From d6138347d7676a11070ca1206c3ce926b282f3d6 Mon Sep 17 00:00:00 2001
From: Pepijn Verlaan
Date: Thu, 7 Sep 2017 15:38:13 +0200
Subject: [PATCH 1/2] Remove bias when generating secrets
---
index.js | 16 ++++++++++------
test/generate.js | 3 +--
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/index.js b/index.js
index 59eb6ad..a9ae067 100644
--- a/index.js
+++ b/index.js
@@ -511,13 +511,13 @@ exports.generateSecret = function generateSecret (options) {
}
// generate an ascii key
- var key = this.generateSecretASCII(length, symbols);
+ var keyBytes = crypto.randomBytes(length || 32);
// return a SecretKey with ascii, hex, and base32
var SecretKey = {};
- SecretKey.ascii = key;
- SecretKey.hex = Buffer(key, 'ascii').toString('hex');
- SecretKey.base32 = base32.encode(Buffer(key)).toString().replace(/=/g, '');
+ SecretKey.ascii = encodeASCII(keyBytes, symbols);
+ SecretKey.hex = keyBytes.toString('hex');
+ SecretKey.base32 = base32.encode(keyBytes).toString().replace(/=/g, '');
// generate some qr codes if requested
if (qr_codes) {
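Review bot: `SecretKey.ascii` is no longer the same key as `SecretKey.hex` and `SecretKey.base32` after this hunk: hex and base32 encode `keyBytes` directly, while `encodeASCII(keyBytes, symbols)` maps each byte onto a smaller alphabet and cannot be decoded back to those bytes. A caller that stores `secret.ascii` and verifies with it, while the user's authenticator was provisioned from `secret.base32`, would compute HMACs over different keys, so this looks like a breaking change that should be called out in the changelog and README. The QR-code branch opens on the hunk's last line and continues outside it; if it builds its URLs from `SecretKey.ascii`, they should be checked against `SecretKey.base32`. The comment `// generate an ascii key` is also stale now, and I would replace it with `// generate raw key bytes; hex and base32 encode them, ascii is a one-way rendering`.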
@@ -560,14 +560,18 @@ exports.generate_key = util.deprecate(function (options) {
*/
exports.generateSecretASCII = function generateSecretASCII (length, symbols) {
var bytes = crypto.randomBytes(length || 32);
- var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz';
+ return encodeASCII(bytes, symbols);
+};
+
+function encodeASCII (bytes, symbols) {
+ var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghijklmnopqrstuvwxyz';
if (symbols) {
set += '!@#$%^&*()<>?/[]{},.:;';
}
var output = '';
for (var i = 0, l = bytes.length; i < l; i++) {
- output += set[Math.floor(bytes[i] / 255.0 * (set.length - 1))];
+ output += set[Math.floor(bytes[i] / 256.0 * set.length)];
}
return output;
};
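Review bot: The new mapping `Math.floor(bytes[i] / 256.0 * set.length)` is still not uniform, because 256 is not a multiple of the alphabet size (62 entries, or 84 with symbols), so some characters are selected by one more byte value than the others. That is much smaller than the old skew, where only byte 255 reached the last character, but in `generateSecretASCII` the returned string is itself the secret, so I would use rejection sampling there rather than scaling. The sketch below discards bytes at or above the largest multiple of `set.length` and draws more until the requested length is reached; it needs the alphabet, which this hunk moves into `encodeASCII`.

```javascript
exports.generateSecretASCII = function generateSecretASCII (length, symbols) {
  // … unchanged: alphabet `set` built as in encodeASCII (plus symbols when requested) …
  var wanted = length || 32;
  // bytes >= limit would favour the first (256 % set.length) characters, so skip them
  var limit = 256 - (256 % set.length);
  var output = '';
  while (output.length < wanted) {
    var bytes = crypto.randomBytes(wanted);
    for (var i = 0; i < bytes.length && output.length < wanted; i++) {
      if (bytes[i] < limit) {
        output += set[bytes[i] % set.length];
      }
    }
  }
  return output;
};
```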
diff --git a/test/generate.js b/test/generate.js
index e0e7f25..257608a 100644
--- a/test/generate.js
+++ b/test/generate.js
@@ -23,8 +23,7 @@ describe('Generator tests', function () {
assert.isUndefined(secret.google_auth_qr, 'Google Auth QR should not be returned');
// check encodings
- assert.equal(Buffer(secret.hex, 'hex').toString('ascii'), secret.ascii, 'Should have encoded correct hex string');
- assert.equal(base32.decode(secret.base32).toString('ascii'), secret.ascii, 'Should have encoded correct base32 string');
+ assert.equal(base32.decode(secret.base32).toString('hex'), secret.hex, 'Should have encoded correct base32 string');
});
it('Generation with custom key length', function () {
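Review bot: Nothing in this test checks `secret.ascii` any more once the two ascii assertions are removed, so a regression in `encodeASCII` would go unnoticed here. I would keep one assertion on it, for example `assert.lengthOf(secret.ascii, secret.hex.length / 2, 'Should have one ascii character per key byte');`. The enclosing `it(...)` block starts outside the hunk.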
From 9aee69d865eae942edcc4c39d4b42e7271809c6d Mon Sep 17 00:00:00 2001
From: Pepijn Verlaan
Date: Sat, 14 Jul 2018 02:44:20 +0200
Subject: [PATCH 2/2] Replace misplaced T with Y in set of characters
---
index.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.js b/index.js
index a9ae067..60123de 100644
--- a/index.js
+++ b/index.js
@@ -564,7 +564,7 @@ exports.generateSecretASCII = function generateSecretASCII (length, symbols) {
};
function encodeASCII (bytes, symbols) {
- var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghijklmnopqrstuvwxyz';
+ var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if (symbols) {
set += '!@#$%^&*()<>?/[]{},.:;';
}