peter@adpm.de wrote:
>>> - allow padding to be omitted (totally, not only parts)
>> Why?
> To allow using the keys encoded by other implementations that do not generate the padding (e.g. Perl's Convert::Base32). (e.g. in a mass-rollout that sets userPassword using LDIF)

We must reject this on security grounds. See RFC3548 Security Considerations. https://tools.ietf.org/html/rfc3548#page-10
Also, as already noted in the code comments, allowing partial bytes would open a subliminal channel allowing information leaks.
If Perl's encoder is being so careless then that is a security vulnerability.
The other 3 points on this ticket have been committed in master. I consider this ticket resolved.