[Git][java-team/bouncycastle][master] 6 commits: Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
Tony Mancill
gitlab at salsa.debian.org
Mon Jan 4 03:25:26 GMT 2021
Tony Mancill pushed to branch master at Debian Java Maintainers / bouncycastle
Commits:
c5e89481 by tony mancill at 2021-01-03T18:35:25-08:00
Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
Thank you to Salvatore Bonaccorso <carnil at debian.org>
- - - - -
730dfa24 by tony mancill at 2021-01-03T18:36:33-08:00
Use debhelper-compat 13
- - - - -
0585da93 by tony mancill at 2021-01-03T18:37:10-08:00
Bump Standards-Version to 4.5.1
- - - - -
23777154 by tony mancill at 2021-01-03T18:38:50-08:00
Use https URLs in copyright, control and watch
- - - - -
d0c25b84 by tony mancill at 2021-01-03T18:58:38-08:00
Set Rules-Requires-Root: no in debian/control
- - - - -
b6adfb4e by tony mancill at 2021-01-03T18:58:38-08:00
prepare changelog for upload to unstable
- - - - -
6 changed files:
- debian/changelog
- debian/control
- debian/copyright
- + debian/patches/corrected-constant-time-equals.patch
- debian/patches/series
- debian/watch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+bouncycastle (1.65-2) unstable; urgency=medium
+
+ * Team upload
+ * Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
+ Thank you to Salvatore Bonaccorso for the patch.
+ * Bump Standards-Version to 4.5.1
+ * Use https URLs in copyright, control and watch
+ * Use debhelper-compat 13
+ * Set Rules-Requires-Root: no in debian/control
+
+ -- tony mancill <tmancill at debian.org> Sun, 03 Jan 2021 18:39:32 -0800
+
bouncycastle (1.65-1) unstable; urgency=medium
* Team upload.
=====================================
debian/control
=====================================
@@ -5,16 +5,17 @@ Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.or
Uploaders: Emmanuel Bourg <ebourg at apache.org>
Build-Depends: ant,
ant-optional,
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
default-jdk (>= 1:1.6),
javahelper,
junit4,
libmail-java,
maven-repo-helper
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
Vcs-Git: https://salsa.debian.org/java-team/bouncycastle.git
Vcs-Browser: https://salsa.debian.org/java-team/bouncycastle
-Homepage: http://www.bouncycastle.org
+Homepage: https://www.bouncycastle.org
+Rules-Requires-Root: no
Package: libbcprov-java
Architecture: all
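--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,6 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Bouncy Castle Java cryptography APIs
-Source: http://www.bouncycastle.org
+Source: https://www.bouncycastle.org
 Files-Excluded: .classpath
  .project
  .gradle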
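--- /dev/null
+++ b/debian/patches/corrected-constant-time-equals.patch
@@ -0,0 +1,65 @@
+From: David Hook <dgh at cryptoworkshop.com>
+Date: Wed, 28 Oct 2020 09:37:17 +1100
+Subject: corrected constant time equals.
+Origin: https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
+Bug-Debian: https://bugs.debian.org/977683
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28052
+
+---
+ .../crypto/generators/OpenBSDBCrypt.java | 2 +-
+ .../crypto/test/OpenBSDBCryptTest.java | 20 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java b/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+index 64391ea039f3..4f3235e629fc 100644
+--- a/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
++++ b/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+@@ -309,7 +309,7 @@ private static boolean doCheckPassword(
+ boolean isEqual = sLength == newBcryptString.length();
+ for (int i = 0; i != sLength; i++)
+ {
+- isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
++ isEqual &= (bcryptString.charAt(i) == newBcryptString.charAt(i));
+ }
+ return isEqual;
+ }
+diff --git a/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java b/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
+index 8ccb679d88b4..8453d2fdb8a5 100644
+--- a/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
++++ b/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
+@@ -1,5 +1,7 @@
+ package org.bouncycastle.crypto.test;
+ 
++import java.security.SecureRandom;
++
+ import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
+ import org.bouncycastle.util.Strings;
+ import org.bouncycastle.util.test.SimpleTest;
+@@ -199,6 +201,24 @@ public void performTest()
+ fail("twoBVec mismatch: " + "[" + i + "] " + password);
+ }
+ }
++
++
++ int costFactor = 4;
++ SecureRandom random = new SecureRandom();
++ salt = new byte[16];
++ for (int i = 0; i < 1000; i++)
++ {
++ random.nextBytes(salt);
++ final String tokenString = OpenBSDBCrypt
++ .generate("test-token".toCharArray(), salt, costFactor);
++
++ isTrue(OpenBSDBCrypt.checkPassword(tokenString, "test-token".toCharArray()));
++ isTrue(!OpenBSDBCrypt.checkPassword(tokenString, "wrong-token".toCharArray()));
++ }
+ }
++
++
++
++
+ }
+ 
+--
+2.30.0
+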
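Review bot: The corrected loop still indexes `newBcryptString.charAt(i)` up to `sLength`, so if the stored hash string were ever longer than the freshly generated one the comparison would throw StringIndexOutOfBoundsException rather than return false; whether `checkPassword` rejects non-60-character input before it reaches `doCheckPassword` is not visible here, and doCheckPassword's signature lies outside the embedded hunk. A shorter way to get length-tolerant, branch-free behaviour without the hand-rolled `&=` loop is `return Arrays.constantTimeAreEqual(Strings.toByteArray(bcryptString), Strings.toByteArray(newBcryptString));` using the helpers the library already ships in org.bouncycastle.util (the accompanying test already imports Strings). The replaced `indexOf(i)` searched both strings for the character with code point i, which for most values of i yields -1 on both sides, so almost any candidate password compared equal — the CVE-2020-28052 bypass this patch closes — and a one-line comment above the loop such as `// must compare every position without early exit; see CVE-2020-28052` would record why the loop has to stay that way. On the test side, the four blank lines added before the closing brace of OpenBSDBCryptTest are noise that a later refresh of the patch could drop, and 1000 bcrypt generations plus 2000 checks per run may be worth trimming once the regression is covered.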
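--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 02_index.patch
 fix-encoding.patch
 backward-compatibility.patch
+corrected-constant-time-equals.patch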
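--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
 version=4
 opts=mode=git,repack,compression=xz,uversionmangle=s/rv/./g,dversionmangle=s/\+dfsg// \
-http://git.bouncycastle.org/repositories/bc-java refs/tags/r([\drv]+)
+https://git.bouncycastle.org/repositories/bc-java refs/tags/r([\drv]+)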