Use hmac.Write instead of hmac.Sum when verifying tokens

2 years ago · c0b675b011
2 changed files with 4 additions and 2 deletions
--- a/primitives/privacypass/token.go
+++ b/primitives/privacypass/token.go
@ -72,7 +72,8 @@ func (t *Token) unblindSignedToken(token SignedToken) {
 func (t *Token) SpendToken(data []byte) SpentToken {
 	key := sha3.Sum256(append(t.t, t.W.Encode(nil)...))
 	mac := hmac.New(sha3.New512, key[:])
-	return SpentToken{t.t, mac.Sum(data)}
+	mac.Write(data)
+	return SpentToken{t.t, mac.Sum(nil)}
 }

 // GenerateBlindedTokenBatch generates a batch of blinded tokens (and their unblinded equivalents)
--- a/primitives/privacypass/tokenserver.go
+++ b/primitives/privacypass/tokenserver.go
@ -136,7 +136,8 @@ func (ts *TokenServer) SpendToken(token SpentToken, data []byte) error {
 	W := new(ristretto.Element).ScalarMult(ts.k, T)
 	key := sha3.Sum256(append(token.T, W.Encode(nil)...))
 	mac := hmac.New(sha3.New512, key[:])
-	computedMAC := mac.Sum(data)
+	mac.Write(data)
+	computedMAC := mac.Sum(nil)
 	result := hmac.Equal(token.MAC, computedMAC)
 	if result == true {
 		if ts.persistanceService == nil {