123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650 |
- // Copyright 2012 The Gorilla Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
- package securecookie
- import (
- "bytes"
- "crypto/aes"
- "crypto/cipher"
- "crypto/hmac"
- "crypto/rand"
- "crypto/sha256"
- "crypto/subtle"
- "encoding/base64"
- "encoding/gob"
- "encoding/json"
- "fmt"
- "hash"
- "io"
- "strconv"
- "strings"
- "time"
- )
- // Error is the interface of all errors returned by functions in this library.
- type Error interface {
- error
- // IsUsage returns true for errors indicating the client code probably
- // uses this library incorrectly. For example, the client may have
- // failed to provide a valid hash key, or may have failed to configure
- // the Serializer adequately for encoding value.
- IsUsage() bool
- // IsDecode returns true for errors indicating that a cookie could not
- // be decoded and validated. Since cookies are usually untrusted
- // user-provided input, errors of this type should be expected.
- // Usually, the proper action is simply to reject the request.
- IsDecode() bool
- // IsInternal returns true for unexpected errors occurring in the
- // securecookie implementation.
- IsInternal() bool
- // Cause, if it returns a non-nil value, indicates that this error was
- // propagated from some underlying library. If this method returns nil,
- // this error was raised directly by this library.
- //
- // Cause is provided principally for debugging/logging purposes; it is
- // rare that application logic should perform meaningfully different
- // logic based on Cause. See, for example, the caveats described on
- // (MultiError).Cause().
- Cause() error
- }
- // errorType is a bitmask giving the error type(s) of an cookieError value.
- type errorType int
- const (
- usageError = errorType(1 << iota)
- decodeError
- internalError
- )
- type cookieError struct {
- typ errorType
- msg string
- cause error
- }
- func (e cookieError) IsUsage() bool { return (e.typ & usageError) != 0 }
- func (e cookieError) IsDecode() bool { return (e.typ & decodeError) != 0 }
- func (e cookieError) IsInternal() bool { return (e.typ & internalError) != 0 }
- func (e cookieError) Cause() error { return e.cause }
- func (e cookieError) Error() string {
- parts := []string{"securecookie: "}
- if e.msg == "" {
- parts = append(parts, "error")
- } else {
- parts = append(parts, e.msg)
- }
- if c := e.Cause(); c != nil {
- parts = append(parts, " - caused by: ", c.Error())
- }
- return strings.Join(parts, "")
- }
- var (
- errGeneratingIV = cookieError{typ: internalError, msg: "failed to generate random iv"}
- errNoCodecs = cookieError{typ: usageError, msg: "no codecs provided"}
- errHashKeyNotSet = cookieError{typ: usageError, msg: "hash key is not set"}
- errBlockKeyNotSet = cookieError{typ: usageError, msg: "block key is not set"}
- errEncodedValueTooLong = cookieError{typ: usageError, msg: "the value is too long"}
- errValueToDecodeTooLong = cookieError{typ: decodeError, msg: "the value is too long"}
- errTimestampInvalid = cookieError{typ: decodeError, msg: "invalid timestamp"}
- errTimestampTooNew = cookieError{typ: decodeError, msg: "timestamp is too new"}
- errTimestampExpired = cookieError{typ: decodeError, msg: "expired timestamp"}
- errDecryptionFailed = cookieError{typ: decodeError, msg: "the value could not be decrypted"}
- errValueNotByte = cookieError{typ: decodeError, msg: "value not a []byte."}
- errValueNotBytePtr = cookieError{typ: decodeError, msg: "value not a pointer to []byte."}
- // ErrMacInvalid indicates that cookie decoding failed because the HMAC
- // could not be extracted and verified. Direct use of this error
- // variable is deprecated; it is public only for legacy compatibility,
- // and may be privatized in the future, as it is rarely useful to
- // distinguish between this error and other Error implementations.
- ErrMacInvalid = cookieError{typ: decodeError, msg: "the value is not valid"}
- )
- // Codec defines an interface to encode and decode cookie values.
- type Codec interface {
- Encode(name string, value interface{}) (string, error)
- Decode(name, value string, dst interface{}) error
- }
- // New returns a new SecureCookie.
- //
- // hashKey is required, used to authenticate values using HMAC. Create it using
- // GenerateRandomKey(). It is recommended to use a key with 32 or 64 bytes.
- //
- // blockKey is optional, used to encrypt values. Create it using
- // GenerateRandomKey(). The key length must correspond to the block size
- // of the encryption algorithm. For AES, used by default, valid lengths are
- // 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
- // The default encoder used for cookie serialization is encoding/gob.
- //
- // Note that keys created using GenerateRandomKey() are not automatically
- // persisted. New keys will be created when the application is restarted, and
- // previously issued cookies will not be able to be decoded.
- func New(hashKey, blockKey []byte) *SecureCookie {
- s := &SecureCookie{
- hashKey: hashKey,
- blockKey: blockKey,
- hashFunc: sha256.New,
- maxAge: 86400 * 30,
- maxLength: 4096,
- sz: GobEncoder{},
- }
- if len(hashKey) == 0 {
- s.err = errHashKeyNotSet
- }
- if blockKey != nil {
- s.BlockFunc(aes.NewCipher)
- }
- return s
- }
- // SecureCookie encodes and decodes authenticated and optionally encrypted
- // cookie values.
- type SecureCookie struct {
- hashKey []byte
- hashFunc func() hash.Hash
- blockKey []byte
- block cipher.Block
- maxLength int
- maxAge int64
- minAge int64
- err error
- sz Serializer
- // For testing purposes, the function that returns the current timestamp.
- // If not set, it will use time.Now().UTC().Unix().
- timeFunc func() int64
- }
- // Serializer provides an interface for providing custom serializers for cookie
- // values.
- type Serializer interface {
- Serialize(src interface{}) ([]byte, error)
- Deserialize(src []byte, dst interface{}) error
- }
- // GobEncoder encodes cookie values using encoding/gob. This is the simplest
- // encoder and can handle complex types via gob.Register.
- type GobEncoder struct{}
- // JSONEncoder encodes cookie values using encoding/json. Users who wish to
- // encode complex types need to satisfy the json.Marshaller and
- // json.Unmarshaller interfaces.
- type JSONEncoder struct{}
- // NopEncoder does not encode cookie values, and instead simply accepts a []byte
- // (as an interface{}) and returns a []byte. This is particularly useful when
- // you encoding an object upstream and do not wish to re-encode it.
- type NopEncoder struct{}
- // MaxLength restricts the maximum length, in bytes, for the cookie value.
- //
- // Default is 4096, which is the maximum value accepted by Internet Explorer.
- func (s *SecureCookie) MaxLength(value int) *SecureCookie {
- s.maxLength = value
- return s
- }
- // MaxAge restricts the maximum age, in seconds, for the cookie value.
- //
- // Default is 86400 * 30. Set it to 0 for no restriction.
- func (s *SecureCookie) MaxAge(value int) *SecureCookie {
- s.maxAge = int64(value)
- return s
- }
- // MinAge restricts the minimum age, in seconds, for the cookie value.
- //
- // Default is 0 (no restriction).
- func (s *SecureCookie) MinAge(value int) *SecureCookie {
- s.minAge = int64(value)
- return s
- }
- // HashFunc sets the hash function used to create HMAC.
- //
- // Default is crypto/sha256.New.
- func (s *SecureCookie) HashFunc(f func() hash.Hash) *SecureCookie {
- s.hashFunc = f
- return s
- }
- // BlockFunc sets the encryption function used to create a cipher.Block.
- //
- // Default is crypto/aes.New.
- func (s *SecureCookie) BlockFunc(f func([]byte) (cipher.Block, error)) *SecureCookie {
- if s.blockKey == nil {
- s.err = errBlockKeyNotSet
- } else if block, err := f(s.blockKey); err == nil {
- s.block = block
- } else {
- s.err = cookieError{cause: err, typ: usageError}
- }
- return s
- }
- // Encoding sets the encoding/serialization method for cookies.
- //
- // Default is encoding/gob. To encode special structures using encoding/gob,
- // they must be registered first using gob.Register().
- func (s *SecureCookie) SetSerializer(sz Serializer) *SecureCookie {
- s.sz = sz
- return s
- }
- // Encode encodes a cookie value.
- //
- // It serializes, optionally encrypts, signs with a message authentication code,
- // and finally encodes the value.
- //
- // The name argument is the cookie name. It is stored with the encoded value.
- // The value argument is the value to be encoded. It can be any value that can
- // be encoded using the currently selected serializer; see SetSerializer().
