Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
- From: hyc@symas.com
- Date: Fri, 25 Sep 2015 18:43:41 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
peter@adpm.de wrote:
>>> - allow padding to be omitted (totally, not only parts)
>>
>> Why?
> To allow using the keys encoded by other implementations that do
> not generate the padding (e.g. Perl's Convert::Base32).
> (e.g. in a mass-rollout that sets userPassword using LDIF)
We must reject this on security grounds. See RFC3548 Security Considerations.
https://tools.ietf.org/html/rfc3548#page-10
Also, as already noted in the code comments, allowing partial bytes would open
a subliminal channel allowing information leaks.
If Perl's encoder is being so careless then that is a security vulnerability.
The other 3 points on this ticket have been committed in master. I consider
this ticket resolved.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
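The objection in the reply above comes down to canonical encoding: a decoder that accepts missing padding and silently discards the unused low bits of the last base32 symbol maps several distinct strings to the same key bytes, and those slack bits can carry data the key owner never chose (the "subliminal channel" the reply refers to). The following C block is an added example written for this page, not code from OpenLDAP's totp module or from Convert::Base32; it puts a strict RFC 3548/4648 decoder (rejects unpadded input, misplaced padding and non-zero slack bits) next to a lenient one of the kind the patch asked for, and shows "MH" decoding to the same byte as the canonical "ME======". All type, function and constant names, and the sample inputs, are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder result codes; names are this example's own, not the project's. */
typedef enum {
    B32_OK = 0,
    B32_ERR_CHAR,      /* character outside A-Z, 2-7, '=' */
    B32_ERR_LENGTH,    /* not a multiple of 8 symbols: padding was omitted */
    B32_ERR_PADDING,   /* '=' in an illegal position or count */
    B32_ERR_TRAILING   /* unused low bits of the last data symbol are non-zero */
} b32_status;

static int b32_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '2' && c <= '7') return c - '2' + 26;
    return -1;
}

/* Strict RFC 3548/4648 decode: fully padded input, legal pad counts only
 * (0, 1, 3, 4, 6), padding only in the final 8-symbol block, and zero slack
 * bits. Exactly one string therefore maps to each byte sequence. */
b32_status b32_decode_strict(const char *in, uint8_t *out, size_t outcap, size_t *outlen) {
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 8 != 0) return B32_ERR_LENGTH;
    for (size_t i = 0; i < n; i += 8) {
        uint64_t acc = 0;
        int pad = 0, nbytes, unused;
        for (int j = 0; j < 8; j++) {
            char c = in[i + j];
            if (c == '=') { pad++; acc <<= 5; continue; }
            if (pad) return B32_ERR_PADDING;            /* data symbol after '=' */
            int v = b32_val(c);
            if (v < 0) return B32_ERR_CHAR;
            acc = (acc << 5) | (uint64_t)v;
        }
        if (pad && i + 8 != n) return B32_ERR_PADDING;  /* padding mid-stream */
        switch (pad) {
            case 0: nbytes = 5; break;
            case 1: nbytes = 4; break;
            case 3: nbytes = 3; break;
            case 4: nbytes = 2; break;
            case 6: nbytes = 1; break;
            default: return B32_ERR_PADDING;
        }
        /* acc holds 40 bits; the decoded bytes are the top nbytes*8 of them.
         * Everything below must be zero, otherwise the encoder had room to
         * hide data in bits a lenient decoder would silently discard. */
        unused = 40 - nbytes * 8;
        if (unused && (acc & ((1ULL << unused) - 1))) return B32_ERR_TRAILING;
        if (o + (size_t)nbytes > outcap) return B32_ERR_LENGTH;
        for (int k = 0; k < nbytes; k++)
            out[o++] = (uint8_t)(acc >> (32 - 8 * k));
    }
    *outlen = o;
    return B32_OK;
}

/* Lenient decode of the kind the ticket asked for: padding optional, slack
 * bits ignored. Returns the byte count, or -1 on a bad character. */
int b32_decode_lenient(const char *in, uint8_t *out, size_t outcap) {
    uint64_t acc = 0;
    int bits = 0;
    size_t o = 0;
    for (; *in && *in != '='; in++) {
        int v = b32_val(*in);
        if (v < 0) return -1;
        acc = (acc << 5) | (uint64_t)v;
        bits += 5;
        if (bits >= 8) {
            if (o >= outcap) return -1;
            out[o++] = (uint8_t)(acc >> (bits - 8));
            bits -= 8;
            acc &= (1ULL << bits) - 1;   /* keep only the not-yet-emitted bits */
        }
    }
    return (int)o;
}

/* Wrappers used by the demonstration below. */
int strict_status(const char *in) {
    uint8_t buf[64]; size_t n;
    return b32_decode_strict(in, buf, sizeof buf, &n);
}
int strict_equals(const char *in, const char *expect) {
    uint8_t buf[64]; size_t n;
    if (b32_decode_strict(in, buf, sizeof buf, &n) != B32_OK) return 0;
    return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}
int lenient_first_byte(const char *in) {
    uint8_t buf[64];
    int n = b32_decode_lenient(in, buf, sizeof buf);
    return n < 1 ? -1 : buf[0];
}

int main(void) {
    /* Constructed inputs: "ME======" is the canonical encoding of the byte
     * 'a'; "MF", "MG", "MH" differ from it only in the two slack bits. */
    const char *padded[] = { "ME======", "MF======", "MG======", "MH======" };
    for (int i = 0; i < 4; i++)
        printf("lenient %.2s -> 0x%02x   strict %s -> status %d\n", padded[i],
               lenient_first_byte(padded[i]), padded[i], strict_status(padded[i]));
    return 0;
}
```

The lenient decoder returns 0x61 for all four inputs, so two bits per key of attacker-chosen data survive a round trip through it unnoticed; the strict decoder accepts only "ME======" and reports B32_ERR_TRAILING for the other three and B32_ERR_LENGTH for the unpadded "ME". That one-to-one mapping, not the padding characters themselves, is the property the reply is defending.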