On Fri, Sep 13, 2019 at 11:57:14AM -0400, Greg Veldman wrote:
On Mon, Sep 09, 2019 at 04:01:59PM +0200, Ond??ej Kuzn??k wrote:
I mean the ber_str2bv(,,1,) in both new functions. Not sure which code you think would overwrite parts of the buffer? ber_str2bv(,,0,) never touches it, manually initialising the berval certainly wouldn't either. And then you have fewer memory regions to scrub.
Since you already know the length, you can also pass it in so ber_str2bv can skip its strlen() check (and since anything can be in a {PLAINTEXT} password, you're now embedded NUL safe).
Ah, OK, I didn't realize that would be NUL safe. I made an updated patch with that change[1].
I think I mentioned this before as something worth changing: rather than call time(0L), you can use op->o_time which is stable and the closest you can get to the time the operation was received.
Yes, sorry I did see that before just forgot to do it. It's also included in the latest update[1].
Hi Greg, thanks for both, I should merge that soon.
On a side note, any ideas how to deal with ppolicy's pwdHistory here so it can reject changing the password to an old one? AFAIK using these schemas will prevent slap_passwd_check() from working and there isn't an obvious way to proceed.
Thanks,