rotp 4.0.0 → 6.3.0

data/lib/rotp/base32.rb

@@ -1,50 +1,76 @@
+require 'securerandom'
+
 module ROTP
   class Base32
     class Base32Error < RuntimeError; end
-    CHARS = "abcdefghijklmnopqrstuvwxyz234567".each_char.to_a
+    CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.each_char.to_a
+    SHIFT = 5
+    MASK = 31
 
     class << self
+
       def decode(str)
-        str = str.tr('=','')
-        output = []
-        str.scan(/.{1,8}/).each do |block|
-          char_array = decode_block(block).map{|c| c.chr}
-          output << char_array
+        buffer = 0
+        idx = 0
+        bits_left = 0
+        str = str.tr('=', '').upcase
+        result = []
+        str.split('').each do |char|
+          buffer = buffer << SHIFT
+          buffer = buffer | (decode_quint(char) & MASK)
+          bits_left = bits_left + SHIFT
+          if bits_left >= 8
+            result[idx] = (buffer >> (bits_left - 8)) & 255
+            idx = idx + 1
+            bits_left = bits_left - 8
+          end
         end
-        output.join
+        result.pack('c*')
       end
 
-      def random_base32(length=32)
-        b32 = String.new
-        SecureRandom.random_bytes(length).each_byte do |b|
-          b32 << CHARS[b % 32]
+      def encode(b)
+        data = b.unpack('c*')
+        out = String.new
+        buffer = data[0]
+        idx = 1
+        bits_left = 8
+        while bits_left > 0 || idx < data.length
+          if bits_left < SHIFT
+            if idx < data.length
+              buffer = buffer << 8
+              buffer = buffer | (data[idx] & 255)
+              bits_left = bits_left + 8
+              idx = idx + 1
+            else
+              pad = SHIFT - bits_left
+              buffer = buffer << pad
+              bits_left = bits_left + pad
+            end
+          end
+          val = MASK & (buffer >> (bits_left - SHIFT))
+          bits_left = bits_left - SHIFT
+          out.concat(CHARS[val])
         end
-        b32
+        return out
       end
 
-      private
+      # Defaults to 160 bit long secret (meaning a 32 character long base32 secret)
+      def random(byte_length = 20)
+       rand_bytes = SecureRandom.random_bytes(byte_length)
+       self.encode(rand_bytes)
+      end
 
-      def decode_block(block)
-        length = block.scan(/[^=]/).length
-        quints = block.each_char.map {|c| decode_quint(c)}
-        bytes = []
-        bytes[0] = (quints[0] << 3) + (quints[1] ? quints[1] >> 2 : 0)
-        return bytes if length < 3
-        bytes[1] = ((quints[1] & 3) << 6) + (quints[2] << 1) + (quints[3] ? quints[3] >> 4 : 0)
-        return bytes if length < 4
-        bytes[2] = ((quints[3] & 15) << 4) + (quints[4] ? quints[4] >> 1 : 0)
-        return bytes if length < 6
-        bytes[3] = ((quints[4] & 1) << 7) + (quints[5] << 2) + (quints[6] ? quints[6] >> 3 : 0)
-        return bytes if length < 7
-        bytes[4] = ((quints[6] & 7) << 5) + (quints[7] || 0)
-        bytes
+      # Prevent breaking changes
+      def random_base32(str_len = 32)
+        byte_length = str_len * 5/8
+        random(byte_length)
       end
 
