# HG changeset patch
# User ascarpino
# Date 1450723420 28800
# Node ID 839fba6035e9df0edd6f0d6a0ec68dd6d66cc3ba
# Parent 561997281f4a89dd916ee200720921ce846216c8
8143945: Better GCM validation
Reviewed-by: xuelei, mullan

diff -r 561997281f4a -r 839fba6035e9 jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java Tue Oct 20 12:08:44 2015 +0300
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java Mon Dec 21 10:43:40 2015 -0800
@@ -512,11 +512,17 @@
         byte[] sOut = new byte[s.length];
         GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock);
         gctrForSToTag.doFinal(s, 0, s.length, sOut, 0);
+
+        // check entire authentication tag for time-consistency
+        int mismatch = 0;
         for (int i = 0; i < tagLenBytes; i++) {
-            if (tag[i] != sOut[i]) {
-                throw new AEADBadTagException("Tag mismatch!");
-            }
+            mismatch |= tag[i] ^ sOut[i];
         }
+
+        if (mismatch != 0) {
+            throw new AEADBadTagException("Tag mismatch!");
+        }
+
         return len;
     }
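Review bot: The added comment `// check entire authentication tag for time-consistency` does not say why the loop must never exit early, so a later cleanup could quietly restore the short-circuit compare that this commit removes. I would state the invariant above `int mismatch = 0;`, for example `// Constant-time compare: OR all byte differences and branch once, so timing does not reveal how many leading tag bytes matched.` No functional test will catch a regression here, which makes the comment the only guard. The enclosing method starts above the hunk, so it is not visible whether decrypted bytes have already been written to the caller's output buffer before this check; that is worth confirming, since a constant-time compare does not help if unverified plaintext is still released on a tag mismatch.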