Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Full RFC6238 Compatibility #656

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Conversation

ericmann
Copy link
Collaborator

@ericmann ericmann commented Dec 3, 2024

What?

Adds support for SHA256 and SHA512 hashes for the underlying TOTP algorithm to fully support the RFC6238 spec.

Replaces #207 for a cleaner GH expereince.

Why?

Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.

This is due to key lengths and hash lengths being different for the three hash variants.

How?

This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.

See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the MAY USE notation for SHA256 and SHA512.

See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.

Testing Instructions

See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.

See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.

Changelog Entry

Added support for SHA256 and SHA512 hashing within TOTP calculation/verification.

The full TOTP specification supports not only SHA1, but also SHA256 and SHA512. Up til now, the TOTP provider in this plugin (and most other PHP implementations) claims to support a specified hash type, but doesn't actually work with anything other than SHA1.

This is due to key lengths and hash lengths being _different_ for the three hash variants.

This change introcudes support for both SHA256 and SHA512, porting the implementation directly from https://github.com/ericmann/totp.

See https://tools.ietf.org/html/rfc6238#section-1.2 for more information on the `MAY USE` notation for SHA256 and SHA512.

See https://tools.ietf.org/html/rfc6238#appendix-A for a fully compliant reference implementation in Java.

See https://tools.ietf.org/html/rfc6238#appendix-B for test vectors showing TOTPs generated for specific time values and the three hash variants.

See https://github.com/ericmann/totp/blob/master/test/phpunit/ReferenceTest.php for example unit tests verifying this particular implementation before it was ported to the plugin.
According to the linter:

> Method name "Two_Factor_Totp::__set_time" is discouraged; PHP has reserved all method names with a double underscore prefix for future use.

Rename the function to make the linter happy.
@ericmann ericmann added the TOTP Time-based One-time Passwords label Dec 3, 2024
@ericmann ericmann added this to the 0.11.0 milestone Dec 3, 2024
@ericmann ericmann self-assigned this Dec 3, 2024
@jeffpaul jeffpaul requested a review from kasparsd December 3, 2024 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
TOTP Time-based One-time Passwords
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant