Switch to golang's crypto/rand #12
} | ||
|
||
return string(bytes) | ||
return hex.EncodeToString(s[:length]) |
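Review bot: `return hex.EncodeToString(s[:length])` returns 2*length hexadecimal characters rather than a string of `length` characters, so any caller that relied on the size of the old `return string(bytes)` result needs checking; please document whether `length` counts random bytes or output characters. The slice expression `s[:length]` also panics if `length` is larger than `s`, so validate `length` (or allocate `s` from it) before slicing.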
Random secret should be in base32 format according to OTP.secret.
16 bytes with that constrained alphabet (base32) is probably not a large enough search space to be secure.
https://datatracker.ietf.org/doc/html/rfc4226#appendix-A.4.1
https://datatracker.ietf.org/doc/html/rfc6238
https://datatracker.ietf.org/doc/html/rfc4086#page-34
From https://github.com/pquerna/otp/blob/60112ee2a95553a491c22956619ef30260ec93e8/totp/totp.go#L150
```go
var b32NoPadding = base32.StdEncoding.WithPadding(base32.NoPadding)
b32NoPadding.EncodeToString(secret)
```
Still needs to be 32 bytes though.
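As an added example (not code from this PR or from pquerna/otp), the generation discussed in this thread can be written as follows: bytes are read from crypto/rand and encoded with the unpadded base32 encoder quoted above. The names `NewSecret` and `SecretBits` are hypothetical, and the 32-byte size is the one asked for in the thread.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
)

// b32NoPadding is the encoder quoted in the thread from pquerna/otp.
var b32NoPadding = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewSecret (hypothetical name) draws nBytes from the operating system's
// CSPRNG via crypto/rand and returns them base32-encoded without padding.
func NewSecret(nBytes int) (string, error) {
	if nBytes <= 0 {
		return "", errors.New("secret length must be positive")
	}
	raw := make([]byte, nBytes)
	// rand.Read fills the whole slice or reports an error; on failure we
	// return the error instead of falling back to a weaker source.
	if _, err := rand.Read(raw); err != nil {
		return "", fmt.Errorf("crypto/rand: %w", err)
	}
	return b32NoPadding.EncodeToString(raw), nil
}

// SecretBits (hypothetical name) decodes an unpadded base32 secret and reports
// how many random bits it carries: 8 per decoded byte, 5 per base32 character.
func SecretBits(secret string) (int, error) {
	raw, err := b32NoPadding.DecodeString(secret)
	if err != nil {
		return 0, fmt.Errorf("not unpadded base32: %w", err)
	}
	return len(raw) * 8, nil
}

func main() {
	s, err := NewSecret(32) // 32 bytes, the size asked for in the thread
	if err != nil {
		panic(err)
	}
	bits, _ := SecretBits(s)
	fmt.Printf("%s (%d chars, %d bits)\n", s, len(s), bits)
}
```

`SecretBits` makes the bytes-versus-characters distinction visible: a 16-character base32 string decodes to 10 bytes (80 bits), while 32 random bytes encode to 52 characters (256 bits).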
Trying to figure out how to edit this PR in the web UI without actually going to the trouble of cloning it locally haha
I am closing this pull request. I locally cloned your branch. Unfortunately it has some issues.
Need to just add import "log" and import "hex" :)
To close #3. On a cloud server, there might be insufficient entropy available. Haveged is one option for that, but ultimately a hardware RNG would be a better option.