clientsession-0.7.2: src/Web/ClientSession.hs
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE ForeignFunctionInterface #-}
{-# LANGUAGE TemplateHaskell #-}
---------------------------------------------------------
--
-- |
--
-- Module : Web.ClientSession
-- Copyright : Michael Snoyman
-- License : BSD3
--
-- Maintainer : Michael Snoyman <michael@snoyman.com>
-- Stability : Stable
-- Portability : portable
--
-- Stores session data in a client cookie. In order to do so,
-- we:
--
-- * Encrypt the cookie data using AES in CBC mode. This allows
-- you to store sensitive information on the client side without
-- worrying about eavesdropping.
--
-- * Sign the encrypted cookie data using HMAC-SHA256. Besides
-- detecting potential errors in storage or transmission of the
-- cookies (integrity), the HMAC-SHA256 code also avoids
-- malicious modifications of the cookie data by assuring you
-- that the cookie data really was generated by this server
-- (authentication).
--
-- * Encode everything using Base64. Thus we avoid problems with
-- non-printable characters by giving the browser a simple
-- string.
--
-- Simple usage of the library involves just calling
-- 'getDefaultKey' on the startup of your server, 'encryptIO'
-- when serializing cookies and 'decrypt' when parsing then back.
--
---------------------------------------------------------
module Web.ClientSession
( -- * Automatic key generation
Key(..)
, IV
, randomIV
, mkIV
, getKey
, defaultKeyFile
, getDefaultKey
, initKey
-- * Actual encryption/decryption
, encrypt
, encryptIO
, decrypt
) where
import Control.Arrow (second)
import Control.Monad (guard)
import Data.Bits (xor)
import System.Directory (doesFileExist)
import qualified Data.ByteString as S
import qualified Crypto.Cipher.AES as A
import Crypto.Hash.SHA256 (SHA256)
import Crypto.HMAC (MacKey(..), hmac')
import qualified Data.ByteString.Base64 as B
import Crypto.Random (newGenIO, genBytes, SystemRandom)
import Data.Serialize (encode)
-- | The keys used to store the cookies. We have an AES key used
-- to encrypt the cookie and a HMAC-SHA256 key used verify the
-- authencity and integrity of the cookie. The AES key needs to
-- have exactly 32 bytes (256 bits). The HMAC-SHA256 should have
-- 64 bytes (512 bits), which is the block size of SHA256, but
-- any size may be used.
--
-- See also 'getDefaultKey' and 'initKey'.
data Key = Key { aesKey :: A.Key
, hmacKey :: MacKey }
deriving (Eq, Show)
-- | The initialization vector used by AES in CBC mode. Should
-- be exactly 16 bytes long.
newtype IV = IV S.ByteString
deriving Show
-- | Construct an initialization vector from a 'S.ByteString'.
-- Fails if there isn't exactly 16 bytes.
mkIV :: S.ByteString -> Maybe IV
mkIV bs
| S.length bs == 16 = Just $ IV bs
| otherwise = Nothing
-- | Randomly construct a fresh initialization vector. You
-- /should not/ reuse initialization vectors.
randomIV :: IO IV
randomIV = fmap IV $ randomBytes 16
-- | The default key file.
defaultKeyFile :: FilePath
defaultKeyFile = "client_session_key.aes"
-- | Simply calls 'getKey' 'defaultKeyFile'.
getDefaultKey :: IO Key
getDefaultKey = getKey defaultKeyFile
-- | Get a key from the given text file.
--
-- If the file does not exist or is corrupted a random key will
-- be generated and stored in that file.
getKey :: FilePath -- ^ File name where key is stored.
-> IO Key -- ^ The actual key.
getKey keyFile = do
exists <- doesFileExist keyFile
if exists
then S.readFile keyFile >>= either (const newKey) return . initKey
else newKey
where
newKey = do
(bs, key') <- randomKey
S.writeFile keyFile bs
return key'
-- | Generate the given number of random bytes.
randomBytes :: Int -> IO S.ByteString
randomBytes len = do
g <- newGenIO
either (error . show) (return . fst) $ genBytes len (g :: SystemRandom)
-- | Generate a random 'Key'. Besides the 'Key', the
-- 'ByteString' passed to 'initKey' is returned so that it can be
-- saved for later use.
randomKey :: IO (S.ByteString, Key)
randomKey = do
bs <- randomBytes 64
case initKey bs of
Left e -> error $ "Web.ClientSession.randomKey: never here, " ++ e
Right key -> return (bs, key)
-- | Initializes a 'Key' from a random 'S.ByteString'. It's
-- better to give a 'S.ByteString' with exactly 64 bytes, but
-- anything with at least 32 bytes will work.
initKey :: S.ByteString -> Either String Key
initKey bs | S.length bs < 32 = Left $ "Web.ClientSession.initKey: length of " ++
show (S.length bs) ++ " too small."
initKey bs = fmap mk $ A.initKey256 preAesKey
where
preAesKey | S.length bs >= 64 = S.pack $ uncurry (S.zipWith xor) $ S.splitAt 32 bs
| otherwise = S.take 32 bs
mk k = Key { aesKey = k
, hmacKey = MacKey bs }
-- It's okay to have a MacKey where bs doesn't
-- have exactly 512 bits, the size of the block
-- used in SHA-256. hmac' already deals with it.
-- | Same as 'encrypt', however randomly generates the
-- initialization vector for you.
encryptIO :: Key -> S.ByteString -> IO S.ByteString
encryptIO key x = do
iv <- randomIV
return $ encrypt key iv x
-- | Encrypt (AES-CBC), sign (HMAC-SHA256) and encode (Base64)
-- the given cookie data. The returned byte string is ready to
-- be used in a response header.
encrypt :: Key -- ^ Key of the server.
-> IV -- ^ New, random initialization vector (see 'randomIV').
-> S.ByteString -- ^ Serialized cookie data.
-> S.ByteString -- ^ Encoded cookie data to be given to
-- the client browser.
encrypt key (IV iv) x =
B.encode $ S.concat [iv, encode auth, encrypted]
where
toPad = 16 - S.length x `mod` 16
pad = S.replicate toPad $ fromIntegral toPad
y = pad `S.append` x
encrypted = A.encryptCBC (aesKey key) iv y
auth = hmac' (hmacKey key) encrypted :: SHA256
-- | Decode (Base64), verify the integrity and authenticity
-- (HMAC-SHA256) and decrypt (AES-CBC) the given encoded cookie
-- data. Returns the original serialized cookie data. Fails if
-- the data is corrupted.
decrypt :: Key -- ^ Key of the server.
-> S.ByteString -- ^ Encoded cookie data given by the browser.
-> Maybe S.ByteString -- ^ Serialized cookie data.
decrypt key dataBS64 = do
dataBS <- either (const Nothing) Just $ B.decode dataBS64
if S.length dataBS `mod` 16 /= 0 || S.length dataBS < 48
then Nothing
else do
let (iv, (auth, encrypted)) = second (S.splitAt 32) $ S.splitAt 16 dataBS
auth' = hmac' (hmacKey key) encrypted :: SHA256
guard (encode auth' == auth)
let x = A.decryptCBC (aesKey key) iv encrypted
(td, _) <- S.uncons x
guard (td > 0 && td <= 16)
return $ S.drop (fromIntegral td) x