Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements



On Mon, Sep 09, 2019 at 04:01:59PM +0200, Ondřej Kuzník wrote:
> I mean the ber_str2bv(,,1,) in both new functions. Not sure which code
> you think would overwrite parts of the buffer? ber_str2bv(,,0,) never
> touches it, manually initialising the berval certainly wouldn't either.
> And then you have fewer memory regions to scrub.
> 
> Since you already know the length, you can also pass it in so ber_str2bv
> can skip its strlen() check (and since anything can be in a {PLAINTEXT}
> password, you're now embedded NUL safe).

Ah, OK, I didn't realize that would be NUL safe.  I made an
updated patch with that change[1].

> I think I mentioned this before as something worth changing: rather
> than call time(0L), you can use op->o_time which is stable and the
> closest you can get to the time the operation was received.

Yes, sorry I did see that before just forgot to do it.  It's
also included in the latest update[1].

> BTW, scinet.supercomputing.org's HTTPS cert is signed by Let's Encrypt
> Authority X3 as an intermediate, but isn't sending it during the
> handshake, so wget/curl aren't happy trusting it (I think browsers cache
> it or already have a copy).

Thank you, this has been corrected.

[1] https://scinet.supercomputing.org/~gv/slapd-totp-v5.txt

-- 
Greg Veldman
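
The two review points quoted above (pass the length you already know, and skip the duplicate so there are fewer regions to scrub), shown in C as an added example that is not code from the patch or from liblber. `struct bv`, `str2bv` and `scrub` are simplified stand-ins written for this illustration, and the secret is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for liblber's struct berval (length + pointer). */
struct bv { size_t len; char *val; };
/* Simplified model of ber_str2bv(s, len, dup, bv); not the liblber source.
 * len == 0: measure with strlen(). dup != 0: copy the bytes to the heap. */
static struct bv *str2bv(char *s, size_t len, int dup, struct bv *out)
{
    out->len = len ? len : strlen(s);
    out->val = s;                       /* dup == 0: alias the caller's buffer */
    if (dup) {
        out->val = malloc(out->len + 1);
        if (out->val == NULL) return NULL;
        memcpy(out->val, s, out->len);
        out->val[out->len] = '\0';
    }
    return out;
}

/* Zero a secret through a volatile pointer so the stores are not elided. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Constructed sample: a 7-byte secret with a NUL at offset 3. */
static const char SAMPLE[8] = { 'a', 'b', 'c', '\0', 'd', 'e', 'f', '\0' };
#define SAMPLE_LEN 7
/* Length the helper records: known_len == 0 falls back to strlen(). */
size_t recorded_len(size_t known_len)
{
    char buf[sizeof SAMPLE]; struct bv b;
    memcpy(buf, SAMPLE, sizeof buf);
    return str2bv(buf, known_len, 0, &b)->len;
}

/* Count secret bytes still readable through the view after scrubbing buf. */
size_t bytes_left_after_scrub(int dup)
{
    char buf[sizeof SAMPLE]; struct bv b;
    size_t i, left = 0;
    memcpy(buf, SAMPLE, sizeof buf);
    if (str2bv(buf, SAMPLE_LEN, dup, &b) == NULL) return 0;
    scrub(buf, sizeof buf);             /* scrub only the original region */
    for (i = 0; i < b.len; i++) left += (b.val[i] != 0);
    if (dup) { scrub(b.val, b.len); free(b.val); }
    return left;
}
```

With the strlen() fallback the secret is silently cut at the embedded NUL; with the duplicate, scrubbing the original buffer leaves a second copy of the secret on the heap until it is scrubbed separately.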