Sha256: 434f96318d05f0f671cac6deb7b50c4edae939e2cdf226c3b9e2fa9a22e4fc92

Contents?: true

Size: 1.25 KB

Versions: 123

Compression:

Stored size: 1.25 KB

Contents

# frozen_string_literal: true

module ActiveSupport
  module SecurityUtils
    # Compares two strings of identical byte length without stopping at the
    # first differing byte.
    #
    # Intended for fixed-length values such as HMAC outputs. When the running
    # OpenSSL binding provides +fixed_length_secure_compare+, the call is
    # delegated to it; otherwise a pure-Ruby fallback is defined below.
    #
    # The fallback raises ArgumentError when the byte lengths differ and
    # returns +true+ only when every byte matches.
    if defined?(OpenSSL.fixed_length_secure_compare)
      def fixed_length_secure_compare(a, b)
        OpenSSL.fixed_length_secure_compare(a, b)
      end
    else
      def fixed_length_secure_compare(a, b)
        unless a.bytesize == b.bytesize
          raise ArgumentError, "string length mismatch."
        end

        expected = a.unpack("C*")

        # OR together the XOR of each byte pair: every byte is visited
        # regardless of where (or whether) the inputs differ, and the
        # accumulator only stays zero when all pairs are equal.
        diff = 0
        b.each_byte.with_index do |byte, index|
          diff |= byte ^ expected[index]
        end
        diff.zero?
      end
    end
    module_function :fixed_length_secure_compare

    # Compares two strings whose lengths may differ.
    #
    # Returns +false+ immediately when the byte sizes differ and otherwise
    # defers to +fixed_length_secure_compare+. Because of that early length
    # check, timing does not expose the secret's content but can expose its
    # length; keep this in mind when matching short or weak secrets against
    # user-supplied input. Where the length itself is sensitive, compare
    # fixed-size digests (e.g. HMACs of both values) instead.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize

      fixed_length_secure_compare(a, b)
    end
    module_function :secure_compare
  end
end

Version data entries

123 entries across 117 versions & 17 rubygems

Version Path
activesupport-7.0.8 lib/active_support/security_utils.rb
activesupport-7.0.7.2 lib/active_support/security_utils.rb
activesupport-6.1.7.6 lib/active_support/security_utils.rb
activesupport-7.0.7.1 lib/active_support/security_utils.rb
activesupport-6.1.7.5 lib/active_support/security_utils.rb
activesupport-7.0.7 lib/active_support/security_utils.rb
mlh-rubocop-config-1.0.2 vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.6/lib/active_support/security_utils.rb
fablicop-1.10.3 vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/security_utils.rb
fablicop-1.10.3 vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.6/lib/active_support/security_utils.rb
activesupport-7.0.6 lib/active_support/security_utils.rb
activesupport-7.0.5.1 lib/active_support/security_utils.rb
activesupport-6.1.7.4 lib/active_support/security_utils.rb
scrapbook-0.3.1 vendor/ruby/2.7.0/gems/activesupport-7.0.2.3/lib/active_support/security_utils.rb
scrapbook-0.3.1 vendor/ruby/2.7.0/gems/activesupport-6.1.6.1/lib/active_support/security_utils.rb
scrapbook-0.3.1 vendor/ruby/2.7.0/gems/activesupport-7.0.3.1/lib/active_support/security_utils.rb
rubypitaya-3.12.5 ./lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/activesupport-7.0.4/lib/active_support/security_utils.rb
fablicop-1.10.2 vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/security_utils.rb
activesupport-7.0.5 lib/active_support/security_utils.rb
fluent-plugin-google-cloud-logging-on-prem-0.1.0 vendor/ruby/3.1.0/gems/activesupport-7.0.4.3/lib/active_support/security_utils.rb
activesupport-7.0.4.3 lib/active_support/security_utils.rb