[Git][java-team/bouncycastle][master] 6 commits: Corrected constant time equals (CVE-2020-28052) (Closes: #977683)

Tony Mancill gitlab at salsa.debian.org
Mon Jan 4 03:25:26 GMT 2021



Tony Mancill pushed to branch master at Debian Java Maintainers / bouncycastle


Commits:
c5e89481 by tony mancill at 2021-01-03T18:35:25-08:00
Corrected constant time equals (CVE-2020-28052) (Closes: #977683)

Thank you to Salvatore Bonaccorso <carnil at debian.org>

- - - - -
730dfa24 by tony mancill at 2021-01-03T18:36:33-08:00
Use debhelper-compat 13

- - - - -
0585da93 by tony mancill at 2021-01-03T18:37:10-08:00
Bump Standards-Version to 4.5.1

- - - - -
23777154 by tony mancill at 2021-01-03T18:38:50-08:00
Use https URLs in copyright, control and watch

- - - - -
d0c25b84 by tony mancill at 2021-01-03T18:58:38-08:00
Set Rules-Requires-Root: no in debian/control

- - - - -
b6adfb4e by tony mancill at 2021-01-03T18:58:38-08:00
prepare changelog for upload to unstable

- - - - -


6 changed files:

- debian/changelog
- debian/control
- debian/copyright
- + debian/patches/corrected-constant-time-equals.patch
- debian/patches/series
- debian/watch


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+bouncycastle (1.65-2) unstable; urgency=medium
+
+  * Team upload
+  * Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
+    Thank you to Salvatore Bonaccorso for the patch.
+  * Bump Standards-Version to 4.5.1
+  * Use https URLs in copyright, control and watch
+  * Use debhelper-compat 13
+  * Set Rules-Requires-Root: no in debian/control
+
+ -- tony mancill <tmancill at debian.org>  Sun, 03 Jan 2021 18:39:32 -0800
+
 bouncycastle (1.65-1) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/control
=====================================
@@ -5,16 +5,17 @@ Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.or
 Uploaders: Emmanuel Bourg <ebourg at apache.org>
 Build-Depends: ant,
                ant-optional,
-               debhelper-compat (= 12),
+               debhelper-compat (= 13),
                default-jdk (>= 1:1.6),
                javahelper,
                junit4,
                libmail-java,
                maven-repo-helper
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Vcs-Git: https://salsa.debian.org/java-team/bouncycastle.git
 Vcs-Browser: https://salsa.debian.org/java-team/bouncycastle
-Homepage: http://www.bouncycastle.org
+Homepage: https://www.bouncycastle.org
+Rules-Requires-Root: no
 
 Package: libbcprov-java
 Architecture: all


=====================================
debian/copyright
=====================================
@@ -1,6 +1,6 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Bouncy Castle Java cryptography APIs
-Source: http://www.bouncycastle.org
+Source: https://www.bouncycastle.org
 Files-Excluded: .classpath
                 .project
                 .gradle


=====================================
debian/patches/corrected-constant-time-equals.patch
=====================================
@@ -0,0 +1,65 @@
+From: David Hook <dgh at cryptoworkshop.com>
+Date: Wed, 28 Oct 2020 09:37:17 +1100
+Subject: corrected constant time equals.
+Origin: https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
+Bug-Debian: https://bugs.debian.org/977683
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28052
+
+---
+ .../crypto/generators/OpenBSDBCrypt.java      |  2 +-
+ .../crypto/test/OpenBSDBCryptTest.java        | 20 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java b/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+index 64391ea039f3..4f3235e629fc 100644
+--- a/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
++++ b/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+@@ -309,7 +309,7 @@ private static boolean doCheckPassword(
+         boolean isEqual = sLength == newBcryptString.length();
+         for (int i = 0; i != sLength; i++)
+         {
+-            isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
++            isEqual &= (bcryptString.charAt(i) == newBcryptString.charAt(i));
+         }
+         return isEqual;
+     }
+diff --git a/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java b/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
+index 8ccb679d88b4..8453d2fdb8a5 100644
+--- a/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
++++ b/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
+@@ -1,5 +1,7 @@
+ package org.bouncycastle.crypto.test;
+ 
++import java.security.SecureRandom;
++
+ import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
+ import org.bouncycastle.util.Strings;
+ import org.bouncycastle.util.test.SimpleTest;
+@@ -199,6 +201,24 @@ public void performTest()
+                 fail("twoBVec mismatch: " + "[" + i + "] " + password);
+             }
+         }
++
++
++        int costFactor = 4;
++        SecureRandom random = new SecureRandom();
++        salt = new byte[16];
++        for (int i = 0; i < 1000; i++)
++        {
++            random.nextBytes(salt);
++            final String tokenString = OpenBSDBCrypt
++                .generate("test-token".toCharArray(), salt, costFactor);
++
++            isTrue(OpenBSDBCrypt.checkPassword(tokenString, "test-token".toCharArray()));
++            isTrue(!OpenBSDBCrypt.checkPassword(tokenString, "wrong-token".toCharArray()));
++        }
+     }
++
++
++
++
+ }
+ 
+-- 
+2.30.0
+
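Review bot: The loop `for (int i = 0; i != sLength; i++)` still executes after the length test on the line above has set `isEqual` to false, and it indexes `newBcryptString.charAt(i)` with the other string's length, so a stored `bcryptString` longer than the freshly generated one would surface as a `StringIndexOutOfBoundsException` rather than a `false` return — unless the length of `bcryptString` is validated earlier in `doCheckPassword`, whose body starts outside the hunk; if it is, a one-line comment above the loop such as `// both strings are fixed-length here; compare every character so timing does not depend on the first mismatch` would make that dependency explicit. A hand-rolled comparison is also exactly what went wrong in the removed line, so delegating to the library's existing constant-time helper, if it is available at this version, would remove the loop entirely: `return Arrays.constantTimeAreEqual(Strings.toByteArray(bcryptString), Strings.toByteArray(newBcryptString));` (the test already imports from `org.bouncycastle.util`). The new test only feeds `checkPassword` strings produced by `generate`, so the length-mismatch branch remains unexercised; one assertion with a truncated or padded hash string would cover it.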


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 02_index.patch
 fix-encoding.patch
 backward-compatibility.patch
+corrected-constant-time-equals.patch


=====================================
debian/watch
=====================================
@@ -1,3 +1,3 @@
 version=4
 opts=mode=git,repack,compression=xz,uversionmangle=s/rv/./g,dversionmangle=s/\+dfsg// \
-http://git.bouncycastle.org/repositories/bc-java refs/tags/r([\drv]+)
+https://git.bouncycastle.org/repositories/bc-java refs/tags/r([\drv]+)


