rotp 1.6.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 925325389a0599d8e3d5fa61035be448cba2d26d
-  data.tar.gz: e5639873115b3f91ff962250c1e0528e332a225c
+  metadata.gz: 5c42bc8b1ce8ab11bb556cef750ae50187a6640d
+  data.tar.gz: 165cbc7edb89427967f2777b7d8705b45486f18d
 SHA512:
-  metadata.gz: 5b377c8eedeb3de0c68ccbb8f2c6896bdfe58bf62259129583bc1933685e4f5a9ee34e3b9e1558f747935f2b1214ed08b2fba64061ba81d6f648885a04eaf4d4
-  data.tar.gz: e781069e1760f538924cecf5476eecabdf19423e8289a933ff824ce7b3c788b8369835d5f91a804ef3a9267e62688fd06a86d9fa300dddff65b2dc06d3e5aa79
+  metadata.gz: ac2979aa19949bedb563e5fc407171efec7d80785e0246d19fed92bc78fca4b64eacdd1ef5c01a848f37c77a7d5bbbc03dc84e1e49d5f84bd55710ffc36b33af
+  data.tar.gz: 8349669bdc320ff49ec55eb487eaaf38c352a52faa95bde3cfa8fde06b5ed7b889db670a254d2b2fd8b36286cb13bbaf03b86579466430e6b3d4850db1b0a770

data/.travis.yml

@@ -3,4 +3,3 @@ rvm:
   - 2.1.0
   - 2.0.0
   - 1.9.3
-  - 1.8.7

data/README.markdown

@@ -25,23 +25,23 @@ This is compatible with Google Authenticator apps available for Android and iPho
 ### Time based OTP's
 
     totp = ROTP::TOTP.new("base32secret3232")
-    totp.now # => 492039
+    totp.now # => "492039"
 
     # OTP verified for current time
-    totp.verify(492039) # => true
+    totp.verify("492039") # => true
     sleep 30
-    totp.verify(492039) # => false
+    totp.verify("492039") # => false
 
 ### Counter based OTP's
 
     hotp = ROTP::HOTP.new("base32secretkey3232")
-    hotp.at(0) # => 260182
-    hotp.at(1) # => 55283
-    hotp.at(1401) # => 316439
+    hotp.at(0) # => "260182"
+    hotp.at(1) # => "055283"
+    hotp.at(1401) # => "316439"
 
     # OTP verified with a counter
-    totp.verify(316439, 1401) # => true
-    totp.verify(316439, 1402) # => false
+    totp.verify("316439", 1401) # => true
+    totp.verify("316439", 1402) # => false
 
 ### Generating a Base32 Secret key
 
@@ -92,6 +92,19 @@ Now run the following and compare the output
 
 ### Changelog
 
+
+#### 2.0.0
+
+- Move to only comparing string OTP's.
+
+#### 1.7.1
+
+- Revert to former API
+
+#### 1.7.0
+
+- Move to only comparing string OTP's. See mdp/rotp/issues/32 - Moved to 2.0.0
+
 #### 1.6.1
 
 - Remove deprecation warning in Ruby 2.1.0 (@ylansegal)

data/lib/rotp/base32.rb

@@ -40,11 +40,7 @@ module ROTP
       end
 
       def decode_quint(q)
-        if d = CHARS.index(q.downcase)
-          d
-        else
-          raise Base32Error, "Invalid Base32 Character - '#{q}'"
-        end
+        CHARS.index(q.downcase) or raise(Base32Error, "Invalid Base32 Character - '#{q}'")
       end
 
     end

data/lib/rotp/hotp.rb

@@ -4,7 +4,7 @@ module ROTP
     # @param [Integer] count counter
     # @option [Boolean] padding (false) Issue the number as a 0 padded string
     # @returns [Integer] OTP
-    def at(count, padding=false)
+    def at(count, padding=true)
       generate_otp(count, padding)
     end
 

data/lib/rotp/otp.rb

@@ -20,7 +20,7 @@ module ROTP
     # @option padded [Boolean] (false) Output the otp as a 0 padded string
     # Usually either the counter, or the computed integer
     # based on the Unix timestamp
-    def generate_otp(input, padded=false)
+    def generate_otp(input, padded=true)
       hmac = OpenSSL::HMAC.digest(
         OpenSSL::Digest.new(digest),
         byte_secret,
@@ -42,7 +42,10 @@ module ROTP
     private
 
     def verify(input, generated)
-      input.to_i == generated
+      unless input.is_a?(String) && generated.is_a?(String)
+        raise ArgumentError, "ROTP only verifies strings - See: https://github.com/mdp/rotp/issues/32"
+      end
+      time_constant_compare(input, generated)
     end
 
