7 * Error checking, lots of error checking
8 * have a way of encapsulating token data stright into a single field so it could be added
9 * in some way to a preexisting app without modifying the DB as such... or by just adding
10 * a single field to a user table...
11 * Remove all reliance on the SQLite database. Data should come from the encasultating application
12 * which will be expected to provde two function calls where it can get/store data - DONE
17 * For some reason i had it in my head to pass static functions into the construct
18 * of the class in order to hand data going in/out
19 * when in reality i should be making the data in/out func's abstract
20 * and getting implementors to extend the class
22 * For now im going to keep implementing it this way and thus my class will
23 * forever be an example of poor design choices. It'll change it very shortly though
27 * The way we should really be doing things is to have an array that encapsulates "normal" data (or a class?)
28 * and then just manipulate it, then use a checkin function to push the data base into the db...
30 class GoogleAuthenticator {
32 // first we init google authenticator by passing it a filename
33 // for its sqlite database.
34 // $getDataFunction expects 1 argument which defines what data it wants
35 // and can be "userlist" or "usertoken:username"
36 // $putDataFunciton expects 2 arguments, $1 is data type, $2 is the data
37 // $1 can be "changetoken:username", "removetoken:username", $2 is the token
38 // data in some encoded form
39 // tokenDATA will be like HOTP;KEY;CID where CID is the current counter value
40 // why encode like this? i cant think of a good reason tbh, i should probably just
41 // use php's arry encoder functions
42 function __construct($getDataFunction, $putDataFunction) {
43 $this->putDataFunction = $putDataFunction;
44 $this->getDataFunction = $getDataFunction;
47 // this could get ugly for large databases.. we'll worry about that if it ever happens.
48 function getUserList() {
49 $func = $this->getDataFunction;
50 return $func("userlist", "");
53 // set the token type the user it going to use.
54 // this defaults to HOTP - we only do 30s token
55 // so lets not be able to set that yet
56 function setupTokenType($username, $tokentype) {
57 if($tokentype!="HOTP" and $tokentype!="TOTP") {
58 $errorText = "Invalid Token Type";
62 $put["username"] = $username;
63 $put["tokentype"] = $tokentype;
64 $func = $this->putDataFunction;
65 $func("settokentype", $put);
71 // create "user" with insert
72 function setUser($username, $key = "", $ttype="HOTP") {
73 if($key == "") $key = $this->createBase32Key();
74 $hkey = $this->helperb322hex($key);
76 $token["username"] = $username;
77 $token["tokenkey"] = $hkey;
78 $token["tokentype"] = $ttype;
80 $func = $this->putDataFunction;
81 $func("setusertoken", $token);
87 // sets the key for a user - this is assuming you dont want
88 // to use one created by the application. returns false
89 // if the key is invalid or the user doesn't exist.
90 function setUserKey($username, $key) {
91 // consider scrapping this
96 function userExists($username) {
97 // need to think about this
102 function deleteUser($username) {
103 $func = $this->putDataFunction;
104 $func("deleteusertoken", $username);
107 // user has input their user name and some code, authenticate
109 function authenticateUser($username, $code) {
111 $func = $this->getDataFunction;
112 $tokendata = $func("gettoken", $username);
114 // TODO: check return value
115 $ttype = $tokendata["tokentype"];
116 $tlid = $tokendata["tokencounter"];
117 $tkey = $tokendata["tokenkey"];
122 for($i=$st; $i<$en; $i++) {
123 $stest = $this->oath_hotp($tkey, $i);
124 //error_log("code: $code, $stest, $tkey, $tid");
125 if($code == $stest) {
126 $tokenset["username"] = $username;
127 $tokenset["tokencounter"] = $i;
129 $func = $this->putDataFunction;
130 $func("settokencounter", $tokenset);
138 $t_ear = $t_now - 45;
139 $t_lat = $t_now + 60;
140 $t_st = ((int)($t_ear/30));
141 $t_en = ((int)($t_lat/30));
142 //error_log("kmac: $t_now, $t_ear, $t_lat, $t_st, $t_en");
143 for($i=$t_st; $i<=$t_en; $i++) {
144 $stest = $this->oath_hotp($tkey, $i);
145 //error_log("code: $code, $stest, $tkey\n");
146 if($code == $stest) {
152 echo "how the frig did i end up here?";
159 // this function allows a user to resync their key. If too
160 // many codes are called, we only check up to 20 codes in the future
161 // so if the user is at 21, they'll always fail.
