sirp 2.0.0.pre

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 09ad55f348720fdef0cd77d90bc9f166db80cc59
+  data.tar.gz: 0b664333742d32311c3e6a8b3269cdd482fa395f
+SHA512:
+  metadata.gz: d89cecbbf3761e596eba3953adcb22af3ca25507068d0186728a6febb3fc72e6549885b04fa202d25eef736eab066eed22cdc59b4f2dfc59193bbd4a29a513c4
+  data.tar.gz: 9e0b5e09f86ec07eb5db4ad2c61509749ae7e38c36645b39101fa21ce2dd0ddb6692a984e9a6896ba61e6cbe376172ba0a14beaa698b7c268954d7e82e13c1b4

data.tar.gz.sig

@@ -0,0 +1 @@
+AL��[�o��k��N���V���7"��a*R}*ʶ�5�a�*�̞S���l��,k���È���"6:��v�H��1ۂ<�QC�����ifo�j�7(�A��#�����J��	~ӂb?��p�B��\r�e�	d���yq���)�N��jyMj���c�7#�Ʃ���	4�a'���n���{>"!g�h������D�[//�I�O�3��~ϋ����׾�.)#gRr

data/.coco.yml

@@ -0,0 +1,7 @@
+:include:
+  - lib
+:exclude:
+  - spec
+  - lib/sirp/version.rb
+:theme: dark
+:show_link_in_terminal: true

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/examples/.bundle/
+/examples/Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,32 @@
+AllCops:
+  # Exclude:
+    # - 'spec/**/*'
+  UseCache: false
+
+Style/VariableName:
+  Description: 'Use the configured style when naming variables.'
+  StyleGuide: 'https://github.com/bbatsov/ruby-style-guide#snake-case-symbols-methods-vars'
+  Enabled: false
+
+Metrics/ModuleLength:
+  Enabled: false
+
+Metrics/ParameterLists:
+  Enabled: false
+
+Metrics/LineLength:
+  Description: 'Limit lines to 80 characters.'
+  StyleGuide: 'https://github.com/bbatsov/ruby-style-guide#80-character-limits'
+  Enabled: false
+
+Style/Documentation:
+  Description: 'Document classes and non-namespace modules.'
+  Enabled: false
+
+Style/FormatString:
+  Description: 'Enforce the use of Kernel#sprintf, Kernel#format or String#%.'
+  StyleGuide: 'https://github.com/bbatsov/ruby-style-guide#sprintf'
+  Enabled: false
+
+Style/MethodName:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 2.1.0
+  - 2.2.4
+  - 2.3.1
+before_install: gem install bundler -v 1.12.1

