[pve-devel] [PATCH access-control] fix #1062: use correct length for base32 keys

Wed Jul 20 15:27:50 CEST 2016

applied

On Wed, Jul 20, 2016 at 01:31:33PM +0200, Dominik Csapak wrote:
> we wrongly assumed the keys to be 32 chars long,
> instead of 16
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  PVE/AccessControl.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 0af92d7..0b64374 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -1299,7 +1299,7 @@ sub oath_verify_otp {
>      foreach my $k (PVE::Tools::split_list($keys)) {
>  	# Note: we generate 3 values to allow small time drift
>  	my $binkey;
> -	if ($k =~ /^[A-Z2-7=]{32}$/) {
> +	if ($k =~ /^[A-Z2-7=]{16}$/) {
>  	    $binkey = MIME::Base32::decode_rfc3548($k);
>  	} elsif ($k =~ /^[A-Fa-f0-9]{40}$/) {
>  	    $binkey = pack('H*', $k);
> -- 
> 2.1.4