b140fb48ac1b1baa5bded");
+
+ SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 });
+-
++
++ // DSA modified signatures, courtesy of the Google security team
++ static final DSAPrivateKeySpec PRIVATE_KEY = new DSAPrivateKeySpec(
++ // x
++ new BigInteger(
++ "15382583218386677486843706921635237927801862255437148328980464126979"),
++ // p
++ new BigInteger(
++ "181118486631420055711787706248812146965913392568235070235446058914"
++ + "1170708161715231951918020125044061516370042605439640379530343556"
++ + "4101919053459832890139496933938670005799610981765220283775567361"
++ + "4836626483403394052203488713085936276470766894079318754834062443"
++ + "1033792580942743268186462355159813630244169054658542719322425431"
++ + "4088256212718983105131138772434658820375111735710449331518776858"
++ + "7867938758654181244292694091187568128410190746310049564097068770"
++ + "8161261634790060655580211122402292101772553741704724263582994973"
++ + "9109274666495826205002104010355456981211025738812433088757102520"
++ + "562459649777989718122219159982614304359"),
++ // q
++ new BigInteger(
++ "19689526866605154788513693571065914024068069442724893395618704484701"),
++ // g
++ new BigInteger(
++ "2859278237642201956931085611015389087970918161297522023542900348"
++ + "0877180630984239764282523693409675060100542360520959501692726128"
++ + "3149190229583566074777557293475747419473934711587072321756053067"
++ + "2532404847508798651915566434553729839971841903983916294692452760"
++ + "2490198571084091890169933809199002313226100830607842692992570749"
++ + "0504363602970812128803790973955960534785317485341020833424202774"
++ + "0275688698461842637641566056165699733710043802697192696426360843"
++ + "1736206792141319514001488556117408586108219135730880594044593648"
++ + "9237302749293603778933701187571075920849848690861126195402696457"
++ + "4111219599568903257472567764789616958430"));
++
++ static final DSAPublicKeySpec PUBLIC_KEY = new DSAPublicKeySpec(
++ new BigInteger(
++ "3846308446317351758462473207111709291533523711306097971550086650"
++ + "2577333637930103311673872185522385807498738696446063139653693222"
++ + "3528823234976869516765207838304932337200968476150071617737755913"
++ + "3181601169463467065599372409821150709457431511200322947508290005"
++ + "1780020974429072640276810306302799924668893998032630777409440831"
++ + "4314588994475223696460940116068336991199969153649625334724122468"
++ + "7497038281983541563359385775312520539189474547346202842754393945"
++ + "8755803223951078082197762886933401284142487322057236814878262166"
++ + "5072306622943221607031324846468109901964841479558565694763440972"
++ + "5447389416166053148132419345627682740529"),
++ PRIVATE_KEY.getP(),
++ PRIVATE_KEY.getQ(),
++ PRIVATE_KEY.getG());
++
++ // The following test vectors check for signature malleability and bugs. That means the test
++ // vectors are derived from a valid signature by modifying the ASN encoding. A correct
++ // implementation of DSA should only accept correct DER encoding and properly handle the others.
++ // Allowing alternative BER encodings is in many cases benign. An example where this kind of
++ // signature malleability was a problem: https://en.bitcoin.it/wiki/Transaction_Malleability
++ static final String[] MODIFIED_SIGNATURES = {
++ "303e02811c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e"
++ + "f41dd424a4e1c8f16967cf3365813fe8786236",
++ "303f0282001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f"
++ + "9ef41dd424a4e1c8f16967cf3365813fe8786236",
++ "303e021d001e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e"
++ + "f41dd424a4e1c8f16967cf3365813fe8786236",
++ "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02811d00ade65988d237d30f9e"
++ + "f41dd424a4e1c8f16967cf3365813fe8786236",
++ "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd0282001d00ade65988d237d30f"
++ + "9ef41dd424a4e1c8f16967cf3365813fe8786236",
++ "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021e0000ade65988d237d30f9e"
++ + "f41dd424a4e1c8f16967cf3365813fe8786236",
++ "30813d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e"
++ + "f41dd424a4e1c8f16967cf3365813fe8786236",
++ "3082003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f"
++ + "9ef41dd424a4e1c8f16967cf3365813fe8786236",
++ "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9ef4"
++ + "1dd424a4e1c8f16967cf3365813fe87862360000",
++ "3040021c57b10411b54ab248af03d8f2456676ebc6d3db5f1081492ac87e9ca8021d00942b117051d7d9d107fc42cac9c5a36a1fd7f0f8916ccca86cec4ed3040100"
++ };
++
++ private void testModified()
++ throws Exception
++ {
++ KeyFactory kFact = KeyFactory.getInstance("DSA", "BC");
++ PublicKey pubKey = kFact.generatePublic(PUBLIC_KEY);
++ Signature sig = Signature.getInstance("DSA", "BC");
++
++ for (int i = 0; i != MODIFIED_SIGNATURES.length; i++)
++ {
++ sig.initVerify(pubKey);
++
++ sig.update(Strings.toByteArray("Hello"));
++
++ boolean failed;
++
++ try
++ {
++ failed = !sig.verify(Hex.decode(MODIFIED_SIGNATURES[i]));
++ }
++ catch (SignatureException e)
++ {
++ failed = true;
++ }
++
++ isTrue("sig verified when shouldn't", failed);
++ }
++ }
++
+ private void testCompat()
+ throws Exception
+ {
+@@ -959,6 +1066,7 @@ public class DSATest
+ testGeneration();
+ testParameters();
+ testDSA2Parameters();
++ testModified();
+ }
+
+ protected BigInteger[] derDecode(
=====================================
debian/patches/CVE-2016-1000339.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000339.patch
@@ -0,0 +1,668 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 18 Jun 2018 23:21:30 +0200
+Subject: CVE-2016-1000339
+
+Origin: https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b
+Origin: https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0
+---
+ src/org/bouncycastle/asn1/x9/DomainParameters.java | 223 +++++++++++++++++++++
+ src/org/bouncycastle/asn1/x9/ValidationParams.java | 102 ++++++++++
+ src/org/bouncycastle/crypto/engines/AESEngine.java | 28 ++-
+ .../bouncycastle/crypto/engines/AESFastEngine.java | 6 +-
+ .../provider/asymmetric/dh/BCDHPublicKey.java | 32 ++-
+ .../provider/asymmetric/dh/KeyFactorySpi.java | 9 +-
+ .../jcajce/provider/asymmetric/util/DHUtil.java | 5 +
+ .../jcajce/provider/symmetric/AES.java | 18 +-
+ 8 files changed, 400 insertions(+), 23 deletions(-)
+ create mode 100644 src/org/bouncycastle/asn1/x9/DomainParameters.java
+ create mode 100644 src/org/bouncycastle/asn1/x9/ValidationParams.java
+
+diff --git a/src/org/bouncycastle/asn1/x9/DomainParameters.java b/src/org/bouncycastle/asn1/x9/DomainParameters.java
+new file mode 100644
+index 0000000..0555190
+--- /dev/null
++++ b/src/org/bouncycastle/asn1/x9/DomainParameters.java
+@@ -0,0 +1,223 @@
++package org.bouncycastle.asn1.x9;
++
++import java.math.BigInteger;
++import java.util.Enumeration;
++
++import org.bouncycastle.asn1.ASN1Encodable;
++import org.bouncycastle.asn1.ASN1EncodableVector;
++import org.bouncycastle.asn1.ASN1Integer;
++import org.bouncycastle.asn1.ASN1Object;
++import org.bouncycastle.asn1.ASN1Primitive;
++import org.bouncycastle.asn1.ASN1Sequence;
++import org.bouncycastle.asn1.ASN1TaggedObject;
++import org.bouncycastle.asn1.DERSequence;
++
++/**
++ * X9.44 Diffie-Hellman domain parameters.
++ * <pre>
++ * DomainParameters ::= SEQUENCE {
++ * p INTEGER, -- odd prime, p=jq +1
++ * g INTEGER, -- generator, g
++ * q INTEGER, -- factor of p-1
++ * j INTEGER OPTIONAL, -- subgroup factor, j >= 2
++ * validationParams ValidationParams OPTIONAL
++ * }
++ * </pre>
++ */
++public class DomainParameters
++ extends ASN1Object
++{
++ private final ASN1Integer p, g, q, j;
++ private final ValidationParams validationParams;
++
++ /**
++ * Return a DomainParameters object from the passed in tagged object.
++ *
++ * @param obj a tagged object.
++ * @param explicit true if the contents of the object is explictly tagged, false otherwise.
++ * @return a DomainParameters
++ */
++ public static DomainParameters getInstance(ASN1TaggedObject obj, boolean explicit)
++ {
++ return getInstance(ASN1Sequence.getInstance(obj, explicit));
++ }
++
++ /**
++ * Return a DomainParameters object from the passed in object.
++ *
++ * @param obj an object for conversion or a byte[].
++ * @return a DomainParameters
++ */
++ public static DomainParameters getInstance(Object obj)
++ {
++ if (obj instanceof DomainParameters)
++ {
++ return (DomainParameters)obj;
++ }
++ else if (obj != null)
++ {
++ return new DomainParameters(ASN1Sequence.getInstance(obj));
++ }
++
++ return null;
++ }
++
++ /**
++ * Base constructor - the full domain parameter set.
++ *
++ * @param p the prime p defining the Galois field.
++ * @param g the generator of the multiplicative subgroup of order g.
++ * @param q specifies the prime factor of p - 1
++ * @param j optionally specifies the value that satisfies the equation p = jq+1
++ * @param validationParams parameters for validating these domain parameters.
++ */
++ public DomainParameters(BigInteger p, BigInteger g, BigInteger q, BigInteger j,
++ ValidationParams validationParams)
++ {
++ if (p == null)
++ {
++ throw new IllegalArgumentException("'p' cannot be null");
++ }
++ if (g == null)
++ {
++ throw new IllegalArgumentException("'g' cannot be null");
++ }
++ if (q == null)
++ {
++ throw new IllegalArgumentException("'q' cannot be null");
++ }
++
++ this.p = new ASN1Integer(p);
++ this.g = new ASN1Integer(g);
++ this.q = new ASN1Integer(q);
++
++ if (j != null)
++ {
++ this.j = new ASN1Integer(j);
++ }
++ else
++ {
++ this.j = null;
++ }
++ this.validationParams = validationParams;
++ }
++
++ private DomainParameters(ASN1Sequence seq)
++ {
++ if (seq.size() < 3 || seq.size() > 5)
++ {
++ throw new IllegalArgumentException("Bad sequence size: " + seq.size());
++ }
++
++ Enumeration e = seq.getObjects();
++ this.p = ASN1Integer.getInstance(e.nextElement());
++ this.g = ASN1Integer.getInstance(e.nextElement());
++ this.q = ASN1Integer.getInstance(e.nextElement());
++
++ ASN1Encodable next = getNext(e);
++
++ if (next != null && next instanceof ASN1Integer)
++ {
++ this.j = ASN1Integer.getInstance(next);
++ next = getNext(e);
++ }
++ else
++ {
++ this.j = null;
++ }
++
++ if (next != null)
++ {
++ this.validationParams = ValidationParams.getInstance(next.toASN1Primitive());
++ }
++ else
++ {
++ this.validationParams = null;
++ }
++ }
++
++ private static ASN1Encodable getNext(Enumeration e)
++ {
++ return e.hasMoreElements() ? (ASN1Encodable)e.nextElement() : null;
++ }
++
++ /**
++ * Return the prime p defining the Galois field.
++ *
++ * @return the prime p.
++ */
++ public BigInteger getP()
++ {
++ return this.p.getPositiveValue();
++ }
++
++ /**
++ * Return the generator of the multiplicative subgroup of order g.
++ *
++ * @return the generator g.
++ */
++ public BigInteger getG()
++ {
++ return this.g.getPositiveValue();
++ }
++
++ /**
++ * Return q, the prime factor of p - 1
++ *
++ * @return q value
++ */
++ public BigInteger getQ()
++ {
++ return this.q.getPositiveValue();
++ }
++
++ /**
++ * Return the value that satisfies the equation p = jq+1 (if present).
++ *
++ * @return j value or null.
++ */
++ public BigInteger getJ()
++ {
++ if (this.j == null)
++ {
++ return null;
++ }
++
++ return this.j.getPositiveValue();
++ }
++
++ /**
++ * Return the validation parameters for this set (if present).
++ *
++ * @return validation parameters, or null if absent.
++ */
++ public ValidationParams getValidationParams()
++ {
++ return this.validationParams;
++ }
++
++ /**
++ * Return an ASN.1 primitive representation of this object.
++ *
++ * @return a DERSequence containing the parameter values.
++ */
++ public ASN1Primitive toASN1Primitive()
++ {
++ ASN1EncodableVector v = new ASN1EncodableVector();
++ v.add(this.p);
++ v.add(this.g);
++ v.add(this.q);
++
++ if (this.j != null)
++ {
++ v.add(this.j);
++ }
++
++ if (this.validationParams != null)
++ {
++ v.add(this.validationParams);
++ }
++
++ return new DERSequence(v);
++ }
++}
+\ No newline at end of file
+diff --git a/src/org/bouncycastle/asn1/x9/ValidationParams.java b/src/org/bouncycastle/asn1/x9/ValidationParams.java
+new file mode 100644
+index 0000000..855974d
+--- /dev/null
++++ b/src/org/bouncycastle/asn1/x9/ValidationParams.java
+@@ -0,0 +1,102 @@
++package org.bouncycastle.asn1.x9;
++
++import java.math.BigInteger;
++
++import org.bouncycastle.asn1.ASN1EncodableVector;
++import org.bouncycastle.asn1.ASN1Integer;
++import org.bouncycastle.asn1.ASN1Object;
++import org.bouncycastle.asn1.ASN1Primitive;
++import org.bouncycastle.asn1.ASN1Sequence;
++import org.bouncycastle.asn1.ASN1TaggedObject;
++import org.bouncycastle.asn1.DERBitString;
++import org.bouncycastle.asn1.DERSequence;
++
++/**
++ * Diffie-Hellman domain validation parameters.
