mirror of https://github.com/golang-jwt/jwt.git
Merge pull request #47 from kofalt/master
Fix timing side-channel attack in hmac comparison
This commit is contained in:
commit
7b97402710
3
hmac.go
3
hmac.go
|
@ -1,7 +1,6 @@
|
|||
package jwt
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/hmac"
|
||||
"errors"
|
||||
|
@ -57,7 +56,7 @@ func (m *SigningMethodHMAC) Verify(signingString, signature string, key interfac
|
|||
hasher := hmac.New(m.Hash.New, keyBytes)
|
||||
hasher.Write([]byte(signingString))
|
||||
|
||||
if !bytes.Equal(sig, hasher.Sum(nil)) {
|
||||
if !hmac.Equal(sig, hasher.Sum(nil)) {
|
||||
err = ErrSignatureInvalid
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue