From 7832438b7abedf567ce6376f99949f419abcdff1 Mon Sep 17 00:00:00 2001
From: kkadosh
Date: Tue, 29 May 2018 19:34:16 +0000
Subject: Support session encryption

Implement session encryption.
---
 src/tests/config/config_crypt_session.ini | 2 +
 src/tests/config/config_crypt_session_simul.ini | 3 ++
 src/tests/crypt_session_invalid.phpt | 24 ++++++++++++
 src/tests/crypt_session_invalid_simul.phpt | 27 +++++++++++++
 src/tests/crypt_session_read_uncrypt.phpt | 33 ++++++++++++++++
 src/tests/crypt_session_valid.phpt | 27 +++++++++++++
 src/tests/crypt_session_valid_simul.phpt | 27 +++++++++++++
 src/tests/samesite_cookies.phpt | 51 ++++++++++++++----------
 8 files changed, 172 insertions(+), 22 deletions(-)
 create mode 100644 src/tests/config/config_crypt_session.ini
 create mode 100644 src/tests/config/config_crypt_session_simul.ini
 create mode 100644 src/tests/crypt_session_invalid.phpt
 create mode 100644 src/tests/crypt_session_invalid_simul.phpt
 create mode 100644 src/tests/crypt_session_read_uncrypt.phpt
 create mode 100644 src/tests/crypt_session_valid.phpt
 create mode 100644 src/tests/crypt_session_valid_simul.phpt
(limited to 'src/tests')
diff --git a/src/tests/config/config_crypt_session.ini b/src/tests/config/config_crypt_session.ini
new file mode 100644
index 0000000..14b0c2c
--- /dev/null
+++ b/src/tests/config/config_crypt_session.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.session.encrypt();
\ No newline at end of file
diff --git a/src/tests/config/config_crypt_session_simul.ini b/src/tests/config/config_crypt_session_simul.ini
new file mode 100644
index 0000000..fbd43eb
--- /dev/null
+++ b/src/tests/config/config_crypt_session_simul.ini
@@ -0,0 +1,3 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.session.encrypt();
+sp.session.simulation();
\ No newline at end of file
diff --git a/src/tests/crypt_session_invalid.phpt b/src/tests/crypt_session_invalid.phpt
new file mode 100644
index 0000000..687a407
--- /dev/null +++ b/src/tests/crypt_session_invalid.phpt @@ -0,0 +1,24 @@ +--TEST-- +SESSION crypt and bad decrypt +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_crypt_session.ini +--ENV-- +return << +--EXPECTF-- +[snuffleupagus][127.0.0.2][cookie_encryption][drop] Something went wrong with the decryption of the session. \ No newline at end of file diff --git a/src/tests/crypt_session_invalid_simul.phpt b/src/tests/crypt_session_invalid_simul.phpt new file mode 100644 index 0000000..7bfefcb --- /dev/null +++ b/src/tests/crypt_session_invalid_simul.phpt @@ -0,0 +1,27 @@ +--TEST-- +SESSION crypt and bad decrypt +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_crypt_session_simul.ini +--ENV-- +return << +--EXPECTF-- +array(1) { + ["toto"]=> + string(4) "tata" +} diff --git a/src/tests/crypt_session_read_uncrypt.phpt b/src/tests/crypt_session_read_uncrypt.phpt new file mode 100644 index 0000000..f15d8b6 --- /dev/null +++ b/src/tests/crypt_session_read_uncrypt.phpt @@ -0,0 +1,33 @@ +--TEST-- +SESSION crypt/decrypt valid +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_crypt_session_simul.ini +--ENV-- +return << +--EXPECTF-- +array(1) { + ["toto"]=> + string(4) "tata" +} +OK diff --git a/src/tests/crypt_session_valid.phpt b/src/tests/crypt_session_valid.phpt new file mode 100644 index 0000000..bf9fea0 --- /dev/null +++ b/src/tests/crypt_session_valid.phpt @@ -0,0 +1,27 @@ +--TEST-- +SESSION crypt/decrypt valid +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_crypt_session.ini +--ENV-- +return << +--EXPECTF-- +array(1) { + ["toto"]=> + string(4) "tata" +} diff --git a/src/tests/crypt_session_valid_simul.phpt b/src/tests/crypt_session_valid_simul.phpt new file mode 100644 index 0000000..28083cf --- /dev/null +++ b/src/tests/crypt_session_valid_simul.phpt 
@@ -0,0 +1,27 @@ +--TEST-- +SESSION crypt/decrypt valid +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_crypt_session_simul.ini +--ENV-- +return << +--EXPECTF-- +array(1) { + ["toto"]=> + string(4) "tata" +} diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt index fe74172..d010963 100644 --- a/src/tests/samesite_cookies.phpt +++ b/src/tests/samesite_cookies.phpt @@ -27,12 +27,13 @@ if (!setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true)) { echo "setcookie failed.\n"; } +// If the cookie value start with "!", it means that we don't want the value in the headers, but the encrypted cookie $expected = array( - 'Set-Cookie: super_cookie=super_value; path=; samesite=Lax', - 'Set-Cookie: awful_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFyZcYjfEskB0AU0V3%2BvwazcRuU%2Ft6KpcUahvxw%3D; path=; samesite=Strict; HttpOnly', - 'Set-Cookie: not_encrypted=test_value; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; domain=1; HttpOnly', - 'Set-Cookie: nice_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ8ko%2ByA4y%2Bmw5MGBx8fgc3TWOAvhIu%2BfF%2Bx2g%3D%3D; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; samesite=Strict; domain=1; secure; HttpOnly', - ); + "awful_cookie" => "!awful_value", + "not_encrypted" => "test_value", + "nice_cookie" => "!nice_value", + "super_cookie" => "super_value", +); $headers = headers_list(); if (($i = count($expected)) > count($headers)) 
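Review bot: The new `$expected` map in the samesite_cookies.phpt hunk drops every attribute the old exact-match lines asserted (`samesite=Lax`/`samesite=Strict`, `secure`, `HttpOnly`, `path`, `domain`), so a test named for SameSite no longer fails when the SameSite flag is missing; the matching loop in the second hunk of this file only looks for the cookie name and value. If exact-line matching had to go because the encrypted value is not stable, keep the attribute fragments next to the value, e.g. `"nice_cookie" => ["!nice_value", "samesite=Strict", "secure", "HttpOnly"]`, and have the loop require each fragment with `strpos(...) !== false` before counting the header as matched. Without that, the regression this file exists to catch is no longer covered.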
@@ -41,31 +42,37 @@ if (($i = count($expected)) > count($headers)) return; } -do -{ +$i = 0; + +do { if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0) { continue; } - - if (current($headers) === current($expected)) - { - $i--; + foreach ($expected as $key => $value) { + if (strpos(current($headers), $key) !== false) { // If the header contains the cookie + if (substr($value, 0, 1) === "!") { // ! is because we don't want to see the cookie value in plaintext, it must be encrypted + if (strpos(current($headers), substr($value,1,-1)) === false) { // If the header doesn't contain de cookie value, it's good + $i++; + break; + } + echo "Received : " . current($headers) . " and the cookie isn't encrypted . \n"; + } else { + if (strpos(current($headers), $value) !== false) { + $i++; + break; + } + echo "Received : " . current($headers) . " and the cookie value of " . $key . " doesn't match it's value. \n"; + } + break; + } } - else - { - echo "Header mismatch:\n\tExpected: " - .current($expected) - ."\n\tReceived: ".current($headers)."\n"; - } - - next($expected); } -while (next($headers) !== FALSE); +while (next($headers)); -echo ($i === 0) +echo ($i === 4) ? 'OK' - : 'A total of '.$i.' errors found.'; + : 'A total of '. (count($expected) - $i) .' errors found.'; ?> --EXPECT-- OK -- cgit v1.3
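Review bot: `substr($value,1,-1)` in the encrypted branch strips the last character as well as the leading `!`, so the loop searches the header for `awful_valu` instead of `awful_value`; it should read `substr($value, 1)`. The final verdict also hard-codes `$i === 4` while the error message computes `count($expected) - $i`; use `$i === count($expected)` so adding an entry to `$expected` cannot silently turn a passing check into an error. The encrypted branch only asserts that the plaintext is absent, so an empty or malformed cookie value passes too; it is worth additionally requiring a non-empty value after `$key . '='` in the header before incrementing `$i`.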