RubyGems - net-http-digest_auth - Versions diffs - 1.2.1 → 1.3 - Mend

net-http-digest_auth 1.2.1 → 1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/History.txt +10 -1
data/Rakefile +2 -0
data/lib/net/http/digest_auth.rb +21 -15
data/test/test_net_http_digest_auth.rb +13 -3
metadata +68 -89
metadata.gz.sig +4 -1

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: eb621ddbf77aa8455c2add5687d6ffb11ff5f3c6
+  data.tar.gz: 2a16c18f3591cb78ce5eb3a89f0bcda0ad5aa7d7
+SHA512:
+  metadata.gz: 1704fdbc76c94904ca541529d36d815f31b63cd5ffb2d5467661444d00aef0aef6d048510d6eec1f7d6dd4e6967dfb0e34d861cf9e33603fe2a2a58d5fc2095e
+  data.tar.gz: 71e3216a92033e862ff0f71dc3d85eca7119203fd29c402cf1fee5845df9d0902f4f5b2eb61b0317e0cf58b2a836d0d9fcbba0014f96ef5a3aaa71fa1a27d46d

checksums.yaml.gz.sig ADDED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/History.txt CHANGED

@@ -1,4 +1,13 @@
-=== 1.2.1
+=== 1.3 / 2012-03-28
+* Minor enhancements
+  * The cnonce is regenerated for every request to improve security.
+  * SecureRandom is used to generate the cnonce instead of Kernel#rand
+* Bug fix
+  * cnonce and nonce-count are no longer sent when qop was not provided per
+    RFC 2617 section 3.2.2.
+=== 1.2.1 / 2012-05-18
 * Bug fix
   * Fixed -sess authentication.  This also fixes pull request #4 by joe81

data/Rakefile CHANGED

@@ -14,6 +14,8 @@ Hoe.spec 'net-http-digest_auth' do
     'docs.seattlerb.org:/data/www/docs.seattlerb.org/net-http-digest_auth/'
   rdoc_locations <<
     'rubyforge.org:/var/www/gforge-projects/seattlerb/net-http-digest_auth/'
+  self.spec_extras[:required_ruby_version] = '>= 1.8.7'
 end
 # vim: syntax=Ruby

data/lib/net/http/digest_auth.rb CHANGED

@@ -1,7 +1,8 @@
 require 'cgi'
 require 'digest'
-require 'net/http'
 require 'monitor'
+require 'net/http'
+require 'securerandom'
 ##
 # An implementation of RFC 2617 Digest Access Authentication.
@@ -48,18 +49,14 @@ class Net::HTTP::DigestAuth
   ##
   # Version of Net::HTTP::DigestAuth you are using
-  VERSION = '1.2.1'
+  VERSION = '1.3'
   ##
   # Creates a new DigestAuth header creator.
-  #
-  # +cnonce+ is the client nonce value.  This should be an MD5 hexdigest of a
-  # secret value.
-  def initialize cnonce = make_cnonce
+  def initialize ignored = :ignored
     mon_initialize
     @nonce_count = -1
-    @cnonce = cnonce
   end
   ##
@@ -107,22 +104,23 @@ class Net::HTTP::DigestAuth
       sess = $2
     end
+    qop = params['qop']
+    cnonce = make_cnonce if qop or sess
     a1 = if sess then
            [ algorithm.hexdigest("#{user}:#{params['realm']}:#{password}"),
              params['nonce'],
-             @cnonce,
+             cnonce,
            ].join ':'
          else
            "#{user}:#{params['realm']}:#{password}"
          end
-    qop = params['qop']
     ha1 = algorithm.hexdigest a1
     ha2 = algorithm.hexdigest "#{method}:#{uri.request_uri}"
     request_digest = [ha1, params['nonce']]
-    request_digest.push(('%08x' % nonce_count), @cnonce, qop) if qop
+    request_digest.push(('%08x' % nonce_count), cnonce, qop) if qop
     request_digest << ha2
     request_digest = request_digest.join ':'
@@ -138,8 +136,12 @@ class Net::HTTP::DigestAuth
       end,
       "uri=\"#{uri.request_uri}\"",
       "nonce=\"#{params['nonce']}\"",
-      "nc=#{'%08x' % @nonce_count}",
-      "cnonce=\"#{@cnonce}\"",
+      if qop then
+        [
+          "nc=#{'%08x' % @nonce_count}",
+          "cnonce=\"#{cnonce}\"",
+        ]
+      end,
       "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"",
       if params.key? 'opaque' then
         "opaque=\"#{params['opaque']}\""
@@ -151,10 +153,14 @@ class Net::HTTP::DigestAuth
   ##
   # Creates a client nonce value that is used across all requests based on the
-  # current time.
+  # current time, process id and a random number
   def make_cnonce
-    Digest::MD5.hexdigest "%x" % (Time.now.to_i + rand(65535))
+    Digest::MD5.hexdigest [
+      Time.now.to_i,
+      $$,
+      SecureRandom.random_number(2**32),
+    ].join ':'
   end
   def next_nonce

data/test/test_net_http_digest_auth.rb CHANGED

@@ -28,7 +28,11 @@ class TestNetHttpDigestAuth < MiniTest::Unit::TestCase
       'response="67be92a5e7b38d08679957db04f5da04"'
     ]
-    @da = Net::HTTP::DigestAuth.new @cnonce
+    @da = Net::HTTP::DigestAuth.new
+    def @da.make_cnonce
+      '9ea5ff3bd34554a4165bbdc1df91dcff'
+    end
   end
   def expected
@@ -54,7 +58,9 @@ class TestNetHttpDigestAuth < MiniTest::Unit::TestCase
     @header.sub! ' qop="auth",', ''
     @expected[8] = 'response="32f6ca1631ccf7c42a8075deff44e470"'
-    @expected.slice! 3
+    @expected.delete 'qop=auth'
+    @expected.delete 'cnonce="9ea5ff3bd34554a4165bbdc1df91dcff"'
+    @expected.delete 'nc=00000000'
     assert_equal expected, @da.auth_header(@uri, @header, 'GET')
   end
@@ -101,7 +107,11 @@ class TestNetHttpDigestAuth < MiniTest::Unit::TestCase
   end
   def test_make_cnonce
-    assert_match %r%\A[a-f\d]{32}\z%, @da.make_cnonce
+    da = Net::HTTP::DigestAuth.new
+    cnonce = da.make_cnonce
+    assert_match %r%\A[a-f\d]{32}\z%, cnonce
+    refute_equal cnonce, da.make_cnonce
   end
   def test_next_nonce

