Commit cf8c0651b9a0d381118890c1fb89707ef99b498e

Cléo REBERT 2023-05-15T14:57:12

fix(#58): Fix overflow Signed-off-by: Cléo REBERT <cleo.rebert-ext@treezor.com>

diff --git a/src/lib.rs b/src/lib.rs
index c6a9b14..0526c53 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -449,7 +449,7 @@ impl TOTP {
     /// Will check if token is valid given the provided timestamp in seconds, accounting [skew](struct.TOTP.html#structfield.skew)
     pub fn check(&self, token: &str, time: u64) -> bool {
         let basestep = time / self.step - (self.skew as u64);
-        for i in 0..self.skew * 2 + 1 {
+        for i in 0..(self.skew as u16) * 2 + 1 {
             let step_time = (basestep + (i as u64)) * (self.step as u64);
 
             if constant_time_eq(self.generate(step_time).as_bytes(), token.as_bytes()) {
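Review bot: The subtraction `time / self.step - (self.skew as u64)` two lines above the changed loop can still underflow when `time / self.step` is smaller than `skew`; the new `as u16` cast only fixes the loop bound. That panics where overflow checks are enabled and otherwise wraps to a huge `basestep`. A plain `saturating_sub` on `basestep` would slide the whole window forward and accept steps beyond `+skew`, so I would clamp both ends: `let current = time / self.step;` then `for step in current.saturating_sub(self.skew as u64)..=current.saturating_add(self.skew as u64) {` with `let step_time = step * self.step;`. The doc comment could also state that the accepted window is `2 * skew + 1` codes (511 at skew 255), since a wide skew raises the chance that a guessed token matches. The body of `check` continues past the end of this hunk.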
@@ -1019,6 +1019,13 @@ mod tests {
 
     #[test]
     #[cfg(not(feature = "otpauth"))]
+    fn checks_token_big_skew() {
+        let totp = TOTP::new(Algorithm::SHA1, 6, 255, 1, "TestSecretSuperSecret".into()).unwrap();
+        assert!(totp.check("659761", 1000));
+    }
+
+    #[test]
+    #[cfg(not(feature = "otpauth"))]
     fn checks_token_current() {
         let totp = TOTP::new(Algorithm::SHA1, 6, 0, 1, "TestSecretSuperSecret".into()).unwrap();
         assert!(totp
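Review bot: `checks_token_big_skew` only asserts that a token is accepted, so it would still pass if the skew window were wider than intended. A companion `assert!(!totp.check(...))` with a token generated for a step just outside ±255 would pin the window's edges. The test also uses `time = 1000`, which is larger than `skew * step`, so it never reaches the input range where the `basestep` subtraction in `check` can underflow; a second case with a small `time` would cover that. `checks_token_current` continues past the end of this hunk.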