Bug in Two Step Enrollment Key #1347
Upon Token Enrollment, once the user scans the QR Code, privacyIDEA Authenticator generates the key.
But there is a bug, wherein if the key generated in Authenticator is 12 characters long, privacyIDEA accepts any character in the end.
For example if authenticator generates the key as AAA-BBB-CCC-DDD, but if user enters the key in privacyIDEA window as AAA-BBB-CCC-DDE it's accepted and OTP works.
added a commit (Dec 20, 2018)
I added a test for the client component check and everything works fine. Obviously it is due to a strange character alignment that in this corner case the base32 encoding encodes more than the payload.
In the tests you can see that the payload is the same. This "collision" only happens with the last character. (Actually I never liked base32 encoding.)
This looks good to me.
(It is important to note that if you want to show this on a trade fair - either use a different client component length or change a character in the middle ;-)
Interesting! I was curious, so I looked into this some more. For the record, this effect happens because of the payload length of 12 bytes (= 8 bytes client component + 4 bytes checksum), i.e. 96 bits. During encoding, base32 maps groups of 5 bits to one character. If the payload length is not divisible by 5, the payload is filled with zeros. When decoding, every character is converted back to a group of 5 bits. For the very last group, only the most significant bit matters. So replacing

```
>>> decode_base32check("TIXQW4ydvn2aos4cj6ta")
'03ab74074b824fa6'
>>> decode_base32check("TIXQW4ydvn2aos4cj6tq")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "privacyidea/lib/utils.py", line 315, in decode_base32check
    raise ParameterError("Malformed base32check data: Incorrect checksum")
privacyidea.lib.error.ParameterError: ERR905: Malformed base32check data: Incorrect checksum
```
So this is really only a problem when showing 2step enrollment at trade fairs :-)
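The mechanism described in the comments above (96-bit payload, 20 base32 characters, only the top bit of the last character carrying data) can be reproduced with a few lines of Python. The following is an added example, not privacyIDEA's own code: the checksum scheme (a truncated SHA-1 over the client component) and the function names are assumptions made for illustration, so the encoded string differs from the one shown in the issue. It counts how many final characters a typical base32 decoder accepts as the same key, and shows the usual mitigation if strict input validation is wanted: re-encode the decoded bytes and require the input to match the canonical form.

```python
import base64
import hashlib

B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
CHECKSUM_LEN = 4  # bytes, as stated in the issue discussion (8 bytes data + 4 bytes checksum)


def checksum(data: bytes) -> bytes:
    # Assumption for illustration only: truncated SHA-1, not privacyIDEA's actual scheme.
    return hashlib.sha1(data).digest()[:CHECKSUM_LEN]


def encode_base32check(data: bytes) -> str:
    """Append the checksum, base32-encode, and drop the '=' padding (display form)."""
    payload = data + checksum(data)
    return base64.b32encode(payload).decode("ascii").rstrip("=")


def decode_base32check_lenient(encoded: str) -> str:
    """Typical decoder: the unused low bits of the last character are silently ignored."""
    s = encoded.upper()
    s += "=" * (-len(s) % 8)          # restore '=' padding to a multiple of 8 characters
    payload = base64.b32decode(s)     # base64.b32decode does not reject non-zero pad bits
    data, check = payload[:-CHECKSUM_LEN], payload[-CHECKSUM_LEN:]
    if checksum(data) != check:
        raise ValueError("Malformed base32check data: Incorrect checksum")
    return data.hex()


def decode_base32check_strict(encoded: str) -> str:
    """Hardened variant: additionally require the input to be the canonical encoding."""
    data_hex = decode_base32check_lenient(encoded)
    if encode_base32check(bytes.fromhex(data_hex)) != encoded.upper():
        raise ValueError("Malformed base32check data: non-canonical trailing bits")
    return data_hex


def accepted_last_chars(encoded: str, decoder) -> set:
    """Return every final character the given decoder accepts as encoding the same key."""
    expected = decoder(encoded)
    accepted = set()
    for c in B32_ALPHABET:
        try:
            if decoder(encoded[:-1] + c) == expected:
                accepted.add(c)
        except ValueError:
            pass
    return accepted


# 8-byte client component; the hex value is taken from the decoder output quoted in the issue.
CLIENT_COMPONENT = bytes.fromhex("03ab74074b824fa6")


if __name__ == "__main__":
    enc = encode_base32check(CLIENT_COMPONENT)
    print(enc, len(enc))                                                    # 12 bytes -> 20 characters
    print(sorted(accepted_last_chars(enc, decode_base32check_lenient)))    # 16 characters accepted
    print(sorted(accepted_last_chars(enc, decode_base32check_strict)))     # only the canonical one
```

The last character of a 20-character encoding holds bit 96 of the stream plus four pad bits, so the 16 alphabet characters that share its most significant bit all decode to the same 12 bytes and pass the checksum; the 16 with the opposite bit change the last checksum byte and are rejected, which is exactly the `...6ta` versus `...6tq` behaviour shown above. The strict decoder closes the gap without touching the checksum logic.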