Merge pull request #9 from stevegraham/bugfix/constant-time-string-co…

…mparison Perform constant time string comparison when validating signatures
mloughran · Jan 5, 2015 · e0db71e · e0db71e
2 parents 41f6de0 + a8f9c92
commit e0db71e
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/signature.rb b/lib/signature.rb
@@ -213,12 +213,18 @@ def validate_timestamp!(grace)
       end
 
       def validate_signature!(token)
-        unless @auth_hash["auth_signature"] == signature(token)
+        unless identical? @auth_hash["auth_signature"], signature(token)
           raise AuthenticationError, "Invalid signature: you should have "\
             "sent HmacSHA256Hex(#{string_to_sign.inspect}, your_secret_key)"\
             ", but you sent #{@auth_hash["auth_signature"].inspect}"
         end
         return true
       end
+
+      # Constant time string comparison
+      def identical?(a, b)
+        return false unless a.bytesize == b.bytesize
+        a.bytes.zip(b.bytes).reduce(0) { |memo, (a, b)| memo += a ^ b } == 0
+      end
   end
 end