Make OpenSSL::HMAC#== compare in constant time instead of returning false

author: Bart de Water <bartdewater@gmail.com> 2019-11-03 10:18:36 -0500
committer: Samuel Williams <samuel.williams@oriontransfer.co.nz> 2019-11-04 06:55:39 +0900
commit: 664ba349e7a6995679e65db8deac6d11652f4697 (patch)
tree: 1da70bf8dac72fd7ed14201101437ade9101cc87 /ext
parent: 18a5b5e5ee6b937eccaab090eb4e5f82c8737fb7 (diff)
download: ruby-openssl-664ba349e7a6995679e65db8deac6d11652f4697.tar.gz
1 files changed, 2 insertions, 10 deletions
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
index 757754cd..2ac2e5c6 100644
--- a/ext/openssl/ossl_hmac.c
+++ b/ext/openssl/ossl_hmac.c
@@ -84,20 +84,12 @@ ossl_hmac_alloc(VALUE klass)
  *
  * === A note about comparisons
  *
- * Two instances won't be equal when they're compared, even if they have the
- * same value. For example:
+ * Two instances can be securely compared with #== in constant time:
  *
  *	other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
  *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
- *  instance
- *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *  instance == other_instance
- *  #=> false
- *
- * Use #digest and compare in constant time:
- *
- *	OpenSSL.fixed_length_secure_compare(instance.digest, other_instance.digest)
- *	#=> true
+ *  #=> true
  *
  */
 static VALUE
author	Bart de Water <bartdewater@gmail.com>	2019-11-03 10:18:36 -0500
committer	Samuel Williams <samuel.williams@oriontransfer.co.nz>	2019-11-04 06:55:39 +0900
commit	664ba349e7a6995679e65db8deac6d11652f4697 (patch)
tree	1da70bf8dac72fd7ed14201101437ade9101cc87 /ext
parent	18a5b5e5ee6b937eccaab090eb4e5f82c8737fb7 (diff)
download	ruby-openssl-664ba349e7a6995679e65db8deac6d11652f4697.tar.gz