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# CHANGELOG
+
+## v2.0.0.pre (5/13/2016)
+
+This is the initial pre-release of the sirp gem.
+
+It is for review only and should not yet be used in production.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in sirp.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,24 @@
+Copyright (c) 2016, Glenn Rempe, Mikael Lammentausta
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL Glenn Rempe or Mikael Lammentausta BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,231 @@
+# SiRP : Secure (interoperable) Remote Password Authentication
+
+[![Gem Version](https://badge.fury.io/rb/sirp.svg)](https://badge.fury.io/rb/sirp)
+[![Dependency Status](https://gemnasium.com/badges/github.com/grempe/sirp.svg)](https://gemnasium.com/github.com/grempe/sirp)
+[![Build Status](https://travis-ci.org/grempe/sirp.svg?branch=master)](https://travis-ci.org/grempe/sirp)
+[![Coverage Status](https://coveralls.io/repos/github/grempe/sirp/badge.svg?branch=master)](https://coveralls.io/github/grempe/sirp?branch=master)
+[![Code Climate](https://codeclimate.com/github/grempe/sirp/badges/gpa.svg)](https://codeclimate.com/github/grempe/sirp)
+[![Inline docs](http://inch-ci.org/github/grempe/sirp.svg?branch=master)](http://inch-ci.org/github/grempe/sirp)
+
+Ruby Docs : [http://www.rubydoc.info/gems/sirp](http://www.rubydoc.info/gems/sirp)
+
+
+This is a pure Ruby implementation of the
+[Secure Remote Password](http://srp.stanford.edu/) protocol (SRP-6a),
+which is a 'zero-knowledge' mutual authentication system.
+
+SiRP is an authentication method that allows the use of user names and passwords
+over an insecure network connection without revealing the password. If either the
+client lacks the user's password or the server lacks the proper verification
+key, the authentication will fail. This approach is much more secure than the
+vast majority of authentication systems in daily use since the password is
+***never*** sent over the wire, and is therefore impossible to intercept, and
+impossible to be revealed in a breach unless the verifier can be reversed. This
+attack would be of similar difficulty as deriving a private encryption key from
+its public key.
+
+Unlike other common challenge-response authentication protocols, such as
+Kerberos and SSL, SiRP does not rely on an external infrastructure of trusted
+key servers or complex certificate management.
+
+## Documentation
+
+There is pretty extensive inline documentation. You can view the latest
+auto-generated docs at [http://www.rubydoc.info/gems/sirp](http://www.rubydoc.info/gems/sirp)
+
+You can check my documentation quality score at
+[http://inch-ci.org/github/grempe/sirp](http://inch-ci.org/github/grempe/sirp?branch=master)
+
+## Supported Platforms
+
+SiRP is continuously integration tested on the following Ruby VMs:
+
+* MRI 2.1, 2.2, 2.3
+
+It may work on others as well.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'sirp', '~> 2.0'
+```
+
+And then execute:
+```sh
+$ bundle
+```
+
+Or install it yourself as:
+
+```sh
+$ gem install sirp
+```
+
+### Installation Security : Signed Ruby Gem
+
+The SiRP gem is cryptographically signed. To be sure the gem you install hasn’t
+been tampered with you can install it using the following method:
+
+Add my public key (if you haven’t already) as a trusted certificate
+
+```
+# Caveat: Gem certificates are trusted globally, such that adding a
+# cert.pem for one gem automatically trusts all gems signed by that cert.
+gem cert --add <(curl -Ls https://raw.github.com/grempe/sirp/master/certs/gem-public_cert_grempe.pem)
+```
+
+To install, it is possible to specify either `HighSecurity` or `MediumSecurity`
+mode. Since the `sirp` gem depends on one or more gems that are not cryptographically
+signed you will likely need to use `MediumSecurity`. You should receive a warning
+if any signed gem does not match its signature.
+
+```
+# All dependent gems must be signed and verified.
+gem install sirp -P HighSecurity
+```
+
+```
+# All signed dependent gems must be verified.
+gem install sirp -P MediumSecurity
+```
+
+```
+# Same as above, except Bundler only recognizes
+# the long --trust-policy flag, not the short -P
+bundle --trust-policy MediumSecurity
+```
+
+You can [learn more about security and signed Ruby Gems](http://guides.rubygems.org/security/).
+
+### Installation Security : Signed Git Commits
+
+Most, if not all, of the commits and tags to the repository for this code are
+signed with my PGP/GPG code signing key. I have uploaded my code signing public
+keys to GitHub and you can now verify those signatures with the GitHub UI.
+See [this list of commits](https://github.com/grempe/sirp/commits/master)
+and look for the `Verified` tag next to each commit. You can click on that tag
+for additional information.
+
+You can also clone the repository and verify the signatures locally using your
+own GnuPG installation. You can find my certificates and read about how to conduct
+this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
+
+## Compatibility
+
+This implementation has been tested for compatibility with the following SRP-6a
+compliant third-party libraries:
+
+[JSRP / JavaScript](https://github.com/alax/jsrp)
+
+## Usage Example
+
+In this example the client and server steps are interleaved for demonstration
+purposes. See the `examples` dir for simple working client and server
+implementations.
+
+``` ruby
+require 'sirp'
+
+username     = 'user'
+password     = 'password'
+prime_length = 2048
+
+# The salt and verifier should be stored on the server database.
+@auth = SIRP::Verifier.new(prime_length).generate_userauth(username, password)
+# @auth is a hash containing :username, :verifier and :salt
+
+# ~~~ Begin Authentication ~~~
+
+client = SIRP::Client.new(prime_length)
+A = client.start_authentication
+
+# Client => Server: username, A
+
+# Server retrieves user's verifier and salt from the database.
+v    = @auth[:verifier]
+salt = @auth[:salt]
+
+# Server generates challenge for the client.
+verifier = SIRP::Verifier.new(prime_length)
+session = verifier.get_challenge_and_proof(username, v, salt, A)
+
+# Server has to persist proof to authenticate the client response later.
+@proof = session[:proof]
+
+# Server sends the challenge containing salt and B to client.
+response = session[:challenge]
+
+# Server => Client: salt, B
+
+# Client calculates M as a response to the challenge.
+client_M = client.process_challenge(username, password, salt, B)
+
+# Client => Server: username, M
+
+# Instantiate a new verifier on the server.
+verifier = SIRP::Verifier.new(prime_length)
+
+# Verify challenge response M.
+# The Verifier state is passed in @proof.
+server_H_AMK = verifier.verify_session(@proof, client_M)
+# Is false if authentication failed.
+
+# At this point, the client and server should have a common session key
+# that is secure (i.e. not known to an outside party).  To finish
+# authentication, they must prove to each other that their keys are
+# identical.
+
+# Server => Client: H(AMK)
+
+client.verify(server_H_AMK) == true
+
+```
+
+## History
+
+This gem is a fork of the [lamikae/srp-rb](https://github.com/lamikae/srp-rb)
+repository created by Mikael Lammentausta [@lamikae](https://github.com/lamikae).
+Significant changes were needed for my use-case which demanded breaking changes
+for the sake of greater interoperability. With these factors in mind, a hard
+fork seemed the most appropriate path to take. Much credit is due to Mikael for
+his original implementation.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then,
+run `bundle exec rake test` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+### Contributing
+
+Bug reports and pull requests are welcome on GitHub
+at [https://github.com/grempe/sirp](https://github.com/grempe/sirp). This
+project is intended to be a safe, welcoming space for collaboration, and
+contributors are expected to adhere to the
+[Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Legal
+
+### Copyright
+
+(c) 2016 Glenn Rempe <[glenn@rempe.us](mailto:glenn@rempe.us)> ([https://www.rempe.us/](https://www.rempe.us/))
+
+(c) 2012 Mikael Lammentausta
+
+### License
+
+The gem is available as open source under the terms of
+the [BSD 3-clause "New" or "Revised" License](https://spdx.org/licenses/BSD-3-Clause.html).
+
+### Warranty
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the LICENSE.txt file for the
+specific language governing permissions and limitations under
+the License.

