X-Git-Url: https://git.plutz.net/?p=cgilite;a=blobdiff_plain;f=session.sh;h=5b36ae032af4e818af91d4b73190a9f83614da15;hp=93cc2f4e93f88c46f3d4dfea29b79ef402b8cf09;hb=a76f6a5931782adbae717678f8f92569ed0d5bcb;hpb=621208650ef40272b76f4f649b461f47c33d97f9 diff --git a/session.sh b/session.sh index 93cc2f4..5b36ae0 100755 --- a/session.sh +++ b/session.sh @@ -6,6 +6,28 @@ include_session="$0" _DATE="$(date +%s)" SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}" +if ! which uuencode >/dev/null; then + uuencode() { busybox uuencode "$@"; } +fi +if ! which sha256sum >/dev/null; then + sha256sum() { busybox sha256sum "$@"; } +fi + +if which openssl >/dev/null; then + session_mac(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode; } +else + # Gonzo MAC if openssl is unavailable + session_mac(){ + { server_key | dd status=none bs=256 count=1 skip=1 + { server_key | dd status=none bs=256 count=1 + [ $# -gt 0 ] && printf %s "$*" || cat + } \ + | sha256sum -; + } \ + | sha256sum | cut -d\ -f1 + } +fi + server_key(){ IDFILE="${IDFILE:-${_DATA:-.}/serverkey}" if [ "$(stat -c %s "$IDFILE")" -ne 512 ] || ! cat "$IDFILE"; then @@ -18,23 +40,13 @@ slopecode(){ # 6-Bit Code that retains sort order of input data, while beeing safe to use # in ascii transmissions, unix file names, HTTP URLs, and HTML attributes - uuencode -m - | sed ' + { [ $# -gt 0 ] && printf %s "$*" || cat; } \ + | uuencode -m - | sed ' 1d;$d; y;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;0123456789:=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz; ' } -session_mac(){ - local info - [ $# -eq 0 ] && info="$(cat)" || info="$*" - - if which openssl >/dev/null; then - printf %s "$info" |openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode - else - { printf %s "$info"; server_key; } |sha256sum |cut -d\ -f1 - fi -} - randomid(){ dd bs=12 count=1 if=/dev/urandom 2>&- \ | slopecode @@ -53,14 +65,14 @@ timeid(){ } | slopecode } -checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; } - transid(){ # transaction ID to modify a given file local file="$1" session_mac "$(stat -c %F%i%n%N%s%Y "$file" 2>&-)" "$SESSION_ID" } +checkid(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; } + update_session(){ local session sid time sig checksig @@ -83,6 +95,30 @@ update_session(){ printf %s\\n "${sid} ${time} ${sig}" } +SESSION_BIND() { + # Set tamper-proof authenticated cookie + local key="$1" value="$2" + SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")" +} + +SESSION_VAR() { + # read authenticated cookie + # fail if value has been tampered with + local key="$1" value sig + value="$(COOKIE "$key")" + sig="${value##* }" value="${value% *}" + if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then + printf %s\\n "$value" + else + return 1 + fi +} + +SESSION_COOKIE() { + SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly +} + SESSION_KEY="$(update_session)" -SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly SESSION_ID="${SESSION_KEY%% *}" + +[ "$1" = nocookie ] || SESSION_COOKIE