Closed Changaco closed 1 year ago
Thanks. The original implementation was modeled after the Java reference implementation in the RFC, which did not incorporate any constant time considerations. While I don't think it's possible to leverage this into a successful attack if the implementer follows the security guidance in the RFC and in PyOTP documentation (in particular, implements throttling), if that's not followed it may be feasible to do better-than-brute-force (though I still can't imagine building an attack from this with TOTP... maybe with HOTP if you can increment the oracle's counter at will - which implies violating other parts of the security guidance as well).
Released in v2.8.0, please test
You're right that the problem comes from the reference implementation in the RFC. I've submitted an errata: https://www.rfc-editor.org/errata/eid7271
This commit fixes the OTP.generate_otp() method to run in constant time.
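An added illustration, not code from this pull request or from PyOTP: the thread does not say which step was timing-dependent, so this assumes it is the zero-padding loop found in the RFC 4226 Java reference code, and shows that loop beside a fixed-work replacement. The function names are hypothetical, and the secret is the RFC 4226 Appendix D test secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret, used here only as sample input.
RFC4226_SECRET = b"12345678901234567890"


def _truncate(secret: bytes, counter: int) -> int:
    """RFC 4226 section 5.3 dynamic truncation to a 31-bit integer."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def hotp_loop_padding(secret: bytes, counter: int, digits: int = 6) -> str:
    """Padding in the style of the RFC's Java reference code.

    The loop runs once per missing leading zero, so the amount of work
    depends on the value of the code being generated.
    """
    code = str(_truncate(secret, counter) % 10 ** digits)
    while len(code) < digits:
        code = "0" + code
    return code


def hotp_fixed_padding(secret: bytes, counter: int, digits: int = 6) -> str:
    """Same output without the value-dependent loop.

    Adding 10**digits forces a string of exactly digits + 1 characters,
    so the final slice always does the same work.
    """
    code = _truncate(secret, counter) % 10 ** digits
    return str(10 ** digits + code)[-digits:]
```

Both functions return identical codes; only the padding step differs, which is why the change can be checked against the RFC test vectors without touching callers.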