authorLegrandin <helderijs@gmail.com>2013-05-14 19:00:43 +0200
committerDwayne Litzenberger <dlitz@dlitz.net>2013-10-20 13:30:21 -0700
commit77b0b9123c32b181f7f7a0072b2baa6312620f66 (patch)
treeb808b1809304a161ec73586736146c8dec9027c8 /lib/Crypto/SelfTest
parent661f2a1f6ed02b5b2f21e340845361e70610ff3f (diff)
Add HMAC.verify() and HMAC.hexverify() with constant-time comparison
In the current implementation, it is left up to the caller to assess whether the locally computed MAC matches the MAC associated with the received message. However, the most natural way to do that (using the == operator) is also deeply insecure, see here: http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf With this patch, the new HMAC.verify() method accepts the given MAC and performs the check on behalf of the caller. The method will use constant-time code (still dependent on the length of the MAC, but not on the actual content). [dlitz@dlitz.net: Modified commit message subject line.] [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
Diffstat (limited to 'lib/Crypto/SelfTest')
-rw-r--r--lib/Crypto/SelfTest/Hash/common.py13
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/Crypto/SelfTest/Hash/common.py b/lib/Crypto/SelfTest/Hash/common.py
index 48cebe7..4976690 100644
--- a/lib/Crypto/SelfTest/Hash/common.py
+++ b/lib/Crypto/SelfTest/Hash/common.py
@@ -43,6 +43,7 @@ if sys.hexversion < 0x02030000:
else:
dict = dict
+from Crypto.Util.strxor import strxor_c
class HashDigestSizeSelfTest(unittest.TestCase):
@@ -184,9 +185,19 @@ class MACSelfTest(unittest.TestCase):
h = self.hashmod.new(key, digestmod=hashmod)
h.update(data)
- out1 = binascii.b2a_hex(h.digest())
+ out1_bin = h.digest()
+ out1 = binascii.b2a_hex(out1_bin)
out2 = h.hexdigest()
+ # Verify that correct MAC does not raise any exception
+ h.hexverify(out1)
+ h.verify(out1_bin)
+
+ # Verify that incorrect MAC does raise ValueError exception
+ wrong_mac = strxor_c(out1_bin, 255)
+ self.assertRaises(ValueError, h.verify, wrong_mac)
+ self.assertRaises(ValueError, h.hexverify, "4556")
+
h = self.hashmod.new(key, data, hashmod)
out3 = h.hexdigest()
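Review bot: The negative `hexverify` case, `self.assertRaises(ValueError, h.hexverify, "4556")`, passes a value whose length differs from the digest, so it would still pass if `hexverify` rejected on length alone and never compared contents. A same-length wrong value would close that gap: `self.assertRaises(ValueError, h.hexverify, binascii.b2a_hex(wrong_mac))`. Similarly, `strxor_c(out1_bin, 255)` inverts every byte, so a comparison that stopped after the first byte would go unnoticed. A MAC differing only in its last byte covers that, e.g. `self.assertRaises(ValueError, h.verify, out1_bin[:-1] + strxor_c(out1_bin[-1:], 1))`. The enclosing test method starts and continues outside this hunk, so these cases may already be covered elsewhere.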