+      private
+
       def decode_quint(q)
-        CHARS.index(q.downcase) or raise(Base32Error, "Invalid Base32 Character - '#{q}'")
+        CHARS.index(q) || raise(Base32Error, "Invalid Base32 Character - '#{q}'")
       end
-
     end
-
   end
 end

data/lib/rotp/cli.rb

@@ -16,10 +16,10 @@ module ROTP
     # :nocov:
 
     def errors
-      if [:time, :hmac].include?(options.mode)
+      if %i[time hmac].include?(options.mode)
         if options.secret.to_s == ''
           red 'You must also specify a --secret. Try --help for help.'
-        elsif options.secret.to_s.chars.any? { |c| ROTP::Base32::CHARS.index(c.downcase) == nil }
+        elsif options.secret.to_s.chars.any? { |c| ROTP::Base32::CHARS.index(c.upcase).nil? }
           red 'Secret must be in RFC4648 Base32 format - http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet'
         end
       end
@@ -31,9 +31,9 @@ module ROTP
       return arguments.to_s if options.mode == :help
 
       if options.mode == :time
-        ROTP::TOTP.new(options.secret).now
+        ROTP::TOTP.new(options.secret, options).now
       elsif options.mode == :hmac
-        ROTP::HOTP.new(options.secret).at options.counter
+        ROTP::HOTP.new(options.secret, options).at options.counter
       end
     end
 
@@ -48,6 +48,5 @@ module ROTP
     def red(string)
       "\033[31m#{string}\033[0m"
     end
-
   end
 end

data/lib/rotp/hotp.rb

@@ -12,10 +12,10 @@ module ROTP
     # @param counter [Integer] the counter of the OTP
     # @param retries [Integer] number of counters to incrementally retry
     def verify(otp, counter, retries: 0)
-      counters = (counter..counter+retries).to_a
-      counters.find { |c|
-        super(otp, self.at(c))
-      }
+      counters = (counter..counter + retries).to_a
+      counters.find do |c|
+        super(otp, at(c))
+      end
     end
 
     # Returns the provisioning URI for the OTP
@@ -24,15 +24,8 @@ module ROTP
     # @param [String] name of the account
     # @param [Integer] initial_count starting counter value, defaults to 0
     # @return [String] provisioning uri
-    def provisioning_uri(name, initial_count=0)
-      params = {
-        secret: secret,
-        counter: initial_count,
-        digits: digits == DEFAULT_DIGITS ? nil : digits
-      }
-      encode_params("otpauth://hotp/#{URI.encode(name)}", params)
+    def provisioning_uri(name = nil, initial_count = 0)
+      OTP::URI.new(self, account_name: name || @name, counter: initial_count).to_s
     end
-
   end
-
 end

data/lib/rotp/otp/uri.rb

@@ -0,0 +1,78 @@
+module ROTP
+  class OTP
+    # https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+    class URI
+      def initialize(otp, account_name: nil, counter: nil)
+        @otp = otp
+        @account_name = account_name || ''
+        @counter = counter
+      end
+
+      def to_s
+        "otpauth://#{type}/#{label}?#{parameters}"
+      end
+
+      private
+
+      def algorithm
+        return unless %w[sha256 sha512].include?(@otp.digest)
+
+        @otp.digest.upcase
+      end
+
+      def counter
+        return if @otp.is_a?(TOTP)
+        fail if @counter.nil?
+
+        @counter
+      end
+
+      def digits
+        return if @otp.digits == DEFAULT_DIGITS
+
+        @otp.digits
+      end
+
+      def issuer
+        @otp.issuer&.strip&.tr(':', '_')
+      end
+
+      def label
+        [issuer, @account_name.rstrip]
+          .compact
+          .map { |s| s.tr(':', '_') }
+          .map { |s| ERB::Util.url_encode(s) }
+          .join(':')
+      end
+
+      def parameters
+        {
+          secret: @otp.secret,
+          issuer: issuer,
+          algorithm: algorithm,
+          digits: digits,
+          period: period,
+          counter: counter,
+        }
+          .merge(@otp.provisioning_params)
+          .reject { |_, v| v.nil? }
+          .map { |k, v| "#{k}=#{ERB::Util.url_encode(v)}" }
+          .join('&')
+      end
+
+      def period
+        return if @otp.is_a?(HOTP)
+        return if @otp.interval == DEFAULT_INTERVAL
+
+        @otp.interval
+      end
+
+      def type
+        case @otp
+        when TOTP then 'totp'
+        when HOTP then 'hotp'
+        end
+      end
+    end
+  end
+end

data/lib/rotp/otp.rb

@@ -1,24 +1,35 @@
 module ROTP
   class OTP
-    attr_reader :secret, :digits, :digest
+    attr_reader :secret, :digits, :digest, :name, :issuer, :provisioning_params
     DEFAULT_DIGITS = 6
 
