[email protected] wrote:
>>> - allow padding to be omitted (totally, not only parts)
>>
>> Why?
> To allow using the keys encoded by other implementations that do
> not generate the padding (e.g. Perl's Convert::Base32).
> (e.g. in a mass-rollout that sets userPassword using LDIF)
We must reject this on security grounds. See RFC3548 Security Considerations.
https://tools.ietf.org/html/rfc3548#page-10

Also, as already noted in the code comments, allowing partial bytes would open a subliminal channel allowing information leaks.

If Perl's encoder is being so careless then that is a security vulnerability.

The other 3 points on this ticket have been committed in master. I consider this ticket resolved.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
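A strict base32 decoder of the kind the reply argues for, added here as an illustration and not taken from OpenLDAP or Convert::Base32: it rejects input with padding omitted, malformed pad lengths, and non-zero trailing bits in the final quantum, which is the "partial bytes" subliminal channel referred to above. The function and class names are the example's own.

```python
# Added example (not OpenLDAP's code): a strict RFC 3548 base32 decoder that
# rejects missing or malformed padding and non-zero trailing bits in the final
# quantum. A lenient decoder discards those bits silently, which is the
# subliminal channel: "MZXW6YQ=" and "MZXW6YR=" would both decode to b"foob".

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_VALUE = {c: i for i, c in enumerate(ALPHABET)}
# Allowed pad counts in the final 8-char quantum -> data bytes it carries
# (RFC 3548 section 6). Any other count, e.g. 2, is malformed.
_PAD_TO_BYTES = {0: 5, 1: 4, 3: 3, 4: 2, 6: 1}


class Base32Error(ValueError):
    """Raised for any input that is not canonical, fully padded base32."""


def strict_b32decode(text: str) -> bytes:
    if len(text) % 8 != 0:
        raise Base32Error("length not a multiple of 8: padding is required")
    out = bytearray()
    for i in range(0, len(text), 8):
        quantum = text[i:i + 8]
        digits = quantum.rstrip("=")
        npad = 8 - len(digits)
        if npad and i + 8 != len(text):
            raise Base32Error("padding is only allowed in the final quantum")
        if npad not in _PAD_TO_BYTES:
            raise Base32Error(f"invalid pad length: {npad}")
        acc = 0
        for ch in digits:            # an '=' inside the digits lands here too
            if ch not in _VALUE:
                raise Base32Error(f"invalid character {ch!r}")
            acc = (acc << 5) | _VALUE[ch]
        nbytes = _PAD_TO_BYTES[npad]
        extra = 5 * len(digits) - 8 * nbytes   # bits beyond the last full byte
        if acc & ((1 << extra) - 1):
            raise Base32Error("non-zero trailing bits: non-canonical encoding")
        out += (acc >> extra).to_bytes(nbytes, "big")
    return bytes(out)


def is_canonical(text: str) -> bool:
    """True only if the strict decoder accepts the input."""
    try:
        strict_b32decode(text)
        return True
    except Base32Error:
        return False
```

The test vectors used below are the RFC 4648 ones ("foobar" and its prefixes); the rejected inputs are those same strings with padding dropped, a pad length of 2, or a flipped trailing bit.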