metadata CHANGED

@@ -1,24 +1,18 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: net-http-digest_auth
-version: !ruby/object:Gem::Version
-  hash: 29
-  prerelease:
-  segments:
-  - 1
-  - 2
-  - 1
-  version: 1.2.1
+version: !ruby/object:Gem::Version
+  version: '1.3'
 platform: ruby
-authors:
+authors:
 - Eric Hodel
 autorequire:
 bindir: bin
-cert_chain:
+cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
   MIIDeDCCAmCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
   YWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZFgNu
-  ZXQwHhcNMTIwMjI4MTc1NDI1WhcNMTMwMjI3MTc1NDI1WjBBMRAwDgYDVQQDDAdk
+  ZXQwHhcNMTMwMjI4MDUyMjA4WhcNMTQwMjI4MDUyMjA4WjBBMRAwDgYDVQQDDAdk
   cmJyYWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZ
   FgNuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbbgLrGLGIDE76
   LV/cvxdEzCuYuS3oG9PrSZnuDweySUfdp/so0cDq+j8bqy6OzZSw07gdjwFMSd6J
@@ -29,80 +23,74 @@ cert_chain:
   sCANiQ8BAgMBAAGjezB5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
   BBS5k4Z75VSpdM0AclG2UvzFA/VW5DAfBgNVHREEGDAWgRRkcmJyYWluQHNlZ21l
   bnQ3Lm5ldDAfBgNVHRIEGDAWgRRkcmJyYWluQHNlZ21lbnQ3Lm5ldDANBgkqhkiG
-  9w0BAQUFAAOCAQEAPeWzFnrcvC6eVzdlhmjUub2s6qieBkongKRDHQz5MEeQv4LS
-  SARnoHY+uCAVL/1xGAhmpzqQ3fJGWK9eBacW/e8E5GF9xQcV3mE1bA0WNaiDlX5j
-  U2aI+ZGSblqvHUCxKBHR1s7UMHsbz1saOmgdRTyPx0juJs68ocbUTeYBLWu9V4KP
-  zdGAG2JXO2gONg3b4tYDvpBLbry+KOX27iAJulUaH9TiTOULL4ITJVFsK0mYVqmR
-  Q8Tno9S3e4XGGP1ZWfLrTWEJbavFfhGHut2iMRwfC7s/YILAHNATopaJdH9DNpd1
-  U81zGHMUBOvz/VGT6wJwYJ3emS2nfA2NOHFfgA==
+  9w0BAQUFAAOCAQEAOflo4Md5aJF//EetzXIGZ2EI5PzKWX/mMpp7cxFyDcVPtTv0
+  js/6zWrWSbd60W9Kn4ch3nYiATFKhisgeYotDDz2/pb/x1ivJn4vEvs9kYKVvbF8
+  V7MV/O5HDW8Q0pA1SljI6GzcOgejtUMxZCyyyDdbUpyAMdt9UpqTZkZ5z1sicgQk
+  5o2XJ+OhceOIUVqVh1r6DNY5tLVaGJabtBmJAYFVznDcHiSFybGKBa5n25Egql1t
+  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
+  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
   -----END CERTIFICATE-----
-date: 2012-05-18 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2013-03-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: minitest
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 21
-        segments:
-        - 2
-        - 11
-        version: "2.11"
+      - !ruby/object:Gem::Version
+        version: '4.6'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: rdoc
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.6'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 19
-        segments:
-        - 3
-        - 10
-        version: "3.10"
+      - !ruby/object:Gem::Version
+        version: '3.10'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: hoe
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.5'
   type: :development
-  version_requirements: *id003
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.5'
 description: |-
   An implementation of RFC 2617 - Digest Access Authentication.  At this time
   the gem does not drop in to Net::HTTP and can be used for with other HTTP
   clients.
   In order to use net-http-digest_auth you'll need to perform some request
   wrangling on your own.  See the class documentation at Net::HTTP::DigestAuth
   for an example.
-email:
+email:
 - drbrain@segment7.net
 executables: []
 extensions: []
-extra_rdoc_files:
+extra_rdoc_files:
 - History.txt
 - Manifest.txt
 - README.txt
-files:
+files:
 - .autotest
 - History.txt
 - Manifest.txt
@@ -113,39 +101,30 @@ files:
 - sample/net_http_example.rb
 - test/test_net_http_digest_auth.rb
 - .gemtest
-homepage: http://docs.seattlerb.org/net-http-digest_auth
+homepage: http://github.com/drbrain/net-http-digest_auth
 licenses: []
+metadata: {}
 post_install_message:
-rdoc_options:
+rdoc_options:
 - --main
 - README.txt
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project: net-http-digest_auth
-rubygems_version: 1.8.21
+rubygems_version: 2.0.3
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: An implementation of RFC 2617 - Digest Access Authentication
-test_files:
+test_files:
 - test/test_net_http_digest_auth.rb

metadata.gz.sig CHANGED

@@ -1 +1,4 @@
-3�l��)�s0�{p���*6�j��e�f?�<4m9�WE��%(�7�[߽���Pj/�\��)��_�v�dTϳeeIY�I�&����t�Pek���U��T��hN�36���W�ے��zt�2�ߞL���I#��ÈA�mtY{dH����V�s��0��ŌN�IwfX�=PS�>�b�O\����S.2����?)������_�J���޺�%�zH4�6�T)��&�El}+��_�7�A�;��Q5G�N歷�����ߕ
+�Zi:��X��bb��
+�6��S�lְ�뒠��)?��)���4&@�l�Bg!Z�w!phwzb����&{
+�Q���W7�C�0m|Od��$�+M�_�9*�#�x���9~�Ӿz˽�4?�[�^;
+5h�!L���Gi�/Z]�d��7���V�9럂L�k�8�k�pT-�7L��+���=�YR���Iq�"r��4Ns��\N]�jL�*��[O�,ϋv��{%��Y�ƍ.O�T_