
Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements



On Wed, Jul 31, 2019 at 08:14:55PM +0000, gv@members.scinet.supercomputing.org wrote:
> v3 of the patch is available, which includes hashing functions
> and documents the expected input format when using those functions.
> I don't have the updated module on any of my servers yet, but
> running slappasswd from my build directory does seem to yield
> the same results as the non-password versions:
> 
> $ ../../../../servers/slapd/slappasswd -T passwd -o module-load=`pwd`/.libs/pw-totp.so -h "{TOTP1}"
> New password: 
> Re-enter new password: 
> {TOTP1}GAYA====
> 
> $ ../../../../servers/slapd/slappasswd -T passwd -o module-load=`pwd`/.libs/pw-totp.so -h "{TOTP1ANDPW}"
> New password: 
> Re-enter new password: 
> {TOTP1ANDPW}GAYA====|{SSHA}Qo6WiIWWsWohlwZSo9oQkImKvSNArGio
> 
> This is using an OTP seed of 00 and a password of foo
> 
> https://scinet.supercomputing.org/~gv/slapd-totp-v3.txt

Hi Greg,
looking at the code, I think I'd be ok with this functionality and
nothing major comes up for me.

I would like to see a few changes though:
- could you split it in two patches, one to check the previous time step
  (+doc) and one to support the new schemes (+doc)?
- I don't think you need to allocate a copy of the passwd that just came in;
  you can just frame it into separate bervals reusing the provided
  buffer, so long as you keep in mind they are not NUL-terminated
  properly.

Just a style note, if there's an else coming, could you make sure both
the if and the else blocks are in {}?

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
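To make the review point concrete (framing the incoming value into bervals that point into the existing buffer rather than copying it, and treating those bervals as not NUL-terminated), here is an added, self-contained C example. It is not code from Greg's patch or from OpenLDAP: `struct berval` is a local stand-in with the same two fields as the one in `<lber.h>`, and the function names `bv_has_prefix`, `totp_split_seed_pw` and `base32_decode` are hypothetical. The sample value is the `{TOTP1ANDPW}` output quoted above, which the example splits at `|` and whose base32 seed half it decodes back to the ASCII seed `00`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenLDAP's struct berval from <lber.h>: the same two fields,
 * declared locally so this example builds without the OpenLDAP headers. */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* Length-aware prefix test. bv_val is not NUL-terminated, so strncmp/strstr
 * on it could read past bv_len; memcmp bounded by bv_len is safe. */
int bv_has_prefix(const struct berval *bv, const char *prefix)
{
    size_t plen = strlen(prefix);
    return bv->bv_len >= plen && memcmp(bv->bv_val, prefix, plen) == 0;
}

/* Frame "<base32 seed>|<password hash>" into two bervals that point into
 * the caller's buffer: no allocation, no copy. Returns 0 on success, -1 if
 * the separator is missing or either side is empty. */
int totp_split_seed_pw(const struct berval *stored, struct berval *seed, struct berval *pw)
{
    char *sep;
    if (stored == NULL || stored->bv_val == NULL || stored->bv_len == 0)
        return -1;
    /* memchr, not strchr: the buffer has no terminating NUL to stop on. */
    sep = memchr(stored->bv_val, '|', stored->bv_len);
    if (sep == NULL)
        return -1;
    seed->bv_val = stored->bv_val;
    seed->bv_len = (size_t)(sep - stored->bv_val);
    pw->bv_val   = sep + 1;
    pw->bv_len   = stored->bv_len - seed->bv_len - 1;
    return (seed->bv_len == 0 || pw->bv_len == 0) ? -1 : 0;
}

/* RFC 4648 base32 decoder for the seed half. Returns the number of bytes
 * written, or -1 on an invalid character or if out is too small. */
int base32_decode(const struct berval *in, uint8_t *out, size_t outlen)
{
    static const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0, i;
    for (i = 0; i < in->bv_len; i++) {
        char c = in->bv_val[i];
        const char *p;
        if (c == '=')                      /* padding: nothing more to decode */
            break;
        if (c == '\0' || (p = strchr(alphabet, c)) == NULL)
            return -1;
        acc = (acc << 5) | (uint32_t)(p - alphabet);
        bits += 5;
        if (bits >= 8) {
            if (n >= outlen)
                return -1;
            out[n++] = (uint8_t)(acc >> (bits - 8));
            bits -= 8;
            acc &= (1u << bits) - 1;       /* drop the bits already emitted */
        }
    }
    return (int)n;
}

/* The value slappasswd printed in the thread (after the {TOTP1ANDPW} tag),
 * held in a modifiable buffer the way slapd hands a stored password to a
 * module. Returns 1 when the seed decodes to ASCII "00" and the password
 * part carries the {SSHA} scheme, 0 otherwise. */
int sample_parses_as_expected(void)
{
    char buf[] = "GAYA====|{SSHA}Qo6WiIWWsWohlwZSo9oQkImKvSNArGio";
    struct berval stored = { sizeof buf - 1, buf }, seed, pw;
    uint8_t raw[16];
    int n;

    if (totp_split_seed_pw(&stored, &seed, &pw) != 0)
        return 0;
    n = base32_decode(&seed, raw, sizeof raw);
    return n == 2 && raw[0] == '0' && raw[1] == '0'
        && seed.bv_len == 8 && pw.bv_len == 38 && bv_has_prefix(&pw, "{SSHA}");
}

/* A plain {TOTP1} value has no '|' and must be rejected by the splitter. */
int sample_without_separator_is_rejected(void)
{
    char buf[] = "GAYA====";
    struct berval stored = { sizeof buf - 1, buf }, seed, pw;
    return totp_split_seed_pw(&stored, &seed, &pw) == -1;
}

int main(void)
{
    printf("split+decode ok: %d, rejects missing '|': %d\n",
           sample_parses_as_expected(), sample_without_separator_is_rejected());
    return 0;
}
```

The two bervals produced by `totp_split_seed_pw` share the caller's storage, which is the no-copy approach suggested in the review; the cost is that every later operation on them must be bounded by `bv_len` (hence `memchr` and `memcmp` rather than the `str*` family), because the seed half ends at `|` with no NUL and the password half ends wherever the stored value ends.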