Waterfall/BungeeCord-Patches/0037-Security-enhancements-for-EncryptionUtil.patch
Jamie Mansfield b5d048b57a
Revert to BungeeCord behaviour for the 'not direct byte buf' business
Not worth the time wasted on closing invalid bug reports.
2017-10-23 19:53:51 +01:00

33 lines
1.5 KiB
Diff

From cfeb2afa090f3486d98dd8a83120756acb97e884 Mon Sep 17 00:00:00 2001
From: Tux <write@imaginarycode.com>
Date: Wed, 21 Dec 2016 04:07:26 -0500
Subject: [PATCH] Security enhancements for EncryptionUtil
Use a constant-time comparison in getSecret() and use SecureRandom for EncryptionRequest.
diff --git a/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java b/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
index 871e4ad0..622a21da 100644
--- a/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
+++ b/proxy/src/main/java/net/md_5/bungee/EncryptionUtil.java
@@ -27,7 +27,7 @@ import net.md_5.bungee.protocol.packet.EncryptionRequest;
public class EncryptionUtil
{
- private static final Random random = new Random();
+ private static final Random random = new java.security.SecureRandom(); // Waterfall - use SecureRandom
public static final KeyPair keys;
@Getter
private static final SecretKey secret = new SecretKeySpec( new byte[ 16 ], "AES" );
@@ -61,7 +61,7 @@ public class EncryptionUtil
cipher.init( Cipher.DECRYPT_MODE, keys.getPrivate() );
byte[] decrypted = cipher.doFinal( resp.getVerifyToken() );
- if ( !Arrays.equals( request.getVerifyToken(), decrypted ) )
+ if ( !java.security.MessageDigest.isEqual( request.getVerifyToken(), decrypted ) ) // Waterfall - use constant-time comparison
{
throw new IllegalStateException( "Key pairs do not match!" );
}
--
2.14.1