Make GCM tag check "constant-time"

2013-08-31 16:37:46 +02:00 · 2013-08-31 16:37:46 +02:00 · 20d6a17af9
commit 20d6a17af9
parent 07f8fa5a69
1 changed files with 11 additions and 4 deletions
--- a/library/gcm.c
+++ b/library/gcm.c
@ -357,15 +357,22 @@ int gcm_auth_decrypt( gcm_context *ctx,
                      unsigned char *output )
 {
    unsigned char check_tag[16];
+    size_t i;
+    int diff;

    gcm_crypt_and_tag( ctx, GCM_DECRYPT, length, iv, iv_len, add, add_len, input, output, tag_len, check_tag );

-    if( memcmp( check_tag, tag, tag_len ) == 0 )
-        return( 0 );
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];

-    memset( output, 0, length );
+    if( diff != 0 )
+    {
+        memset( output, 0, length );
+        return( POLARSSL_ERR_GCM_AUTH_FAILED );
+    }

-    return( POLARSSL_ERR_GCM_AUTH_FAILED );
+    return( 0 );
 }

 #if defined(POLARSSL_SELF_TEST)