ey-hmac 0.0.3 → 0.0.4

@@ -112,7 +112,8 @@ class Ey::Hmac::Adapter
112
112
  signature_value = authorization_match[2]
113
113
 
114
114
  if key_secret = block.call(key_id)
115
- if signature_value == (calculated_signature = signature(key_secret))
115
+ calculated_signature = signature(key_secret)
116
+ if secure_compare(signature_value, calculated_signature)
116
117
  else raise(Ey::Hmac::SignatureMismatch, "Calculated siganature #{signature_value} does not match #{calculated_signature} using #{canonicalize.inspect}")
117
118
  end
118
119
  else raise(Ey::Hmac::MissingSecret, "Failed to find secret matching #{key_id.inspect}")
@@ -123,4 +124,16 @@ class Ey::Hmac::Adapter
123
124
  true
124
125
  end
125
126
  alias authenticate! authenticated!
127
+
128
+ # Constant time string comparison.
129
+ # pulled from https://github.com/rack/rack/blob/master/lib/rack/utils.rb#L399
130
+ def secure_compare(a, b)
131
+ return false unless a.bytesize == b.bytesize
132
+
133
+ l = a.unpack("C*")
134
+
135
+ r, i = 0, -1
136
+ b.each_byte { |v| r |= v ^ l[i+=1] }
137
+ r == 0
138
+ end
126
139
  end
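Review bot: `secure_compare` (new line 130) calls `a.bytesize` and `b.bytesize` unconditionally, so a nil argument now raises NoMethodError where the replaced `==` simply evaluated false and fell through to SignatureMismatch; the caller passes `authorization_match[2]`, which can be nil if that capture group is optional (the regex is outside the hunk, so this is inferred). A guard such as `return false unless a && b && a.bytesize == b.bytesize` keeps malformed Authorization headers on the SignatureMismatch path rather than a 500. The method is added after `alias authenticate! authenticated!` with no `private` visible in the hunk, so it appears to join the adapter's public interface; `private :secure_compare` (or a `private` section) would keep it internal. The attribution comment's `#L399` anchor points at `master` and will drift, so pin it to a commit SHA, and it is worth noting in the comment that the early length check only reveals the length, which is acceptable because an HMAC digest has a fixed, public length. The enclosing class Ey::Hmac::Adapter begins outside the hunk.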
@@ -1,5 +1,5 @@
1
1
  module Ey
2
2
  module Hmac
3
- VERSION = "0.0.3"
3
+ VERSION = "0.0.4"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,15 +1,15 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ey-hmac
3
3
  version: !ruby/object:Gem::Version
4
+ version: 0.0.4
4
5
  prerelease:
5
- version: 0.0.3
6
6
  platform: ruby
7
7
  authors:
8
8
  - Josh Lane & Jason Hansen
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-02-06 00:00:00.000000000 Z
12
+ date: 2013-02-08 00:00:00.000000000 Z
13
13
  dependencies: []
14
14
  description: Lightweight HMAC signing libraries and middleware for Farday and Rack
15
15
  email: