Use a constant time equality check for HMAC signature verification

2014-08-30 15:36:51 -03:00 · 2014-08-30 15:36:51 -03:00 · 8e6be13652
commit 8e6be13652
parent 96e515d257
2 changed files with 5 additions and 3 deletions
--- a/project.clj
+++ b/project.clj
@ -1,4 +1,4 @@
-(defproject clj-jwt "0.0.9"
+(defproject clj-jwt "0.0.10"
  :description  "Clojure library for JSON Web Token(JWT)"
  :url          "https://github.com/liquidz/clj-jwt"
  :license      {:name "Eclipse Public License"
@ -7,6 +7,7 @@
                 [org.clojure/data.json "0.2.5"]
                 [org.clojure/data.codec "0.1.0"]
                 [org.bouncycastle/bcprov-jdk15 "1.46"]
+                 [crypto-equality "1.0.0"]
                 [clj-time "0.8.0"]]

  :profiles {:dev {:dependencies [[midje "1.6.3"  :exclusions [org.clojure/clojure]]]}}
--- a/src/clj_jwt/sign.clj
+++ b/src/clj_jwt/sign.clj
@ -1,6 +1,7 @@
 (ns clj-jwt.sign
  (:require
-    [clj-jwt.base64 :refer [url-safe-encode-str url-safe-decode]]))
+    [clj-jwt.base64 :refer [url-safe-encode-str url-safe-decode]]
+    [crypto.equality :as creq]))

 (java.security.Security/addProvider
 (org.bouncycastle.jce.provider.BouncyCastleProvider.))
@ -17,7 +18,7 @@
 (defn- hmac-verify
  "Function to verify data and signature with HMAC algorithm."
  [alg key body signature & {:keys [charset] :or {charset "UTF-8"}}]
-  (= signature (hmac-sign alg key body :charset charset)))
+  (creq/eq? signature (hmac-sign alg key body :charset charset)))

 ; RSA
 (defn- rsa-sign