diff options
| -rw-r--r-- | cryptography/hazmat/primitives/twofactor/totp.py | 10 | ||||
| -rw-r--r-- | docs/hazmat/primitives/twofactor.rst | 11 |
2 files changed, 9 insertions, 12 deletions
diff --git a/cryptography/hazmat/primitives/twofactor/totp.py b/cryptography/hazmat/primitives/twofactor/totp.py index c9933d30..79752f3b 100644 --- a/cryptography/hazmat/primitives/twofactor/totp.py +++ b/cryptography/hazmat/primitives/twofactor/totp.py @@ -11,8 +11,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -import math - from cryptography.exceptions import InvalidToken from cryptography.hazmat.primitives import constant_time from cryptography.hazmat.primitives.twofactor.hotp import HOTP @@ -22,12 +20,12 @@ class TOTP(object): def __init__(self, key, length, algorithm, time_step, backend): self._time_step = time_step - self.hotp = HOTP(key, length, algorithm, backend) + self._hotp = HOTP(key, length, algorithm, backend) def generate(self, time): - counter = int(math.floor(time/self._time_step)) - return self.hotp.generate(counter) + counter = int(time/self._time_step) + return self._hotp.generate(counter) def verify(self, totp, time): if not constant_time.bytes_eq(self.generate(time), totp): - raise InvalidToken("Supplied HOTP value does not match") + raise InvalidToken("Supplied TOTP value does not match") diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst index 12277c8f..120beb06 100644 --- a/docs/hazmat/primitives/twofactor.rst +++ b/docs/hazmat/primitives/twofactor.rst @@ -105,8 +105,9 @@ This can be accomplished with something similar to the following code. TOTP objects take a ``key``, ``length``, ``algorithm`` and ``time_step`` parameter. The ``key`` should be randomly generated bytes and is recommended - to be 160 bits in length. The ``length`` parameter controls the length of the - generated one time password and must be >= 6 and <= 8. + to be as long as your hash function's output (e.g 256-bit for SHA256). + The ``length`` parameter controls the length of the generated one time + password and must be >= 6 and <= 8. This is an implementation of :rfc:`6238`. @@ -123,8 +124,8 @@ This can be accomplished with something similar to the following code. >>> totp.verify(b"94287082", 59) :param bytes key: Secret key as ``bytes``. This value must be generated in a - cryptographically secure fashion and be at least 128 bits. - It is recommended that the key be 160 bits. + cryptographically secure fashion and be as long as your hash + function's output (e.g 256-bit for SHA256). :param int length: Length of generated one time password as ``int``. :param algorithm: A :class:`~cryptography.hazmat.primitives.hashes` @@ -137,5 +138,3 @@ This can be accomplished with something similar to the following code. or if the ``length`` parameter is not between 6 to 8. :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm`` is not ``SHA1()``, ``SHA256()`` or ``SHA512()``. - - |