Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Full RFC6238 Compatibility #207

Closed
wants to merge 175 commits into from
Closed

Conversation

ericmann
Copy link
Collaborator

The full TOTP specification supports not only SHA1, but also SHA256 and SHA512. Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.

This is due to key lengths and hash lengths being different for the three hash variants.

This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.

See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the MAY USE notation for SHA256 and SHA512.

See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.

See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.

See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.

@kasparsd
Copy link
Collaborator

This looks good to me @ericmann! Could we include some tests for this since you already have them in the upstream repo.

@ericmann
Copy link
Collaborator Author

ericmann commented Mar 1, 2018

Good catch on the try/catch. I'll get that updated and pull in some tests soon, then we can move forward.

@ericmann ericmann force-pushed the totp-parity branch 2 times, most recently from 66a80c0 to 9c7d057 Compare March 2, 2018 05:24
@ericmann
Copy link
Collaborator Author

ericmann commented Mar 2, 2018

@kasparsd Feedback addressed, and I pulled in the reference tests from the RFC spec.

Kind of frustrating to try to work around time() without namespaces, but I think this'll do it :-)

@karimqub
Copy link

karimqub commented Nov 6, 2018

Access

@jeffpaul jeffpaul requested a review from kasparsd April 9, 2021 20:27
@jeffpaul jeffpaul added this to the 0.8.0 milestone Apr 9, 2021
@jeffpaul
Copy link
Member

@kasparsd any thoughts on a review of this PR and whether it's ready for consideration in v0.8.0?

providers/class-two-factor-totp.php Outdated Show resolved Hide resolved
providers/class-two-factor-totp.php Outdated Show resolved Hide resolved
@jeffpaul jeffpaul requested a review from kasparsd May 18, 2021 19:16
Copy link
Collaborator

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Thanks so much @ericmann!

@kasparsd
Copy link
Collaborator

Looks like Travis is no longer running the unit tests for this repo so I've created #405 to address it. Solving that first will allow us to ensure this change hasn't introduced a regression.

@jeffpaul
Copy link
Member

Per yesterday's bug scrub, we're punting this to a future release to allow for narrow focus on the U2F deprecation work in 0.8.0.

@jeffpaul jeffpaul modified the milestones: 0.8.0, Future Release Mar 24, 2022
@jeffpaul jeffpaul removed the request for review from georgestephanis March 24, 2022 18:30
iandunn and others added 11 commits February 8, 2023 09:37
New tests were added for `rest_delete_totp` in WordPress#504 which cover the same functionality.

`generate_qr_code_url` was also refactored there, but a test wasn't included.
The internal function accepts a param for flexibility, but currently there's no use case for letting the user choose how many they want.
* Add a rate limit between two-factor login attempts.
* Add a warning upon login that the user previously failed to complete the two-factor prompt.
Co-authored-by: Ian Dunn <[email protected]>
TOTP: Prevent re-use of TOTP tokens, and prevent a previously-generated token being valid if a newer token is used to login.

Co-authored-by: Ian Dunn <[email protected]>
Previously the missing token wasn't tested for, and the FUT was passed an invalid data type for the user.
…Press#519)

* Include whitespace between the leading text and the code input.
* Switch from using <br> to using CSS.
* Add unit tests for Two_Factor_Provider::get_code().
* Add a test that validates an array of characters results in the correct character output
* Explicitly check the length of the generated codes, and add a test for a string input of valid characters.

---------

Co-authored-by: Ian Dunn <[email protected]>
This makes it convenient to check coverage locally, instead of having to go to Coveralls.
kasparsd and others added 19 commits September 19, 2024 10:20
Update screenshots to match the current UI
Collect all warnings into same place
Bumps [symfony/process](https://github.com/symfony/process) from 5.4.40 to 5.4.46.
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/7.1/CHANGELOG.md)
- [Commits](symfony/process@v5.4.40...v5.4.46)

---
updated-dependencies:
- dependency-name: symfony/process
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…ymfony/process-5.4.46

Bump symfony/process from 5.4.40 to 5.4.46
@jeffpaul
Copy link
Member

jeffpaul commented Dec 3, 2024

@kasparsd seems like resolving merge conflicts here, checking that tests pass, could get this into the 0.11.0 release perhaps?

The full TOTP specification supports not only SHA1, but also SHA256 and SHA512. Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.

This is due to key lengths and hash lengths being _different_ for the three hash variants.

This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.

See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the `MAY USE` notation for SHA256 and SHA512.

See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.

See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.

See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.
According to the linter:

> Method name "Two_Factor_Totp::__set_time" is discouraged; PHP has reserved all method names with a double underscore prefix for future use.

Rename the function to make the linter happy.
@ericmann
Copy link
Collaborator Author

ericmann commented Dec 3, 2024

I have no idea why GH thinks I'm asking to merge so much - it's literally just the last 3 commits and they're rebased atop master already. A direct comparison of the same contribution shows the changes: https://github.com/WordPress/two-factor/compare/master...ericmann:two-factor:totp-parity?expand=1

@jeffpaul
Copy link
Member

jeffpaul commented Dec 3, 2024

@ericmann maybe an oddity with you originally pushing from a fork? perhaps a new PR that cherrypicks those last 3 commits will show "better" on GitHub?

@ericmann
Copy link
Collaborator Author

ericmann commented Dec 3, 2024

Closing this to fix the GH display oddity.

@ericmann ericmann closed this Dec 3, 2024
@jeffpaul jeffpaul removed this from the Future Release milestone Dec 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.