Permalink
Browse files

Replace HMAC check with time-constant check

  • Loading branch information...
matsjj committed Apr 28, 2017
1 parent 33c985a commit ac982162dfa56d25fecdb8b651e95f7253234b85
Showing with 2 additions and 2 deletions.
  1. +2 −2 thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java
@@ -12,7 +12,6 @@
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Arrays;
public class CryptoTools {
@@ -48,7 +47,8 @@ public static void checkHMAC (byte[] hmac, byte[] rest, byte[] keyBytes) {
mac.init(keySpec);
byte[] result = mac.doFinal(rest);
if (!Arrays.equals(result, hmac)) {
if (!MessageDigest.isEqual(result, hmac)){
throw new RuntimeException("HMAC does not match..");
}
} catch (Exception e) {

0 comments on commit ac98216

Please sign in to comment.