oss-sec mailing list archives
Re: Fixing the XML signature HMAC truncation authentication bypass
From: Robert Buchholz <rbu () gentoo org>
Date: Wed, 15 Jul 2009 02:51:46 +0200
On Wednesday 15 July 2009, Robert Buchholz wrote:
1) Apache Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 Patch: http://svn.apache.org/viewvc?view=rev&revision=794013 It seems they disallow HMAC truncation completely. * In my personal opinion the best move (since we're dealing with XML, who cares about an additional <16 bytes?)
This was Java only, the C++ variant has this fix: http://svn.apache.org/viewvc?view=rev&revision=794017 which is 80/half. Robert
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- Fixing the XML signature HMAC truncation authentication bypass Florian Weimer (Jul 14)
- Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
- Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
- Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
- Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)