++ * <pre>
++ * ValidationParams ::= SEQUENCE {
++ * seed BIT STRING,
++ * pgenCounter INTEGER
++ * }
++ * </pre>
++ */
++public class ValidationParams
++ extends ASN1Object
++{
++ private DERBitString seed;
++ private ASN1Integer pgenCounter;
++
++ public static ValidationParams getInstance(ASN1TaggedObject obj, boolean explicit)
++ {
++ return getInstance(ASN1Sequence.getInstance(obj, explicit));
++ }
++
++ public static ValidationParams getInstance(Object obj)
++ {
++ if (obj instanceof ValidationParams)
++ {
++ return (ValidationParams)obj;
++ }
++ else if (obj != null)
++ {
++ return new ValidationParams(ASN1Sequence.getInstance(obj));
++ }
++
++ return null;
++ }
++
++ public ValidationParams(byte[] seed, int pgenCounter)
++ {
++ if (seed == null)
++ {
++ throw new IllegalArgumentException("'seed' cannot be null");
++ }
++
++ this.seed = new DERBitString(seed);
++ this.pgenCounter = new ASN1Integer(pgenCounter);
++ }
++
++ public ValidationParams(DERBitString seed, ASN1Integer pgenCounter)
++ {
++ if (seed == null)
++ {
++ throw new IllegalArgumentException("'seed' cannot be null");
++ }
++ if (pgenCounter == null)
++ {
++ throw new IllegalArgumentException("'pgenCounter' cannot be null");
++ }
++
++ this.seed = seed;
++ this.pgenCounter = pgenCounter;
++ }
++
++ private ValidationParams(ASN1Sequence seq)
++ {
++ if (seq.size() != 2)
++ {
++ throw new IllegalArgumentException("Bad sequence size: " + seq.size());
++ }
++
++ this.seed = DERBitString.getInstance(seq.getObjectAt(0));
++ this.pgenCounter = ASN1Integer.getInstance(seq.getObjectAt(1));
++ }
++
++ public byte[] getSeed()
++ {
++ return this.seed.getBytes();
++ }
++
++ public BigInteger getPgenCounter()
++ {
++ return this.pgenCounter.getPositiveValue();
++ }
++
++ public ASN1Primitive toASN1Primitive()
++ {
++ ASN1EncodableVector v = new ASN1EncodableVector();
++ v.add(this.seed);
++ v.add(this.pgenCounter);
++ return new DERSequence(v);
++ }
++}
+diff --git a/src/org/bouncycastle/crypto/engines/AESEngine.java b/src/org/bouncycastle/crypto/engines/AESEngine.java
+index 756197c..4166ae0 100644
+--- a/src/org/bouncycastle/crypto/engines/AESEngine.java
++++ b/src/org/bouncycastle/crypto/engines/AESEngine.java
+@@ -5,6 +5,7 @@ import org.bouncycastle.crypto.CipherParameters;
+ import org.bouncycastle.crypto.DataLengthException;
+ import org.bouncycastle.crypto.OutputLengthException;
+ import org.bouncycastle.crypto.params.KeyParameter;
++import org.bouncycastle.util.Arrays;
+
+ /**
+ * an implementation of the AES (Rijndael), from FIPS-197.
+@@ -334,6 +335,8 @@ private static final int[] Tinv0 =
+ private int C0, C1, C2, C3;
+ private boolean forEncryption;
+
++ private byte[] s;
++
+ private static final int BLOCK_SIZE = 16;
+
+ /**
+@@ -359,6 +362,14 @@ private static final int[] Tinv0 =
+ {
+ WorkingKey = generateWorkingKey(((KeyParameter)params).getKey(), forEncryption);
+ this.forEncryption = forEncryption;
++ if (forEncryption)
++ {
++ s = Arrays.clone(S);
++ }
++ else
++ {
++ s = Arrays.clone(Si);
++ }
+ return;
+ }
+
+@@ -501,10 +512,10 @@ private static final int[] Tinv0 =
+
+ // the final round's table is a simple function of S so we don't use a whole other four tables for it
+
+- C0 = (S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((S[(r2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24) ^ KW[r][0];
+- C1 = (S[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(r0>>24)&255]<<24) ^ KW[r][1];
+- C2 = (S[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24) ^ KW[r][2];
+- C3 = (S[r3&255]&255) ^ ((S[(r0>>8)&255]&255)<<8) ^ ((S[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24) ^ KW[r][3];
++ C0 = (S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((s[(r2>>16)&255]&255)<<16) ^ (s[(r3>>24)&255]<<24) ^ KW[r][0];
++ C1 = (s[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (s[(r0>>24)&255]<<24) ^ KW[r][1];
++ C2 = (s[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24) ^ KW[r][2];
++ C3 = (s[r3&255]&255) ^ ((s[(r0>>8)&255]&255)<<8) ^ ((s[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24) ^ KW[r][3];
+
+ }
+
+@@ -538,9 +549,10 @@ private static final int[] Tinv0 =
+
+ // the final round's table is a simple function of Si so we don't use a whole other four tables for it
+
+- C0 = (Si[r0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24) ^ KW[0][0];
+- C1 = (Si[r1&255]&255) ^ ((Si[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(r2>>24)&255]<<24) ^ KW[0][1];
+- C2 = (Si[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24) ^ KW[0][2];
+- C3 = (Si[r3&255]&255) ^ ((Si[(r2>>8)&255]&255)<<8) ^ ((Si[(r1>>16)&255]&255)<<16) ^ (Si[(r0>>24)&255]<<24) ^ KW[0][3];
++ C0 = (Si[r0&255]&255) ^ ((s[(r3>>8)&255]&255)<<8) ^ ((s[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24) ^ KW[0][0];
++ C1 = (s[r1&255]&255) ^ ((s[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (s[(r2>>24)&255]<<24) ^ KW[0][1];
++ C2 = (s[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (s[(r3>>24)&255]<<24) ^ KW[0][2];
++ C3 = (Si[r3&255]&255) ^ ((s[(r2>>8)&255]&255)<<8) ^ ((s[(r1>>16)&255]&255)<<16) ^ (s[(r0>>24)&255]<<24) ^ KW[0][3];
++
+ }
+ }
+diff --git a/src/org/bouncycastle/crypto/engines/AESFastEngine.java b/src/org/bouncycastle/crypto/engines/AESFastEngine.java
+index ff4b2f8..b17c87b 100644
+--- a/src/org/bouncycastle/crypto/engines/AESFastEngine.java
++++ b/src/org/bouncycastle/crypto/engines/AESFastEngine.java
+@@ -25,9 +25,11 @@ import org.bouncycastle.crypto.params.KeyParameter;
+ * the contents of the first
+ *
+ * The slowest version uses no static tables at all and computes the values in each round
++ * </p>
+ * <p>
+- * This file contains the fast version with 8Kbytes of static tables for round precomputation
+- *
++ * This file contains the fast version with 8Kbytes of static tables for round precomputation.
