Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TOTP generation with bare secret in otp property #9847

Closed
silmaril42 opened this issue Sep 15, 2023 · 3 comments · Fixed by #9874
Closed

TOTP generation with bare secret in otp property #9847

silmaril42 opened this issue Sep 15, 2023 · 3 comments · Fixed by #9874

Comments

@silmaril42
Copy link

Summary

This is a little compatibility issue concerning TOTP handling of different KeePass clients.

Examples

The attached ZIP contains a KDBX file, which demonstrates different ways of storing TOTP configurations for default RFC 6238 cases. The DB password is HelloWorld.

There are two entries with the same TOTP secret JBSWY3DPEHPK3PXP stored in the property otp.

The first uses the format from KeePassXC: otpauth://totp/TOTP%20KeePassXC:none?secret=JBSWY3DPEHPK3PXP&period=30&digits=6&issuer=TOTP%20KeePassXC

The second one uses the format from KeeWeb: JBSWY3DPEHPK3PXP

In KeeWeb, both entries show identical (correct) TOTP values.

In KeePassXC, the simple format produces a different (wrong) TOTP value. This is exactly the same value that is produced for the third entry, which also has the otp property, but with an empty value.

Suggested solution

I think there are two things that can be done here:

  1. Don't generate TOTP at all if the secret is empty.
  2. If the otp property doesn't contain a known format (eg. the correct form of otpauth:// URL), assume the complete property value is the secret to be used with default RFC 6238 parameters.

TOTPProblem.zip
@droidmonkey
Copy link
Member

KeeWeb is abandoned fwiw

@silmaril42
Copy link
Author

That might be a reason for not putting to much work into this.

I just took a quick look into totp.cpp and found this:

 QVariant secret = Base32::decode(Base32::sanitizeInput(settings->key.toLatin1()));
    if (secret.isNull()) {
        return QObject::tr("Invalid Key", "TOTP");
    }

I guess for an empty string in settings->key this would lead to a zero-length secret?
Maybe we could extend the if condition to return "Invalid Key" for those cases, too.

My main concern is, that currently KeePassXC acts as if it was generating meaningful TOTP values, when it's acutally using an empty secret for the calculation. It's not easy for users to recognize this - which might lead to a lot of confusion (and in a case I wittnessed it led to a server being unreachable for some time because of a security mechanism that reacted to too many authentication failures).

@droidmonkey
Copy link
Member

Oh yes, there is a bug here, which is to not just generate a totp without full verification of the input.

droidmonkey added a commit that referenced this issue Sep 24, 2023
@droidmonkey
Fix multiple TOTP issues
85b8eec 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
droidmonkey added a commit that referenced this issue Sep 24, 2023
@droidmonkey
Fix multiple TOTP issues
8dea0e4 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
@droidmonkey droidmonkey mentioned this issue Sep 24, 2023
Merged
droidmonkey added a commit that referenced this issue Nov 29, 2023
@droidmonkey
Fix multiple TOTP issues
3282fd6 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
droidmonkey added a commit that referenced this issue Jan 6, 2024
@droidmonkey
Fix multiple TOTP issues
30c696c 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
droidmonkey added a commit that referenced this issue Jan 6, 2024
@droidmonkey
Fix multiple TOTP issues
9f3b4dc 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
droidmonkey added a commit that referenced this issue Jan 30, 2024
@droidmonkey
Fix multiple TOTP issues
a0af093 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
droidmonkey added a commit that referenced this issue Feb 4, 2024
@droidmonkey
Fix multiple TOTP issues
b1168d0 
* Fix #9847 - don't provide TOTP values if settings are blank or completely wrong
* Fix #6838 - don't reset the ui when creating a new entry and applying TOTP to it
* Move totp source into the core folder
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix multiple TOTP issues keepassxreboot/keepassxc
2 participants
@droidmonkey @silmaril42