From 59616f786efa2e02859cb8ba5695bd4faa775ff7 Mon Sep 17 00:00:00 2001
From: Rob van Son
Date: Mon, 25 Jun 2012 10:31:18 +0200
Subject: [PATCH] Variable IP address capability
---
 CGIscriptor.pl | 38 ++++++++++++++++++++++++++++----------
 Private/.Passwords/testchallenge | 4 ++--
 2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/CGIscriptor.pl b/CGIscriptor.pl
index 0657251..2c726ec 100755
--- a/CGIscriptor.pl
+++ b/CGIscriptor.pl
@@ -3185,8 +3185,13 @@ sub Log_In_Access # () -> 0 = Access Allowed, Login page if access is not allowe
 # CHALLENGE
 if($CHALLENGETICKET) {
- goto Login unless (-s "$SessionPath/$CHALLENGETICKET");
- my $ticket_valid = check_ticket_validity("CHALLENGE", "$SessionPath/$CHALLENGETICKET", $REMOTE_ADDR, $PATH_INFO);
+ goto Login unless (-s "$SessionPath/$CHALLENGETICKET");
+ my $address = $REMOTE_ADDR;
+ if($sessionContent->{Type}->[0] eq 'CHALLENGE' && grep(/^VariableREMOTE_ADDR$/, @{$authorization->{'Capabilities'}}))
+ {
+ $address = "";
+ };
+ my $ticket_valid = check_ticket_validity("CHALLENGE", "$SessionPath/$CHALLENGETICKET", $address, $PATH_INFO);
 goto Login unless $ticket_valid;
 my $oldchallenge = read_ticket("$SessionPath/$CHALLENGETICKET");
@@ -3592,10 +3597,7 @@ sub create_session_file #($sessionfile, $loginfile, $authorizationfile, $path) -
 $sessionContent->{Session} = [$sessionid];
 $sessionContent->{Time} = [time];
 # Allow use of Tor if Session Type is CHALLENGE
- unless($sessionContent->{Type}->[0] eq 'CHALLENGE' && grep(/^VariableREMOTE_ADDRESS$/, @{$authorization->{'Capabilities'}}))
- {
- $sessionContent->{IPaddress} = $loginticket->{'IPaddress'};
- };
+ $sessionContent->{IPaddress} = $loginticket->{'IPaddress'};
 $sessionContent->{Salt} = $authorization->{'Salt'};
 $sessionContent->{Randomsalt} = $loginticket->{'Randomsalt'};
 $sessionContent->{AllowedPaths} = $authorization->{'AllowedPaths'};
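Review bot: The new exemption in Log_In_Access tests `$sessionContent->{Type}->[0]` and `$authorization->{'Capabilities'}` before the challenge ticket is read on the line after (`my $oldchallenge = read_ticket(...)`), so unless both are file-level globals already populated for this request they are undefined here and the branch can never fire; if they are globals, it should be confirmed that they describe the same user as the ticket being validated, because passing an empty `$address` disables the IP binding for that ticket entirely (see the check_ticket_validity hunk at 3655). The "Allow use of Tor" comment that the second hunk removes from create_session_file explains the intent and should move with the logic, e.g. `# VariableREMOTE_ADDR: skip the IP binding for CHALLENGE sessions (e.g. Tor users)` above the `if`. Note also that the second hunk now always stores the login ticket's IPaddress in the session, so the exemption relies solely on this caller-side check. Log_In_Access starts and ends outside the hunk.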
@@ -3634,10 +3636,18 @@ sub check_ticket_validity # ($type, $ticketfile, $address, $path [, $unsigned])
 # There is a session ticket, is it linked to this IP address?
 my $ticket = read_ticket($ticketfile);
- return unless $ticket;
+ unless($ticket)
+ {
+ print STDERR "Ticket expired or empty: $ticketfile\n";
+ return;
+ };
 # Is this the right type of ticket
- return unless $ticket && $ticket->{"Type"}->[0] eq $type;
+ unless($ticket && $ticket->{'Type'}->[0] eq $type)
+ {
+ print STDERR "Wrong ticket type: $ticket->{'Type'}->[0] eq $type\n";
+ return;
+ };
 # Does the IP address match?
 my $IPmatches = 0;
@@ -3645,7 +3655,11 @@ sub check_ticket_validity # ($type, $ticketfile, $address, $path [, $unsigned])
 {
 ++$IPmatches if $address =~ m#^$IPpattern#ig;
 };
- return 0 unless !$ticket->{"IPaddress"} || $IPmatches;
+ if($address && ! $IPmatches)
+ {
+ print STDERR "Wrong REMOTE ADDR for $ticket->{'Username'}->[0]: $ticket->{'IPaddress'}->[0] vs $address\n";
+ return 0;
+ };
 # Is the path denied
 my $Pathmatches = 0;
@@ -3665,7 +3679,11 @@ sub check_ticket_validity # ($type, $ticketfile, $address, $path [, $unsigned])
 # Check signature if not told to use an unsigned ticket (dangerous)
 my $Signature = TicketSignature($ticket, $ticket->{'Salt'}->[0]);
- return 0 if (! $unsigned) && $Signature && $Signature ne $ticket->{'Signature'}->[0];
+ if((! $unsigned) && $Signature && $Signature ne $ticket->{'Signature'}->[0])
+ {
+ print STDERR "Invalid signature for $ticket->{'Type'}: $ticket->{'Username'}\n$ticketfile\n";
+ return 0;
+ };
 # Make login values available (will also protect against resetting by query)
 $ENV{"LOGINUSERNAME"} = lc($ticket->{'Username'}->[0]);
diff --git a/Private/.Passwords/testchallenge b/Private/.Passwords/testchallenge
index 148c02d..443c747 100644
--- a/Private/.Passwords/testchallenge
+++ b/Private/.Passwords/testchallenge
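Review bot: The second guard in the 3636 hunk re-tests `$ticket` even though the first guard has already returned for a false ticket, so `unless($ticket->{'Type'}->[0] eq $type)` is sufficient and reads as the single condition it is. The diagnostic on the next line interpolates `$ticket->{'Type'}->[0]`, which is undef for a ticket without a Type field and will only produce an uninitialized-value warning; a `// '(none)'` fallback would make the log entry self-explanatory. check_ticket_validity continues outside the hunk.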
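Review bot: The rewritten IP check in the 3655 hunk, `if($address && ! $IPmatches)`, silently changes what happens to a ticket with no IPaddress entries: the old `return 0 unless !$ticket->{"IPaddress"} || $IPmatches` let such a ticket pass, whereas now a non-empty `$address` with no patterns to match leaves `$IPmatches` at 0 and the ticket is rejected, while any caller passing an empty `$address` skips the binding regardless of what the ticket records. If the old allowance is still wanted the dropped term has to come back, `if($address && $ticket->{'IPaddress'} && ! $IPmatches)`; if the stricter fail-closed behaviour is intended, a comment stating that an address-bound check is now mandatory unless the caller opts out would stop the next reader from reverting it. The log line also prints only `$ticket->{'IPaddress'}->[0]`, the first of possibly several patterns, so `join(',', @{$ticket->{'IPaddress'}})` would show what was actually compared. The foreach that fills `$IPmatches` starts outside the hunk.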
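Review bot: The message in the 3679 hunk interpolates `$ticket->{'Type'}` and `$ticket->{'Username'}` without the `->[0]` that the other new diagnostics use, so the error log will contain `ARRAY(0x...)` instead of the type and user name; it should read `print STDERR "Invalid signature for $ticket->{'Type'}->[0]: $ticket->{'Username'}->[0]\n$ticketfile\n";`. The rewritten condition also keeps the `$Signature &&` term, so if TicketSignature returns an empty or false value the comparison is skipped and the ticket is accepted unsigned; if that is not intended, `if(! $unsigned && !($Signature && $Signature eq $ticket->{'Signature'}->[0]))` fails closed, and a comment should say which reading is meant. check_ticket_validity continues outside the hunk.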
@@ -5,8 +5,8 @@ IPaddress: 127.0.0.1
 AllowedPaths: ^/Private/index\.html$
 AllowedPaths: ^/Private/[^/]+\.html$
 AllowedPaths: ^/Private/?$
-Capabilities: VariableREMOTE_ADDRESS
+Capabilities: VariableREMOTE_ADDR
 Salt: e93cf858a1d5626bf095ea5c25df990dfa969ff5a5dc908b22c9a5229b525f65
 Session: CHALLENGE
-Signature: ca751911d3eab325431235b21a1f4cc65e4ad770ccf934f023aaf210cdde35e6
+Signature: eca5b95e3ff4a9628be4c6f1fca29ec2f5981cbbba0b29ce5b601055926a8720
 MaxLifetime: +45m
-- 
2.11.4.GIT