RT 4.2.14 Documentation

RT::Util


    # mimic our own recommended_filename
    # since MIME-tools 5.501, head->recommended_filename requires that the head be
    # MIME-encoded; we don't meet this requirement yet.

constant_time_eq($a, $b)

Compares two strings for equality in constant-time. Replacement for the eq operator designed to avoid timing side-channel vulnerabilities. Returns zero or one.

This is intended for use in cryptographic subsystems for comparing well-formed data such as hashes - not for direct use with user input or as a general replacement for the eq operator.

The two string arguments MUST be of equal length. If the lengths differ, this function will call die(), as proceeding with execution would create a timing vulnerability. Length is defined by characters, not bytes.

Strings that should be treated as binary octets rather than Unicode text should pass a true value for the binary flag.

This code has been tested to do what it claims. Do not change it without thorough statistical timing analysis to validate the changes.

Added to resolve CVE-2017-5361.

For more on timing attacks, see this Wikipedia article: https://en.wikipedia.org/wiki/Timing_attack
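The contract described above, worked through in Perl as an added illustration (this is not RT's own constant_time_eq code): the helper is named ct_eq, the key and payload are constructed sample values, and the handling of the binary flag (encoding character strings to octets before comparison) is this example's choice.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Illustrative constant-time comparison following the documented contract:
# equal-length precondition enforced with die(), optional binary flag,
# XOR-accumulated difference, result returned as 1 (equal) or 0 (not equal).
sub ct_eq {
    my ($left, $right, $binary) = @_;

    # With the binary flag, compare octets: character strings are encoded to
    # UTF-8 bytes; strings already in byte form are left untouched.
    if ($binary) {
        utf8::encode($left)  if utf8::is_utf8($left);
        utf8::encode($right) if utf8::is_utf8($right);
    }

    # A length mismatch is a caller bug, not an "unequal" result: a loop that
    # stopped at the shorter string would leak where the inputs diverge.
    die "ct_eq: arguments must be of equal length\n"
        unless length($left) == length($right);

    # OR together the XOR of every position; every position is visited
    # regardless of where (or whether) a mismatch occurs.
    my $diff = 0;
    for my $i (0 .. length($left) - 1) {
        $diff |= ord(substr($left, $i, 1)) ^ ord(substr($right, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Typical use: check a well-formed hex HMAC against a freshly computed one.
# Both digests are 64 hex characters, so the equal-length precondition holds
# and the length itself reveals nothing secret.
my $key     = 'constructed-demo-key';
my $payload = 'ticket=42&status=resolved';
my $good    = hmac_sha256_hex($payload, $key);
my $forged  = substr($good, 0, 63) . ($good =~ /f$/ ? '0' : 'f');

print "genuine : ", ct_eq($good, $good,   1), "\n";   # 1
print "forged  : ", ct_eq($good, $forged, 1), "\n";   # 0

# Lengths that differ are a programming error and terminate the comparison.
my $ok = eval { ct_eq('abc', 'abcd'); 1 };
print "mismatch: ", ($ok ? "returned\n" : "died: $@");
```

Unlike eq, which stops at the first differing character, the comparison above costs the same for every pair of equal-length inputs, which is the property the timing-attack mitigation relies on.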
