Prevent timming attacks

nickelser · Nov 21, 2018 · 930918b · 930918b
1 parent d3a6fe5
commit 930918b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/lib/zhong/util.rb b/lib/zhong/util.rb
@@ -1,3 +1,5 @@
+require "digest"
+
 module Zhong
   module Util
     def safe_mget(keys)
@@ -9,5 +11,20 @@ def safe_mget(keys)
     end
 
     module_function :safe_mget
+
+    # Avoid timming attacks
+    # Based on: https://thisdata.com/blog/timing-attacks-against-string-comparison/
+    def safe_compare(a, b)
+      a = ::Digest::SHA256.hexdigest(a)
+      b = ::Digest::SHA256.hexdigest(b)
+
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+    module_function :safe_compare
+
   end
 end
diff --git a/lib/zhong/web.rb b/lib/zhong/web.rb
@@ -15,7 +15,7 @@ class Web < Sinatra::Base
     if ENV["ZHONG_WEB_USERNAME"] && ENV["ZHONG_WEB_PASSWORD"]
       # :nocov:
       use Rack::Auth::Basic, "Sorry." do |username, password|
-        username == ENV["ZHONG_WEB_USERNAME"] and password == ENV["ZHONG_WEB_PASSWORD"]
+        Zhong::Util.safe_compare(username, ENV["ZHONG_WEB_USERNAME"]) & Zhong::Util.safe_compare(password, ENV["ZHONG_WEB_PASSWORD"])
       end
       # :nocov:
     end