The oath app attempts to shorten secrets (by hashing them) if they exceed a specific length.
This change adjusts the calculation so that it uses the block size of the hash algorithm to decide when to shorten the secret.
Previously, the output size was used, instead of the block size. This meant that secrets that were added to the device that exceeded the output size, but not the block size, would end up getting hashed twice.
I ran into this issue when trying to add my Amazon account. I had to manually add padding to my base32 secret, which was a bit unexpected. Once I got past that, I found that the OATH-TOTP codes were not working. After enabling trace logging, I found that my secret wasn't getting sent to (or stored on) my device, but rather the hashed version of it, even though it didn't exceed the block size. After making this change, I was able to successfully register my Amazon account and get valid TOTP codes.
nickray
commented
2 years ago
The oath app attempts to shorten secrets (by hashing them) if they exceed a specific length.
This change adjusts the calculation so that it uses the block size of the hash algorithm to decide when to shorten the secret.
Previously, the output size was used, instead of the block size. This meant that secrets that were added to the device that exceeded the output size, but not the block size, would end up getting hashed twice.
I ran into this issue when trying to add my Amazon account. I had to manually add padding to my base32 secret, which was a bit unexpected. Once I got past that, I found that the OATH-TOTP codes were not working. After enabling trace logging, I found that my secret wasn't getting sent to (or stored on) my device, but rather the hashed version of it, even though it didn't exceed the block size. After making this change, I was able to successfully register my Amazon account and get valid TOTP codes.