On Fri, Jul 19, 2019 at 07:21:35PM +0200, Ondřej Kuzník wrote:
> > if (chk_totp(&passwd_otp, &cred_otp, mech, text) == LUTIL_PASSWD_OK
> > && lutil_passwd(&passwd_pass, &cred_pass, NULL,
> > text)
> > == LUTIL_PASSWD_OK)
> > rc = LUTIL_PASSWD_OK;
>
> This only checks the password if OTP check passed, right? So if checking
> the password takes a measurable amount of time, an attacker can see if
> they hit the right OTP token without it being voided.
Ah, yes, sorry I didn't quite catch what you were getting at previously there. I'll submit an updated patch shortly to fix this, as well as some documentation updates for issues pointed out.

-- 
Greg Veldman
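The short-circuit problem Ondřej points out, shown side by side with the usual fix, as an added illustration that is not part of this thread or of the OpenLDAP patch under review. The checks are constructed stand-ins for chk_totp() and lutil_passwd() (plain strcmp, with call counters so the difference is observable); PASSWD_OK/PASSWD_ERR are assumed values standing in for the liblutil constants. The point is evaluation order: with `&&` the password check runs only after a correct OTP, so response time (and whether the token gets voided) depends on the OTP alone; running both checks unconditionally and combining the results removes that dependency.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values standing in for LUTIL_PASSWD_OK / LUTIL_PASSWD_ERR. */
#define PASSWD_OK  0
#define PASSWD_ERR 1

/* Call counters: a test can observe which checks actually ran. */
static int otp_calls;
static int pass_calls;

/* Constructed stand-ins for chk_totp() and lutil_passwd(). strcmp is
 * used only to keep the example short; a real implementation compares
 * secrets in constant time. */
static int check_otp(const char *expected, const char *given) {
    otp_calls++;
    return strcmp(expected, given) == 0 ? PASSWD_OK : PASSWD_ERR;
}

static int check_password(const char *expected, const char *given) {
    pass_calls++;
    return strcmp(expected, given) == 0 ? PASSWD_OK : PASSWD_ERR;
}

/* Shape of the quoted code: && short-circuits, so the password check
 * runs only when the OTP was right. Time spent (and any side effects
 * such as voiding the token) therefore reveal whether the OTP matched. */
int check_both_leaky(const char *otp, const char *otp_given,
                     const char *pw, const char *pw_given) {
    int rc = PASSWD_ERR;
    if (check_otp(otp, otp_given) == PASSWD_OK
        && check_password(pw, pw_given) == PASSWD_OK)
        rc = PASSWD_OK;
    return rc;
}

/* Fixed shape: evaluate both factors unconditionally, then combine the
 * results with a bitwise OR rather than a branch. The same work is done
 * whichever factor was wrong, so the caller learns only "both right" or
 * "something wrong". */
int check_both_fixed(const char *otp, const char *otp_given,
                     const char *pw, const char *pw_given) {
    int rc_otp  = check_otp(otp, otp_given);
    int rc_pass = check_password(pw, pw_given);
    return (rc_otp | rc_pass) == PASSWD_OK ? PASSWD_OK : PASSWD_ERR;
}

void reset_counters(void) { otp_calls = 0; pass_calls = 0; }
int get_otp_calls(void)   { return otp_calls; }
int get_pass_calls(void)  { return pass_calls; }

int main(void) {
    /* Wrong OTP, right password: the leaky form skips the password check. */
    reset_counters();
    check_both_leaky("123456", "000000", "s3cret", "s3cret");
    printf("leaky: otp checks=%d password checks=%d\n",
           get_otp_calls(), get_pass_calls());

    reset_counters();
    check_both_fixed("123456", "000000", "s3cret", "s3cret");
    printf("fixed: otp checks=%d password checks=%d\n",
           get_otp_calls(), get_pass_calls());
    return 0;
}
```

The counters make the behaviour visible without timing anything: for a wrong OTP the leaky form never touches the password, while the fixed form always performs both checks. Whatever voids a used-up OTP token should likewise run on every attempt, not only after the password check succeeds.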
