
Add AS::SecurityUtils.secure_compare for constant time string comparison

guilleiguaran committed Oct 23, 2014
1 parent 5a16b5c commit c8c660002f4b0e9606de96325f20b95248b6ff2d
Showing with 29 additions and 0 deletions.
  1. +20 −0 activesupport/lib/active_support/security_utils.rb
  2. +9 −0 activesupport/test/security_utils_test.rb
@@ -0,0 +1,20 @@
module ActiveSupport
module SecurityUtils
# Constant time string comparison.
#
# The values compared should be of fixed length, such as strings
# that have already been processed by HMAC. This should not be used
# on variable length plaintext strings because it could leak length info
# via timing attacks.
def secure_compare(a, b)
return false unless a.bytesize == b.bytesize
l = a.unpack "C#{a.bytesize}"

dubek Jan 25, 2016


Consider:

l = a.bytes
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
module_function :secure_compare
end
end
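Review bot: The early `return false unless a.bytesize == b.bytesize` makes the length of the expected value observable through timing; the header comment acknowledges this but does not tell callers how to meet the fixed-length precondition. I would extend that comment with `# Callers holding variable-length secrets should digest both values (e.g. with OpenSSL::Digest) before calling, so that only equality, not length, is observable.` Separately, `a.bytesize` raises NoMethodError when a caller passes nil or a non-String, so either a guard such as `return false unless a.is_a?(String) && b.is_a?(String)` ahead of the length check, or a documented "both arguments must be Strings" precondition, would make the misuse path explicit. The `module_function` declaration means the method is also callable as a private instance method where the module is included, which is worth a one-line note for readers unfamiliar with that idiom.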
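--- a/activesupport/test/security_utils_test.rb
+++ b/activesupport/test/security_utils_test.rb
@@ -0,0 +1,9 @@
+require 'abstract_unit'
+require 'active_support/security_utils'
+class SecurityUtilsTest < ActiveSupport::TestCase
+def test_secure_compare_should_perform_string_comparison
+assert ActiveSupport::SecurityUtils.secure_compare('a', 'a')
+assert !ActiveSupport::SecurityUtils.secure_compare('a', 'b')
+end
+end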
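Review bot: The test only exercises equal-length inputs, so the length-mismatch branch of secure_compare (the early `return false`) is never covered. Add `assert !ActiveSupport::SecurityUtils.secure_compare('a', 'ab')` alongside the existing two assertions, and ideally a multibyte case such as `assert ActiveSupport::SecurityUtils.secure_compare('é', 'é')` to pin down that comparison is byte-based rather than character-based. Without the mismatch case a regression that dropped the length check would still pass this suite.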