- //
- // It is the client's responsibility to ensure that value, when encoded using
- // the current serialization/encryption settings on s and then base64-encoded,
- // is shorter than the maximum permissible length.
- func (s *SecureCookie) Encode(name string, value interface{}) (string, error) {
- if s.err != nil {
- return "", s.err
- }
- if s.hashKey == nil {
- s.err = errHashKeyNotSet
- return "", s.err
- }
- var err error
- var b []byte
- // 1. Serialize.
- if b, err = s.sz.Serialize(value); err != nil {
- return "", cookieError{cause: err, typ: usageError}
- }
- // 2. Encrypt (optional).
- if s.block != nil {
- if b, err = encrypt(s.block, b); err != nil {
- return "", cookieError{cause: err, typ: usageError}
- }
- }
- b = encode(b)
- // 3. Create MAC for "name|date|value". Extra pipe to be used later.
- b = []byte(fmt.Sprintf("%s|%d|%s|", name, s.timestamp(), b))
- mac := createMac(hmac.New(s.hashFunc, s.hashKey), b[:len(b)-1])
- // Append mac, remove name.
- b = append(b, mac...)[len(name)+1:]
- // 4. Encode to base64.
- b = encode(b)
- // 5. Check length.
- if s.maxLength != 0 && len(b) > s.maxLength {
- return "", errEncodedValueTooLong
- }
- // Done.
- return string(b), nil
- }
- // Decode decodes a cookie value.
- //
- // It decodes, verifies a message authentication code, optionally decrypts and
- // finally deserializes the value.
- //
- // The name argument is the cookie name. It must be the same name used when
- // it was stored. The value argument is the encoded cookie value. The dst
- // argument is where the cookie will be decoded. It must be a pointer.
- func (s *SecureCookie) Decode(name, value string, dst interface{}) error {
- if s.err != nil {
- return s.err
- }
- if s.hashKey == nil {
- s.err = errHashKeyNotSet
- return s.err
- }
- // 1. Check length.
- if s.maxLength != 0 && len(value) > s.maxLength {
- return errValueToDecodeTooLong
- }
- // 2. Decode from base64.
- b, err := decode([]byte(value))
- if err != nil {
- return err
- }
- // 3. Verify MAC. Value is "date|value|mac".
- parts := bytes.SplitN(b, []byte("|"), 3)
- if len(parts) != 3 {
- return ErrMacInvalid
- }
- h := hmac.New(s.hashFunc, s.hashKey)
- b = append([]byte(name+"|"), b[:len(b)-len(parts[2])-1]...)
- if err = verifyMac(h, b, parts[2]); err != nil {
- return err
- }
- // 4. Verify date ranges.
- var t1 int64
- if t1, err = strconv.ParseInt(string(parts[0]), 10, 64); err != nil {
- return errTimestampInvalid
- }
- t2 := s.timestamp()
- if s.minAge != 0 && t1 > t2-s.minAge {
- return errTimestampTooNew
- }
- if s.maxAge != 0 && t1 < t2-s.maxAge {
- return errTimestampExpired
- }
- // 5. Decrypt (optional).
- b, err = decode(parts[1])
- if err != nil {
- return err
- }
- if s.block != nil {
- if b, err = decrypt(s.block, b); err != nil {
- return err
- }
- }
- // 6. Deserialize.
- if err = s.sz.Deserialize(b, dst); err != nil {
- return cookieError{cause: err, typ: decodeError}
- }
- // Done.
- return nil
- }
- // timestamp returns the current timestamp, in seconds.
- //
- // For testing purposes, the function that generates the timestamp can be
- // overridden. If not set, it will return time.Now().UTC().Unix().
- func (s *SecureCookie) timestamp() int64 {
- if s.timeFunc == nil {
- return time.Now().UTC().Unix()
- }
- return s.timeFunc()
- }
- // Authentication -------------------------------------------------------------
- // createMac creates a message authentication code (MAC).
- func createMac(h hash.Hash, value []byte) []byte {
- h.Write(value)
- return h.Sum(nil)
- }
- // verifyMac verifies that a message authentication code (MAC) is valid.
- func verifyMac(h hash.Hash, value []byte, mac []byte) error {
- mac2 := createMac(h, value)
- // Check that both MACs are of equal length, as subtle.ConstantTimeCompare
- // does not do this prior to Go 1.4.
- if len(mac) == len(mac2) && subtle.ConstantTimeCompare(mac, mac2) == 1 {
- return nil
- }
- return ErrMacInvalid
- }
- // Encryption -----------------------------------------------------------------
- // encrypt encrypts a value using the given block in counter mode.
- //
- // A random initialization vector (http://goo.gl/zF67k) with the length of the
- // block size is prepended to the resulting ciphertext.
- func encrypt(block cipher.Block, value []byte) ([]byte, error) {
- iv := GenerateRandomKey(block.BlockSize())
- if iv == nil {
- return nil, errGeneratingIV
- }
- // Encrypt it.
- stream := cipher.NewCTR(block, iv)
- stream.XORKeyStream(value, value)
- // Return iv + ciphertext.
- return append(iv, value...), nil
- }
- // decrypt decrypts a value using the given block in counter mode.
- //
- // The value to be decrypted must be prepended by a initialization vector
- // (http://goo.gl/zF67k) with the length of the block size.
- func decrypt(block cipher.Block, value []byte) ([]byte, error) {
- size := block.BlockSize()
- if len(value) > size {
- // Extract iv.
- iv := value[:size]
- // Extract ciphertext.
- value = value[size:]
- // Decrypt it.
- stream := cipher.NewCTR(block, iv)
- stream.XORKeyStream(value, value)
- return value, nil
- }
- return nil, errDecryptionFailed
- }
- // Serialization --------------------------------------------------------------
- // Serialize encodes a value using gob.
- func (e GobEncoder) Serialize(src interface{}) ([]byte, error) {
- buf := new(bytes.Buffer)
- enc := gob.NewEncoder(buf)
- if err := enc.Encode(src); err != nil {
- return nil, cookieError{cause: err, typ: usageError}
- }
- return buf.Bytes(), nil
- }
- // Deserialize decodes a value using gob.
- func (e GobEncoder) Deserialize(src []byte, dst interface{}) error {
- dec := gob.NewDecoder(bytes.NewBuffer(src))
- if err := dec.Decode(dst); err != nil {
- return cookieError{cause: err, typ: decodeError}
- }
- return nil
- }
- // Serialize encodes a value using encoding/json.
- func (e JSONEncoder) Serialize(src interface{}) ([]byte, error) {
- buf := new(bytes.Buffer)
- enc := json.NewEncoder(buf)
- if err := enc.Encode(src); err != nil {
- return nil, cookieError{cause: err, typ: usageError}
- }
- return buf.Bytes(), nil
- }
- // Deserialize decodes a value using encoding/json.
- func (e JSONEncoder) Deserialize(src []byte, dst interface{}) error {
- dec := json.NewDecoder(bytes.NewReader(src))
- if err := dec.Decode(dst); err != nil {
- return cookieError{cause: err, typ: decodeError}
- }
- return nil
- }
- // Serialize passes a []byte through as-is.
- func (e NopEncoder) Serialize(src interface{}) ([]byte, error) {
- if b, ok := src.([]byte); ok {
- return b, nil
- }
- return nil, errValueNotByte
- }
- // Deserialize passes a []byte through as-is.
- func (e NopEncoder) Deserialize(src []byte, dst interface{}) error {
- if dat, ok := dst.(*[]byte); ok {
- *dat = src
- return nil
- }
- return errValueNotBytePtr
- }
- // Encoding -------------------------------------------------------------------
- // encode encodes a value using base64.
- func encode(value []byte) []byte {
- encoded := make([]byte, base64.URLEncoding.EncodedLen(len(value)))
- base64.URLEncoding.Encode(encoded, value)
- return encoded
- }
- // decode decodes a cookie using base64.
- func decode(value []byte) ([]byte, error) {
- decoded := make([]byte, base64.URLEncoding.DecodedLen(len(value)))
- b, err := base64.URLEncoding.Decode(decoded, value)
- if err != nil {
- return nil, cookieError{cause: err, typ: decodeError, msg: "base64 decode failed"}
- }
- return decoded[:b], nil
- }
- // Helpers --------------------------------------------------------------------
- // GenerateRandomKey creates a random key with the given length in bytes.
- // On failure, returns nil.
- //
- // Note that keys created using `GenerateRandomKey()` are not automatically
- // persisted. New keys will be created when the application is restarted, and
- // previously issued cookies will not be able to be decoded.
