Add a Verify routine for HMAC

crypto/hmac.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/hmac.h"
 
 #include "base/logging.h"
 
 namespace crypto {
 
 size_t HMAC::DigestLength() const {
   switch (hash_alg_) {
     case SHA1:
       return 20;
     case SHA256:
       return 32;
     default:
       NOTREACHED();
       return 0;
   }
 }
 
+bool HMAC::Verify(const base::StringPiece& data,
+                  const base::StringPiece& digest) const {
+  if (digest.size() != DigestLength())
+    return false;
+  scoped_array<unsigned char> computed_digest(
+      new unsigned char[digest.size()]);
+  if (!Sign(data, computed_digest.get(), static_cast<int>(digest.size())))
+    return false;
+
+  // In order to avoid any timing attacks, this comparison must be constant
+  // time with respect to the input. Using a comparison such as memcmp() can
+  // cause a short-circuit once a differing byte is found, which can reveal
+  // to an attacker which byte (and possibly which bit) of the digest was
+  // invalid. See also:
+  // http://groups.google.com/group/keyczar-discuss/browse_thread/thread/5571eca0948b2a13

[wtc, 2011/07/14 00:49:42]

This URL doesn't work for me.

+  const unsigned char* digest_ptr =
+      reinterpret_cast<const unsigned char*>(digest.data());
+  const unsigned char* computed_ptr = computed_digest.get();
+  unsigned char tmp = 0;
+  for (size_t i = 0; i < digest.size(); ++i)
+    tmp |= *digest_ptr++ ^ *computed_ptr++;

[wtc, 2011/07/14 00:00:22]

We should add a SecureMemcmp function.

[Ryan Sleevi, 2011/07/14 00:18:19]

Was this remark for a high-level, crypto/ API, or just a function within this
file?

[wtc, 2011/07/14 00:49:42]

Sorry I wasn't clear.  I meant a function that can be used
by other files.  We can do this when some other file also
need a constant-time memcmp().

+
+  return tmp == 0;
+}
+
 }  // namespace crypto