     # @param [String] secret in the form of base32
     # @option options digits [Integer] (6)
-    #     Number of integers in the OTP
+    #     Number of integers in the OTP.
     #     Google Authenticate only supports 6 currently
     # @option options digest [String] (sha1)
-    #     Digest used in the HMAC
+    #     Digest used in the HMAC.
     #     Google Authenticate only supports 'sha1' currently
+    # @option options name [String]
+    #     The name of the account for the OTP.
+    #     Used in the provisioning URL
+    # @option options issuer [String]
+    #     The issuer of the OTP.
+    #     Used in the provisioning URL
+    # @option options provisioning_params [Hash] ({})
+    #     Additional non-standard params you may want appended to the
+    #     provisioning URI. Ex. `image: 'https://example.com/icon.png'`
     # @returns [OTP] OTP instantiation
     def initialize(s, options = {})
       @digits = options[:digits] || DEFAULT_DIGITS
-      @digest = options[:digest] || "sha1"
+      @digest = options[:digest] || 'sha1'
+      @name = options[:name]
+      @issuer = options[:issuer]
+      @provisioning_params = options[:provisioning_params] || {}
       @secret = s
     end
 
     # @param [Integer] input the number used seed the HMAC
-    # @option padded [Boolean] (false) Output the otp as a 0 padded string
     # Usually either the counter, or the computed integer
     # based on the Unix timestamp
     def generate_otp(input)
@@ -30,17 +41,19 @@ module ROTP
 
       offset = hmac[-1].ord & 0xf
       code = (hmac[offset].ord & 0x7f) << 24 |
-        (hmac[offset + 1].ord & 0xff) << 16 |
-        (hmac[offset + 2].ord & 0xff) << 8 |
-        (hmac[offset + 3].ord & 0xff)
-      (code % 10 ** digits).to_s.rjust(digits, '0')
+             (hmac[offset + 1].ord & 0xff) << 16 |
+             (hmac[offset + 2].ord & 0xff) << 8 |
+             (hmac[offset + 3].ord & 0xff)
+      code_str = (10 ** digits + (code % 10 ** digits)).to_s
+      code_str[-digits..-1]
     end
 
     private
 
     def verify(input, generated)
-      raise ArgumentError, "`otp` should be a String" unless
+      raise ArgumentError, '`otp` should be a String' unless
           input.is_a?(String)
+
       time_constant_compare(input, generated)
     end
 
@@ -54,37 +67,25 @@ module ROTP
     #
     def int_to_bytestring(int, padding = 8)
       unless int >= 0
-        raise ArgumentError, "#int_to_bytestring requires a positive number"
+        raise ArgumentError, '#int_to_bytestring requires a positive number'
       end
 
       result = []
       until int == 0
         result << (int & 0xFF).chr
-        int >>=  8
+        int >>= 8
       end
       result.reverse.join.rjust(padding, 0.chr)
     end
 
-    # A very simple param encoder
-    def encode_params(uri, params)
-      params_str = String.new("?")
-      params.each do |k,v|
-        if v
-          params_str << "#{k}=#{CGI::escape(v.to_s)}&"
-        end
-      end
-      params_str.chop!
-      uri + params_str
-    end
-
     # constant-time compare the strings
     def time_constant_compare(a, b)
       return false if a.empty? || b.empty? || a.bytesize != b.bytesize
+
       l = a.unpack "C#{a.bytesize}"
       res = 0
       b.each_byte { |byte| res |= byte ^ l.shift }
       res == 0
     end
-
   end
 end

data/lib/rotp/totp.rb

@@ -1,7 +1,6 @@
 module ROTP
   DEFAULT_INTERVAL = 30
   class TOTP < OTP
-
     attr_reader :interval, :issuer
 
