protect mac comparisons from timing attacks

2024-11-06 09:20:43 +01:00 · 2017-04-27 12:00:32 -04:00 · 2017-04-27 12:00:32 -04:00 · 7d0a34fceb
commit 7d0a34fceb
parent b3e94b13f7
1 changed files with 13 additions and 11 deletions
--- a/src/app/services/cryptoService.js
+++ b/src/app/services/cryptoService.js
@ -358,7 +358,7 @@ angular
            if (key.macKey && encPieces.length > 2) {
                var macBytes = forge.util.decode64(encPieces[2]);
                var computedMacBytes = computeMac(ctBytes, ivBytes, key.macKey, false);
-                if (!bytesAreEqual(macBytes, computedMacBytes)) {
+                if (!macsEqual(key.macKey, macBytes, computedMacBytes)) {
                    console.error('MAC failed.');
                    return null;
                }
@ -431,18 +431,20 @@ angular
            return b64Output ? forge.util.encode64(mac.getBytes()) : mac.getBytes();
        }

-        // Constant time comparison. This removes the early-out optimizations of normal equality checks.
-        function bytesAreEqual(a, b) {
-            if (a.length !== b.length) {
-                return false;
-            }
+        // Safely compare two MACs in a way that protects against timing attacks.
+        // ref: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
+        function macsEqual(macKey, mac1, mac2) {
+            var hmac = forge.hmac.create();

-            var result = 0;
-            for (var i = 0; i < a.length; i++) {
-                result |= a[i] ^ b[i];
-            }
+            hmac.start('sha256', macKey);
+            hmac.update(mac1);
+            mac1 = hmac.digest().getBytes();

-            return result === 0;
+            hmac.start(null, null);
+            hmac.update(mac2);
+            mac2 = hmac.digest().getBytes();
+
+            return mac1 === mac2;
        }

        function SymmetricCryptoKey(keyBytes, b64KeyBytes, encType) {