
SecureRandom is now used to generate the cnonce

This provides better security than Kernel#rand, which is a repeatable
sequence. This change requires Ruby 1.8.7 or newer.
1 parent 7b55d72 commit 62385e62276e1783bce746728406942caa32cab3 @drbrain committed May 18, 2012
Showing with 16 additions and 7 deletions.
  1. +5 −3 History.txt
  2. +2 −0 Rakefile
  3. +9 −4 lib/net/http/digest_auth.rb
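The commit message's point, that Kernel#rand is a repeatable sequence while SecureRandom draws from the OS CSPRNG, as an added example (not code from the net-http-digest_auth project). `legacy_cnonce` reconstructs the pre-1.3 formula with an explicit seed so the repeatability is visible, `secure_cnonce` uses the same formula as the new `make_cnonce`, and `direct_cnonce` is a hypothetical alternative; all helper names and the sample time/pid values are assumptions made for the demonstration.

```ruby
require 'digest'
require 'securerandom'

# Pre-1.3 construction, reconstructed from the removed line of make_cnonce.
# Hypothetical helper: the library never seeds Kernel#rand itself, the explicit
# seed here only makes the repeatability of the sequence observable.
def legacy_cnonce(now, seed)
  srand seed
  Digest::MD5.hexdigest("%x" % (now + rand(65535)))
end

# Post-1.3 construction, same formula as the new make_cnonce, with time and
# pid injectable so that the SecureRandom term is the only varying input.
def secure_cnonce(now = Time.now.to_i, pid = $$)
  Digest::MD5.hexdigest([now, pid, SecureRandom.random_number(2**32)].join(':'))
end

# Draw n values twice from the same seed and compare: Kernel#rand is a seeded
# PRNG, so anyone who knows (or brute-forces) the seed knows the whole sequence.
def rand_is_repeatable?(seed, n = 5)
  srand seed
  first = Array.new(n) { rand(65535) }
  srand seed
  second = Array.new(n) { rand(65535) }
  first == second
end

# Repeated cnonces for identical time and pid still differ, because the only
# varying input comes from the OS CSPRNG rather than a seedable generator.
def secure_cnonce_varies?(now = 1337, pid = 1, n = 5)
  Array.new(n) { secure_cnonce(now, pid) }.uniq.size == n
end

# Hypothetical alternative a reviewer might suggest: all 128 bits of the cnonce
# unpredictable, with no hashing of guessable fields such as time or pid.
def direct_cnonce
  SecureRandom.hex 16
end

if __FILE__ == $0
  puts "Kernel#rand repeatable with a known seed: #{rand_is_repeatable?(42)}"
  puts "legacy cnonce (seed 42, t=1337): #{legacy_cnonce(1337, 42)}"
  puts "secure cnonce varies for fixed time/pid: #{secure_cnonce_varies?}"
  puts "direct cnonce: #{direct_cnonce}"
end
```

Run it twice: the legacy value for a fixed seed and time is identical on every run, while each secure cnonce differs even when time and pid are held constant.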
8 History.txt
@@ -1,8 +1,10 @@
-=== 1.2.2
+=== 1.3
+* Minor enhancement
+ * SecureRandom is used to generate the cnonce instead of Kernel#rand
* Bug fix
- * cnonce and nonce-count are no longer sent when qop is missing per RFC 2617
- section 3.2.2.
+ * cnonce and nonce-count are no longer sent when qop was not provided per
+ RFC 2617 section 3.2.2.
=== 1.2.1 / 2012-05-18
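Review bot: the new `=== 1.3` header carries no release date, unlike `=== 1.2.1 / 2012-05-18` directly below it; add the date before the release is cut. The entry also says nothing about the gem now requiring Ruby 1.8.7 or newer, which is the change users on older Rubies most need to find in the changelog; a line such as `* Ruby 1.8.7 or newer is now required` under Minor enhancement would cover it.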
2 Rakefile
@@ -14,6 +14,8 @@ Hoe.spec 'net-http-digest_auth' do
'docs.seattlerb.org:/data/www/docs.seattlerb.org/net-http-digest_auth/'
rdoc_locations <<
'rubyforge.org:/var/www/gforge-projects/seattlerb/net-http-digest_auth/'
+
+ self.spec_extras[:required_ruby_version] = '>= 1.8.7'
end
# vim: syntax=Ruby
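Review bot: `'>= 1.8.7'` is the correct floor, since the library now does an unconditional `require 'securerandom'` and securerandom first shipped with Ruby 1.8.7, so the gemspec constraint and the code agree. Because this makes installation fail on 1.8.6, the bump to 1.3 rather than 1.2.3 is the right signal; make sure any installation documentation states the new minimum as well.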
13 lib/net/http/digest_auth.rb
@@ -1,7 +1,8 @@
require 'cgi'
require 'digest'
-require 'net/http'
require 'monitor'
+require 'net/http'
+require 'securerandom'
##
# An implementation of RFC 2617 Digest Access Authentication.
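Review bot: moving `require 'net/http'` below `require 'monitor'` is an alphabetical reorder unrelated to the fix; harmless, but unrelated reorders review more easily in their own commit. The `require 'securerandom'` is unconditional, so on a Ruby with neither OpenSSL nor `/dev/urandom` `SecureRandom` raises `NotImplementedError` at first use rather than at load time; failing rather than silently falling back to a predictable source is the right behaviour, but it deserves a sentence in the docs.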
@@ -48,7 +49,7 @@ class Error < RuntimeError; end
##
# Version of Net::HTTP::DigestAuth you are using
- VERSION = '1.2.2'
+ VERSION = '1.3'
##
# Creates a new DigestAuth header creator.
@@ -155,10 +156,14 @@ def auth_header uri, www_authenticate, method, iis = false
##
# Creates a client nonce value that is used across all requests based on the
- # current time.
+ # current time, process id and a random number
def make_cnonce
- Digest::MD5.hexdigest "%x" % (Time.now.to_i + rand(65535))
+ Digest::MD5.hexdigest [
+ Time.now.to_i,
+ $$,
+ SecureRandom.random_number(2**32),
+ ].join ':'
end
def next_nonce
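Review bot: the unpredictability of the new cnonce is bounded by the single `SecureRandom.random_number(2**32)` term: `Time.now.to_i` and `$$` are guessable, and MD5 adds no entropy, so the 32-hex-character output carries at most 32 bits of unpredictability. If the aim is a cnonce an attacker cannot predict, `SecureRandom.hex 16` yields 128 bits directly and drops the MD5/time/pid wrapping. Also, the updated comment `# current time, process id and a random number` lost its terminating period.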
