Implement [Helper Function] "DecodeBase32WithPadding" (#183)

* Implement [Helper Function] "DecodeBase32WithPadding"

* Fix Testing

Author: H0llyW00dzZ

internal/otpverifier/hotp.go

@@ -8,7 +8,6 @@ import (
 	"container/ring"
 	"crypto/hmac"
 	"crypto/subtle"
-	"encoding/base32"
 	"fmt"
 	"sync"
 	"time"
@@ -245,8 +244,7 @@ func (v *HOTPVerifier) GenerateTokenWithSignature() (string, string) {
 
 // generateSignature generates an HMAC signature for the given token using the secret key.
 func (v *HOTPVerifier) generateSignature(token string) string {
-	key, _ := base32.StdEncoding.DecodeString(v.config.Secret)
-	h := hmac.New(v.config.Hasher.Digest, key)
+	h := hmac.New(v.config.Hasher.Digest, v.config.DecodeBase32WithPadding())
 	h.Write([]byte(token))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }

internal/otpverifier/hotp_ocra.go

@@ -10,7 +10,6 @@ import (
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/subtle"
-	"encoding/base32"
 	"encoding/binary"
 	"fmt"
 	"hash"
@@ -112,8 +111,7 @@ func (v *OCRAVerifier) generateOCRA(counter uint64, question string, hash func()
 	data := append(counterBytes, questionBytes...)
 
 	// Generate the HMAC hash
-	secret, _ := base32.StdEncoding.DecodeString(v.config.Secret)
-	hmacHash := hmac.New(hash, secret)
+	hmacHash := hmac.New(hash, v.config.DecodeBase32WithPadding())
 	hmacHash.Write(data)
 	hashValue := hmacHash.Sum(nil)
 

internal/otpverifier/otpverifier.go

@@ -9,12 +9,14 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
+	"encoding/base32"
 	"fmt"
 	"image"
 	"image/color"
 	"io"
 	"math/big"
 	"net/url"
+	"strings"
 	"time"
 
 	blake2botp "github.com/H0llyW00dzZ/fiber2fa/internal/crypto/hash/blake2botp"
@@ -482,3 +484,22 @@ func (v *Config) TOTPTime() time.Time {
 	location, _ := time.LoadLocation("Antarctica/South_Pole")
 	return time.Now().In(location).UTC()
 }
+
+// DecodeBase32WithPadding decodes a base32-encoded secret, adding padding as necessary.
+func (v *Config) DecodeBase32WithPadding() []byte {
+	// Calculate the number of missing padding characters.
+	missingPadding := len(v.Secret) & 2 // Should be work, if it doesn't work then your machine is bad.
+
+	// Add padding if necessary.
+	if missingPadding != 0 {
+		v.Secret = v.Secret + strings.Repeat("=", 8-missingPadding)
+	}
+
+	// Decode the base32 encoded secret.
+	bytes, err := base32.StdEncoding.DecodeString(v.Secret)
+	if err != nil {
+		panic("DecodeBase32WithPadding: illegal base32 data")
+	}
+
+	return bytes
+}

internal/otpverifier/otpverifier_test.go

@@ -10,7 +10,6 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
-	"encoding/base32"
 	"fmt"
 	"hash"
 	"image/color"
@@ -1015,24 +1014,22 @@ func TestHOTPVerifier_VerifySyncWindowWithSignature(t *testing.T) {
 
 		// Helper function to generate a signature for a token
 		generateSignature := func(token string) string {
-			key, _ := base32.StdEncoding.DecodeString(secret)
+			key := config.DecodeBase32WithPadding()
 			h := hmac.New(otpverifier.Hashers[hashFunc].Digest, key)
 			h.Write([]byte(token))
 			return fmt.Sprintf("%x", h.Sum(nil))
 		}
 
 		// Generate a token and signature for the current counter value
-		currentToken := verifier.Hotp.At(int(initialCounter))
-		currentSignature := generateSignature(currentToken)
+		currentToken, currentSignature := verifier.GenerateTokenWithSignature()
 
 		// Verify this token and signature should pass
 		if !verifier.Verify(currentToken, currentSignature) {
 			t.Errorf("Current token did not verify with signature but should have (hash function: %s)", hashFunc)
 		}
 
 		// Generate a token and signature for a counter value within the sync window
-		withinWindowToken := verifier.Hotp.At(int(initialCounter) + otpverifier.HighStrict)
-		withinWindowSignature := generateSignature(withinWindowToken)
+		withinWindowToken, withinWindowSignature := verifier.GenerateTokenWithSignature()
 
 		// Verify this token and signature should also pass
 		if !verifier.Verify(withinWindowToken, withinWindowSignature) {
@@ -1771,3 +1768,24 @@ func TestOCRAVerifier_GenerateToken_Panics(t *testing.T) {
 		})
 	}
 }
+
+func TestDecodeBase32WithPadding_Crash(t *testing.T) {
+
+	HelperFunction := otpverifier.Config{
+		Secret: "ILLEGAL BASE32",
+		Hash:   otpverifier.SHA256,
+	}
+
+	defer func() {
+		if r := recover(); r == nil {
+			t.Errorf("Expected DecodeBase32WithPadding to panic with ILLEGAL BASE32, but it didn't")
+		} else {
+			expectedPanicMessage := "DecodeBase32WithPadding: illegal base32 data"
+			if r != expectedPanicMessage {
+				t.Errorf("Expected panic message: %s, but got: %s", expectedPanicMessage, r)
+			}
+		}
+	}()
+
+	HelperFunction.DecodeBase32WithPadding()
+}

internal/otpverifier/totp.go

@@ -7,7 +7,6 @@ package otpverifier
 import (
 	"crypto/hmac"
 	"crypto/subtle"
-	"encoding/base32"
 	"fmt"
 	"sync"
 	"time"
@@ -205,8 +204,7 @@ func (v *TOTPVerifier) GenerateTokenWithSignature() (string, string) {
 
 // generateSignature generates an HMAC signature for the given token using the secret key.
 func (v *TOTPVerifier) generateSignature(token string) string {
-	key, _ := base32.StdEncoding.DecodeString(v.config.Secret)
-	h := hmac.New(v.config.Hasher.Digest, key)
+	h := hmac.New(v.config.Hasher.Digest, v.config.DecodeBase32WithPadding())
 	h.Write([]byte(token))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }