[Date Prev][Date Next]
Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
- From: firstname.lastname@example.org
- Date: Fri, 25 Sep 2015 18:43:41 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
>>> - allow padding to be omitted (totally, not only parts)
> To allow using the keys encoded by other implementations that do
> not generate the padding (e.g. Perl's Convert::Base32).
> (e.g. in a mass-rollout that sets userPassword using LDIF)
We must reject this on security grounds. See RFC3548 Security Considerations.
Also, as already noted in the code comments, allowing partial bytes would open
a subliminal channel allowing information leaks.
If Perl's encoder is being so careless then that is a security vulnerability.
The other 3 points on this ticket have been committed in master. I consider
this ticket resolved.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/