On Mon, Sep 09, 2019 at 04:01:59PM +0200, Ondřej Kuzník wrote:
I mean the ber_str2bv(,,1,) in both new functions. Not sure which code you think would overwrite parts of the buffer? ber_str2bv(,,0,) never touches it, manually initialising the berval certainly wouldn't either. And then you have fewer memory regions to scrub.
Since you already know the length, you can also pass it in so ber_str2bv can skip its strlen() check (and since anything can be in a {PLAINTEXT} password, you're now embedded NUL safe).
Ah, OK, I didn't realize that would be NUL safe. I made an updated patch with that change[1].
I think I mentioned this before as something worth changing: rather than call time(0L), you can use op->o_time which is stable and the closest you can get to the time the operation was received.
Yes, sorry, I did see that before, just forgot to do it. It's also included in the latest update[1].
BTW, scinet.supercomputing.org's HTTPS cert is signed by Let's Encrypt Authority X3 as an intermediate, but isn't sending it during the handshake, so wget/curl aren't happy trusting it (I think browsers cache it or already have a copy).
Thank you, this has been corrected.
[1] https://scinet.supercomputing.org/~gv/slapd-totp-v5.txt
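
The two ber_str2bv points discussed above (dup=0 leaves a single buffer to scrub; passing the known length keeps strlen() from cutting a value at an embedded NUL), as an added example that is not code from the patch or from OpenLDAP. `struct bv` and `str2bv` are local stand-ins written for this sketch, on the assumption that ber_str2bv treats len == 0 as "measure with strlen()"; the secret bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Local stand-in for liblber's struct berval: a pointer plus an explicit length. */
struct bv { size_t bv_len; char *bv_val; };

/* Stand-in for ber_str2bv(s, len, dup, bv). Assumed semantics: len == 0 means
 * "measure with strlen()", dup == 0 means "point at the caller's buffer". */
static struct bv *str2bv(char *s, size_t len, int dup, struct bv *out)
{
    if (s == NULL || out == NULL) return NULL;
    out->bv_len = len ? len : strlen(s);
    if (!dup) { out->bv_val = s; return out; }
    if ((out->bv_val = malloc(out->bv_len + 1)) == NULL) return NULL;
    memcpy(out->bv_val, s, out->bv_len);
    out->bv_val[out->bv_len] = '\0';
    return out;
}

/* Constructed 5-byte secret with an embedded NUL (the literal adds a terminator). */
static const char SAMPLE[] = "ab\0cd";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Length recorded for the secret when the caller does or does not pass its length. */
size_t wrapped_len(int pass_len)
{
    char buf[sizeof SAMPLE];
    struct bv v;
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    str2bv(buf, pass_len ? SAMPLE_LEN : 0, 0, &v);
    return v.bv_len;
}

/* Number of distinct buffers holding the secret after wrapping: 1 or 2. */
int regions_to_scrub(int dup)
{
    char buf[sizeof SAMPLE];
    struct bv v;
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    if (str2bv(buf, SAMPLE_LEN, dup, &v) == NULL) return -1;
    if (v.bv_val == buf) return 1;   /* bv aliases buf: one region to clear */
    free(v.bv_val);                  /* a real caller must scrub this copy too */
    return 2;
}

int main(void)
{
    printf("len: strlen=%zu explicit=%zu; regions: dup0=%d dup1=%d\n",
           wrapped_len(0), wrapped_len(1), regions_to_scrub(0), regions_to_scrub(1));
    return 0;
}
```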