fix(security): use constant-time MAC comparison to prevent timing oracle

kruton · claude · kruton · commit 3fa1c303e6ca · 2026-05-21T19:08:35.000-07:00
Replaced ByteArray.contentEquals() with MessageDigest.isEqual() in both
the encrypt-and-MAC and ETM packet receive paths. The non-constant-time
comparison could allow a network attacker to measure differences in
comparison time to forge valid MAC tags byte-by-byte.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/sshlib/src/main/kotlin/org/connectbot/sshlib/transport/PacketIO.kt b/sshlib/src/main/kotlin/org/connectbot/sshlib/transport/PacketIO.kt
@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@ import org.connectbot.sshlib.protocol.UnencryptedPacket
 import org.slf4j.LoggerFactory
 import java.io.ByteArrayOutputStream
 import java.nio.ByteBuffer
+import java.security.MessageDigest
 import kotlin.random.Random
 
 /**
@@ -321,7 +322,7 @@ internal class PacketIO(private val transport: Transport) {
 
         // Verify MAC (over plaintext for encrypt-and-MAC)
         val expectedMac = mac.compute(receiveSequenceNumber, decryptedPacket)
-        if (!receivedMac.contentEquals(expectedMac)) {
+        if (!MessageDigest.isEqual(receivedMac, expectedMac)) {
             logger.error("MAC verification failed for seq=$receiveSequenceNumber")
             logger.error("  Received MAC: ${receivedMac.joinToString("") { "%02x".format(it) }}")
             logger.error("  Expected MAC: ${expectedMac.joinToString("") { "%02x".format(it) }}")
@@ -361,7 +362,7 @@ internal class PacketIO(private val transport: Transport) {
 
         // Verify MAC (over sequence_number || length || encrypted_payload)
         val expectedMac = mac.computeEtm(receiveSequenceNumber, encryptedLength, encryptedPayload)
-        if (!receivedMac.contentEquals(expectedMac)) {
+        if (!MessageDigest.isEqual(receivedMac, expectedMac)) {
             logger.error("ETM MAC verification failed for seq=$receiveSequenceNumber")
             throw TransportException("ETM MAC verification failed")
         }
diff --git a/sshlib/src/test/kotlin/org/connectbot/sshlib/transport/PacketIOEtmTest.kt b/sshlib/src/test/kotlin/org/connectbot/sshlib/transport/PacketIOEtmTest.kt
@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import org.connectbot.sshlib.crypto.HmacSha256
 import org.connectbot.sshlib.crypto.TripleDesCbcCipher
 import org.connectbot.sshlib.protocol.SshEnums
 import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Assertions.assertThrows
 import org.junit.jupiter.api.Test
 
 class PacketIOEtmTest {
@@ -173,6 +174,41 @@ class PacketIOEtmTest {
         assertEquals(SshEnums.MessageType.SSH_MSG_NEWKEYS, parsed.messageType())
     }
 
+    @Test
+    fun `ETM rejects tampered MAC`() {
+        val (cipherKey, iv, macKey) = createKeyMaterial()
+
+        val writeTransport = ByteArrayTransport()
+        val writeIO = PacketIO(writeTransport)
+        writeIO.enableEncryption(
+            clientToServerCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = true),
+            clientToServerMac = HmacSha256(macKey.copyOf()),
+            serverToClientCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = false),
+            serverToClientMac = HmacSha256(macKey.copyOf()),
+            clientToServerEtm = true,
+            serverToClientEtm = true,
+        )
+        runBlocking { writeIO.writePacket(SshEnums.MessageType.SSH_MSG_NEWKEYS.id().toInt()) }
+
+        val wireData = writeTransport.getWrittenData().clone()
+        wireData[wireData.size - 1] = (wireData[wireData.size - 1].toInt() xor 0xFF).toByte()
+
+        val readTransport = ByteArrayTransport(wireData)
+        val readIO = PacketIO(readTransport)
+        readIO.enableEncryption(
+            clientToServerCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = true),
+            clientToServerMac = HmacSha256(macKey.copyOf()),
+            serverToClientCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = false),
+            serverToClientMac = HmacSha256(macKey.copyOf()),
+            clientToServerEtm = true,
+            serverToClientEtm = true,
+        )
+
+        assertThrows(TransportException::class.java) {
+            runBlocking { readIO.readPacket() }
+        }
+    }
+
     @Test
     fun `ETM multiple packets round trip with CBC`() = runBlocking {
         val (cipherKey, iv, macKey) = createKeyMaterial()
diff --git a/sshlib/src/test/kotlin/org/connectbot/sshlib/transport/PacketIOTest.kt b/sshlib/src/test/kotlin/org/connectbot/sshlib/transport/PacketIOTest.kt
@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,8 @@
 package org.connectbot.sshlib.transport
 
 import kotlinx.coroutines.runBlocking
+import org.connectbot.sshlib.crypto.AesCbcCipher
+import org.connectbot.sshlib.crypto.HmacSha256
 import org.connectbot.sshlib.protocol.SshEnums
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Assertions.assertThrows
@@ -169,6 +171,39 @@ class PacketIOTest {
         assertEquals(0L, io.bytesReceivedOnWire)
     }
 
+    @Test
+    fun `encrypt-and-MAC rejects tampered MAC`() {
+        val cipherKey = ByteArray(16) { it.toByte() }
+        val iv = ByteArray(16) { (it + 0x10).toByte() }
+        val macKey = ByteArray(32) { (it + 0x20).toByte() }
+
+        val writeTransport = ByteArrayTransport()
+        val writeIO = PacketIO(writeTransport)
+        writeIO.enableEncryption(
+            clientToServerCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = true),
+            clientToServerMac = HmacSha256(macKey.copyOf()),
+            serverToClientCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = false),
+            serverToClientMac = HmacSha256(macKey.copyOf()),
+        )
+        runBlocking { writeIO.writePacket(SshEnums.MessageType.SSH_MSG_NEWKEYS.id().toInt()) }
+
+        val wireData = writeTransport.getWrittenData().clone()
+        wireData[wireData.size - 1] = (wireData[wireData.size - 1].toInt() xor 0xFF).toByte()
+
+        val readTransport = ByteArrayTransport(wireData)
+        val readIO = PacketIO(readTransport)
+        readIO.enableEncryption(
+            clientToServerCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = true),
+            clientToServerMac = HmacSha256(macKey.copyOf()),
+            serverToClientCipher = AesCbcCipher(cipherKey, iv.copyOf(), forEncryption = false),
+            serverToClientMac = HmacSha256(macKey.copyOf()),
+        )
+
+        assertThrows(TransportException::class.java) {
+            runBlocking { readIO.readPacket() }
+        }
+    }
+
     // calculatePaddingLength: totalLength = 4 + 1 + (1 + payload.size) = 6 + payload.size.
     // With blockSize=8: raw = if (totalLength%8==0) 8 else 8-(totalLength%8). Bump by 8 if raw<4.
     // Verifying the exact padding_length byte at wire[4] kills MathMutator and ConditionalsBoundaryMutator survivors.
