Assorted security improvements

We should consider using a stronger RSA key as well.
2025-02-17 20:31:22 +01:00 · 2016-12-21 04:09:09 -05:00 · 2016-12-21 04:09:09 -05:00 · 41ec1b302a
commit 41ec1b302a
parent 6fc2170f21
1 changed files with 32 additions and 0 deletions
--- a/BungeeCord-Patches/0041-Security-enhancements-for-EncryptionUtil.patch
+++ b/BungeeCord-Patches/0041-Security-enhancements-for-EncryptionUtil.patch
@ -0,0 +1,32 @@
+From 55ff4996e61c50acad85f3e3609c6563e2acc3ee Mon Sep 17 00:00:00 2001
+From: Tux <write@imaginarycode.com>
+Date: Wed, 21 Dec 2016 04:07:26 -0500
+Subject: [PATCH] Security enhancements for EncryptionUtil
+
+Use a constant-time comparison in getSecret() and use SecureRandom for EncryptionRequest.
+
+diff --git a/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java b/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
+index 871e4ad..622a21d 100644
+--- a/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
+++ b/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
+@@ -27,7 +27,7 @@ import net.md_5.bungee.protocol.packet.EncryptionRequest;
+ public class EncryptionUtil
+ {
+ 
+-    private static final Random random = new Random();
+    private static final Random random = new java.security.SecureRandom(); // Waterfall - use SecureRandom
+     public static final KeyPair keys;
+     @Getter
+     private static final SecretKey secret = new SecretKeySpec( new byte[ 16 ], "AES" );
+@@ -61,7 +61,7 @@ public class EncryptionUtil
+         cipher.init( Cipher.DECRYPT_MODE, keys.getPrivate() );
+         byte[] decrypted = cipher.doFinal( resp.getVerifyToken() );
+ 
+-        if ( !Arrays.equals( request.getVerifyToken(), decrypted ) )
+        if ( !java.security.MessageDigest.isEqual( request.getVerifyToken(), decrypted ) ) // Waterfall - use constant-time comparison
+         {
+             throw new IllegalStateException( "Key pairs do not match!" );
+         }
+-- 
+2.7.4
+