Date: Thu, 28 Nov 2019 20:46:55 +0100
From: Raphael Geissert <geissert@...ian.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: yadd@...ian.org
Subject: Multiple issues in lemonldap-ng

Hi,

Looking at lemonldap-ng I noticed that it uses low-level crypto
primitives, not without some issues.
Notably:

* it uses AES in CBC mode directly without setting an IV to encrypt
data that is stored client-side
* that same data is not signed, only encrypted

Despite my strong recommendation to use a library that abstracts some
of the fine details, like NaCl, libsodium, etc, upstream has responded
to the issue by issuing version 2.0.5 with the following changes[1]:

* an IV is set but it might be generated with rand() and time() in
case of urandom being unavailable or in case the code asks for a "low"
mode
* using sha256 as a checksum (literally just sha256 of the data, not
HMAC-SHA256, despite the code using the name hmac in some places), as
in: message = ENCRYPT(SHA256(data) || data, key, iv). Upstream calls
this MtE and uses this approach instead of my recommendation of using
EtM

Some "minor" issues were also fixed, like the use of a prng instead of a csprng.

Tracked with issue #1823 [2], the main issue is still open to possibly
use an abstraction library in a future version.

I've neglected making a public report of this but I hope that it is
going to help things move forward.

[1]https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/merge_requests/81/diffs
[2]https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1823

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org
