Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
On Fri, Sep 13, 2019 at 11:57:14AM -0400, Greg Veldman wrote:
> On Mon, Sep 09, 2019 at 04:01:59PM +0200, Ondřej Kuzník wrote:
>> I mean the ber_str2bv(,,1,) in both new functions. Not sure which code
>> you think would overwrite parts of the buffer? ber_str2bv(,,0,) never
>> touches it, manually initialising the berval certainly wouldn't either.
>> And then you have fewer memory regions to scrub.
>>
>> Since you already know the length, you can also pass it in so ber_str2bv
>> can skip its strlen() check (and since anything can be in a {PLAINTEXT}
>> password, you're now embedded NUL safe).
>
> Ah, OK, I didn't realize that would be NUL safe. I made an
> updated patch with that change[1].
>
>> I think I mentioned this before as something worth changing: rather
>> than call time(0L), you can use op->o_time which is stable and the
>> closest you can get to the time the operation was received.
>
> Yes, sorry, I did see that before, just forgot to do it. It's
> also included in the latest update[1].
Hi Greg,
thanks for both, I should merge that soon.
On a side note, any ideas how to deal with ppolicy's pwdHistory here so
it can reject changing the password to an old one? AFAIK using these
schemas will prevent slap_passwd_check() from working and there isn't an
obvious way to proceed.
Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
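As an added illustration of the ber_str2bv() points raised in the thread (this is not code from the patch, from the thread, or from liblber): a minimal model of the dup flag and of passing the known length, where `struct berval` and `bv_from_buf()` are stand-ins assumed for this example only.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal stand-in for liblber's struct berval; added for this example,
 * it is not OpenLDAP's own definition or its ber_str2bv(). */
struct berval {
    size_t bv_len;
    char *bv_val;
};

/* Model of the ber_str2bv(s, len, dup, bv) semantics discussed above: len == 0
 * means strlen(), which stops at the first NUL; dup != 0 mallocs a private
 * copy (a second region holding the secret), dup == 0 just aliases s. */
struct berval *bv_from_buf(const char *s, size_t len, int dup, struct berval *bv)
{
    bv->bv_len = len ? len : strlen(s);
    if (dup) {
        bv->bv_val = malloc(bv->bv_len + 1);
        if (bv->bv_val == NULL) return NULL;
        memcpy(bv->bv_val, s, bv->bv_len);
        bv->bv_val[bv->bv_len] = '\0';
    } else {
        bv->bv_val = (char *)s;
    }
    return bv;
}
/* Zero a secret through a volatile pointer so the stores are not elided. */
void scrub(char *p, size_t n)
{
    volatile char *v = p;
    while (n--) *v++ = 0;
}

/* Constructed {PLAINTEXT} secret with an embedded NUL: "pa\0ss", 5 bytes.
 * Returns the length the berval sees when the known length is passed in
 * (pass_length == 1) or left for strlen() (pass_length == 0). */
size_t bv_len_seen(int pass_length, int dup)
{
    char secret[] = { 'p', 'a', '\0', 's', 's' };
    struct berval bv;
    size_t seen;
    bv_from_buf(secret, pass_length ? sizeof(secret) : 0, dup, &bv);
    seen = bv.bv_len;
    if (dup && bv.bv_val) {          /* dup == 1: a second region to scrub */
        scrub(bv.bv_val, bv.bv_len);
        free(bv.bv_val);
    }
    scrub(secret, sizeof(secret));   /* the caller's buffer always needs it */
    return seen;
}
```

With the length passed in, the full 5-byte secret survives regardless of dup; left to strlen() it is cut to 2 bytes, and dup == 1 additionally leaves a heap copy that has to be scrubbed and freed on its own.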