Module: JWT::JWA::Hmac::SecurityUtils

Defined in:
lib/jwt/jwa/hmac.rb

Overview

Copy of github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb

Class Method Details

.fixed_length_secure_compare(a, b) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/jwt/jwa/hmac.rb', line 52

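# Constant-time comparison delegated to OpenSSL.
# OpenSSL raises ArgumentError when a and b differ in byte length.
def fixed_length_secure_compare(a, b)
  OpenSSL.fixed_length_secure_compare(a, b)
end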

.secure_compare(a, b) ⇒ Object

Secure string comparison for strings of variable length.

While a timing attack would not be able to discern the content of a secret compared via secure_compare, it is possible to determine the secret length. This should be considered when using secure_compare to compare weak, short secrets to user input.



# File 'lib/jwt/jwa/hmac.rb', line 71

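# The byte-length check runs first, so the fixed-length comparison never raises;
# only the length of the inputs can show up in timing.
def secure_compare(a, b)
  a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
end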
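
The following is an added example, not code from ruby-jwt or Rails. It re-creates the two helpers in a stand-alone module to show how they behave when verifying an HMAC-SHA256 tag, and one way to address the length caveat above by comparing fixed-size digests. The names ExampleSecurityUtils, hs256_tag, verify_hs256, length_mismatch_raises? and length_hiding_compare, and the key and signing input, are constructed for illustration.

```ruby
require 'openssl'

# Stand-alone copy of the two documented helpers (module name is hypothetical).
module ExampleSecurityUtils
  module_function

  def fixed_length_secure_compare(a, b)
    OpenSSL.fixed_length_secure_compare(a, b)
  end

  def secure_compare(a, b)
    a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
  end
end

# Constructed sample values, not real credentials.
DEMO_KEY   = 'constructed-demo-key'
DEMO_INPUT = 'constructed-header.constructed-payload'

# Compute the raw 32-byte HMAC-SHA256 tag over the signing input.
def hs256_tag(key, signing_input)
  OpenSSL::HMAC.digest('SHA256', key, signing_input)
end

# Verify a presented tag. An HMAC tag has a public, fixed length, so the
# length check in secure_compare reveals nothing useful to an attacker.
def verify_hs256(key, signing_input, presented_tag)
  ExampleSecurityUtils.secure_compare(hs256_tag(key, signing_input), presented_tag)
end

# Shows why callers use secure_compare for untrusted input: the fixed-length
# variant raises on a length mismatch instead of returning false.
def length_mismatch_raises?(a, b)
  ExampleSecurityUtils.fixed_length_secure_compare(a, b)
  false
rescue ArgumentError
  true
end

# Assumption: one way to handle the "weak, short secret" caveat is to hash
# both values first, so the compare step always sees two 32-byte strings
# and no longer short-circuits on the secret's length.
def length_hiding_compare(secret, candidate)
  sha = ->(s) { OpenSSL::Digest.new('SHA256').digest(s) }
  ExampleSecurityUtils.fixed_length_secure_compare(sha.call(secret), sha.call(candidate))
end
```
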