From 6d0df734840985a7be88a2d54443bbf892d50b9a Mon Sep 17 00:00:00 2001
From: Brian Terlson
Date: Fri, 27 Mar 2009 11:15:07 -0500
Subject: [PATCH] Calculate a our own nonce for cnonce rather than using the server's nonce. More secure, and more compatible.

---
 lib/httpclient/auth.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/httpclient/auth.rb b/lib/httpclient/auth.rb
index 1b2717e..81ecc51 100644
--- a/lib/httpclient/auth.rb
+++ b/lib/httpclient/auth.rb
@@ -317,12 +317,13 @@ def challenge(uri, param_str)
 def calc_cred(method, uri, user, passwd, param)
 a_1 = "#{user}:#{param['realm']}:#{passwd}"
 a_2 = "#{method}:#{uri.path}"
+ cnonce = Digest::MD5.hexdigest(Time.now.to_s + rand(65535).to_s)
 @nonce_count += 1
 message_digest = []
 message_digest << Digest::MD5.hexdigest(a_1)
 message_digest << param['nonce']
 message_digest << ('%08x' % @nonce_count)
- message_digest << param['nonce']
+ message_digest << cnonce
 message_digest << param['qop']
 message_digest << Digest::MD5.hexdigest(a_2)
 header = []
@@ -330,7 +331,7 @@ def calc_cred(method, uri, user, passwd, param)
 header << "realm=\"#{param['realm']}\""
 header << "nonce=\"#{param['nonce']}\""
 header << "uri=\"#{uri.path}\""
- header << "cnonce=\"#{param['nonce']}\""
+ header << "cnonce=\"#{cnonce}\""
 header << "nc=#{'%08x' % @nonce_count}"
 header << "qop=\"#{param['qop']}\""
 header << "response=\"#{Digest::MD5.hexdigest(message_digest.join(":"))}\""
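Review bot: The client nonce added in the first hunk, `cnonce = Digest::MD5.hexdigest(Time.now.to_s + rand(65535).to_s)`, is built from a second-resolution timestamp and Kernel#rand, a seeded Mersenne Twister rather than a cryptographic generator, and running the result through MD5 adds no entropy, so the cnonce is predictable to anyone who can approximate the request time, which defeats the point of a client-chosen nonce in Digest authentication (it is what keeps a server from fully controlling the hashed input). Generate it from the standard-library CSPRNG instead: `cnonce = SecureRandom.hex(16)`, with `require 'securerandom'` added at the top of the file, outside this hunk. The second hunk's `header << "cnonce=\"#{cnonce}\""` emits the same variable and needs no further change once the generation is fixed. calc_cred's body continues between the two hunks and past the end of the second.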