RubyGems - net-http-digest_auth - Versions diffs - 1.2.1 → 1.3 - Mend

net-http-digest_auth 1.2.1 → 1.3

Files changed (9) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/History.txt +10 -1
data/Rakefile +2 -0
data/lib/net/http/digest_auth.rb +21 -15
data/test/test_net_http_digest_auth.rb +13 -3
metadata +68 -89
metadata.gz.sig +4 -1

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: eb621ddbf77aa8455c2add5687d6ffb11ff5f3c6
+  data.tar.gz: 2a16c18f3591cb78ce5eb3a89f0bcda0ad5aa7d7
+SHA512:
+  metadata.gz: 1704fdbc76c94904ca541529d36d815f31b63cd5ffb2d5467661444d00aef0aef6d048510d6eec1f7d6dd4e6967dfb0e34d861cf9e33603fe2a2a58d5fc2095e
+  data.tar.gz: 71e3216a92033e862ff0f71dc3d85eca7119203fd29c402cf1fee5845df9d0902f4f5b2eb61b0317e0cf58b2a836d0d9fcbba0014f96ef5a3aaa71fa1a27d46d

checksums.yaml.gz.sig ADDED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/History.txt CHANGED

@@ -1,4 +1,13 @@
-=== 1.2.1
+=== 1.3 / 2012-03-28
+* Minor enhancements
+  * The cnonce is regenerated for every request to improve security.
+  * SecureRandom is used to generate the cnonce instead of Kernel#rand
+* Bug fix
+  * cnonce and nonce-count are no longer sent when qop was not provided per
+    RFC 2617 section 3.2.2.
+=== 1.2.1 / 2012-05-18
 * Bug fix
   * Fixed -sess authentication.  This also fixes pull request #4 by joe81

data/Rakefile CHANGED

@@ -14,6 +14,8 @@ Hoe.spec 'net-http-digest_auth' do
     'docs.seattlerb.org:/data/www/docs.seattlerb.org/net-http-digest_auth/'
   rdoc_locations <<
     'rubyforge.org:/var/www/gforge-projects/seattlerb/net-http-digest_auth/'
+  self.spec_extras[:required_ruby_version] = '>= 1.8.7'
 end
 # vim: syntax=Ruby

data/lib/net/http/digest_auth.rb CHANGED

@@ -1,7 +1,8 @@
 require 'cgi'
 require 'digest'
-require 'net/http'
 require 'monitor'
+require 'net/http'
+require 'securerandom'
 ##
 # An implementation of RFC 2617 Digest Access Authentication.
@@ -48,18 +49,14 @@ class Net::HTTP::DigestAuth
   ##
   # Version of Net::HTTP::DigestAuth you are using
-  VERSION = '1.2.1'
+  VERSION = '1.3'
   ##
   # Creates a new DigestAuth header creator.
-  #
-  # +cnonce+ is the client nonce value.  This should be an MD5 hexdigest of a
-  # secret value.
-  def initialize cnonce = make_cnonce
+  def initialize ignored = :ignored
     mon_initialize
     @nonce_count = -1
-    @cnonce = cnonce
   end
   ##
@@ -107,22 +104,23 @@ class Net::HTTP::DigestAuth
       sess = $2
     end
+    qop = params['qop']
+    cnonce = make_cnonce if qop or sess
     a1 = if sess then
            [ algorithm.hexdigest("#{user}:#{params['realm']}:#{password}"),
              params['nonce'],
-             @cnonce,
+             cnonce,
            ].join ':'
          else
            "#{user}:#{params['realm']}:#{password}"
          end
-    qop = params['qop']
     ha1 = algorithm.hexdigest a1
     ha2 = algorithm.hexdigest "#{method}:#{uri.request_uri}"
     request_digest = [ha1, params['nonce']]
-    request_digest.push(('%08x' % nonce_count), @cnonce, qop) if qop
+    request_digest.push(('%08x' % nonce_count), cnonce, qop) if qop
     request_digest << ha2
     request_digest = request_digest.join ':'
@@ -138,8 +136,12 @@ class Net::HTTP::DigestAuth
       end,
       "uri=\"#{uri.request_uri}\"",
       "nonce=\"#{params['nonce']}\"",
-      "nc=#{'%08x' % @nonce_count}",
-      "cnonce=\"#{@cnonce}\"",
+      if qop then
+        [
+          "nc=#{'%08x' % @nonce_count}",
+          "cnonce=\"#{cnonce}\"",
+        ]
+      end,
       "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"",
       if params.key? 'opaque' then
         "opaque=\"#{params['opaque']}\""
@@ -151,10 +153,14 @@ class Net::HTTP::DigestAuth
   ##
   # Creates a client nonce value that is used across all requests based on the
-  # current time.
+  # current time, process id and a random number
   def make_cnonce
-    Digest::MD5.hexdigest "%x" % (Time.now.to_i + rand(65535))
+    Digest::MD5.hexdigest [
+      Time.now.to_i,
+      $$,
+      SecureRandom.random_number(2**32),
+    ].join ':'
   end
   def next_nonce

