author | Bart de Water <bartdewater@gmail.com> | 2019-10-26 12:13:25 -0400 |
---|---|---|
committer | Samuel Williams <samuel.williams@oriontransfer.co.nz> | 2019-10-28 17:54:29 +1300 |
commit | 308fb199811d085c771e421eb304b4aedf501262 (patch) | |
tree | 6d7c16c61506d537db049797d881e5a4c5a20fbe /lib | |
parent | 0faa750c223e2aec90637d895e23a3104266fd85 (diff) | |
download | ruby-openssl-308fb199811d085c771e421eb304b4aedf501262.tar.gz |
Add OpenSSL.secure_compare with same semantics as Active Support >= 5.2
secure_compare is for user input, fixed_length_secure_compare for already processed data that is known to have the same length
Diffstat (limited to 'lib')
-rw-r--r-- | lib/openssl.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/openssl.rb b/lib/openssl.rb index 09142829..47a8fc49 100644 --- a/lib/openssl.rb +++ b/lib/openssl.rb @@ -20,3 +20,17 @@ require 'openssl/digest' require 'openssl/x509' require 'openssl/ssl' require 'openssl/pkcs5' + +module OpenSSL + # call-seq: + # OpenSSL.secure_compare(string, string) -> boolean + # + # Constant time memory comparison. Inputs are hashed using SHA-256 to mask + # the length of the secret. Returns +true+ if the strings are identical, + # +false+ otherwise. + def self.secure_compare(a, b) + hashed_a = OpenSSL::Digest::SHA256.digest(a) + hashed_b = OpenSSL::Digest::SHA256.digest(b) + OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b + end +end |
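Review bot: the rdoc on `self.secure_compare` promises a "Constant time memory comparison", but the method body ends in `&& a == b`, an ordinary String comparison, and nothing in the comment explains why that is acceptable. Because of the `&&`, that operand is evaluated only after `OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b)` has returned true, so it runs only when the SHA-256 digests already match and serves as a guard against a digest collision. Please say so in a one-line comment above it, so that a later cleanup does not reorder the operands or drop the digest step. The rdoc should also carry the guidance that currently lives only in the commit message: `secure_compare` is for user input, and `fixed_length_secure_compare` is for already processed data known to have the same length. A cross-reference to `fixed_length_secure_compare` would help too, since this method depends on it and it is not defined in the lib/ part of the change shown here.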