Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Tomcat42
perl-Session-Storage-Secure
perl-Session-Storage-Secure.spec
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File perl-Session-Storage-Secure.spec of Package perl-Session-Storage-Secure
# # spec file for package perl-Session-Storage-Secure # # Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define cpan_name Session-Storage-Secure Name: perl-Session-Storage-Secure Version: 1.000 Release: 0 Summary: Encrypted, expiring, compressed, serialized session data with integrity License: Apache-2.0 URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros BuildRequires: perl(Crypt::CBC) >= 3.01 BuildRequires: perl(Crypt::Rijndael) BuildRequires: perl(Crypt::URandom) BuildRequires: perl(Digest::SHA) BuildRequires: perl(MIME::Base64) >= 3.12 BuildRequires: perl(Math::Random::ISAAC::XS) BuildRequires: perl(Moo) BuildRequires: perl(MooX::Types::MooseLike::Base) >= 0.16 BuildRequires: perl(Sereal::Decoder) >= 4.005 BuildRequires: perl(Sereal::Encoder) >= 4.005 BuildRequires: perl(String::Compare::ConstantTime) BuildRequires: perl(Test::Deep) BuildRequires: perl(Test::Fatal) BuildRequires: perl(Test::More) >= 0.96 BuildRequires: perl(Test::Tolerant) BuildRequires: perl(namespace::clean) Requires: perl(Crypt::CBC) >= 3.01 Requires: perl(Crypt::Rijndael) Requires: perl(Crypt::URandom) Requires: perl(Digest::SHA) Requires: perl(MIME::Base64) >= 3.12 Requires: perl(Math::Random::ISAAC::XS) Requires: perl(Moo) Requires: perl(MooX::Types::MooseLike::Base) >= 0.16 Requires: perl(Sereal::Decoder) >= 4.005 Requires: perl(Sereal::Encoder) >= 4.005 Requires: perl(String::Compare::ConstantTime) Requires: perl(namespace::clean) %{perl_requires} %description This module implements a secure way to encode session data. It is primarily intended for storing session data in browser cookies, but could be used with other backend storage where security of stored session data is important. Features include: * Data serialization and compression using Sereal * Data encryption using AES with a unique derived key per encoded session * Enforced expiration timestamp (optional) * Integrity protected with a message authentication code (MAC) The storage protocol used in this module is based heavily on at http://www.cse.msu.edu/~alexliu/publications/Cookie/Cookie_COMNET.pdf by Alex Liu and others. Liu proposes a session cookie value as follows: user|expiration|E(data,k)|HMAC(user|expiration|data|ssl-key,k) where | denotes concatenation with a separator character E(p,q) is a symmetric encryption of p with key q HMAC(p,q) is a keyed message hash of p with key q k is HMAC(user|expiration, sk) sk is a secret key shared by all servers ssl-key is an SSL session key Because SSL session keys are not readily available (and SSL termination may happen prior to the application server), we omit 'ssl-key'. This weakens protection against replay attacks if an attacker can break the SSL session key and intercept messages. Using 'user' and 'expiration' to generate the encryption and MAC keys was a method proposed to ensure unique keys to defeat volume attacks against the secret key. Rather than rely on those for uniqueness (with the unfortunate side effect of revealing user names and prohibiting anonymous sessions), we replace 'user' with a cryptographically-strong random salt value. The original proposal also calculates a MAC based on unencrypted data. We instead calculate the MAC based on the encrypted data. This avoids an extra step decrypting invalid messages. Because the salt is already encoded into the key, we omit it from the MAC input. Therefore, the session storage protocol used by this module is as follows: salt|expiration|E(data,k)|HMAC(expiration|E(data,k),k) where | denotes concatenation with a separator character E(p,q) is a symmetric encryption of p with key q HMAC(p,q) is a keyed message hash of p with key q k is HMAC(salt, sk) sk is a secret key shared by all servers The salt value is generated using Math::Random::ISAAC::XS, seeded from Crypt::URandom. The HMAC algorithm is 'hmac_sha256' from Digest::SHA. Encryption is done by Crypt::CBC using Crypt::Rijndael (AES). The ciphertext and MAC's in the cookie are Base64 encoded by MIME::Base64 by default. During session retrieval, if the MAC does not authenticate or if the expiration is set and in the past, the session will be discarded. %prep %autosetup -n %{cpan_name}-%{version} %build perl Makefile.PL INSTALLDIRS=vendor %make_build %check make test %install %perl_make_install %perl_process_packlist %perl_gen_filelist %files -f %{name}.files %doc Changes CONTRIBUTING.mkdn README %license LICENSE %changelog
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor