OPENAM-6768 FR-880

Based on:

commit a6671bb
Author: Jon Jonthomas <[email protected]>
Date:   Tue Oct 6 11:33:29 2015 +0000

Author: FireBurn

openam-authentication/openam-auth-oath/src/main/java/org/forgerock/openam/authentication/modules/oath/OATH.java

@@ -52,6 +52,7 @@
 import java.util.HashMap;
 import java.util.Collections;
 import java.util.ResourceBundle;
+import java.security.MessageDigest;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.PasswordCallback;
@@ -516,7 +517,7 @@ private boolean checkOTP(String otp) throws AuthLoginException {
                             passLen,
                             checksum,
                             truncationOffset);
-                    if (otpGen.equals(otp)) {
+                    if (isEqual(otpGen, otp)) {
                         //OTP is correct set the counter value to counter+i
                         setCounterAttr(id, counter + i);
                         return true;
@@ -584,6 +585,11 @@ private boolean checkOTP(String otp) throws AuthLoginException {
                 long localTime = time;
                 localTime /= totpTimeStep;
 
+                if(lastLoginTime == localTime){
+                    debug.error("OATH.checkOTP(): Login failed attempting to use the same OTP in same Time Step: " + localTime);
+                    throw new InvalidPasswordException(amAuthOATH, "authFailed", null, userName, null);
+                }
+
                 boolean sameWindow = false;
 
                 //check if we are in the time window to prevent 2
@@ -603,7 +609,7 @@ private boolean checkOTP(String otp) throws AuthLoginException {
                 otpGen = TOTPAlgorithm.generateTOTP(secretKey,
                         Long.toHexString(localTime),
                         passLenStr);
-                if (otpGen.equals(otp)) {
+                if (isEqual(otpGen, otp)) {
                     setLoginTime(id, localTime);
                     return true;
                 }
@@ -616,7 +622,7 @@ private boolean checkOTP(String otp) throws AuthLoginException {
                     otpGen = TOTPAlgorithm.generateTOTP(secretKey,
                             Long.toHexString(time1),
                             passLenStr);
-                    if (otpGen.equals(otp)) {
+                    if (isEqual(otpGen, otp)) {
                         setLoginTime(id, time1);
                         return true;
                     }
@@ -626,12 +632,12 @@ private boolean checkOTP(String otp) throws AuthLoginException {
                     otpGen = TOTPAlgorithm.generateTOTP(secretKey, 
                                                         Long.toHexString(time2), 
                                                         passLenStr);
-                    if (otpGen.equals(otp) && sameWindow){
+                    if (isEqual(otpGen, otp) && sameWindow) {
                         debug.error("OATH" +
                                 ".checkOTP() : " +
-                                "Loging in in the same window with a OTP that is older than the current times OTP");
+                                "Login the same window with a OTP that is older than the current OTP");
                         return false;
-                    } else if(otpGen.equals(otp) && !sameWindow)  {
+                    } else if (isEqual(otpGen, otp) && !sameWindow) {
                         setLoginTime(id, time2);
                         return true;
                     }
@@ -769,4 +775,16 @@ private void setLoginTime(AMIdentity id, long time)
         }
         return;
     }
+
+    /**
+     * Perform time constant equality check.
+     * Both values should not be null.
+     *
+     * @param str1 first value
+     * @param str2 second vale
+     * @return true if values are equal
+     */
+    private boolean isEqual(String str1, String str2)   {
+         return MessageDigest.isEqual(str1.getBytes(StandardCharsets.UTF_8), str2.getBytes(StandardCharsets.UTF_8));
+    }
 }