replace zxq.co/ripple/hanayo

2019-02-23 13:29:15 +00:00
commit c3d206c173
5871 changed files with 1353715 additions and 0 deletions
--- a/vendor/github.com/pquerna/otp/hotp/hotp.go
+++ b/vendor/github.com/pquerna/otp/hotp/hotp.go
@@ -0,0 +1,188 @@
+/**
+ *  Copyright 2014 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package hotp
+
+import (
+	"github.com/pquerna/otp"
+
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base32"
+	"encoding/binary"
+	"fmt"
+	"math"
+	"net/url"
+	"strings"
+)
+
+const debug = false
+
+// Validate a HOTP passcode given a counter and secret.
+// This is a shortcut for ValidateCustom, with parameters that
+// are compataible with Google-Authenticator.
+func Validate(passcode string, counter uint64, secret string) bool {
+	rv, _ := ValidateCustom(
+		passcode,
+		counter,
+		secret,
+		ValidateOpts{
+			Digits:    otp.DigitsSix,
+			Algorithm: otp.AlgorithmSHA1,
+		},
+	)
+	return rv
+}
+
+// ValidateOpts provides options for ValidateCustom().
+type ValidateOpts struct {
+	// Digits as part of the input. Defaults to 6.
+	Digits otp.Digits
+	// Algorithm to use for HMAC. Defaults to SHA1.
+	Algorithm otp.Algorithm
+}
+
+// GenerateCode creates a HOTP passcode given a counter and secret.
+// This is a shortcut for GenerateCodeCustom, with parameters that
+// are compataible with Google-Authenticator.
+func GenerateCode(secret string, counter uint64) (string, error) {
+	return GenerateCodeCustom(secret, counter, ValidateOpts{
+		Digits:    otp.DigitsSix,
+		Algorithm: otp.AlgorithmSHA1,
+	})
+}
+
+// GenerateCodeCustom uses a counter and secret value and options struct to
+// create a passcode.
+func GenerateCodeCustom(secret string, counter uint64, opts ValidateOpts) (passcode string, err error) {
+	// As noted in issue #10 and #17 this adds support for TOTP secrets that are
+	// missing their padding.
+	secret = strings.TrimSpace(secret)
+	if n := len(secret) % 8; n != 0 {
+		secret = secret + strings.Repeat("=", 8-n)
+	}
+
+	secretBytes, err := base32.StdEncoding.DecodeString(secret)
+	if err != nil {
+		return "", otp.ErrValidateSecretInvalidBase32
+	}
+
+	buf := make([]byte, 8)
+	mac := hmac.New(opts.Algorithm.Hash, secretBytes)
+	binary.BigEndian.PutUint64(buf, counter)
+	if debug {
+		fmt.Printf("counter=%v\n", counter)
+		fmt.Printf("buf=%v\n", buf)
+	}
+
+	mac.Write(buf)
+	sum := mac.Sum(nil)
+
+	// "Dynamic truncation" in RFC 4226
+	// http://tools.ietf.org/html/rfc4226#section-5.4
+	offset := sum[len(sum)-1] & 0xf
+	value := int64(((int(sum[offset]) & 0x7f) << 24) |
+		((int(sum[offset+1] & 0xff)) << 16) |
+		((int(sum[offset+2] & 0xff)) << 8) |
+		(int(sum[offset+3]) & 0xff))
+
+	l := opts.Digits.Length()
+	mod := int32(value % int64(math.Pow10(l)))
+
+	if debug {
+		fmt.Printf("offset=%v\n", offset)
+		fmt.Printf("value=%v\n", value)
+		fmt.Printf("mod'ed=%v\n", mod)
+	}
+
+	return opts.Digits.Format(mod), nil
+}
+
+// ValidateCustom validates an HOTP with customizable options. Most users should
+// use Validate().
+func ValidateCustom(passcode string, counter uint64, secret string, opts ValidateOpts) (bool, error) {
+	passcode = strings.TrimSpace(passcode)
+
+	if len(passcode) != opts.Digits.Length() {
+		return false, otp.ErrValidateInputInvalidLength
+	}
+
+	otpstr, err := GenerateCodeCustom(secret, counter, opts)
+	if err != nil {
+		return false, err
+	}
+
+	if subtle.ConstantTimeCompare([]byte(otpstr), []byte(passcode)) == 1 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// GenerateOpts provides options for .Generate()
+type GenerateOpts struct {
+	// Name of the issuing Organization/Company.
+	Issuer string
+	// Name of the User's Account (eg, email address)
+	AccountName string
+	// Size in size of the generated Secret. Defaults to 10 bytes.
+	SecretSize uint
+	// Digits to request. Defaults to 6.
+	Digits otp.Digits
+	// Algorithm to use for HMAC. Defaults to SHA1.
+	Algorithm otp.Algorithm
+}
+
+// Generate creates a new HOTP Key.
+func Generate(opts GenerateOpts) (*otp.Key, error) {
+	// url encode the Issuer/AccountName
+	if opts.Issuer == "" {
+		return nil, otp.ErrGenerateMissingIssuer
+	}
+
+	if opts.AccountName == "" {
+		return nil, otp.ErrGenerateMissingAccountName
+	}
+
+	if opts.SecretSize == 0 {
+		opts.SecretSize = 10
+	}
+
+	// otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
+
+	v := url.Values{}
+	secret := make([]byte, opts.SecretSize)
+	_, err := rand.Read(secret)
+	if err != nil {
+		return nil, err
+	}
+
+	v.Set("secret", strings.TrimRight(base32.StdEncoding.EncodeToString(secret), "="))
+	v.Set("issuer", opts.Issuer)
+	v.Set("algorithm", opts.Algorithm.String())
+	v.Set("digits", opts.Digits.String())
+
+	u := url.URL{
+		Scheme:   "otpauth",
+		Host:     "hotp",
+		Path:     "/" + opts.Issuer + ":" + opts.AccountName,
+		RawQuery: v.Encode(),
+	}
+
+	return otp.NewKeyFromURL(u.String())
+}
--- a/vendor/github.com/pquerna/otp/hotp/hotp_test.go
+++ b/vendor/github.com/pquerna/otp/hotp/hotp_test.go
@@ -0,0 +1,162 @@
+/**
+ *  Copyright 2014 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package hotp
+
+import (
+	"github.com/pquerna/otp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"encoding/base32"
+	"testing"
+)
+
+type tc struct {
+	Counter uint64
+	TOTP    string
+	Mode    otp.Algorithm
+	Secret  string
+}
+
+var (
+	secSha1 = base32.StdEncoding.EncodeToString([]byte("12345678901234567890"))
+
+	rfcMatrixTCs = []tc{
+		tc{0, "755224", otp.AlgorithmSHA1, secSha1},
+		tc{1, "287082", otp.AlgorithmSHA1, secSha1},
+		tc{2, "359152", otp.AlgorithmSHA1, secSha1},
+		tc{3, "969429", otp.AlgorithmSHA1, secSha1},
+		tc{4, "338314", otp.AlgorithmSHA1, secSha1},
+		tc{5, "254676", otp.AlgorithmSHA1, secSha1},
+		tc{6, "287922", otp.AlgorithmSHA1, secSha1},
+		tc{7, "162583", otp.AlgorithmSHA1, secSha1},
+		tc{8, "399871", otp.AlgorithmSHA1, secSha1},
+		tc{9, "520489", otp.AlgorithmSHA1, secSha1},
+	}
+)
+
+// Test values from http://tools.ietf.org/html/rfc4226#appendix-D
+func TestValidateRFCMatrix(t *testing.T) {
+
+	for _, tx := range rfcMatrixTCs {
+		valid, err := ValidateCustom(tx.TOTP, tx.Counter, tx.Secret,
+			ValidateOpts{
+				Digits:    otp.DigitsSix,
+				Algorithm: tx.Mode,
+			})
+		require.NoError(t, err,
+			"unexpected error totp=%s mode=%v counter=%v", tx.TOTP, tx.Mode, tx.Counter)
+		require.True(t, valid,
+			"unexpected totp failure totp=%s mode=%v counter=%v", tx.TOTP, tx.Mode, tx.Counter)
+	}
+}
+
+func TestGenerateRFCMatrix(t *testing.T) {
+	for _, tx := range rfcMatrixTCs {
+		passcode, err := GenerateCodeCustom(tx.Secret, tx.Counter,
+			ValidateOpts{
+				Digits:    otp.DigitsSix,
+				Algorithm: tx.Mode,
+			})
+		assert.Nil(t, err)
+		assert.Equal(t, tx.TOTP, passcode)
+	}
+}
+
+func TestValidateInvalid(t *testing.T) {
+	secSha1 := base32.StdEncoding.EncodeToString([]byte("12345678901234567890"))
+
+	valid, err := ValidateCustom("foo", 11, secSha1,
+		ValidateOpts{
+			Digits:    otp.DigitsSix,
+			Algorithm: otp.AlgorithmSHA1,
+		})
+	require.Equal(t, otp.ErrValidateInputInvalidLength, err, "Expected Invalid length error.")
+	require.Equal(t, false, valid, "Valid should be false when we have an error.")
+
+	valid, err = ValidateCustom("foo", 11, secSha1,
+		ValidateOpts{
+			Digits:    otp.DigitsEight,
+			Algorithm: otp.AlgorithmSHA1,
+		})
+	require.Equal(t, otp.ErrValidateInputInvalidLength, err, "Expected Invalid length error.")
+	require.Equal(t, false, valid, "Valid should be false when we have an error.")
+
+	valid, err = ValidateCustom("000000", 11, secSha1,
+		ValidateOpts{
+			Digits:    otp.DigitsSix,
+			Algorithm: otp.AlgorithmSHA1,
+		})
+	require.NoError(t, err, "Expected no error.")
+	require.Equal(t, false, valid, "Valid should be false.")
+
+	valid = Validate("000000", 11, secSha1)
+	require.Equal(t, false, valid, "Valid should be false.")
+}
+
+// This tests for issue #10 - secrets without padding
+func TestValidatePadding(t *testing.T) {
+	valid, err := ValidateCustom("831097", 0, "JBSWY3DPEHPK3PX",
+		ValidateOpts{
+			Digits:    otp.DigitsSix,
+			Algorithm: otp.AlgorithmSHA1,
+		})
+	require.NoError(t, err, "Expected no error.")
+	require.Equal(t, true, valid, "Valid should be true.")
+}
+
+func TestGenerate(t *testing.T) {
+	k, err := Generate(GenerateOpts{
+		Issuer:      "SnakeOil",
+		AccountName: "alice@example.com",
+	})
+	require.NoError(t, err, "generate basic TOTP")
+	require.Equal(t, "SnakeOil", k.Issuer(), "Extracting Issuer")
+	require.Equal(t, "alice@example.com", k.AccountName(), "Extracting Account Name")
+	require.Equal(t, 16, len(k.Secret()), "Secret is 16 bytes long as base32.")
+
+	k, err = Generate(GenerateOpts{
+		Issuer:      "SnakeOil",
+		AccountName: "alice@example.com",
+		SecretSize:  20,
+	})
+	require.NoError(t, err, "generate larger TOTP")
+	require.Equal(t, 32, len(k.Secret()), "Secret is 32 bytes long as base32.")
+
+	k, err = Generate(GenerateOpts{
+		Issuer:      "",
+		AccountName: "alice@example.com",
+	})
+	require.Equal(t, otp.ErrGenerateMissingIssuer, err, "generate missing issuer")
+	require.Nil(t, k, "key should be nil on error.")
+
+	k, err = Generate(GenerateOpts{
+		Issuer:      "Foobar, Inc",
+		AccountName: "",
+	})
+	require.Equal(t, otp.ErrGenerateMissingAccountName, err, "generate missing account name.")
+	require.Nil(t, k, "key should be nil on error.")
+
+	k, err = Generate(GenerateOpts{
+		Issuer:      "SnakeOil",
+		AccountName: "alice@example.com",
+		SecretSize:  17, // anything that is not divisable by 5, really
+	})
+	require.NoError(t, err, "Secret size is valid when length not divisable by 5.")
+	require.NotContains(t, k.Secret(), "=", "Secret has no escaped characters.")
+}