RubyGems - webauthn - Versions diffs - 1.7.0 → 1.8.0 - Mend

webauthn 1.7.0 → 1.8.0

Files changed (15) hide show

checksums.yaml +4 -4
data/.travis.yml +7 -2
data/CHANGELOG.md +12 -0
data/README.md +4 -0
data/lib/webauthn.rb +1 -0
data/lib/webauthn/attestation_statement.rb +3 -1
data/lib/webauthn/attestation_statement/base.rb +3 -1
data/lib/webauthn/authenticator_data/attested_credential_data.rb +1 -5
data/lib/webauthn/authenticator_response.rb +1 -1
data/lib/webauthn/client_data.rb +4 -1
data/lib/webauthn/error.rb +5 -0
data/lib/webauthn/security_utils.rb +35 -0
data/lib/webauthn/version.rb +1 -1
data/webauthn.gemspec +4 -4
metadata +21 -14

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 861ba8a05d52230a89d8ba009d93e656c42c7f9add389767f0cd3cf6bf97c8c2
-  data.tar.gz: a3c7d357340f381c4ea06e3ed8aa5711549573eb9f59e591a332f7224a55a2dd
+  metadata.gz: 0e9c0949f662e12a84d1810c564633cd6feec64b1f4ed9352a19260a1840d6fc
+  data.tar.gz: 30725d9ebd21ce4b77b548807a9c57014983e245183bc2c1179e7eb1580d0583
 SHA512:
-  metadata.gz: dcad6286a076eea7af7d3bfde6c708cb291a2d8102c8722db8a6372baedf6541df470d54717ed2c347a2f0e703a7bcf190cffbef9c8f90cbe6475064ee00f542
-  data.tar.gz: 8b28576e8ce15e632ca54e78fd4cf94ac2c34a506c84b085baa19623787e50d60eb0ed7253edbd87523639353a4cdb448c7bfc94dedf1563ae764e9ff1e4cd28
+  metadata.gz: f0499fa6c77cc863dfd325ad84e7bf746377b18e6260cbad692add3ac3a1e1508b5652e1536ef9f72a2614026c95ab71a026a73b96212bd54ab4e088e3ad9dd5
+  data.tar.gz: 122fd1cd5689b051a9c39744ee3d02dce099ff9f226d4b2278ae3baf2fe2aff0d1e6dc218bed9e19f3703eafb7a0e0d142055c01c5219449ac5f118a21b94813

data/.travis.yml CHANGED

@@ -1,12 +1,17 @@
+dist: xenial
 sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.6.0-preview3
+  - ruby-head
+  - 2.6.0
   - 2.5.3
   - 2.4.5
   - 2.3.8
 matrix:
   fast_finish: true
   allow_failures:
-    - rvm: 2.6.0-preview3
+    - rvm: ruby-head
+before_install:
+  - gem install bundler -v "~> 2.0"

data/CHANGELOG.md CHANGED

@@ -1,5 +1,16 @@
 # Changelog
+## [v1.8.0] - 2019-01-17
+### Added
+- Make challenge validation inside `#valid?` method resistant to timing attacks. Thank you @tomek-bt!
+- Support for ruby 2.6
+### Changed
+- Make current raised exception errors a bit more meaningful to aid debugging
 ## [v1.7.0] - 2018-11-08
 ### Added
@@ -104,6 +115,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
+[v1.8.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.7.0...v1.8.0/
 [v1.7.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.6.0...v1.7.0/
 [v1.6.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.5.0...v1.6.0/
 [v1.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.4.0...v1.5.0/

data/README.md CHANGED

@@ -198,6 +198,10 @@ Inspired in a subset of [Angular's Commit Message Guidelines](https://github.com
 Bug reports and pull requests are welcome on GitHub at https://github.com/cedarcode/webauthn-ruby.
+### Security
+If you have discovered a security bug, please send an email to security@cedarcode.com instead of posting to the GitHub issue tracker.
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/lib/webauthn.rb CHANGED

