Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to golang's crypto/rand #12

Closed
wants to merge 1 commit into from
Closed

Switch to golang's crypto/rand #12

wants to merge 1 commit into from

Conversation

codewinch
Copy link

@codewinch codewinch commented Jan 4, 2022
edited
Loading

To close #3 . On a cloud server, there might be insufficient entropy available. Havaged is one option for that, but ultimately a hardware RNG would be a better option.

mergenchik
mergenchik reviewed Jan 5, 2022
View reviewed changes
utils.go
}

return string(bytes)
return hex.EncodeToString(s[:length])
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

random secret should be base32 format according to OTP.secret.

Copy link
Author

@codewinch codewinch Jan 5, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

16 bytes with that constrained alphabet (base32) is probably not a large enough search space to be secure.

https://datatracker.ietf.org/doc/html/rfc4226#appendix-A.4.1
https://datatracker.ietf.org/doc/html/rfc6238
https://datatracker.ietf.org/doc/html/rfc4086#page-34

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from https://github.com/pquerna/otp/blob/60112ee2a95553a491c22956619ef30260ec93e8/totp/totp.go#L150

var b32NoPadding = base32.StdEncoding.WithPadding(base32.NoPadding)
b32NoPadding(EncodeToString(secret))

Still needs to be 32 bytes though.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trying to figure out how to edit this PR in the web UI without actually going to the trouble of cloning it locally haha

This was referenced Jan 5, 2022
Closed
Closed
@mergenchik
Copy link
Collaborator

I am closing this pull request. I locally cloned your branch. Unfortunately it has some issues.

# github.com/codewitch/gotp [github.com/codewitch/gotp.test]
./utils.go:83:3: undefined: log
./utils.go:86:9: undefined: hex
FAIL	github.com/codewitch/gotp [build failed]

@mergenchik mergenchik closed this Jan 7, 2022
@codewinch
Copy link
Author

need to just add import "log" and import "hex" :)

@codewinch codewinch deleted the patch-1 branch January 7, 2022 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mergenchik mergenchik mergenchik left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Insecure Default RandomSecret() Generator
2 participants
@codewinch @mergenchik