CVE-2015-6644 #177
Comments
There were a series of commits for GCMBlockCipher in Jan, 2016 that addressed this CVE: https://github.com/bcgit/bc-java/commits/master/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java . We used a slightly different implementation and did not merge the commit you link to.
Hi,
From: Markus Koschany apo@debian.org
src/org/bouncycastle/crypto/modes/GCMBlockCipher.java | 9 +++++++++
diff --git a/src/org/bouncycastle/crypto/modes/GCMBlockCipher.java b/src/org/bouncycastle/crypto/modes/GCMBlockCipher.java
@@ -428,6 +430,7 @@ public class GCMBlockCipher
@@ -494,6 +497,12 @@ public class GCMBlockCipher
This is more readable. https://gist.github.com/apoleon/8289870cacf3e8b107f1082b662da118
The linked gist/patch for 1.49 looks correct to me. I'd be inclined to just copy the entirety of the latest getNextCounterBlock back, since the other changes in that function are to perform a constant-time update of the counter block (but it's unrelated to the CVE). 1.44 is affected and should also be patched. I suggest again copying the latest getNextCounterBlock, adding the blocksRemaining declaration, init, reset lines. Then change (lines 326-341):
to
I'm happy to check a proposed 1.44 patch also.
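The two pieces the review above asks for, the counter-block increment of the later getNextCounterBlock and the blocksRemaining declaration/init/reset, are shown in the following added illustration. This is example code written for this page, not BouncyCastle's own implementation or Debian's patch; the class, method and field names and the constructed IV are assumptions. It demonstrates the point of the guard: the 32-bit counter in bytes 12..15 of the counter block wraps back to its starting value after 2^32 increments, so without a block limit the same keystream blocks would be produced again under the same key and IV, which is the information-disclosure condition the CVE describes.

```java
import java.util.Arrays;

/**
 * Added example, not BouncyCastle code: a GCM counter-block generator with
 * the block-count guard discussed in the thread. Names are assumptions.
 */
public class GcmCounterGuardExample {
    private static final int BLOCK_SIZE = 16;

    private final byte[] counter;   // J0, then J0 + 1, J0 + 2, ... (inc32 only)
    private long blocksRemaining;   // the guard: blocks still allowed for this (key, IV)

    /** J0 for a 96-bit IV is IV || 0x00000001; the first plaintext block uses J0 + 1. */
    public GcmCounterGuardExample(byte[] iv96, long blockLimit) {
        if (iv96.length != 12) {
            throw new IllegalArgumentException("this example only handles 96-bit IVs");
        }
        counter = Arrays.copyOf(iv96, BLOCK_SIZE);
        counter[15] = 1;
        blocksRemaining = blockLimit;   // what init()/reset() would set in a real cipher
    }

    /** GCM allows 2^32 - 2 plaintext blocks per (key, IV); J0 itself is reserved for the tag. */
    public static GcmCounterGuardExample forIv(byte[] iv96) {
        return new GcmCounterGuardExample(iv96, (1L << 32) - 2);
    }

    /** Returns the next counter block, or throws once the limit is exhausted. */
    public byte[] nextCounterBlock() {
        if (blocksRemaining == 0) {
            throw new IllegalStateException("Attempt to process too many blocks");
        }
        blocksRemaining--;
        increment32(counter);
        return counter.clone();
    }

    /** Big-endian increment of bytes 12..15 only; a carry out of byte 12 is dropped. */
    static void increment32(byte[] block) {
        int c = 1;
        for (int i = BLOCK_SIZE - 1; i >= 12; i--) {
            c += block[i] & 0xFF;
            block[i] = (byte) c;
            c >>>= 8;
        }
    }

    public static void main(String[] args) {
        byte[] iv = new byte[12];
        Arrays.fill(iv, (byte) 0xA5);             // constructed IV, not from the page

        // 1. The increment never touches the IV bytes, but the counter itself does wrap.
        byte[] block = Arrays.copyOf(iv, BLOCK_SIZE);
        Arrays.fill(block, 12, 16, (byte) 0xFF);  // counter at 0xFFFFFFFF
        increment32(block);
        System.out.println("IV bytes intact after wrap: "
            + Arrays.equals(Arrays.copyOf(block, 12), iv));
        System.out.println("counter after wrap: "
            + Arrays.toString(Arrays.copyOfRange(block, 12, 16)));   // [0, 0, 0, 0]

        // 2. With a small limit standing in for 2^32 - 2, the guard stops before any reuse.
        GcmCounterGuardExample gen = new GcmCounterGuardExample(iv, 3);
        for (int i = 0; i < 3; i++) {
            gen.nextCounterBlock();
        }
        try {
            gen.nextCounterBlock();
            System.out.println("guard failed");
        } catch (IllegalStateException e) {
            System.out.println("guard tripped: " + e.getMessage());
        }
    }
}
```

The limit of 2^32 - 2 blocks comes from the GCM specification (NIST SP 800-38D bounds the plaintext at 2^39 - 256 bits), which is why the guard is tied to the counter width rather than to any particular cipher. In a real mode implementation the limit is set in init() and reset(), which is the "declaration, init, reset lines" the reviewer refers to.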
@apoleon Isn't gCTRBlock in 1.44 the getNextCounterBlock of later versions (so it's also affected)?
Nope, in the latest code we see:
Thank you for the review and the advice. I followed your recommendation and just used the latest code of the getNextCounterBlock() function. What do you think about the following patches now? 1.44: 1.49:
@apoleon I have reviewed both those patches and both look correct to me.
@peterdettman Thank you very much for your assistance!
Hi,
it seems the fix for the above CVE is not contained in upstream bouncycastle:
https://source.android.com/security/bulletin/2016-01-01.html#information_disclosure_vulnerability_in_bouncy_castle
https://android.googlesource.com/platform/external/bouncycastle/+/3e128c5fea3a0ca2d372aa09c4fd4bb0eadfbd3f
Isn't it needed there as well?