Constant time check for codes

6 files changed, 178 insertions, 8 deletions

diff --git a/TwoStepsAuthenticator.UnitTests/AuthenticatorTests.cs b/TwoStepsAuthenticator.UnitTests/AuthenticatorTests.cs
new file mode 100644
index 0000000..5c250b8
--- /dev/null
+++ b/TwoStepsAuthenticator.UnitTests/AuthenticatorTests.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using NUnit.Framework;
+
+namespace TwoStepsAuthenticator.UnitTests {
+    
+    [TestFixture]
+    public class AuthenticatorTests {
+
+        [Test]
+        public void CreateKey() {
+            var authenticator = new Authenticator();
+            var secret = authenticator.GenerateKey();
+            var code = authenticator.GetCode(secret);
+
+            Assert.IsTrue(authenticator.CheckCode(secret, code), "Generated Code doesn't verify");
+        }
+
+        // Test Vectors from http://tools.ietf.org/html/rfc6238#appendix-B have all length 8. We want a length of 6.
+        // This Test Vectors are from a Ruby implementation. They work with the Google Authentificator app.
+        [TestCase("DRMK64PPMMC7TDZF", "2013-12-04 18:33:01 +0100", "661188")]
+        [TestCase("EQOGSM3XZUH6SE2Y", "2013-12-04 18:34:56 +0100", "256804")]
+        [TestCase("4VU7EQACVDMFJSBG", "2013-12-04 18:36:16 +0100", "800872")]
+        public void VerifyKeys(string secret, string timeString, string code) {
+            var date = DateTime.Parse(timeString);
+
+            var authenticator = new Authenticator(() => date);
+            Assert.IsTrue(authenticator.CheckCode(secret, code));
+
+        }
+    }
+}
diff --git a/TwoStepsAuthenticator.UnitTests/Properties/AssemblyInfo.cs b/TwoStepsAuthenticator.UnitTests/Properties/AssemblyInfo.cs
new file mode 100644
index 0000000..9654c60
--- /dev/null
+++ b/TwoStepsAuthenticator.UnitTests/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following 
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("TwoStepsAuthenticator.UnitTests")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("Microsoft")]
+[assembly: AssemblyProduct("TwoStepsAuthenticator.UnitTests")]
+[assembly: AssemblyCopyright("Copyright © Microsoft 2013")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible 
+// to COM components.  If you need to access a type in this assembly from 
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("257d7270-7a19-44d8-afdf-b21267fc0dda")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version 
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers 
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/TwoStepsAuthenticator.UnitTests/TwoStepsAuthenticator.UnitTests.csproj b/TwoStepsAuthenticator.UnitTests/TwoStepsAuthenticator.UnitTests.csproj
new file mode 100644
index 0000000..54dae80
--- /dev/null
+++ b/TwoStepsAuthenticator.UnitTests/TwoStepsAuthenticator.UnitTests.csproj
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{E936FFA0-2E6E-4CA7-9841-FB844A817E0C}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>TwoStepsAuthenticator.UnitTests</RootNamespace>
+    <AssemblyName>TwoStepsAuthenticator.UnitTests</AssemblyName>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <TargetFrameworkProfile />
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup>
+    <StartupObject />
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="nunit.framework">
+      <HintPath>..\packages\NUnit.2.6.3\lib\nunit.framework.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="AuthenticatorTests.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\TwoStepsAuthenticator\TwoStepsAuthenticator.csproj">
+      <Project>{6c898cd1-0bf3-4711-847e-ad7dac815cd8}</Project>
+      <Name>TwoStepsAuthenticator</Name>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
+       Other similar extension points exist, see Microsoft.Common.targets.
+  <Target Name="BeforeBuild">
+  </Target>
+  <Target Name="AfterBuild">
+  </Target>
+  -->
+</Project>
\ No newline at end of file
diff --git a/TwoStepsAuthenticator.UnitTests/packages.config b/TwoStepsAuthenticator.UnitTests/packages.config
new file mode 100644
index 0000000..967502d
--- /dev/null
+++ b/TwoStepsAuthenticator.UnitTests/packages.config
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="NUnit" version="2.6.3" targetFramework="net40" />
+</packages>
\ No newline at end of file
diff --git a/TwoStepsAuthenticator.sln b/TwoStepsAuthenticator.sln
index a23c14e..6963eba 100644
--- a/TwoStepsAuthenticator.sln
+++ b/TwoStepsAuthenticator.sln
@@ -7,6 +7,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TwoStepsAuthenticator.TestA
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TwoStepsAuthenticator.TestWebsite", "TwoStepsAuthenticator.TestWebsite\TwoStepsAuthenticator.TestWebsite.csproj", "{38058CE1-D82E-4C9D-B07D-293EAEC66878}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TwoStepsAuthenticator.UnitTests", "TwoStepsAuthenticator.UnitTests\TwoStepsAuthenticator.UnitTests.csproj", "{E936FFA0-2E6E-4CA7-9841-FB844A817E0C}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -25,6 +27,10 @@ Global
 		{38058CE1-D82E-4C9D-B07D-293EAEC66878}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{38058CE1-D82E-4C9D-B07D-293EAEC66878}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{38058CE1-D82E-4C9D-B07D-293EAEC66878}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E936FFA0-2E6E-4CA7-9841-FB844A817E0C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E936FFA0-2E6E-4CA7-9841-FB844A817E0C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E936FFA0-2E6E-4CA7-9841-FB844A817E0C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E936FFA0-2E6E-4CA7-9841-FB844A817E0C}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
diff --git a/TwoStepsAuthenticator/Authenticator.cs b/TwoStepsAuthenticator/Authenticator.cs
index 3e263e6..8ab1747 100644
--- a/TwoStepsAuthenticator/Authenticator.cs
+++ b/TwoStepsAuthenticator/Authenticator.cs
@@ -13,6 +13,11 @@ namespace TwoStepsAuthenticator
         private static readonly RNGCryptoServiceProvider Random = new RNGCryptoServiceProvider();    // Is Thread-Safe
         private static readonly int KeyLength = 16;
         private static readonly string AvailableKeyChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+        private readonly Func<DateTime> NowFunc;
+
+        public Authenticator(Func<DateTime> nowFunc = null) {
+            this.NowFunc = (nowFunc == null) ? () => DateTime.Now : nowFunc;
+        }
 
