search

PHPGangsta / GoogleAuthenticator

PHP class to generate and verify Google Authenticator 2-factor authentication
http://phpgangsta.de/4376
BSD 2-Clause "Simplified" License
2.23k stars 689 forks source link

Add support for different HMAC algorithms. #63

Open ShaneMcC opened 5 years ago

ShaneMcC commented 5 years ago

RFC 6238 (https://tools.ietf.org/html/rfc6238) states:

TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].

This PR adds support for that.

I've also added additional tests to codeProvider() based on the code and output of the sample code in the RFC to validate the changes.

As a side effect of implementing the above, I've also fixed the case where if you change the _codeLength, verifyCode() always returned false for any value other than 6, and added some boilerplate at the top of GoogleAuthenticatorTest.php to make the tests run under phpunit 6+

ShaneMcC commented 5 years ago

Looks like #55 also fixed the verifyCode() issue, didn't see it before I did this.

MarkMaldaba commented 3 years ago

Good idea, but I think this would be better if it was handled in the same way as code length, for consistency (and also for ease-of-use).

MarkMaldaba commented 3 years ago

Also, it might be sensible to validate the algorithm string, to avoid errors and potential URL-injection attacks.