Some release issues with srp-rb

Open grempe opened this issue 9 years ago • 3 comments

Hello,

I've been taking a look at this interesting project. I've run into some issues though and noted some discrepancies that maybe you can help me understand.

I first noted that this command does not work with the version 1.0.1 code that I was trying out that had been installed with rubygems:

@auth = SRP::Verifier.new(prime_length).generate_userauth(username, password)

I was confused as to why and cloned the git repo locally. I ran all the tests fine locally. However, more digging revealed that the code, released as version 1.0.1 on December 8th, 2013, does not actually correspond to any of the commits in this github repo. It seems to have been pushed from some other code source, or perhaps some other unpublished branch?

It seems to have been released from some intermediate code between these two commits:

Mar 22, 2012 https://github.com/lamikae/srp-rb/commit/9087f1ef544e5e650f4693352a90c2cd0ea61ddc

Jan 18, 2014 https://github.com/lamikae/srp-rb/commit/38424af451e1b6faf7036c63af44e68a14f68861

But oddly also, the ruby gems released version contains some of the code from 38424af45, namely the use of OpenSSL digests. So it's all a bit confused. I must admit I get a little freaked out with security related code that doesn't match any known public release.

It would be great if you could:

a) help clear up this discrepancy

b) push a release to ruby gems that reflects the current code in the repository

Also, if I spend some time on modernizing the gem a bit, would you be interested in pulling those changes upstream?

Thanks,

Glenn

grempe avatar May 07 '16 22:05 grempe
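The check described in the post above, comparing a published gem's contents against candidate commits, can be scripted. This is an added example, not part of the thread or of the srp-rb code; it assumes the gem has already been unpacked (for instance with `gem unpack`) and each candidate commit is checked out into its own directory, and the function names and the scoring rule are hypothetical.

```ruby
require 'digest'
require 'find'
require 'pathname'

# Map every regular file under root (by relative path) to its SHA-256 digest.
# Version-control metadata (.git) is skipped so a checkout compares cleanly.
def tree_digests(root)
  base = Pathname.new(root)
  digests = {}
  Find.find(root) do |path|
    Find.prune if File.basename(path) == '.git'
    next unless File.file?(path)
    rel = Pathname.new(path).relative_path_from(base).to_s
    digests[rel] = Digest::SHA256.file(path).hexdigest
  end
  digests
end

# Classify the differences between an unpacked release and a source checkout.
def compare_trees(release, source)
  common = release.keys & source.keys
  {
    changed: common.reject { |f| release[f] == source[f] }.sort,
    only_in_release: (release.keys - source.keys).sort,
    only_in_source: (source.keys - release.keys).sort
  }
end

# Rank candidate checkouts by how many released files they fail to reproduce.
# Assumption: files present only in the source tree (specs, CI config) are not
# counted, because gems often ship a subset of the repository.
# A score of 0 means every released file is byte-identical in that checkout.
def closest_commits(release, candidates)
  scored = candidates.map do |id, tree|
    diff = compare_trees(release, tree)
    [id, diff[:changed].size + diff[:only_in_release].size]
  end
  scored.sort_by { |_, score| score }
end

# Usage: ruby compare.rb UNPACKED_GEM_DIR CHECKOUT_DIR [CHECKOUT_DIR ...]
if __FILE__ == $PROGRAM_NAME && ARGV.size >= 2
  release_dir, *checkouts = ARGV
  release = tree_digests(release_dir)
  trees = checkouts.to_h { |dir| [dir, tree_digests(dir)] }
  closest_commits(release, trees).each { |dir, score| puts "#{score}\t#{dir}" }
end
```

If no checkout scores 0, the release was not built from any of the commits examined, which is the situation the post reports.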

FYI, I have made significant breaking changes in my own fork of this repository, which I now call 'SiRP', to modernize it, improve interoperability across language implementations, and fix some existing issues. There were breaking changes needed for interoperability and anyone who is interested can find those changes here:

https://github.com/grempe/sirp

It will be published shortly to RubyGems and much credit goes to Mikael, the owner of this repository, for his original implementation. All credit to him is retained and so is the license.

Cheers.

grempe avatar May 13 '16 19:05 grempe

Very good that the code has now been reviewed through an extra pair of eyes, and brought up to date. Thank you for your improvements. I'll take a look at your changelog and update a link to your fork from this project. Cheers!

lamikae avatar May 14 '16 11:05 lamikae

Thanks Mikael, I look forward to any feedback!

grempe avatar May 14 '16 16:05 grempe