changeset 14251:371a178f9368

8143945: Better GCM validation Reviewed-by: xuelei, mullan
author ascarpino
date Mon, 21 Dec 2015 10:43:40 -0800
parents 95dca8033930
children 8bfed52ded34
files src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
diffstat 1 files changed, 9 insertions(+), 3 deletions(-) [+]
--- a/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java	Tue Oct 20 12:08:44 2015 +0300
+++ b/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java	Mon Dec 21 10:43:40 2015 -0800
@@ -512,11 +512,17 @@
         byte[] sOut = new byte[s.length];
         GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock);
         gctrForSToTag.doFinal(s, 0, s.length, sOut, 0);
+
+        // check entire authentication tag for time-consistency
+        int mismatch = 0;
         for (int i = 0; i < tagLenBytes; i++) {
-            if (tag[i] != sOut[i]) {
-                throw new AEADBadTagException("Tag mismatch!");
-            }
+            mismatch |= tag[i] ^ sOut[i];
         }
+
+        if (mismatch != 0) {
+            throw new AEADBadTagException("Tag mismatch!");
+        }
+
         return len;
     }
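Review bot: The comment `// check entire authentication tag for time-consistency` on the new accumulation loop states the mechanism but not the threat it closes, which is exactly what a later maintainer needs before "simplifying" it back into an early return; I would write `// Compare every tag byte regardless of earlier mismatches: an early exit would let a caller learn, from decrypt timing, how many leading bytes of a forged tag were correct.` Since `mismatch |= tag[i] ^ sOut[i]` is the whole comparison, the `if (mismatch != 0)` check is the only branch that depends on tag data, which is the property worth naming in the comment. The hunk does not show how `tag` and `sOut` are sized relative to `tagLenBytes`, so I assume both are at least that long, as the removed code already did; if `tag` is exactly `tagLenBytes` bytes, `MessageDigest.isEqual(tag, Arrays.copyOf(sOut, tagLenBytes))` would express the same constant-time intent with a self-documenting standard call. The enclosing method starts before this hunk.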