ruby_rncryptor 3.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c80019973b935b1f0e103db228bf56c895354819
-  data.tar.gz: da313bcf46200818efa308af74bc2606bb1df055
+  metadata.gz: 198670f6550021801e7a3d827685ea0aa692e318
+  data.tar.gz: f4d4c09d8961d704346ccffaa5935e40cbdf4ada
 SHA512:
-  metadata.gz: 659d506bc5e569e0a1c449dee320d3a0f228df995510ec5094a7a3d617982fe9bc257d2fc27318051ea9392c8bd0dfc8ecd1faf97a5246fc41c96d911876b975
-  data.tar.gz: 8c0dc3e406987daceeb3931abefe86b74f70c74f7649f80dfad1ee5f3243ae4401be4afe2a72115fa917e0eec2e8cf6481000936fa63c851d4327d2f9ded78b4
+  metadata.gz: f5c9127520297db15f116f6ad907a72d8fb5982e5e09f770d177ec74d364a621226c3b4eb85393c232ebfdfd5077296102c2724fabd84599aa9cfd079c25786d
+  data.tar.gz: b44a4ee39a11848f96c19fde168508ada4b99091d3c2ff7909cdf10145c8354038b08d7d37e20f787a756e072b9abd9dc18a2b0fa1418484c8a788a2f7aa7a37

data/lib/ruby_rncryptor.rb

@@ -14,7 +14,7 @@ class RubyRNCryptor
 		version =			data[0,1]
 		raise "RubyRNCryptor only decrypts version 2 or 3" unless (version == "\x02" || version == "\x03")
 		options =			data[1,1]
-		encryption_salt = 	data[2,8]
+		encryption_salt =	data[2,8]
 		hmac_salt =			data[10,8]
 		iv =				data[18,16]
 		cipher_text =		data[34,data.length-66]
@@ -24,13 +24,13 @@ class RubyRNCryptor
 		
 		# Verify password is correct. First try with correct encoding
 		hmac_key = PKCS5.pbkdf2_hmac_sha1(password, hmac_salt, 10000, 32)
-		verified = [HMAC.hexdigest('sha256', hmac_key, msg)].pack('H*') == hmac
+		verified = eql_time_cmp([HMAC.hexdigest('sha256', hmac_key, msg)].pack('H*'), hmac)
 
 		if !verified && version == "\x02"
 			# Version 2 Cocoa version truncated multibyte passwords, so try truncating.
 			password = RubyRNCryptor.truncate_multibyte_password(password)
 			hmac_key = PKCS5.pbkdf2_hmac_sha1(password, hmac_salt, 10000, 32)
-			verified = [HMAC.hexdigest('sha256', hmac_key, msg)].pack('H*') == hmac
+			verified = eql_time_cmp([HMAC.hexdigest('sha256', hmac_key, msg)].pack('H*'), hmac)
 		end
 		
 		raise "Password may be incorrect, or the data has been corrupted. (HMAC could not be verified)" unless verified
@@ -41,7 +41,7 @@ class RubyRNCryptor
 		cipher.iv = iv
 		cipher.key = PKCS5.pbkdf2_hmac_sha1(password, encryption_salt, 10000, 32)
 
-		return cipher.update(cipher_text) + cipher.final
+		cipher.update(cipher_text) + cipher.final
 	end
 
 	def self.encrypt(data, password, version = 3)
@@ -66,14 +66,26 @@ class RubyRNCryptor
 		msg = version + options + encryption_salt + hmac_salt + iv + cipher_text
 		hmac = [HMAC.hexdigest('sha256', hmac_key, msg)].pack('H*')
 
-		return msg + hmac		 
+		msg + hmac
 	end
 
 	def self.truncate_multibyte_password(str)
 		if str.bytes.to_a.count == str.length
 			return str
 		end
-		return str.bytes.to_a[0...str.length].map {|c| c.chr}.join
+		str.bytes.to_a[0...str.length].map {|c| c.chr}.join
 	end
 	
+	# From http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/PKCS5.html#module-OpenSSL::PKCS5-label-Important+Note+on+Checking+Passwords
+	def self.eql_time_cmp(a, b)
+		unless a.length == b.length
+			return false
+		end
+		cmp = b.bytes.to_a
+		result = 0
+		a.bytes.each_with_index {|c,i|
+			result |= c ^ cmp[i]
+		}
+		result == 0
+	end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby_rncryptor
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - Erik Wrenholt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-20 00:00:00.000000000 Z
+date: 2016-01-25 00:00:00.000000000 Z
 dependencies: []
 description: Encrypt and Decrypt the RNCryptor format.
 email: erik@timestretch.com
@@ -17,7 +17,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/ruby_rncryptor.rb
-homepage: https://github.com/timestretch/RNCryptor/tree/master/ruby
+homepage: https://github.com/RNCryptor/ruby_rncryptor
 licenses:
 - MIT
 metadata: {}