From 4b11dea3917f2101d7125a967877abf19c36317a Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Thu, 23 Oct 2014 10:58:43 -0300
Subject: Use AS secure_compare in AS::MessageVerifier

---
 activesupport/lib/active_support/message_verifier.rb | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

(limited to 'activesupport/lib/active_support/message_verifier.rb')

diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index 6cb2884fb7..4e0796f4f8 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -1,5 +1,6 @@
 require 'base64'
 require 'active_support/core_ext/object/blank'
+require 'active_support/security_utils'
 
 module ActiveSupport
   # +MessageVerifier+ makes it easy to generate and verify messages which are
@@ -37,7 +38,7 @@ module ActiveSupport
       raise InvalidSignature if signed_message.blank?
 
       data, digest = signed_message.split("--")
-      if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
+      if data.present? && digest.present? && ActiveSupport::SecurityUtils.secure_compare(digest, generate_digest(data))
         begin
           @serializer.load(::Base64.strict_decode64(data))
         rescue ArgumentError => argument_error
@@ -55,17 +56,6 @@ module ActiveSupport
     end
 
     private
-      # constant-time comparison algorithm to prevent timing attacks
-      def secure_compare(a, b)
-        return false unless a.bytesize == b.bytesize
-
-        l = a.unpack "C#{a.bytesize}"
-
-        res = 0
-        b.each_byte { |byte| res |= byte ^ l.shift }
-        res == 0
-      end
-
       def generate_digest(data)
         require 'openssl' unless defined?(OpenSSL)
         OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @secret, data)
-- 
cgit v1.2.3