From ac982162dfa56d25fecdb8b651e95f7253234b85 Mon Sep 17 00:00:00 2001
From: matsjj
Date: Fri, 28 Apr 2017 19:29:09 +0100
Subject: [PATCH] Replace HMAC check with time-constant check
---
 .../java/network/thunder/core/helper/crypto/CryptoTools.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java b/thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java
index bb130b3a..f17b3059 100644
--- a/thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java
+++ b/thunder-core/src/main/java/network/thunder/core/helper/crypto/CryptoTools.java
@@ -12,7 +12,6 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
-import java.util.Arrays;
 public class CryptoTools {
@@ -48,7 +47,8 @@ public static void checkHMAC (byte[] hmac, byte[] rest, byte[] keyBytes) {
 mac.init(keySpec);
 byte[] result = mac.doFinal(rest);
- if (!Arrays.equals(result, hmac)) {
+
+ if (!MessageDigest.isEqual(result, hmac)){
 throw new RuntimeException("HMAC does not match..");
 }
 } catch (Exception e) {
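Review bot: In the `checkHMAC` hunk the mismatch `RuntimeException` is still thrown inside the `try` whose `catch (Exception e)` closes the hunk, so a failed MAC check travels the same path as a provider or key-setup error. The handler body is outside the hunk, so it should be confirmed that it rethrows rather than logs and returns, since a swallowed exception here would mean a message with a bad MAC is treated as verified. Moving the comparison and the `throw` after the `try` block, or narrowing the catch to the checked exceptions the `Mac` setup can raise, would keep the two failure modes apart. It would also help to record the intent of the new call with a comment such as `// constant-time compare; do not switch back to Arrays.equals, which returns at the first differing byte`, so a later cleanup does not undo the fix.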