
Re: OTP broken?



Emmanuel Dreyfus <manu@netbsd.org> wrote:

> $ ldapwhoami -Y OTP -X dn:${user_dn}
> SASL/OTP authentication started
> (delay)
> ldap_sasl_interactive_bind_s: Server is unavailable (52)
>         additional info: SASL(-8): transient failure (e.g., weak key):
>         simultaneous OTP authentications not permitted

I made some progress, with a fix in Cyrus SASL (I also include my added
SHA2 support just in case someone has a comment on it).

This was a signedness problem in the timeout parameter: read as signed
on machines with a 32-bit time_t, it always ends up in the far future.
Scanning it as unsigned fixes the problem.

--- plugins/otp.c.orig  2012-10-12 16:05:48.000000000 +0200
+++ plugins/otp.c       2015-11-07 15:19:43.000000000 +0100
@@ -92,8 +92,12 @@
 static algorithm_option_t algorithm_options[] = {
     {"md4",    0,      "md4"},
     {"md5",    0,      "md5"},
     {"sha1",   4,      "sha1"},
+    {"sha224", 4,      "sha224"},
+    {"sha256", 4,      "sha256"},
+    {"sha384", 4,      "sha384"},
+    {"sha512", 4,      "sha512"},
     {NULL,     0,      NULL}
 };
 
 /* Convert the binary data into ASCII hex */
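Review bot: the four new rows copy sha1's second field, 4, while md4 and md5 use 0, and nothing in the hunk or the message says what that column means for digests of 28, 32, 48 and 64 bytes; a one-line comment above the table (or in the commit note) stating why 4 is right for every SHA-2 entry would let a reviewer check it instead of trusting the copy. Since RFC 2289 defines OTP only for MD4, MD5 and SHA1, these entries are a local extension that other OTP generators will not produce, so the documentation should flag them as non-interoperable; also confirm that the third-field names ("sha224" and so on) are the digest names the linked crypto library accepts, and preferably reject an entry whose digest lookup fails at plugin init rather than at the first authentication.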
@@ -675,9 +679,9 @@
            SETERROR(utils, "OTP secret too short");
            return SASL_FAIL;
        }
        
-       sscanf(secret, "%s\t%04d\t%s\t%s\t%020ld",
+       sscanf(secret, "%s\t%04d\t%s\t%s\t%020lu",
               alg, seq, seed, buf, timeout);
        
        hex2bin(buf, otp, OTP_HASH_SIZE);
      
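Review bot: changing `%020ld` to `%020lu` changes the interpretation but not the size of the store: the declaration of `timeout` is outside the hunk, and if it is a `time_t *` wider than `long` (32-bit `long` with 64-bit `time_t`), either conversion fills only `sizeof(long)` bytes and leaves the rest unset, which also yields far-future values. Scan into a `long long` or `intmax_t` temporary, or better use `strtoull` with an `ERANGE` check (a value outside the range of `unsigned long` makes the `%lu` conversion undefined behaviour), and assign to `*timeout`. The return value of `sscanf` is also unchecked: five conversions are expected, and a short match leaves some of `alg`, `seq`, `seed`, `buf` and `timeout` uninitialized yet `buf` is still passed to `hex2bin` on the next line, so compare the result against 5 and fail with `SETERROR` as the length check above does. The three `%s` conversions into `alg`, `seed` and `buf` carry no field width; that predates this patch but belongs in the same fix.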

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
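The signedness problem described in the message above, as an added example that is not part of Emmanuel's patch or of Cyrus SASL: a bounds-checked parser for the five tab-separated fields the patch's `sscanf` format implies (algorithm, sequence number, seed, hex OTP, timeout). The field sizes, the `otp_record` type, the sample record and the `otp_lock_active` helper are assumptions made for this example; the timeout is converted with `strtoull` and range-checked instead of being scanned into a `long`, so an oversized, signed or garbage value is rejected rather than silently becoming a far-future lock.

```c
/* Added example, not Cyrus SASL code. Parses the record layout implied by
 * the patch's sscanf format:  alg \t seq \t seed \t hex-otp \t timeout
 * Buffer sizes and the lock semantics below are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OTP_ALG_MAX  16   /* assumed maximum algorithm-name length */
#define OTP_SEED_MAX 32   /* assumed maximum seed length */
#define OTP_HEX_LEN  16   /* 8-byte OTP as 16 hex digits */

struct otp_record {
    char     alg[OTP_ALG_MAX + 1];
    unsigned seq;                     /* the %04d field */
    char     seed[OTP_SEED_MAX + 1];
    char     otp_hex[OTP_HEX_LEN + 1];
    uint64_t timeout;                 /* epoch seconds, never negative */
};

/* Decimal digits only (no sign, no junk), rejecting overflow via ERANGE. */
static int parse_u64_field(const char *s, size_t len, uint64_t *out)
{
    char buf[21];                     /* up to 20 digits + NUL */
    if (len == 0 || len > 20) return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    errno = 0;
    char *end;
    unsigned long long v = strtoull(buf, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Copy a field into a fixed buffer, failing instead of truncating. */
static int copy_field(const char *s, size_t len, char *dst, size_t max)
{
    if (len == 0 || len > max) return -1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 0;
}

/* Returns 0 on success, -1 on a malformed or out-of-range record. */
int parse_otp_record(const char *secret, struct otp_record *r)
{
    const char *f[5];
    size_t l[5];
    const char *p = secret;
    for (int i = 0; i < 5; i++) {
        const char *tab = strchr(p, '\t');
        if (i < 4) {
            if (!tab) return -1;      /* too few fields */
            f[i] = p; l[i] = (size_t)(tab - p); p = tab + 1;
        } else {
            if (tab) return -1;       /* too many fields */
            f[i] = p; l[i] = strlen(p);
        }
    }
    memset(r, 0, sizeof *r);
    if (copy_field(f[0], l[0], r->alg, OTP_ALG_MAX)) return -1;
    uint64_t seq;
    if (parse_u64_field(f[1], l[1], &seq) || seq > 9999) return -1;
    r->seq = (unsigned)seq;
    if (copy_field(f[2], l[2], r->seed, OTP_SEED_MAX)) return -1;
    if (l[3] != OTP_HEX_LEN) return -1;
    for (size_t i = 0; i < l[3]; i++)
        if (!isxdigit((unsigned char)f[3][i])) return -1;
    memcpy(r->otp_hex, f[3], l[3]);
    r->otp_hex[l[3]] = '\0';
    return parse_u64_field(f[4], l[4], &r->timeout);
}

/* Assumed lock rule behind "simultaneous OTP authentications not permitted":
 * another attempt is considered in progress while the stored timeout lies
 * in the future, which is why a mis-parsed far-future value locks the user out. */
int otp_lock_active(const struct otp_record *r, uint64_t now)
{
    return r->timeout > now;
}

int main(void)
{
    /* Constructed sample record, not real data. */
    const char *rec = "sha1\t0099\tke1234\t0123456789abcdef\t00000000001446905983";
    struct otp_record r;
    if (parse_otp_record(rec, &r) != 0) { puts("malformed record"); return 1; }
    printf("alg=%s seq=%u seed=%s timeout=%" PRIu64 " locked=%d\n",
           r.alg, r.seq, r.seed, r.timeout, otp_lock_active(&r, 1446905000ULL));
    return 0;
}
```

Splitting on tabs with `strchr` rather than `%s` conversions gives every field an explicit length check, and the numeric fields go through `strtoull` so an out-of-range value is an error instead of undefined behaviour in `sscanf`.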