| Name: libcotp4 | Distribution: openSUSE Tumbleweed |
| Version: 4.0.1 | Vendor: openSUSE |
| Release: 1.1 | Build date: Thu Apr 16 15:58:55 2026 |
| Group: System/Libraries | Build host: reproducible |
| Size: 18408 | Source RPM: libcotp-4.0.1-1.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/paolostivanin/libcotp | |
| Summary: C library for generating TOTP and HOTP | |
libcotp: C library for generating TOTP and HOTP according to RFC-6238. It supports custom digits (3 to 10), custom period (1 to 120 seconds) and also Steam TOTP format.
Apache-2.0
* Thu Apr 16 2026 Paolo Stivanin <info@paolostivanin.com>
- Update to 4.0.1:
Security Fixes
* Fixed timing side-channel in validate_totp_in_window: comparison now uses min(gen_len, user_len) bytes to prevent reading past buffer bounds when lengths differ
* Normalized secret key is now zeroed with cotp_secure_memzero before freeing in compute_hmac
* Fixed memory leak in OpenSSL backend: EVP_MAC not freed when calloc fails in whmac_gethandle
* Fixed memory leak in OpenSSL backend: EVP_MAC_CTX not freed in whmac_freehandle and on buffer-too-small error path in whmac_finalize
* Added negative algorithm index validation (algo < 0) in all three HMAC backends (gcrypt, OpenSSL, MbedTLS)
Hardening
* All public symbols now use explicit __attribute__((visibility("default"))); library compiled with -fvisibility=hidden to minimize exported symbol surface
* Added linker hardening flags: full RELRO (-Wl,-z,relro,-z,now) and non-executable stack (-Wl,-z,noexecstack)
* REVERSE_BYTES macro wrapped in do { ... } while (0) for safe use in all statement contexts
* CMake now detects explicit_bzero at configure time via check_function_exists
Improvements
* Base32 validation (valid_b32_str) now enforces RFC 4648 padding rules: rejects data characters after padding, validates padding count (0, 1, 3, 4, or 6), and requires padded strings to have length divisible by 8
* check_input max_len parameter changed from int32_t to size_t for type correctness
* Wed Mar 04 2026 Paolo Stivanin <info@paolostivanin.com>
- Update to 4.0.0:
Breaking Changes
+ SHA1, SHA256, SHA512 renamed to COTP_SHA1, COTP_SHA256, COTP_SHA512 (thanks to @CppPhil)
+ MIN_DIGTS typo fixed to MIN_DIGITS
+ typedef unsigned char uchar removed; base32_encode now takes const uint8_t *, base32_decode returns uint8_t *
+ b32_alphabet is no longer exported (now static)
+ MSVC support dropped
+ get_hotp / get_totp / get_totp_at return NULL on all error paths; callers must check the return value and the cotp_error_t output parameter
+ The library no longer prints to stderr on errors; all diagnostics are reported via cotp_error_t
New Features
+ Context API (cotp_ctx): ergonomic wrapper for repeated TOTP calls with the same configuration (cotp_ctx_create, cotp_ctx_totp, cotp_ctx_totp_at, cotp_ctx_free)
+ Optional validation helper (-DCOTP_ENABLE_VALIDATION=ON): validate_totp_in_window() for window-based TOTP verification with timing-safe comparison
+ CMake package config: consumers can now use find_package(COTP CONFIG) and link via COTP::cotp
Improvements
+ otp_to_int() now validates input for NULL and non-digit characters before conversion
+ Base32 get_char_index and valid_b32_str use O(1) lookup tables instead of O(n) loops
+ Base32 decode buffer calculation uses exact integer arithmetic instead of floating-point approximation
+ islower()/toupper() calls cast to unsigned char to avoid undefined behaviour on signed char
Security Fixes
+ Added runtime bounds checks in RFC 4226 truncation and Steam code paths (offset and length validated before array access)
+ Fixed potential NULL dereference in OpenSSL backend (whmac_setkey error path now frees context and sets ctx = NULL)