         public string GenerateKey()
         {
@@ -26,7 +31,7 @@ namespace TwoStepsAuthenticator
 
         public string GetCode(string secret)
         {
-            return GetCode(secret, DateTime.Now);
+            return GetCode(secret, NowFunc());
         }
 
         public string GetCode(string secret, DateTime date)
@@ -42,8 +47,7 @@ namespace TwoStepsAuthenticator
 
             long chlg = interval;
             byte[] challenge = new byte[8];
-            for (int j = 7; j >= 0; j--)
-            {
+            for (int j = 7; j >= 0; j--) {
                 challenge[j] = (byte)((int)chlg & 0xff);
                 chlg >>= 8;
             }
@@ -72,21 +76,34 @@ namespace TwoStepsAuthenticator
             if (usedCodes.Value.IsCodeUsed(secret, code))
                 return false;
 
-            var baseTime = DateTime.Now;
+            var baseTime = NowFunc();
+
+            // We need to do this in constant time
+            var codeMatch = false;
             for (int i = -2; i <= 1; i++)
             {
                 var checkTime = baseTime.AddSeconds(30 * i);
-                if (GetCode(secret, checkTime) == code)
+                if (ConstantTimeEquals(GetCode(secret, checkTime), code))
                 {
+                    codeMatch = true;
                     usedCodes.Value.AddCode(secret, code);
-                    return true;
                 }
             }
 
-            return false;
+            return codeMatch;
+        }
+
+        private bool ConstantTimeEquals(string a, string b) {
+            uint diff = (uint)a.Length ^ (uint)b.Length;
+
+            for (int i = 0; i < a.Length && i < b.Length; i++) {
+                diff |= (uint)a[i] ^ (uint)b[i];
+            }
+
+            return diff == 0;
         }
 
-        public int RandomInt(int max) {
+        private int RandomInt(int max) {
             var randomBytes = new byte[4];
             Random.GetBytes(randomBytes);