JNI: use constant-time comparison for GMAC tag verification (F-1519)

cconlon · cconlon · commit 56b795a3dc31 · 2026-03-30T11:39:01.000-06:00
diff --git a/IDE/WIN/wolfcryptjni.vcxproj b/IDE/WIN/wolfcryptjni.vcxproj
@@ -71,6 +71,7 @@
     <ClInclude Include="..\..\jni\include\wolfcrypt_jni_debug.h" />
     <ClInclude Include="..\..\jni\include\wolfcrypt_jni_error.h" />
     <ClInclude Include="..\..\jni\include\wolfcrypt_jni_NativeStruct.h" />
+    <ClInclude Include="..\..\jni\include\wolfcrypt_jni_util.h" />
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\jni\jni_aes.c" />
diff --git a/IDE/WIN/wolfcryptjni.vcxproj.filters b/IDE/WIN/wolfcryptjni.vcxproj.filters
@@ -120,6 +120,9 @@
     <ClInclude Include="..\..\jni\include\wolfcrypt_jni_NativeStruct.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\jni\include\wolfcrypt_jni_util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\jni\jni_aes.c">
diff --git a/jni/include/wolfcrypt_jni_util.h b/jni/include/wolfcrypt_jni_util.h
@@ -0,0 +1,48 @@
+/* wolfcrypt_jni_util.h
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef _Included_wolfcrypt_jni_util
+#define _Included_wolfcrypt_jni_util
+
+#include <wolfssl/wolfcrypt/types.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* check all length bytes for equality, return 0 on success */
+static WC_INLINE int ConstantCompare(const byte* a, const byte* b, int length)
+{
+    int i;
+    int compareSum = 0;
+
+    for (i = 0; i < length; i++) {
+        compareSum |= a[i] ^ b[i];
+    }
+
+    return compareSum;
+}
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+
diff --git a/jni/jni_aesgmac.c b/jni/jni_aesgmac.c
@@ -34,6 +34,7 @@
 
 /* #define WOLFCRYPT_JNI_DEBUG_ON */
 #include <wolfcrypt_jni_debug.h>
+#include <wolfcrypt_jni_util.h>
 
 JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_AesGmac_mallocNativeStruct_1internal(
     JNIEnv* env, jobject this)
@@ -326,7 +327,8 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_AesGmac_wc_1GmacVerify(
 
                 if (ret == 0) {
                     /* Compare the computed tag with the provided tag */
-                    if (XMEMCMP(computedTag, authTag, authTagSz) != 0) {
+                    if (ConstantCompare(computedTag, authTag,
+                        authTagSz) != 0) {
                         ret = AES_GCM_AUTH_E; /* Authentication failure */
                     }
                 }

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@`
`34`	`34`
`35`	`35`	`/* #define WOLFCRYPT_JNI_DEBUG_ON */`
`36`	`36`	`#include <wolfcrypt_jni_debug.h>`
	`37`	`+#include <wolfcrypt_jni_util.h>`
`37`	`38`
`38`	`39`	`JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_AesGmac_mallocNativeStruct_1internal(`
`39`	`40`	`JNIEnv* env, jobject this)`
`@@ -326,7 +327,8 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_AesGmac_wc_1GmacVerify(`
`326`	`327`
`327`	`328`	`if (ret == 0) {`
`328`	`329`	`/* Compare the computed tag with the provided tag */`
`329`		`- if (XMEMCMP(computedTag, authTag, authTagSz) != 0) {`
	`330`	`+ if (ConstantCompare(computedTag, authTag,`
	`331`	`+ authTagSz) != 0) {`
`330`	`332`	`ret = AES_GCM_AUTH_E; /* Authentication failure */`
`331`	`333`	`}`
`332`	`334`	`}`