Support session encryption

Implement session encryption.
author: kkadosh 2018-05-29 19:34:16 +0000
committer: jvoisin 2018-05-29 19:34:16 +0000
commit: 7832438b7abedf567ce6376f99949f419abcdff1 (patch)
tree: 560e43918d1dc36ce4cf760a5b27aed0c563bc1c /src/tests
parent: 9eebe8c67e03e3041d454ea28e93996f7a67740b (diff)
8 files changed, 172 insertions, 22 deletions
diff --git a/src/tests/config/config_crypt_session.ini b/src/tests/config/config_crypt_session.ini
new file mode 100644
index 0000000..14b0c2c
--- /dev/null
+++ b/src/tests/config/config_crypt_session.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.session.encrypt();
+\ No newline at end of file
diff --git a/src/tests/config/config_crypt_session_simul.ini b/src/tests/config/config_crypt_session_simul.ini
new file mode 100644
index 0000000..fbd43eb
--- /dev/null
+++ b/src/tests/config/config_crypt_session_simul.ini
@@ -0,0 +1,3 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.session.encrypt();
+sp.session.simulation();
+\ No newline at end of file
diff --git a/src/tests/crypt_session_invalid.phpt b/src/tests/crypt_session_invalid.phpt
new file mode 100644
index 0000000..687a407
--- /dev/null
+++ b/src/tests/crypt_session_invalid.phpt
@@ -0,0 +1,24 @@
+--TEST--
+SESSION crypt and bad decrypt
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_crypt_session.ini
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php
+// Do it like that to write (encrypt) the session and then to read (decrypt) the session
+session_start();                        // Start new_session , it will read an empty session
+$_SESSION["toto"] = "tata"; // Encrypt and write the session
+$id = session_id();             // Get the session_id to use it later
+session_write_close();          // Close the session
+putenv("REMOTE_ADDR=127.0.0.2");
+session_id($id);                        // Recover the session with the previous session_id
+session_start();                        // Re start the session, It will read and decrypt the non empty session
+var_dump($_SESSION);            // Dump the session
+?>
+--EXPECTF--
+[snuffleupagus][127.0.0.2][cookie_encryption][drop] Something went wrong with the decryption of the session.
+\ No newline at end of file
diff --git a/src/tests/crypt_session_invalid_simul.phpt b/src/tests/crypt_session_invalid_simul.phpt
new file mode 100644
index 0000000..7bfefcb
--- /dev/null
+++ b/src/tests/crypt_session_invalid_simul.phpt
@@ -0,0 +1,27 @@
+--TEST--
+SESSION crypt and bad decrypt
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_crypt_session_simul.ini
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php
+// Do it like that to write (encrypt) the session and then to read (decrypt) the session
+session_start();                        // Start new_session , it will read an empty session
+$_SESSION["toto"] = "tata"; // Encrypt and write the session
+$id = session_id();             // Get the session_id to use it later
+session_write_close();          // Close the session
+putenv("REMOTE_ADDR=127.0.0.2");
+session_id($id);                        // Recover the session with the previous session_id
+session_start();                        // Re start the session, It will read and decrypt the non empty session
+var_dump($_SESSION);            // Dump the session
+?>
+--EXPECTF--
+array(1) {
+  ["toto"]=>
+  string(4) "tata"
+}
diff --git a/src/tests/crypt_session_read_uncrypt.phpt b/src/tests/crypt_session_read_uncrypt.phpt
new file mode 100644
index 0000000..f15d8b6
--- /dev/null
+++ b/src/tests/crypt_session_read_uncrypt.phpt
@@ -0,0 +1,33 @@
+--TEST--
+SESSION crypt/decrypt valid
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_crypt_session_simul.ini
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php
+$current_path = dirname(getcwd()) . "/src/tests/" ;
+ini_set("session.save_path", $current_path);
+session_start();
+$id = session_id();                                                                                     // Get the session_id to use it later
+$filename_sess = $current_path . "sess_" . $id;
+file_put_contents($filename_sess, "toto|s:4:\"tata\";");                        // Write a unencrypted session
+session_write_close();                                                                                  // Close the session
+session_id($id);
+session_start();                                                                                                // Try to read the unencrypted session, it will fail to decrypt but it must return the session
+var_dump($_SESSION);
+echo "OK";
+unlink($filename_sess);
+?>
+--EXPECTF--
+array(1) {
+  ["toto"]=>
+  string(4) "tata"
+}
+OK
diff --git a/src/tests/crypt_session_valid.phpt b/src/tests/crypt_session_valid.phpt
new file mode 100644
index 0000000..bf9fea0
--- /dev/null
+++ b/src/tests/crypt_session_valid.phpt
@@ -0,0 +1,27 @@
+--TEST--
+SESSION crypt/decrypt valid
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_crypt_session.ini
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php
+// Do it like that to write (encrypt) the session and then to read (decrypt) the session
+session_start();                        // Start new_session , it will read an empty session
+$_SESSION["toto"] = "tata"; // Encrypt and write the session
+$id = session_id();             // Get the session_id to use it later
+session_write_close();          // Close the session
+session_id($id);                        // Recover the session with the previous session_id
+session_start();                        // Re start the session, It will read and decrypt the non empty session
+var_dump($_SESSION);            // Dump the session
+?>
+--EXPECTF--
+array(1) {
+  ["toto"]=>
+  string(4) "tata"
+}
diff --git a/src/tests/crypt_session_valid_simul.phpt b/src/tests/crypt_session_valid_simul.phpt
new file mode 100644
index 0000000..28083cf
--- /dev/null
+++ b/src/tests/crypt_session_valid_simul.phpt
@@ -0,0 +1,27 @@
+--TEST--
+SESSION crypt/decrypt valid
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_crypt_session_simul.ini
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php
+// Do it like that to write (encrypt) the session and then to read (decrypt) the session
+session_start();                        // Start new_session , it will read an empty session
+$_SESSION["toto"] = "tata"; // Encrypt and write the session
+$id = session_id();             // Get the session_id to use it later
+session_write_close();          // Close the session
+session_id($id);                        // Recover the session with the previous session_id
+session_start();                        // Re start the session, It will read and decrypt the non empty session
+var_dump($_SESSION);            // Dump the session
+?>
+--EXPECTF--
+array(1) {
+  ["toto"]=>
+  string(4) "tata"
+}
diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt
index fe74172..d010963 100644
--- a/src/tests/samesite_cookies.phpt
+++ b/src/tests/samesite_cookies.phpt
@@ -27,12 +27,13 @@ if (!setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true)) {
  echo "setcookie failed.\n";
 }
+// If the cookie value start with "!", it means that we don't want the value in the headers, but the encrypted cookie
 $expected = array(
-    'Set-Cookie: super_cookie=super_value; path=; samesite=Lax',
+  "awful_cookie" => "!awful_value",
-    'Set-Cookie: awful_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFyZcYjfEskB0AU0V3%2BvwazcRuU%2Ft6KpcUahvxw%3D; path=; samesite=Strict; HttpOnly',
+  "not_encrypted" => "test_value",
-    'Set-Cookie: not_encrypted=test_value; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; domain=1; HttpOnly',
+  "nice_cookie" => "!nice_value",
-    'Set-Cookie: nice_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ8ko%2ByA4y%2Bmw5MGBx8fgc3TWOAvhIu%2BfF%2Bx2g%3D%3D; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; samesite=Strict; domain=1; secure; HttpOnly',
+  "super_cookie" => "super_value",
-    );
+);
 $headers = headers_list();
 if (($i = count($expected)) > count($headers))
@@ -41,31 +42,37 @@ if (($i = count($expected)) > count($headers))
  return;
 }
-do
+$i = 0;
-{
+do {
  if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0)
  {
    continue;
  }
+  foreach ($expected as $key => $value) {
-  if (current($headers) === current($expected))
+    if (strpos(current($headers), $key) !== false) {                         // If the header contains the cookie
-  {
+      if (substr($value, 0, 1) === "!") {                                   // ! is because we don't want to see the cookie value in plaintext, it must be encrypted
-    $i--;
+        if (strpos(current($headers), substr($value,1,-1)) === false) {      // If the header doesn't contain de cookie value, it's good
+          $i++;
+          break;
+        }
+        echo "Received : " . current($headers) . " and the cookie isn't encrypted . \n";
+      } else {
+        if (strpos(current($headers), $value) !== false) {
+          $i++;
+          break;
+        }
+        echo "Received : " . current($headers) . " and the cookie value of " . $key . " doesn't match it's value. \n";
+      }
+      break;
+    }
  }
-  else
-  {
-    echo "Header mismatch:\n\tExpected: "
-      .current($expected)
-      ."\n\tReceived: ".current($headers)."\n";
-  }
-  next($expected);
 }
-while (next($headers) !== FALSE);
+while (next($headers));
-echo ($i === 0)
+echo ($i === 4)
  ? 'OK'
-  : 'A total of '.$i.' errors found.';
+  : 'A total of '. (count($expected) - $i) .' errors found.';
 ?>
 --EXPECT--
 OK
author	kkadosh	2018-05-29 19:34:16 +0000
committer	jvoisin	2018-05-29 19:34:16 +0000
commit	7832438b7abedf567ce6376f99949f419abcdff1 (patch)
tree	560e43918d1dc36ce4cf760a5b27aed0c563bc1c /src/tests
parent	9eebe8c67e03e3041d454ea28e93996f7a67740b (diff)

