tilkinsc / cotp Goto Github PK

A simple One Time Password (OTP) library in C, supports C++

License: MIT License

C 61.41% Batchfile 0.96% C++ 31.91% Makefile 4.78% Shell 0.95%

otp otpauth otp-server c cpp c-library cpp-library

cotp's Introduction

Skills

I'm a good humored, passionate software developer with experience in developing software and web applications. Further, I work with various programming languages, tools, and frameworks. I'm driven by learning and exploring new technologies to improve my skills and knowledge. I'm also an avid Lua lover and Reverse Engineering enthusiast. I love to know how something works internally, or even reviving old, dead games and their servers. I have been programming ever since I was 12 with strong interests in gaming. You can call me a strong advocate for free software and a contributor to the greater good. You may find me also monitoring the README's of projects for clarity and conciseness or even contributing to your project directly. I take my work very seriously.

I know the importance of good clean and concise code, documentation, deployment, testing before shipping, and creating quality products. You can count on me to find the median point between efficiency and robustness. Write a program too fast and its features are limited and buggy for other usecases. Write a program too slow and you miss deadlines or is overengineered for the client's needs. This is where DevOps shines in an Agile environment.

Currently, I am embracing AI to achieve tasks in record time that would take me hours to do. AI has opened a new dawn, especially in the right hands with someone knowledgable in prompt engineering. I do have to disclaim that AI is a tool and not a substituion for knowledge. I am a learner, and that won't change. You will find me implementing stacks to simply learn them.

Meerkats are my favorite animal.

My Projects

See my pinned repos below. I am quite proud of them.

cotp's People

Contributors

Stargazers

Watchers

Forkers

ppsilv zxvnme lpilp xox9001 sylphe88 feliwir otplibraries benjamin-loison gruelingpine185 blog2i2j orollo edwroland rotrida espins aodekirk88

cotp's Issues

Verification bug: Signed integer is casted to unsigned

When specifying a window in totp_verifyi a negative integer will be casted to an unsigned size_t in this line:
https://github.com/tilkinsc/COTP/blob/master/cotp.c#L233
This causes any window!=0 not to be working correctly.

Another issue i had when trying to specify a window was that there is not much documentation for that parameter. Only by reading the sourcecode myself i found out that this parameter is in seconds. I think a lot of the totp_comparei calls could be avoided when checking for the interval inside OTPData, so e.g. with an interval of 30s we would only need 1 call for a window of 30

Buffer or Stack overflow under 32bit

Hi,

i've found an issue with the following line:
https://github.com/tilkinsc/COTP/blob/71074479a7deb7534cec5425017ab22ee6778364/otpuri.c#L150C40-L150C45

The format length specifier 'z' is for size_t variables but uint64_t was given as parameter and under 32bit this will lead to buffer or stack overflow.

Doesn't use cryptographically safe random for time

We need to automate and implement (unit) testing via CI/CD

totp_verifyi doesn't take digit count into account

E.g. when having a digitcount of 6 and when the key is "025341", this will be 25341 as an integer. However the conversion from int to string does not care about the digitcount:

char* key_str = calloc(8, sizeof(char));
sprintf(key_str, "%d", key);

This will result in two different strings being compared: "25341" and "025341". I suggest comparing the integer keys instead of the strings. Another issue is that digitcount may never be larger than 7, since key_str is allocated with a fixed size. This should be DIGITCOUNT+1 everywhere. So every calloc(8, sizeof(char)); is potentially wrong within this library

SHA256 and SHA512 might be failing

I am not sure where the root cause is, but the SHA256 and SHA512 are failing in my tests with the test/main.c* programs.

Isolation necessary.

Code Generator not 100% compatible

Seems like there is an issue in the code generation algorithm in this library, which leads to incompatibilities when compared to other implementations (read "produces different codes than other libraries").

To make things worse this does not always happen, only about 1/10 of the time. Below is what I got when I compared the codes generated by this library with https://github.com/samdjstevens/java-totp (please note: it does not matter whether the secret is generated in COTP or in Java TOTP - the behaviour is the same in both cases).

FWIW: I used the otp-cli tool in my tests which is in https://github.com/OTPLibraries/COTP/pull/5

Here are the test results:

Starting 30 test(s) with dynamic secret(s)...
Fre Mär 19 10:43:13 CET 2021 Success: Code 346354 matches (secret = 'APGLZGHY3LIWP76N')
Fre Mär 19 10:43:17 CET 2021 Success: Code 493943 matches (secret = 'DMNZQPSQXANP3MP3')
Fre Mär 19 10:43:21 CET 2021 Success: Code 665198 matches (secret = '62JRHI76LTYAQTIK')
Fre Mär 19 10:43:25 CET 2021 Success: Code 621885 matches (secret = '7T7RLCNRVKFP34FA')
Fre Mär 19 10:43:29 CET 2021 Error: Code 082255 does not match with java version (java code = '528876', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:34 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:38 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:42 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:46 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:50 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:54 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:43:58 CET 2021 Error: Code 388616 does not match with java version (java code = '319556', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:44:02 CET 2021 Error: Code 420660 does not match with java version (java code = '029143', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:44:06 CET 2021 Error: Code 420660 does not match with java version (java code = '029143', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:44:10 CET 2021 Error: Code 420660 does not match with java version (java code = '029143', secret = 'TWH3C5SBQV2SW6HI')
Fre Mär 19 10:44:14 CET 2021 Too many retries for secret 'TWH3C5SBQV2SW6HI'... Giving up.
Fre Mär 19 10:44:14 CET 2021 Success: Code 409665 matches (secret = 'RSLXPFQLCURTL4EP')
Fre Mär 19 10:44:19 CET 2021 Success: Code 968733 matches (secret = 'DVUODLDV2IHU2JFI')
Fre Mär 19 10:44:23 CET 2021 Success: Code 947597 matches (secret = '4PRG3YINFDS335HU')
Fre Mär 19 10:44:27 CET 2021 Success: Code 493943 matches (secret = 'NARZDZDMY4QIUPXE')
Fre Mär 19 10:44:31 CET 2021 Success: Code 099346 matches (secret = '3YSUYMT53DVCOCFG')
Fre Mär 19 10:44:35 CET 2021 Success: Code 194446 matches (secret = 'B7XMT5M3XNIDTCCZ')
Fre Mär 19 10:44:39 CET 2021 Success: Code 167852 matches (secret = 'C5TBDBCUDLUQUYOK')
Fre Mär 19 10:44:43 CET 2021 Success: Code 861182 matches (secret = 'GDXSG2KHU7OGFRXH')
Fre Mär 19 10:44:47 CET 2021 Success: Code 280202 matches (secret = 'TQ76H5WTALISGMD6')
Fre Mär 19 10:44:51 CET 2021 Success: Code 659381 matches (secret = 'AHLMCMKW4EOGSOVR')
Fre Mär 19 10:44:55 CET 2021 Success: Code 275554 matches (secret = 'YCSQQBSJS2X2HCIK')
Fre Mär 19 10:45:00 CET 2021 Success: Code 018522 matches (secret = '7WES6H6473WA4RSZ')
Fre Mär 19 10:45:04 CET 2021 Success: Code 914032 matches (secret = 'GXMJQPHR5YK4QOPR')
Fre Mär 19 10:45:08 CET 2021 Success: Code 228612 matches (secret = 'HMZMPIUKFVXUF6UT')
Fre Mär 19 10:45:12 CET 2021 Success: Code 012979 matches (secret = '5ZMRZRXIBFXWEN7J')

Base32 decoder is broken

cotp.c otp_byte_secret needs rewritten to correctly decode a base32 string into bytes. Ref: #5 #12

Make Linux compatible

We need a makefile or cmake build script

R&D Time function for BASE32 Secret et. al

I have noticed that a BASE32 secret is generated based on the second, rather than milliseconds. This means that 10 users who generate a BASE32 in the same second will have the same BASE32. This isn't ideal due to users sharing keys.

My take is, the BASE32 should be both generated with time and a salt and perhaps an increment, so that there is little chance for collision. The poor parts of this implementation is that it can both be manipulated and it relies on saving state. In my eyes, saving state means unnecessary file io.

Perhaps we could leave it up to the user to design an implementation for the randomness.

I am open to solutions for an implementation that can generate a base32 string that is unique within the same millisecond but isn't manipulable by restarts and doesn't save state.

Add valid until function which returns a number that is guaranteed to work for until a time period

[https://github.com/pyauth/pyotp/pull/5]
It's a great idea to do, should be implemented.

totp_compares reads garbage from memory

Hey,

an issue related to string / keylength:
totp_compares reads beyond the end of the passed key. See https://github.com/tilkinsc/COTP/blob/master/cotp.c#L161
A fixed length of 8 is used - meaning when we have a DIGITCOUNT of 6 this will read 2 more characters with undefined content, resulting in a possible failure. This should check for the digitcount specified in otp_new