1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
package dgoogauth
import (
"strconv"
"testing"
"time"
)
// Test vectors via:
// http://code.google.com/p/google-authenticator/source/browse/libpam/pam_google_authenticator_unittest.c
// https://google-authenticator.googlecode.com/hg/libpam/totp.html
var codeTests = []struct {
secret string
value int64
code int
}{
{"2SH3V3GDW7ZNMGYE", 1, 293240},
{"2SH3V3GDW7ZNMGYE", 5, 932068},
{"2SH3V3GDW7ZNMGYE", 10000, 50548},
}
func TestCode(t *testing.T) {
for _, v := range codeTests {
c := ComputeCode(v.secret, v.value)
if c != v.code {
t.Errorf("computeCode(%s, %d): got %d expected %d\n", v.secret, v.value, c, v.code)
}
}
}
func TestScratchCode(t *testing.T) {
var cotp OTPConfig
cotp.ScratchCodes = []int{11112222, 22223333}
var scratchTests = []struct {
code int
result bool
}{
{33334444, false},
{11112222, true},
{11112222, false},
{22223333, true},
{22223333, false},
{33334444, false},
}
for _, s := range scratchTests {
r := cotp.checkScratchCodes(s.code)
if r != s.result {
t.Errorf("scratchcode(%d) failed: got %t expected %t", s.code, r, s.result)
}
}
}
func TestHotpCode(t *testing.T) {
var cotp OTPConfig
// reuse our test values from above
// perhaps create more?
cotp.Secret = "2SH3V3GDW7ZNMGYE"
cotp.HotpCounter = 1
cotp.WindowSize = 3
var counterCodes = []struct {
code int
result bool
counter int
}{
{ /* 1 */ 293240, true, 2}, // increments on success
{ /* 1 */ 293240, false, 3}, // and failure
{ /* 5 */ 932068, true, 6}, // inside of window
{ /* 10 */ 481725, false, 7}, // outside of window
{ /* 10 */ 481725, false, 8}, // outside of window
{ /* 10 */ 481725, true, 11}, // now inside of window
}
for i, s := range counterCodes {
r := cotp.checkHotpCode(s.code)
if r != s.result {
t.Errorf("counterCode(%d) (step %d) failed: got %t expected %t", s.code, i, r, s.result)
}
if cotp.HotpCounter != s.counter {
t.Errorf("hotpCounter incremented poorly: got %d expected %d", cotp.HotpCounter, s.counter)
}
}
}
func TestTotpCode(t *testing.T) {
var cotp OTPConfig
// reuse our test values from above
cotp.Secret = "2SH3V3GDW7ZNMGYE"
cotp.WindowSize = 5
var windowTest = []struct {
code int
t0 int
result bool
}{
{50548, 9997, false},
{50548, 9998, true},
{50548, 9999, true},
{50548, 10000, true},
{50548, 10001, true},
{50548, 10002, true},
{50548, 10003, false},
}
for i, s := range windowTest {
r := cotp.checkTotpCode(s.t0, s.code)
if r != s.result {
t.Errorf("counterCode(%d) (step %d) failed: got %t expected %t", s.code, i, r, s.result)
}
}
cotp.DisallowReuse = make([]int, 0)
var noreuseTest = []struct {
code int
t0 int
result bool
disallowed []int
}{
{50548 /* 10000 */, 9997, false, []int{}},
{50548 /* 10000 */, 9998, true, []int{10000}},
{50548 /* 10000 */, 9999, false, []int{10000}},
{478726 /* 10001 */, 10001, true, []int{10000, 10001}},
{646986 /* 10002 */, 10002, true, []int{10000, 10001, 10002}},
{842639 /* 10003 */, 10003, true, []int{10001, 10002, 10003}},
}
for i, s := range noreuseTest {
r := cotp.checkTotpCode(s.t0, s.code)
if r != s.result {
t.Errorf("timeCode(%d) (step %d) failed: got %t expected %t", s.code, i, r, s.result)
}
if len(cotp.DisallowReuse) != len(s.disallowed) {
t.Errorf("timeCode(%d) (step %d) failed: disallowReuse len mismatch: got %d expected %d", s.code, i, len(cotp.DisallowReuse), len(s.disallowed))
} else {
same := true
for j := range s.disallowed {
if s.disallowed[j] != cotp.DisallowReuse[j] {
same = false
}
}
if !same {
t.Errorf("timeCode(%d) (step %d) failed: disallowReused: got %v expected %v", s.code, i, cotp.DisallowReuse, s.disallowed)
}
}
}
}
func TestAuthenticate(t *testing.T) {
otpconf := &OTPConfig{
Secret: "2SH3V3GDW7ZNMGYE",
WindowSize: 3,
HotpCounter: 1,
ScratchCodes: []int{11112222, 22223333},
}
type attempt struct {
code string
result bool
}
var attempts = []attempt{
{"foobar", false}, // not digits
{"1fooba", false}, // not valid number
{"1111111", false}, // bad length
{ /* 1 */ "293240", true}, // hopt increments on success
{ /* 1 */ "293240", false}, // hopt failure
{"33334444", false}, // scratch
{"11112222", true},
{"11112222", false},
}
for _, a := range attempts {
r, _ := otpconf.Authenticate(a.code)
if r != a.result {
t.Errorf("bad result from code=%s: got %t expected %t\n", a.code, r, a.result)
}
}
// let's check some time-based codes
otpconf.HotpCounter = 0
// I haven't mocked the clock, so we'll just compute one
var t0 int64
if otpconf.UTC {
t0 = int64(time.Now().UTC().Unix() / 30)
} else {
t0 = int64(time.Now().Unix() / 30)
}
c := ComputeCode(otpconf.Secret, t0)
invalid := c + 1
attempts = []attempt{
{strconv.Itoa(invalid), false},
{strconv.Itoa(c), true},
}
for _, a := range attempts {
r, _ := otpconf.Authenticate(a.code)
if r != a.result {
t.Errorf("bad result from code=%s: got %t expected %t\n", a.code, r, a.result)
}
otpconf.UTC = true
r, _ = otpconf.Authenticate(a.code)
if r != a.result {
t.Errorf("bad result from code=%s: got %t expected %t\n", a.code, r, a.result)
}
otpconf.UTC = false
}
}
func TestProvisionURI(t *testing.T) {
otpconf := OTPConfig{
Secret: "x",
}
cases := []struct {
user, iss string
hotp bool
out string
}{
{"test", "", false, "otpauth://totp/test?secret=x"},
{"test", "", true, "otpauth://hotp/test?counter=1&secret=x"},
{"test", "Company", true, "otpauth://hotp/Company:test?counter=1&issuer=Company&secret=x"},
{"test", "Company", false, "otpauth://totp/Company:test?issuer=Company&secret=x"},
}
for i, c := range cases {
otpconf.HotpCounter = 0
if c.hotp {
otpconf.HotpCounter = 1
}
got := otpconf.ProvisionURIWithIssuer(c.user, c.iss)
if got != c.out {
t.Errorf("%d: want %q, got %q", i, c.out, got)
}
}
}
|