155 lines
5.5 KiB
RPMSpec
155 lines
5.5 KiB
RPMSpec
#
|
|
# spec file for package perl-Session-Storage-Secure
|
|
#
|
|
# Copyright (c) 2024 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define cpan_name Session-Storage-Secure
|
|
Name: perl-Session-Storage-Secure
|
|
Version: 1.0.0
|
|
Release: 0
|
|
# 1.000 -> normalize -> 1.0.0
|
|
%define cpan_version 1.000
|
|
License: Apache-2.0
|
|
Summary: Encrypted, expiring, compressed, serialized session data with integrity
|
|
URL: https://metacpan.org/release/%{cpan_name}
|
|
Source0: https://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/%{cpan_name}-%{cpan_version}.tar.gz
|
|
Source1: cpanspec.yml
|
|
Source100: README.md
|
|
BuildArch: noarch
|
|
BuildRequires: perl
|
|
BuildRequires: perl-macros
|
|
BuildRequires: perl(Crypt::CBC) >= 3.01
|
|
BuildRequires: perl(Crypt::Rijndael)
|
|
BuildRequires: perl(Crypt::URandom)
|
|
BuildRequires: perl(Digest::SHA)
|
|
BuildRequires: perl(MIME::Base64) >= 3.12
|
|
BuildRequires: perl(Math::Random::ISAAC::XS)
|
|
BuildRequires: perl(Moo)
|
|
BuildRequires: perl(MooX::Types::MooseLike::Base) >= 0.16
|
|
BuildRequires: perl(Sereal::Decoder) >= 4.005
|
|
BuildRequires: perl(Sereal::Encoder) >= 4.005
|
|
BuildRequires: perl(String::Compare::ConstantTime)
|
|
BuildRequires: perl(Test::Deep)
|
|
BuildRequires: perl(Test::Fatal)
|
|
BuildRequires: perl(Test::More) >= 0.96
|
|
BuildRequires: perl(Test::Tolerant)
|
|
BuildRequires: perl(namespace::clean)
|
|
Requires: perl(Crypt::CBC) >= 3.01
|
|
Requires: perl(Crypt::Rijndael)
|
|
Requires: perl(Crypt::URandom)
|
|
Requires: perl(Digest::SHA)
|
|
Requires: perl(MIME::Base64) >= 3.12
|
|
Requires: perl(Math::Random::ISAAC::XS)
|
|
Requires: perl(Moo)
|
|
Requires: perl(MooX::Types::MooseLike::Base) >= 0.16
|
|
Requires: perl(Sereal::Decoder) >= 4.005
|
|
Requires: perl(Sereal::Encoder) >= 4.005
|
|
Requires: perl(String::Compare::ConstantTime)
|
|
Requires: perl(namespace::clean)
|
|
Provides: perl(Session::Storage::Secure) = %{version}
|
|
%undefine __perllib_provides
|
|
%{perl_requires}
|
|
|
|
%description
|
|
This module implements a secure way to encode session data. It is primarily
|
|
intended for storing session data in browser cookies, but could be used
|
|
with other backend storage where security of stored session data is
|
|
important.
|
|
|
|
Features include:
|
|
|
|
* Data serialization and compression using Sereal
|
|
|
|
* Data encryption using AES with a unique derived key per encoded session
|
|
|
|
* Enforced expiration timestamp (optional)
|
|
|
|
* Integrity protected with a message authentication code (MAC)
|
|
|
|
The storage protocol used in this module is based heavily on at
|
|
http://www.cse.msu.edu/~alexliu/publications/Cookie/Cookie_COMNET.pdf by
|
|
Alex Liu and others. Liu proposes a session cookie value as follows:
|
|
|
|
user|expiration|E(data,k)|HMAC(user|expiration|data|ssl-key,k)
|
|
|
|
where
|
|
|
|
| denotes concatenation with a separator character
|
|
E(p,q) is a symmetric encryption of p with key q
|
|
HMAC(p,q) is a keyed message hash of p with key q
|
|
k is HMAC(user|expiration, sk)
|
|
sk is a secret key shared by all servers
|
|
ssl-key is an SSL session key
|
|
|
|
Because SSL session keys are not readily available (and SSL termination may
|
|
happen prior to the application server), we omit 'ssl-key'. This weakens
|
|
protection against replay attacks if an attacker can break the SSL session
|
|
key and intercept messages.
|
|
|
|
Using 'user' and 'expiration' to generate the encryption and MAC keys was a
|
|
method proposed to ensure unique keys to defeat volume attacks against the
|
|
secret key. Rather than rely on those for uniqueness (with the unfortunate
|
|
side effect of revealing user names and prohibiting anonymous sessions), we
|
|
replace 'user' with a cryptographically-strong random salt value.
|
|
|
|
The original proposal also calculates a MAC based on unencrypted data. We
|
|
instead calculate the MAC based on the encrypted data. This avoids an extra
|
|
step decrypting invalid messages. Because the salt is already encoded into
|
|
the key, we omit it from the MAC input.
|
|
|
|
Therefore, the session storage protocol used by this module is as follows:
|
|
|
|
salt|expiration|E(data,k)|HMAC(expiration|E(data,k),k)
|
|
|
|
where
|
|
|
|
| denotes concatenation with a separator character
|
|
E(p,q) is a symmetric encryption of p with key q
|
|
HMAC(p,q) is a keyed message hash of p with key q
|
|
k is HMAC(salt, sk)
|
|
sk is a secret key shared by all servers
|
|
|
|
The salt value is generated using Math::Random::ISAAC::XS, seeded from
|
|
Crypt::URandom.
|
|
|
|
The HMAC algorithm is 'hmac_sha256' from Digest::SHA. Encryption is done by
|
|
Crypt::CBC using Crypt::Rijndael (AES). The ciphertext and MAC's in the
|
|
cookie are Base64 encoded by MIME::Base64 by default.
|
|
|
|
During session retrieval, if the MAC does not authenticate or if the
|
|
expiration is set and in the past, the session will be discarded.
|
|
|
|
%prep
|
|
%autosetup -n %{cpan_name}-%{cpan_version}
|
|
|
|
%build
|
|
perl Makefile.PL INSTALLDIRS=vendor
|
|
%make_build
|
|
|
|
%check
|
|
make test
|
|
|
|
%install
|
|
%perl_make_install
|
|
%perl_process_packlist
|
|
%perl_gen_filelist
|
|
|
|
%files -f %{name}.files
|
|
%doc Changes CONTRIBUTING.mkdn README
|
|
%license LICENSE
|
|
|
|
%changelog
|