TOTP Demo Application for Google Authenticator NAME submission AUTHOR Zach Colbert <colbertz@oregonstate.edu> SYNOPSIS ./submission --generate-qr | --get-otp DESCRIPTION To compile, run `make`. The QR code generation feature generates a random 256-bit key with OpenSSL. It then encodes the key base-32, and collects some information about the current user and host to generate an otpauth URI. Using the qrcodegen library (by @nayuki), the URI is converted to a QR code and printed to the console. (See NOTES). This application only supports one user/key at a time. Each time the QR code generator is executed, the previously generated symmetric key is overwritten. This key is stored in the "secret" file by default, in plaintext, with restricted access permissions. The get-otp feature has only been partially implemented. It can successfully read the key from the key file, calculate the time value T, and truncate the result of HMAC(K, T) to calculate a TOTP value. However, the HMAC implementation I'm using seems to be returning the same digest for every message (T) I input with the same key (K). I have been unable to determine why this is, and have not found many good examples on how to use the openssl/hmac library. To clean up executables and build files, run `make clean`. NOTES I was unable to find a method in C for generating JPG or SVG images in a timely fashion. Instead, I took after an example from the qrcodegen library (by @nayuki on GitHub) and print the QR code to the console. Because the code is made up of literal '#' chars and there's a fair amount of data stored in the code (plus error correction), the QR code comes out fairly large. If you find yourself unable to see the entire code, please resize your terminal window. All of the code contained here was tested on the COE flip server, so I recommend compiling and running it there. I do not have access to an Android device, so this application was tested using the iOS version of Google Authenticator. For the entire day I've been finishing this submission, I have been fighting a >100-degree fever. Please forgive me if you find any funky code or something doesn't make sense. COPYRIGHT See LICENSE file.