authorChristian Riesen <chris.riesen@gmail.com>2017-03-16 16:46:10 +0100
committerGitHub <noreply@github.com>2017-03-16 16:46:10 +0100
commitf29c9eb9f9a7117a9e9912dac2f474120061260d (patch)
treeec9bb9249ab8e40ec76764f7b1b1835cb73f2873
parent83f941e1ad6f7a2ff318e30cbf5b3219e63a9a62 (diff)
parent34bcbead1414383a0f2fc98fabf98acd2b9a3ae8 (diff)
Merge pull request #18 from fkooman/random_compat (HEAD, 2.4.0, origin/master, origin/HEAD, master)
use paragonie/random_compat
-rw-r--r--README.md14
-rw-r--r--composer.json6
-rw-r--r--example/index.php6
-rw-r--r--src/GoogleAuthenticator.php32
4 files changed, 14 insertions, 44 deletions
diff --git a/README.md b/README.md
index d724f64..4f02bf3 100644
--- a/README.md
+++ b/README.md
@@ -26,9 +26,7 @@ Usage
use Otp\Otp;
use Otp\GoogleAuthenticator;
-
-// Seperate class, see https://github.com/ChristianRiesen/base32, requirement for this one
-use Base32\Base32;
+use ParagonIE\ConstantTime\Encoding;
// Get a Pseudo Secret
// Defaults to 16 characters
@@ -48,7 +46,7 @@ $otp = new Otp();
// Assuming this is present and sanitized
// Allows for a 1 code time drift by default
// Third parameter can alter that behavior
-if ($otp->checkTotp(Base32::decode($secret), $key)) {
+if ($otp->checkTotp(Encoding::base32Decode($secret), $key)) {
// Correct key
// IMPORTANT! Note this key as being used
// so nobody could launch a replay attack.
@@ -59,7 +57,7 @@ if ($otp->checkTotp(Base32::decode($secret), $key)) {
}
// Just to create a key for display (testing)
-$key = $otp->totp(Base32::decode($secret));
+$key = $otp->totp(Encoding::base32Decode($secret));
```
@@ -75,9 +73,7 @@ Class GoogleAuthenticator
Static function class to generate a correct url for the QR code, so you can easy scan it with your device. Google Authenticator is avaiaible as application for iPhone and Android. This removes the burden to create such an app from the developers of websites by using this set of classes.
-There are also older open source versions of the Google Authenticator app for both [iPhone](https://github.com/google/google-authenticator) and [Android](https://github.com/google/google-authenticator-android)
-
-This helper class uses the random_int function from PHP7, or the polyfill method from [paragonie/random_compat](https://packagist.org/packages/paragonie/random_compat) if present and falls back on other (less "secure") random generators.
+There are also older open source versions of the Google Authenticator app for both [iPhone](https://github.com/google/google-authenticator) and [Android](https://github.com/google/google-authenticator-android).
About
=====
@@ -87,7 +83,7 @@ Requirements
PHP 5.4.x+
-Uses [Base32 class](https://github.com/ChristianRiesen/base32).
+Uses [paragonie/random_compat](https://github.com/paragonie/random_compat) and [paragonie/constant_time_encoding](https://github.com/paragonie/constant_time_encoding).
If you want to run the tests, PHPUnit 3.6 or up is required.
diff --git a/composer.json b/composer.json
index e434580..b3e78c3 100644
--- a/composer.json
+++ b/composer.json
@@ -15,7 +15,8 @@
],
"require": {
"php": ">=5.4.0",
- "christian-riesen/base32": "^1.0"
+ "paragonie/constant_time_encoding": "^1|^2",
+ "paragonie/random_compat": "^1|^2"
},
"require-dev": {
"phpunit/phpunit": "^4.8"
@@ -30,9 +31,6 @@
"Otp\\Tests\\": "tests/"
}
},
- "suggest": {
- "paragonie/random_compat": "Optional polyfill for a more secure random generator for pre PHP7 versions"
- },
"extra": {
"branch-alias": {
"dev-master": "2.x-dev"
diff --git a/example/index.php b/example/index.php
index 4da362c..e5e9b7f 100644
--- a/example/index.php
+++ b/example/index.php
@@ -6,7 +6,7 @@ require_once __DIR__ . '/../vendor/autoload.php';
use Otp\Otp;
use Otp\GoogleAuthenticator;
-use Base32\Base32;
+use ParagonIE\ConstantTime\Encoding;
// Getting a secret, either by generating or from storage
// DON'T use sessions as storage for this in production!!!
@@ -25,7 +25,7 @@ if (strlen($secret) != 16) {
// To use it in totp though we need to decode it into the original
$otp = new Otp();
-$currentTotp = $otp->totp(Base32::decode($secret));
+$currentTotp = $otp->totp(Encoding::base32DecodeUpper($secret));
$qrCode = GoogleAuthenticator::getQrCodeUrl('totp', 'otpsample@cr', $secret);
$keyUri = GoogleAuthenticator::getKeyUri('totp', 'otpsample@cr', $secret);
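Review bot: The new line here decodes the secret with `Encoding::base32DecodeUpper()`, while the README hunk in the same commit shows the identical call written as `Encoding::base32Decode()`; in paragonie/constant_time_encoding those two variants differ in the alphabet case they accept, so they are not interchangeable, and whichever one does not match the secret's case will reject or mis-decode it. The secrets this library produces are indexed from `$keys` in src/GoogleAuthenticator.php and the example compares their length to 16 just above, which suggests the uppercase RFC 4648 alphabet that Google Authenticator expects, so `base32DecodeUpper` is presumably the right one and the README should be brought in line with it. A comment above the call would stop the next reader from "simplifying" it back: `// Secrets are uppercase base32 (the alphabet Google Authenticator expects); use the *Upper variant, base32Decode() expects lowercase`. This hunk sits in the example's top-level script and the `if (strlen($secret) != 16)` block it follows starts before the hunk.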
@@ -79,7 +79,7 @@ if (isset($_POST['otpkey'])) {
if (strlen($key) == 6) {
// Remember that the secret is a base32 string that needs decoding
// to use it here!
- if ($otp->checkTotp(Base32::decode($secret), $key)) {
+ if ($otp->checkTotp(Encoding::base32DecodeUpper($secret), $key)) {
echo 'Key correct!';
// Add here something that makes note of this key and will not allow
// the use of it, for this user for the next 2 minutes. This way you
diff --git a/src/GoogleAuthenticator.php b/src/GoogleAuthenticator.php
index 0925510..48b0a6f 100644
--- a/src/GoogleAuthenticator.php
+++ b/src/GoogleAuthenticator.php
@@ -2,6 +2,8 @@
namespace Otp;
+use ParagonIE\ConstantTime\Encoding;
+
/**
* Google Authenticator
*
@@ -161,7 +163,7 @@ class GoogleAuthenticator
$string = '';
for ($i = 0; $i < $length; $i++) {
- $string .= $keys[self::getRand()];
+ $string .= $keys[random_int(0, 31)];
}
return $string;
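Review bot: The upper bound in `$keys[random_int(0, 31)]` is a second copy of the alphabet size; `$keys` is defined above this hunk, so if it is the 32-character base32 alphabet the value is correct today, but nothing ties the two together. Deriving the bound from the string keeps them in sync and documents the intent: `$string .= $keys[random_int(0, strlen($keys) - 1)];`. Note also that `random_int()` throws on entropy failure (an `Exception` from the polyfill or PHP 7 core), which the removed `getRand()` never did — failing closed is the right choice for a shared secret, but the method's docblock, which starts before the hunk, should say so with `@throws \Exception if no secure randomness source is available`. The enclosing method begins outside the hunk.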
@@ -187,7 +189,7 @@ class GoogleAuthenticator
// Generate codes
$code = '';
for ($i = 1; $i <= $length; $i++) {
- $code .= self::getRand(9);
+ $code .= random_int(0, 9);
}
// To make sure no duplicates get in
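Review bot: `random_int(0, 9)` on the new line can throw when the system cannot supply secure randomness — the polyfill and PHP 7 core raise an `Exception` (PHP 8.2+ a `Random\RandomException`) — whereas the old `getRand()` silently fell back to `openssl_random_pseudo_bytes()` and then `mt_rand()`, so callers that wrap this code generation may now see an exception they did not before. That is the correct behaviour for recovery codes (a weak fallback is worse than an error), but it is an API change that should be declared in the method's docblock, which begins outside the hunk: `@throws \Exception if no cryptographically secure random source is available`. Hunk and enclosing method both continue outside what is shown.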
@@ -198,30 +200,4 @@ class GoogleAuthenticator
return $codes;
}
-
- /**
- * Get random number
- *
- * @return integer Random number between 0 and 31 (including)
- */
- private static function getRand($max = 31)
- {
- if (function_exists('random_int')) {
- // Uses either the PHP7 internal function or the polyfill if present
- return random_int(0, $max);
- } elseif (function_exists('openssl_random_pseudo_bytes')) {
- // For those not wanting either PHP7 or the polyfill, this works well enough
- $bytes = openssl_random_pseudo_bytes(2);
- $number = hexdec(bin2hex($bytes));
-
- if ($number > $max) {
- $number = $number % ($max + 1);
- }
-
- return $number;
- } else {
- // And last case, this does the trick too
- return mt_rand(0, $max);
- }
- }
}