Add OpenSSL.secure_compare with same semantics as Active Support >= 5.2

secure_compare is for user input, fixed_length_secure_compare for already processed data that is known to have the same length
author: Bart de Water <bartdewater@gmail.com> 2019-10-26 12:13:25 -0400
committer: Samuel Williams <samuel.williams@oriontransfer.co.nz> 2019-10-28 17:54:29 +1300
commit: 308fb199811d085c771e421eb304b4aedf501262 (patch)
tree: 6d7c16c61506d537db049797d881e5a4c5a20fbe /lib/openssl.rb
parent: 0faa750c223e2aec90637d895e23a3104266fd85 (diff)
download: ruby-openssl-308fb199811d085c771e421eb304b4aedf501262.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/openssl.rb b/lib/openssl.rb
index 09142829..47a8fc49 100644
--- a/lib/openssl.rb
+++ b/lib/openssl.rb
@@ -20,3 +20,17 @@ require 'openssl/digest'
 require 'openssl/x509'
 require 'openssl/ssl'
 require 'openssl/pkcs5'
+
+module OpenSSL
+  # call-seq:
+  #   OpenSSL.secure_compare(string, string) -> boolean
+  #
+  # Constant time memory comparison. Inputs are hashed using SHA-256 to mask
+  # the length of the secret. Returns +true+ if the strings are identical,
+  # +false+ otherwise.
+  def self.secure_compare(a, b)
+    hashed_a = OpenSSL::Digest::SHA256.digest(a)
+    hashed_b = OpenSSL::Digest::SHA256.digest(b)
+    OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b
+  end
+end
author	Bart de Water <bartdewater@gmail.com>	2019-10-26 12:13:25 -0400
committer	Samuel Williams <samuel.williams@oriontransfer.co.nz>	2019-10-28 17:54:29 +1300
commit	308fb199811d085c771e421eb304b4aedf501262 (patch)
tree	6d7c16c61506d537db049797d881e5a4c5a20fbe /lib/openssl.rb
parent	0faa750c223e2aec90637d895e23a3104266fd85 (diff)
download	ruby-openssl-308fb199811d085c771e421eb304b4aedf501262.tar.gz