     # @option options [Integer] interval (30) the time interval in seconds for OTP
@@ -21,7 +20,7 @@ module ROTP
 
     # Generate the current time OTP
     # @return [Integer] the OTP as an integer
-    def now()
+    def now
       generate_otp(timecode(Time.now))
     end
 
@@ -40,39 +39,22 @@ module ROTP
     def verify(otp, drift_ahead: 0, drift_behind: 0, after: nil, at: Time.now)
       timecodes = get_timecodes(at, drift_behind, drift_ahead)
 
-      if after
-        timecodes = timecodes.select { |t| t > timecode(after) }
-      end
+      timecodes = timecodes.select { |t| t > timecode(after) } if after
 
       result = nil
-      timecodes.each { |t|
-        if (super(otp, self.generate_otp(t)))
-          result = t * interval
-        end
-      }
-      return result
+      timecodes.each do |t|
+        result = t * interval if super(otp, generate_otp(t))
+      end
+      result
     end
 
-
     # Returns the provisioning URI for the OTP
     # This can then be encoded in a QR Code and used
     # to provision the Google Authenticator app
     # @param [String] name of the account
     # @return [String] provisioning URI
-    def provisioning_uri(name)
-      # The format of this URI is documented at:
-      # https://github.com/google/google-authenticator/wiki/Key-Uri-Format
-      # For compatibility the issuer appears both before that account name and also in the
-      # query string.
-      issuer_string = issuer.nil? ? "" : "#{URI.encode(issuer)}:"
-      params = {
-        secret: secret,
-        period: interval == 30 ? nil : interval,
-        issuer: issuer,
-        digits: digits == DEFAULT_DIGITS ? nil : digits,
-        algorithm: digest.upcase == 'SHA1' ? nil : digest.upcase,
-      }
-      encode_params("otpauth://totp/#{issuer_string}#{URI.encode(name)}", params)
+    def provisioning_uri(name = nil)
+      OTP::URI.new(self, account_name: name || @name).to_s
     end
 
     private
@@ -82,20 +64,18 @@ module ROTP
       now = timeint(at)
       timecode_start = timecode(now - drift_behind)
       timecode_end = timecode(now + drift_ahead)
-      return (timecode_start..timecode_end).step(1).to_a
+      (timecode_start..timecode_end).step(1).to_a
     end
 
     # Ensure UTC int
     def timeint(time)
-      unless time.class == Time
-        return time.to_i
-      end
-      return time.utc.to_i
+      return time.to_i unless time.class == Time
+
+      time.utc.to_i
     end
 
     def timecode(time)
-      return timeint(time) / interval
+      timeint(time) / interval
     end
-
   end
 end

data/lib/rotp/version.rb

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = "4.0.0"
+  VERSION = '6.3.0'.freeze
 end

data/lib/rotp.rb

@@ -1,12 +1,10 @@
-require 'cgi'
-require 'uri'
-require 'securerandom'
 require 'openssl'
+require 'erb'
 require 'rotp/base32'
 require 'rotp/otp'
+require 'rotp/otp/uri'
 require 'rotp/hotp'
 require 'rotp/totp'
 
-
 module ROTP
 end

data/release-please-config.json

@@ -0,0 +1,12 @@
+{
+  "packages": {
+    ".": {
+      "changelog-path": "CHANGELOG.md",
+      "bump-minor-pre-major": false,
+      "bump-patch-for-minor-pre-major": false,
+      "draft": false,
+      "prerelease": false
+    }
+  },
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
+}

data/rotp.gemspec

@@ -1,26 +1,24 @@
-# -*- encoding: utf-8 -*-
-require "./lib/rotp/version"
+require './lib/rotp/version'
 
 Gem::Specification.new do |s|
-  s.name        = "rotp"
+  s.name        = 'rotp'
   s.version     = ROTP::VERSION
   s.platform    = Gem::Platform::RUBY
-  s.license     = "MIT"
-  s.authors     = ["Mark Percival"]
-  s.email       = ["mark@markpercival.us"]
-  s.homepage    = "http://github.com/mdp/rotp"
-  s.summary     = %q{A Ruby library for generating and verifying one time passwords}
-  s.description = %q{Works for both HOTP and TOTP, and includes QR Code provisioning}
-
-  s.rubyforge_project = "rotp"
+  s.required_ruby_version = '>= 2.3'
+  s.license     = 'MIT'
+  s.authors     = ['Mark Percival']
+  s.email       = ['mark@markpercival.us']
+  s.homepage    = 'https://github.com/mdp/rotp'
+  s.summary     = 'A Ruby library for generating and verifying one time passwords'
+  s.description = 'Works for both HOTP and TOTP, and includes QR Code provisioning'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
+  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = ['lib']
 
-  s.add_development_dependency 'rake', '~> 10.5'
+  s.add_development_dependency "rake", "~> 13.0"
   s.add_development_dependency 'rspec', '~> 3.5'
-  s.add_development_dependency 'timecop', '~> 0.8'
   s.add_development_dependency 'simplecov', '~> 0.12'
+  s.add_development_dependency 'timecop', '~> 0.8'
 end

data/spec/lib/rotp/arguments_spec.rb

@@ -24,7 +24,7 @@ RSpec.describe ROTP::Arguments do
   end
 
   context 'unknown arguments' do
-    let(:argv) { %w(--does-not-exist -xyz) }
+    let(:argv) { %w[--does-not-exist -xyz] }
 
     describe '#options' do
       it 'is in help mode' do
@@ -48,7 +48,7 @@ RSpec.describe ROTP::Arguments do
   end
 
   context 'asking for help' do
-    let(:argv) { %w(--help) }
+    let(:argv) { %w[--help] }
 
     describe '#options' do
       it 'is in help mode' do
@@ -58,7 +58,7 @@ RSpec.describe ROTP::Arguments do
   end
 
   context 'generating a counter based secret' do
-    let(:argv) { %w(--hmac --secret s3same) }
+    let(:argv) { %w[--hmac --secret s3same] }
 
     describe '#options' do
       it 'is in hmac mode' do
@@ -72,7 +72,7 @@ RSpec.describe ROTP::Arguments do
   end
 
   context 'generating a counter based secret' do
-    let(:argv) { %w(--time --secret s3same) }
+    let(:argv) { %w[--time --secret s3same] }
 
     describe '#options' do
       it 'is in hmac mode' do
@@ -86,7 +86,7 @@ RSpec.describe ROTP::Arguments do
   end
 
   context 'generating a time based secret' do
-    let(:argv) { %w(--secret s3same) }
+    let(:argv) { %w[--secret s3same] }
 
     describe '#options' do
       it 'is in time mode' do
@@ -98,5 +98,4 @@ RSpec.describe ROTP::Arguments do
       end
     end
   end
-
 end

data/spec/lib/rotp/base32_spec.rb

@@ -1,25 +1,33 @@
 require 'spec_helper'
 
 RSpec.describe ROTP::Base32 do
-
-  describe '.random_base32' do
+  describe '.random' do
     context 'without arguments' do
-      let(:base32) { ROTP::Base32.random_base32 }
+      let(:base32) { ROTP::Base32.random }
 
-      it 'is 32 characters long' do
+      it 'is 20 bytes (160 bits) long (resulting in a 32 character base32 code)' do
+        expect(ROTP::Base32.decode(base32).length).to eq 20
         expect(base32.length).to eq 32
       end
 
