forked from mirror/jwt
Fix timing side-channel attack in hmac comparison
This commit is contained in:
parent
d9679c1420
commit
9a3c6fd1e3
3
hmac.go
3
hmac.go
|
@ -1,7 +1,6 @@
|
|||
package jwt
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/hmac"
|
||||
"errors"
|
||||
|
@ -57,7 +56,7 @@ func (m *SigningMethodHMAC) Verify(signingString, signature string, key interfac
|
|||
hasher := hmac.New(m.Hash.New, keyBytes)
|
||||
hasher.Write([]byte(signingString))
|
||||
|
||||
if !bytes.Equal(sig, hasher.Sum(nil)) {
|
||||
if !hmac.Equal(sig, hasher.Sum(nil)) {
|
||||
err = ErrSignatureInvalid
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue