Add test to ensure constant time comparison stays constant

bdewater · arrtchiu · bdewater · commit 0c1a44525dfd · 2019-08-19T22:57:23.000-04:00
Co-authored-by: arrtchiu &lt;arrtchiu@gmail.com&gt;
diff --git a/test/test_ossl.rb b/test/test_ossl.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 require_relative "utils"
 
+require 'benchmark'
+
 if defined?(OpenSSL)
 
 class OpenSSL::OSSL < OpenSSL::SSLTestCase
@@ -23,6 +25,22 @@ def test_memcmp?
     refute OpenSSL.memcmp?("aaa", "bbb")
     assert_raises(ArgumentError) { OpenSSL.memcmp?("aaa", "bbbb") }
   end
+
+  def test_memcmp_timing
+    # ensure using consttime_bytes_eq? takes almost exactly the same amount of time to compare two
+    # different strings.
+    # NOTE: this test may be susceptible to noise if the system running the tests is otherwise under
+    # load.
+    a = "x" * 512_000
+    b = "#{a}y"
+    c = "y#{a}"
+    a = "#{a}x"
+
+    n = 10_000
+    a_b_time = Benchmark.measure { n.times { OpenSSL.memcmp?(a, b) } }.real
+    a_c_time = Benchmark.measure { n.times { OpenSSL.memcmp?(a, c) } }.real
+    assert_in_delta(a_b_time, a_c_time, 0.25, "memcmp? timing test failed")
+  end
 end
 
 end
