Category Archives: Programming

Where Are The Constant Time Comparisons on .NET?

Written by William Roush on May 25, 2017 at 9:31 am

When cryptography is involved, a major rule is king: never write your own cryptography code. Well if this is the case why am I writing my own constant time comparisons in .NET?

StackOverflow took down my post as “Opinion based” so I’m posting it here so it doesn’t end up delisted on Google. I should probably do a write-up on why I struggle to contribute to StackOverflow at some point…

Constant-time comparisons are extremely important in cryptography code. A normal comparison will bail early from the comparison process if a mismatch is found, however this can leak information about how many bytes you got right before the comparison failed. If you’re guessing some kind of key (eg: comparing an API key), this can be catastrophic.

There are currently two open implementations for constant-time comparison methods, one in BouncyCastle and one in SecurityDriven.Inferno: -Org.BouncyCastle.Utilities.Arrays – SecurityDriven.Inferno.Utils.ConstantTimeEqual see: Constant-time Equality

My biggest hangup with SecurityDriven.Inferno is that ConstantTimeEqual will throw if the lengths aren’t the same. Throwing incurs a lot of overhead and disrupts program flow and I’d rather stay away from it. So generally your option is BouncyCastle (Edit: Lex pointed out below that BouncyCastle leaks the length of the byte array, so if that is a concern to you then Inferno is probably more of what you’re looking for).


Ignoring SSL Certificate Errors On .NET Core On HttpClient

Written by William Roush on December 20, 2016 at 8:28 pm

Had a certificate expire at 8PM EST tonight on a critical project I was supposed to demo, wasn’t going to stop me… lots of articles don’t really go over how to do this now on .NET Core 1.0, so lets cover the code to do so:

using (var httpClientHandler = new HttpClientHandler())
   httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
   using (var client = new HttpClient(httpClientHandler))
       // Make request here.

Pretty simple, really.

RhodeCode Session Storage Growing Out Of Control

Written by William Roush on October 11, 2016 at 6:13 pm

Had a fun run in with RhodeCode recently, it’s session storage located at /home/rhodecode/.rccontrol/community-1/data/sessions was eating up 401981 inodes! Eek!

This is caused by the built-in default session manager lib not cleaning up old files, I had stumbled across this blog detailing how to “fix” it: and I ended up with this in my crontab:

0 1 * * * find /home/rhodecode/.rccontrol/community-1/data/sessions -type f -mtime +3 -exec rm {} \;

Alas this wasn’t really what I wanted, so I asked on the RhodeCode-Community Slack channel fix is to use something like the database for session storage as seen here:


A quick enabling of beaker’s database session storage and I was all better!


server.urls Paramter Not Working On Kestrel Server for dotnet Command on ASP.NET Core RC2

Written by William Roush on May 21, 2016 at 3:53 am

Was struggling really hard with getting this command to work:

dotnet run -- --server.urls http://*:5000

Simple command, but it isn’t taking! Well I missed one major thing when upgrading from RC1 to RC2, I need to now pass configuration down to the Kestrel stack, to do that is pretty easy:

        public static void Main(string[] args)
            var config = new ConfigurationBuilder()
                .AddEnvironmentVariables(prefix: "ASPNETCORE_")

            var host = new WebHostBuilder()


Needed to define the “config” variable and pass it to WebHostBuilder using UseConfiguration(). All fixed!