From c8c660002f4b0e9606de96325f20b95248b6ff2d Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Thu, 23 Oct 2014 10:56:48 -0300
Subject: Add AS::SecurityUtils.secure_compare for constant time string
 comparison

---
 activesupport/lib/active_support/security_utils.rb | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 activesupport/lib/active_support/security_utils.rb

(limited to 'activesupport/lib/active_support')

diff --git a/activesupport/lib/active_support/security_utils.rb b/activesupport/lib/active_support/security_utils.rb
new file mode 100644
index 0000000000..64c4801179
--- /dev/null
+++ b/activesupport/lib/active_support/security_utils.rb
@@ -0,0 +1,20 @@
+module ActiveSupport
+  module SecurityUtils
+    # Constant time string comparison.
+    #
+    # The values compared should be of fixed length, such as strings
+    # that have already been processed by HMAC. This should not be used
+    # on variable length plaintext strings because it could leak length info
+    # via timing attacks.
+    def secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+    module_function :secure_compare
+  end
+end
-- 
cgit v1.2.3