This repository has been archived by the owner on Jul 2, 2022. It is now read-only.

Does tiqr server now require OCRA's session information everytime? #52

Open
dmiyakawa opened this issue Dec 12, 2014 · 1 comment
Comments

@dmiyakawa

OCRA (RFC 6287) does not require session information, while tiqr server (Tiqr/Service.php) seems to.

To be more specific, Tiqr_Service::_uniqueSessionKey() in 1.0.0 used the following code:

protected function _uniqueSessionKey($prefix)
{
    $value = 1;
    // Draw random keys until one is found that is not yet present in state storage.
    while ($value!=NULL) {
        $sessionKey = Tiqr_Random::randomHexString(self::SESSIONKEY_SIZE);
        $value = $this->_stateStorage->getValue($prefix.$sessionKey);
    }
    return $sessionKey;
}

SESSIONKEY_SIZE is irrelevant to OCRA, so this is fine.

On the other hand, the current master's equivalent is as follows:

protected function _uniqueSessionKey($prefix)
{
    $value = 1;
    // Same loop, but the key is now produced by the OCRA wrapper, i.e. sized from the OCRA suite.
    while ($value!=NULL) {
        $sessionKey = $this->_ocraWrapper->generateSessionKey();
        $value = $this->_stateStorage->getValue($prefix.$sessionKey);
    }
    return $sessionKey;
}

Now generateSessionKey() throws an exception when session information is not embedded in an OCRA suite. I'm using "OCRA-1:HOTP-SHA1-6:QH10" for an example suite.

OCRAParser and OCRAWrapper seem fine. The following PHP script works without any exception.

<?php
require_once("Tiqr/OATH/OCRAWrapper.php");
// A suite without an S (session information) element.
$suite = 'OCRA-1:HOTP-SHA1-6:QH10';
$ocraParser = new OATH_OCRAParser($suite);
echo "challenge: " . $ocraParser->generateChallenge() . "\n";
$ocraWrapper = new Tiqr_OCRAWrapper($suite);
echo "challenge: " . $ocraWrapper->generateChallenge() . "\n";

Here is an example result:

$ php test.php
challenge: c32bfb0b1d
challenge: e4ca828e2f

I'm very new to OCRA and tiqr, so correct me if I'm wrong.

@ijansch
Contributor

ijansch commented Dec 12, 2014

Hi,

Thanks, we'll investigate this. We generalized the way the keys are generated to be more pluggable. Potentially we made a mistake here by making the session key required in one of the abstractions. If so, it should be a fairly easy fix. We'll have a look at it.

Greetings,
Ivo

