Permalink
Browse files

encryption: constant time hmac comparison

Change-Id: I262769378dc23ed6a0a0ebeb20ed5063403e33c8
  • Loading branch information...
1 parent 97dd234 commit 94acf5ad260f62fd2912065ba0ca30a0a74d4b63 @skaar skaar committed Oct 29, 2012
Showing with 11 additions and 2 deletions.
  1. +10 −1 encryption/lib/encryption/encryption_handler.rb
  2. +1 −1 encryption/lib/encryption/version.rb
@@ -86,11 +86,20 @@ def verify_signature(data)
json_data = data["json_data"]
json_hmac = signature(json_data)
- unless hmac == json_hmac
+ unless constant_time_comparison(hmac, json_hmac)
raise SignatureError, "Expected hmac (#{hmac}), got (#{json_hmac})"
end
end
+ # constant time comparison snagged from activesupport
+ def constant_time_comparison(a, b)
+ return false unless a.bytesize == b.bytesize
+ l = a.unpack "C#{a.bytesize}"
+ res = 0
+ b.each_byte { |byte| res |= byte ^ l.shift }
+ res == 0
+ end
+
def verify_session(decrypted_data)
# If you are the receiver of a session - use session_id from payload
if @session_id.nil?
@@ -2,6 +2,6 @@
module Bosh
module Encryption
- VERSION = "0.0.3"
+ VERSION = "0.0.4"
end
end

0 comments on commit 94acf5a

Please sign in to comment.