catalinux / rocketgit (public) (License: Affero GPLv3) (since 2015-03-19) (hash sha1)
Main RocketGit repo
Clone URLs: https://rocketgit.com/user/catalinux/rocketgit ssh://rocketgit@ssh.rocketgit.com/user/catalinux/rocketgit git://git.rocketgit.com/user/catalinux/rocketgit
v0.0 v0.1 v0.10 v0.11 v0.12 v0.13 v0.14 v0.15 v0.17 v0.18 v0.19 v0.2 v0.20 v0.21 v0.22 v0.23 v0.24 v0.25 v0.27 v0.28 v0.29 v0.31 v0.32 v0.33 v0.34 v0.35 v0.36 v0.38 v0.39 v0.40 v0.41 v0.42 v0.43 v0.44 v0.45 v0.46 v0.47 v0.48 v0.49 v0.50 v0.51 v0.52 v0.53 v0.54 v0.55 v0.56 v0.57 v0.58 v0.60 v0.61 v0.62 v0.63 v0.64 v0.65 v0.66 v0.67 v0.68 v0.69 v0.70 v0.71 v0.72 v0.73 v0.77 v0.78 v0.79 v0.80 group1/branch1 group2/subgroup1/branch2 main master release

/inc/token.inc.php (b13fc12bf1b52f5ceccf9d9f367f4b7e6edb5de0) (6037 bytes) (mode 100644) (type blob)

<?php
require_once(__DIR__ . '/util2.inc.php');
require_once(__DIR__ . '/log.inc.php');
require_once(__DIR__ . '/sql.inc.php');
require_once(__DIR__ . '/cache.inc.php');
require_once(__DIR__ . '/prof.inc.php');

$rg_token_error = "";

function rg_token_set_error($str)
{
	global $rg_token_error;
	$rg_token_error = $str;
	rg_log($str);
}

function rg_token_error()
{
	global $rg_token_error;
	return $rg_token_error;
}

/*
 * Delete a token
 */
function rg_token_delete($db, $sid, $token)
{
	rg_prof_start("token_delete");
	rg_log_enter("token_delete: sid=$sid token=$token");

	$ret = array();
	$ret['ok'] = 0;
	while (1) {
		$params = array("sid" => $sid);
		$add_token = "";
		if (!empty($token)) {
			$add_token = " AND token = @@token@@";
			$params['token'] = $token;
		}

		$sql = "DELETE FROM tokens"
			. " WHERE sid = @@sid@@"
			. $add_token;
		$res = rg_sql_query_params($db, $sql, $params);
		if ($res === FALSE) {
			rg_token_set_error("cannot delete token (" . rg_sql_error() . ")");
			break;
		}
		rg_sql_free_result($res);

		$ret['ok'] = 1;
		break;
	}

	rg_log_exit();
	rg_prof_end("token_delete");
	return $ret;
}

/*
 * This function will get the master key from db
 */
function rg_token_get_master($db)
{
	rg_prof_start("token_get_master");
	rg_log_enter("token_get_master");

	$ret = FALSE;
	while (1) {
		$key = rg_state_get($db, 'token_key');
		if ($key === FALSE) {
			rg_token_set_error("cannot get token_key:"
				. " " . rg_state_error());
			break;
		}

		if (empty($key)) {
			$key = rg_id(32);
			$r = rg_state_set($db, 'token_key', $key);
			if ($r !== TRUE) {
				rg_token_set_error("cannot set state:"
					. " " . rg_state_error());
				break;
			}
		}

		$ret = $key;
		break;
	}

	rg_log_exit();
	rg_prof_end("token_get_master");
	return $ret;
}

/*
 * Returns TRUE if the token is valid
 * @double_allowed - if TRUE, we will not mark the token as used
 * (for example, logout token does not have to be marked as used)
 */
function rg_token_valid($db, $rg, $tag, $double_allowed)
{
	global $rg_sid; // TODO: sess depends on token...

	rg_prof_start("token_valid");
	rg_log_enter('token_valid: sid=' . $rg_sid . ' token=' . $rg['token']
		. ' tag=' . $tag);

	$ret = FALSE;
	while (1) {
		$len = strlen($rg['token']);
		if ($len < 32) {
			rg_token_set_error("invalid token");
			rg_security_violation_no_exit("invalid token ($len != 32)");
			break;
		}
		$rg['token'] = substr($rg['token'], 0, 32);

		$key = rg_token_get_master($db);
		if ($key === FALSE)
			break;

		$rand = substr($rg['token'], 0, 16);
		$sign = substr($rg['token'], 16, 16);

		$data = $rand . $rg_sid . $tag;
		$hash = hash_hmac('sha512', $data, $key);
		if ($hash === FALSE) {
			rg_token_set_error("cannot compute hmac");
			break;
		}

		$hash = substr($hash, 0, 16);
		if (strcmp($sign, $hash) != 0) {
			rg_log_debug('substr(token, 16, 16)=' . $sign . ' !='
				. ' hash_hmac(data,key)=' . $hash . ' data=' . $data);
			rg_token_set_error("token invalid");
			rg_security_violation_no_exit("invalid token (sign)");
			break;
		}

		$ukey = 'sess' . '::' . $rg_sid . '::' . 'used_tokens'
			. '::' . $rg['token'];
		$c = rg_cache_get($ukey);
		if ($c === '1') {
			rg_token_set_error("token already used");
			break;
		}

		$params = array("sid" => $rg_sid,
			"token" => $rg['token'],
			"expire" => time() + 24 * 3600);

		if ($c === FALSE) {
			// We check to see if token was already used
			$sql = "SELECT 1 FROM tokens"
				. " WHERE sid = @@sid@@"
				. " AND token = @@token@@";
			$res = rg_sql_query_params($db, $sql, $params);
			if ($res === FALSE) {
				rg_token_set_error("cannot check if token is used"
					. " (" . rg_sql_error() . ")");
				break;
			}
			$rows = rg_sql_num_rows($res);
			rg_sql_free_result($res);
			if ($rows == 1) {
				rg_token_set_error("token already used");
				break;
			}
		}

		// TODO: shouldn't we move this before the above query?!
		if (strncmp($rg_sid, "X", 1) == 0) {
			// We have a pre-login session: we do not have to mark
			// the token as used.
			$ret = TRUE;
			break;
		}

		if ($double_allowed) {
			$ret = TRUE;
			break;
		}

		// Unset cached token to generate a new one for this tag
		$tkey = 'sess' . '::' . $rg_sid . '::' . 'token'
			. '::' . $tag;
		rg_cache_unset($tkey, RG_SOCKET_NO_WAIT);

		$sql = "INSERT INTO tokens (sid, token, expire)"
			. " VALUES (@@sid@@, @@token@@, @@expire@@)";
		$res = rg_sql_query_params($db, $sql, $params);
		if ($res === FALSE) {
			rg_token_set_error("cannot insert token"
				. " (" . rg_sql_error() . ")");
			break;
		}
		rg_sql_free_result($res);

		// This is an optimization to not look next time in db
		rg_cache_set($ukey, '1', RG_SOCKET_NO_WAIT);

		$ret = TRUE;
		break;
	}

	rg_log_exit();
	rg_prof_end("token_valid");
	return $ret;
}

/*
 * Returns a token to be used on a form/url
 * We generate only one per form (tag is the id), but multiple per session.
 */
function rg_token_get($db, $rg, $tag)
{
	global $rg_sid;

	rg_log_enter('token_get: sid=' . $rg_sid . ' tag=' . $tag);

	$ret = FALSE;
	while (1) {
		if (empty($rg_sid)) {
			rg_token_set_error('empty sid');
			break;
		}

		$key = 'sess' . '::' . $rg_sid . '::' . 'token' . '::' . $tag;
		$c = rg_cache_get($key);
		if ($c !== FALSE) {
			$ret = $c;
			break;
		}

		$sign_key = rg_token_get_master($db);
		if ($sign_key === FALSE)
			break;

