forked from matthauck/bash-totp
-
Notifications
You must be signed in to change notification settings - Fork 0
/
totp
executable file
·123 lines (108 loc) · 3.24 KB
/
totp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
#!/bin/sh
set -e
# Before we get the token, redirect stdout to stderr.
exec 3>&1 1>&2
export LC_ALL=C
echo() {
printf '%s\n' "$*"
}
help() {
echo "Time-based One-time Password Generator"
echo
echo "USAGE: totp <key> [server] [interval]"
echo
echo "The default update interval is 30 seconds."
echo
echo "Supported servers: Google, GitHub, GitLab, Bitbucket"
exit 1
}
TOTP_SECRET="$1"
TOTP_SERVER="${2:-Google}"
TOTP_INTERVAL="${3:-30}"
if [ -z "${TOTP_SECRET}" ]; then
help
fi
TOTP_SECRET="$(echo "${TOTP_SECRET}" | tr -d ' ')"
TOTP_SERVER="$(echo "${TOTP_SERVER}" | tr A-Z a-z)"
if [ ! "${TOTP_INTERVAL}" -gt 0 ] 2>&-; then
echo "The update interval must be a positive integer: ${TOTP_INTERVAL}"
echo
help
else # Remove leading zeros.
TOTP_INTERVAL="$(echo "${TOTP_INTERVAL}" | sed 's/^00*//')"
fi
TOTP_PERIOD="$(( ($(date +%s)) / TOTP_INTERVAL ))"
hex_pack() {
if type xxd >&- 2>&-; then
xxd -p | tr -cd 0-9A-Fa-f
else
od -A n -t x1 -v | tr -cd 0-9A-Fa-f
fi
}
hex_unpack() {
if type xxd >&- 2>&-; then
xxd -r -p
else
awk '
function hex2num(hex, num,map,len,i,c)
{
map = "123456789ABCDEF"
len = length(hex)
num = 0
for (i = 1; i <= len; i++) {
c = toupper(substr(hex, i, 1))
num = num * 16 + index(map, c)
}
return num
}
{
gsub(/[^0-9A-Fa-f]+/, " ") # split digits by non-digit
gsub(/[0-9A-Fa-f]{2} */, "& ") # group every two consecutive digits
gsub(/^ +| [^ ] | +[^ ]?$/, "") # trim spaces and single digit groups
n = split($0, hh, " ")
for (i = 1; i <= n; i++) printf "%c", hex2num(hh[i])
}
'
fi
}
gen_digest() {
local hexkey="$1" period="$2"
printf %016X "${period}" |
hex_unpack |
{
# NUL is considered harmful. Avoid -hmac <binarykey>!
if [ -n "$(echo "${hexkey}" | sed -n 's/../&_/g;/00_/p;/_0$/p')" ]; then
openssl dgst -sha1 -mac hmac -macopt "hexkey:${hexkey}"
else # especially for old versions from OSX/BSD!
openssl dgst -sha1 -hmac "$(echo "${hexkey}" | hex_unpack)"
fi
} |
cut -d' ' -f2
}
# https://tools.ietf.org/html/rfc6238
gen_token() {
local secret="$1" server="$2" period="$3"
case "${server}" in
# https://github.com/google/google-authenticator/wiki/Key-Uri-Format
google | github | gitlab | bitbucket)
local key="$(echo "${secret}" | base32 -d | hex_pack)"
[ -z "${key}" ] && exit 2
# The digest is a 160-bit hexadecimal number string.
local digest="$(gen_digest "${key}" "${period}" | tr -cd 0-9A-Fa-f)"
[ "${#digest}" -ne 40 ] && exit 3
# Read the last 4 bits and convert it into an unsigned integer.
local start="$(( (0x$(echo "${digest}" | cut -b 40)) * 2 + 1))"
[ "${start}" -gt 33 ] && exit 4
# Read a 32-bit positive integer and take at most six rightmost digits.
local hexes="$(echo "${digest}" | cut -b "${start}-$(( start + 7 ))")"
local token="$(( ((0x${hexes}) & 0x7FFFFFFF) % 1000000 ))"
# Pad the token number with leading zeros if needed.
printf '%06d\n' "${token}" >&3
;;
*)
echo "Your server is not supported: ${server}"
echo
help
esac
}
gen_token "${TOTP_SECRET}" "${TOTP_SERVER}" "${TOTP_PERIOD}"