OTP slot names with 15 < length <= 30 are truncated without warning #196
Comments
|
Example code: #include <stdio.h>
#include <stdlib.h>
#include "../NK_C_API.h"
int main(void)
{
if (NK_login_auto() != 1) {
fprintf(stderr, "No Nitrokey device found.\n");
return 1;
}
int result = NK_first_authenticate("12345678", "temppw");
if (result) {
fprintf(stderr, "Authentication failed: %x\n", result);
return 1;
}
result = NK_write_totp_slot(0, "12345678901234567890", "deadbeef",
30, false, false, false, "", "temppw");
if (result) {
fprintf(stderr, "Writing OTP slot failed: %x\n", result);
return 1;
}
char *name = NK_get_totp_slot_name(0);
if (!name) {
fprintf(stderr, "Querying OTP slot failed: %x\n",
NK_get_last_command_status());
return 1;
}
printf("Slot name: %s\n", name);
free(name);
result = NK_write_totp_slot(0,
"12345678901234567890123456789012345678901234567890",
"deadbeef", 30, false, false, false, "", "temppw");
if (result) {
fprintf(stderr, "Writing OTP slot failed: %x\n", result);
return 1;
}
NK_logout();
return 0;
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The OTP slot name is sent to the device using the
SendOTPDatacommand which can store 30 bytes of data. Yet the firmware only stores the first 15 bytes of the slot name.For slot names with more than 30 bytes, libnitrokey will raise a
TooLongStringExceptioninstrcpyTcalled here. For slot names with more than 15 but less than or exactly 30 bytes, libnitrokey will not raise an error and just send the full data to the device which will then truncate the slot name.In my opinion, libnitrokey should check the slot name length and raise a
TooLongStringExceptionif the slot name is too long.The text was updated successfully, but these errors were encountered: