2018-07-20 03:30:56 +02:00
|
|
|
From 4c43c251127a974d64a86192d81c32c30f63f01c Mon Sep 17 00:00:00 2001
|
2016-12-21 10:09:09 +01:00
|
|
|
From: Tux <write@imaginarycode.com>
|
|
|
|
Date: Wed, 21 Dec 2016 04:07:26 -0500
|
|
|
|
Subject: [PATCH] Security enhancements for EncryptionUtil
|
|
|
|
|
|
|
|
Use a constant-time comparison in getSecret() and use SecureRandom for EncryptionRequest.
|
|
|
|
|
|
|
|
diff --git a/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java b/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
|
2018-07-18 19:46:20 +02:00
|
|
|
index 0b4732cd..e1ff4afb 100644
|
2016-12-21 10:09:09 +01:00
|
|
|
--- a/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
|
|
|
|
+++ b/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
|
|
|
|
@@ -27,7 +27,7 @@ import net.md_5.bungee.protocol.packet.EncryptionRequest;
|
|
|
|
public class EncryptionUtil
|
|
|
|
{
|
|
|
|
|
|
|
|
- private static final Random random = new Random();
|
|
|
|
+ private static final Random random = new java.security.SecureRandom(); // Waterfall - use SecureRandom
|
|
|
|
public static final KeyPair keys;
|
|
|
|
@Getter
|
|
|
|
private static final SecretKey secret = new SecretKeySpec( new byte[ 16 ], "AES" );
|
|
|
|
@@ -61,7 +61,7 @@ public class EncryptionUtil
|
|
|
|
cipher.init( Cipher.DECRYPT_MODE, keys.getPrivate() );
|
|
|
|
byte[] decrypted = cipher.doFinal( resp.getVerifyToken() );
|
|
|
|
|
|
|
|
- if ( !Arrays.equals( request.getVerifyToken(), decrypted ) )
|
|
|
|
+ if ( !java.security.MessageDigest.isEqual( request.getVerifyToken(), decrypted ) ) // Waterfall - use constant-time comparison
|
|
|
|
{
|
|
|
|
throw new IllegalStateException( "Key pairs do not match!" );
|
|
|
|
}
|
|
|
|
--
|
2018-07-18 19:46:20 +02:00
|
|
|
2.18.0
|
2016-12-21 10:09:09 +01:00
|
|
|
|