RFC Errata



RFC 6287, "OCRA: OATH Challenge-Response Algorithm", June 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 5625
Status: Reported
Type: Technical

Reported By: Emanuele Giacomelli
Date Reported: 2019-02-07

Section Appendix A says:

// put selected bytes into result int
int offset = hash[hash.length - 1] & 0xf;

int binary =
  ((hash[offset] & 0x7f) << 24) |
  ((hash[offset + 1] & 0xff) << 16) |
  ((hash[offset + 2] & 0xff) << 8) |
  (hash[offset + 3] & 0xff);

int otp = binary % DIGITS_POWER[codeDigits];

result = Integer.toString(otp);
while (result.length() < codeDigits) {
  result = "0" + result;
}
return result;

It should say:

if (codeDigits > 0) {
  // put selected bytes into result int
  int offset = hash[hash.length - 1] & 0xf;

  int binary =
      ((hash[offset] & 0x7f) << 24) |
      ((hash[offset + 1] & 0xff) << 16) |
      ((hash[offset + 2] & 0xff) << 8) |
      (hash[offset + 3] & 0xff);

  int otp = binary % DIGITS_POWER[codeDigits];

  result = Integer.toString(otp);
  while (result.length() < codeDigits) {
      result = "0" + result;
  }
  return result;
} else {
  return asHex(hash);
}

Notes:

The code does not honor what the RFC says in section 5.2:

3. t=0 means that no truncation is performed and the full HMAC value
is used for authentication purposes

and still applies dynamic truncation to suites requesting "0" digits.
As a result, the computation performs a "modulo 1" operation causing
the code to always return 0 for such suites.

The proposed patch explicitly disables dynamic truncation for such suites and returns the full HMAC
encoded as a Base16 string. The "asHex" function is the same one defined in Appendix B.
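The following Python is an added worked example, not code from the RFC or from this report. It re-implements the Appendix A truncation step twice, once as published and once with the patch above, and runs both over a constructed MAC and over a real HMAC-SHA1 for a QN-only suite. The DataInput builder (ocra_message_qn) follows the Appendix A encoding for numeric questions only (suite || 0x00 || Q, with Q the decimal question written in hex and right-padded with '0' to 128 bytes); suites with counter, PIN, session or timestamp inputs are not handled. The key is the 20-byte ASCII string "12345678901234567890", used here as a constructed sample. Python's bytes.hex() yields the same lowercase Base16 as the asHex function in Appendix B.

```python
import hashlib
import hmac
import re

# DIGITS_POWER as in RFC 6287 Appendix A: 10**0 .. 10**8
DIGITS_POWER = [10 ** i for i in range(9)]


def truncate_as_published(mac: bytes, code_digits: int) -> str:
    """Truncation step as quoted from Appendix A ("Section Appendix A says").
    For code_digits == 0 this computes binary % 1, so it always returns "0"."""
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24)
              | ((mac[offset + 1] & 0xFF) << 16)
              | ((mac[offset + 2] & 0xFF) << 8)
              | (mac[offset + 3] & 0xFF))
    otp = binary % DIGITS_POWER[code_digits]
    # zfill reproduces the Java 'while (result.length() < codeDigits)' padding loop
    return str(otp).zfill(code_digits)


def truncate_as_patched(mac: bytes, code_digits: int) -> str:
    """Truncation step with the erratum's fix: t == 0 means no truncation,
    so the full HMAC is returned as a lowercase hex (Base16) string."""
    if code_digits > 0:
        return truncate_as_published(mac, code_digits)
    return mac.hex()


def ocra_message_qn(suite: str, question: str) -> bytes:
    """DataInput for suites whose only data input is a numeric question (QNxx):
    suite || 0x00 || Q, where Q is the decimal question converted to hex and
    right-padded with '0' to 256 hex characters (128 bytes), as in Appendix A."""
    q_hex = format(int(question, 10), "X").ljust(256, "0")
    return suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)


def suite_params(suite: str):
    """Return (hashlib constructor, truncation digits t) for a suite string such as
    OCRA-1:HOTP-SHA1-6:QN08. Only QN-only suites are accepted in this example."""
    m = re.fullmatch(r"OCRA-1:HOTP-(SHA1|SHA256|SHA512)-(\d):QN\d{2}", suite)
    if not m:
        raise ValueError("unsupported suite for this example: " + suite)
    return getattr(hashlib, m.group(1).lower()), int(m.group(2))


def ocra_qn(key: bytes, suite: str, question: str, patched: bool = True) -> str:
    """Compute the OCRA response for a QN-only suite, with or without the erratum's fix."""
    digestmod, t = suite_params(suite)
    mac = hmac.new(key, ocra_message_qn(suite, question), digestmod).digest()
    truncate = truncate_as_patched if patched else truncate_as_published
    return truncate(mac, t)


if __name__ == "__main__":
    # Constructed sample key: ASCII "12345678901234567890" (20 bytes)
    key = b"12345678901234567890"
    for suite in ("OCRA-1:HOTP-SHA1-6:QN08", "OCRA-1:HOTP-SHA1-0:QN08"):
        print(suite)
        print("  as published:", ocra_qn(key, suite, "00000000", patched=False))
        print("  as patched:  ", ocra_qn(key, suite, "00000000", patched=True))
```

Running this prints a six-digit response for the "-6" suite from both variants, while for the "-0" suite the published code prints "0" and the patched code prints the 40-character hex of the full HMAC-SHA1, which is the "modulo 1" behaviour the notes above describe.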
