2016-08-06 11:58:50 -04:00
|
|
|
require "digest"
|
2015-10-29 13:42:44 -04:00
|
|
|
|
2014-10-23 09:56:48 -04:00
|
|
|
module ActiveSupport
|
|
|
|
module SecurityUtils
|
|
|
|
# Constant time string comparison.
|
|
|
|
#
|
|
|
|
# The values compared should be of fixed length, such as strings
|
|
|
|
# that have already been processed by HMAC. This should not be used
|
|
|
|
# on variable length plaintext strings because it could leak length info
|
|
|
|
# via timing attacks.
|
|
|
|
def secure_compare(a, b)
|
|
|
|
return false unless a.bytesize == b.bytesize
|
|
|
|
|
|
|
|
l = a.unpack "C#{a.bytesize}"
|
|
|
|
|
|
|
|
res = 0
|
|
|
|
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
|
|
res == 0
|
|
|
|
end
|
|
|
|
module_function :secure_compare
|
2015-10-29 13:42:44 -04:00
|
|
|
|
|
|
|
def variable_size_secure_compare(a, b) # :nodoc:
|
|
|
|
secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
|
|
|
|
end
|
|
|
|
module_function :variable_size_secure_compare
|
2014-10-23 09:56:48 -04:00
|
|
|
end
|
|
|
|
end
|