encrypted_cookie 0.0.3 → 0.0.4

data.tar.gz.sig CHANGED
Binary file
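--- a/data/Manifest
+++ b/data/Manifest
@@ -3,5 +3,4 @@ README.markdown
 Rakefile
 encrypted_cookie.gemspec
 lib/encrypted_cookie.rb
-pkg/encrypted_cookie-0.0.2.gem
 spec/encrypted_cookie_spec.rb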
data/Rakefile CHANGED
@@ -2,7 +2,7 @@ require 'rubygems'
2
2
  require 'rake'
3
3
  require 'echoe'
4
4
 
5
- Echoe.new('encrypted_cookie', '0.0.3') do |p|
5
+ Echoe.new('encrypted_cookie', '0.0.4') do |p|
6
6
  p.description = "Encrypted session cookies for Rack"
7
7
  p.url = "http://github.com/cvonkleist/encrypted_cookie"
8
8
  p.author = "Christian von Kleist"
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |s|
4
4
  s.name = %q{encrypted_cookie}
5
- s.version = "0.0.3"
5
+ s.version = "0.0.4"
6
6
 
7
7
  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
8
8
  s.authors = ["Christian von Kleist"]
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
11
11
  s.description = %q{Encrypted session cookies for Rack}
12
12
  s.email = %q{cvonkleist at-a-place-called gmail.com}
13
13
  s.extra_rdoc_files = ["README.markdown", "lib/encrypted_cookie.rb"]
14
- s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "pkg/encrypted_cookie-0.0.2.gem", "spec/encrypted_cookie_spec.rb"]
14
+ s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "spec/encrypted_cookie_spec.rb"]
15
15
  s.homepage = %q{http://github.com/cvonkleist/encrypted_cookie}
16
16
  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Encrypted_cookie", "--main", "README.markdown"]
17
17
  s.require_paths = ["lib"]
@@ -47,11 +47,10 @@ module Rack
47
47
  session_data = request.cookies[@key]
48
48
 
49
49
  if session_data
50
- #begin
51
- session_data = decrypt(session_data)
50
+ if session_data = decrypt(session_data)
52
51
  session_data, digest = session_data.split("--")
53
- session_data = nil unless digest == generate_hmac(session_data)
54
- #rescue OpenSSL::Cipher::Cipher
52
+ session_data = nil unless digest == generate_hmac(session_data)
53
+ end
55
54
  end
56
55
 
57
56
  begin
@@ -93,18 +92,29 @@ module Rack
93
92
  def encrypt(str)
94
93
  aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
95
94
  aes.key = @secret
96
- salt = OpenSSL::Random.random_bytes(aes.key_len)
97
95
  iv = OpenSSL::Random.random_bytes(aes.iv_len)
96
+ aes.iv = iv
98
97
  [iv + (aes.update(str) << aes.final)].pack('m0')
99
98
  end
100
99
 
100
+ # decrypts string. returns nil if an error occurs
101
+ #
102
+ # returns nil if openssl raises an error during decryption (likely
103
+ # someone is tampering with the session data, or the sinatra user was
104
+ # previously using Cookie and has just switched to EncryptedCookie), and
105
+ # will also return nil if the text to decrypt is too short to possibly be
106
+ # good aes data.
101
107
  def decrypt(str)
102
108
  str = str.unpack('m0').first
103
109
  aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
104
110
  aes.key = @secret
105
111
  iv = str[0, aes.iv_len]
112
+ aes.iv = iv
106
113
  crypted_text = str[aes.iv_len..-1]
114
+ return nil if crypted_text.nil? || iv.nil?
107
115
  aes.update(crypted_text) << aes.final
116
+ rescue
117
+ nil
108
118
  end
109
119
  end
110
120
  end
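Review bot: The new `return nil if crypted_text.nil? || iv.nil?` guard sits after `aes.iv = iv`, so an empty or truncated cookie never benefits from it — `str[0, aes.iv_len]` returns a short string rather than nil when fewer than `iv_len` bytes remain, and both cases reach the cipher and rely on the bare `rescue` to turn the resulting exception into nil. Checking the length before touching the cipher states the intent the header comment describes: `return nil if str.bytesize < aes.iv_len + aes.block_size` directly after the `unpack`, after which the later guard can go. The bare `rescue` also reports problems the comment does not mean to cover (a `@secret` of the wrong length, a base64 `ArgumentError`) as an empty session; `rescue OpenSSL::Cipher::CipherError, ArgumentError` keeps the tamper path covered while leaving other failures visible. At the design level the CBC layer is unauthenticated: the HMAC in the first hunk of this file (`session_data = nil unless digest == generate_hmac(session_data)`) is computed over the plaintext, checked only after decryption, and compared with `==`, so a MAC over `iv + ciphertext` verified before `decrypt` is called (or an AEAD mode), compared with a constant-time routine such as `Rack::Utils.secure_compare`, would be the more robust structure. `decrypt` is entirely within the hunk, which also closes the enclosing class and module.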
@@ -56,7 +56,7 @@ describe EncryptedApp do
56
56
  str = CGI.unescape(data).unpack('m0').first
57
57
  aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
58
58
  aes.key = 'foo' * 10
59
- iv = str[0, aes.iv_len]
59
+ aes.iv = str[0, aes.iv_len]
60
60
  crypted_text = str[aes.iv_len..-1]
61
61
 
62
62
  plaintext = (aes.update(crypted_text) << aes.final)
@@ -86,7 +86,15 @@ describe EncryptedApp do
86
86
  get '/'
87
87
  last_response.body.should == 'session: {"foo"=>"bar"}'
88
88
 
89
- rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.instance_variable_set(:@name_and_value, 'rack.session=lkjsdlfkjsd')
89
+ # tamper with the cookie (too short to be aes data)
90
+ rack_mock_session.cookie_jar << Rack::Test::Cookie.new('rack.session=foo', URI.parse('http://example.org//'))
91
+
92
+ get '/'
93
+ last_response.body.should == 'session: {}'
94
+
95
+ # tamper with the cookie (long enough to attempt aes decryption)
96
+ rack_mock_session.cookie_jar << Rack::Test::Cookie.new('rack.session=foobarbaz', URI.parse('http://example.org//'))
97
+
90
98
  get '/'
91
99
  last_response.body.should == 'session: {}'
92
100
  end
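Review bot: The comment `# tamper with the cookie (long enough to attempt aes decryption)` does not match what `'rack.session=foobarbaz'` exercises: on a strict `m0` unpack a nine-character value is not valid base64 and raises before the cipher is built, and on a lenient decode it yields only about six bytes, still shorter than the 16-byte IV, so neither tampered cookie actually drives `aes.update`/`aes.final`. A value built as `['x' * 32].pack('m0')` (an IV plus one full block) would reach the cipher and cover the `rescue` path around `aes.final`. The spec also never covers a cookie that decrypts cleanly but carries a wrong digest, so the `digest == generate_hmac(...)` check in the library is only tested implicitly; encrypting a `"payload--baddigest"` string with the app's key and asserting the session comes back empty would pin it. The `it` block these lines belong to starts outside the hunk.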
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: encrypted_cookie
3
3
  version: !ruby/object:Gem::Version
4
- hash: 25
4
+ hash: 23
5
5
  prerelease: false
6
6
  segments:
7
7
  - 0
8
8
  - 0
9
- - 3
10
- version: 0.0.3
9
+ - 4
10
+ version: 0.0.4
11
11
  platform: ruby
12
12
  authors:
13
13
  - Christian von Kleist
@@ -55,7 +55,6 @@ files:
55
55
  - Rakefile
56
56
  - encrypted_cookie.gemspec
57
57
  - lib/encrypted_cookie.rb
58
- - pkg/encrypted_cookie-0.0.2.gem
59
58
  - spec/encrypted_cookie_spec.rb
60
59
  has_rdoc: true
61
60
  homepage: http://github.com/cvonkleist/encrypted_cookie
metadata.gz.sig CHANGED
Binary file