++ * </p>
++ * @deprecated unfortunately this class is has a few side channel issues. In an environment where encryption/decryption may be closely observed it should not be used.
+ */
+ public class AESFastEngine
+ implements BlockCipher
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java
+index 0697f75..ae92980 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java
+@@ -16,10 +16,14 @@ import org.bouncycastle.asn1.pkcs.DHParameter;
+ import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+ import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+ import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+-import org.bouncycastle.asn1.x9.DHDomainParameters;
+ import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
++import org.bouncycastle.asn1.x9.DHDomainParameters;
++import org.bouncycastle.asn1.x9.DomainParameters;
++import org.bouncycastle.asn1.x9.ValidationParams;
+ import org.bouncycastle.crypto.params.DHPublicKeyParameters;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil;
++import org.bouncycastle.crypto.params.DHParameters;
++import org.bouncycastle.crypto.params.DHValidationParameters;
+
+ public class BCDHPublicKey
+ implements DHPublicKey
+@@ -28,6 +32,7 @@ public class BCDHPublicKey
+
+ private BigInteger y;
+
++ private transient DHPublicKeyParameters dhPublicKey;
+ private transient DHParameterSpec dhSpec;
+ private transient SubjectPublicKeyInfo info;
+
+@@ -36,6 +41,7 @@ public class BCDHPublicKey
+ {
+ this.y = spec.getY();
+ this.dhSpec = new DHParameterSpec(spec.getP(), spec.getG());
++ this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(spec.getP(), spec.getG()));
+ }
+
+ BCDHPublicKey(
+@@ -43,6 +49,7 @@ public class BCDHPublicKey
+ {
+ this.y = key.getY();
+ this.dhSpec = key.getParams();
++ this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG()));
+ }
+
+ BCDHPublicKey(
+@@ -50,6 +57,7 @@ public class BCDHPublicKey
+ {
+ this.y = params.getY();
+ this.dhSpec = new DHParameterSpec(params.getParameters().getP(), params.getParameters().getG(), params.getParameters().getL());
++ this.dhPublicKey = params;
+ }
+
+ BCDHPublicKey(
+@@ -58,6 +66,7 @@ public class BCDHPublicKey
+ {
+ this.y = y;
+ this.dhSpec = dhSpec;
++ this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG()));
+ }
+
+ public BCDHPublicKey(
+@@ -93,12 +102,24 @@ public class BCDHPublicKey
+ {
+ this.dhSpec = new DHParameterSpec(params.getP(), params.getG());
+ }
++ this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG()));
+ }
+ else if (id.equals(X9ObjectIdentifiers.dhpublicnumber))
+ {
+- DHDomainParameters params = DHDomainParameters.getInstance(seq);
++ DomainParameters params = DomainParameters.getInstance(seq);
++
++ this.dhSpec = new DHParameterSpec(params.getP(), params.getG());
++ ValidationParams validationParams = params.getValidationParams();
++ if (validationParams != null)
++ {
++ this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(params.getP(), params.getG(), params.getQ(), params.getJ(),
++ new DHValidationParameters(validationParams.getSeed(), validationParams.getPgenCounter().intValue())));
++ }
++ else
++ {
++ this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(params.getP(), params.getG(), params.getQ(), params.getJ(), null));
++ }
+
+- this.dhSpec = new DHParameterSpec(params.getP().getValue(), params.getG().getValue());
+ }
+ else
+ {
+@@ -136,6 +157,11 @@ public class BCDHPublicKey
+ return y;
+ }
+
++ public DHPublicKeyParameters engineGetKeyParameters()
++ {
++ return dhPublicKey;
++ }
++
+ private boolean isPKCSParam(ASN1Sequence seq)
+ {
+ if (seq.size() == 2)
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java
+index 9565bd2..e422b65 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java
+@@ -82,7 +82,14 @@ public class KeyFactorySpi
+ {
+ if (keySpec instanceof DHPublicKeySpec)
+ {
+- return new BCDHPublicKey((DHPublicKeySpec)keySpec);
++ try
++ {
++ return new BCDHPublicKey((DHPublicKeySpec)keySpec);
++ }
++ catch (IllegalArgumentException e)
++ {
++ throw new InvalidKeySpecException(e.getMessage(), e);
++ }
+ }
+
+ return super.engineGeneratePublic(keySpec);
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java b/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java
+index 52c84ec..07f8cfd 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java
+@@ -11,6 +11,7 @@ import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+ import org.bouncycastle.crypto.params.DHParameters;
+ import org.bouncycastle.crypto.params.DHPrivateKeyParameters;
+ import org.bouncycastle.crypto.params.DHPublicKeyParameters;
++import org.bouncycastle.jcajce.provider.asymmetric.dh.BCDHPublicKey;
+
+ /**
+ * utility class for converting jce/jca DH objects
+@@ -22,6 +23,10 @@ public class DHUtil
+ PublicKey key)
+ throws InvalidKeyException
+ {
++ if (key instanceof BCDHPublicKey)
++ {
++ return ((BCDHPublicKey)key).engineGetKeyParameters();
++ }
+ if (key instanceof DHPublicKey)
+ {
+ DHPublicKey k = (DHPublicKey)key;
+diff --git a/src/org/bouncycastle/jcajce/provider/symmetric/AES.java b/src/org/bouncycastle/jcajce/provider/symmetric/AES.java
+index 7a6f7b0..3bd5eff 100644
+--- a/src/org/bouncycastle/jcajce/provider/symmetric/AES.java
++++ b/src/org/bouncycastle/jcajce/provider/symmetric/AES.java
+@@ -12,7 +12,7 @@ import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
+ import org.bouncycastle.crypto.BlockCipher;
+ import org.bouncycastle.crypto.BufferedBlockCipher;
+ import org.bouncycastle.crypto.CipherKeyGenerator;
+-import org.bouncycastle.crypto.engines.AESFastEngine;
++import org.bouncycastle.crypto.engines.AESEngine;
+ import org.bouncycastle.crypto.engines.AESWrapEngine;
+ import org.bouncycastle.crypto.engines.RFC3211WrapEngine;
+ import org.bouncycastle.crypto.macs.CMac;
+@@ -47,7 +47,7 @@ public final class AES
+ {
+ public BlockCipher get()
+ {
+- return new AESFastEngine();
++ return new AESEngine();
+ }
+ });
+ }
+@@ -58,7 +58,7 @@ public final class AES
+ {
+ public CBC()
+ {
+- super(new CBCBlockCipher(new AESFastEngine()), 128);
++ super(new CBCBlockCipher(new AESEngine()), 128);
+ }
+ }
+
+@@ -67,7 +67,7 @@ public final class AES
+ {
+ public CFB()
+ {
+- super(new BufferedBlockCipher(new CFBBlockCipher(new AESFastEngine(), 128)), 128);
++ super(new BufferedBlockCipher(new CFBBlockCipher(new AESEngine(), 128)), 128);
+ }
+ }
+
+@@ -76,7 +76,7 @@ public final class AES
+ {
+ public OFB()
+ {
+- super(new BufferedBlockCipher(new OFBBlockCipher(new AESFastEngine(), 128)), 128);
++ super(new BufferedBlockCipher(new OFBBlockCipher(new AESEngine(), 128)), 128);
+ }
+ }
+
+@@ -85,7 +85,7 @@ public final class AES
+ {
+ public AESCMAC()
+ {
+- super(new CMac(new AESFastEngine()));
++ super(new CMac(new AESEngine()));
+ }
+ }
+
+@@ -94,7 +94,7 @@ public final class AES
+ {
+ public AESGMAC()
+ {
+- super(new GMac(new GCMBlockCipher(new AESFastEngine())));
++ super(new GMac(new GCMBlockCipher(new AESEngine())));
+ }
+ }
+
+@@ -112,7 +112,7 @@ public final class AES
+ {
+ public RFC3211Wrap()
+ {
+- super(new RFC3211WrapEngine(new AESFastEngine()), 16);
++ super(new RFC3211WrapEngine(new AESEngine()), 16);
+ }
+ }
+
+@@ -125,7 +125,7 @@ public final class AES
+ {
+ public PBEWithAESCBC()
+ {
+- super(new CBCBlockCipher(new AESFastEngine()));
++ super(new CBCBlockCipher(new AESEngine()));
+ }
+ }
+
=====================================
debian/patches/CVE-2016-1000341.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000341.patch
@@ -0,0 +1,45 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 8 Jun 2018 20:53:29 +0200
+Subject: CVE-2016-1000341
+
+Origin: https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa
+---
+ src/org/bouncycastle/crypto/signers/DSASigner.java | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/org/bouncycastle/crypto/signers/DSASigner.java b/src/org/bouncycastle/crypto/signers/DSASigner.java
+index a96cef0..cfe5aa6 100644
+--- a/src/org/bouncycastle/crypto/signers/DSASigner.java
++++ b/src/org/bouncycastle/crypto/signers/DSASigner.java
+@@ -58,6 +58,7 @@ public class DSASigner
+ byte[] message)
+ {
+ DSAParameters params = key.getParameters();
++ BigInteger q = params.getQ();
+ BigInteger m = calculateE(params.getQ(), message);
+ BigInteger k;
+ int qBitLength = params.getQ().bitLength();
+@@ -68,7 +69,8 @@ public class DSASigner
+ }
+ while (k.compareTo(params.getQ()) >= 0);
+
+- BigInteger r = params.getG().modPow(k, params.getP()).mod(params.getQ());
++ // the randomizer is to conceal timing information related to k and x.
++ BigInteger r = params.getG().modPow(k.add(getRandomizer(q, random)), params.getP()).mod(q);
+
+ k = k.modInverse(params.getQ()).multiply(
+ m.add(((DSAPrivateKeyParameters)key).getX().multiply(r)));
+@@ -135,4 +137,13 @@ public class DSASigner
+ return new BigInteger(1, trunc);
+ }
+ }
++
++ private BigInteger getRandomizer(BigInteger q, SecureRandom provided)
++ {
++ // Calculate a random multiple of q to add to k. Note that g^q = 1 (mod p), so adding multiple of q to k does not change r.
++ int randomBits = 7;
++
++ return new BigInteger(randomBits, provided != null ? provided : new SecureRandom()).add(BigInteger.valueOf(128)).multiply(q);
++ }
++
+ }
=====================================
debian/patches/CVE-2016-1000342.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000342.patch
@@ -0,0 +1,133 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 6 Jul 2018 07:34:24 +0200
+Subject: CVE-2016-1000342
+
+Origin: https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647
+---
+ src/org/bouncycastle/asn1/ASN1Enumerated.java | 13 +++++++++++++
+ src/org/bouncycastle/asn1/ASN1Integer.java | 13 +++++++++++++
+ .../jcajce/provider/asymmetric/dsa/DSASigner.java | 6 ++++++
+ .../jcajce/provider/asymmetric/ec/SignatureSpi.java | 12 +++++++++++-
+ 4 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/org/bouncycastle/asn1/ASN1Enumerated.java b/src/org/bouncycastle/asn1/ASN1Enumerated.java
+index d93fd91..9151540 100644
+--- a/src/org/bouncycastle/asn1/ASN1Enumerated.java
++++ b/src/org/bouncycastle/asn1/ASN1Enumerated.java
+@@ -1,6 +1,8 @@
+ package org.bouncycastle.asn1;
+
++import java.io.IOException;
+ import java.math.BigInteger;
++import org.bouncycastle.util.Arrays;
+
+ public class ASN1Enumerated
+ extends DEREnumerated
+@@ -8,6 +10,17 @@ public class ASN1Enumerated
+ ASN1Enumerated(byte[] bytes)
+ {
+ super(bytes);
++ if (bytes.length > 1)
++ {
++ if (bytes[0] == 0 && (bytes[1] & 0x80) == 0)
++ {
++ throw new IllegalArgumentException("malformed enumerated");
++ }
++ if (bytes[0] == (byte)0xff && (bytes[1] & 0x80) != 0)
++ {
++ throw new IllegalArgumentException("malformed enumerated");
++ }
++ }
+ }
+
+ public ASN1Enumerated(BigInteger value)
+diff --git a/src/org/bouncycastle/asn1/ASN1Integer.java b/src/org/bouncycastle/asn1/ASN1Integer.java
+index d60c6a8..c0c1bda 100644
+--- a/src/org/bouncycastle/asn1/ASN1Integer.java
++++ b/src/org/bouncycastle/asn1/ASN1Integer.java
+@@ -1,6 +1,8 @@
+ package org.bouncycastle.asn1;
+
++import java.io.IOException;
+ import java.math.BigInteger;
++import org.bouncycastle.util.Arrays;
+
+ public class ASN1Integer
+ extends DERInteger
+@@ -8,6 +10,17 @@ public class ASN1Integer
+ ASN1Integer(byte[] bytes)
+ {
+ super(bytes);
++ if (bytes.length > 1)
++ {
++ if (bytes[0] == 0 && (bytes[1] & 0x80) == 0)
++ {
++ throw new IllegalArgumentException("malformed integer");
++ }
++ if (bytes[0] == (byte)0xff && (bytes[1] & 0x80) != 0)
++ {
++ throw new IllegalArgumentException("malformed integer");
++ }
++ }
+ }
+
+ public ASN1Integer(BigInteger value)
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java
+index ea46467..b985a8b 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java
+@@ -29,6 +29,7 @@ import org.bouncycastle.crypto.digests.SHA256Digest;
+ import org.bouncycastle.crypto.digests.SHA384Digest;
+ import org.bouncycastle.crypto.digests.SHA512Digest;
+ import org.bouncycastle.crypto.params.ParametersWithRandom;
++import org.bouncycastle.util.Arrays;
+
+ public class DSASigner
+ extends SignatureSpi
+@@ -210,6 +211,11 @@ public class DSASigner
+ throw new IOException("malformed signature");
+ }
+
++ if (!Arrays.areEqual(encoding, s.getEncoded(ASN1Encoding.DER)))
++ {
++ throw new IOException("malformed signature");
++ }
++
+ return new BigInteger[]{
+ ((ASN1Integer)s.getObjectAt(0)).getValue(),
+ ((ASN1Integer)s.getObjectAt(1)).getValue()
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java
+index 29c50f4..480f3fa 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java
+@@ -28,6 +28,7 @@ import org.bouncycastle.crypto.signers.ECNRSigner;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.DSABase;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.DSAEncoder;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
++import org.bouncycastle.util.Arrays;
+
+ public class SignatureSpi
+ extends DSABase
+@@ -238,6 +239,15 @@ public class SignatureSpi
+ throws IOException
+ {
+ ASN1Sequence s = (ASN1Sequence)ASN1Primitive.fromByteArray(encoding);
++ if (s.size() != 2)
++ {
++ throw new IOException("malformed signature");
++ }
++ if (!Arrays.areEqual(encoding, s.getEncoded(ASN1Encoding.DER)))
++ {
++ throw new IOException("malformed signature");
++ }
++
+ BigInteger[] sig = new BigInteger[2];
+
+ sig[0] = ASN1Integer.getInstance(s.getObjectAt(0)).getValue();
+@@ -309,4 +319,4 @@ public class SignatureSpi
+ return sig;
+ }
+ }
+-}
+\ No newline at end of file
++}
=====================================
debian/patches/CVE-2016-1000343.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000343.patch
@@ -0,0 +1,161 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 10 Jun 2018 18:36:31 +0200
+Subject: CVE-2016-1000343
+
+Origin: https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389
+---
+ .../asymmetric/dsa/KeyPairGeneratorSpi.java | 70 +++++++++++++++++++++-
+ src/org/bouncycastle/util/Properties.java | 36 +++++++++++
+ 2 files changed, 103 insertions(+), 3 deletions(-)
+ create mode 100644 src/org/bouncycastle/util/Properties.java
+
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java
+index c6ddf9b..86e084e 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java
+@@ -6,18 +6,26 @@ import java.security.KeyPair;
+ import java.security.SecureRandom;
+ import java.security.spec.AlgorithmParameterSpec;
+ import java.security.spec.DSAParameterSpec;
++import java.util.Hashtable;
+
+ import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
++import org.bouncycastle.crypto.digests.SHA256Digest;
+ import org.bouncycastle.crypto.generators.DSAKeyPairGenerator;
+ import org.bouncycastle.crypto.generators.DSAParametersGenerator;
+ import org.bouncycastle.crypto.params.DSAKeyGenerationParameters;
++import org.bouncycastle.crypto.params.DSAParameterGenerationParameters;
+ import org.bouncycastle.crypto.params.DSAParameters;
+ import org.bouncycastle.crypto.params.DSAPrivateKeyParameters;
+ import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
++import org.bouncycastle.util.Integers;
++import org.bouncycastle.util.Properties;
+
+ public class KeyPairGeneratorSpi
+ extends java.security.KeyPairGenerator
+ {
++ private static Hashtable params = new Hashtable();
++ private static Object lock = new Object();
++
+ DSAKeyGenerationParameters param;
+ DSAKeyPairGenerator engine = new DSAKeyPairGenerator();
+ int strength = 1024;
+@@ -41,6 +49,7 @@ public class KeyPairGeneratorSpi
+
+ this.strength = strength;
+ this.random = random;
++ this.initialised = false;
+ }
+
+ public void initialize(
+@@ -64,10 +73,65 @@ public class KeyPairGeneratorSpi
+ {
+ if (!initialised)
+ {
+- DSAParametersGenerator pGen = new DSAParametersGenerator();
++ Integer paramStrength = Integers.valueOf(strength);
++
++ if (params.containsKey(paramStrength))
++ {
++ param = (DSAKeyGenerationParameters)params.get(paramStrength);
++ }
++ else
++ {
++ synchronized (lock)
++ {
++ // we do the check again in case we were blocked by a generator for
++ // our key size.
++ if (params.containsKey(paramStrength))
++ {
++ param = (DSAKeyGenerationParameters)params.get(paramStrength);
++ }
++ else
++ {
++ DSAParametersGenerator pGen;
++ DSAParameterGenerationParameters dsaParams;
++
++ // Typical combination of keysize and size of q.
++ // keysize = 1024, q's size = 160
++ // keysize = 2048, q's size = 224
++ // keysize = 2048, q's size = 256
++ // keysize = 3072, q's size = 256
++ // For simplicity if keysize is greater than 1024 then we choose q's size to be 256.
++ // For legacy keysize that is less than 1024-bit, we just use the 186-2 style parameters
++ if (strength == 1024)
++ {
++ pGen = new DSAParametersGenerator();
++ if (Properties.isOverrideSet("org.bouncycastle.dsa.FIPS186-2for1024bits"))
++ {
++ pGen.init(strength, certainty, random);
++ }
++ else
++ {
++ dsaParams = new DSAParameterGenerationParameters(1024, 160, certainty, random);
++ pGen.init(dsaParams);
++ }
++ }
++ else if (strength > 1024)
++ {
++ dsaParams = new DSAParameterGenerationParameters(strength, 256, certainty, random);
++ pGen = new DSAParametersGenerator(new SHA256Digest());
++ pGen.init(dsaParams);
++ }
++ else
++ {
++ pGen = new DSAParametersGenerator();
++ pGen.init(strength, certainty, random);
++ }
++ param = new DSAKeyGenerationParameters(random, pGen.generateParameters());
++
++ params.put(paramStrength, param);
++ }
++ }
++ }
+
+- pGen.init(strength, certainty, random);
+- param = new DSAKeyGenerationParameters(random, pGen.generateParameters());
+ engine.init(param);
+ initialised = true;
+ }
+diff --git a/src/org/bouncycastle/util/Properties.java b/src/org/bouncycastle/util/Properties.java
+new file mode 100644
+index 0000000..96cef35
+--- /dev/null
++++ b/src/org/bouncycastle/util/Properties.java
+@@ -0,0 +1,36 @@
++package org.bouncycastle.util;
++
++import java.security.AccessControlException;
++import java.security.AccessController;
++import java.security.PrivilegedAction;
++
++/**
++ * Utility method for accessing system properties.
