From 9a3c6fd1e3f70c801f1f8a6fe05d4a0135937aed Mon Sep 17 00:00:00 2001
From: Nathaniel Kofalt <nathaniel@kofalt.com>
Date: Sun, 28 Dec 2014 19:31:54 -0600
Subject: [PATCH] Fix timing side-channel attack in hmac comparison

---
 hmac.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hmac.go b/hmac.go
index 166f517..2d7f1bf 100644
--- a/hmac.go
+++ b/hmac.go
@@ -1,7 +1,6 @@
 package jwt
 
 import (
-	"bytes"
 	"crypto"
 	"crypto/hmac"
 	"errors"
@@ -57,7 +56,7 @@ func (m *SigningMethodHMAC) Verify(signingString, signature string, key interfac
 			hasher := hmac.New(m.Hash.New, keyBytes)
 			hasher.Write([]byte(signingString))
 
-			if !bytes.Equal(sig, hasher.Sum(nil)) {
+			if !hmac.Equal(sig, hasher.Sum(nil)) {
 				err = ErrSignatureInvalid
 			}
 		}