162 function resyncCode($username, $code1, $code2) {
163 // here we'll go from 0 all the way thru to 200k.. if we cant find the code, so be it, they'll need a new one
164 // for HOTP tokens we start at x and go to x+20
166 // for TOTP we go +/-1min TODO = remember that +/- 1min should
167 // be changed based on stepping if we change the expiration time
170 // $this->dbConnector->query('CREATE TABLE "tokens" ("token_id" INTEGER PRIMARY KEY AUTOINCREMENT,"token_key" TEXT NOT NULL, "token_type" TEXT NOT NULL, "token_lastid" INTEGER NOT NULL)');
172 $func = $this->getDataFunction;
173 $tokendata = $func("gettoken", $username);
175 // TODO: check return value
176 $ttype = $tokendata["tokentype"];
177 $tlid = $tokendata["tokencounter"];
178 $tkey = $tokendata["tokenkey"];
184 for($i=$st; $i<$en; $i++) {
185 $stest = $this->oath_hotp($tkey, $i);
186 //echo "code: $code, $stest, $tkey\n";
187 if($code1 == $stest) {
188 $stest2 = $this->oath_hotp($tkey, $i+1);
189 if($code2 == $stest2) {
190 $tokenset["username"] = $username;
191 $tokenset["tokencounter"] = $i+1;
193 $func = $this->putDataFunction;
194 $func("settokencounter", $tokenset);
204 echo "how the frig did i end up here?";
211 // gets the error text associated with the last error
212 function getErrorText() {
213 return $this->errorText;
216 // create a url compatibile with google authenticator.
217 function createURL($user, $key,$toktype = "HOTP") {
218 // oddity in the google authenticator... hotp needs to be lowercase.
219 $toktype = strtolower($toktype);
220 if($toktype == "hotp") {
221 $url = "otpauth://$toktype/$user?secret=$key&counter=1";
223 $url = "otpauth://$toktype/$user?secret=$key";
225 //echo "url: $url\n";
229 // creeates a base 32 key (random)
230 function createBase32Key() {
231 $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
233 for($i=0; $i<16; $i++) {
234 $offset = rand(0,strlen($alphabet)-1);
235 //echo "$i off is $offset\n";
236 $key .= $alphabet[$offset];
243 function helperb322hex($b32) {
244 $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
249 for($i = 0; $i < strlen($b32); $i++) {
250 $in = strrpos($alphabet, $b32[$i]);
251 $b = str_pad(base_convert($in, 10, 2), 5, "0", STR_PAD_LEFT);
256 $ar = str_split($out,20);
258 //echo "$dous, $b\n";
262 foreach($ar as $val) {
263 $rv = str_pad(base_convert($val, 2, 16), 5, "0", STR_PAD_LEFT);
264 //echo "rv: $rv from $val\n";
273 function helperhex2b32($hex) {
274 $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
276 $ar = str_split($hex, 5);
279 foreach($ar as $var) {
280 $bc = base_convert($var, 16, 2);
281 $bin = str_pad($bc, 20, "0", STR_PAD_LEFT);
283 //echo "$bc was, $var is, $bin are\n";
287 $ar2 = str_split($out, 5);
288 foreach($ar2 as $var2) {
289 $bc = base_convert($var2, 2, 10);
290 $out2 .= $alphabet[$bc];
296 function oath_hotp($key, $counter)
298 $key = pack("H*", $key);
299 $cur_counter = array(0,0,0,0,0,0,0,0);
302 $cur_counter[$i] = pack ('C*', $counter);
303 $counter = $counter >> 8;
305 $bin_counter = implode($cur_counter);
307 if (strlen ($bin_counter) < 8)
309 $bin_counter = str_repeat (chr(0), 8 - strlen ($bin_counter)) . $bin_counter;
313 $hash = hash_hmac ('sha1', $bin_counter, $key);
314 return str_pad($this->oath_truncate($hash), 6, "0", STR_PAD_LEFT);
317 function oath_truncate($hash, $length = 6)
320 foreach(str_split($hash,2) as $hex)
322 $hmac_result[]=hexdec($hex);
326 $offset = $hmac_result[19] & 0xf;
328 // Algorithm from RFC
331 (($hmac_result[$offset+0] & 0x7f) << 24 ) |
332 (($hmac_result[$offset+1] & 0xff) << 16 ) |
333 (($hmac_result[$offset+2] & 0xff) << 8 ) |
334 ($hmac_result[$offset+3] & 0xff)
339 // some private data bits.
340 private $getDatafunction;
341 private $putDatafunction;