
Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
peter@adpm.de wrote:
>>>       - allow padding to be omitted (totally, not only parts)
>>
>> Why?
> To allow using the keys encoded by other implementations that do
> not generate the padding (e.g. Perl's Convert::Base32).
> (e.g. in a mass-rollout that sets userPassword using LDIF)

We must reject this on security grounds. See RFC3548 Security Considerations. 
https://tools.ietf.org/html/rfc3548#page-10

Also, as already noted in the code comments, allowing partial bytes would open 
a subliminal channel allowing information leaks.

If Perl's encoder is being so careless then that is a security vulnerability.

The other 3 points on this ticket have been committed in master. I consider 
this ticket resolved.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
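An added illustration of the point Howard makes above (example code, not part of this thread and not OpenLDAP's own totp module): a strict RFC 3548 base32 decoder beside the lenient behaviour the patch proposed. Two different strings decode to the same key once padding may be omitted or the bits after the last whole byte are ignored, which is the subliminal channel referred to in the reply.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Padding counts RFC 3548 permits for a final 8-character block.
VALID_PAD = {0, 1, 3, 4, 6}


def decode_base32(text: str, strict: bool = True) -> bytes:
    """Decode RFC 3548 base32.

    strict=True rejects every non-canonical form: omitted or misplaced '='
    padding and non-zero bits left over after the last whole byte.
    strict=False mimics a lenient decoder that silently accepts such input.
    """
    body = text.rstrip("=")
    pad = len(text) - len(body)
    if strict:
        if len(text) % 8:
            raise ValueError("length is not a multiple of 8: padding omitted")
        if pad not in VALID_PAD or "=" in body:
            raise ValueError("invalid padding")
    acc = nbits = 0
    out = bytearray()
    for ch in body:
        val = ALPHABET.find(ch)
        if val < 0:
            raise ValueError(f"invalid base32 character {ch!r}")
        acc = (acc << 5) | val
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    # acc now holds the bits after the last whole byte (fewer than 8).
    # A canonical encoder always emits zeros here; anything else is data
    # smuggled in a "partial byte" that a lenient decoder would drop.
    if strict and acc:
        raise ValueError("non-zero trailing bits: partial byte carries hidden data")
    return bytes(out)


def leftover_bits(text: str) -> tuple:
    """Return (count, value) of the bits after the last whole byte, i.e. the
    capacity and content of the channel a lenient decoder leaves open."""
    body = text.rstrip("=")
    nbits = (len(body) * 5) % 8
    acc = 0
    for ch in body:
        acc = (acc << 5) | ALPHABET.index(ch)
    return nbits, acc & ((1 << nbits) - 1)
```

With strict decoding the key material for a user has exactly one valid encoding, so an LDIF value cannot carry anything beyond the secret itself.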