[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
From: ondra@mistotebe.net
Date: Mon, 23 Sep 2019 15:08:42 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

On Fri, Sep 13, 2019 at 11:57:14AM -0400, Greg Veldman wrote:
> On Mon, Sep 09, 2019 at 04:01:59PM +0200, Ond??ej Kuzn??k wrote:
>> I mean the ber_str2bv(,,1,) in both new functions. Not sure which code
>> you think would overwrite parts of the buffer? ber_str2bv(,,0,) never
>> touches it, manually initialising the berval certainly wouldn't either.
>> And then you have fewer memory regions to scrub.
>> 
>> Since you already know the length, you can also pass it in so ber_str2bv
>> can skip its strlen() check (and since anything can be in a {PLAINTEXT}
>> password, you're now embedded NUL safe).
> 
> Ah, OK, I didn't realize that would be NUL safe.  I made an
> updated patch with that change[1].
> 
>> I think I mentioned this before as something worth changing: rather
>> than call time(0L), you can use op->o_time which is stable and the
>> closest you can get to the time the operation was received.
> 
> Yes, sorry I did see that before just forgot to do it.  It's
> also included in the latest update[1].

Hi Greg,
thanks for both, I should merge that soon.

On a side note, any ideas how to deal with ppolicy's pwdHistory here so
it can reject changing the password to an old one? AFAIK using these
schemas will prevent slap_passwd_check() from working and there isn't an
obvious way to proceed.

Thanks,

-- 
OndÅ?ej KuznÃk
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Prev by Date: (ITS#9088) Concurrency not seen in OpenLDAP 2.4.44
Next by Date: Re: (ITS#9088) Concurrency not seen in OpenLDAP 2.4.44
Index(es):
- Chronological
- Thread