File Coverage

blib/lib/Apache/AppSamurai/Session/Generate/HMAC_SHA.pm
Criterion Covered Total %
statement 25 27 92.5
branch 6 12 50.0
condition n/a
subroutine 7 7 100.0
pod 0 3 0.0
total 38 49 77.5


line stmt bran cond sub pod time code
1             # Apache::AppSamurai::Session::Generate::HMAC_SHA - Apache::Session generator
2             # module. Replaces MD5 generator with one that
3             # takes input server key and client session key
4             # and returns the SHAx HMAC of the two.
5              
6             # $Id: HMAC_SHA.pm,v 1.9 2008/04/30 21:40:10 pauldoom Exp $
7              
8             ##
9             # Copyright (c) 2008 Paul M. Hirsch (paul@voltagenoir.org).
10             # All rights reserved.
11             #
12             # This program is free software; you can redistribute it and/or modify it under
13             # the same terms as Perl itself.
14             ##
15              
16             package Apache::AppSamurai::Session::Generate::HMAC_SHA;
17 1     1   24280 use strict;
  1         4  
  1         36  
18 1     1   5 use warnings;
  1         2  
  1         27  
19              
20 1     1   4 use vars qw($VERSION);
  1         3  
  1         66  
21             $VERSION = substr(q$Revision: 1.9 $, 10, -1);
22              
23 1     1   1216 use Digest::SHA qw(sha256_hex hmac_sha256_hex);
  1         4372  
  1         312  
24              
25             # Instead of adding even more options, I decided to just use SHA-256.
26             # $length is the digest length in hex digits (256 bits / 4 bits per digit).
27             my $length = 64;
28              
# Derive the session ID for $session and store it in the session data.
#
# Reads two values from $session->{args}:
#   ServerKey - server-side key, expected to arrive already hashed
#   key       - per-session authentication key
# Each must exist and pass checkhash(); otherwise the sub dies with the
# corresponding message.
#
# The ID is hmac_sha256_hex(key, ServerKey). No random input is mixed in
# here, so the ID is fully determined by those two values and is only as
# unpredictable as they are.
#
# Returns the value stored in $session->{data}->{_session_id}.
sub generate {
    my ($session) = @_;

    die "HMAC session support requires a ServerKey"
        unless exists $session->{args}->{ServerKey};

    # Only the format is checked: the ServerKey is expected to be pre-hashed.
    die "Invalid ServerKey"
        unless checkhash($session->{args}->{ServerKey});

    die "HMAC session support requires a per-session Authentication Key (key)"
        unless exists $session->{args}->{key};
    die "Invalid Session Authentication Key"
        unless checkhash($session->{args}->{key});

    # Digest::SHA takes (data, key): the per-session key is the message and
    # the ServerKey is the HMAC key.
    my $id = hmac_sha256_hex(
        $session->{args}->{key},
        $session->{args}->{ServerKey},
    );
    $session->{data}->{_session_id} = $id;

    return $session->{data}->{_session_id};
}
44              
# Die unless the session ID held in $session->{data}->{_session_id} has the
# form checkhash() accepts.
#
# This is the gate that must run before the ID is used to reach into the
# database or the disk, so a malformed ID never gets that far.
sub validate {
    my ($session) = @_;

    checkhash($session->{data}->{_session_id})
        or die "Invalid Session ID Value";
}
56              
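# Return 1 when $hash is exactly $length hexadecimal digits, 0 otherwise.
#
# generate() and validate() rely on this to vet the ServerKey, the
# per-session key and the session ID. The pattern is anchored with \A and
# \z rather than ^ and $: a trailing "$" also matches just before a final
# newline, so "<$length hex digits>\n" would otherwise be accepted as a
# well-formed value.
sub checkhash {
    my $hash = shift;

    # An undefined value (for example a key that exists but was never set)
    # is not a hash; reject it without tripping an "uninitialized" warning.
    return 0 unless defined $hash;

    return ($hash =~ /\A[a-fA-F0-9]{$length}\z/) ? 1 : 0;
}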
66              
67             1; # End of Apache::AppSamurai::Session::Generate::HMAC_SHA
68              
69             __END__