+ Fixed OOB read in strip_char (Base32): lookup table was 128 bytes but indexed with full uint8_t range (0–255)
+ Fixed undefined behaviour in base32_encode: strlen() on potentially non-NUL-terminated binary input replaced with bounds-safe check
+ Added NULL guards to whmac_freehandle() across all three backends
+ Fixed MbedTLS whmac_finalize returning buflen instead of actual digest length
+ mbedtls_md_hmac_starts() return value is now checked
+ Timing-safe comparison (cotp_timing_safe_memcmp) used in TOTP window validation
+ cotp_secure_memzero() applied to decoded secrets and HMAC digests immediately after use
* Mon Dec 22 2025 Paolo Stivanin <info@paolostivanin.com>
- Update to 3.1.1:
* Security
+ Memory sanitization: Sensitive cryptographic data is now
securely cleared from memory
+ Buffer safety: Fixed potential overflow in base32 decoding
* Improvements
+ Type safety: Migrated to unsigned integers for crypto operations
+ Performance: Optimized base32 length calculations and removed
redundant calls
+ Code quality: Simplified token formatting and enhanced
error handling
* Thu Oct 10 2024 Paolo Stivanin <info@paolostivanin.com>
- Update to 3.1.0:
* add support for mbedtls (#69, thanks to @Rockyshen123)
* add support for big endian archs (#68)
* Mon Apr 08 2024 Paolo Stivanin <info@paolostivanin.com>
- Disable tests since Criterion is not working after the update of
nanomsg to 1.2.1 (https://github.com/Snaipe/Criterion/issues/518).
* Wed Dec 13 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 3.0.0:
* This release supersedes v2.1.0 and brings a new feature and
some small code improvements:
+ Add support for OpenSSL (#52), by @mchalain
+ Fix base32 encoding and decoding of bytes array (#54)
+ make is_string_valid_b32 public
+ improve code readability
* Wed Dec 06 2023 Paolo Stivanin <info@paolostivanin.com>
- Use correct library 'libcriterion-devel'.
* Tue Nov 28 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 2.1.0:
* Fix base32 encoding and decoding of bytes array (#54)
* Add support for OpenSSL (#52), by @mchalain
* Thu Nov 09 2023 Dirk Müller <dmueller@suse.com>
- update to 2.0.2:
* Improved CMakeLists
* Drop link_options, leave it up to every distro
* Tue May 02 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 2.0.1:
* If execution runs fine, set err_code to NO_ERROR in get_totp_at,
get_steam_totp_at and otp_to_int.
- Revert AVX2 change.
* Wed Mar 08 2023 Paolo Stivanin <info@paolostivanin.com>
- Build AVX2 enabled hwcaps library for x86_64-v3
* Wed Feb 01 2023 Paolo Stivanin <info@paolostivanin.com>
- Drop libbaseencode dep, since it's no longer necessary and obsolete it
- Fix changelog typo
* Tue Jan 31 2023 Dirk Müller <dmueller@suse.com>
- update to 2.0.0:
* In particular, libbaseencode has been merged with libcotp, so now users
can call base32 functions by just including `cotp.h`
BREAKING CHANGES:
* `totp_verify` has been removed
* `hotp_verify` has been removed
* `base64_encode` has been removed
* `base64_decode` has been removed
ADDED:
* new API `otp_to_int`
* `base32` encoding and decoding functions from libbaseencode
* new tests for libcotp
CHANGES:
* the soversion is now set only from the `$major` version (e.g. `2`), and
not from `$major$minor` (e.g. `12`) like it used to be.
* Sun Jan 08 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 1.2.8:
* this release fixes a regression brought by v1.2.7.
* Thu Jan 05 2023 Paolo Stivanin <info@paolostivanin.com>
- Update to 1.2.7:
* check return value for gcrypt functions
/usr/lib64/libcotp.so.4 /usr/lib64/libcotp.so.4.0.1
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Apr 21 22:32:08 2026