securecompare-1.0.0/0000755000175600017570000000000012732311161013403 5ustar pravipravisecurecompare-1.0.0/LICENSE0000644000175600017570000000205712732311161014414 0ustar pravipraviCopyright (c) 2013 Samuel Kadolph MIT License Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. securecompare-1.0.0/.travis.yml0000644000175600017570000000011512732311161015511 0ustar pravipravilanguage: ruby rvm: - 1.9.3 - jruby-19mode script: bundle exec rake test securecompare-1.0.0/README.md0000644000175600017570000000362712732311161014672 0ustar pravipravi[![Build Status](https://secure.travis-ci.org/samuelkadolph/securecompare.png?branch=master)](http://travis-ci.org/samuelkadolph/securecompare) [![Gem Version](https://badge.fury.io/rb/securecompare.png)](http://badge.fury.io/rb/securecompare) [![Dependency Status](https://gemnasium.com/samuelkadolph/securecompare.png)](https://gemnasium.com/samuelkadolph/securecompare) [![Code Climate](https://codeclimate.com/github/samuelkadolph/securecompare.png)](https://codeclimate.com/github/samuelkadolph/securecompare) # securecompare securecompare is a gem that implements a constant time string comparison method safe for use in cryptographic functions. ## Description securecompare borrows the `secure_compare` private method from `ActiveSupport::MessageVerifier` which lets you do safely compare strings without being vulnerable to timing attacks. Useful for Basic HTTP Authentication in your rack/rails application. ## Installation Add this line to your application's Gemfile: ```ruby gem "securecompare" ``` And then execute: ``` $ bundle install ``` Or install it yourself as: ``` $ gem install securecompare ``` ## Usage ```ruby require "securecompare" SecureCompare.compare("password", "password") # => true SecureCompare.compare("password", "passw0rd") # => false ``` ```ruby require "securecompare" class Password < String include SecureCompare def ==(other) secure_compare(self, other) end end Password.new("password") == "password" # => true Password.new("password") == "passw0rd" # => false ``` ```ruby require "securecompare" class ApplicationController < ActionController::Base include SecureCompare before_filter :authenticate proctected def authenticate authenticate_or_request_with_http_basic("My Rails App") do |username, password| secure_compare(username, "username") & secure_compare(password, "password") end end end ``` ## Contributing Fork, branch & pull request. securecompare-1.0.0/.gemspec.rb0000644000175600017570000000160512732311161015433 0ustar pravipraviclass Readme < String attr_reader :path def initialize(path) @path = path super(File.read(self.path)) end def summary if self =~ /^# (?:\S+)\s+(.+?)\s{2,}/m scrub $1 else raise "could not find summary in #{path}" end end def description if self =~ /^## Description\s+(.+?)\s{2,}/m scrub $1 else raise "could not find description in #{path}" end end private def scrub(string) string.delete("\\`").gsub(/\[([^\]]+)\]\([^)]*\)/, "\\1").tr("\n", " ").to_s end end class Files < Array def executables grep(%r{^bin/}) { |f| File.basename(f) } end def requires ["lib"] end def tests grep(%r{^(test|spec|features)/}) end end def files @files ||= Files.new(`git ls-files`.split($/)) end def readme(path = File.expand_path("./README.md")) (@readmes ||= {})[path] ||= Readme.new(path) end securecompare-1.0.0/test/0000755000175600017570000000000012732311161014362 5ustar pravipravisecurecompare-1.0.0/test/securecompare_test.rb0000644000175600017570000000143212732311161020603 0ustar pravipravirequire "test_helper" describe SecureCompare do it "should return true for equal strings" do SecureCompare.secure_compare("abc", "abc").must_equal(true) end it "should return false for not equal strings" do SecureCompare.secure_compare("abc", "def").must_equal(false) end it "should respond to compare" do SecureCompare.must_respond_to(:compare) end it "should add secure_compare to anything that includes it" do klass = Class.new klass.send(:include, SecureCompare) klass.private_instance_methods.include?(:secure_compare).must_equal(true) end it "should add secure_compare to anything that extends it" do klass = Class.new klass.send(:extend, SecureCompare) klass.private_methods.include?(:secure_compare).must_equal(true) end end securecompare-1.0.0/test/test_helper.rb0000644000175600017570000000015012732311161017221 0ustar pravipravirequire "minitest/autorun" require "minitest/benchmark" require "minitest/spec" require "securecompare" securecompare-1.0.0/Gemfile0000644000175600017570000000004712732311161014677 0ustar pravipravisource "https://rubygems.org" gemspec securecompare-1.0.0/lib/0000755000175600017570000000000012732311161014151 5ustar pravipravisecurecompare-1.0.0/lib/securecompare.rb0000644000175600017570000000072012732311161017332 0ustar pravipravimodule SecureCompare require "securecompare/version" # constant-time comparison algorithm to prevent timing attacks; borrowed from ActiveSupport::MessageVerifier def secure_compare(a, b) return false unless a.bytesize == b.bytesize l = a.unpack("C#{a.bytesize}") res = 0 b.each_byte { |byte| res |= byte ^ l.shift } res == 0 end module_function :secure_compare class << self alias_method :compare, :secure_compare end end securecompare-1.0.0/lib/securecompare/0000755000175600017570000000000012732311161017006 5ustar pravipravisecurecompare-1.0.0/lib/securecompare/version.rb0000644000175600017570000000005512732311161021020 0ustar pravipravimodule SecureCompare VERSION = "1.0.0" end securecompare-1.0.0/securecompare.gemspec0000644000175600017570000000143012732311161017603 0ustar pravipravirequire File.expand_path("../.gemspec", __FILE__) require File.expand_path("../lib/securecompare/version", __FILE__) Gem::Specification.new do |spec| spec.name = "securecompare" spec.version = SecureCompare::VERSION spec.authors = ["Samuel Kadolph"] spec.email = ["samuel@kadolph.com"] spec.description = readme.description spec.summary = readme.summary spec.homepage = "https://github.com/samuelkadolph/securecompare" spec.license = "MIT" spec.files = files spec.executables = files.executables spec.test_files = files.tests spec.require_paths = files.requires spec.required_ruby_version = ">= 1.9.3" spec.add_development_dependency "bundler", "~> 1.3" spec.add_development_dependency "rake" end securecompare-1.0.0/Rakefile0000644000175600017570000000030412732311161015045 0ustar pravipravi#!/usr/bin/env rake require "bundler/gem_tasks" require "rake/testtask" Rake::TestTask.new do |task| task.libs << "test" task.test_files = Dir["test/**/*_test.rb"] task.verbose = true end securecompare-1.0.0/.gitignore0000644000175600017570000000002312732311161015366 0ustar pravipravi/Gemfile.lock /pkg