Fixed TOTP for client logins

2021-12-04 21:00:34 -05:00 · 2021-12-04 21:00:34 -05:00 · 53380718b1
parent e36739297d
commit 53380718b1
4 changed files with 98 additions and 3 deletions
--- a/client_logins.php
+++ b/client_logins.php
@ -1,4 +1,6 @@
-<?php 
+<?php
+
+require_once("rfc6238.php");

 //Paging
 if(isset($_GET['p'])){
@ -115,7 +117,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
            if(empty($login_otp_secret)){
              $otp_display = "-";
            }else{
-              $otp = get_otp($login_otp_secret);
+              $otp = TokenAuth6238::getTokenCode($login_otp_secret,$rangein30s = 3);
              $otp_display = "<i class='far fa-clock text-secondary'></i> $otp<button class='btn btn-sm' data-clipboard-text='$otp'><i class='far fa-copy text-secondary'></i></button>";
            }
            $login_note = $row['login_note'];
--- a/settings-user.php
+++ b/settings-user.php
@ -87,12 +87,13 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs
          if(!empty($session_token)){ 
            //Generate QR Code based off the generated key
            print sprintf('<img src="%s"/>',TokenAuth6238::getBarCodeUrl('','',$session_token,$config_company_name));
+            
+            echo "<p class='text-secondary'>$secretkey</p>";
          }
    
        ?>
        
        <input type="hidden" name="token" value="<?php echo $secretkey; ?>">
-       
        <hr>

        <?php if(empty($session_token)){ ?>
--- a/totp-test.php
+++ b/totp-test.php
@ -0,0 +1,80 @@
+<?php
+
+
+
+
+function hotp (string $algo, string $key, int $count, int $length = 6)
+{
+  // hmac $count as uint64 (big endian) with binary $key
+  $hmac = hash_hmac($algo, pack("J", $count), $key, TRUE);
+
+  // get least significant nibble of our $hmac, yielding $offset values 0..15
+  $offset = unpack("C", $hmac, strlen($hmac)-1)[1] & 0x0F;
+
+  // extract a uint32 (big endian) from our $hmac, and mask the most significant bit (the sign bit)
+  $number = unpack("N", $hmac, $offset)[1] & 0x7FFFFFFF;
+
+  // return token based on $number in $length decimal digits, padded with leading zeros
+  return str_pad($number % (10 ** $length), $length, "0", STR_PAD_LEFT);
+}
+
+
+function totp (string $algo, string $key, int $unixtime, int $interval = 30, int $length = 6)
+{
+  return hotp($algo, $key, intdiv($unixtime, $interval), $length);
+}
+
+
+
+
+
+function hotp_token_ok (string $token, string $algo, string $key, int $count, int $window = 10, int $length = 6)
+{
+  $ok = FALSE;
+
+  for ($i = -$window; $i <= $window; $i++)
+  {
+    $ok |= hash_equals(hotp($algo, $key, ($count + $i), $length), $token);
+  }
+
+  return $ok;
+}
+
+
+function totp_token_ok (string $token, string $algo, string $key, int $unixtime, int $window = 300, int $interval = 30, int $length = 6)
+{
+  return hotp_token_ok($algo, $key, $token, intdiv($unixtime, $interval), intdiv($window, $interval), $length);
+}
+
+
+function key32gen()
+{
+    $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    $chars .= "234567";
+    while (1) {
+        $key = '';
+        srand((double) microtime() * 1000000);
+        for ($i = 0; $i < 32; $i++) {
+            $key .= substr($chars, (rand() % (strlen($chars))), 1);
+        }
+        break;
+    }
+    return $key;
+}
+
+$unixtimestamp = time();
+//$unixtimestamp = "1638664893";
+//$secretkey = key32gen();
+$secretkey = "";
+
+echo "Unix Time is: $unixtimestamp<br>";
+
+echo "secret Key is: $secretkey<br>";
+
+
+$test = totp("sha1","$secretkey","$unixtimestamp",30,6);
+
+echo "<br>code is: $test";
+
+
+?>
--- a/totp-test2.php
+++ b/totp-test2.php
@ -0,0 +1,12 @@
+<?php
+
+require_once("rfc6238.php");
+
+
+$secretkey = "";
+
+$gen = TokenAuth6238::getTokenCode($secretkey,$rangein30s = 3);
+
+echo $gen;
+
+?>