-      it 'is hexadecimal' do
-        expect(base32).to match %r{\A[a-z2-7]+\z}
+      it 'is base32 charset' do
+        expect(base32).to match(/\A[A-Z2-7]+\z/)
       end
     end
 
     context 'with arguments' do
-      let(:base32) { ROTP::Base32.random_base32 32 }
+      let(:base32) { ROTP::Base32.random 48 }
 
-      it 'allows a specific length' do
-        expect(base32.length).to eq 32
+      it 'returns the appropriate byte length code' do
+        expect(ROTP::Base32.decode(base32).length).to eq 48
+      end
+    end
+
+    context 'alias to older random_base32' do
+      let(:base32) { ROTP::Base32.random_base32(36) }
+      it 'is base32 charset' do
+        expect(base32.length).to eq 36
+        expect(ROTP::Base32.decode(base32).length).to eq 22
       end
     end
   end
@@ -34,22 +42,40 @@ RSpec.describe ROTP::Base32 do
 
     context 'valid input data' do
       it 'correctly decodes a string' do
-        expect(ROTP::Base32.decode('F').unpack('H*').first).to eq '28'
-        expect(ROTP::Base32.decode('23').unpack('H*').first).to eq 'd6'
-        expect(ROTP::Base32.decode('234').unpack('H*').first).to eq 'd6f8'
-        expect(ROTP::Base32.decode('234A').unpack('H*').first).to eq 'd6f800'
-        expect(ROTP::Base32.decode('234B').unpack('H*').first).to eq 'd6f810'
-        expect(ROTP::Base32.decode('234BCD').unpack('H*').first).to eq 'd6f8110c'
-        expect(ROTP::Base32.decode('234BCDE').unpack('H*').first).to eq 'd6f8110c80'
-        expect(ROTP::Base32.decode('234BCDEFG').unpack('H*').first).to eq 'd6f8110c8530'
-        expect(ROTP::Base32.decode('234BCDEFG234BCDEFG').unpack('H*').first).to eq 'd6f8110c8536b7c0886429'
+        expect(ROTP::Base32.decode('2EB7C66WC5TSO').unpack('H*').first).to eq 'd103f17bd6176727'
+        expect(ROTP::Base32.decode('Y6Y5ZCAC7NABCHSJ').unpack('H*').first).to eq 'c7b1dc8802fb40111e49'
+      end
+
+      it 'correctly decode strings with trailing bits (not a multiple of 8)' do
+        # Dropbox style 26 characters (26*5==130 bits or 16.25 bytes, but chopped to 128)
+        # Matches the behavior of Google Authenticator, drops extra 2 empty bits
+        expect(ROTP::Base32.decode('YVT6Z2XF4BQJNBMTD7M6QBQCEM').unpack('H*').first).to eq 'c567eceae5e0609685931fd9e8060223'
+
+        # For completeness, test all the possibilities allowed by Google Authenticator
+        # Drop the incomplete empty extra 4 bits (28*5==140bits or 17.5 bytes, chopped to 136 bits)
+        expect(ROTP::Base32.decode('5GGZQB3WN6LD7V3L5HPDYTQUANEQ').unpack('H*').first).to eq 'e98d9807766f963fd76be9de3c4e140349'
+
       end
 
       context 'with padding' do
         it 'correctly decodes a string' do
-          expect(ROTP::Base32.decode('F==').unpack('H*').first).to eq '28'
+          expect(ROTP::Base32.decode('234A===').unpack('H*').first).to eq 'd6f8'
         end
       end
+
+    end
+  end
+
+  describe '.encode' do
+    context 'encode input data' do
+      it 'correctly encodes data' do
+        expect(ROTP::Base32.encode(hex_to_bin('3c204da94294ff82103ee34e96f74b48'))).to eq 'HQQE3KKCST7YEEB64NHJN52LJA'
+      end
     end
   end
+
+end
+
+def hex_to_bin(s)
+  s.scan(/../).map { |x| x.hex }.pack('c*')
 end