     def byte_secret
@@ -74,5 +77,16 @@ module ROTP
       uri + params_str
     end
 
+    private
+
+    # constant-time compare the strings
+    def time_constant_compare(a, b)
+      return false if a.empty? || b.empty? || a.bytesize != b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
   end
 end

data/lib/rotp/totp.rb

@@ -15,8 +15,8 @@ module ROTP
     # Accepts either a Unix timestamp integer or a Time object.
     # Time objects will be adjusted to UTC automatically
     # @param [Time/Integer] time the time to generate an OTP for
-    # @option [Boolean] padding (false) Issue the number as a 0 padded string
-    def at(time, padding=false)
+    # @option [Boolean] padding (true) Issue the number as a 0 padded string
+    def at(time, padding=true)
       unless time.class == Time
         time = Time.at(time.to_i)
       end
@@ -25,7 +25,7 @@ module ROTP
 
     # Generate the current time OTP
     # @return [Integer] the OTP as an integer
-    def now(padding=false)
+    def now(padding=true)
       generate_otp(timecode(Time.now), padding)
     end
 
@@ -37,7 +37,7 @@ module ROTP
 
     # Verifies the OTP passed in against the current time OTP
     # and adjacent intervals up to +drift+.
-    # @param [String/Integer] otp the OTP to check against
+    # @param [String] otp the OTP to check against
     # @param [Integer] drift the number of seconds that the client
     #     and server are allowed to drift apart
     def verify_with_drift(otp, drift, time = Time.now)

data/lib/rotp/version.rb

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = "1.6.1"
+  VERSION = "2.0.0"
 end

data/rotp.gemspec

@@ -20,8 +20,8 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.add_development_dependency('rake')
-  s.add_development_dependency('rspec')
+  s.add_development_dependency('rake', '~>10.1.0')
+  s.add_development_dependency('rspec', '~>2.13.0')
   if RUBY_VERSION < "1.9"
     s.add_development_dependency('timecop', "~>0.5.9.2")
   else

data/spec/base_spec.rb

@@ -9,7 +9,8 @@ describe "the Base32 implementation" do
     ROTP::Base32.random_base32(32).length.should == 32
   end
   it "raise a sane error on a bad decode" do
-    expect { ROTP::Base32.decode("4BCDEFG234BCDEF1") }.to raise_error(ROTP::Base32::Base32Error)
+    expect { ROTP::Base32.decode("4BCDEFG234BCDEF1") }.to \
+      raise_error(ROTP::Base32::Base32Error, "Invalid Base32 Character - '1'")
   end
   it "should correctly decode a string" do
     ROTP::Base32.decode("F").unpack('H*').first.should == "28"

data/spec/hotp_spec.rb

@@ -5,14 +5,16 @@ describe ROTP::HOTP do
 
   subject { ROTP::HOTP.new('a' * 32) }
 
-  it "should generate a number given a time" do
-    subject.at(@counter).should == 161024
+  it "should generate a string OTP given a count" do
+    subject.at(@counter).should == "161024"
   end
-  it "should generate a number as a string" do
-    subject.at(@counter, true).should == "161024"
+  it "should generate a number if padding is set to false" do
+    subject.at(@counter, false).should == 161024
   end
-  it "should verify a number" do
-    subject.verify(161024, @counter).should be_true
+  it "should not verify a number" do
+    expect {
+      subject.verify(161024, @counter)
+    }.to raise_error
   end
   it "should verify a string" do
     subject.verify("161024", @counter).should be_true
@@ -26,16 +28,16 @@ describe ROTP::HOTP do
 
   context "with retries" do
     it "should verify that retry is a valid number" do
-      subject.verify_with_retries(161024, @counter, -1).should be_false
-      subject.verify_with_retries(161024, @counter, 0).should be_false
+      subject.verify_with_retries("161024", @counter, -1).should be_false
+      subject.verify_with_retries("161024", @counter, 0).should be_false
     end
 
     it "should verify up to the total number of retries and return the counter" do
-      subject.verify_with_retries(161024, @counter - 10, 10).should == @counter
+      subject.verify_with_retries("161024", @counter - 10, 10).should == @counter
     end
 
     it "should verify that retry is a valid number" do
-      subject.verify_with_retries(161024, @counter - 20, 10).should be_false
+      subject.verify_with_retries("161024", @counter - 20, 10).should be_false
     end
   end
 end
@@ -45,20 +47,20 @@ describe "HOTP example values from the rfc" do
     # 12345678901234567890 in Base32
     # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
     hotp = ROTP::HOTP.new("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
-    hotp.at(0).should ==(755224)
-    hotp.at(1).should ==(287082)
-    hotp.at(2).should ==(359152)
-    hotp.at(3).should ==(969429)
-    hotp.at(4).should ==(338314)
-    hotp.at(5).should ==(254676)
-    hotp.at(6).should ==(287922)
-    hotp.at(7).should ==(162583)
-    hotp.at(8).should ==(399871)
-    hotp.at(9).should ==(520489)
+    hotp.at(0).should ==("755224")
+    hotp.at(1).should ==("287082")
+    hotp.at(2).should ==("359152")
+    hotp.at(3).should ==("969429")
+    hotp.at(4).should ==("338314")
+    hotp.at(5).should ==("254676")
+    hotp.at(6).should ==("287922")
+    hotp.at(7).should ==("162583")
+    hotp.at(8).should ==("399871")
+    hotp.at(9).should ==("520489")
   end
   it "should verify an OTP and not allow reuse" do
     hotp = ROTP::HOTP.new("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
-    hotp.verify(520489, 9).should be_true
-    hotp.verify(520489, 10).should be_false
+    hotp.verify("520489", 9).should be_true
+    hotp.verify("520489", 10).should be_false
   end
 end

data/spec/totp_spec.rb

@@ -6,16 +6,24 @@ describe ROTP::TOTP do
   subject { ROTP::TOTP.new("JBSWY3DPEHPK3PXP") }
 
   it "should generate a number given a number" do
-    subject.at(@now).should == 68212
+    subject.at(@now, false).should == 68212
   end
-  it "should generate a number as a padded string" do
-    subject.at(@now, true).should == "068212"
+
+  it "should generate a number as a padded string by default" do
+    subject.at(@now).should == "068212"
+  end
+
+  # Users of the lib
+  it "should not verify a number" do
+    expect {
+      subject.verify(68212, @now)
+    }.to raise_error
   end
-  it "should verify a number" do
-    subject.verify(68212, @now).should be_true
+  it "should not verify an unpadded string" do
+    subject.verify("68212", @now).should be_false
   end
   it "should verify a string" do
-    subject.verify("68212", @now).should be_true
+    subject.verify("068212", @now).should be_true
   end
 
   it "should output its provisioning URI" do
@@ -50,10 +58,10 @@ describe ROTP::TOTP do
 
   context "with drift" do
     it "should verify a number" do
-      subject.verify_with_drift(68212, 0, @now).should be_true
+      subject.verify_with_drift("068212", 0, @now).should be_true
     end
     it "should verify a string" do
-      subject.verify_with_drift("68212", 0, @now).should be_true
+      subject.verify_with_drift("068212", 0, @now).should be_true
     end
     it "should verify a slightly old number" do
       subject.verify_with_drift(subject.at(@now - 30), 60, @now).should be_true
@@ -78,30 +86,30 @@ end
 describe "TOTP example values from the documented output" do
   it "should match the RFC" do
     totp = ROTP::TOTP.new("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
-    totp.at(1111111111).should ==(50471)
-    totp.at(1234567890).should ==(5924)
-    totp.at(2000000000).should ==(279037)
+    totp.at(1111111111).should ==("050471")
+    totp.at(1234567890).should ==("005924")
+    totp.at(2000000000).should ==("279037")
   end
 
   it "should match the Google Authenticator output" do
     totp = ROTP::TOTP.new("wrn3pqx5uqxqvnqr")
     Timecop.freeze(Time.at(1297553958)) do
-      totp.now.should ==(102705)
+      totp.now.should ==("102705")
     end
   end
   it "should match Dropbox 26 char secret output" do
     totp = ROTP::TOTP.new("tjtpqea6a42l56g5eym73go2oa")
     Timecop.freeze(Time.at(1378762454)) do
-      totp.now.should ==(747864)
+      totp.now.should ==("747864")
     end
   end
   it "should validate a time based OTP" do
     totp = ROTP::TOTP.new("wrn3pqx5uqxqvnqr")
     Timecop.freeze(Time.at(1297553958)) do
-      totp.verify(102705).should be_true
+      totp.verify("102705").should be_true
     end
     Timecop.freeze(Time.at(1297553958 + 30)) do
-      totp.verify(102705).should be_false
+      totp.verify("102705").should be_false
     end
   end
 end

metadata

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: rotp
 version: !ruby/object:Gem::Version
-  version: 1.6.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Mark Percival
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-03 00:00:00.000000000 Z
+date: 2014-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.1.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.13.0
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement