two-factor
two-factor copied to clipboard
Full RFC6238 Compatibility
The full TOTP specification supports not only SHA1, but also SHA256 and SHA512. Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.
This is due to key lengths and hash lengths being different for the three hash variants.
This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.
See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the MAY USE
notation for SHA256 and SHA512.
See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.
See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.
See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.
This looks good to me @ericmann! Could we include some tests for this since you already have them in the upstream repo.
Good catch on the try
/catch
. I'll get that updated and pull in some tests soon, then we can move forward.
@kasparsd Feedback addressed, and I pulled in the reference tests from the RFC spec.
Kind of frustrating to try to work around time()
without namespaces, but I think this'll do it :-)
Access
@kasparsd any thoughts on a review of this PR and whether it's ready for consideration in v0.8.0?
Looks like Travis is no longer running the unit tests for this repo so I've created #405 to address it. Solving that first will allow us to ensure this change hasn't introduced a regression.
Per yesterday's bug scrub, we're punting this to a future release to allow for narrow focus on the U2F deprecation work in 0.8.0.