ChunkedAesCmac: ensure that a provided tag is never changed in the Ve…

…rification object.

PiperOrigin-RevId: 480584755

java_src/src/main/java/com/google/crypto/tink/mac/internal/BUILD.bazel

@@ -79,7 +79,7 @@ java_library(
         ":chunked_aes_cmac_computation",
         "//src/main/java/com/google/crypto/tink/mac:aes_cmac_key",
         "//src/main/java/com/google/crypto/tink/mac:chunked_mac_verification",
-        "//src/main/java/com/google/crypto/tink/subtle:bytes",
+        "//src/main/java/com/google/crypto/tink/util:bytes",
     ],
 )
 
@@ -90,6 +90,6 @@ android_library(
         ":chunked_aes_cmac_computation-android",
         "//src/main/java/com/google/crypto/tink/mac:aes_cmac_key-android",
         "//src/main/java/com/google/crypto/tink/mac:chunked_mac_verification-android",
-        "//src/main/java/com/google/crypto/tink/subtle:bytes-android",
+        "//src/main/java/com/google/crypto/tink/util:bytes-android",
     ],
 )

java_src/src/main/java/com/google/crypto/tink/mac/internal/ChunkedAesCmacVerification.java

@@ -18,7 +18,7 @@
 
 import com.google.crypto.tink.mac.AesCmacKey;
 import com.google.crypto.tink.mac.ChunkedMacVerification;
-import com.google.crypto.tink.subtle.Bytes;
+import com.google.crypto.tink.util.Bytes;
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 
@@ -27,15 +27,15 @@
  * under the hood.
  */
 final class ChunkedAesCmacVerification implements ChunkedMacVerification {
-  private final byte[] tag;
+  private final Bytes tag;
   private final ChunkedAesCmacComputation aesCmacComputation;
 
   ChunkedAesCmacVerification(AesCmacKey key, byte[] tag)
       throws GeneralSecurityException {
     // Checks regarding tag and key sizes, as well as FIPS-compatibility, are performed by
     // ChunkedAesCmacImpl.
     aesCmacComputation = new ChunkedAesCmacComputation(key);
-    this.tag = tag;
+    this.tag = Bytes.copyFrom(tag);
   }
 
   @Override
@@ -47,7 +47,7 @@ public void update(final ByteBuffer data) throws GeneralSecurityException {
   @Override
   public void verifyMac() throws GeneralSecurityException {
     byte[] other = aesCmacComputation.computeMac();
-    if (!Bytes.equal(tag, other)) {
+    if (!tag.equals(Bytes.copyFrom(other))) {
       throw new GeneralSecurityException("invalid MAC");
     }
   }

java_src/src/test/java/com/google/crypto/tink/mac/internal/ChunkedAesCmacTest.java

@@ -179,7 +179,9 @@ public AesCmacTestVector(AesCmacKey key, String message, String tag) {
           + "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
           + "bbbbbb",
       "139fce15a6f4a281ad22458d3d3cac26");
-  private static final AesCmacTestVector[] CMAC_IMPLEMENTATION_DETAIL_TEST_VECTORS =
+
+  @DataPoints("implementationTestVectors")
+  public static final AesCmacTestVector[] CMAC_IMPLEMENTATION_DETAIL_TEST_VECTORS =
       new AesCmacTestVector[] {
         NOT_OVERFLOWING_INTERNAL_STATE,
         FILL_UP_EXACTLY_INTERNAL_STATE,
@@ -790,4 +792,18 @@ private void testRandomized(AesCmacTestVector t) throws Exception {
       throw new AssertionError(debugReadSequence.toString(), e);
     }
   }
+
+  @Theory
+  public void testTagModificationAfterCreateVerification(
+      @FromDataPoints("implementationTestVectors") AesCmacTestVector t) throws Exception {
+    assumeFalse(TinkFips.useOnlyFips());
+
+    ChunkedMac mac = new ChunkedAesCmacImpl(t.key);
+
+    byte[] mutableTag = Arrays.copyOf(t.tag, t.tag.length);
+    ChunkedMacVerification macVerification = mac.createVerification(mutableTag);
+    mutableTag[0] ^= (byte) 0x01;
+    macVerification.update(ByteBuffer.wrap(t.message));
+    macVerification.verifyMac();
+  }
 }