diff -Nru node-crypto-browserify-3.11.1/debian/changelog node-crypto-browserify-3.12.0/debian/changelog
--- node-crypto-browserify-3.11.1/debian/changelog 2018-02-20 08:19:17.000000000 +0000
+++ node-crypto-browserify-3.12.0/debian/changelog 2018-03-21 11:36:00.000000000 +0000
@@ -1,8 +1,23 @@
-node-crypto-browserify (3.11.1-1ubuntu1) bionic; urgency=medium
+node-crypto-browserify (3.12.0-3) unstable; urgency=medium
 
- * debian/tests/control: suppress a failure caused by a deprecation warning.
+ * Remove node-diffie-hellman dependency (last upload only removed build
+ dependency)
 
- -- Steve Langasek Tue, 20 Feb 2018 00:19:17 -0800
+ -- Pirate Praveen Wed, 21 Mar 2018 17:06:00 +0530
+
+node-crypto-browserify (3.12.0-2) unstable; urgency=medium
+
+ * Remove diffie hellman support (its insecure, see #860939)
+
+ -- Pirate Praveen Sat, 17 Mar 2018 17:40:36 +0530
+
+node-crypto-browserify (3.12.0-1) unstable; urgency=medium
+
+ * New upstream version 3.12.0
+ * Add node-randomfill as dependency
+ * BUmp standards version to 4.1.3 and debhelper compat to 11
+
+ -- Pirate Praveen Tue, 27 Feb 2018 12:46:14 +0530
 
 node-crypto-browserify (3.11.1-1) unstable; urgency=medium
 
diff -Nru node-crypto-browserify-3.11.1/debian/compat node-crypto-browserify-3.12.0/debian/compat
--- node-crypto-browserify-3.11.1/debian/compat 2017-12-30 09:53:17.000000000 +0000
+++ node-crypto-browserify-3.12.0/debian/compat 2018-03-21 11:36:00.000000000 +0000
@@ -1 +1 @@
-9
+11
diff -Nru node-crypto-browserify-3.11.1/debian/control node-crypto-browserify-3.12.0/debian/control
--- node-crypto-browserify-3.11.1/debian/control 2018-02-20 08:19:17.000000000 +0000
+++ node-crypto-browserify-3.12.0/debian/control 2018-03-21 11:36:00.000000000 +0000
@@ -1,27 +1,26 @@
 Source: node-crypto-browserify
 Section: javascript
 Priority: optional
-Maintainer: Ubuntu Developers
-XSBC-Original-Maintainer: Debian Javascript Maintainers
+Maintainer: Debian Javascript Maintainers
 Uploaders: Pirate Praveen
 Build-Depends:
- debhelper (>= 9)
- , dh-buildinfo
+ debhelper (>= 11~)
 , nodejs
 , node-tape
 , node-pseudorandombytes
 , node-hash-test-vectors
- , node-randombytes (>= 2.0.0)
- , node-create-hmac (>= 1.1.0)
- , node-browserify-sign (>= 4.0.0)
- , node-diffie-hellman (>= 5.0.0)
- , node-create-hash (>= 1.1.0)
 , node-browserify-cipher (>= 1.0.0)
+ , node-browserify-sign (>= 4.0.0)
 , node-create-ecdh (>= 4.0.0)
- , node-pbkdf2 (>= 3.0.3)
+ , node-create-hash (>= 1.1.0)
+ , node-create-hmac (>= 1.1.0)
+# , node-diffie-hellman (>= 5.0.0)
 , node-inherits (>= 2.0.1)
+ , node-pbkdf2 (>= 3.0.3)
 , node-public-encrypt (>= 4.0.0)
-Standards-Version: 4.1.2
+ , node-randombytes (>= 2.0.0)
+ , node-randomfill (>= 1.0.3)
+Standards-Version: 4.1.3
 Homepage: https://github.com/crypto-browserify/crypto-browserify
 Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-crypto-browserify.git
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-crypto-browserify.git
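Review bot: The commented-out `# , node-diffie-hellman (>= 5.0.0)` entry in the Build-Depends of debian/control carries no reason, so a later maintainer cannot tell whether it was disabled on purpose or simply left behind. Either delete the line or put the reason next to it, for example `# node-diffie-hellman dropped together with remove-diffie-hellman-support.patch, see #860939`. The same commented entry appears in the binary package's Depends in the second hunk of this file. Packages that call the Diffie-Hellman entry points of this module would presumably break at runtime once the exports are gone, so it is worth recording in the changelog that reverse dependencies were checked.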
@@ -31,16 +30,17 @@
 Depends:
 ${misc:Depends}
 , nodejs
- , node-randombytes (>= 2.0.0)
- , node-create-hmac (>= 1.1.0)
- , node-browserify-sign (>= 4.0.0)
- , node-diffie-hellman (>= 5.0.0)
- , node-create-hash (>= 1.1.0)
 , node-browserify-cipher (>= 1.0.0)
+ , node-browserify-sign (>= 4.0.0)
 , node-create-ecdh (>= 4.0.0)
- , node-pbkdf2 (>= 3.0.3)
+ , node-create-hash (>= 1.1.0)
+ , node-create-hmac (>= 1.1.0)
+# , node-diffie-hellman (>= 5.0.0)
 , node-inherits (>= 2.0.1)
+ , node-pbkdf2 (>= 3.0.3)
 , node-public-encrypt (>= 4.0.0)
+ , node-randombytes (>= 2.0.0)
+ , node-randomfill (>= 1.0.3)
 Description: implementation of crypto for the browser
 This library is an implementation of node's crypto for the browser.
 .
diff -Nru node-crypto-browserify-3.11.1/debian/patches/remove-diffie-hellman-support.patch node-crypto-browserify-3.12.0/debian/patches/remove-diffie-hellman-support.patch
--- node-crypto-browserify-3.11.1/debian/patches/remove-diffie-hellman-support.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-crypto-browserify-3.12.0/debian/patches/remove-diffie-hellman-support.patch 2018-03-21 11:36:00.000000000 +0000
@@ -0,0 +1,31 @@
+https://github.com/crypto-browserify/diffie-hellman/issues/22
+
+--- a/index.js
++++ b/index.js
+@@ -28,14 +28,6 @@
+ exports.getCiphers = aes.getCiphers
+ exports.listCiphers = aes.listCiphers
+
+-var dh = require('diffie-hellman')
+-
+-exports.DiffieHellmanGroup = dh.DiffieHellmanGroup
+-exports.createDiffieHellmanGroup = dh.createDiffieHellmanGroup
+-exports.getDiffieHellman = dh.getDiffieHellman
+-exports.createDiffieHellman = dh.createDiffieHellman
+-exports.DiffieHellman = dh.DiffieHellman
+-
+ var sign = require('browserify-sign')
+
+ exports.createSign = sign.createSign
+--- a/test/index.js
++++ b/test/index.js
+@@ -1,9 +1,6 @@
+
+ require('./create-hash')
+ require('./create-hmac')
+-if (!process.browser) {
+- require('./dh')
+-}
+
+ require('./pbkdf2')
+ try {
diff -Nru node-crypto-browserify-3.11.1/debian/patches/series node-crypto-browserify-3.12.0/debian/patches/series
--- node-crypto-browserify-3.11.1/debian/patches/series 2018-02-20 08:19:17.000000000 +0000
+++ node-crypto-browserify-3.12.0/debian/patches/series 2018-03-21 11:36:00.000000000 +0000
@@ -1 +1,2 @@
 test-with-unknown-ciphers.patch
+remove-diffie-hellman-support.patch
diff -Nru node-crypto-browserify-3.11.1/index.js node-crypto-browserify-3.12.0/index.js
--- node-crypto-browserify-3.11.1/index.js 2017-12-30 10:16:50.000000000 +0000
+++ node-crypto-browserify-3.12.0/index.js 2017-11-02 15:21:18.000000000 +0000
@@ -65,6 +65,11 @@
 // }
 // })
 
+var rf = require('randomfill')
+
+exports.randomFill = rf.randomFill
+exports.randomFillSync = rf.randomFillSync
+
 exports.createCredentials = function () {
 throw new Error([
 'sorry, createCredentials is not implemented yet',
diff -Nru node-crypto-browserify-3.11.1/package.json node-crypto-browserify-3.12.0/package.json
--- node-crypto-browserify-3.11.1/package.json 2017-12-30 10:16:50.000000000 +0000
+++ node-crypto-browserify-3.12.0/package.json 2017-11-02 15:21:18.000000000 +0000
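Review bot: In debian/patches/remove-diffie-hellman-support.patch the five Diffie-Hellman exports are deleted outright, so a caller of `crypto.createDiffieHellman(...)` gets a bare TypeError about an undefined function, with no hint that the removal is deliberate. The index.js hunk further down shows the module's own convention for unavailable features, `exports.createCredentials` throwing an explanatory Error. The same shape would fit each removed name, e.g. `exports.createDiffieHellman = function () { throw new Error('createDiffieHellman is disabled in this build, see Debian bug #860939') }`. The patch header is also only a URL; a `Description:` line stating why the feature is removed and a `Bug-Debian:` reference to #860939 would let the next upload judge whether the patch can be dropped.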
@@ -2,7 +2,7 @@
 "author": "Dominic Tarr (dominictarr.com)",
 "name": "crypto-browserify",
 "description": "implementation of crypto for the browser",
- "version": "3.11.1",
+ "version": "3.12.0",
 "homepage": "https://github.com/crypto-browserify/crypto-browserify",
 "repository": {
 "type": "git",
@@ -27,11 +27,13 @@
 "inherits": "^2.0.1",
 "pbkdf2": "^3.0.3",
 "public-encrypt": "^4.0.0",
- "randombytes": "^2.0.0"
+ "randombytes": "^2.0.0",
+ "randomfill": "^1.0.3"
 },
 "devDependencies": {
 "hash-test-vectors": "~1.3.2",
 "pseudorandombytes": "^2.0.0",
+ "safe-buffer": "^5.1.1",
 "standard": "^5.0.2",
 "tape": "~2.3.2",
 "zuul": "^3.6.0"
diff -Nru node-crypto-browserify-3.11.1/test/index.js node-crypto-browserify-3.12.0/test/index.js
--- node-crypto-browserify-3.11.1/test/index.js 2017-12-30 10:16:50.000000000 +0000
+++ node-crypto-browserify-3.12.0/test/index.js 2017-11-02 15:21:18.000000000 +0000
@@ -12,6 +12,7 @@
 require('./public-encrypt')
 require('./random-bytes')
 require('./sign')
+ require('./random-fill')
 } catch (e) {
 console.log('no secure rng avaiable')
 }
diff -Nru node-crypto-browserify-3.11.1/test/random-fill.js node-crypto-browserify-3.12.0/test/random-fill.js
--- node-crypto-browserify-3.11.1/test/random-fill.js 1970-01-01 00:00:00.000000000 +0000
+++ node-crypto-browserify-3.12.0/test/random-fill.js 2017-11-02 15:21:18.000000000 +0000
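Review bot: In test/index.js the new `require('./random-fill')` sits inside the existing try block, whose catch prints 'no secure rng avaiable' for every exception. Any load-time failure of the new test file, for instance a missing `safe-buffer` dev dependency, would be reported as an absent RNG and the run would carry on without the randomFill tests. The try statement starts outside this hunk. Narrowing the catch would keep real failures visible, e.g. `if (!/not supported/.test(e.message)) throw e`, assuming the RNG-missing error carries the "not supported" text that test/random-fill.js checks for.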
@@ -0,0 +1,53 @@
+var test = require('tape')
+var crypto = require('../')
+var Buffer = require('safe-buffer').Buffer
+
+test('get error message', function (t) {
+ try {
+ var b = crypto.randomFillSync(Buffer.alloc(10))
+ t.ok(Buffer.isBuffer(b))
+ t.end()
+ } catch (err) {
+ t.ok(/not supported/.test(err.message), '"not supported" is in error message')
+ t.end()
+ }
+})
+
+test('randomfill', function (t) {
+ t.plan(5)
+ t.equal(crypto.randomFillSync(Buffer.alloc(10)).length, 10)
+ t.ok(Buffer.isBuffer(crypto.randomFillSync(Buffer.alloc(10))))
+ crypto.randomFill(Buffer.alloc(10), function (ex, bytes) {
+ t.error(ex)
+ t.equal(bytes.length, 10)
+ t.ok(Buffer.isBuffer(bytes))
+ t.end()
+ })
+})
+
+test('seems random', function (t) {
+ var L = 1000
+ var b = crypto.randomFillSync(Buffer.alloc(L))
+
+ var mean = [].reduce.call(b, function (a, b) {
+ return a + b
+ }, 0) / L
+
+ // test that the random numbers are plausably random.
+ // Math.random() will pass this, but this will catch
+ // terrible mistakes such as this blunder:
+ // https://github.com/dominictarr/crypto-browserify/commit/3267955e1df7edd1680e52aeede9a89506ed2464#commitcomment-7916835
+
+ // this doesn't check that the bytes are in a random *order*
+ // but it's better than nothing.
+
+ var expected = 256 / 2
+ var smean = Math.sqrt(mean)
+
+ // console.log doesn't work right on testling, *grumble grumble*
+ console.log(JSON.stringify([expected - smean, mean, expected + smean]))
+ t.ok(mean < expected + smean)
+ t.ok(mean > expected - smean)
+
+ t.end()
+})
diff -Nru node-crypto-browserify-3.11.1/.travis.yml node-crypto-browserify-3.12.0/.travis.yml
--- node-crypto-browserify-3.11.1/.travis.yml 2017-12-30 10:16:50.000000000 +0000
+++ node-crypto-browserify-3.12.0/.travis.yml 2017-11-02 15:21:18.000000000 +0000
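Review bot: test/random-fill.js only ever fills a whole 10- or 1000-byte buffer, so the optional offset and size arguments of `randomFill`/`randomFillSync` are never exercised, and those are the part of the API where a missing bounds check leads to an out-of-range write or a partly unfilled buffer. If the browser implementation follows Node's signature, a case such as `var b = crypto.randomFillSync(Buffer.alloc(10), 5, 5)` followed by `t.ok(b.slice(0, 5).equals(Buffer.alloc(5)))` would pin that bytes before the offset stay untouched, and a `t.throws` for an offset past the end would pin the range check. The 'seems random' test checks only the mean, as its own comment says, so a buffer filled with a constant near 128 would pass; asserting that two successive fills differ is a cheap extra guard.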
@@ -17,7 +17,7 @@
 - node_js: '4'
 env: TEST_SUITE=browser BROWSER_NAME=firefox BROWSER_VERSION="-2..latest"
 - node_js: '4'
- env: TEST_SUITE=browser BROWSER_NAME=safari BROWSER_VERSION="5..latest"
+ env: TEST_SUITE=browser BROWSER_NAME=safari BROWSER_VERSION="7..latest"
 - node_js: '4'
 env: TEST_SUITE=browser BROWSER_NAME=android BROWSER_VERSION="5.0..latest"
 script: "npm run-script $TEST_SUITE"