The new Base32 implementation doesn't accept spaces for decoding, breaking TOTP on some websites #1022
Comments
|
Hi @yan12125, there is indeed a regression that breaks compatibility with authenticator apps such as Google Authenticator. This issue is resolved in PR #1001, where a function, I agree with you in that displaying the error using a message dialog is more user friendly. |
|
@yan12125 Thanks for testing it, glad to hear it now works correctly. |
|
I'd be amazing if you could port back your fix to release/2.2.2 (without the QR code stuff). |
|
@phoerious No problem, I'll port that fix. |
|
From #keepassxc-dev of Freenode: I always build my own keepassxc version with a bunch of feature patches and bug fixes, yet I think merging this before 2.2.2 can help those who are unable to build themselves (e.g. those on Windows and don't have good network to install msys2+qt5) |
|
yup we have this marked for 2.2.2 |
|
Hello. I'll port the Base32 fixes from PR #1001 and submit a new PR. I'm planning on working on this tonight; should I base the new PR on develop instead of release/2.2.2? There's no new Base32 implementation in the current tree of release/2.2.2. |
|
See phoerious comment above, we would like your base32 implementation without the qr code in 2.2.2 (if possible) plus the fix for this issue. when we merge 2.2.2 into develop the fix will follow. |
|
Ok, thanks, I understand now. |
|
I have another problem with the new algorithm. I have a TOTP secret key with a length of 52 characters. But the new algorithm requires that the key length be a multiple of 8. 😒 if (encodedData.size() % 8 != 0)
return Optional<QByteArray>(); |
|
false alarm, I added four "equality signs" to the end of the private key, and everything works fine :) |
|
Base32/base64 require fixed-length blocks and strings of different lengths need padding. Perhaps we should pad the string to the correct length automatically to avoid confusion. |
|
@phoerious thanks for the explanation |
|
Fixed in #1069 |
Expected Behavior
For entries with TOTP secrets having spaces, they work just fine as before. For example, "jzls hdx6 fvhm yzpu c6o3 rybg 4ytt uuap" can be successfully decoded and give a 6-digit number.
(This is just a fake example. I didn't actually use this secret on any website.)
Current Behavior
The string "Invalid TOTP secret key" is copied to the clipboard after hitting Ctrl+T. If "Show TOTP" is selected, it says "Invalid TOT secret key" (a typo? :)
Possible Solution
I suggest to ignore specific characters like Google's implementation: 522e132#diff-18f0d04bfa499ef56a17c0ba1d834e78L34. I have at least 10 entries with TOTP settings, and I don't think it's a good idea to ask users to fix them one by one.
A minor point - don't place the error message to the clipboard. Show a popup instead!
Steps to Reproduce (for bugs)
Context
Quite a few websites are broken as they provide base32-encoded secrets with spaces on the webpage, like Google or BitBucket. I believe there are more such sites.
Debug Info
KeePassXC - Version 2.2.1
Revision: 14e3d9d
Libraries:
Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 4.13.4-1-ARCH
Enabled extensions:
I built keepassxc from the AUR building script with my own patch proposed at #1017 (comment)
The text was updated successfully, but these errors were encountered: