16 files changed, 291 insertions, 14 deletions

diff --git a/AUTHORS.rst b/AUTHORS.rst
index 86267cf1..e9c2f85f 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -14,3 +14,4 @@ PGP key fingerprints are enclosed in parentheses.
 * David Reid <dreid@dreid.org> (0F83 CC87 B32F 482B C726  B58A 9FBF D8F4 DA89 6D74)
 * Konstantinos Koukopoulos <koukopoulos@gmail.com> (D6BD 52B6 8C99 A91C E2C8  934D 3300 566B 3A46 726E)
 * Stephen Holsapple <sholsapp@gmail.com>
+* Terry Chia <terrycwk1994@gmail.com>
diff --git a/cryptography/__about__.py b/cryptography/__about__.py
index 2d2c698d..21e56ac0 100644
--- a/cryptography/__about__.py
+++ b/cryptography/__about__.py
@@ -22,7 +22,7 @@ __summary__ = ("cryptography is a package designed to expose cryptographic "
                "recipes and primitives to Python developers.")
 __uri__ = "https://github.com/pyca/cryptography"
 
-__version__ = "0.2"
+__version__ = "0.3.dev1"
 
 __author__ = "The cryptography developers"
 __email__ = "cryptography-dev@python.org"
diff --git a/cryptography/exceptions.py b/cryptography/exceptions.py
index e2542a1f..f9849e2f 100644
--- a/cryptography/exceptions.py
+++ b/cryptography/exceptions.py
@@ -42,3 +42,7 @@ class InternalError(Exception):
 
 class InvalidKey(Exception):
     pass
+
+
+class InvalidToken(Exception):
+    pass
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 8a4aeac5..de6f841c 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -274,6 +274,20 @@ class Backend(object):
         self._lib.OPENSSL_free(hex_cdata)
         return int(hex_str, 16)
 
+    def _int_to_bn(self, num):
+        """
+        Converts a python integer to a BIGNUM. The returned BIGNUM will not
+        be garbage collected (to support adding them to structs that take
+        ownership of the object). Be sure to register it for GC if it will
+        be discarded after use.
+        """
+        hex_num = hex(num).rstrip("L").lstrip("0x").encode("ascii") or b"0"
+        bn_ptr = self._ffi.new("BIGNUM **")
+        res = self._lib.BN_hex2bn(bn_ptr, hex_num)
+        assert res != 0
+        assert bn_ptr[0] != self._ffi.NULL
+        return bn_ptr[0]
+
     def generate_rsa_private_key(self, public_exponent, key_size):
         if public_exponent < 3:
             raise ValueError("public_exponent must be >= 3")
@@ -284,18 +298,15 @@ class Backend(object):
         if key_size < 512:
             raise ValueError("key_size must be at least 512-bits")
 
-        ctx = backend._lib.RSA_new()
-        ctx = backend._ffi.gc(ctx, backend._lib.RSA_free)
-
-        bn = backend._lib.BN_new()
-        assert bn != self._ffi.NULL
-        bn = backend._ffi.gc(bn, backend._lib.BN_free)
+        ctx = self._lib.RSA_new()
+        assert ctx != self._ffi.NULL
+        ctx = self._ffi.gc(ctx, self._lib.RSA_free)
 
-        res = backend._lib.BN_set_word(bn, public_exponent)
-        assert res == 1
+        bn = self._int_to_bn(public_exponent)
+        bn = self._ffi.gc(bn, self._lib.BN_free)
 
-        res = backend._lib.RSA_generate_key_ex(
-            ctx, key_size, bn, backend._ffi.NULL
+        res = self._lib.RSA_generate_key_ex(
+            ctx, key_size, bn, self._ffi.NULL
         )
         assert res == 1
 
diff --git a/cryptography/hazmat/bindings/openssl/binding.py b/cryptography/hazmat/bindings/openssl/binding.py
index 714ecc07..0469a1ea 100644
--- a/cryptography/hazmat/bindings/openssl/binding.py
+++ b/cryptography/hazmat/bindings/openssl/binding.py
@@ -98,7 +98,7 @@ class Binding(object):
                                      _OSX_PRE_INCLUDE, _OSX_POST_INCLUDE,
                                      libraries)
         res = cls.lib.Cryptography_add_osrandom_engine()
-        assert res == 1
+        assert res != 0
 
     @classmethod
     def is_available(cls):
diff --git a/cryptography/hazmat/bindings/openssl/osrandom_engine.py b/cryptography/hazmat/bindings/openssl/osrandom_engine.py
index 23f2e17a..0903a4bf 100644
--- a/cryptography/hazmat/bindings/openssl/osrandom_engine.py
+++ b/cryptography/hazmat/bindings/openssl/osrandom_engine.py
@@ -174,8 +174,19 @@ static RAND_METHOD osrandom_rand = {
     osrandom_rand_status,
 };
 
+/* Returns 1 if successfully added, 2 if engine has previously been added,
+   and 0 for error. */
 int Cryptography_add_osrandom_engine(void) {
-    ENGINE *e = ENGINE_new();
+    ENGINE *e;
+    e = ENGINE_by_id(Cryptography_osrandom_engine_id);
+    if (e != NULL) {
+        ENGINE_free(e);
+        return 2;
+    } else {
+        ERR_clear_error();
+    }
+
+    e = ENGINE_new();
     if (e == NULL) {
         return 0;
     }
diff --git a/cryptography/hazmat/primitives/twofactor/__init__.py b/cryptography/hazmat/primitives/twofactor/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/cryptography/hazmat/primitives/twofactor/__init__.py
diff --git a/cryptography/hazmat/primitives/twofactor/hotp.py b/cryptography/hazmat/primitives/twofactor/hotp.py
new file mode 100644
index 00000000..0bc4cc56
--- /dev/null
+++ b/cryptography/hazmat/primitives/twofactor/hotp.py
@@ -0,0 +1,54 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import struct
+
+import six
+
+from cryptography.exceptions import InvalidToken
+from cryptography.hazmat.primitives import constant_time, hmac
+from cryptography.hazmat.primitives.hashes import SHA1
+
+
+class HOTP(object):
+    def __init__(self, key, length, backend):
+
+        if len(key) < 16:
+            raise ValueError("Key length has to be at least 128 bits.")
+
+        if length < 6 or length > 8:
+            raise ValueError("Length of HOTP has to be between 6 to 8.")
+
+        self._key = key
+        self._length = length
+        self._backend = backend
+
+    def generate(self, counter):
+        truncated_value = self._dynamic_truncate(counter)
+        hotp = truncated_value % (10**self._length)
+        return "{0:0{1}}".format(hotp, self._length).encode()
+
+    def verify(self, hotp, counter):
+        if not constant_time.bytes_eq(self.generate(counter), hotp):
+            raise InvalidToken("Supplied HOTP value does not match")
+
+    def _dynamic_truncate(self, counter):
+        ctx = hmac.HMAC(self._key, SHA1(), self._backend)
+        ctx.update(struct.pack(">Q", counter))
+        hmac_value = ctx.finalize()
+
+        offset_bits = six.indexbytes(hmac_value, 19) & 0b1111
+
+        offset = int(offset_bits)
+        P = hmac_value[offset:offset+4]
+        return struct.unpack(">I", P)[0] & 0x7fffffff
diff --git a/docs/changelog.rst b/docs/changelog.rst
index d800c77f..c59f2f51 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -1,6 +1,11 @@
 Changelog
 =========
 
+0.3 - 2014-XX-XX
+~~~~~~~~~~~~~~~~
+
+* Added :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
+
 0.2 - 2014-02-20
 ~~~~~~~~~~~~~~~~
 
diff --git a/docs/exceptions.rst b/docs/exceptions.rst
index 1e31e31c..8ca9df29 100644
--- a/docs/exceptions.rst
+++ b/docs/exceptions.rst
@@ -36,3 +36,9 @@ Exceptions
 
     This is raised when the verify method of a key derivation function's
     computed key does not match the expected key.
+
+
+.. class:: InvalidToken
+
+    This is raised when the verify method of a one time password function's
+    computed token does not match the expected token.
diff --git a/docs/hazmat/primitives/index.rst b/docs/hazmat/primitives/index.rst
index 38ed24c9..5199d493 100644
--- a/docs/hazmat/primitives/index.rst
+++ b/docs/hazmat/primitives/index.rst
@@ -14,3 +14,4 @@ Primitives
     rsa
     constant-time
     interfaces
+    twofactor
diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst
new file mode 100644
index 00000000..9d661612
--- /dev/null
+++ b/docs/hazmat/primitives/twofactor.rst
@@ -0,0 +1,96 @@
+.. hazmat::
+
+Two-factor Authentication
+=========================
+
+.. currentmodule:: cryptography.hazmat.primitives.twofactor
+
+This module contains algorithms related to two-factor authentication.
+
+Currently, it contains an algorithm for generating and verifying
+one time password values based on Hash-based message authentication
+codes (HMAC).
+
+.. currentmodule:: cryptography.hazmat.primitives.twofactor.hotp
+
+.. class:: HOTP(key, length, backend)
+
+    .. versionadded:: 0.3
+
+    HOTP objects take a ``key`` and ``length`` parameter. The ``key``
+    should be randomly generated bytes and is recommended to be 160 bits in
+    length. The ``length`` parameter controls the length of the generated
+    one time password and must be >= 6 and <= 8.
+
+    This is an implementation of :rfc:`4226`.
+
+    .. doctest::
+
+        >>> import os
+        >>> from cryptography.hazmat.backends import default_backend
+        >>> from cryptography.hazmat.primitives.twofactor.hotp import HOTP
+
+        >>> key = b"12345678901234567890"
+        >>> hotp = HOTP(key, 6, backend=default_backend())
+        >>> hotp.generate(0)
+        '755224'
+        >>> hotp.verify(b"755224", 0)
+
+    :param bytes key: Secret key as ``bytes``. This value must be generated in a
+                      cryptographically secure fashion and be at least 128 bits.
+                      It is recommended that the key be 160 bits.
+    :param int length: Length of generated one time password as ``int``.
+    :param backend: A
+        :class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
+        provider.
+    :raises ValueError: This is raised if the provided ``key`` is shorter 128 bits
+                        or if the ``length`` parameter is not between 6 to 8.
+
+
+    .. method:: generate(counter)
+
+        :param int counter: The counter value used to generate the one time password.
+        :return bytes: A one time password value.
+
+    .. method:: verify(hotp, counter)
+
+        :param bytes hotp: The one time password value to validate.
+        :param bytes counter: The counter value to validate against.
+        :raises cryptography.exceptions.InvalidToken: This is raised when the supplied HOTP
+                                                      does not match the expected HOTP.
+
+Throttling
+----------
+
+Due to the fact that the HOTP algorithm generates rather short tokens that are 6 - 8 digits
+long, brute force attacks are possible. It is highly recommended that the server that
+validates the token implement a throttling scheme that locks out the account for a period of
+time after a number of failed attempts. The number of allowed attempts should be as low as
+possible while still ensuring that usability is not significantly impacted.
+
+Re-synchronization of the Counter
+---------------------------------
+
+The server's counter value should only be incremented on a successful HOTP authentication.
+However, the counter on the client is incremented every time a new HOTP value is requested.
+This can lead to the counter value being out of synchronization between the client and server.
+
+Due to this, it is highly recommended that the server sets a look-ahead window that allows the
+server to calculate the next ``x`` HOTP values and check them against the supplied HOTP value.
+This can be accomplished with something similar to the following code.
+
+.. code-block:: python
+
+    def verify(hotp, counter, look_ahead):
+        assert look_ahead >= 0
+        correct_counter = None
+
+        otp = HOTP(key, 6, default_backend())
+        for count in range(counter, counter+look_ahead):
+            try:
+                otp.verify(hotp, count)
+                correct_counter = count
+            except InvalidToken:
+                pass
+
+        return correct_counter
\ No newline at end of file
diff --git a/tasks.py b/tasks.py
index 8c7dc40a..242f2536 100644
--- a/tasks.py
+++ b/tasks.py
@@ -86,7 +86,7 @@ def release(version):
     invoke.run("python setup.py sdist")
     invoke.run("twine upload -s dist/cryptography-{0}*".format(version))
 
-    token = getpass.getpass("Input the Jenkins token")
+    token = getpass.getpass("Input the Jenkins token: ")
     response = requests.post(
         "{0}/build".format(JENKINS_URL),
         params={
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 35eb7e8d..c476390b 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -96,3 +96,8 @@ class TestOpenSSL(object):
         # unlocked
         assert lock.acquire(False)
         lock.release()
+
+    def test_add_engine_more_than_once(self):
+        b = Binding()
+        res = b.lib.Cryptography_add_osrandom_engine()
+        assert res == 2
diff --git a/tests/hazmat/primitives/twofactor/__init__.py b/tests/hazmat/primitives/twofactor/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/hazmat/primitives/twofactor/__init__.py
diff --git a/tests/hazmat/primitives/twofactor/test_hotp.py b/tests/hazmat/primitives/twofactor/test_hotp.py
new file mode 100644
index 00000000..ec619b55
--- /dev/null
+++ b/tests/hazmat/primitives/twofactor/test_hotp.py
@@ -0,0 +1,83 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+import pytest
+
+from cryptography.exceptions import InvalidToken
+from cryptography.hazmat.primitives.twofactor.hotp import HOTP
+from cryptography.hazmat.primitives import hashes
+from tests.utils import load_vectors_from_file, load_nist_vectors
+
+vectors = load_vectors_from_file(
+    "twofactor/rfc-4226.txt", load_nist_vectors)
+
+
+@pytest.mark.supported(
+    only_if=lambda backend: backend.hmac_supported(hashes.SHA1()),
+    skip_message="Does not support HMAC-SHA1."
+)
+@pytest.mark.hmac
+class TestHOTP(object):
+
+    def test_invalid_key_length(self, backend):
+        secret = os.urandom(10)
+
+        with pytest.raises(ValueError):
+            HOTP(secret, 6, backend)
+
+    def test_invalid_hotp_length(self, backend):
+        secret = os.urandom(16)
+
+        with pytest.raises(ValueError):
+            HOTP(secret, 4, backend)
+
+    @pytest.mark.parametrize("params", vectors)
+    def test_truncate(self, backend, params):
+        secret = params["secret"]
+        counter = int(params["counter"])
+        truncated = params["truncated"]
+
+        hotp = HOTP(secret, 6, backend)
+
+        assert hotp._dynamic_truncate(counter) == int(truncated.decode(), 16)
+
+    @pytest.mark.parametrize("params", vectors)
+    def test_generate(self, backend, params):
+        secret = params["secret"]
+        counter = int(params["counter"])
+        hotp_value = params["hotp"]
+
+        hotp = HOTP(secret, 6, backend)
+
+        assert hotp.generate(counter) == hotp_value
+
+    @pytest.mark.parametrize("params", vectors)
+    def test_verify(self, backend, params):
+        secret = params["secret"]
+        counter = int(params["counter"])
+        hotp_value = params["hotp"]
+
+        hotp = HOTP(secret, 6, backend)
+
+        assert hotp.verify(hotp_value, counter) is None
+
+    def test_invalid_verify(self, backend):
+        secret = b"12345678901234567890"
+        counter = 0
+
+        hotp = HOTP(secret, 6, backend)
+
+        with pytest.raises(InvalidToken):
+            hotp.verify(b"123456", counter)