0001-add-timing-safe-string-compare-method.patch

     AC_CHECK_FUNCS(utimes)
     AC_CHECK_FUNCS(wait4)
     AC_CHECK_FUNCS(waitpid)
     AC_CHECK_FUNCS(consttime_memequal)
     AC_CHECK_FUNCS(timingsafe_memcmp)
     AS_IF([test "$ac_cv_func_getcwd" = yes], [
         AC_CACHE_CHECK(if getcwd allocates buffer if NULL is given, [rb_cv_getcwd_malloc],

         return str_eql(str1, str2);
+    }
     static inline int
     rb_consttime_memequal(const char *buf1, const char *buf2, long len)
+    {
     #if defined(HAVE_TIMINGSAFE_MEMCMP)
         return (timingsafe_memcmp(buf1, buf2, len) == 0);
     #elif defined(HAVE_CONSTTIME_MEMEQUAL)
         return (consttime_memequal(buf1, buf2, len) != 0);
     #else
         VALUE result;
         long idx;
         result = 0;
         idx = 0;
         if (UNALIGNED_WORD_ACCESS || !((VALUE)buf1 % sizeof(VALUE)) && !((VALUE)buf2 % sizeof(VALUE))) {
             for (; idx < len; idx += sizeof(VALUE)) {
                 result |= *(const VALUE *)(buf1+idx) ^ *(const VALUE *)(buf2+idx);
+            }
+        }
         for (; idx < len; idx++) {
             result |= buf1[idx] ^ buf2[idx];
+        }
         return (result == 0);
     #endif
+    }
     /*
      * call-seq:
      *   str.consttime_bytes_eq?(other)   -> true or false
+     *
      * Ignoring encoding, compares each byte of +str+ against +other+ in constant time.
      */
     static VALUE
     rb_str_consttime_bytes_eq(VALUE str1, VALUE str2)
+    {
         long len;
         str2 = StringValue(str2);
         len = RSTRING_LEN(str1);
         if (RSTRING_LEN(str2) != len) return Qfalse;
         if (rb_consttime_memequal(RSTRING_PTR(str1), RSTRING_PTR(str2), len) != 0) return Qtrue;
         return Qfalse;
+    }
     /*
      *  call-seq:
      *     string <=> other_string   -> -1, 0, +1 or nil
-...
         rb_define_method(rb_cString, "==", rb_str_equal, 1);
         rb_define_method(rb_cString, "===", rb_str_equal, 1);
         rb_define_method(rb_cString, "eql?", rb_str_eql, 1);
         rb_define_method(rb_cString, "consttime_bytes_eq?", rb_str_consttime_bytes_eq, 1);
         rb_define_method(rb_cString, "hash", rb_str_hash_m, 0);
         rb_define_method(rb_cString, "casecmp", rb_str_casecmp, 1);
         rb_define_method(rb_cString, "+", rb_str_plus, 1);

     require 'test/unit'
     require_relative 'envutil'
     require 'benchmark'
     # use of $= is deprecated after 1.7.1
     def pre_1_7_1
-...
         casetest(S("CaT"), S('cAt'), true) # find these in the case.
       end
       def test_consttime_bytes_eq # 'consttime_bytes_eq?'
         assert_equal(true, S("foo").consttime_bytes_eq?(S("foo")))
         assert_equal(false, S("foo").consttime_bytes_eq?(S("foO")))
         assert_equal(true, S("f\x00oo").consttime_bytes_eq?(S("f\x00oo")))
         assert_equal(false, S("f\x00oo").consttime_bytes_eq?(S("f\x00oO")))
       end
       def test_consttime_bytes_eq_timing
         # ensure using consttime_bytes_eq? takes almost exactly the same amount of time to compare two
         # different strings.
         # NOTE: this test may be susceptible to noise if the system running the tests is otherwise under
         # load.
         a = "x"*1024_000
         b = a+"y"
         c = "y"+a
         a << "x"
         def measure(&block)
           Benchmark.measure(&block).real
         end
         n = 10_000
         a_b_time = measure { n.times { a.consttime_bytes_eq?(b) } }
         a_c_time = measure { n.times { a.consttime_bytes_eq?(c) } }
         assert_in_delta(a_b_time, a_c_time, 0.25, "consttime_bytes_eq? timing test failed")
       end
       def test_capitalize
         assert_equal(S("Hello"),  S("hello").capitalize)
         assert_equal(S("Hello"),  S("hELLO").capitalize)
+    -

Project

General

Profile

Ruby » Ruby trunk