
Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements



On Fri, Jul 19, 2019 at 07:21:35PM +0200, Ondřej Kuzník wrote:
> >         if (chk_totp(&passwd_otp, &cred_otp, mech, text) == LUTIL_PASSWD_OK
> >                         && lutil_passwd(&passwd_pass, &cred_pass, NULL, text)
> >                         == LUTIL_PASSWD_OK)
> >                 rc = LUTIL_PASSWD_OK;
> 
> This only checks the password if OTP check passed, right? So if checking
> the password takes a measurable amount of time, an attacker can see if
> they hit the right OTP token without it being voided.

Ah, yes, sorry I didn't quite catch what you were getting at
previously there.  I'll submit an updated patch shortly to fix
this, as well as some documentation updates for issues pointed
out.

-- 
Greg Veldman
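The evaluation-order issue raised above, shown side by side with the fix, as an added example that is not part of this thread or of the OpenLDAP totp module: chk_totp_stub and lutil_passwd_stub are hypothetical stand-ins for chk_totp() and lutil_passwd(), the token and password values are constructed, and a call counter stands in for measuring elapsed time.

```c
#include <string.h>

#define LUTIL_PASSWD_OK  0
#define LUTIL_PASSWD_ERR 1

/* Stand-in for measuring wall-clock time: counts password checks performed. */
static int pw_checks_run;

/* Hypothetical stand-in for chk_totp(); the expected token is constructed. */
static int chk_totp_stub(const char *otp) {
    return strcmp(otp, "123456") == 0 ? LUTIL_PASSWD_OK : LUTIL_PASSWD_ERR;
}

/* Hypothetical stand-in for lutil_passwd(); real hashing makes this the slow step. */
static int lutil_passwd_stub(const char *pw) {
    pw_checks_run++;
    return strcmp(pw, "correct horse") == 0 ? LUTIL_PASSWD_OK : LUTIL_PASSWD_ERR;
}

/* Pattern quoted in the thread: && short-circuits, so the slow password check
   only runs when the OTP matched, and the response time reveals that. */
int verify_short_circuit(const char *otp, const char *pw) {
    int rc = LUTIL_PASSWD_ERR;
    if (chk_totp_stub(otp) == LUTIL_PASSWD_OK
            && lutil_passwd_stub(pw) == LUTIL_PASSWD_OK)
        rc = LUTIL_PASSWD_OK;
    return rc;
}

/* Fix: run both checks unconditionally, then combine the results, so the
   amount of work is the same whether or not the OTP matched. */
int verify_both_always(const char *otp, const char *pw) {
    int otp_ok = chk_totp_stub(otp) == LUTIL_PASSWD_OK;
    int pw_ok = lutil_passwd_stub(pw) == LUTIL_PASSWD_OK;
    /* Both calls have already executed; & rather than && keeps the combine branch-free. */
    return (otp_ok & pw_ok) ? LUTIL_PASSWD_OK : LUTIL_PASSWD_ERR;
}

/* Run one attempt and report how many password checks it triggered. */
int pw_checks_for(int (*verify)(const char *, const char *),
                  const char *otp, const char *pw) {
    pw_checks_run = 0;
    verify(otp, pw);
    return pw_checks_run;
}
```

With the short-circuit version, a wrong OTP triggers zero password checks and a right OTP triggers one, which is exactly the difference an observer can time; the fixed version performs one password check on every attempt.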