arrtchiu (Matt U)

	open	closed	Total
Assigned issues	0	0	0
Reported issues	0	2	2

09:51 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Yui, I'm a little confused. The patch you have in your comment looks timing-safe to me. Also I suggest taking a look at Nobu's improvements to my code, I definitely learned a lot more about speed after reading it.
Other things that do... arrtchiu (Matt U)

07:01 AM Ruby Bug #12109 (Rejected): Exception during class load can cause partially-loaded class: I noticed this bug using Rails, which lazy-loads classes (via ActiveSupport.)
Here's a minimal test case:
~~~ruby
#!/usr/bin/env ruby
begin
# simulate loading a class from file at runtime
eval %q{
class Foo
de... arrtchiu (Matt U)
06:42 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Aleksandrs Ļedovskis wrote:
> Can someone clarify, what state is this feature in? Do we still need to get Matz's approval of String API change, or in light of Zachary's change "openssl" group gives the final call?
While still useful ... arrtchiu (Matt U)

09:50 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Keen to hear feedback if any. Completely understand there are many more important tickets than this one, but it would be great to see this feature in MRI soon!

Devise, one of the most popular frameworks currently implements a timing-... arrtchiu (Matt U)

09:12 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Changelog:
* Renamed `rb_tsafe_eql` => `rb_consttime_memequal`.
* Renamed `rb_str_tsafe_eql` => `rb_str_consttime_bytes_eq`.
* Renamed `tsafe_eql?` => `consttime_bytes_eq?`.
* `rb_consttime_memequal` now has return type `int`.
* U... arrtchiu (Matt U)

02:07 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Nobuyoshi Nakada wrote:
> `rb_tsafe_eql()` doesn't need to be `VALUE`, `int` is OK.
> ...
I'll get these done. Your benchmark code demonstrated this pretty well so (if it's ok with you) I'll use that as a starting point.
cremno phob... arrtchiu (Matt U)

10:30 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: What's your thoughts on this new patch?
At the moment I'm using OSX and Linux, unable to test `timingsafe_memcmp()` and `consttime_memequal()`. arrtchiu (Matt U)
05:59 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Nobuyoshi Nakada wrote:
> According to [notes on timingsafe_memcmp](http://www.tedunangst.com/flak/post/notes-on-timingsafe-memcmp),
> ...
Wow, thank you for such detailed and valuable feedback (and an awesome patch!)
What do you th... arrtchiu (Matt U)
03:56 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Nobuyoshi Nakada wrote:
> `slow` is not the main concern here, IMHO.
> ...
Cleaned up (hopefully correctly) and moved to `String#tsafe_eql?`. Any ideas for a better name?
arrtchiu (Matt U)
01:39 AM Ruby Feature #10098: [PATCH] Timing-safe string comparison for OpenSSL::HMAC: Thanks for the feedback!
Nobuyoshi Nakada wrote:
> * Indent style mismatch
> ...
Will fix - sorry, this is my first contribution!
> * Why HMAC only? Other digests don't need it?
Good point, I thought since HMAC is for both re... arrtchiu (Matt U)

Also available in: Atom

Ruby Issue Tracking System