tsscmp-ruby 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e0eeb7ed7d42f62404f62c36ac5dfbf489ae466e833e0047a6fc719f93723465
+  data.tar.gz: e8a08372125a3ff90b3f26ad2d5014514687b0eae8b9701996a45a1f4073531f
+SHA512:
+  metadata.gz: de7ec4cfa2b0a5d81478824d12f512a76faa17b8ff50afab7b6ed5daa0df30f3c58a1426a68e757796a114cb0c5aea197685cb78763fe264576e648a9eff1854
+  data.tar.gz: 21435b249a3088ad22675bd7257ac261701d050f7e570804fe9999ced76328c67be0889fd11b5d27feead86ef24f8ca987ece49dd11b048d4ec36935e0c8c654

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rubocop.yml

@@ -0,0 +1,6 @@
+LineLength:
+  Max: 120
+Style/Documentation:
+  Enabled: false
+CyclomaticComplexity:
+  Max: 10

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.2
+before_install: gem install bundler -v 2.0.1

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in tsscmp-ruby.gemspec
+gemspec
+
+group :development do
+  gem 'rubocop', require: false
+end

data/Gemfile.lock

@@ -0,0 +1,40 @@
+PATH
+  remote: .
+  specs:
+    tsscmp-ruby (0.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.0)
+    jaro_winkler (1.5.2)
+    minitest (5.11.3)
+    parallel (1.17.0)
+    parser (2.6.2.1)
+      ast (~> 2.4.0)
+    psych (3.1.0)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rubocop (0.67.2)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      psych (>= 3.1.0)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.6)
+    ruby-progressbar (1.10.0)
+    unicode-display_width (1.5.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  minitest (~> 5.0)
+  rake (~> 10.0)
+  rubocop
+  tsscmp-ruby!
+
+BUNDLED WITH
+   2.0.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 saka1
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,43 @@
+# tsscmp-ruby
+
+This gem provides timing-safe string compare with [double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/).
+It is inspired by [suryagh's tsscmp library](https://github.com/suryagh/tsscmp).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'tsscmp-ruby'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install tsscmp-ruby
+
+## Usage
+
+```ruby
+require 'tsscmp-ruby'
+
+Tsscmp.compare("a", "a") #=> true
+Tsscmp.compare("a", "b") #=> false
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/saka1/tsscmp-ruby.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## TODO
+
+- Statistical tests on timing-safe
+- Remove dependency to openssl
+

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task default: :test

data/lib/tsscmp.rb

@@ -0,0 +1,31 @@
+require 'tsscmp/version'
+
+require 'securerandom'
+require 'openssl'
+
+module Tsscmp
+  module_function
+
+  # Constant time string comparison.
+  #
+  # Returns true if the two arguments have same value, otherwise false.
+  def compare(a, b) # rubocop:disable Naming/UncommunicativeMethodParamName:
+    return false if a.nil? || b.nil?
+
+    # assume the arguments is String
+    raise TypeError unless a.is_a?(String) || b.is_a?(String)
+    return false unless a.size == b.size
+
+    key = SecureRandom.random_bytes(32)
+    ah = OpenSSL::HMAC.hexdigest('sha256', key, a)
+    bh = OpenSSL::HMAC.hexdigest('sha256', key, b)
+
+    # Implementation Note:
+    # `&& a == b` is a very very conservative comparison.
+    # In my opnion, `ah == bh` is enough to compare securely although several other implementations use the strictly method such as:
+    #  - https://github.com/rails/rails/blob/v5.2.3/activesupport/lib/active_support/security_utils.rb#L27
+    #  - https://github.com/suryagh/tsscmp/blob/v1.0.6/lib/index.js#L35
+    # So, as of the present time, I add `&& a == b`.
+    ah == bh && a == b
+  end
+end

data/lib/tsscmp/version.rb

@@ -0,0 +1,3 @@
+module Tsscmp
+  VERSION = '0.1.0'.freeze
+end

data/tsscmp-ruby.gemspec

@@ -0,0 +1,41 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'tsscmp/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'tsscmp-ruby'
+  spec.version       = Tsscmp::VERSION
+  spec.authors       = ['saka1']
+  spec.email         = ['github@saka1.net']
+
+  spec.summary       = 'Timing safe string compare with double HMAC pattern'
+  spec.description   = 'Timing safe string compare with double HMAC pattern'
+  spec.homepage      = 'https://github.com/saka1/tsscmp-ruby'
+  spec.license       = 'MIT'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    #spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
+
+    spec.metadata['homepage_uri'] = spec.homepage
+    spec.metadata['source_code_uri'] = 'https://github.com/saka1/tsscmp-ruby'
+    spec.metadata['changelog_uri'] = 'https://github.com/saka1/tsscmp-ruby'
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'minitest', '~> 5.0'
+  spec.add_development_dependency 'rake', '~> 10.0'
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: tsscmp-ruby
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- saka1
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-04-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Timing safe string compare with double HMAC pattern
+email:
+- github@saka1.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/tsscmp.rb
+- lib/tsscmp/version.rb
+- tsscmp-ruby.gemspec
+homepage: https://github.com/saka1/tsscmp-ruby
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/saka1/tsscmp-ruby
+  source_code_uri: https://github.com/saka1/tsscmp-ruby
+  changelog_uri: https://github.com/saka1/tsscmp-ruby
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Timing safe string compare with double HMAC pattern
+test_files: []