Tony Mancill pushed to branch master at Debian Java Maintainers / bouncycastle
Commits:
c5e89481 by tony mancill at 2021-01-03T18:35:25-08:00
Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
Thank you to Salvatore Bonaccorso <[email protected]>
- - - - -
730dfa24 by tony mancill at 2021-01-03T18:36:33-08:00
Use debhelper-compat 13
- - - - -
0585da93 by tony mancill at 2021-01-03T18:37:10-08:00
Bump Standards-Version to 4.5.1
- - - - -
23777154 by tony mancill at 2021-01-03T18:38:50-08:00
Use https URLs in copyright, control and watch
- - - - -
d0c25b84 by tony mancill at 2021-01-03T18:58:38-08:00
Set Rules-Requires-Root: no in debian/control
- - - - -
b6adfb4e by tony mancill at 2021-01-03T18:58:38-08:00
prepare changelog for upload to unstable
- - - - -
6 changed files:
- debian/changelog
- debian/control
- debian/copyright
- + debian/patches/corrected-constant-time-equals.patch
- debian/patches/series
- debian/watch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+bouncycastle (1.65-2) unstable; urgency=medium
+
+ * Team upload
+ * Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
+ Thank you to Salvatore Bonaccorso for the patch.
+ * Bump Standards-Version to 4.5.1
+ * Use https URLs in copyright, control and watch
+ * Use debhelper-compat 13
+ * Set Rules-Requires-Root: no in debian/control
+
+ -- tony mancill <[email protected]> Sun, 03 Jan 2021 18:39:32 -0800
+
 bouncycastle (1.65-1) unstable; urgency=medium
 
 * Team upload.
=====================================
debian/control
=====================================
@@ -5,16 +5,17 @@ Maintainer: Debian Java Maintainers <[email protected]
 Uploaders: Emmanuel Bourg <[email protected]>
 Build-Depends: ant,
 ant-optional,
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
 default-jdk (>= 1:1.6),
 javahelper,
 junit4,
 libmail-java,
 maven-repo-helper
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Vcs-Git: https://salsa.debian.org/java-team/bouncycastle.git
 Vcs-Browser: https://salsa.debian.org/java-team/bouncycastle
-Homepage: http://www.bouncycastle.org
+Homepage: https://www.bouncycastle.org
+Rules-Requires-Root: no
 
 Package: libbcprov-java
 Architecture: all
=====================================
debian/copyright
=====================================
@@ -1,6 +1,6 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Bouncy Castle Java cryptography APIs
-Source: http://www.bouncycastle.org
+Source: https://www.bouncycastle.org
 Files-Excluded: .classpath
 .project
 .gradle
=====================================
debian/patches/corrected-constant-time-equals.patch
=====================================
@@ -0,0 +1,65 @@
+From: David Hook <[email protected]>
+Date: Wed, 28 Oct 2020 09:37:17 +1100
+Subject: corrected constant time equals.
+Origin: https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
+Bug-Debian: https://bugs.debian.org/977683
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28052
+
+---
+ .../crypto/generators/OpenBSDBCrypt.java | 2 +-
+ .../crypto/test/OpenBSDBCryptTest.java | 20 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java b/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+index 64391ea039f3..4f3235e629fc 100644
+--- a/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
++++ b/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java
+@@ -309,7 +309,7 @@ private static boolean doCheckPassword(
+ boolean isEqual = sLength == newBcryptString.length();
+ for (int i = 0; i != sLength; i++)
+ {
+- isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
++ isEqual &= (bcryptString.charAt(i) == newBcryptString.charAt(i));
+ }
+ return isEqual;
+ }
+diff --git a/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java b/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
+index 8ccb679d88b4..8453d2fdb8a5 100644
+--- a/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
++++ b/core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java
+@@ -1,5 +1,7 @@
+ package org.bouncycastle.crypto.test;
+
++import java.security.SecureRandom;
++
+ import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
+ import org.bouncycastle.util.Strings;
+ import org.bouncycastle.util.test.SimpleTest;
+@@ -199,6 +201,24 @@ public void performTest()
+ fail("twoBVec mismatch: " + "[" + i + "] " + password);
+ }
+ }
++
++
++ int costFactor = 4;
++ SecureRandom random = new SecureRandom();
++ salt = new byte[16];
++ for (int i = 0; i < 1000; i++)
++ {
++ random.nextBytes(salt);
++ final String tokenString = OpenBSDBCrypt
++ .generate("test-token".toCharArray(), salt, costFactor);
++
++ isTrue(OpenBSDBCrypt.checkPassword(tokenString, "test-token".toCharArray()));
++ isTrue(!OpenBSDBCrypt.checkPassword(tokenString, "wrong-token".toCharArray()));
++ }
+ }
++
++
++
++
+ }
+
+-- 
+2.30.0
+
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 02_index.patch
 fix-encoding.patch
 backward-compatibility.patch
+corrected-constant-time-equals.patch
=====================================
debian/watch
=====================================
@@ -1,3 +1,3 @@
 version=4
 opts=mode=git,repack,compression=xz,uversionmangle=s/rv/./g,dversionmangle=s/\+dfsg// \
-http://git.bouncycastle.org/repositories/bc-java refs/tags/r([\drv]+)
+https://git.bouncycastle.org/repositories/bc-java refs/tags/r([\drv]+)
View it on GitLab: https://salsa.debian.org/java-team/bouncycastle/-/compare/8ee435516b802724d65ee49fdc5be87a15cb7993...b6adfb4e66a552f4f67ae49a365f2473da390c54
-- 
View it on GitLab: https://salsa.debian.org/java-team/bouncycastle/-/compare/8ee435516b802724d65ee49fdc5be87a15cb7993...b6adfb4e66a552f4f67ae49a365f2473da390c54
You're receiving this email because of your account on salsa.debian.org.
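Review bot: The corrected loop `isEqual &= (bcryptString.charAt(i) == newBcryptString.charAt(i));` still walks all `sLength` positions after the length comparison on the line above has already set `isEqual` to false, so a `newBcryptString` shorter than `sLength` would throw `StringIndexOutOfBoundsException` instead of returning false; `doCheckPassword` begins before the inner hunk, so whether `sLength` comes from `bcryptString` and whether both strings are already pinned to one fixed length cannot be confirmed from the lines shown. A more self-contained form that keeps the constant-time comparison and tolerates unequal lengths is to replace the length check, loop and return with `return Arrays.constantTimeAreEqual(Strings.toByteArray(bcryptString), Strings.toByteArray(newBcryptString));` using the existing `org.bouncycastle.util` helpers rather than a hand-rolled loop. In the added test, `salt = new byte[16];` reassigns a variable declared earlier in `performTest` rather than a local, which ties the new regression block to that earlier declaration; a local `byte[] randomSalt` would keep it independent.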

