[
https://issues.apache.org/jira/browse/DIRTSEC-4?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12498053
]
Alex Karasulu commented on DIRTSEC-4:
-------------------------------------
Javier could you supply a patch as attachment ... I will review and apply it.
Furthermore if you are interested in working on Tsec then please continue
contributing to become a committer. We could use a few good developers on this
front.
> Offset value set to 0 when extracting DBC from hmac-sha1 output
> ---------------------------------------------------------------
>
> Key: DIRTSEC-4
> URL: https://issues.apache.org/jira/browse/DIRTSEC-4
> Project: Triplesec
> Issue Type: Bug
> Environment: JavaME mobile phone platform and validation server.
> Reporter: javier tellez
>
> Hotp.java class implements RFC4226 "HOTP: An HMAC-Based One-Time Password
> Algorithm".
> In that class,
> hotp.generate(secret, counter, digits) uses
> int offset = 0;
> Section 5.4 from RFC
> "The following code example describes the extraction of a dynamic
> binary code given that hmac_result is a byte array with the HMACSHA-1 result:
> int offset = hmac_result[19] & 0xf ;
> int bin_code = (hmac_result[offset] & 0x7f) << 24
> | (hmac_result[offset+1] & 0xff) << 16
> | (hmac_result[offset+2] & 0xff) << 8
> | (hmac_result[offset+3] & 0xff)
> "
> that is, the offset is the least significant nibble from the last byte of
> hotp.stepOne() output (the 20 bytes from hmac-sha1(k,c))
> Solved by setting offset to this value
> int offset = hmac_result[19] & 0xf;
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
