<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -25,10 +25,10 @@ module ActiveSupport
     
     def verify(signed_message)
       data, digest = signed_message.split(&quot;--&quot;)
-      if digest != generate_digest(data)
-        raise InvalidSignature
-      else
+      if secure_compare(digest, generate_digest(data))
         Marshal.load(ActiveSupport::Base64.decode64(data))
+      else
+        raise InvalidSignature
       end
     end
     
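Review bot: A signed message with no `--` separator now raises NoMethodError instead of InvalidSignature in `verify`, because `split("--")` leaves `digest` nil and `secure_compare` calls `a.length` on it. The old `digest != generate_digest(data)` test treated that case as a bad signature. Guard the call so malformed input is rejected the same way as a wrong digest: `if data && digest && secure_compare(digest, generate_digest(data))`. Short-circuiting on a missing digest reveals nothing about the expected HMAC, and `Marshal.load` stays reachable only after a successful comparison.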
@@ -38,6 +38,19 @@ module ActiveSupport
     end
     
     private
+      # constant-time comparison algorithm to prevent timing attacks
+      def secure_compare(a, b)
+        if a.length == b.length
+          result = 0
+          for i in 0..(a.length - 1)
+            result |= a[i] ^ b[i]
+          end
+          result == 0
+        else
+          false
+        end
+      end
+
       def generate_digest(data)
         require 'openssl' unless defined?(OpenSSL)
         OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), @secret, data)</diff>
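Review bot: `a[i] ^ b[i]` in `secure_compare` only works where `String#[]` with an integer index returns a byte value, as on Ruby 1.8. On Ruby 1.9 it returns a one-character String, which has no `^`, so every `verify` call would raise there. Comparing unpacked byte arrays keeps the XOR accumulation over the full length and runs on both versions. The early `false` on a length mismatch is acceptable because both operands are hex digests whose length is fixed by the algorithm, and a one-line comment saying so would help the next reader.

```ruby
def secure_compare(a, b)
  a_bytes = a.unpack("C*")
  b_bytes = b.unpack("C*")
  # digest length is public, so bailing out early on a mismatch leaks nothing useful
  return false unless a_bytes.length == b_bytes.length

  result = 0
  a_bytes.each_with_index { |byte, i| result |= byte ^ b_bytes[i] }
  result == 0
end
```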
      <filename>activesupport/lib/active_support/message_verifier.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>bd97c3044a7b135f5b84f38c3dbdce2ccc793f70</id>
    </parent>
  </parents>
  <author>
    <name>Coda Hale</name>
    <login>codahale</login>
    <email>coda.hale@gmail.com</email>
  </author>
  <url>http://github.com/rails/rails/commit/5e6dab8b34152bc48c89032d20e5bda1511e28fb</url>
  <id>5e6dab8b34152bc48c89032d20e5bda1511e28fb</id>
  <committed-date>2009-09-03T14:25:38-07:00</committed-date>
  <authored-date>2009-08-13T10:03:08-07:00</authored-date>
  <message>Fix timing attack vulnerability in ActiveSupport::MessageVerifier.

Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC.

Signed-off-by: Michael Koziarski &lt;michael@koziarski.com&gt;</message>
  <tree>e07e5aaab885d847f4cdf7006b55fb0601d3b676</tree>
  <committer>
    <name>Michael Koziarski</name>
    <login>NZKoz</login>
    <email>michael@koziarski.com</email>
  </committer>
</commit>
