encrypted_cookie 0.0.3 → 0.0.4

data.tar.gz.sig CHANGED
Binary file
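--- a/data/Manifest
+++ b/data/Manifest
@@ -3,5 +3,4 @@ README.markdown
 Rakefile
 encrypted_cookie.gemspec
 lib/encrypted_cookie.rb
-pkg/encrypted_cookie-0.0.2.gem
 spec/encrypted_cookie_spec.rb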
data/Rakefile CHANGED
@@ -2,7 +2,7 @@ require 'rubygems'
2
2
  require 'rake'
3
3
  require 'echoe'
4
4
 
5
- Echoe.new('encrypted_cookie', '0.0.3') do |p|
5
+ Echoe.new('encrypted_cookie', '0.0.4') do |p|
6
6
  p.description = "Encrypted session cookies for Rack"
7
7
  p.url = "http://github.com/cvonkleist/encrypted_cookie"
8
8
  p.author = "Christian von Kleist"
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |s|
4
4
  s.name = %q{encrypted_cookie}
5
- s.version = "0.0.3"
5
+ s.version = "0.0.4"
6
6
 
7
7
  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
8
8
  s.authors = ["Christian von Kleist"]
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
11
11
  s.description = %q{Encrypted session cookies for Rack}
12
12
  s.email = %q{cvonkleist at-a-place-called gmail.com}
13
13
  s.extra_rdoc_files = ["README.markdown", "lib/encrypted_cookie.rb"]
14
- s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "pkg/encrypted_cookie-0.0.2.gem", "spec/encrypted_cookie_spec.rb"]
14
+ s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "spec/encrypted_cookie_spec.rb"]
15
15
  s.homepage = %q{http://github.com/cvonkleist/encrypted_cookie}
16
16
  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Encrypted_cookie", "--main", "README.markdown"]
17
17
  s.require_paths = ["lib"]
@@ -47,11 +47,10 @@ module Rack
47
47
  session_data = request.cookies[@key]
48
48
 
49
49
  if session_data
50
- #begin
51
- session_data = decrypt(session_data)
50
+ if session_data = decrypt(session_data)
52
51
  session_data, digest = session_data.split("--")
53
- session_data = nil unless digest == generate_hmac(session_data)
54
- #rescue OpenSSL::Cipher::Cipher
52
+ session_data = nil unless digest == generate_hmac(session_data)
53
+ end
55
54
  end
56
55
 
57
56
  begin
@@ -93,18 +92,29 @@ module Rack
93
92
  def encrypt(str)
94
93
  aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
95
94
  aes.key = @secret
96
- salt = OpenSSL::Random.random_bytes(aes.key_len)
97
95
  iv = OpenSSL::Random.random_bytes(aes.iv_len)
96
+ aes.iv = iv
98
97
  [iv + (aes.update(str) << aes.final)].pack('m0')
99
98
  end
100
99
 
100
+ # decrypts string. returns nil if an error occurs
101
+ #
102
+ # returns nil if openssl raises an error during decryption (likely
103
+ # someone is tampering with the session data, or the sinatra user was
104
+ # previously using Cookie and has just switched to EncryptedCookie), and
105
+ # will also return nil if the text to decrypt is too short to possibly be
106
+ # good aes data.
101
107
  def decrypt(str)
102
108
  str = str.unpack('m0').first
103
109
  aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
104
110
  aes.key = @secret
105
111
  iv = str[0, aes.iv_len]
112
+ aes.iv = iv
106
113
  crypted_text = str[aes.iv_len..-1]
114
+ return nil if crypted_text.nil? || iv.nil?
107
115
  aes.update(crypted_text) << aes.final
116
+ rescue
117
+ nil
108
118
  end
109
119
  end
110
120
  end
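Review bot: In decrypt the new `aes.iv = iv` line runs before the new `return nil if crypted_text.nil? || iv.nil?` guard, so a cookie that decodes to fewer than 16 bytes raises on the IV assignment and only the bare `rescue` turns that into nil; the guard itself is also too weak, because `iv` is a short non-nil string in that case and `crypted_text` can be empty or not a multiple of the block size. Move the check above the IV assignment as `return nil if str.length <= aes.iv_len`, and narrow the bare `rescue` to `rescue OpenSSL::Cipher::CipherError, ArgumentError` so cipher and strict-base64 failures still yield nil while genuine programming errors are no longer hidden. The earlier hunk (the `if session_data = decrypt(session_data)` block) still checks the HMAC only after decryption and with a plain `==`, so the cipher's padding check runs on unauthenticated, attacker-controlled ciphertext and the digest comparison is not constant-time; computing the HMAC over the ciphertext and verifying it (with a constant-time compare such as `Rack::Utils.secure_compare`, where the Rack version in use provides it) before calling decrypt would keep unauthenticated data out of the cipher, at the cost of invalidating existing cookies. The `Rack` module and the class enclosing decrypt begin before this hunk.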
@@ -56,7 +56,7 @@ describe EncryptedApp do
56
56
  str = CGI.unescape(data).unpack('m0').first
57
57
  aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
58
58
  aes.key = 'foo' * 10
59
- iv = str[0, aes.iv_len]
59
+ aes.iv = str[0, aes.iv_len]
60
60
  crypted_text = str[aes.iv_len..-1]
61
61
 
62
62
  plaintext = (aes.update(crypted_text) << aes.final)
@@ -86,7 +86,15 @@ describe EncryptedApp do
86
86
  get '/'
87
87
  last_response.body.should == 'session: {"foo"=>"bar"}'
88
88
 
89
- rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.instance_variable_set(:@name_and_value, 'rack.session=lkjsdlfkjsd')
89
+ # tamper with the cookie (too short to be aes data)
90
+ rack_mock_session.cookie_jar << Rack::Test::Cookie.new('rack.session=foo', URI.parse('http://example.org//'))
91
+
92
+ get '/'
93
+ last_response.body.should == 'session: {}'
94
+
95
+ # tamper with the cookie (long enough to attempt aes decryption)
96
+ rack_mock_session.cookie_jar << Rack::Test::Cookie.new('rack.session=foobarbaz', URI.parse('http://example.org//'))
97
+
90
98
  get '/'
91
99
  last_response.body.should == 'session: {}'
92
100
  end
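Review bot: The second tamper case sets `rack.session=foobarbaz` with a comment saying it is long enough to attempt AES decryption, but `foobarbaz` is nine characters, which the strict `unpack('m0')` used by decrypt is likely to reject before any cipher call, and even when decoded it would be shorter than the 16-byte IV, so this case probably exercises the base64 error path rather than the cipher. Build the value from real base64 of at least two blocks, e.g. `'rack.session=' + ['x' * 32].pack('m0')` (a constructed sample; the expected body stays `session: {}` because either the padding check or the HMAC comparison fails), so the assertion matches the comment. A case with correctly encrypted data whose appended digest is wrong is also absent, and that is the path the `--` split and `generate_hmac` comparison in the library exist to guard. The `it` block containing these assertions starts before the hunk.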
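--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: encrypted_cookie
 version: !ruby/object:Gem::Version
-hash: 25
+hash: 23
 prerelease: false
 segments:
 - 0
 - 0
-- 3
-version: 0.0.3
+- 4
+version: 0.0.4
 platform: ruby
 authors:
 - Christian von Kleist
@@ -55,7 +55,6 @@ files:
 - Rakefile
 - encrypted_cookie.gemspec
 - lib/encrypted_cookie.rb
-- pkg/encrypted_cookie-0.0.2.gem
 - spec/encrypted_cookie_spec.rb
 has_rdoc: true
 homepage: http://github.com/cvonkleist/encrypted_cookie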
metadata.gz.sig CHANGED
Binary file