encryption: constant time hmac comparison

Change-Id: I262769378dc23ed6a0a0ebeb20ed5063403e33c8
commit 94acf5ad260f62fd2912065ba0ca30a0a74d4b63 1 parent 97dd234
@skaar authored
11 encryption/lib/encryption/encryption_handler.rb
@@ -86,11 +86,20 @@ def verify_signature(data)
json_data = data["json_data"]
json_hmac = signature(json_data)
- unless hmac == json_hmac
+ unless constant_time_comparison(hmac, json_hmac)
raise SignatureError, "Expected hmac (#{hmac}), got (#{json_hmac})"
end
end
+ # constant time comparison snagged from activesupport
+ def constant_time_comparison(a, b)
+ return false unless a.bytesize == b.bytesize
+ l = a.unpack "C#{a.bytesize}"
+ res = 0
+ b.each_byte { |byte| res |= byte ^ l.shift }
+ res == 0
+ end
+
def verify_session(decrypted_data)
# If you are the receiver of a session - use session_id from payload
if @session_id.nil?
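Review bot: the `raise SignatureError, "Expected hmac (#{hmac}), got (#{json_hmac})"` line kept in this hunk puts the expected HMAC into the exception message, which undermines the constant-time comparison if that message is ever returned to the party who supplied the signature; suggest raising a fixed message such as `raise SignatureError, "HMAC mismatch"` and logging the details server-side only. Also, `constant_time_comparison` is added as a public method of the handler; consider placing it under `private`, since it is only called from `verify_signature`. The early `return false unless a.bytesize == b.bytesize` reveals only the length of the valid HMAC, which is a fixed property of the digest and acceptable.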
2  encryption/lib/encryption/version.rb
@@ -2,6 +2,6 @@
module Bosh
module Encryption
- VERSION = "0.0.3"
+ VERSION = "0.0.4"
end
end
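Review bot: the bump from `VERSION = "0.0.3"` to `VERSION = "0.0.4"` ships a security fix (non-constant-time HMAC comparison in earlier releases), but no changelog or release-note entry appears in this diff; suggest adding one so consumers can tell that 0.0.3 and earlier are affected and should upgrade.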