mirror
/
jwt
mirror of https://github.com/golang-jwt/jwt.git
1
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity

Fix timing side-channel attack in hmac comparison

This commit is contained in:
Nathaniel Kofalt 2014-12-28 19:31:54 -06:00
parent d9679c1420
commit 9a3c6fd1e3
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hmac.go
View File

@ -1,7 +1,6 @@
package jwt
import (
"bytes"
"crypto"
"crypto/hmac"
"errors"
@ -57,7 +56,7 @@ func (m *SigningMethodHMAC) Verify(signingString, signature string, key interfac
hasher := hmac.New(m.Hash.New, keyBytes)
hasher.Write([]byte(signingString))
if !bytes.Equal(sig, hasher.Sum(nil)) {
if !hmac.Equal(sig, hasher.Sum(nil)) {
err = ErrSignatureInvalid
}
}