constant time auth

cryptomator · Nov 20, 2015 · d264fc4 · d264fc4
1 parent 15c697a
commit d264fc4
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ public void encryptWithAdditionalData() {
   <dependency>
     <groupId>org.cryptomator</groupId>
     <artifactId>siv-mode</artifactId>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
   </dependency>
 </dependencies>
 ```

diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>siv-mode</artifactId>
-	<version>1.0.0</version>
+	<version>1.0.2</version>
 	<name>SIV Mode</name>
 	<description>RFC 5297 SIV mode: deterministic authenticated encryption</description>
 

diff --git a/src/main/java/org/cryptomator/siv/SivMode.java b/src/main/java/org/cryptomator/siv/SivMode.java
@@ -9,7 +9,6 @@
  ******************************************************************************/
 
 import java.nio.ByteBuffer;
-import java.security.MessageDigest;
 import java.util.Arrays;
 
 import javax.crypto.AEADBadTagException;
@@ -200,7 +199,14 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 
 		final byte[] control = s2v(macKey, plaintext, additionalData);
 
-		if (MessageDigest.isEqual(control, iv)) {
+		// time-constant comparison (taken from MessageDigest.isEqual in JDK8)
+		assert iv.length == control.length;
+		int diff = 0;
+		for (int i = 0; i < iv.length; i++) {
+			diff |= iv[i] ^ control[i];
+		}
+
+		if (diff == 0) {
 			return plaintext;
 		} else {
 			throw new AEADBadTagException("authentication in SIV decryption failed");