- //
- // Callers should explicitly check for the possibility of a nil return, treat
- // it as a failure of the system random number generator, and not continue.
- func GenerateRandomKey(length int) []byte {
- k := make([]byte, length)
- if _, err := io.ReadFull(rand.Reader, k); err != nil {
- return nil
- }
- return k
- }
- // CodecsFromPairs returns a slice of SecureCookie instances.
- //
- // It is a convenience function to create a list of codecs for key rotation. Note
- // that the generated Codecs will have the default options applied: callers
- // should iterate over each Codec and type-assert the underlying *SecureCookie to
- // change these.
- //
- // Example:
- //
- // codecs := securecookie.CodecsFromPairs(
- // []byte("new-hash-key"),
- // []byte("new-block-key"),
- // []byte("old-hash-key"),
- // []byte("old-block-key"),
- // )
- //
- // // Modify each instance.
- // for _, s := range codecs {
- // if cookie, ok := s.(*securecookie.SecureCookie); ok {
- // cookie.MaxAge(86400 * 7)
- // cookie.SetSerializer(securecookie.JSONEncoder{})
- // cookie.HashFunc(sha512.New512_256)
- // }
- // }
- //
- func CodecsFromPairs(keyPairs ...[]byte) []Codec {
- codecs := make([]Codec, len(keyPairs)/2+len(keyPairs)%2)
- for i := 0; i < len(keyPairs); i += 2 {
- var blockKey []byte
- if i+1 < len(keyPairs) {
- blockKey = keyPairs[i+1]
- }
- codecs[i/2] = New(keyPairs[i], blockKey)
- }
- return codecs
- }
- // EncodeMulti encodes a cookie value using a group of codecs.
- //
- // The codecs are tried in order. Multiple codecs are accepted to allow
- // key rotation.
- //
- // On error, may return a MultiError.
- func EncodeMulti(name string, value interface{}, codecs ...Codec) (string, error) {
- if len(codecs) == 0 {
- return "", errNoCodecs
- }
- var errors MultiError
- for _, codec := range codecs {
- encoded, err := codec.Encode(name, value)
- if err == nil {
- return encoded, nil
- }
- errors = append(errors, err)
- }
- return "", errors
- }
- // DecodeMulti decodes a cookie value using a group of codecs.
- //
- // The codecs are tried in order. Multiple codecs are accepted to allow
- // key rotation.
- //
- // On error, may return a MultiError.
- func DecodeMulti(name string, value string, dst interface{}, codecs ...Codec) error {
- if len(codecs) == 0 {
- return errNoCodecs
- }
- var errors MultiError
- for _, codec := range codecs {
- err := codec.Decode(name, value, dst)
- if err == nil {
- return nil
- }
- errors = append(errors, err)
- }
- return errors
- }
- // MultiError groups multiple errors.
- type MultiError []error
- func (m MultiError) IsUsage() bool { return m.any(func(e Error) bool { return e.IsUsage() }) }
- func (m MultiError) IsDecode() bool { return m.any(func(e Error) bool { return e.IsDecode() }) }
- func (m MultiError) IsInternal() bool { return m.any(func(e Error) bool { return e.IsInternal() }) }
- // Cause returns nil for MultiError; there is no unique underlying cause in the
- // general case.
- //
- // Note: we could conceivably return a non-nil Cause only when there is exactly
- // one child error with a Cause. However, it would be brittle for client code
- // to rely on the arity of causes inside a MultiError, so we have opted not to
- // provide this functionality. Clients which really wish to access the Causes
- // of the underlying errors are free to iterate through the errors themselves.
- func (m MultiError) Cause() error { return nil }
- func (m MultiError) Error() string {
- s, n := "", 0
- for _, e := range m {
- if e != nil {
- if n == 0 {
- s = e.Error()
- }
- n++
- }
- }
- switch n {
- case 0:
- return "(0 errors)"
- case 1:
- return s
- case 2:
- return s + " (and 1 other error)"
- }
- return fmt.Sprintf("%s (and %d other errors)", s, n-1)
- }
- // any returns true if any element of m is an Error for which pred returns true.
- func (m MultiError) any(pred func(Error) bool) bool {
- for _, e := range m {
- if ourErr, ok := e.(Error); ok && pred(ourErr) {
- return true
- }
- }
- return false
- }
|