[ -n "$include_session" ] && return 0
include_session="$0"
+_DATE="$(date +%s)"
+SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+
if ! which uuencode >/dev/null; then
uuencode() { busybox uuencode "$@"; }
fi
sha256sum() { busybox sha256sum "$@"; }
fi
-_DATE="$(date +%s)"
-SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+if which openssl >/dev/null; then
+ session_mac(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode; }
+else
+ # Gonzo MAC if openssl is unavailable
+ session_mac(){
+ { server_key | dd status=none bs=256 count=1 skip=1
+ { server_key | dd status=none bs=256 count=1
+ [ $# -gt 0 ] && printf %s "$*" || cat
+ } \
+ | sha256sum -;
+ } \
+ | sha256sum | cut -d\ -f1
+ }
+fi
server_key(){
IDFILE="${IDFILE:-${_DATA:-.}/serverkey}"
# 6-Bit Code that retains sort order of input data, while beeing safe to use
# in ascii transmissions, unix file names, HTTP URLs, and HTML attributes
- uuencode -m - | sed '
+ { [ $# -gt 0 ] && printf %s "$*" || cat; } \
+ | uuencode -m - | sed '
1d;$d;
y;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;0123456789:=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz;
'
}
-session_mac(){
- local info
- [ $# -eq 0 ] && info="$(cat)" || info="$*"
-
- if which openssl >/dev/null; then
- printf %s "$info" |openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode
- else
- { printf %s "$info"; server_key; } |sha256sum |cut -d\ -f1
- fi
-}
-
randomid(){
dd bs=12 count=1 if=/dev/urandom 2>&- \
| slopecode
} | slopecode
}
-checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
-
transid(){
# transaction ID to modify a given file
local file="$1"
session_mac "$(stat -c %F%i%n%N%s%Y "$file" 2>&-)" "$SESSION_ID"
}
+checkid(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
+
update_session(){
local session sid time sig checksig
+ unset SESSION_KEY SESSION_ID
read -r sid time sig <<-END
$(POST session_key || COOKIE session)
checksig="$(session_mac "$sid" "$time")"
- if ! [ "$checksig" = "$sig" \
- -a "$time" -ge "$_DATE" \
- -a "$(printf %s "$sid" |checkid)" ] 2>&-
+ if [ "$checksig" = "$sig" \
+ -a "$time" -ge "$_DATE" \
+ -a "$(checkid "$sid")" ] 2>&-
then
- debug "Setting up new session"
- sid="$(randomid)"
+ time=$(( $_DATE + $SESSION_TIMEOUT ))
+ sig="$(session_mac "$sid" "$time")"
+
+ SESSION_KEY="${sid} ${time} ${sig}"
+ SESSION_ID="${sid}"
+ return 0
+ else
+ return 1
fi
+}
+
+new_session(){
+ local sid time sig
+
+ debug "Setting up new session"
+ sid="$(randomid)"
time=$(( $_DATE + $SESSION_TIMEOUT ))
sig="$(session_mac "$sid" "$time")"
- printf %s\\n "${sid} ${time} ${sig}"
-}
-SESSION_KEY="$(update_session)"
-SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
-SESSION_ID="${SESSION_KEY%% *}"
+ SESSION_KEY="${sid} ${time} ${sig}"
+ SESSION_ID="${sid}"
+}
SESSION_BIND() {
+ # Set tamper-proof authenticated cookie
local key="$1" value="$2"
- SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")"
+ SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")" Path="/${_BASE#/}" SameSite=Strict HttpOnly
}
SESSION_VAR() {
- local key="$1"
- local value sig
+ # read authenticated cookie
+ # fail if value has been tampered with
+ local key="$1" value sig
value="$(COOKIE "$key")"
sig="${value##* }" value="${value% *}"
if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then
return 1
fi
}
+
+SESSION_COOKIE() {
+ [ "$1" = new ] && new_session
+ SET_COOKIE 0 session="$SESSION_KEY" Path="/${_BASE#/}" SameSite=Strict HttpOnly
+}
+
+update_session || new_session