Profile

arrtchiu (Matt U)

  • Login: arrtchiu
  • Email: arrtchiu@gmail.com
  • Registered on: 07/28/2014
  • Last sign in: 07/05/2016

Issues

                  open  closed  Total
Assigned issues   0     0       0
Reported issues   0     2       2

Activity

07/05/2016

09:51 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Yui, I'm a little confused. The patch you have in your comment looks timing-safe to me. Also I suggest taking a look at Nobu's improvements to my code, I definitely learned a lot more about speed after reading it.
Other things that do...
arrtchiu (Matt U)

02/25/2016

07:01 AM Ruby Bug #12109 (Rejected): Exception during class load can cause partially-loaded class
I noticed this bug using Rails, which lazy-loads classes (via ActiveSupport.)
Here's a minimal test case:
~~~ruby
#!/usr/bin/env ruby
begin
# simulate loading a class from file at runtime
eval %q{
class Foo
de...
~~~
arrtchiu (Matt U)
06:42 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Aleksandrs Ļedovskis wrote:
> Can someone clarify, what state is this feature in? Do we still need to get Matz's approval of String API change, or in light of Zachary's change "openssl" group gives the final call?
While still useful ...
arrtchiu (Matt U)

09/18/2014

09:50 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Keen to hear feedback if any. Completely understand there are many more important tickets than this one, but it would be great to see this feature in MRI soon!

Devise, one of the most popular frameworks, currently implements a timing-...
arrtchiu (Matt U)

08/23/2014

09:12 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Changelog:
* Renamed `rb_tsafe_eql` => `rb_consttime_memequal`.
* Renamed `rb_str_tsafe_eql` => `rb_str_consttime_bytes_eq`.
* Renamed `tsafe_eql?` => `consttime_bytes_eq?`.
* `rb_consttime_memequal` now has return type `int`.
* U...
arrtchiu (Matt U)

07/30/2014

02:07 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Nobuyoshi Nakada wrote:
> `rb_tsafe_eql()` doesn't need to be `VALUE`, `int` is OK.
> ...
I'll get these done. Your benchmark code demonstrated this pretty well so (if it's ok with you) I'll use that as a starting point.
cremno phob...
arrtchiu (Matt U)

07/29/2014

10:30 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
What are your thoughts on this new patch?
At the moment I'm using OSX and Linux, unable to test `timingsafe_memcmp()` and `consttime_memequal()`.
arrtchiu (Matt U)
05:59 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Nobuyoshi Nakada wrote:
> According to [notes on timingsafe_memcmp](http://www.tedunangst.com/flak/post/notes-on-timingsafe-memcmp),
> ...
Wow, thank you for such detailed and valuable feedback (and an awesome patch!)
What do you th...
arrtchiu (Matt U)
03:56 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Nobuyoshi Nakada wrote:
> `slow` is not the main concern here, IMHO.
> ...
Cleaned up (hopefully correctly) and moved to `String#tsafe_eql?`. Any ideas for a better name?
arrtchiu (Matt U)
01:39 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC
Thanks for the feedback!
Nobuyoshi Nakada wrote:
> * Indent style mismatch
> ...
Will fix - sorry, this is my first contribution!
> * Why HMAC only? Other digests don't need it?
Good point, I thought since HMAC is for both re...
arrtchiu (Matt U)
