| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: libcotp4 | Distribution: openSUSE Tumbleweed |
| Version: 4.0.0 | Vendor: openSUSE |
| Release: 1.1 | Build date: Wed Mar 4 08:38:33 2026 |
| Group: System/Libraries | Build host: reproducible |
| Size: 67496 | Source RPM: libcotp-4.0.0-1.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://github.com/paolostivanin/libcotp | |
| Summary: C library for generating TOTP and HOTP | |
libcotp C library for generating TOTP and HOTP according to RFC-6238. It supports custom digits, (3 to 10) custom period (1 to 120 seconds) and also Steam TOTP format.
Apache-2.0
* Wed Mar 04 2026 Paolo Stivanin <info@paolostivanin.com>
- Update to 4.0.0:
Breaking Changes
+ SHA1, SHA256, SHA512 renamed to COTP_SHA1, COTP_SHA256, COTP_SHA512 (thanks to @CppPhil)
+ MIN_DIGTS typo fixed to MIN_DIGITS
+ typedef unsigned char uchar removed; base32_encode now takes const uint8_t *, base32_decode returns uint8_t *
+ b32_alphabet is no longer exported (now static)
+ MSVC support dropped
+ get_hotp / get_totp / get_totp_at return NULL on all error paths; callers must check the return value and the cotp_error_t output parameter
+ The library no longer prints to stderr on errors; all diagnostics are reported via cotp_error_t
New Features
+ Context API (cotp_ctx): ergonomic wrapper for repeated TOTP calls with the same configuration (cotp_ctx_create, cotp_ctx_totp, cotp_ctx_totp_at, cotp_ctx_free)
+ Optional validation helper (-DCOTP_ENABLE_VALIDATION=ON): validate_totp_in_window() for window-based TOTP verification with timing-safe comparison
+ CMake package config: consumers can now use find_package(COTP CONFIG) and link via COTP::cotp
Improvements
+ otp_to_int() now validates input for NULL and non-digit characters before conversion
+ Base32 get_char_index and valid_b32_str use O(1) lookup tables instead of O(n) loops
+ Base32 decode buffer calculation uses exact integer arithmetic instead of floating-point approximation
+ islower()/toupper() calls cast to unsigned char to avoid undefined behaviour on signed char
Security Fixes
+ Added runtime bounds checks in RFC 4226 truncation and Steam code paths (offset and length validated before array access)
+ Fixed potential NULL dereference in OpenSSL backend (whmac_setkey error path now frees context and sets ctx = NULL)
+ Fixed OOB read in strip_char (Base32): lookup table was 128 bytes but indexed with full uint8_t range (0–255)
+ Fixed undefined behaviour in base32_encode: strlen() on potentially non-NUL-terminated binary input replaced with bounds-safe check
+ Added NULL guards to whmac_freehandle() across all three backends
+ Fixed MbedTLS whmac_finalize returning buflen instead of actual digest length
+ mbedtls_md_hmac_starts() return value is now checked
+ Timing-safe comparison (cotp_timing_safe_memcmp) used in TOTP window validation
+ cotp_secure_memzero() applied to decoded secrets and HMAC digests immediately after use
* Mon Dec 22 2025 Paolo Stivanin <info@paolostivanin.com>
- Update to 3.1.1:
* Security
+ Memory sanitization: Sensitive cryptographic data is now
securely cleared from memory
+ Buffer safety: Fixed potential overflow in base32 decoding
* Improvements
+ Type safety: Migrated to unsigned integers for crypto operations
+ Performance: Optimized base32 length calculations and removed
redundant calls
+ Code quality: Simplified token formatting and enhanced
error handling
* Thu Oct 10 2024 Paolo Stivanin <info@paolostivanin.com>
- Update to 3.1.0:
* add support for mbedtls (#69, thanks to @Rockyshen123)
* add support for big endian archs (#68)-
* Mon Apr 08 2024 Paolo Stivanin <info@paolostivanin.com>
- Disable tests since Criterion is not working after the update of
nanomsg to 1.2.1 (https://github.com/Snaipe/Criterion/issues/518).
* Wed Dec 13 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 3.0.0:
* This release supersedes v2.1.0 and brings a new feature and
some small code improvements:
+ Add support for OpenSSL (#52), by @mchalain
+ Fix base32 encoding and decoding of bytes array (#54)
+ make is_string_valid_b32 public
+ improve code readability
* Wed Dec 06 2023 Paolo Stivanin <info@paolostivanin.com>
- Use correct library 'libcriterion-devel'.
* Tue Nov 28 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 2.1.0:
* Fix base32 encoding and decoding of bytes array (#54)
* Add support for OpenSSL (#52), by @mchalain
* Thu Nov 09 2023 Dirk Müller <dmueller@suse.com>
- update to 2.0.2:
* Improved CMakeLists
* Drop link_options, leave it up to every distro
* Tue May 02 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 2.0.1:
* If execution runs fine, set err_code to NO_ERROR in get_totp_at,
get_steam_totp_at and otp_to_int.
- Revert AVX2 change.
* Wed Mar 08 2023 Paolo Stivanin <info@paolostivanin.com>
- Build AVX2 enabled hwcaps library for x86_64-v3
* Wed Feb 01 2023 Paolo Stivanin <info@paolostivanin.com>
- Drop libbaseencode dep, since it's no longer necessary and obsolete it
- Fix changelog typo
* Tue Jan 31 2023 Dirk Müller <dmueller@suse.com>
- update to 2.0.0:
* In particular, libbaseencode has been merged with libcotp, so now users
can call base32 functions by just including `cotp.h`
BREAKING CHANGES:
* `totp_verify` has been removed
* `hotp_verify` has been removed
* `base64_encode` has been removed
* `base64_decode` has been removed
ADDED:
* new API `otp_to_int`
* `base32` encoding and decoding functions from libbaseencode
* new tests for libcotp
CHANGES:
* the soversion is now set only from the `$major` version (e.g. `2`), and
not from `$major$minor` (e.g. `12`) like it used to be.
* Sun Jan 08 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 1.2.8:
* this release fixes a regression brought by v1.2.7.
* Thu Jan 05 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 1.2.7:
* check return value for gcrypt functions
/usr/lib64/libcotp.so.4 /usr/lib64/libcotp.so.4.0.0
Generated by rpm2html 1.8.1
Fabrice Bellet, Mon Apr 27 23:28:50 2026