From 5eae70dad11060123fb40e65bd897a2d4eea29836d2f818ee8d597d95cc6f817 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez
Date: Mon, 21 Dec 2020 15:42:49 +0000
Subject: [PATCH] Accepting request 857837 from home:pmonrealgonzalez:branches:Java:packages

- Version update to 1.67 [bsc#1180215, CVE-2020-28052]
  * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method
    compared incorrect data when checking the password
  * Defects Fixed:
    - BCJSSE: SunJSSE compatibility fix - override of getChannel()
      removed and 'urgent data' behaviour should now conform to
      what the SunJSSE expects
    - Nested BER data could sometimes cause issues in octet strings
    - Certificates/CRLs with short signatures could cause an exception
      in toString() in the BC X509 Certificate implementation
    - In line with latest changes in the JVM, SignatureSpis which
      don't require parameters now return null on engineGetParameters()
    - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey
      where it can on requests for a KeySpec based on an RSAPrivateKey
    - CMSTypedStream$FullReaderStream now handles zero length reads correctly
    - Unnecessary padding was added on KMAC when the key string was block aligned
    - Zero length data would cause an unexpected exception from RFC5649WrapEngine
    - OpenBSDBcrypt was failing to handle some valid prefixes
  * Additional Features and Functionality
    - Performance improvement of Argon2 and Noekeon
    - A setSessionKeyObfuscation() method has been added to
      PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key
      obfuscation (default is on, method primarily to get around early version
      GPG issues with AES-128 keys)
    - Implemented 'safegcd' constant-time modular inversion (as well as a
      variable-time variant). It has replaced Fermat inversion in all our EC
      code, and BigInteger.modInverse in several other places, particularly
      signers.
This improves side-channel protection, and also gives a significant performance boost - Performance of custom binary ECC curves and Edwards Curves has been improved OBS-URL: https://build.opensuse.org/request/show/857837 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=62 --- ...dk15on-1.66.pom => bcmail-jdk15on-1.67.pom | 6 +- ...-jdk15on-1.66.pom => bcpg-jdk15on-1.67.pom | 4 +- ...dk15on-1.66.pom => bcpkix-jdk15on-1.67.pom | 4 +- ...dk15on-1.66.pom => bcprov-jdk15on-1.67.pom | 2 +- ...jdk15on-1.66.pom => bctls-jdk15on-1.67.pom | 4 +- bouncycastle.changes | 55 ++++++++++++++++++- bouncycastle.spec | 6 +- r1rv66.tar.gz | 3 - r1rv67.tar.gz | 3 + 9 files changed, 70 insertions(+), 17 deletions(-) rename bcmail-jdk15on-1.66.pom => bcmail-jdk15on-1.67.pom (94%) rename bcpg-jdk15on-1.66.pom => bcpg-jdk15on-1.67.pom (96%) rename bcpkix-jdk15on-1.66.pom => bcpkix-jdk15on-1.67.pom (96%) rename bcprov-jdk15on-1.66.pom => bcprov-jdk15on-1.67.pom (97%) rename bctls-jdk15on-1.66.pom => bctls-jdk15on-1.67.pom (95%) delete mode 100644 r1rv66.tar.gz create mode 100644 r1rv67.tar.gz diff --git a/bcmail-jdk15on-1.66.pom b/bcmail-jdk15on-1.67.pom similarity index 94% rename from bcmail-jdk15on-1.66.pom rename to bcmail-jdk15on-1.67.pom index 7e62b4e..c49b077 100644 --- a/bcmail-jdk15on-1.66.pom +++ b/bcmail-jdk15on-1.67.pom @@ -5,7 +5,7 @@ bcmail-jdk15on jar Bouncy Castle S/MIME API - 1.66 + 1.67 The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed. http://www.bouncycastle.org/java.html @@ -33,13 +33,13 @@ org.bouncycastle bcprov-jdk15on - 1.66 + 1.67 jar org.bouncycastle bcpkix-jdk15on - 1.66 + 1.67 jar 
diff --git a/bcpg-jdk15on-1.66.pom b/bcpg-jdk15on-1.67.pom similarity index 96% rename from bcpg-jdk15on-1.66.pom rename to bcpg-jdk15on-1.67.pom index 22a5756..f8d72b6 100644 --- a/bcpg-jdk15on-1.66.pom +++ b/bcpg-jdk15on-1.67.pom @@ -5,7 +5,7 @@ bcpg-jdk15on jar Bouncy Castle OpenPGP API - 1.66 + 1.67 The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. http://www.bouncycastle.org/java.html @@ -38,7 +38,7 @@ org.bouncycastle bcprov-jdk15on - 1.66 + 1.67 jar diff --git a/bcpkix-jdk15on-1.66.pom b/bcpkix-jdk15on-1.67.pom similarity index 96% rename from bcpkix-jdk15on-1.66.pom rename to bcpkix-jdk15on-1.67.pom index bf78f69..31481bc 100644 --- a/bcpkix-jdk15on-1.66.pom +++ b/bcpkix-jdk15on-1.67.pom @@ -5,7 +5,7 @@ bcpkix-jdk15on jar Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs - 1.66 + 1.67 The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. http://www.bouncycastle.org/java.html @@ -33,7 +33,7 @@ org.bouncycastle bcprov-jdk15on - 1.66 + 1.67 jar diff --git a/bcprov-jdk15on-1.66.pom b/bcprov-jdk15on-1.67.pom similarity index 97% rename from bcprov-jdk15on-1.66.pom rename to bcprov-jdk15on-1.67.pom index 563a0d5..4c14cc8 100644 --- a/bcprov-jdk15on-1.66.pom +++ b/bcprov-jdk15on-1.67.pom @@ -5,7 +5,7 @@ bcprov-jdk15on jar Bouncy Castle Provider - 1.66 + 1.67 The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up. http://www.bouncycastle.org/java.html 
diff --git a/bctls-jdk15on-1.66.pom b/bctls-jdk15on-1.67.pom similarity index 95% rename from bctls-jdk15on-1.66.pom rename to bctls-jdk15on-1.67.pom index e1c8bb2..4dbf15d 100644 --- a/bctls-jdk15on-1.66.pom +++ b/bctls-jdk15on-1.67.pom @@ -5,7 +5,7 @@ bctls-jdk15on jar Bouncy Castle JSSE provider and TLS/DTLS API - 1.66 + 1.67 The Bouncy Castle Java APIs for TLS and DTLS, including a provider for the JSSE. http://www.bouncycastle.org/java.html @@ -33,7 +33,7 @@ org.bouncycastle bcprov-jdk15on - 1.66 + 1.67 jar diff --git a/bouncycastle.changes b/bouncycastle.changes index 95aa50c..de9d334 100644 --- a/bouncycastle.changes +++ b/bouncycastle.changes 
@@ -1,3 +1,56 @@ +------------------------------------------------------------------- +Mon Dec 21 10:54:33 UTC 2020 - Pedro Monreal + +- Version update to 1.67 [bsc#1180215, CVE-2020-28052] + * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method + compared incorrect data when checking the password + * Defects Fixed: + - BCJSSE: SunJSSE compatibility fix - override of getChannel() + removed and 'urgent data' behaviour should now conform to + what the SunJSSE expects + - Nested BER data could sometimes cause issues in octet strings + - Certificates/CRLs with short signatures could cause an exception + in toString() in the BC X509 Certificate implmentation + - In line with latest changes in the JVM, SignatureSpis which + don't require parameters now return null on engineGetParameters() + - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey + where it can on requests for a KeySpec based on an RSAPrivateKey + - CMSTypedStream$FullReaderStream now handles zero length reads correctly + - Unecessary padding was added on KMAC when the key string was block aligned + - Zero length data would cause an unexpected exception from RFC5649WrapEngine + - OpenBSDBcrypt was failing to handle some valid prefixes + * Additional Features and Functionality + - Performance improvement of Argon2 and Noekeon + - A setSessionKeyObfuscation() method has been added to + PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key + obfuscation (default is on, method primarily to get around early version + GPG issues with AES-128 keys) + - Implemented 'safegcd' constant-time modular inversion (as well as a + variable-time variant). It has replaced Fermat inversion in all our EC + code, and BigInteger.modInverse in several other places, particularly + signers. 
This improves side-channel protection, and also gives a + significant performance boost + - Performance of custom binary ECC curves and Edwards Curves has been improved + - BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' + allows to disable ExtendedKeyUsage restrictions when selecting credentials + (although the peer may still complain) + - Initial support has been added for "Composite Keys and Signatures For Use + In Internet PKI" using the test OID. Please note there will be further + refinements to this as the draft is standardised + - The BC EdDSA signature API now supports keys implementing all methods on + the EdECKey and XECKey interfaces directly + - Work has begun on classes to support the ETSI TS 103 097, Intelligent + Transport Systems (ITS) in the bcpkix package + - Further optimization work has been done on GCM + - A NewHope based processor, similar to the one for Key Agreement has been + added for trying to "quantum hard" KEM algorithms + - PGP clear signed signatures now support SHA-224 + - Treating absent vs NULL as equivalent can now be configured by a system + property. By default this is not enabled + - Mode name checks in Cipher strings should now make sure an improper mode + name always results in a NoSuchAlgorithmException + - In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding + ------------------------------------------------------------------- Tue Jul 28 18:50:39 UTC 2020 - Pedro Monreal @@ -134,7 +187,7 @@ Thu Oct 10 16:29:27 UTC 2019 - Pedro Monreal Gonzalez
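Review bot: In the bouncycastle.changes hunk, the CVE-2020-28052 entry says only that OpenBSDBCrypt.checkPassword "compared incorrect data when checking the password"; it does not tell a packager or downstream user which package versions are affected, so I would add one line naming the affected range and stating that 1.67 is the fixed version. The same entry carries two typos that will ship in the package changelog, "implmentation" and "Unecessary", and "allows to disable ExtendedKeyUsage restrictions" reads better as "allows disabling".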
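Review bot: The diffstat swaps r1rv66.tar.gz for r1rv67.tar.gz (delete mode / create mode 100644, 3 lines each), and none of the 9 changed files is a detached signature or checksum file, so nothing in this patch lets a reviewer confirm that the new source archive matches the upstream 1.67 release. Since this update is the fix for CVE-2020-28052, I would record how the tarball was obtained and verified, for example by carrying the upstream signature and keyring as additional sources in bouncycastle.spec or by stating the archive checksum in the request.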
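Review bot: In the pom hunks the version literal is bumped in several independent places (three in bcmail-jdk15on: the artifact itself plus its bcprov-jdk15on and bcpkix-jdk15on dependencies; two each in bcpg, bcpkix and bctls), so a missed occurrence would leave a module still depending on the 1.66 provider that this update replaces. The visible hunks are consistent, every 1.66 becomes 1.67, but a search for the string 1.66 across the five renamed poms and bouncycastle.spec before accepting would confirm nothing remains outside the diff context.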