From: shevegen@...
Date: 2019-02-04T12:55:04+00:00
Subject: [ruby-core:91392] [Ruby trunk Feature#10098] [PATCH] Timing-safe string comparison for OpenSSL::HMAC

Issue #10098 has been updated by shevegen (Robert A. Heiler).

I think String#const_time_eql? is not an ideal name either.

A problem with "secure" is that it can mean different things in different contexts; on class String this may be a bit more difficult since Strings in ruby can be so general purpose.

Perhaps the OpenSSL namespace could have somewhat more freedom to also accept names that are not absolutely perfect? Just as comparison - although I don't think #const_time_eql? is a very good name, I think it would fit a lot better into OpenSSL than it may fit towards class String as such.

> 'Secure' is a result of the fact it's a constant-time comparison.

Now I think that will surprise some people since they may wonder what secure has to do with any constant-time comparison per se. :)

(By the way, I think the word "compare", also as method name, is easier to reason for than e.g. "secure"; what would a "secure string" mean, for example? Would that be different or the same to a "tainted" string or is it a separate aspect? But that is just a side comment, I think Bart would like to see any forward decision towards the issue at hand considering he added it to the next upcoming developer meeting.)

----------------------------------------
Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
https://bugs.ruby-lang.org/issues/10098#change-76649

* Author: arrtchiu (Matt U)
* Status: Feedback
* Priority: Normal
* Assignee: matz (Yukihiro Matsumoto)
* Target version:
----------------------------------------
I could be totally wrong, but it seems the standard library doesn't provide a reliable way of comparing hashes in constant-time.

* The docs for `OpenSSL::HMAC` encourage the use of `Digest#to_s` (see: http://ruby-doc.org/stdlib-2.1.0/libdoc/openssl/rdoc/OpenSSL/HMAC.html#method-c-new )
* Ruby's string comparison uses memcmp, which isn't timing safe (see: http://rxr.whitequark.org/mri/source/string.c#2382 )

With this patch I propose to add an additional method, `OpenSSL::HMAC#verify`, which takes a binary string with a digest and compares it against the computed hash.

---Files--------------------------------
hmac-timing.patch (2.5 KB)
hmac-timing.patch (2.48 KB)
tsafe_eql.patch (2.48 KB)
tsafe_inline.patch (3.51 KB)
0001-add-timing-safe-string-compare-method.patch (4.31 KB)

--
https://bugs.ruby-lang.org/
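
The comparison problem described in the issue, as an added Ruby example (not code from the attached patches or from Ruby's OpenSSL binding). `early_exit_bytes_examined` models memcmp-style early exit by counting the bytes inspected, while `timing_safe_eql?` and `hmac_valid?` are hypothetical helpers that always inspect every byte; the key and message are constructed sample values.

```ruby
require "openssl"

# Models an early-exit comparison (the memcmp behaviour the issue describes):
# returns how many bytes were examined before the result was known. The count
# depends on where the first mismatch is, which is what timing can reveal.
def early_exit_bytes_examined(a, b)
  a.bytes.zip(b.bytes).each_with_index do |(x, y), i|
    return i + 1 if x != y
  end
  [a.bytesize, b.bytesize].min
end

# Constant-time equality for equal-length inputs: every byte pair is XOR-ed
# and OR-ed into an accumulator, so the loop never stops at a mismatch.
def timing_safe_eql?(a, b)
  # The length of a MAC is public, so rejecting on length leaks nothing secret.
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical helper in the spirit of the proposed verify method: takes the
# candidate digest as a binary string and compares it to the computed HMAC.
def hmac_valid?(key, data, candidate)
  expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, data)
  timing_safe_eql?(expected, candidate.b)
end

if __FILE__ == $PROGRAM_NAME
  key  = "k" * 32        # constructed sample key
  data = "amount=100"    # constructed sample message
  good = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, data)

  wrong_first = good.dup
  wrong_first.setbyte(0, wrong_first.getbyte(0) ^ 1)
  wrong_last = good.dup
  wrong_last.setbyte(31, wrong_last.getbyte(31) ^ 1)

  puts "early exit, first byte wrong: #{early_exit_bytes_examined(good, wrong_first)} byte(s) examined"
  puts "early exit, last byte wrong:  #{early_exit_bytes_examined(good, wrong_last)} byte(s) examined"
  puts "hmac_valid? good digest:      #{hmac_valid?(key, data, good)}"
  puts "hmac_valid? tampered digest:  #{hmac_valid?(key, data, wrong_last)}"
end
```
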