data/test/test_net_http_digest_auth.rb CHANGED

@@ -28,7 +28,11 @@ class TestNetHttpDigestAuth < MiniTest::Unit::TestCase
       'response="67be92a5e7b38d08679957db04f5da04"'
     ]
-    @da = Net::HTTP::DigestAuth.new @cnonce
+    @da = Net::HTTP::DigestAuth.new
+    def @da.make_cnonce
+      '9ea5ff3bd34554a4165bbdc1df91dcff'
+    end
   end
   def expected
@@ -54,7 +58,9 @@ class TestNetHttpDigestAuth < MiniTest::Unit::TestCase
     @header.sub! ' qop="auth",', ''
     @expected[8] = 'response="32f6ca1631ccf7c42a8075deff44e470"'
-    @expected.slice! 3
+    @expected.delete 'qop=auth'
+    @expected.delete 'cnonce="9ea5ff3bd34554a4165bbdc1df91dcff"'
+    @expected.delete 'nc=00000000'
     assert_equal expected, @da.auth_header(@uri, @header, 'GET')
   end
@@ -101,7 +107,11 @@ class TestNetHttpDigestAuth < MiniTest::Unit::TestCase
   end
   def test_make_cnonce
-    assert_match %r%\A[a-f\d]{32}\z%, @da.make_cnonce
+    da = Net::HTTP::DigestAuth.new
+    cnonce = da.make_cnonce
+    assert_match %r%\A[a-f\d]{32}\z%, cnonce
+    refute_equal cnonce, da.make_cnonce
   end
   def test_next_nonce

