[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8230) [PATCH] totp: bug fixes and improvements

peter@adpm.de wrote:
>>>       - allow padding to be omitted (totally, not only parts)
>> Why?
> To allow using the keys encoded by other implementations that do
> not generate the padding (e.g. Perl's Convert::Base32).
> (e.g. in a mass-rollout that sets userPassword using LDIF)

We must reject this on security grounds. See RFC3548 Security Considerations. 

Also, as already noted in the code comments, allowing partial bytes would open 
a subliminal channel allowing information leaks.

If Perl's encoder is being so careless then that is a security vulnerability.

The other 3 points on this ticket have been committed in master. I consider 
this ticket resolved.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/