Replace HMAC check with time-constant check

blockchain · Apr 28, 2017 · ac98216 · Hnriqun · Aug 7, 2021 · ac98216
1 parent 33c985a
commit ac98216
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java b/thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java
@@ -12,7 +12,6 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
-import java.util.Arrays;
 
 public class CryptoTools {
 
@@ -48,7 +47,8 @@ public static void checkHMAC (byte[] hmac, byte[] rest, byte[] keyBytes) {
             mac.init(keySpec);
             byte[] result = mac.doFinal(rest);
 
-            if (!Arrays.equals(result, hmac)) {
+
+            if (!MessageDigest.isEqual(result, hmac)){
                 throw new RuntimeException("HMAC does not match..");
             }
         } catch (Exception e) {