altf4arnold/datatracker
1
0
Fork 0
Code Issues Pull requests Actions 4 Packages Projects Releases Wiki Activity

Merged in [19895] from jennifer@painless-security.com:

Browse source 
Look at v2 'title' attribute in reference type heuristics for XML drafts. Related to #3529.
 - Legacy-Id: 19897
Note: SVN reference [19895] has been migrated to Git commit ea79fe0dcc183bc5cd8b27da67865c300b9dce4e
This commit is contained in:
Robert Sparks 2022-01-31 16:54:14 +00:00
parent 5c0e5a3064
commit dd66187362
3 changed files with 49 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
ietf/utils/test_draft_with_references_v3.xml
View file

@ -149,5 +149,46 @@
<seriesInfo name='DOI' value='10.17487/RFC1207'/>
</reference>
</references>
<references title="Malformed Normative References">
<!-- title attribute was for references title was removed for v3, but should be recognized -->
<reference anchor='RFC4086' target='https://www.rfc-editor.org/info/rfc4086'>
<front>
<title>Randomness Requirements for Security</title>
<author initials='D.' surname='Eastlake 3rd' fullname='D. Eastlake 3rd'>
<organization/>
</author>
<author initials='J.' surname='Schiller' fullname='J. Schiller'>
<organization/>
</author>
<author initials='S.' surname='Crocker' fullname='S. Crocker'>
<organization/>
</author>
<date year='2005' month='June'/>
<abstract>
<t>Security systems are built on strong cryptographic algorithms that foil pattern analysis
attempts. However, the security of these systems is dependent on generating secret
quantities for passwords, cryptographic keys, and similar quantities. The use of
pseudo-random processes to generate secret quantities can result in pseudo-security. A
sophisticated attacker may find it easier to reproduce the environment that produced the
secret quantities and to search the resulting small set of possibilities than to locate the
quantities in the whole of the potential number space.
</t>
<t>Choosing random quantities to foil a resourceful and motivated adversary is surprisingly
difficult. This document points out many pitfalls in using poor entropy sources or
traditional pseudo-random number generation techniques for generating such quantities. It
recommends the use of truly random hardware techniques and shows that the existing hardware
on many systems can be used for this purpose. It provides suggestions to ameliorate the
problem when a hardware solution is not available, and it gives examples of how large such
quantities need to be for some applications. This document specifies an Internet Best
Current Practices for the Internet Community, and requests discussion and suggestions for
improvements.
</t>
</abstract>
</front>
<seriesInfo name='BCP' value='106'/>
<seriesInfo name='RFC' value='4086'/>
<seriesInfo name='DOI' value='10.17487/RFC4086'/>
</reference>
</references>
</back>
</rfc>

1
ietf/utils/tests.py
View file

@ -463,6 +463,7 @@ class XMLDraftTests(TestCase):
'rfc255': XMLDraft.REF_TYPE_INFORMATIVE,
'bcp6': XMLDraft.REF_TYPE_INFORMATIVE,
'rfc1207': XMLDraft.REF_TYPE_UNKNOWN,
'rfc4086': XMLDraft.REF_TYPE_NORMATIVE,
}
)

8
ietf/utils/xmldraft.py
View file

@ -77,12 +77,18 @@ class XMLDraft(Draft):
return self.REF_TYPE_INFORMATIVE
return self.REF_TYPE_UNKNOWN
def _reference_section_name(self, section_elt):
section_name = section_elt.findtext('name')
if section_name is None and 'title' in section_elt.keys():
section_name = section_elt.get('title') # fall back to title if we have it
return section_name
def get_refs(self):
"""Extract references from the draft"""
refs = {}
# accept nested <references> sections
for section in self.xmlroot.findall('back//references'):
ref_type = self._reference_section_type(section.findtext('name'))
ref_type = self._reference_section_type(self._reference_section_name(section))
for ref in (section.findall('./reference') + section.findall('./referencegroup')):
refs[self._document_name(ref.get('anchor'))] = ref_type
return refs