From a59b7f298e02efd262225e97fe8036c61172aad8 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 13 Oct 2022 17:39:38 +0200 Subject: [PATCH 1/6] bump versions of used gh actions (#33) --- .github/workflows/build.yml | 18 +++++++----------- .github/workflows/codeql-analysis.yml | 16 ++++++---------- .github/workflows/publish-central.yml | 12 ++++-------- .github/workflows/publish-github.yml | 12 ++++-------- 4 files changed, 21 insertions(+), 37 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c58804c..11573e8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,20 +7,16 @@ jobs: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: java-version: 11 - - uses: actions/cache@v2 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- + distribution: 'temurin' + cache: 'maven' - name: Cache SonarCloud packages - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar @@ -47,12 +43,12 @@ jobs: env: CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} continue-on-error: true - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v3 with: name: artifacts path: target/*.jar - name: Create Release - uses: actions/create-release@v1 + uses: actions/create-release@v1 # NOTE: action is unmaintained and repo archived if: startsWith(github.ref, 'refs/tags/') env: GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} # release as "cryptobot" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index cd8fbb5..223b46a 100644 --- a/.github/workflows/codeql-analysis.yml 
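Review bot: The bumped `uses:` references in build.yml (and the same pattern in codeql-analysis.yml, publish-central.yml and publish-github.yml) still point at mutable major tags such as `actions/checkout@v3`, so whoever can move those tags controls code that runs with this repository's secrets; pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v3`, is the usual hardening and still lets Dependabot keep the pins current. This matters most for the `actions/create-release@v1` step in the second hunk, which the hunk itself annotates as unmaintained and archived yet receives `CRYPTOBOT_RELEASE_TOKEN`, a token presumably scoped more broadly than the job's `GITHUB_TOKEN`. The release job's remaining steps continue outside the hunk.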
+++ b/.github/workflows/codeql-analysis.yml @@ -15,23 +15,19 @@ jobs: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 2 - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: java-version: 11 - - uses: actions/cache@v2 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- + distribution: 'temurin' + cache: 'maven' - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: java - name: Build and Test run: mvn -B install -DskipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + uses: github/codeql-action/analyze@v2 \ No newline at end of file diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml index f22b7a9..526cc8d 100644 --- a/.github/workflows/publish-central.yml +++ b/.github/workflows/publish-central.yml 
@@ -10,23 +10,19 @@ jobs: publish: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: ref: "refs/tags/${{ github.event.inputs.tag }}" - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: java-version: 11 + distribution: 'temurin' + cache: 'maven' server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml server-username: MAVEN_USERNAME # env variable for username in deploy server-password: MAVEN_PASSWORD # env variable for token in deploy gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - - uses: actions/cache@v2 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - name: Enforce project version ${{ github.event.inputs.tag }} run: mvn versions:set -B -DnewVersion=${{ github.event.inputs.tag }} - name: Deploy diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml index c74c504..d195008 100644 --- a/.github/workflows/publish-github.yml +++ b/.github/workflows/publish-github.yml 
@@ -7,18 +7,14 @@ jobs: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions steps: - - uses: actions/checkout@v2 - - uses: actions/setup-java@v1 + - uses: actions/checkout@v3 + - uses: actions/setup-java@v3 with: java-version: 11 + distribution: 'temurin' + cache: 'maven' gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - - uses: actions/cache@v2 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - name: Enforce project version ${{ github.event.release.tag_name }} run: mvn versions:set -B -DnewVersion=${{ github.event.release.tag_name }} - name: Deploy From 6c1d9ea31fe38e94485cc4cba0b0559e68da9e0d Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 23 Nov 2022 16:18:40 +0100 Subject: [PATCH 2/6] remove codacy coverage upload --- .github/workflows/build.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 11573e8..2c4e4a0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,12 +37,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: Upload code coverage report - id: codacyCoverageReporter - run: bash <(curl -Ls https://coverage.codacy.com/get.sh) - env: - CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} - continue-on-error: true - uses: actions/upload-artifact@v3 with: name: artifacts From 9097dc3aac5290df80734c41464785c60298aa71 Mon Sep 17 00:00:00 2001 From: Sebastian Stenzel Date: Thu, 9 Feb 2023 08:30:05 +0100 Subject: [PATCH 3/6] fixed incorrect `TAG_POS` (fortunately unused) --- .../java/org/cryptomator/cryptolib/v2/FileHeaderImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderImpl.java b/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderImpl.java
index 6389fd1..39bcbbc 100644
--- a/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderImpl.java
+++ b/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderImpl.java
@@ -19,9 +19,9 @@ class FileHeaderImpl implements FileHeader, Destroyable {
 static final int NONCE_POS = 0;
 static final int NONCE_LEN = Constants.GCM_NONCE_SIZE;
- static final int PAYLOAD_POS = 12;
+ static final int PAYLOAD_POS = NONCE_POS + NONCE_LEN; // 12
 static final int PAYLOAD_LEN = Payload.SIZE;
- static final int TAG_POS = 56;
+ static final int TAG_POS = PAYLOAD_POS + PAYLOAD_LEN; // 52
 static final int TAG_LEN = Constants.GCM_TAG_SIZE;
 static final int SIZE = NONCE_LEN + PAYLOAD_LEN + TAG_LEN;
From e05d909df60c6fe7da31b6ae65f136b92e41937d Mon Sep 17 00:00:00 2001
From: Julian Raufelder
Date: Wed, 8 Mar 2023 11:37:39 +0100
Subject: [PATCH 4/6] Fix decrypting the file content on Android API level pre 29 using GCM
Fixes #35 and see https://issuetracker.google.com/issues/197534888 for more details
---
 .../org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java | 3 ++-
 .../org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java b/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java
index affb486..45e6f79 100644
--- a/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java
+++ b/src/main/java/org/cryptomator/cryptolib/v2/FileContentCryptorImpl.java
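Review bot: `SIZE` on the last context line is still computed as `NONCE_LEN + PAYLOAD_LEN + TAG_LEN`, independently of the offsets this hunk now derives, so the two can drift apart exactly the way the old hard-coded `TAG_POS = 56` did without anything failing; `static final int SIZE = TAG_POS + TAG_LEN;` ties the whole layout to one chain. The trailing `// 12` and `// 52` literals reintroduce hard-coded values in comment form and go stale as soon as `Constants.GCM_NONCE_SIZE` or `Payload.SIZE` changes; either drop them or describe the derivation instead (`// nonce | payload | tag`). Since the commit message says the wrong value was "fortunately unused", a small unit test asserting `PAYLOAD_POS + PAYLOAD_LEN == TAG_POS` and `TAG_POS + TAG_LEN == SIZE` would make the next regression visible. The `FileHeaderImpl` class begins and ends outside the hunk.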
@@ -75,7 +75,8 @@ public void encryptChunk(ByteBuffer cleartextChunk, ByteBuffer ciphertextChunk,
 @Override
 public ByteBuffer decryptChunk(ByteBuffer ciphertextChunk, long chunkNumber, FileHeader header, boolean authenticate) throws AuthenticationFailedException {
- ByteBuffer cleartextChunk = ByteBuffer.allocate(PAYLOAD_SIZE);
+ // FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE is required to fix a bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888 and #35
+ ByteBuffer cleartextChunk = ByteBuffer.allocate(PAYLOAD_SIZE + GCM_TAG_SIZE);
 decryptChunk(ciphertextChunk, cleartextChunk, chunkNumber, header, authenticate);
 cleartextChunk.flip();
 return cleartextChunk;
diff --git a/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java b/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java
index e17d85b..35bebc1 100644
--- a/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java
+++ b/src/main/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImpl.java
@@ -90,7 +90,7 @@ public FileHeader decryptHeader(ByteBuffer ciphertextHeaderBuf) throws Authentic
 buf.position(FileHeaderImpl.PAYLOAD_POS);
 buf.get(ciphertextAndTag);
- // FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE is required to fix a bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888
+ // FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE is required to fix a bug in Android API level pre 29, see https://issuetracker.google.com/issues/197534888 and #24
 ByteBuffer payloadCleartextBuf = ByteBuffer.allocate(FileHeaderImpl.Payload.SIZE + GCM_TAG_SIZE);
 try (DestroyableSecretKey ek = masterkey.getEncKey()) {
 // decrypt payload:
From 4e31711c71c047b666aacf0da5236c25bc00f1a3 Mon Sep 17 00:00:00 2001
From: Julian Raufelder
Date: Wed, 8 Mar 2023 12:23:37 +0100
Subject: [PATCH 5/6] Suppress false positive
---
 suppression.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
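Review bot: The comment added above the allocation in `decryptChunk` names `FileHeaderImpl.Payload.SIZE`, but the line beneath it allocates `PAYLOAD_SIZE + GCM_TAG_SIZE`; the text appears to have been copied from `FileHeaderCryptorImpl.decryptHeader` and now describes the wrong constant, and the two copies also cite different issues (`#35` here, `#24` in the second hunk) for what reads as the same workaround, so align them if one issue is meant. Suggested wording: `// allocate GCM_TAG_SIZE extra bytes to work around a GCM decryption bug on Android API level < 29, see https://issuetracker.google.com/issues/197534888 and #35`. It is worth saying in that comment that the returned buffer's capacity now exceeds the cleartext and only the limit set by `flip()` is meaningful, so callers must rely on `remaining()` rather than `capacity()`. The closing brace of this `decryptChunk` overload is outside the hunk, and the inner `decryptChunk(...)` it delegates to is not visible here.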
diff --git a/suppression.xml b/suppression.xml index ebb877b..b4e9da1 100644 --- a/suppression.xml +++ b/suppression.xml @@ -9,4 +9,13 @@ cpe:/a:cryptomator:cryptomator CVE-2022-25366 + + + + ^pkg:maven/com\.google\.guava/guava@.*$ + CVE-2020-8908 + CVE-2020-8908 + \ No newline at end of file From 6e3fe63d578ded778b37bdd13c55a501965c7a09 Mon Sep 17 00:00:00 2001 From: Julian Raufelder Date: Wed, 8 Mar 2023 15:57:19 +0100 Subject: [PATCH 6/6] Prepare 2.1.2 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d187077..a1bd32d 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 org.cryptomator cryptolib - 2.2.0-SNAPSHOT + 2.1.2 Cryptomator Crypto Library This library contains all cryptographic functions that are used by Cryptomator. https://github.com/cryptomator/cryptolib
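Review bot: The new suppression for `CVE-2020-8908` matches every guava version through `^pkg:maven/com\.google\.guava/guava@.*$` and, in the text that survives extraction, carries no justification sentence and no expiry, so it will keep suppressing silently after guava is upgraded or after code starts calling the affected API. dependency-check's `<suppress>` element accepts an `until="YYYY-MM-DD"` attribute; adding one, e.g. `<suppress until="<review-date>">`, plus a `<notes>` line stating why the finding does not apply to this library (presumably the vulnerable temp-directory API is never called — confirm) would make the entry auditable, which the commit title "Suppress false positive" alone does not. Narrowing the regex to the guava version actually declared in pom.xml would also force a re-check on upgrade. The file's closing element and the missing trailing newline flagged by the hunk are outside this review's scope.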