Tiqr / tiqr

Obsolete GitHub repo for the tiqr.org project. Note that the repository is split into several individual repos, all with a tiqr- prefix.

Does tiqr server now require OCRA's session information everytime? #52

Open dmiyakawa opened 9 years ago

dmiyakawa commented 9 years ago

OCRA (RFC 6287) does not require session information, while tiqr server (Tiqr/Service.php) seems to.

To be more specific, Tiqr_Service::_uniqueSessionKey() in 1.0.0 used the following code:

```php
protected function _uniqueSessionKey($prefix)
{
    $value = 1;
    // Draw random keys until one is not yet present in the state storage.
    while ($value!=NULL) {
        $sessionKey = Tiqr_Random::randomHexString(self::SESSIONKEY_SIZE);
        $value = $this->_stateStorage->getValue($prefix.$sessionKey);
    }
    return $sessionKey;
}
```

SESSIONKEY_SIZE is irrelevant to OCRA, so this is fine.

On the other hand the current master's equivalent is as follows:

```php
protected function _uniqueSessionKey($prefix)
{
    $value = 1;
    // Same loop, but the key now comes from the OCRA wrapper instead of Tiqr_Random.
    while ($value!=NULL) {
        $sessionKey = $this->_ocraWrapper->generateSessionKey();
        $value = $this->_stateStorage->getValue($prefix.$sessionKey);
    }
    return $sessionKey;
}
```

Now generateSessionKey() throws an exception when session information is not embedded in an OCRA suite. I'm using "OCRA-1:HOTP-SHA1-6:QH10" for an example suite.

OCRAParser and OCRAWrapper seem fine. The following PHP script works without any exception:

```php
<?php
require_once("Tiqr/OATH/OCRAWrapper.php");
$suite = 'OCRA-1:HOTP-SHA1-6:QH10';
$ocraParser = new OATH_OCRAParser($suite);
echo "challenge: " . $ocraParser->generateChallenge() . "\n";
$ocraWrapper = new Tiqr_OCRAWrapper($suite);
echo "challenge: " . $ocraWrapper->generateChallenge() . "\n";
```

Here is an example result:

```console
$ php test.php
challenge: c32bfb0b1d
challenge: e4ca828e2f
```

I'm very new to OCRA and tiqr, so correct me if I'm wrong.
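As an added illustration of the point raised above (this is not tiqr's own code), here is a small PHP parser for RFC 6287 suite strings together with a session-key generator that only relies on the suite's session component when that component is actually present, and otherwise falls back to the CSPRNG, which is the behaviour the 1.0.0 loop had. `parseOcraSuite`, `generateSessionKey`, `uniqueSessionKey` and the `$exists` callback are hypothetical names, and the in-memory `$store` is a constructed stand-in for tiqr's `_stateStorage`.

```php
<?php
// Added illustration, not tiqr project code: parse an OCRA suite string
// (RFC 6287, "OCRA-1:CryptoFunction:DataInput") and show that the session
// component "S" is optional, so a server-side session key must not depend on it.

function parseOcraSuite(string $suite): array
{
    $parts = explode(':', $suite);
    if (count($parts) !== 3 || $parts[0] !== 'OCRA-1') {
        throw new InvalidArgumentException("Unsupported OCRA suite: $suite");
    }
    [, $cryptoFunction, $dataInput] = $parts;

    if (!preg_match('/^HOTP-(SHA1|SHA256|SHA512)-(\d{1,2})$/', $cryptoFunction, $m)) {
        throw new InvalidArgumentException("Unsupported CryptoFunction: $cryptoFunction");
    }
    $info = [
        'hash'           => $m[1],
        'digits'         => (int) $m[2],
        'counter'        => false,
        'challenge'      => null,   // ['format' => A|N|H, 'max_length' => int]
        'pin_hash'       => null,
        'session_length' => null,   // bytes of session information, or null if absent
        'timestep'       => null,
    ];

    // DataInput is [C]|QFxx|[PH]|[Snnn]|[TG]; only the challenge is mandatory.
    foreach (explode('-', $dataInput) as $component) {
        if ($component === 'C') {
            $info['counter'] = true;
        } elseif (preg_match('/^Q([ANH])(\d{2})$/', $component, $m)) {
            $info['challenge'] = ['format' => $m[1], 'max_length' => (int) $m[2]];
        } elseif (preg_match('/^P(SHA1|SHA256|SHA512)$/', $component, $m)) {
            $info['pin_hash'] = $m[1];
        } elseif (preg_match('/^S(\d{3})?$/', $component, $m)) {
            $info['session_length'] = isset($m[1]) ? (int) $m[1] : 64; // RFC default S064
        } elseif (preg_match('/^T(?:(\d{1,2})([SMH]))?$/', $component, $m)) {
            $info['timestep'] = isset($m[1]) ? $m[1] . $m[2] : '1M';   // RFC default 1M
        } else {
            throw new InvalidArgumentException("Unknown DataInput component: $component");
        }
    }
    if ($info['challenge'] === null) {
        throw new InvalidArgumentException("OCRA suite must contain a challenge (Q) component");
    }
    return $info;
}

// Derive an unpredictable key for server-side state. The key length follows the
// suite's S component when present and otherwise a fixed fallback, because a
// suite like OCRA-1:HOTP-SHA1-6:QH10 carries no session information at all.
function generateSessionKey(array $suiteInfo, int $fallbackBytes = 16): string
{
    $bytes = $suiteInfo['session_length'] ?? $fallbackBytes;
    return bin2hex(random_bytes($bytes));
}

// Retry until the key is not already present in the state store, mirroring the
// _uniqueSessionKey() loop from the issue; $exists is a hypothetical lookup callback.
function uniqueSessionKey(array $suiteInfo, callable $exists, string $prefix = ''): string
{
    do {
        $key = generateSessionKey($suiteInfo);
    } while ($exists($prefix . $key));
    return $key;
}

// Constructed sample run: one suite without and one with a session component.
$store  = ['session:deadbeef' => 'taken'];
$exists = function (string $k) use ($store): bool { return isset($store[$k]); };

foreach (['OCRA-1:HOTP-SHA1-6:QH10', 'OCRA-1:HOTP-SHA256-8:QA08-S064'] as $suite) {
    $info = parseOcraSuite($suite);
    $key  = uniqueSessionKey($info, $exists, 'session:');
    printf("%-32s session info: %s, key: %s\n",
        $suite,
        $info['session_length'] === null ? 'none' : $info['session_length'] . ' bytes',
        $key);
}
```

The design point is that the session key used to index server-side state is a server concern, not an OCRA data-input concern: `random_bytes()` stands in for `Tiqr_Random` here, and the only thing the suite contributes is an optional length hint, so a suite without `S` never causes an exception.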

ijansch commented 9 years ago

Hi,

Thanks, we'll investigate this. We generalized the way the keys are generated to be more pluggable. Potentially we made a mistake here by making the session key required in one of the abstractions. If so, it should be a fairly easy fix. We'll have a look at it.

Greetings, Ivo

On Fri, Dec 12, 2014 at 2:22 PM, Daisuke Miyakawa notifications@github.com wrote:

> OCRA (RFC 6287) does not require session information, while tiqr server (Tiqr/Service.php) seems to.