123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 |
- /**
- * Copyright 2014 Paul Querna
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
- package hotp
- import (
- "github.com/pquerna/otp"
- "crypto/hmac"
- "crypto/rand"
- "crypto/subtle"
- "encoding/base32"
- "encoding/binary"
- "fmt"
- "math"
- "net/url"
- "strings"
- )
- const debug = false
- // Validate a HOTP passcode given a counter and secret.
- // This is a shortcut for ValidateCustom, with parameters that
- // are compataible with Google-Authenticator.
- func Validate(passcode string, counter uint64, secret string) bool {
- rv, _ := ValidateCustom(
- passcode,
- counter,
- secret,
- ValidateOpts{
- Digits: otp.DigitsSix,
- Algorithm: otp.AlgorithmSHA1,
- },
- )
- return rv
- }
- // ValidateOpts provides options for ValidateCustom().
- type ValidateOpts struct {
- // Digits as part of the input. Defaults to 6.
- Digits otp.Digits
- // Algorithm to use for HMAC. Defaults to SHA1.
- Algorithm otp.Algorithm
- }
- // GenerateCode creates a HOTP passcode given a counter and secret.
- // This is a shortcut for GenerateCodeCustom, with parameters that
- // are compataible with Google-Authenticator.
- func GenerateCode(secret string, counter uint64) (string, error) {
- return GenerateCodeCustom(secret, counter, ValidateOpts{
- Digits: otp.DigitsSix,
- Algorithm: otp.AlgorithmSHA1,
- })
- }
- // GenerateCodeCustom uses a counter and secret value and options struct to
- // create a passcode.
- func GenerateCodeCustom(secret string, counter uint64, opts ValidateOpts) (passcode string, err error) {
- // As noted in issue #10 this adds support for TOTP secrets that are
- // missing their padding.
- if n := len(secret) % 8; n != 0 {
- secret = secret + strings.Repeat("=", 8-n)
- }
- secretBytes, err := base32.StdEncoding.DecodeString(secret)
- if err != nil {
- return "", otp.ErrValidateSecretInvalidBase32
- }
- buf := make([]byte, 8)
- mac := hmac.New(opts.Algorithm.Hash, secretBytes)
- binary.BigEndian.PutUint64(buf, counter)
- if debug {
- fmt.Printf("counter=%v\n", counter)
- fmt.Printf("buf=%v\n", buf)
- }
- mac.Write(buf)
- sum := mac.Sum(nil)
- // "Dynamic truncation" in RFC 4226
- // http://tools.ietf.org/html/rfc4226#section-5.4
- offset := sum[len(sum)-1] & 0xf
- value := int64(((int(sum[offset]) & 0x7f) << 24) |
- ((int(sum[offset+1] & 0xff)) << 16) |
- ((int(sum[offset+2] & 0xff)) << 8) |
- (int(sum[offset+3]) & 0xff))
- l := opts.Digits.Length()
- mod := int32(value % int64(math.Pow10(l)))
- if debug {
- fmt.Printf("offset=%v\n", offset)
- fmt.Printf("value=%v\n", value)
- fmt.Printf("mod'ed=%v\n", mod)
- }
- return opts.Digits.Format(mod), nil
- }
- // ValidateCustom validates an HOTP with customizable options. Most users should
- // use Validate().
- func ValidateCustom(passcode string, counter uint64, secret string, opts ValidateOpts) (bool, error) {
- passcode = strings.TrimSpace(passcode)
- if len(passcode) != opts.Digits.Length() {
- return false, otp.ErrValidateInputInvalidLength
- }
- otpstr, err := GenerateCodeCustom(secret, counter, opts)
- if err != nil {
- return false, err
- }
- if subtle.ConstantTimeCompare([]byte(otpstr), []byte(passcode)) == 1 {
- return true, nil
- }
- return false, nil
- }
- // GenerateOpts provides options for .Generate()
- type GenerateOpts struct {
- // Name of the issuing Organization/Company.
- Issuer string
- // Name of the User's Account (eg, email address)
- AccountName string
- // Size in size of the generated Secret. Defaults to 10 bytes.
- SecretSize uint
- // Digits to request. Defaults to 6.
- Digits otp.Digits
- // Algorithm to use for HMAC. Defaults to SHA1.
- Algorithm otp.Algorithm
- }
- // Generate creates a new HOTP Key.
- func Generate(opts GenerateOpts) (*otp.Key, error) {
- // url encode the Issuer/AccountName
- if opts.Issuer == "" {
- return nil, otp.ErrGenerateMissingIssuer
- }
- if opts.AccountName == "" {
- return nil, otp.ErrGenerateMissingAccountName
- }
- if opts.SecretSize == 0 {
- opts.SecretSize = 10
- }
- // otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
- v := url.Values{}
- secret := make([]byte, opts.SecretSize)
- _, err := rand.Read(secret)
- if err != nil {
- return nil, err
- }
- v.Set("secret", base32.StdEncoding.EncodeToString(secret))
- v.Set("issuer", opts.Issuer)
- v.Set("algorithm", opts.Algorithm.String())
- v.Set("digits", opts.Digits.String())
- u := url.URL{
- Scheme: "otpauth",
- Host: "hotp",
- Path: "/" + opts.Issuer + ":" + opts.AccountName,
- RawQuery: v.Encode(),
- }
- return otp.NewKeyFromURL(u.String())
- }
|