		// Add a random string to protect against BREACH attack
		$rand = rg_id(16);
		$data = $rand . $rg_sid . $tag;
		$sign = hash_hmac('sha512', $data, $sign_key);
		if ($sign === FALSE) {
			rg_token_set_error('cannot compute hmac');
			break;
		}
		$sign = substr($sign, 0, 16);
		$ret = $rand . $sign;
		rg_log_debug('generated token ' . $ret);
		$ret2 = $ret;

		if (rg_debug() > 0)
			$ret2 .= ':' . $tag;

		rg_cache_set($key, $ret2, RG_SOCKET_NO_WAIT);

		// Optimization to not look in database next time
		$key = 'sess' . '::' . $rg_sid . '::' . 'used_tokens'
			. '::' . $ret;
		rg_cache_set($key, '0', RG_SOCKET_NO_WAIT);

		$ret = $ret2;
		break;
	}

	rg_log_exit();
	return $ret;
}

Mode Type Size Ref File
100644 blob 9 f3c7a7c5da68804a1bdf391127ba34aed33c3cca .exclude
100644 blob 108 acc2186b1d357966e09df32afcea14933f5f0c78 .gitignore
100644 blob 375 1f425bcd2049c526744d449511094fc045ceac74 AUTHORS
100644 blob 2375 07d4a2277dd1c385e2562a9ac7c636bcdd084c18 History.txt
100644 blob 34520 dba13ed2ddf783ee8118c6a581dbf75305f816a3 LICENSE
100644 blob 3632 f216d8f6ca7180c095ee4fcbe96d8fc2ca2b0dee Makefile.in
100644 blob 5325 96c40d868ce10b715299085ccffb30f96a730cf3 README
100644 blob 192509 58df4c67a312c3a7dc7d0f102b55e90b9127bc87 TODO
100644 blob 1294 f22911eb777f0695fcf81ad686eac133eb11fcc4 TODO-plans
100644 blob 203 a2863c67c3da44126b61a15a6f09738c25e0fbe0 TODO.perf
100644 blob 967 56bbaa7c937381fb10a2907b6bbe056ef8cc824a TODO.vm
040000 tree - 21928e906ad2907a55c2e81c2a8b0502b586b8a0 artwork
100644 blob 5328 d5be4cc3f15d059ad8d267d800c602e9774816a8 compare.csv
100755 blob 30 92c4bc48245c00408cd7e1fd89bc1a03058f4ce4 configure
040000 tree - 0a74883db0753f35db9a227ed8f0f46e3c8b1746 debian
040000 tree - fa4b417ddd8b9684c764ea6f1c96065c4d9427b1 docker
040000 tree - f67d3605efbd6422a8acdd953578991139266391 docs
100755 blob 18252 e2438615edba7066a730ed6a796a5302263f1f37 duilder
100644 blob 536 4d35fc700881fc03e043a4c22d8770baa298d093 duilder.conf
040000 tree - 73914e7faf49474a12b29e936ae77006254cc1a1 hooks
040000 tree - 343af578d66f98094554d1c45d863a21f2dfbf2f inc
040000 tree - e255ce234c3993998edc12bc7e93fff555376eda misc
100644 blob 6307 67d5e75076766ad844969abaff446face8ca9eff rocketgit.spec
040000 tree - 459cf6e889bc65568b4fe8d99774380bd2844b39 root
040000 tree - b6db32295abaf3229561581e7577da53af8caf47 samples
040000 tree - 3e6d3d08c1a0baea952bada0f36e29ad9f82d778 scripts
040000 tree - 454044f7e286fe13ec18598fce6b613190f52e5e selinux
100755 blob 256 462ccd108c431f54e380cdac2329129875a318b5 spell_check.sh
040000 tree - d9260d3cf0d6490be720312893600a8041bf991b techdocs
040000 tree - fae18775ac52de4a170fcd1baa733433f31b9559 tests
040000 tree - e810d7397575886ef495708d571eb3675f6928ba tools
Hints:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"

Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/catalinux/rocketgit

Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/catalinux/rocketgit

Clone this repository using git:
git clone git://git.rocketgit.com/user/catalinux/rocketgit

You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main