@@ -3,6 +3,7 @@
 require "cose/ecdsa"
 require "webauthn/authenticator_attestation_response"
 require "webauthn/authenticator_assertion_response"
+require "webauthn/security_utils"
 require "webauthn/version"
 require "base64"

data/lib/webauthn/attestation_statement.rb CHANGED

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
+require "webauthn/error"
 module WebAuthn
   module AttestationStatement
-    class FormatNotSupportedError < StandardError; end
+    class FormatNotSupportedError < Error; end
     ATTESTATION_FORMAT_NONE = "none"
     ATTESTATION_FORMAT_FIDO_U2F = "fido-u2f"

data/lib/webauthn/attestation_statement/base.rb CHANGED

@@ -1,9 +1,11 @@
 # frozen_string_literal: true
+require "webauthn/error"
 module WebAuthn
   module AttestationStatement
     class Base
-      class NotSupportedError < StandardError; end
+      class NotSupportedError < Error; end
       def initialize(statement)
         @statement = statement

data/lib/webauthn/authenticator_data/attested_credential_data.rb CHANGED

@@ -51,7 +51,7 @@ module WebAuthn
       end
       def public_key
-        @public_key ||= PublicKeyU2f.new(data_at(public_key_position, public_key_length))
+        @public_key ||= PublicKeyU2f.new(data_at(public_key_position))
       end
       def id_position
@@ -70,10 +70,6 @@ module WebAuthn
         id_position + id_length
       end
-      def public_key_length
-        data.size - (AAGUID_LENGTH + ID_LENGTH_LENGTH + id_length)
-      end
       def data_at(position, length = nil)
         length ||= data.size - position

data/lib/webauthn/authenticator_response.rb CHANGED

@@ -28,7 +28,7 @@ module WebAuthn
     end
     def valid_challenge?(original_challenge)
-      Base64.urlsafe_decode64(client_data.challenge) == original_challenge
+      WebAuthn::SecurityUtils.secure_compare(Base64.urlsafe_decode64(client_data.challenge), original_challenge)
     end
     def valid_origin?(original_origin)

data/lib/webauthn/client_data.rb CHANGED

@@ -1,8 +1,11 @@
 # frozen_string_literal: true
 require "openssl"
+require "webauthn/error"
 module WebAuthn
+  class ClientDataMissingError < Error; end
   class ClientData
     def initialize(client_data_json)
       @client_data_json = client_data_json
@@ -34,7 +37,7 @@ module WebAuthn
           if client_data_json
             JSON.parse(client_data_json)
           else
-            raise "Missing client_data_json"
+            raise ClientDataMissingError, "Client Data JSON is missing"
           end
         end
     end

data/lib/webauthn/error.rb ADDED

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module WebAuthn
+  class Error < StandardError; end
+end

data/lib/webauthn/security_utils.rb ADDED

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module WebAuthn
+  module SecurityUtils
+    # Constant time string comparison, for variable length strings.
+    # This code was adapted from Rails ActiveSupport::SecurityUtils
+    #
+    # The values are first processed by SHA256, so that we don't leak length info
+    # via timing attacks.
+    def secure_compare(first_string, second_string)
+      first_string_sha256 = ::Digest::SHA256.hexdigest(first_string)
+      second_string_sha256 = ::Digest::SHA256.hexdigest(second_string)
+      fixed_length_secure_compare(first_string_sha256, second_string_sha256) && first_string == second_string
+    end
+    module_function :secure_compare
+    private
+    # Constant time string comparison, for fixed length strings.
+    # This code was adapted from Rails ActiveSupport::SecurityUtils
+    #
+    # The values compared should be of fixed length, such as strings
+    # that have already been processed by HMAC. Raises in case of length mismatch.
+    def fixed_length_secure_compare(first_string, second_string)
+      raise ArgumentError, "string length mismatch." unless first_string.bytesize == second_string.bytesize
+      l = first_string.unpack "C#{first_string.bytesize}"
+      res = 0
+      second_string.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+    module_function :fixed_length_secure_compare
+  end
+end

data/lib/webauthn/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module WebAuthn
-  VERSION = "1.7.0"
+  VERSION = "1.8.0"
 end

data/webauthn.gemspec CHANGED

@@ -34,9 +34,9 @@ Gem::Specification.new do |spec|
   spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
   spec.add_dependency "openssl", "~> 2.0"
-  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 10.0"
-  spec.add_development_dependency "rake", "~> 12.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "rubocop", "0.60.0"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.8"
+  spec.add_development_dependency "rubocop", "0.61.1"
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-11-08 00:00:00.000000000 Z
+date: 2019-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -77,16 +77,22 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -107,42 +113,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.8'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.60.0
+        version: 0.61.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.60.0
+        version: 0.61.1
 description:
 email:
 - gonzalo@cedarcode.com
@@ -177,7 +183,9 @@ files:
 - lib/webauthn/authenticator_data/attested_credential_data/public_key_u2f.rb
 - lib/webauthn/authenticator_response.rb
 - lib/webauthn/client_data.rb
+- lib/webauthn/error.rb
 - lib/webauthn/fake_authenticator.rb
+- lib/webauthn/security_utils.rb
 - lib/webauthn/version.rb
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
@@ -202,8 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.7
+rubygems_version: 3.0.2
 signing_key:
 specification_version: 4
 summary: WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party