From fc6a5d3bd2bb830fda0949944c1ba734d0deed1f Mon Sep 17 00:00:00 2001
From: Anthony Scarpino
Date: Mon, 21 Dec 2015 10:43:40 -0800
Subject: [PATCH] 8143945: Better GCM validation
Reviewed-by: xuelei, mullan
---
 .../com/sun/crypto/provider/GaloisCounterMode.java | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
index 9f8f54a1823..87fa4a383f3 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java
@@ -512,11 +512,17 @@ final class GaloisCounterMode extends FeedbackCipher {
 byte[] sOut = new byte[s.length];
 GCTR gctrForSToTag = new GCTR(embeddedCipher, this.preCounterBlock);
 gctrForSToTag.doFinal(s, 0, s.length, sOut, 0);
+
+ // check entire authentication tag for time-consistency
+ int mismatch = 0;
 for (int i = 0; i < tagLenBytes; i++) {
- if (tag[i] != sOut[i]) {
- throw new AEADBadTagException("Tag mismatch!");
- }
+ mismatch |= tag[i] ^ sOut[i];
 }
+
+ if (mismatch != 0) {
+ throw new AEADBadTagException("Tag mismatch!");
+ }
+
+ return len;
 }
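Review bot: The comment added above the new loop, `// check entire authentication tag for time-consistency`, does not say why the loop must run to completion, so a later cleanup could reintroduce the early exit this commit removes. I would spell the reason out, e.g. `// Compare all tagLenBytes bytes without an early exit so the time taken does not reveal the position of the first mismatching byte.` The XOR/OR accumulation itself looks correct, since promoting the bytes to int cannot turn a difference into zero. `MessageDigest.isEqual` would be an alternative, but it compares whole arrays and `sOut` is `s.length` bytes long while only `tagLenBytes` are checked here, so it would need a truncated copy. The enclosing method begins outside the hunk, so whether any output is written before this check cannot be seen from here.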