data/RELEASE.md

@@ -0,0 +1,101 @@
+# Gem Release Process
+
+Don't use the `bundle exec rake release` task. It is more convenient,
+but it skips the process of signing the version release task.
+
+## Run Tests
+
+```sh
+$ bundle exec rake test
+$ bundle exec rake wwtd
+```
+
+## Git Push
+
+```sh
+$ git push
+```
+
+Check for regressions in automated tests covered by the README badges.
+
+## Bump Version Number and edit CHANGELOG.md
+
+```sh
+$ vi lib/sirp/version.rb
+$ git add lib/sirp/version.rb
+$ vi CHANGELOG.md
+$ git add CHANGELOG.md
+```
+
+## Local Build and Install w/ Signed Gem
+
+The `build` step should ask for PEM passphrase to sign gem. If it does
+not ask it means that the signing cert is not present.
+
+Build:
+
+```sh
+$ rake build
+Enter PEM pass phrase:
+sirp x.x.x built to pkg/sirp-x.x.x.gem
+```
+
+Install locally w/ Cert:
+
+```sh
+$ gem uninstall sirp
+$ rbenv rehash
+$ gem install pkg/tss-x.x.x.gem -P MediumSecurity
+Successfully installed sirp-x.x.x
+1 gem installed
+```
+
+## Git Commit Version and CHANGELOG Changes, Tag and push to Github
+
+```sh
+$ git add lib/tss/version.rb
+$ git add CHANGELOG.md
+$ git commit -m 'Bump version v2.0.0'
+$ git tag -s v2.0.0 -m "v2.0.0" SHA1_OF_COMMIT
+```
+
+Verify last commit and last tag are GPG signed:
+
+```
+$ git tag -v v2.0.0
+...
+gpg: Good signature from "Glenn Rempe (Code Signing Key) <glenn@rempe.us>" [ultimate]
+...
+```
+
+```
+$ git log --show-signature
+...
+gpg: Good signature from "Glenn Rempe (Code Signing Key) <glenn@rempe.us>" [ultimate]
+...
+```
+
+Push code and tags to GitHub:
+
+```
+$ git push
+$ git push --tags
+```
+
+## Push gem to Rubygems.org
+
+```sh
+$ gem push pkg/sirp-2.0.0.gem
+```
+
+Verify Gem Push at [https://rubygems.org/gems/sirp](https://rubygems.org/gems/sirp)
+
+## Create a GitHub Release
+
+Specify the tag we just pushed to attach release to. Copy notes from CHANGELOG.md
+
+[https://github.com/grempe/sirp/releases](https://github.com/grempe/sirp/releases)
+
+## Announce Release on Twitter
+
+The normal blah, blah, blah.