Issue #10098 has been updated by Matt U.


Thanks for the feedback!

Nobuyoshi Nakada wrote:
> * Indent style mismatch
> * Should try to convert the argument with `StringValue()`
Will fix - sorry, this is my first contribution!

> * Why HMAC only?  Other digests don't need it?
Good point, I thought since HMAC is for both redundancy and message authentication it made most sense on HMAC rather than all digests - but - I can see there would be use-cases for comparing other digests or other strings in a timing-safe manner.

> * Probably we should provide timing-safe binary compare function?
I think this makes the most sense :)
How about moving this to a method on `String` - e.g. `String#slow_eql?` or `String::timing_safe_eql?`? I'm terrible at naming things :)

----------------------------------------
Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
https://bugs.ruby-lang.org/issues/10098#change-48118

* Author: Matt U
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: next minor
----------------------------------------
I could be totally wrong, but it seems the standard library doesn't provide a reliable way of comparing hashes in constant-time.

* The docs for `OpenSSL::HMAC` encourage the use of `Digest#to_s` (see: http://ruby-doc.org/stdlib-2.1.0/libdoc/openssl/rdoc/OpenSSL/HMAC.html#method-c-new )
* Ruby's string comparison uses memcmp, which isn't timing safe (see: http://rxr.whitequark.org/mri/source/string.c#2382 )

With this patch I propose to add an additional method, `OpenSSL::HMAC#verify`, which takes a binary string with a digest and compares it against the computed hash.


---Files--------------------------------
hmac-timing.patch (2.5 KB)
hmac-timing.patch (2.48 KB)


-- 
https://bugs.ruby-lang.org/