From: arrtchiu@...
Date: 2014-07-29T05:59:23+00:00
Subject: [ruby-core:64114] [ruby-trunk - Feature #10098] [PATCH] Timing-safe string comparison for OpenSSL::HMAC

Issue #10098 has been updated by Matt U.


Nobuyoshi Nakada wrote:
> According to [notes on timingsafe_memcmp](http://www.tedunangst.com/flak/post/notes-on-timingsafe-memcmp),
> OpenBSD has [`timingsafe_memcmp()`](http://openbsd.cs.toronto.edu/cgi-bin/cvsweb/src/lib/libc/string/timingsafe_memcmp.c), and NetBSD has [`consttime_memequal()`](http://netbsd.gw.com/cgi-bin/man-cgi?consttime_memequal+3+NetBSD-current).

Wow, thank you for such detailed and valuable feedback (and an awesome patch!)

What do you think about extracting this to an (inline) method like `rb_timingsafe_memcmp(..)` which can then use the system-provided ones if they exist? Since this is moving into distro/platform-specific territory I'm not sure how this fits with Ruby's coding guidelines.

----------------------------------------
Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
https://bugs.ruby-lang.org/issues/10098#change-48125

* Author: Matt U
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: next minor
----------------------------------------
I could be totally wrong, but it seems the standard library doesn't provide a reliable way of comparing hashes in constant-time.

* The docs for `OpenSSL::HMAC` encourage the use of `Digest#to_s` (see: http://ruby-doc.org/stdlib-2.1.0/libdoc/openssl/rdoc/OpenSSL/HMAC.html#method-c-new )
* Ruby's string comparison uses memcmp, which isn't timing safe (see: http://rxr.whitequark.org/mri/source/string.c#2382 )

With this patch I propose to add an additional method, `OpenSSL::HMAC#verify`, which takes a binary string with a digest and compares it against the computed hash.


---Files--------------------------------
hmac-timing.patch (2.5 KB)
hmac-timing.patch (2.48 KB)
tsafe_eql.patch (2.48 KB)


-- 
https://bugs.ruby-lang.org/