diff --git a/src/tests/config/config_crypt_session.ini b/src/tests/config/config_crypt_session.ini new file mode 100644 index 0000000..14b0c2c --- /dev/null +++ b/src/tests/config/config_crypt_session.ini
@@ -0,0 +1,2 @@
		1	sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
		2	sp.session.encrypt(); \ No newline at end of file


diff --git a/src/tests/config/config_crypt_session_simul.ini b/src/tests/config/config_crypt_session_simul.ini new file mode 100644 index 0000000..fbd43eb --- /dev/null +++ b/src/tests/config/config_crypt_session_simul.ini
@@ -0,0 +1,3 @@
		1	sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
		2	sp.session.encrypt();
		3	sp.session.simulation(); \ No newline at end of file


diff --git a/src/tests/crypt_session_invalid.phpt b/src/tests/crypt_session_invalid.phpt new file mode 100644 index 0000000..687a407 --- /dev/null +++ b/src/tests/crypt_session_invalid.phpt
@@ -0,0 +1,24 @@
		1	--TEST--
		2	SESSION crypt and bad decrypt
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_crypt_session.ini
		7	--ENV--
		8	return <<<EOF
		9	REMOTE_ADDR=127.0.0.1
		10	EOF;
		11	--FILE--
		12	<?php
		13	// Do it like that to write (encrypt) the session and then to read (decrypt) the session
		14	session_start(); // Start new_session , it will read an empty session
		15	$_SESSION["toto"] = "tata"; // Encrypt and write the session
		16	$id = session_id(); // Get the session_id to use it later
		17	session_write_close(); // Close the session
		18	putenv("REMOTE_ADDR=127.0.0.2");
		19	session_id($id); // Recover the session with the previous session_id
		20	session_start(); // Re start the session, It will read and decrypt the non empty session
		21	var_dump($_SESSION); // Dump the session
		22	?>
		23	--EXPECTF--
		24	[snuffleupagus][127.0.0.2][cookie_encryption][drop] Something went wrong with the decryption of the session. \ No newline at end of file


