Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Full RFC6238 Compatibility #207

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Full RFC6238 Compatibility #207

wants to merge 8 commits into from

Conversation

ericmann
Copy link
Collaborator

The full TOTP specification supports not only SHA1, but also SHA256 and SHA512. Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.

This is due to key lengths and hash lengths being different for the three hash variants.

This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.

See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the MAY USE notation for SHA256 and SHA512.

See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.

See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.

See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.

Full RFC6238 Compatibility
8374292 
The full TOTP specification supports not only SHA1, but also SHA256 and SHA512. Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.

This is due to key lengths and hash lengths being _different_ for the three hash variants.

This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.

See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the `MAY USE` notation for SHA256 and SHA512.

See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.

See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.

See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.
@kasparsd
Copy link
Collaborator

This looks good to me @ericmann! Could we include some tests for this since you already have them in the upstream repo.

@ericmann
Copy link
Collaborator Author

ericmann commented Mar 1, 2018

Good catch on the try/catch. I'll get that updated and pull in some tests soon, then we can move forward.

@ericmann
Copy link
Collaborator Author

ericmann commented Mar 2, 2018

@kasparsd Feedback addressed, and I pulled in the reference tests from the RFC spec.

Kind of frustrating to try to work around time() without namespaces, but I think this'll do it :-)

@karimqub
Copy link

karimqub commented Nov 6, 2018

Access

@jeffpaul jeffpaul requested a review from kasparsd April 9, 2021 20:27
@jeffpaul jeffpaul added this to the 0.8.0 milestone Apr 9, 2021
@jeffpaul
Copy link
Member

@kasparsd any thoughts on a review of this PR and whether it's ready for consideration in v0.8.0?

@jeffpaul jeffpaul requested a review from kasparsd May 18, 2021 19:16
kasparsd
kasparsd approved these changes May 18, 2021
View reviewed changes
Copy link
Collaborator

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Thanks so much @ericmann!

@kasparsd
Copy link
Collaborator

Looks like Travis is no longer running the unit tests for this repo so I've created #405 to address it. Solving that first will allow us to ensure this change hasn't introduced a regression.

@jeffpaul
Copy link
Member

Per yesterday's bug scrub, we're punting this to a future release to allow for narrow focus on the U2F deprecation work in 0.8.0.

@jeffpaul jeffpaul modified the milestones: 0.8.0, Future Release Mar 24, 2022
@jeffpaul jeffpaul removed the request for review from georgestephanis March 24, 2022 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kasparsd kasparsd kasparsd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Future Release
Development

Successfully merging this pull request may close these issues.
4 participants
@ericmann @kasparsd @karimqub @jeffpaul