-
Notifications
You must be signed in to change notification settings - Fork 18
/
totp.php
86 lines (70 loc) · 3.07 KB
/
totp.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
<?php
/*
TOTP v0.3.0 - a simple TOTP (RFC 6238) class
(c) 2014 Robin Leffmann <djinn at stolendata dot net>
https://github.com/stolendata/totp/
Licensed under CC BY-NC-SA 4.0 - http://creativecommons.org/licenses/by-nc-sa/4.0/
*/
class TOTP
{
private static $base32Map = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
private static function base32Decode( $in )
{
$l = strlen( $in );
$n = $bs = 0;
for( $i = 0; $i < $l; $i++ )
{
$n <<= 5;
$n += stripos( self::$base32Map, $in[$i] );
$bs = ( $bs + 5 ) % 8;
@$out .= $bs < 5 ? chr( ($n & (255 << $bs)) >> $bs ) : null;
}
return $out;
}
public static function getOTP( $secret, $digits = 6, $period = 30, $offset = 0, $algo = 'sha1' )
{
if( strlen($secret) < 16 || strlen($secret) % 8 != 0 )
return [ 'err'=>'length of secret must be a multiple of 8, and at least 16 characters' ];
if( preg_match('/[^a-z2-7]/i', $secret) === 1 )
return [ 'err'=>'secret contains non-base32 characters' ];
$digits = intval( $digits );
if( $digits < 6 || $digits > 8 )
return [ 'err'=>'digits must be 6, 7 or 8' ];
if( in_array(strtolower($algo), ['sha1', 'sha256', 'sha512']) === false )
return [ 'err'=>'algo must be SHA1, SHA256 or SHA512' ];
$seed = self::base32Decode( $secret );
$time = str_pad( pack('N', intval($offset + time() / $period)), 8, "\x00", STR_PAD_LEFT );
$hash = hash_hmac( strtolower($algo), $time, $seed, false );
$otp = ( hexdec(substr($hash, hexdec($hash[-1]) * 2, 8)) & 0x7fffffff ) % pow( 10, $digits );
return [ 'otp'=>sprintf("%'0{$digits}u", $otp) ];
}
public static function genSecret( $length = 24 )
{
if( $length < 16 || $length % 8 !== 0 )
return [ 'err'=>'length must be a multiple of 8, and at least 16' ];
while( $length-- )
{
$c = @gettimeofday()['usec'] % 53;
while( $c-- )
mt_rand();
@$secret .= self::$base32Map[mt_rand(0, 31)];
}
return [ 'secret'=>$secret ];
}
public static function genURI( $account, $secret, $digits = null, $period = null, $issuer = null, $algo = null )
{
if( empty($account) || empty($secret) )
return [ 'err'=>'you must provide at least an account and a secret' ];
if( mb_strpos($account . $issuer, ':') !== false )
return [ 'err'=>'neither account nor issuer can contain a colon (:) character' ];
$account = rawurlencode( $account );
$issuer = rawurlencode( $issuer );
$label = empty( $issuer ) ? $account : "$issuer:$account";
return [ 'uri'=>'otpauth://totp/' . $label . "?secret=$secret" .
(is_null($algo) ? '' : "&algorithm=$algo") .
(is_null($digits) ? '' : "&digits=$digits") .
(is_null($period) ? '' : "&period=$period") .
(empty($issuer) ? '' : "&issuer=$issuer") ];
}
}
?>