C library that generates TOTP and HOTP according to RFC-6238
- libbaseencode
- GCC/Clang and CMake to build the library
$ git clone https://github.com/paolostivanin/libcotp.git
$ cd libcotp
$ mkdir build && cd $_
$ cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr ../ # add -DBUILD_TESTING=ON if you want to compile also the tests
$ make
# make install
char *totp = get_totp (char *base32_encoded_secret, int digits, int algo, cotp_error_t *err);
free (totp);
char *hotp = get_hotp (char *base32_encoded_secret, long counter, int digits, int algo, cotp_error_t *err);
free (hotp);
char *get_totp_at (char *base32_encoded_secret, long target_date, int digits, int algo, cotp_error_t *err)
int is_valid = totp_verify (char *base32_encoded_secret, int digits, char *totp, int algo, cotp_error_t *err);
int is_valid = hotp_verify (char *base32_encoded_secret, long counter, digits, char *hotp, int algo, cotp_error_t *err);
where:
secret_keyis the base32 encoded secret. Usually, a website gives you the secret already base32 encoded, so you should pay attention to not encode the secret again. The format of the secret can either behxdm vjec jjwsorHXDMVJECJJWS. In the first case, the library will normalize the secret to second format before computing the OTP.digitsis either6or8counteris a value decided with the servertarget_dateis the target date specified as the unix epoch format in secondsalgois eitherSHA1,SHA256orSHA512
get_totp, get_hotp and get_totp_at return NULL if an error occurs and err is set accordingly. The following errors are currently supported:
GCRYPT_VERSION_MISMATCH, set if the installed Gcrypt library is too oldINVALID_B32_INPUT, set if the given input is not valid base32 textINVALID_ALGO, set if the given algo is not supported by the library
totp_verify and hotp_verify can return, in addition to one of the previous code, also the error INVALID_OTP if the given OTP doesn't match the computed one.
In case of success, the value returned by get_totp, get_hotp and get_totp_at must be freed once no longer needed.