-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathmfa.go
81 lines (71 loc) · 2.17 KB
/
mfa.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package common
import (
"bytes"
"crypto/hmac"
"crypto/sha1" //nolint:gosec // G501: Blocklisted import crypto/md5: weak cryptographic primitive
"encoding/base32"
"encoding/binary"
"fmt"
"strconv"
"strings"
"time"
)
// Append extra 0s if the length of otp is less than 6
// If otp is "1234", it will return it as "001234".
func prefix0(otp string) string {
if len(otp) == 6 {
return otp
}
for i := 6 - len(otp); i > 0; i-- {
otp = "0" + otp
}
return otp
}
func getHOTPToken(secret string, interval int64) (string, error) {
// Converts secret to base32 Encoding. Base32 encoding desires a 32-character
// subset of the twenty-six letters A–Z and ten digits 0–9
key, err := base32.StdEncoding.DecodeString(strings.ToUpper(secret))
if err != nil {
return "", err
}
bs := make([]byte, 8)
binary.BigEndian.PutUint64(bs, uint64(interval))
// Signing the value using HMAC-SHA1 Algorithm
hash := hmac.New(sha1.New, key)
hash.Write(bs)
h := hash.Sum(nil)
// We're going to use a subset of the generated hash.
// Using the last nibble (half-byte) to choose the index to start from.
// This number is always appropriate as it's maximum decimal 15, the hash will
// have the maximum index 19 (20 bytes of SHA1) and we need 4 bytes.
o := h[19] & 15
var header uint32
// Get 32 bit chunk from hash starting at the o
r := bytes.NewReader(h[o : o+4])
err = binary.Read(r, binary.BigEndian, &header)
if err != nil {
return "", err
}
// Ignore most significant bits as per RFC 4226.
// Takes division from one million to generate a remainder less than < 7 digits
h12 := (int(header) & 0x7fffffff) % 1000000
// Converts number as a string
otp := strconv.Itoa(h12)
return prefix0(otp), nil
}
func getTOTPToken(secret string) (string, error) {
// The TOTP token is just a HOTP token seeded with every 30 seconds.
interval := time.Now().Unix() / 30
return getHOTPToken(secret, interval)
}
// MfaValidation validates TOTP mfa with given secret and token.
func MfaValidation(secret string, token string) error {
curToken, err := getTOTPToken(secret)
if err != nil {
return err
}
if curToken != token {
return fmt.Errorf("token is invalid or expired")
}
return nil
}