diff --git a/src/tests/crypt_session_invalid_simul.phpt b/src/tests/crypt_session_invalid_simul.phpt new file mode 100644 index 0000000..7bfefcb --- /dev/null +++ b/src/tests/crypt_session_invalid_simul.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	SESSION crypt and bad decrypt
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_crypt_session_simul.ini
		7	--ENV--
		8	return <<<EOF
		9	REMOTE_ADDR=127.0.0.1
		10	EOF;
		11	--FILE--
		12	<?php
		13	// Do it like that to write (encrypt) the session and then to read (decrypt) the session
		14	session_start(); // Start new_session , it will read an empty session
		15	$_SESSION["toto"] = "tata"; // Encrypt and write the session
		16	$id = session_id(); // Get the session_id to use it later
		17	session_write_close(); // Close the session
		18	putenv("REMOTE_ADDR=127.0.0.2");
		19	session_id($id); // Recover the session with the previous session_id
		20	session_start(); // Re start the session, It will read and decrypt the non empty session
		21	var_dump($_SESSION); // Dump the session
		22	?>
		23	--EXPECTF--
		24	array(1) {
		25	["toto"]=>
		26	string(4) "tata"
		27	}


diff --git a/src/tests/crypt_session_read_uncrypt.phpt b/src/tests/crypt_session_read_uncrypt.phpt new file mode 100644 index 0000000..f15d8b6 --- /dev/null +++ b/src/tests/crypt_session_read_uncrypt.phpt
@@ -0,0 +1,33 @@
		1	--TEST--
		2	SESSION crypt/decrypt valid
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_crypt_session_simul.ini
		7	--ENV--
		8	return <<<EOF
		9	REMOTE_ADDR=127.0.0.1
		10	EOF;
		11	--FILE--
		12	<?php
		13	$current_path = dirname(getcwd()) . "/src/tests/" ;
		14	ini_set("session.save_path", $current_path);
		15
		16	session_start();
		17	$id = session_id(); // Get the session_id to use it later
		18	$filename_sess = $current_path . "sess_" . $id;
		19	file_put_contents($filename_sess, "toto\|s:4:\"tata\";"); // Write a unencrypted session
		20	session_write_close(); // Close the session
		21
		22	session_id($id);
		23	session_start(); // Try to read the unencrypted session, it will fail to decrypt but it must return the session
		24	var_dump($_SESSION);
		25	echo "OK";
		26	unlink($filename_sess);
		27	?>
		28	--EXPECTF--
		29	array(1) {
		30	["toto"]=>
		31	string(4) "tata"
		32	}
		33	OK


diff --git a/src/tests/crypt_session_valid.phpt b/src/tests/crypt_session_valid.phpt new file mode 100644 index 0000000..bf9fea0 --- /dev/null +++ b/src/tests/crypt_session_valid.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	SESSION crypt/decrypt valid
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_crypt_session.ini
		7	--ENV--
		8	return <<<EOF
		9	REMOTE_ADDR=127.0.0.1
		10	EOF;
		11	--FILE--
		12	<?php
		13	// Do it like that to write (encrypt) the session and then to read (decrypt) the session
		14	session_start(); // Start new_session , it will read an empty session
		15	$_SESSION["toto"] = "tata"; // Encrypt and write the session
		16	$id = session_id(); // Get the session_id to use it later
		17
		18	session_write_close(); // Close the session
		19	session_id($id); // Recover the session with the previous session_id
		20	session_start(); // Re start the session, It will read and decrypt the non empty session
		21	var_dump($_SESSION); // Dump the session
		22	?>
		23	--EXPECTF--
		24	array(1) {
		25	["toto"]=>
		26	string(4) "tata"
		27	}


