Add constant-time method for verifying MACs.

2026-02-16 12:49:55 +01:00 · 2018-04-25 12:23:46 +01:00
parent 615f527270
commit 0217c205a1
20 changed files with 120 additions and 72 deletions
--- a/bramble-core/src/main/java/org/briarproject/bramble/client/ClientHelperImpl.java
+++ b/bramble-core/src/main/java/org/briarproject/bramble/client/ClientHelperImpl.java
@@ -381,9 +381,10 @@ class ClientHelperImpl implements ClientHelper {
 	}

 	@Override
-	public void verifySignature(String label, byte[] sig, byte[] publicKey,
-			BdfList signed) throws FormatException, GeneralSecurityException {
-		if (!crypto.verify(label, toByteArray(signed), publicKey, sig)) {
+	public void verifySignature(byte[] signature, String label, BdfList signed,
+			byte[] publicKey) throws FormatException, GeneralSecurityException {
+		if (!crypto.verifySignature(signature, label, toByteArray(signed),
+				publicKey)) {
 			throw new GeneralSecurityException("Invalid signature");
 		}
 	}
--- a/bramble-core/src/main/java/org/briarproject/bramble/contact/ContactExchangeTaskImpl.java
+++ b/bramble-core/src/main/java/org/briarproject/bramble/contact/ContactExchangeTaskImpl.java
@@ -251,7 +251,8 @@ class ContactExchangeTaskImpl extends Thread implements ContactExchangeTask {
 		r.readListEnd();
 		LOG.info("Received pseudonym");
 		// Verify the signature
-		if (!crypto.verify(SIGNING_LABEL_EXCHANGE, nonce, publicKey, sig)) {
+		if (!crypto.verifySignature(sig, SIGNING_LABEL_EXCHANGE, nonce,
+				publicKey)) {
 			if (LOG.isLoggable(INFO))
 				LOG.info("Invalid signature");
 			throw new GeneralSecurityException();
--- a/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
+++ b/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
@@ -205,12 +205,12 @@ class CryptoComponentImpl implements CryptoComponent {
 	}

 	@Override
-	public boolean verify(String label, byte[] signedData, byte[] publicKey,
-			byte[] signature) throws GeneralSecurityException {
+	public boolean verifySignature(byte[] signature, String label,
+			byte[] signed, byte[] publicKey) throws GeneralSecurityException {
 		PublicKey key = signatureKeyParser.parsePublicKey(publicKey);
 		Signature sig = new EdSignature();
 		sig.initVerify(key);
-		updateSignature(sig, label, signedData);
+		updateSignature(sig, label, signed);
 		return sig.verify(signature);
 	}

@@ -262,6 +262,17 @@ class CryptoComponentImpl implements CryptoComponent {
 		return output;
 	}

+	@Override
+	public boolean verifyMac(byte[] mac, String label, SecretKey macKey,
+			byte[]... inputs) {
+		byte[] expected = mac(label, macKey, inputs);
+		if (mac.length != expected.length) return false;
+		// Constant-time comparison
+		int cmp = 0;
+		for (int i = 0; i < mac.length; i++) cmp |= mac[i] ^ expected[i];
+		return cmp == 0;
+	}
+
 	@Override
 	public byte[] encryptWithPassword(byte[] input, String password) {
 		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();