++ */
++public class Properties
++{
++ public static boolean isOverrideSet(final String propertyName)
++ {
++ try
++ {
++ return "true".equals(AccessController.doPrivileged(new PrivilegedAction()
++ {
++ // JDK 1.4 compatibility
++ public Object run()
++ {
++ String value = System.getProperty(propertyName);
++ if (value == null)
++ {
++ return null;
++ }
++
++ return Strings.toLowerCase(value);
++ }
++ }));
++ }
++ catch (AccessControlException e)
++ {
++ return false;
++ }
++ }
++}
=====================================
debian/patches/CVE-2016-1000345.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000345.patch
@@ -0,0 +1,214 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 10 Jun 2018 20:39:14 +0200
+Subject: CVE-2016-1000345
+
+Origin: https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35
+---
+ src/org/bouncycastle/crypto/engines/IESEngine.java | 25 ++++++++++++++--------
+ .../jcajce/provider/asymmetric/dh/IESCipher.java | 7 +++---
+ .../jcajce/provider/asymmetric/ec/IESCipher.java | 11 +++++-----
+ .../jcajce/provider/asymmetric/rsa/CipherSpi.java | 1 +
+ .../jcajce/provider/util/BadBlockException.java | 21 ++++++++++++++++++
+ 5 files changed, 48 insertions(+), 17 deletions(-)
+ create mode 100644 src/org/bouncycastle/jcajce/provider/util/BadBlockException.java
+
+diff --git a/src/org/bouncycastle/crypto/engines/IESEngine.java b/src/org/bouncycastle/crypto/engines/IESEngine.java
+index 5a9976c..323e605 100755
+--- a/src/org/bouncycastle/crypto/engines/IESEngine.java
++++ b/src/org/bouncycastle/crypto/engines/IESEngine.java
+@@ -66,8 +66,8 @@ public class IESEngine
+
+
+ /**
+- * set up for use in conjunction with a block cipher to handle the
+- * message.
++ * Set up for use in conjunction with a block cipher to handle the
++ * message.It is <b>strongly</b> recommended that the cipher is not in ECB mode.
+ *
+ * @param agree the key agreement used as the basis for the encryption
+ * @param kdf the key derivation function used for byte generation
+@@ -244,8 +244,8 @@ public class IESEngine
+ int inLen)
+ throws InvalidCipherTextException
+ {
+- byte[] M = null, K = null, K1 = null, K2 = null;
+- int len;
++ byte[] M, K, K1, K2;
++ int len = 0;
+
+ if (cipher == null)
+ {
+@@ -267,14 +267,13 @@ public class IESEngine
+ System.arraycopy(K, K1.length, K2, 0, K2.length);
+ }
+
++ // process the message
+ M = new byte[K1.length];
+
+ for (int i = 0; i != K1.length; i++)
+ {
+ M[i] = (byte)(in_enc[inOff + V.length + i] ^ K1[i]);
+ }
+-
+- len = K1.length;
+ }
+ else
+ {
+@@ -291,7 +290,6 @@ public class IESEngine
+
+ M = new byte[cipher.getOutputSize(inLen - V.length - mac.getMacSize())];
+ len = cipher.processBytes(in_enc, inOff + V.length, inLen - V.length - mac.getMacSize(), M, 0);
+- len += cipher.doFinal(M, len);
+ }
+
+
+@@ -328,8 +326,17 @@ public class IESEngine
+ }
+
+
+- // Output the message.
+- return Arrays.copyOfRange(M, 0, len);
++ if (cipher == null)
++ {
++ return M;
++ }
++ else
++ {
++ len += cipher.doFinal(M, len);
++
++ return Arrays.copyOfRange(M, 0, len);
++ }
++
+ }
+
+
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java
+index c29ff2d..3809aa6 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java
+@@ -43,6 +43,7 @@ import org.bouncycastle.crypto.params.IESWithCipherParameters;
+ import org.bouncycastle.crypto.parsers.DHIESPublicKeyParser;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.DHUtil;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil;
++import org.bouncycastle.jcajce.provider.util.BadBlockException;
+ import org.bouncycastle.jce.interfaces.IESKey;
+ import org.bouncycastle.jce.provider.BouncyCastleProvider;
+ import org.bouncycastle.jce.spec.IESParameterSpec;
+@@ -386,7 +387,7 @@ public class IESCipher
+ }
+ catch (Exception e)
+ {
+- throw new BadPaddingException(e.getMessage());
++ throw new BadBlockException("unable to process block", e);
+ }
+ }
+
+@@ -425,7 +426,7 @@ public class IESCipher
+ }
+ catch (Exception e)
+ {
+- throw new BadPaddingException(e.getMessage());
++ throw new BadBlockException("unable to process block", e);
+ }
+ }
+ else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE)
+@@ -439,7 +440,7 @@ public class IESCipher
+ }
+ catch (InvalidCipherTextException e)
+ {
+- throw new BadPaddingException(e.getMessage());
++ throw new BadBlockException("unable to process block", e);
+ }
+ }
+ else
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java
+index 4ad0512..18017c9 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java
+@@ -40,6 +40,7 @@ import org.bouncycastle.crypto.params.IESWithCipherParameters;
+ import org.bouncycastle.crypto.parsers.ECIESPublicKeyParser;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil;
++import org.bouncycastle.jcajce.provider.util.BadBlockException;
+ import org.bouncycastle.jce.interfaces.ECKey;
+ import org.bouncycastle.jce.interfaces.ECPrivateKey;
+ import org.bouncycastle.jce.interfaces.ECPublicKey;
+@@ -49,6 +50,7 @@ import org.bouncycastle.jce.spec.IESParameterSpec;
+ import org.bouncycastle.util.Strings;
+
+
++
+ public class IESCipher
+ extends CipherSpi
+ {
+@@ -393,7 +395,7 @@ public class IESCipher
+ }
+ catch (Exception e)
+ {
+- throw new BadPaddingException(e.getMessage());
++ throw new BadBlockException("unable to process block", e);
+ }
+ }
+
+@@ -418,11 +420,10 @@ public class IESCipher
+
+ return engine.processBlock(in, 0, in.length);
+ }
+- catch (Exception e)
++ catch (final Exception e)
+ {
+- throw new BadPaddingException(e.getMessage());
++ throw new BadBlockException("unable to process block", e);
+ }
+-
+ }
+ else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE)
+ {
+@@ -435,7 +436,7 @@ public class IESCipher
+ }
+ catch (InvalidCipherTextException e)
+ {
+- throw new BadPaddingException(e.getMessage());
++ throw new BadBlockException("unable to process block", e);
+ }
+ }
+ else
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java
+index dc8dcb2..57be4f4 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java
+@@ -32,6 +32,7 @@ import org.bouncycastle.crypto.encodings.PKCS1Encoding;
+ import org.bouncycastle.crypto.engines.RSABlindedEngine;
+ import org.bouncycastle.crypto.params.ParametersWithRandom;
+ import org.bouncycastle.jcajce.provider.asymmetric.util.BaseCipherSpi;
++import org.bouncycastle.jcajce.provider.util.BadBlockException;
+ import org.bouncycastle.jcajce.provider.util.DigestFactory;
+ import org.bouncycastle.jce.provider.BouncyCastleProvider;
+ import org.bouncycastle.util.Strings;
+diff --git a/src/org/bouncycastle/jcajce/provider/util/BadBlockException.java b/src/org/bouncycastle/jcajce/provider/util/BadBlockException.java
+new file mode 100644
+index 0000000..e2a8d63
+--- /dev/null
++++ b/src/org/bouncycastle/jcajce/provider/util/BadBlockException.java
+@@ -0,0 +1,21 @@
++package org.bouncycastle.jcajce.provider.util;
++
++import javax.crypto.BadPaddingException;
++
++public class BadBlockException
++ extends BadPaddingException
++{
++ private final Throwable cause;
++
++ public BadBlockException(String msg, Throwable cause)
++ {
++ super(msg);
++
++ this.cause = cause;
++ }
++
++ public Throwable getCause()
++ {
++ return cause;
++ }
++}
=====================================
debian/patches/CVE-2016-1000346.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2016-1000346.patch
@@ -0,0 +1,137 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 11 Jun 2018 13:15:18 +0200
+Subject: CVE-2016-1000346
+
+Origin: https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495
+---
+ .../bouncycastle/crypto/agreement/DHAgreement.java | 14 +++++++++++---
+ .../crypto/agreement/DHBasicAgreement.java | 10 +++++++++-
+ src/org/bouncycastle/crypto/engines/IESEngine.java | 4 ++++
+ .../provider/asymmetric/dh/KeyAgreementSpi.java | 21 ++++++++++++++++-----
+ 4 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/src/org/bouncycastle/crypto/agreement/DHAgreement.java b/src/org/bouncycastle/crypto/agreement/DHAgreement.java
+index 021a715..84c5839 100644
+--- a/src/org/bouncycastle/crypto/agreement/DHAgreement.java
++++ b/src/org/bouncycastle/crypto/agreement/DHAgreement.java
+@@ -6,11 +6,11 @@ import java.security.SecureRandom;
+ import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+ import org.bouncycastle.crypto.CipherParameters;
+ import org.bouncycastle.crypto.generators.DHKeyPairGenerator;
++import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+ import org.bouncycastle.crypto.params.DHKeyGenerationParameters;
+ import org.bouncycastle.crypto.params.DHParameters;
+-import org.bouncycastle.crypto.params.DHPublicKeyParameters;
+ import org.bouncycastle.crypto.params.DHPrivateKeyParameters;
+-import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
++import org.bouncycastle.crypto.params.DHPublicKeyParameters;
+ import org.bouncycastle.crypto.params.ParametersWithRandom;
+
+ /**
+@@ -26,6 +26,8 @@ import org.bouncycastle.crypto.params.ParametersWithRandom;
+ */
+ public class DHAgreement
+ {
++ private static final BigInteger ONE = BigInteger.valueOf(1);
++
+ private DHPrivateKeyParameters key;
+ private DHParameters dhParams;
+ private BigInteger privateValue;
+@@ -89,6 +91,12 @@ public class DHAgreement
+
+ BigInteger p = dhParams.getP();
+
+- return message.modPow(key.getX(), p).multiply(pub.getY().modPow(privateValue, p)).mod(p);
++ BigInteger result = pub.getY().modPow(privateValue, p);
++ if (result.compareTo(ONE) == 0)
++ {
++ throw new IllegalStateException("Shared key can't be 1");
++ }
++
++ return message.modPow(key.getX(), p).multiply(result).mod(p);
+ }
+ }
+diff --git a/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java b/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java
+index d2e2a09..4dd80d0 100644
+--- a/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java
++++ b/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java
+@@ -20,6 +20,8 @@ import org.bouncycastle.crypto.params.ParametersWithRandom;
+ public class DHBasicAgreement
+ implements BasicAgreement
+ {
++ private static final BigInteger ONE = BigInteger.valueOf(1);
++
+ private DHPrivateKeyParameters key;
+ private DHParameters dhParams;
+
+@@ -66,6 +68,12 @@ public class DHBasicAgreement
+ throw new IllegalArgumentException("Diffie-Hellman public key has wrong parameters.");
+ }
+
+- return pub.getY().modPow(key.getX(), dhParams.getP());
++ BigInteger result = pub.getY().modPow(key.getX(), dhParams.getP());
++ if (result.compareTo(ONE) == 0)
++ {
++ throw new IllegalStateException("Shared key can't be 1");
++ }
++
++ return result;
+ }
+ }
+diff --git a/src/org/bouncycastle/crypto/engines/IESEngine.java b/src/org/bouncycastle/crypto/engines/IESEngine.java
+index ea8556d..5a9976c 100755
+--- a/src/org/bouncycastle/crypto/engines/IESEngine.java
++++ b/src/org/bouncycastle/crypto/engines/IESEngine.java
+@@ -363,6 +363,10 @@ public class IESEngine
+ {
+ throw new InvalidCipherTextException("unable to recover ephemeral public key: " + e.getMessage(), e);
+ }
++ catch (IllegalArgumentException e)
++ {
++ throw new InvalidCipherTextException("unable to recover ephemeral public key: " + e.getMessage(), e);
++ }
+
+ int encLength = (inLen - bIn.available());
+ this.V = Arrays.copyOfRange(in, inOff, inOff + encLength);
+diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java
+index c9462a6..62a8d68 100644
+--- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java
++++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java
+@@ -27,6 +27,9 @@ import org.bouncycastle.util.Strings;
+ public class KeyAgreementSpi
+ extends javax.crypto.KeyAgreementSpi
+ {
++ private static final BigInteger ONE = BigInteger.valueOf(1);
++ private static final BigInteger TWO = BigInteger.valueOf(2);
++
+ private BigInteger x;
+ private BigInteger p;
+ private BigInteger g;
+@@ -84,14 +87,22 @@ public class KeyAgreementSpi
+ throw new InvalidKeyException("DHPublicKey not for this KeyAgreement!");
+ }
+
+- if (lastPhase)
++ BigInteger peerY = ((DHPublicKey)key).getY();
++ if (peerY == null || peerY.compareTo(TWO) < 0
++ || peerY.compareTo(p.subtract(ONE)) >= 0)
+ {
+- result = ((DHPublicKey)key).getY().modPow(x, p);
+- return null;
++ throw new InvalidKeyException("Invalid DH PublicKey");
+ }
+- else
++
++ result = peerY.modPow(x, p);
++ if (result.compareTo(ONE) == 0)
+ {
+- result = ((DHPublicKey)key).getY().modPow(x, p);
++ throw new InvalidKeyException("Shared key can't be 1");
++ }
++
++ if (lastPhase)
++ {
++ return null;
+ }
+
+ return new BCDHPublicKey(result, pubKey.getParams());
=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,10 @@ CVE-2015-7940-1.patch
CVE-2015-7940-2.patch
CVE-2015-7940-3.patch
CVE-2015-6644.patch
+CVE-2016-1000338.patch
+CVE-2016-1000341.patch
+CVE-2016-1000343.patch
+CVE-2016-1000346.patch
+CVE-2016-1000339.patch
+CVE-2016-1000345.patch
+CVE-2016-1000342.patch
View it on GitLab: https://salsa.debian.org/java-team/bouncycastle/commit/e714c18b56c622b104b6376cd98a7f34d581ad54
--
View it on GitLab: https://salsa.debian.org/java-team/bouncycastle/commit/e714c18b56c622b104b6376cd98a7f34d581ad54
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20180707/efa74776/attachment.html>
More information about the pkg-java-commits
mailing list