FreeRadius TOTP authenticate fail passcode validation

Alan DeKok aland at deployingradius.com
Fri Jun 23 12:47:24 UTC 2023


On Jun 23, 2023, at 7:32 AM, João Miguel Regateiro <jmregateiro at gmail.com> wrote:
> Thanks for the previous response. Now I came across two different
> problems, the first is with building the rlm_totp module and the second is
> during decoding the totp secret.
> 
> I was able to get the correct totp and authenticate successfully even
> though the make totp returned some errors. The passcode was indeed
> incorrect because the module was generating the totp based on the system
> time. I changed the mods-available/date and set utc=yes and that fixed the
> problem (that was a misconfiguration on Universal Time vs System Time).

  I'm not sure how that fixes the problem.  The date module and the totp module are completely independent.  Setting "utc=yes" in the date module just changes the configuration for the date module.

> I tried to build the rlm_totp (make totp) and got the following errors on
> undefined references ("fr_hmac_sha1" and "fr_digest_cmp"):
> ,,,
> At top level:
> rlm_totp.c:50:32: warning: ‘method_env’ defined but not used [-Wunused-const-variable=]
>   50 | static const call_method_env_t method_env = {
>      |                                ^~~~~~~~~~

  You're building from the "master" branch.   Use the v3.2.x branch.

> In the last email I was using a standard shared secret just for testing
> purposes but my TOTP generator creates a 56 characters secret so I am using
> that and getting this message - “totp: TOTP-Secret cannot be decoded”. I’ve
> tried smaller secrets and it is always able to decode the secret which made
> me wonder if you have any restrictions on the secret length?

  The source code is available...

  There is no limit on the TOTP secret.  If it says "cannot be decoded", then it's because the base32 decode fails.

  You should put the decoded key into TOTP-Key, and the base32 secret into TOTP-Secret.  If you mix that up, then that could explain the issue.

  Alan DeKok.
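
Added example (not part of the original message, and not FreeRADIUS code): a Python check that a value intended for TOTP-Secret is valid RFC 4648 base32, decodes it to the raw key bytes (the form that belongs in TOTP-Key), and computes the RFC 6238 HMAC-SHA1 code from Unix time. The function names and sample secrets are constructed for illustration, and the strict uppercase alphabet check is an assumption, not a statement of what rlm_totp accepts.

```python
import base64
import binascii
import hashlib
import hmac
import struct

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")  # RFC 4648 base32

def decode_totp_secret(secret: str) -> bytes:
    """Return the raw key bytes for a base32 secret, or raise ValueError saying why not."""
    s = secret.strip().rstrip("=")
    if not s:
        raise ValueError("empty secret")
    bad = sorted(set(s) - B32_ALPHABET)
    if bad:
        raise ValueError(f"not base32, unexpected characters: {''.join(bad)}")
    if len(s) % 8 in (1, 3, 6):
        raise ValueError(f"{len(s)} characters cannot encode whole bytes")
    try:
        return base64.b32decode(s + "=" * (-len(s) % 8))
    except binascii.Error as exc:
        raise ValueError(str(exc)) from exc

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1; unix_time is seconds since the epoch (time zone independent)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample values, not taken from the thread.
SAMPLES = {
    "rfc6238 test key": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "56 chars, valid base32": "MFRGGZDF" * 7,
    "56 chars, hex digits": "0123456789abcdef" * 3 + "01234567",
}

if __name__ == "__main__":
    import time
    for label, secret in SAMPLES.items():
        try:
            key = decode_totp_secret(secret)
            print(f"{label}: {len(key)}-byte key, code now {totp(key, int(time.time()))}")
        except ValueError as err:
            print(f"{label}: cannot be decoded ({err})")
```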


