You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have just upgraded syspass to the newest version and everything seems to work fine except for the 2fa plugin. After installing the v2 version and enabling it in the admin menu, nobody is able to log in because the 2fa plugin outputs internal error on every log in attempt.
The reason for this is a change in IV processing for existing users/configurations. When the user attempts to verify a PIN, syspass will load the corresponding IV from the DB. In the old version, this raw IV is then encoded using Base2N and then passed to the google authentication. In the new version, the raw IV is sent directly to the google authenticator which raises an exception (Google2FA.php, line 100) since the raw IV contains invalid base32 characters, e.g. 5718d5e75278.....d3dfbdd4c9a.
To fix this, one has to emulate the old behavior and add this to AuthenticatorService.php:
public static function verifyKey(string $key, string $iv)
{
$base32 = new Base2n(
5,
'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
false,
true,
true
);
$iv = substr($base32->encode($iv), 0, 16);
return Google2FA::verify_key($iv, $key);
}
After this change to verifyKey(), everything starts working.
Best regards,
David Fabian
The text was updated successfully, but these errors were encountered:
Hello, it's a nice hack, but unfortunately it will break current implementations in which old data do not exist. The root of this issue is that the old implementation stored the IV in raw mode, so it need to be encoded into base32 before checking, but the current one does store it in base32, so no encoding is needed when checking it.
I'll try to fix it by upgrading the old data instead.
the best solution would be to update the data during DB update. You are correct that my fix breaks the new implementation (I came across it today). In the meantime, I updated my hack to this
Hello,
I have just upgraded syspass to the newest version and everything seems to work fine except for the 2fa plugin. After installing the v2 version and enabling it in the admin menu, nobody is able to log in because the 2fa plugin outputs
internal error
on every log in attempt.The reason for this is a change in IV processing for existing users/configurations. When the user attempts to verify a PIN, syspass will load the corresponding IV from the DB. In the old version, this raw IV is then encoded using
Base2N
and then passed to the google authentication. In the new version, the raw IV is sent directly to the google authenticator which raises an exception (Google2FA.php, line 100) since the raw IV contains invalid base32 characters, e.g.5718d5e75278.....d3dfbdd4c9a
.To fix this, one has to emulate the old behavior and add this to AuthenticatorService.php:
After this change to
verifyKey()
, everything starts working.Best regards,
David Fabian
The text was updated successfully, but these errors were encountered: