Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
On Fri, Jul 19, 2019 at 07:21:35PM +0200, Ondřej Kuzník wrote:
> > if (chk_totp(&passwd_otp, &cred_otp, mech, text) == LUTIL_PASSWD_OK
> >     && lutil_passwd(&passwd_pass, &cred_pass, NULL, text)
> >     == LUTIL_PASSWD_OK)
> >     rc = LUTIL_PASSWD_OK;
>
> This only checks the password if OTP check passed, right? So if checking
> the password takes a measurable amount of time, an attacker can see if
> they hit the right OTP token without it being voided.
Ah, yes, sorry I didn't quite catch what you were getting at
previously there. I'll submit an updated patch shortly to fix
this, as well as some documentation updates for issues pointed
out.
--
Greg Veldman
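As an added illustration of the review point above (this is not code from the ITS#9055 patch or from OpenLDAP; the `fake_chk_totp` and `fake_lutil_passwd` stand-ins, the constructed OTP and password values, and the `LUTIL_PASSWD_*` values are assumptions for the example), the first function keeps the short-circuiting `&&` from the quoted patch, so the password check only runs once the OTP matched; the second evaluates both factors unconditionally and combines the results afterwards. A counter on the password check makes the difference observable without timing anything.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the lutil return codes (assumed values, not the real header). */
#define LUTIL_PASSWD_OK  0
#define LUTIL_PASSWD_ERR 1

/* How many times the (simulated) password verification has run. */
static int passwd_checks_run = 0;

/* Hypothetical stand-in for chk_totp(): accepts one constructed OTP value. */
static int fake_chk_totp(const char *otp) {
    return strcmp(otp, "123456") == 0 ? LUTIL_PASSWD_OK : LUTIL_PASSWD_ERR;
}

/* Hypothetical stand-in for lutil_passwd(): records each invocation. In the
 * real module this is the expensive step (hash verification), which is what
 * makes the skipped call visible in the response time. */
static int fake_lutil_passwd(const char *pass) {
    passwd_checks_run++;
    return strcmp(pass, "correct horse") == 0 ? LUTIL_PASSWD_OK : LUTIL_PASSWD_ERR;
}

/* Shape of the quoted patch: && short-circuits, so the password check runs
 * only when the OTP already matched, and "wrong OTP" completes faster than
 * "right OTP, wrong password". */
int verify_short_circuit(const char *otp, const char *pass) {
    int rc = LUTIL_PASSWD_ERR;
    if (fake_chk_totp(otp) == LUTIL_PASSWD_OK
        && fake_lutil_passwd(pass) == LUTIL_PASSWD_OK)
        rc = LUTIL_PASSWD_OK;
    return rc;
}

/* Fix suggested in the review: run both checks regardless of the OTP result,
 * then combine. The amount of work no longer depends on which factor failed. */
int verify_both(const char *otp, const char *pass) {
    int otp_rc  = fake_chk_totp(otp);
    int pass_rc = fake_lutil_passwd(pass);
    return (otp_rc == LUTIL_PASSWD_OK && pass_rc == LUTIL_PASSWD_OK)
               ? LUTIL_PASSWD_OK : LUTIL_PASSWD_ERR;
}

int reset_counter(void) { passwd_checks_run = 0; return passwd_checks_run; }
int password_checks_run(void) { return passwd_checks_run; }

int main(void) {
    reset_counter();
    verify_short_circuit("000000", "correct horse");
    printf("short-circuit, wrong OTP: password checked %d time(s)\n", password_checks_run());
    reset_counter();
    verify_both("000000", "correct horse");
    printf("both evaluated, wrong OTP: password checked %d time(s)\n", password_checks_run());
    return 0;
}
```

The combined result is computed only after both factor checks have returned, so a wrong OTP and a wrong password follow the same code path; in the real module the remaining variation is the cost of the individual checks themselves, which is a separate concern from the skipped branch discussed here.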