Re: OTP broken?
Emmanuel Dreyfus <manu@netbsd.org> wrote:
> $ ldapwhomai -Y OTP -X dn:${user_dn}
> SASL/OTP authentication started
> (delay)
> ldap_sasl_interactive_bind_s: Server is unavailable (52)
> additional info: SASL(-8): transient failure (e.g., weak key):
> simultaneous OTP authentications not permitted
I made some progress, with a fix in cyrus SASL (I also include my added
SHA2 support just in case someone has a comment on it).
This was a signedness problem in the timeout parameter: read as signed
on machines with a 32-bit time_t, it always ends up in the far future.
Scanning it as unsigned fixes the problem.
--- plugins/otp.c.orig 2012-10-12 16:05:48.000000000 +0200
+++ plugins/otp.c 2015-11-07 15:19:43.000000000 +0100
@@ -92,8 +92,12 @@
static algorithm_option_t algorithm_options[] = {
{"md4", 0, "md4"},
{"md5", 0, "md5"},
{"sha1", 4, "sha1"},
+ {"sha224", 4, "sha224"},
+ {"sha256", 4, "sha256"},
+ {"sha384", 4, "sha384"},
+ {"sha512", 4, "sha512"},
{NULL, 0, NULL}
};
/* Convert the binary data into ASCII hex */
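Review bot: the second member of each new SHA-2 entry (`4`) is copied verbatim from the `sha1` line, so please confirm what that field selects before this is merged; md4/md5 use `0` and sha1 uses `4`, and if it controls how the digest is folded down to the OTP result, a 28/32/48/64-byte SHA-2 digest may need different handling than a 20-byte SHA-1 digest rather than the same value for all four. A comment on the struct or in the commit message stating the meaning of that field would help. Also worth noting in the commit message that RFC 2289 only defines md4, md5 and sha1, so secrets generated with these new algorithm names will not interoperate with other OTP implementations.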
@@ -675,9 +679,9 @@
SETERROR(utils, "OTP secret too short");
return SASL_FAIL;
}
- sscanf(secret, "%s\t%04d\t%s\t%s\t%020ld",
+ sscanf(secret, "%s\t%04d\t%s\t%s\t%020lu",
alg, seq, seed, buf, timeout);
hex2bin(buf, otp, OTP_HASH_SIZE);
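Review bot: switching `%020ld` to `%020lu` only fixes the read side; the code that writes the secret/timeout record must emit the value with the matching unsigned conversion, and `timeout` must actually be an `unsigned long *` for `%lu` to be well-defined (if it is a `time_t *`, pass a temporary `unsigned long` and assign it afterwards). While touching this line, the return value of `sscanf` should be checked for 5 converted fields, otherwise `timeout` (and the other fields) stay uninitialised when the record is short or malformed, and the three bare `%s` conversions into `alg`, `seed` and `buf` should carry width limits sized to those buffers, e.g. `"%31s\t%04d\t%31s\t%255s\t%020lu"` with whatever the real buffer sizes are, since an over-long record would otherwise overrun them.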
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org