From 4b36a25512cb206334f72e27dc9dcce41eb31b03 Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Tue, 9 Jun 2026 17:50:08 +0530
Subject: [PATCH] verify mls membership and confirmation tags in constant time

---
 .../main/java/org/bouncycastle/mls/codec/PublicMessage.java | 2 +-
 mls/src/main/java/org/bouncycastle/mls/protocol/Group.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mls/src/main/java/org/bouncycastle/mls/codec/PublicMessage.java b/mls/src/main/java/org/bouncycastle/mls/codec/PublicMessage.java
index 6fe9780af2..84b53640b6 100644
--- a/mls/src/main/java/org/bouncycastle/mls/codec/PublicMessage.java
+++ b/mls/src/main/java/org/bouncycastle/mls/codec/PublicMessage.java
@@ -94,7 +94,7 @@ public AuthenticatedContent unprotect(MlsCipherSuite suite, Secret membership_ke
         if (content.sender.senderType == SenderType.MEMBER)
         {
             byte[] membershipTag = membershipMac(suite, membership_key, context);
-            if (!Arrays.areEqual(membershipTag, membership_tag))
+            if (!Arrays.constantTimeAreEqual(membershipTag, membership_tag))
             {
                 // throw tagMisMatch error!
                 throw new IOException("incorrect membership tag");
diff --git a/mls/src/main/java/org/bouncycastle/mls/protocol/Group.java b/mls/src/main/java/org/bouncycastle/mls/protocol/Group.java
index 04f3fbc08e..c43c49971b 100644
--- a/mls/src/main/java/org/bouncycastle/mls/protocol/Group.java
+++ b/mls/src/main/java/org/bouncycastle/mls/protocol/Group.java
@@ -624,7 +624,7 @@ public Group(
 
         // Verify confirmation tag
         byte[] confirmationTag = keySchedule.confirmationTag(transcriptHash.getConfirmed());
-        if (!Arrays.equals(confirmationTag, groupInfo.getConfirmationTag()))
+        if (!org.bouncycastle.util.Arrays.constantTimeAreEqual(confirmationTag, groupInfo.getConfirmationTag()))
         {
             throw new Exception("Confirmation failed to verify");
         }
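Review bot: The new `Arrays.constantTimeAreEqual(membershipTag, membership_tag)` line carries no comment saying why the plain `areEqual` was insufficient or that the argument order is meaningful for this helper. Bouncy Castle's `constantTimeAreEqual(expected, supplied)` is, as far as I recall its javadoc, intended to be called with the expected value first, so the locally computed `membershipTag` belongs in the first position as it is here; a one-line comment would keep a later tidy-up from swapping them: `// constant-time MAC check: locally computed tag is 'expected', tag from the wire is 'supplied'`. The stale `// throw tagMisMatch error!` comment on the following context line could be folded into that comment. The body of unprotect continues outside the hunk.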
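Review bot: The fully-qualified `org.bouncycastle.util.Arrays.constantTimeAreEqual` is spelled out inline in the new line here and again in the `handle` hunk at line 820, presumably because `Arrays` in this file already resolves to `java.util.Arrays` (the removed line called `Arrays.equals`, which the Bouncy Castle `Arrays` utility does not provide). A single `import static org.bouncycastle.util.Arrays.constantTimeAreEqual;` in the file's import block would let both call sites read `if (!constantTimeAreEqual(confirmationTag, groupInfo.getConfirmationTag()))`, which is both shorter and makes it obvious that the two checks use the same comparison. The enclosing constructor `Group(` starts outside the hunk.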
@@ -820,7 +820,7 @@ public Group handle(AuthenticatedContent auth, Group cachedGroup, CommitParamete
 
         // Verify the confirmation MAC
         byte[] confirmationTag = next.keySchedule.confirmationTag(next.transcriptHash.getConfirmed());
-        if (!Arrays.equals(auth.getConfirmationTag(), confirmationTag))
+        if (!org.bouncycastle.util.Arrays.constantTimeAreEqual(confirmationTag, auth.getConfirmationTag()))
         {
             throw new Exception("Confirmation failed to verify");
         }
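Review bot: Besides switching to the constant-time helper, the new line also swaps the operands from `(auth.getConfirmationTag(), confirmationTag)` to `(confirmationTag, auth.getConfirmationTag())`, and neither the line nor the commit message says why. For `constantTimeAreEqual(expected, supplied)` the order is meaningful: the locally derived tag is the expected value and the tag taken from the message is the supplied one, which this reorder gets right and which also matches the constructor hunk at line 624. A short comment such as `// expected (locally derived) tag first, supplied (from the message) tag second` would keep the order from being "tidied" back by a later edit. The body of handle continues outside the hunk.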