sha256/sha512 secret buffer size #77
…-time passcode to work correctly
Thank you for the pull request! Please see review comments for feedback.
index.js
Outdated
secret_buffer_size = 32; // 32 bytes | ||
} else if (algorithm === 'sha512') { | ||
secret_buffer_size = 64; // 64 bytes | ||
} else { |
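Review bot: The trailing comments `// 32 bytes` and `// 64 bytes` on the two assignments only restate the literals. Say what the numbers are (the SHA-256 and SHA-512 digest lengths), or replace the `else if` chain with a small map from algorithm name to size, so that an algorithm with no entry is an explicit miss rather than whatever the final `else` assigns.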
This case should check for `sha1`. The default case should warn when an unsupported algorithm is given; the `crypto` module accepts algorithms not officially supported by the spec. Throwing an exception would be safer, but would restrict usage. Thoughts?
sha1 is not explicit rather than implied, also added a test for not throwing an error for unofficial algorithms
index.js
Outdated
@@ -40,6 +40,16 @@ exports.digest = function digest (options) { | |||
if (encoding === 'base32') { secret = base32.decode(secret); } | |||
secret = new Buffer(secret, encoding); | |||
} | |||
// pad the buffer to the correct size be repeating the secret | |||
var secret_buffer_size; |
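Review bot: The new comment above `var secret_buffer_size;` has a typo ("be repeating" should be "by repeating") and calls the step padding without saying what it affects. It should state that the repeated bytes become the HMAC key, so a reader knows the digest is computed over a different key than the caller supplied whenever the lengths differ.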
Initialize this variable to `0` or similar for 'no padding'.
I now handle a no padding state
index.js
Outdated
} else { | ||
secret_buffer_size = 20; // 20 bytes | ||
} | ||
secret = new Buffer(Array(secret_buffer_size).join(secret.toString('hex')).substr(0, secret_buffer_size * 2), 'hex'); |
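Review bot: On the `secret = new Buffer(Array(...` line, `.substr(0, secret_buffer_size * 2)` also shortens a secret that is longer than `secret_buffer_size`, so a 32-byte secret in the 20-byte branch loses 12 bytes of key material. Guard the statement with `secret.length < secret_buffer_size` so longer secrets pass through untouched. Separately, `Array(n).join(s)` yields n - 1 copies of `s`, so a one-byte secret comes out one byte short of the target; `Array(secret_buffer_size + 1)` avoids that.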
For efficiency, when padding is not needed, this code should not run.
This step is only performed if the secret_buffer_size is now different from the secret.length
…epeat the key rather than the end user
Super, thank you for the quick update!
The secret buffer needs to be repeated to the proper size for the one-time passcode to work correctly. Resolves issue #76
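
The repetition this pull request describes can be checked against RFC 6238 Appendix B, whose reference code uses 20-, 32- and 64-byte seeds that are the same ASCII digits repeated. The sketch below is an added example, not code from this pull request or from the project; `KEY_BYTES`, `sizeSecret` and `totp` are hypothetical names, and leaving longer secrets and unlisted algorithms unchanged is an assumption of the sketch.

```javascript
'use strict';
const crypto = require('crypto');

// Digest length in bytes for the three algorithms named in the review.
const KEY_BYTES = { sha1: 20, sha256: 32, sha512: 64 };

// Hypothetical helper: repeat `secret` until it fills the digest length.
// Secrets already long enough, and algorithms not in the table, are
// returned unchanged (the "no padding" state), so no key bytes are dropped.
function sizeSecret(secret, algorithm) {
  if (!Buffer.isBuffer(secret) || secret.length === 0) {
    throw new TypeError('secret must be a non-empty Buffer');
  }
  const size = KEY_BYTES[String(algorithm).toLowerCase()] || 0;
  if (secret.length >= size) return secret;
  // Buffer.alloc repeats the fill value and cuts it off at `size` bytes.
  return Buffer.alloc(size, secret);
}

// TOTP (RFC 6238) over the sized secret; 8 digits and a 30 s step match
// the parameters of the Appendix B test vectors.
function totp(secret, algorithm, unixSeconds, digits = 8, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto
    .createHmac(algorithm, sizeSecret(secret, algorithm))
    .update(counter)
    .digest();
  // Dynamic truncation (RFC 4226): low nibble of the last byte is the offset.
  const offset = mac[mac.length - 1] & 0x0f;
  const code = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(code % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 Appendix B seed for SHA-1: the ASCII string below (20 bytes).
const seed = Buffer.from('12345678901234567890', 'ascii');
for (const alg of ['sha1', 'sha256', 'sha512']) {
  console.log(alg, sizeSecret(seed, alg).length, totp(seed, alg, 59));
}
```

A verifier that feeds the unrepeated 20-byte secret to HMAC-SHA256 or HMAC-SHA512 computes a different code, so both sides have to agree on this sizing step.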