New Upstream Snapshot - golang-github-fernet-fernet-go


Summary

Merged new upstream version: 0.0~git20211208.9f70042+ds (was: 0.0~git20180830.9eac43b).

Resulting package

Built on 2023-01-16T02:30 (took 9m39s)

The resulting binary packages can be installed (if you have the apt repository enabled) by running one of:

apt install -t fresh-snapshots fernet-go
apt install -t fresh-snapshots golang-github-fernet-fernet-go-dev


Diff

diff --git a/debian/changelog b/debian/changelog
index 000544a..bb753b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+golang-github-fernet-fernet-go (0.0~git20211208.9f70042+ds-1) UNRELEASED; urgency=low
+
+  * New upstream snapshot.
+
+ -- Debian Janitor <janitor@jelmer.uk>  Mon, 16 Jan 2023 02:21:19 -0000
+
 golang-github-fernet-fernet-go (0.0~git20180830.9eac43b-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/fernet.go b/fernet.go
index 9e4bcce..b35fdbb 100644
--- a/fernet.go
+++ b/fernet.go
@@ -30,6 +30,7 @@ const (
 	payOffset         = ivOffset + aes.BlockSize
 	overhead          = 1 + 8 + aes.BlockSize + sha256.Size // ver + ts + iv + hmac
 	maxClockSkew      = 60 * time.Second
+	uint64Bytes       = 8
 )
 
 var encoding = base64.URLEncoding
@@ -63,7 +64,7 @@ func decodedLen(n int) int {
 
 // if msg is nil, decrypts in place and returns a slice of tok.
 func verify(msg, tok []byte, ttl time.Duration, now time.Time, k *Key) []byte {
-	if len(tok) < 1 || tok[0] != version {
+	if len(tok) < 1+uint64Bytes || tok[0] != version {
 		return nil
 	}
 	ts := time.Unix(int64(binary.BigEndian.Uint64(tok[1:])), 0)
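Review bot: The new minimum-length guard at the top of verify could use the existing `overhead` constant (1 + 8 + aes.BlockSize + sha256.Size, visible in the first hunk) instead of `1+uint64Bytes`, since no token shorter than that can carry a version byte, timestamp, IV and HMAC: `if len(tok) < overhead || tok[0] != version {`. One check at the entry would make the separate `if n <= 0` guard added in the next hunk unnecessary, and presumably also covers the IV/payload slicing after the HMAC compare — verify's body continues outside the hunk, so confirm that part there. With that change the `uint64Bytes` constant from the first hunk is no longer needed, or can stay purely as documentation of the timestamp width.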
@@ -71,6 +72,9 @@ func verify(msg, tok []byte, ttl time.Duration, now time.Time, k *Key) []byte {
 		return nil
 	}
 	n := len(tok) - sha256.Size
+	if n <= 0 {
+		return nil
+	}
 	var hmac [sha256.Size]byte
 	genhmac(hmac[:0], tok[:n], k.signBytes())
 	if subtle.ConstantTimeCompare(tok[n:], hmac[:]) != 1 {
diff --git a/invalid.json b/invalid.json
index d80e7b4..ec48ecc 100644
--- a/invalid.json
+++ b/invalid.json
@@ -54,5 +54,19 @@
     "now": "1985-10-26T01:20:01-07:00",
     "ttl_sec": 60,
     "secret": "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4="
+  },
+  {
+    "desc": "very short payload size",
+    "token": "gAAAAABdnQ1TUKh2OE_ggbyCIxfg",
+    "now": "1985-10-26T01:20:01-07:00",
+    "ttl_sec": 0,
+    "secret": "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4="
+  },
+  {
+    "desc": "super short payload size",
+    "token": "gAAA",
+    "now": "1985-10-26T01:20:01-07:00",
+    "ttl_sec": 0,
+    "secret": "cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4="
   }
 ]
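Review bot: The two added vectors appear to decode to 21 and 3 bytes, both well below the new `1+uint64Bytes` threshold in verify, so neither exercises the boundary where the timestamp read succeeds but the later HMAC-length check rejects the token. A vector whose token decodes to exactly 9 bytes, and one just short of 9 + sha256.Size, would pin both branches; the `"desc"` strings could also name which check each case is expected to trip.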

Debdiff

File lists identical (after any substitutions)

Control files of package fernet-go: lines which differ (wdiff format)

  • Built-Using: golang-1.19 (= 1.19.5-1)
  • Depends: libc6 (>= 2.34), libgcc-s1 (>= 3.3.1), libgo21

No differences were encountered between the control files of package golang-github-fernet-fernet-go-dev