diff --git a/src/tests/crypt_session_valid_simul.phpt b/src/tests/crypt_session_valid_simul.phpt new file mode 100644 index 0000000..28083cf --- /dev/null +++ b/src/tests/crypt_session_valid_simul.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	SESSION crypt/decrypt valid
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/config_crypt_session_simul.ini
		7	--ENV--
		8	return <<<EOF
		9	REMOTE_ADDR=127.0.0.1
		10	EOF;
		11	--FILE--
		12	<?php
		13	// Do it like that to write (encrypt) the session and then to read (decrypt) the session
		14	session_start(); // Start new_session , it will read an empty session
		15	$_SESSION["toto"] = "tata"; // Encrypt and write the session
		16	$id = session_id(); // Get the session_id to use it later
		17	session_write_close(); // Close the session
		18
		19	session_id($id); // Recover the session with the previous session_id
		20	session_start(); // Re start the session, It will read and decrypt the non empty session
		21	var_dump($_SESSION); // Dump the session
		22	?>
		23	--EXPECTF--
		24	array(1) {
		25	["toto"]=>
		26	string(4) "tata"
		27	}


diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt index fe74172..d010963 100644 --- a/src/tests/samesite_cookies.phpt +++ b/src/tests/samesite_cookies.phpt
@@ -27,12 +27,13 @@ if (!setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true)) {
27	echo "setcookie failed.\n";	27	echo "setcookie failed.\n";
28	}	28	}
29		29
		30	// If the cookie value start with "!", it means that we don't want the value in the headers, but the encrypted cookie
30	$expected = array(	31	$expected = array(
31	'Set-Cookie: super_cookie=super_value; path=; samesite=Lax',	32	"awful_cookie" => "!awful_value",
32	'Set-Cookie: awful_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFyZcYjfEskB0AU0V3%2BvwazcRuU%2Ft6KpcUahvxw%3D; path=; samesite=Strict; HttpOnly',	33	"not_encrypted" => "test_value",
33	'Set-Cookie: not_encrypted=test_value; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; domain=1; HttpOnly',	34	"nice_cookie" => "!nice_value",
34	'Set-Cookie: nice_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ8ko%2ByA4y%2Bmw5MGBx8fgc3TWOAvhIu%2BfF%2Bx2g%3D%3D; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; samesite=Strict; domain=1; secure; HttpOnly',	35	"super_cookie" => "super_value",
35	);	36	);
36		37
37	$headers = headers_list();	38	$headers = headers_list();
38	if (($i = count($expected)) > count($headers))	39	if (($i = count($expected)) > count($headers))
@@ -41,31 +42,37 @@ if (($i = count($expected)) > count($headers))
41	return;	42	return;
42	}	43	}
43		44
44	do	45	$i = 0;
45	{	46
		47	do {
46	if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0)	48	if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0)
47	{	49	{
48	continue;	50	continue;
49	}	51	}
50		52	foreach ($expected as $key => $value) {
51	if (current($headers) === current($expected))	53	if (strpos(current($headers), $key) !== false) { // If the header contains the cookie
52	{	54	if (substr($value, 0, 1) === "!") { // ! is because we don't want to see the cookie value in plaintext, it must be encrypted
53	$i--;	55	if (strpos(current($headers), substr($value,1,-1)) === false) { // If the header doesn't contain de cookie value, it's good
		56	$i++;
		57	break;
		58	}
		59	echo "Received : " . current($headers) . " and the cookie isn't encrypted . \n";
		60	} else {
		61	if (strpos(current($headers), $value) !== false) {
		62	$i++;
		63	break;
		64	}
		65	echo "Received : " . current($headers) . " and the cookie value of " . $key . " doesn't match it's value. \n";
		66	}
		67	break;
		68	}
54	}	69	}
55	else
56	{
57	echo "Header mismatch:\n\tExpected: "
58	.current($expected)
59	."\n\tReceived: ".current($headers)."\n";
60	}
61
62	next($expected);
63	}	70	}
64	while (next($headers) !== FALSE);	71	while (next($headers));
65		72
66	echo ($i === 0)	73	echo ($i === 4)
67	? 'OK'	74	? 'OK'
68	: 'A total of '.$i.' errors found.';	75	: 'A total of '. (count($expected) - $i) .' errors found.';
69	?>	76	?>
70	--EXPECT--	77	--EXPECT--
71	OK	78	OK