metadata CHANGED

@@ -1,24 +1,18 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: net-http-digest_auth
-version: !ruby/object:Gem::Version
-  hash: 29
-  prerelease:
-  segments:
-  - 1
-  - 2
-  - 1
-  version: 1.2.1
+version: !ruby/object:Gem::Version
+  version: '1.3'
 platform: ruby
-authors:
+authors:
 - Eric Hodel
 autorequire:
 bindir: bin
-cert_chain:
+cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
   MIIDeDCCAmCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
   YWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZFgNu
-  ZXQwHhcNMTIwMjI4MTc1NDI1WhcNMTMwMjI3MTc1NDI1WjBBMRAwDgYDVQQDDAdk
+  ZXQwHhcNMTMwMjI4MDUyMjA4WhcNMTQwMjI4MDUyMjA4WjBBMRAwDgYDVQQDDAdk
   cmJyYWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZ
   FgNuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbbgLrGLGIDE76
   LV/cvxdEzCuYuS3oG9PrSZnuDweySUfdp/so0cDq+j8bqy6OzZSw07gdjwFMSd6J
@@ -29,80 +23,74 @@ cert_chain:
   sCANiQ8BAgMBAAGjezB5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
   BBS5k4Z75VSpdM0AclG2UvzFA/VW5DAfBgNVHREEGDAWgRRkcmJyYWluQHNlZ21l
   bnQ3Lm5ldDAfBgNVHRIEGDAWgRRkcmJyYWluQHNlZ21lbnQ3Lm5ldDANBgkqhkiG
-  9w0BAQUFAAOCAQEAPeWzFnrcvC6eVzdlhmjUub2s6qieBkongKRDHQz5MEeQv4LS
-  SARnoHY+uCAVL/1xGAhmpzqQ3fJGWK9eBacW/e8E5GF9xQcV3mE1bA0WNaiDlX5j
-  U2aI+ZGSblqvHUCxKBHR1s7UMHsbz1saOmgdRTyPx0juJs68ocbUTeYBLWu9V4KP
-  zdGAG2JXO2gONg3b4tYDvpBLbry+KOX27iAJulUaH9TiTOULL4ITJVFsK0mYVqmR
-  Q8Tno9S3e4XGGP1ZWfLrTWEJbavFfhGHut2iMRwfC7s/YILAHNATopaJdH9DNpd1
-  U81zGHMUBOvz/VGT6wJwYJ3emS2nfA2NOHFfgA==
+  9w0BAQUFAAOCAQEAOflo4Md5aJF//EetzXIGZ2EI5PzKWX/mMpp7cxFyDcVPtTv0
+  js/6zWrWSbd60W9Kn4ch3nYiATFKhisgeYotDDz2/pb/x1ivJn4vEvs9kYKVvbF8
+  V7MV/O5HDW8Q0pA1SljI6GzcOgejtUMxZCyyyDdbUpyAMdt9UpqTZkZ5z1sicgQk
+  5o2XJ+OhceOIUVqVh1r6DNY5tLVaGJabtBmJAYFVznDcHiSFybGKBa5n25Egql1t
+  KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
+  wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
   -----END CERTIFICATE-----
-date: 2012-05-18 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2013-03-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: minitest
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 21
-        segments:
-        - 2
-        - 11
-        version: "2.11"
+      - !ruby/object:Gem::Version
+        version: '4.6'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: rdoc
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.6'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 19
-        segments:
-        - 3
-        - 10
-        version: "3.10"
+      - !ruby/object:Gem::Version
+        version: '3.10'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: hoe
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.5'
   type: :development
-  version_requirements: *id003
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.5'
 description: |-
   An implementation of RFC 2617 - Digest Access Authentication.  At this time
   the gem does not drop in to Net::HTTP and can be used for with other HTTP
   clients.
   In order to use net-http-digest_auth you'll need to perform some request
   wrangling on your own.  See the class documentation at Net::HTTP::DigestAuth
   for an example.
-email:
+email:
 - drbrain@segment7.net
 executables: []
 extensions: []
-extra_rdoc_files:
+extra_rdoc_files:
 - History.txt
 - Manifest.txt
 - README.txt
-files:
+files:
 - .autotest
 - History.txt
 - Manifest.txt
@@ -113,39 +101,30 @@ files:
 - sample/net_http_example.rb
 - test/test_net_http_digest_auth.rb
 - .gemtest
-homepage: http://docs.seattlerb.org/net-http-digest_auth
+homepage: http://github.com/drbrain/net-http-digest_auth
 licenses: []
+metadata: {}
 post_install_message:
-rdoc_options:
+rdoc_options:
 - --main
 - README.txt
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project: net-http-digest_auth
-rubygems_version: 1.8.21
+rubygems_version: 2.0.3
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: An implementation of RFC 2617 - Digest Access Authentication
-test_files:
+test_files:
 - test/test_net_http_digest_auth.rb

metadata.gz.sig CHANGED

@@ -1 +1,4 @@
-3�l��)�s0�{p���*6�j��e�f?�<4m9�WE��%(�7�[߽���Pj/�\��)��_�v�dTϳeeIY�I�&����t�Pek���U��T��hN�36���W�ے��zt�2�ߞL���I#��ÈA�mtY{dH����V�s��0��ŌN�IwfX�=PS�>�b�O\����S.2����?)������_�J���޺�%�zH4�6�T)��&�El}+��_�7�A�;��Q5G�N歷�����ߕ
+�Zi:��X��bb��
+�6��S�lְ�뒠��)?��)���4&@�l�Bg!Z�w!phwzb����&{
+�Q���W7�C�0m|Od��$�+M�_�9*�#�x���9~�Ӿz˽�4?�[�^;
+5h�!L���Gi�/Z]�d��7���V�9럂L�k�8�k�pT-�7L��+���=�YR���Iq�"r��4Ns��\N]�jL�*��[O�,ϋv��{%��Y�ƍ.O�T_