Releases: ericmann/totp
Modern Build Pipelines
Modern PHP Update
This newest release bumps the minimum supported version of PHP to 7.2 and, since we're now on PHP 7, drops the dependency on random_compat.
Developers will also experience:
- More consistent code quality, enforced by PHP Code Sniffer
- A formal code of conduct for the project
- Contribution templates for GitHub
Multi-Hash Authentication Support
While creating TOTPs for all three hash variants was previously supported, we lacked support for authenticating TOTPs for anything except sha1. This version introduces optional parameters to support all three hashing variants where needed.
Stellar Code Coverage
Cover one final edge case where a broken invocation could trigger a divide-by-zero error. The library at this stage is stable, has 100% test coverage, and is compatible with PHP 5.6-7.2.
Key-length Padding
The HMAC algorithm requires a minimum key length for hashing, but doesn't specify a maximum. Rather than assume keys are generated to fit the spec, automatically pad them (with bytes from the key itself) until we've got to the correct length.
The following key lengths are needed for the various hashing algorithms:
- SHA1: 20 bytes
- SHA256: 32 bytes
- SHA512: 64 bytes
If the HMAC key specified is shorter than the length required for a given hash, we'll concatenate bytes from the key itself to make up the length.
For example:
```php
$secret = 'abcdef'; // 6 bytes
$hash = 'sha1';
$padded = EAMann\TOTP\pad_secret($secret, $hash);
// $padded => abcdefabcdefabcdefab
```
Hashing Update
Our initial implementation covered the SHA1 hash and, though it suggested coverage of SHA256/512, these implementations were broken.
This release shores up our hashing implementation to properly support the full set of available hashes for TOTP generation. It further leverages the test vectors included in Appendix B of the TOTP RFC spec to ensure proper coverage according to reference implementations.
PHP version compatibility is unchanged and no method signatures were updated.
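The padding rule from the Key-length Padding notes and the Appendix B check mentioned here fit together: the RFC's SHA256 and SHA512 seeds are its 20-byte ASCII seed repeated to 32 and 64 bytes. The sketch below is an added example, not this library's code; `pad_key()` and `totp()` are hypothetical helpers built only on PHP 7 built-ins.

```php
<?php
// Added illustration: pad_key() and totp() are hypothetical helpers,
// not functions exported by the library.

// Key length per hash, as listed in the Key-length Padding notes.
const KEY_LENGTHS = ['sha1' => 20, 'sha256' => 32, 'sha512' => 64];

function pad_key(string $secret, string $hash): string
{
    if (!array_key_exists($hash, KEY_LENGTHS)) {
        throw new InvalidArgumentException("Unsupported hash: $hash");
    }
    if ($secret === '') {
        throw new InvalidArgumentException('Secret must not be empty');
    }
    // str_pad() repeats the pad string and cuts it at the target length;
    // a secret that is already long enough comes back unchanged.
    return str_pad($secret, KEY_LENGTHS[$hash], $secret);
}

function totp(string $secret, int $time, string $hash, int $digits = 8, int $step = 30): string
{
    if ($step < 1 || $digits < 1) {
        throw new InvalidArgumentException('Step and digits must be positive');
    }
    $counter = pack('J', intdiv($time, $step));       // 64-bit big-endian counter
    $mac     = hash_hmac($hash, $counter, pad_key($secret, $hash), true);
    $offset  = ord($mac[strlen($mac) - 1]) & 0x0f;    // dynamic truncation offset
    $binary  = unpack('N', substr($mac, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 Appendix B values for time = 59 seconds, 8 digits.
$vectors = ['sha1' => '94287082', 'sha256' => '46119246', 'sha512' => '90693936'];
$seed    = '12345678901234567890';                    // the RFC's 20-byte ASCII seed

foreach ($vectors as $hash => $expected) {
    $got    = totp($seed, 59, $hash);
    $status = hash_equals($expected, $got) ? 'match' : 'MISMATCH';
    printf("%-6s key=%2d bytes  %s  %s\n", $hash, strlen(pad_key($seed, $hash)), $got, $status);
}
```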
Initial Release
Port the core of the TOTP mechanism that powers Dovedi into a standalone library.