oss-sec mailing list archives

Re: Fixing the XML signature HMAC truncation authentication bypass

From: Robert Buchholz <rbu () gentoo org>
Date: Wed, 15 Jul 2009 02:51:46 +0200

On Wednesday 15 July 2009, Robert Buchholz wrote:

1) Apache
Bug:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Patch:
http://svn.apache.org/viewvc?view=rev&revision=794013

It seems they disallow HMAC truncation completely.
* In my personal opinion the best move (since we're dealing with XML,
  who cares about an additional <16 bytes?)


This was Java only, the C++ variant has this fix:
http://svn.apache.org/viewvc?view=rev&revision=794017

which is 80/half.


Robert

Attachment: signature.asc
Description: This is a digitally signed message part.

Current thread:

Fixing the XML signature HMAC truncation authentication bypass Florian Weimer (Jul 14)
- Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
  - Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
  - Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)