otpalgorithm.php

<?php
 
namespace Bitrix\Main\Security\Mfa;
 
use Bitrix\Main\ArgumentTypeException;
use Bitrix\Main\Security\OtpException;
use Bitrix\Main\Text\Base32;
 
abstract class OtpAlgorithm
{
    protected static $type = 'undefined';
    protected $digest = 'sha1';
    protected $digits = 6;
    protected $secret = null;
    protected $appScheme = 'otpauth';
    protected $requireTwoCode = true;
 
    abstract public function verify($input, $params = null);
 
    abstract public function getSyncParameters($inputA, $inputB);
 
    public function isTwoCodeRequired()
    {
        return $this->requireTwoCode;
    }
 
    public function setSecret($secret)
    {
        $this->secret = $secret;
 
        // Backward compatibility. Use sha256 for eToken with 256bits key
        if (strlen($this->secret) > 25)
        {
            $this->digest = 'sha256';
        }
 
        return $this;
    }
 
    public function getSecret()
    {
        return $this->secret;
    }
 
    public function generateUri($label, array $opts = [])
    {
        $positionalOpts = [
            // Don't change order!
            'secret' => Base32::encode($this->getSecret()),
        ];
 
        $opts['algorithm'] = $this->getDigest();
        // Digest must be in upper case for some OTP apps (e.g. Google Authenticator for iOS)
        $opts['algorithm'] = mb_strtoupper($opts['algorithm']);
        $opts['digits'] = $this->getDigits();
 
        ksort($opts);
 
        // Some devices require a specific order for some parameters (e.g. Microsoft Authenticator require "secret" at first place %) )
        $opts = array_merge(
            $positionalOpts,
            $opts
        );
 
        $params = http_build_query($opts, '', '&', PHP_QUERY_RFC3986);
 
        return sprintf(
            '%s://%s/%s?%s',
            $this->getAppScheme(),
            $this->getType(),
            rawurlencode($label),
            $params
        );
    }
 
    public function generateOTP($counter)
    {
        $hash = hash_hmac($this->getDigest(), static::toByte($counter), $this->getSecret());
        $hmac = [];
        foreach (str_split($hash, 2) as $hex)
        {
            $hmac[] = hexdec($hex);
        }
 
        $offset = $hmac[count($hmac) - 1] & 0xf;
        $code = ($hmac[$offset] & 0x7F) << 24;
        $code |= ($hmac[$offset + 1] & 0xFF) << 16;
        $code |= ($hmac[$offset + 2] & 0xFF) << 8;
        $code |= ($hmac[$offset + 3] & 0xFF);
 
        $otp = $code % pow(10, $this->getDigits());
        return str_pad($otp, $this->getDigits(), '0', STR_PAD_LEFT);
    }
 
    protected static function toByte($value)
    {
        $result = [];
        while ($value > 0)
        {
            $result[] = chr($value & 0xFF);
            $value >>= 8;
        }
 
        return str_pad(implode(array_reverse($result)), 8, "\000", STR_PAD_LEFT);
    }
 
    protected function isStringsEqual($expected, $actual)
    {
        if (!is_string($expected))
        {
            throw new ArgumentTypeException('expected', 'string');
        }
 
        if (!is_string($actual))
        {
            throw new ArgumentTypeException('actual', 'string');
        }
 
        $lenExpected = strlen($expected);
        $lenActual = strlen($actual);
 
        $status = $lenExpected ^ $lenActual;
        $len = min($lenExpected, $lenActual);
        for ($i = 0; $i < $len; $i++)
        {
            $status |= ord($expected[$i]) ^ ord($actual[$i]);
        }
 
        return $status === 0;
    }
 
    public function getDigest()
    {
        return $this->digest;
    }
 
    public function getDigits()
    {
        return $this->digits;
    }
 
    public function getType()
    {
        return static::$type;
    }
 
    public function getAppScheme()
    {
        return $this->appScheme;
    }
}