mirror of https://github.com/golang-jwt/jwt.git
Merge pull request #47 from kofalt/master
Fix timing side-channel attack in hmac comparison
This commit is contained in:
commit
7b97402710
3
hmac.go
3
hmac.go
|
@ -1,7 +1,6 @@
|
||||||
package jwt
|
package jwt
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"crypto"
|
"crypto"
|
||||||
"crypto/hmac"
|
"crypto/hmac"
|
||||||
"errors"
|
"errors"
|
||||||
|
@ -57,7 +56,7 @@ func (m *SigningMethodHMAC) Verify(signingString, signature string, key interfac
|
||||||
hasher := hmac.New(m.Hash.New, keyBytes)
|
hasher := hmac.New(m.Hash.New, keyBytes)
|
||||||
hasher.Write([]byte(signingString))
|
hasher.Write([]byte(signingString))
|
||||||
|
|
||||||
if !bytes.Equal(sig, hasher.Sum(nil)) {
|
if !hmac.Equal(sig, hasher.Sum(nil)) {
|
||||||
err = ErrSignatureInvalid
|
err = ErrSignatureInvalid
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue