Skip to content

Use constant-time comparison for MAC verification#1656

Open
weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
weebl2000:fix/constant-time-mac-compare
Open

Use constant-time comparison for MAC verification#1656
weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
weebl2000:fix/constant-time-mac-compare

Conversation

@weebl2000
Copy link
Contributor

@weebl2000 weebl2000 commented Feb 11, 2026

Severity: High

Summary

The HMAC verification in MACThenDecrypt uses standard memcmp(), which short-circuits on the first mismatched byte. The time taken to return reveals how many leading bytes of the MAC were correct, leaking information through a timing side-channel.

How this can be exploited

MeshCore uses a 2-byte MAC (65,536 possible values). With a timing-variable comparison, an attacker can break the MAC verification into two sequential brute-forces:

  1. First byte — send 256 packets, each with a different first MAC byte and an arbitrary second byte. The packet where memcmp takes slightly longer to reject reveals the correct first byte (because it proceeded to compare the second byte before failing).
  2. Second byte — with the first byte known, send up to 256 more packets varying the second byte. The one that triggers decryption (noticeably slower due to AES work) reveals the correct second byte.

Total: ~384 attempts on average instead of ~32,768 for blind brute-force.

On local interfaces (BLE, WiFi, serial) the timing difference between a 1-byte and 2-byte comparison is measurable with sub-millisecond precision. Over RF the timing window is harder to exploit directly, but a BLE-connected attacker (e.g. a compromised phone app, or someone within Bluetooth range of a companion radio) could:

  • Forge messages from any known contact — craft packets that pass MAC verification without knowing the shared secret, then inject arbitrary text messages, commands, or requests that appear to come from a trusted peer
  • Forge admin commands — if the attacker can target a repeater or room server's BLE interface, they can forge REQ packets to execute privileged operations (config changes, ACL modifications)
  • Replay with modification — combine with the ECB encryption mode to splice known ciphertext blocks into forged packets with valid MACs

Fix

Replace memcmp with a constant-time XOR-accumulate loop. The comparison now always examines every byte regardless of where the first mismatch occurs, eliminating the timing signal.

Test plan

  • Normal encrypted message exchange still works (send/receive between peers)
  • Invalid MACs still rejected (packets with wrong shared secret don't decrypt)
  • Build tested on Heltec_v3_companion_radio_ble

@weebl2000
use constant-time comparison for MAC verification
761f018 
The HMAC check in MACThenDecrypt used standard memcmp(), which
short-circuits on the first mismatched byte. This makes the comparison
time dependent on how many bytes of the MAC are correct, leaking
information through a timing side-channel.

With a 2-byte MAC (65,536 possible values), an attacker on a local
interface (serial, BLE, or WiFi) can measure response latency to
distinguish "first byte wrong" from "first byte correct, second wrong".
This reduces a brute-force from 65,536 attempts down to roughly 384
(256 + 128 on average), making MAC forgery practical. An attacker could
use this to forge packets that pass MAC verification without knowing the
shared secret, allowing them to inject arbitrary messages that appear to
come from a trusted peer.

Replace memcmp with a constant-time XOR-accumulate loop so the
comparison always takes the same time regardless of which bytes match.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@weebl2000