Refactor Verifier#signatures_match? protecting against timing attack

Implements constant time string comparisong by XORing each byte in the string with each byte in the candidate string and OR all of that together. If the result is zero, then the strings are identical.
fernet · Jul 20, 2012 · 051161d · 051161d
1 parent 5301e5b
commit 051161d
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/fernet/verifier.rb b/lib/fernet/verifier.rb
@@ -35,7 +35,11 @@ def token_recent_enough?
     end
 
     def signatures_match?
-      @regenerated_mac == @received_signature
+      regenerated_bytes = @regenerated_mac.bytes.to_a
+      received_bytes    = @received_signature.bytes.to_a
+      received_bytes.inject(0) do |accum, byte|
+        accum |= byte ^ regenerated_bytes.shift
+      end.zero?
     end
   end
 end