Make OpenSSL::HMAC#== compare in constant time instead of returning false

author: Bart de Water <bartdewater@gmail.com> 2019-11-03 10:18:36 -0500
committer: Samuel Williams <samuel.williams@oriontransfer.co.nz> 2019-11-04 06:55:39 +0900
commit: 664ba349e7a6995679e65db8deac6d11652f4697 (patch)
tree: 1da70bf8dac72fd7ed14201101437ade9101cc87 /lib
parent: 18a5b5e5ee6b937eccaab090eb4e5f82c8737fb7 (diff)
download: ruby-openssl-664ba349e7a6995679e65db8deac6d11652f4697.tar.gz
2 files changed, 14 insertions, 0 deletions
diff --git a/lib/openssl.rb b/lib/openssl.rb
index ec143bc7..be296955 100644
--- a/lib/openssl.rb
+++ b/lib/openssl.rb
@@ -17,6 +17,7 @@ require_relative 'openssl/pkey'
 require_relative 'openssl/cipher'
 require_relative 'openssl/config'
 require_relative 'openssl/digest'
+require_relative 'openssl/hmac'
 require_relative 'openssl/x509'
 require_relative 'openssl/ssl'
 require_relative 'openssl/pkcs5'
diff --git a/lib/openssl/hmac.rb b/lib/openssl/hmac.rb
new file mode 100644
index 00000000..3d442761
--- /dev/null
+++ b/lib/openssl/hmac.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module OpenSSL
+  class HMAC
+    # Securely compare with another HMAC instance in constant time.
+    def ==(other)
+      return false unless HMAC === other
+      return false unless self.digest.bytesize == other.digest.bytesize
+
+      OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
+    end
+  end
+end
author	Bart de Water <bartdewater@gmail.com>	2019-11-03 10:18:36 -0500
committer	Samuel Williams <samuel.williams@oriontransfer.co.nz>	2019-11-04 06:55:39 +0900
commit	664ba349e7a6995679e65db8deac6d11652f4697 (patch)
tree	1da70bf8dac72fd7ed14201101437ade9101cc87 /lib
parent	18a5b5e5ee6b937eccaab090eb4e5f82c8737fb7 (diff)
download	ruby-openssl-664ba349e7a6995679e65db8deac6d11652f4697.tar.gz