-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathotp.php
145 lines (145 loc) · 4.79 KB
/
otp.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
<?php
session_start();
include_once("config.php");
class Google2FA {
const keyRegeneration = 30; // Interval between key regeneration
const otpLength = 6; // Length of the Token generated
private static $lut = array( // Lookup needed for Base32 encoding
"A" => 0, "B" => 1,
"C" => 2, "D" => 3,
"E" => 4, "F" => 5,
"G" => 6, "H" => 7,
"I" => 8, "J" => 9,
"K" => 10, "L" => 11,
"M" => 12, "N" => 13,
"O" => 14, "P" => 15,
"Q" => 16, "R" => 17,
"S" => 18, "T" => 19,
"U" => 20, "V" => 21,
"W" => 22, "X" => 23,
"Y" => 24, "Z" => 25,
"2" => 26, "3" => 27,
"4" => 28, "5" => 29,
"6" => 30, "7" => 31
);
/**
* Generates a 16 digit secret key in base32 format
* @return string
**/
public static function generate_secret_key($length = 16) {
$b32 = "234567QWERTYUIOPASDFGHJKLZXCVBNM";
$s = "";
for ($i = 0; $i < $length; $i++)
$s .= $b32[rand(0,31)];
return $s;
}
/**
* Returns the current Unix Timestamp devided by the keyRegeneration
* period.
* @return integer
**/
public static function get_timestamp() {
return floor(microtime(true)/self::keyRegeneration);
}
/**
* Decodes a base32 string into a binary string.
**/
public static function base32_decode($b32) {
$b32 = strtoupper($b32);
if (!preg_match('/^[A-Z2-7]+$/', $b32, $match))
throw new Exception('Invalid characters in the base32 string.');
$l = strlen($b32);
$n = 0;
$j = 0;
$binary = "";
for ($i = 0; $i < $l; $i++) {
$n = $n << 5; // Move buffer left by 5 to make room
$n = $n + self::$lut[$b32[$i]]; // Add value into buffer
$j = $j + 5; // Keep track of number of bits in buffer
if ($j >= 8) {
$j = $j - 8;
$binary .= chr(($n & (0xFF << $j)) >> $j);
}
}
return $binary;
}
/**
* Takes the secret key and the timestamp and returns the one time
* password.
*
* @param binary $key - Secret key in binary form.
* @param integer $counter - Timestamp as returned by get_timestamp.
* @return string
**/
public static function oath_hotp($key, $counter)
{
if (strlen($key) < 8)
throw new Exception('Secret key is too short. Must be at least 16 base 32 characters');
$bin_counter = pack('N*', 0) . pack('N*', $counter); // Counter must be 64-bit int
$hash = hash_hmac ('sha1', $bin_counter, $key, true);
return str_pad(self::oath_truncate($hash), self::otpLength, '0', STR_PAD_LEFT);
}
/**
* Verifys a user inputted key against the current timestamp. Checks $window
* keys either side of the timestamp.
*
* @param string $b32seed
* @param string $key - User specified key
* @param integer $window
* @param boolean $useTimeStamp
* @return boolean
**/
public static function verify_key($b32seed, $key, $window = 4, $useTimeStamp = true) {
$timeStamp = self::get_timestamp();
if ($useTimeStamp !== true) $timeStamp = (int)$useTimeStamp;
$binarySeed = self::base32_decode($b32seed);
for ($ts = $timeStamp - $window; $ts <= $timeStamp + $window; $ts++)
if (self::oath_hotp($binarySeed, $ts) == $key)
return true;
return false;
}
/**
* Extracts the OTP from the SHA1 hash.
* @param binary $hash
* @return integer
**/
public static function oath_truncate($hash)
{
$offset = ord($hash[19]) & 0xf;
return (
((ord($hash[$offset+0]) & 0x7f) << 24 ) |
((ord($hash[$offset+1]) & 0xff) << 16 ) |
((ord($hash[$offset+2]) & 0xff) << 8 ) |
(ord($hash[$offset+3]) & 0xff)
) % pow(10, self::otpLength);
}
}
$InitalizationKey = Google2FA::generate_secret_key(); // Set the inital key
$TimeStamp = Google2FA::get_timestamp();
$secretkey = Google2FA::base32_decode($InitalizationKey); // Decode it into binary
$otp = Google2FA::oath_hotp($secretkey, $TimeStamp);
$_SESSION["OTP"]=$otp;
// Get current token
// echo("Init key: $InitalizationKey\n");
// echo("Timestamp: $TimeStamp\n");
// echo("One time password: $otp\n");
// Use this to verify a key as it allows for some time drift.
$result = Google2FA::verify_key($InitalizationKey, "123456");
// $_SESSION["OTP"]=$otp;
$query="SELECT * FROM OTP_Details WHERE Username='".$_SESSION['Username']."'";
// $query="SELECT * FROM OTP_Details WHERE Username='abhi1289'";
$res=mysqli_query($db,$query);
$num=mysqli_num_rows($res);
if($num==0){
$query1="INSERT INTO OTP_Details (OTP,Username) VALUES ('".$otp."','".$_SESSION['Username']."')";
$res1=mysqli_query($db,$query1);
}
else if($num>0)
{
$query2="UPDATE OTP_Details SET OTP='".$otp."' WHERE Username='".$_SESSION['Username']."'";
// $query2="UPDATE OTP_Details SET OTP='".$otp."' WHERE Username='abhi1289'";
$res2=mysqli_query($db,$query2);
}
// echo 'Your OTP for login to SecureIt.com is " '.$otp.'"';
// var_dump($result);
?>