[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Multiple issues in lemonldap-ng
From:       Raphael Geissert <geissert () debian ! org>
Date:       2019-11-28 19:46:55
Message-ID: CAA7hUgF2iQ+danfsTDqjY2weCXGay71363bbgBWbb_6kyiBNgg () mail ! gmail ! com
[Download RAW message or body]

Hi,

Looking at lemonldap-ng I noticed that it uses low-level crypto
primitives, not without some issues.
Notably:

* it uses AES in CBC mode directly without setting an IV to encrypt
data that is stored client-side
* that same data is not signed, only encrypted

Despite my strong recommendation to use a library that abstracts some
of the fine details, like NaCl, libsodium, etc, upstream has responded
to the issue by issuing version 2.0.5 with the following changes[1]:

* an IV is set but it might be generated with rand() and time() in
case of urandom being unavailable or in case the code asks for a "low"
mode
* using sha256 as a checksum (literally just sha256 of the data, not
HMAC-SHA256 despite the code using the name hmac in some places), as
in: message = ENCRYPT(SHA256(data) || data, key, iv). Upstream calling
this MtE and using this approach instead of my recommendation of using
EtM

Some "minor" issues were also fixed, like the use of a prng instead of a csprng.

Tracked with issue #1823 [2], the main issue is still open to possibly
use an abstraction library in a future version.

I've neglected making a public report of this but I hope that it is
going to help things move forward.

[1]https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/merge_requests/81/diffs
[2]https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1823

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org
[prev in list] [next in list] [prev in thread] [next in thread]