From 1390df48b686c808ee8b36c32455903ed3cbe1cd Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Thu, 18 Jan 2018 09:31:22 -0500
Subject: [PATCH] use random key for double hmac comparisons

---
 src/App/Services/CryptoService.cs | 2 +-
 src/App/Utilities/Crypto.cs       | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/App/Services/CryptoService.cs b/src/App/Services/CryptoService.cs
index af175a798..4d488a56c 100644
--- a/src/App/Services/CryptoService.cs
+++ b/src/App/Services/CryptoService.cs
@@ -386,7 +386,7 @@ namespace Bit.App.Services
             if(EncKey?.MacKey != null && !string.IsNullOrWhiteSpace(encyptedValue.Mac))
             {
                 var computedMacBytes = Crypto.ComputeMac(encyptedValue.CipherTextBytes, EncKey.MacKey);
-                if(!Crypto.MacsEqual(EncKey.MacKey, computedMacBytes, encyptedValue.MacBytes))
+                if(!Crypto.MacsEqual(computedMacBytes, encyptedValue.MacBytes))
                 {
                     throw new InvalidOperationException("MAC failed.");
                 }
diff --git a/src/App/Utilities/Crypto.cs b/src/App/Utilities/Crypto.cs
index 36eb9f8b8..55a1cf48a 100644
--- a/src/App/Utilities/Crypto.cs
+++ b/src/App/Utilities/Crypto.cs
@@ -95,7 +95,7 @@ namespace Bit.App.Utilities
             if(key.MacKey != null && mac != null)
             {
                 var computedMacBytes = ComputeMac(ct, iv, key.MacKey);
-                if(!MacsEqual(key.MacKey, computedMacBytes, mac))
+                if(!MacsEqual(computedMacBytes, mac))
                 {
                     throw new InvalidOperationException("MAC failed.");
                 }
@@ -148,10 +148,11 @@ namespace Bit.App.Utilities
 
         // Safely compare two MACs in a way that protects against timing attacks (Double HMAC Verification).
         // ref: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
-        public static bool MacsEqual(byte[] macKey, byte[] mac1, byte[] mac2)
+        // ref: https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy
+        public static bool MacsEqual(byte[] mac1, byte[] mac2)
         {
             var algorithm = WinRTCrypto.MacAlgorithmProvider.OpenAlgorithm(MacAlgorithm.HmacSha256);
-            var hasher = algorithm.CreateHash(macKey);
+            var hasher = algorithm.CreateHash(RandomBytes(32));
 
             hasher.Append(mac1);
             mac1 = hasher.GetValueAndReset();