Merge pull request from kofalt/master

Fix timing side-channel attack in hmac comparison
This commit is contained in:
Dave Grijalva 2014-12-28 17:36:52 -08:00
commit 7b97402710
1 changed files with 1 additions and 2 deletions

View File

@ -1,7 +1,6 @@
package jwt
import (
"bytes"
"crypto"
"crypto/hmac"
"errors"
@ -57,7 +56,7 @@ func (m *SigningMethodHMAC) Verify(signingString, signature string, key interfac
hasher := hmac.New(m.Hash.New, keyBytes)
hasher.Write([]byte(signingString))
if !bytes.Equal(sig, hasher.Sum(nil)) {
if !hmac.Equal(sig, hasher.Sum(nil)) {
err = ErrSignatureInvalid
}
}