filters: migrate from luacrypto to luaossl

luaossl has no upstream anymore and doesn't support OpenSSL 1.1, whereas luaossl is quite active. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld 2019-01-03 02:11:14 +0100
committer: Jason A. Donenfeld 2019-01-03 02:12:16 +0100
commit: 7d87cd3a215976a480b3c71b017a191597e5cb44 (patch)
tree: 70d600e62e9aaacc34993cc169a46f05cbe10f0e
parent: e23f63461f17aeb770d47d9c3134414e549d1f0e (diff)
download: cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz
cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.bz2
cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip
5 files changed, 83 insertions, 44 deletions
diff --git a/filters/email-gravatar.lua b/filters/email-gravatar.lua
index 52cf426..c39b490 100644
--- a/filters/email-gravatar.lua
+++ b/filters/email-gravatar.lua
@@ -3,15 +3,24 @@
 -- prefix in filters. It is much faster than the corresponding python script.
 --
 -- Requirements:
--      luacrypto >= 0.3
+--      luaossl
--      <http://mkottman.github.io/luacrypto/>
+--      <http://25thandclement.com/~william/projects/luaossl.html>
 --
-local crypto = require("crypto")
+local digest = require("openssl.digest")
+function md5_hex(input)
+        local b = digest.new("md5"):final(input)
+        local x = ""
+        for i = 1, #b do
+                x = x .. string.format("%.2x", string.byte(b, i))
+        end
+        return x
+end
 function filter_open(email, page)
        buffer = ""
-        md5 = crypto.digest("md5", email:sub(2, -2):lower())
+        md5 = md5_hex(email:sub(2, -2):lower())
 end
 function filter_close()
diff --git a/filters/email-libravatar.lua b/filters/email-libravatar.lua
index b0e2447..7336baf 100644
--- a/filters/email-libravatar.lua
+++ b/filters/email-libravatar.lua
@@ -3,15 +3,24 @@
 -- prefix in filters.
 --
 -- Requirements:
--      luacrypto >= 0.3
+--      luaossl
--      <http://mkottman.github.io/luacrypto/>
+--      <http://25thandclement.com/~william/projects/luaossl.html>
 --
-local crypto = require("crypto")
+local digest = require("openssl.digest")
+function md5_hex(input)
+        local b = digest.new("md5"):final(input)
+        local x = ""
+        for i = 1, #b do
+                x = x .. string.format("%.2x", string.byte(b, i))
+        end
+        return x
+end
 function filter_open(email, page)
        buffer = ""
-        md5 = crypto.digest("md5", email:sub(2, -2):lower())
+        md5 = md5_hex(email:sub(2, -2):lower())
 end
 function filter_close()
diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua
index 6ee1e19..0248804 100644
--- a/filters/file-authentication.lua
+++ b/filters/file-authentication.lua
@@ -1,15 +1,15 @@
 -- This script may be used with the auth-filter.
 --
 -- Requirements:
--      luacrypto >= 0.3
+--      luaossl
--      <http://mkottman.github.io/luacrypto/>
+--      <http://25thandclement.com/~william/projects/luaossl.html>
 --      luaposix
 --      <https://github.com/luaposix/luaposix>
 --
 local sysstat = require("posix.sys.stat")
 local unistd = require("posix.unistd")
-local crypto = require("crypto")
+local rand = require("openssl.rand")
+local hmac = require("openssl.hmac")
 -- This file should contain a series of lines in the form of:
 --      username1:hash1
@@ -225,6 +225,13 @@ function get_cookie(cookies, name)
        return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
 end
+function tohex(b)
+        local x = ""
+        for i = 1, #b do
+                x = x .. string.format("%.2x", string.byte(b, i))
+        end
+        return x
+end
 --
 --
@@ -242,12 +249,12 @@ function get_secret()
        local secret_file = io.open(secret_filename, "r")
        if secret_file == nil then
                local old_umask = sysstat.umask(63)
-                local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))
+                local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
                local temporary_file = io.open(temporary_filename, "w")
                if temporary_file == nil then
                        os.exit(177)
                end
-                temporary_file:write(crypto.hex(crypto.rand.bytes(32)))
+                temporary_file:write(tohex(rand.bytes(32)))
                temporary_file:close()
                unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
                unistd.unlink(temporary_filename)
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie)
        local field = ""
        local expiration = 0
        local salt = ""
-        local hmac = ""
+        local chmac = ""
        if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
                return nil
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie)
                elseif i == 3 then
                        salt = component
                elseif i == 4 then
-                        hmac = component
+                        chmac = component
                else
                        break
                end
                i = i + 1
        end
-        if hmac == nil or hmac:len() == 0 then
+        if chmac == nil or chmac:len() == 0 then
                return nil
        end
        -- Lua hashes strings, so these comparisons are time invariant.
-        if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then
+        if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
                return nil
        end
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration)
        end
        local authstr = ""
-        local salt = crypto.hex(crypto.rand.bytes(16))
+        local salt = tohex(rand.bytes(16))
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-        authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret())
+        authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
        return authstr
 end
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index b4d98c2..673c88d 100644
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -1,8 +1,8 @@
 -- This script may be used with the auth-filter. Be sure to configure it as you wish.
 --
 -- Requirements:
--      luacrypto >= 0.3
+--      luaossl
--      <http://mkottman.github.io/luacrypto/>
+--      <http://25thandclement.com/~william/projects/luaossl.html>
 --      lualdap >= 1.2
 --      <https://git.zx2c4.com/lualdap/about/>
 --      luaposix
@@ -10,9 +10,9 @@
 --
 local sysstat = require("posix.sys.stat")
 local unistd = require("posix.unistd")
-local crypto = require("crypto")
 local lualdap = require("lualdap")
+local rand = require("openssl.rand")
+local hmac = require("openssl.hmac")
 --
 --
@@ -226,6 +226,13 @@ function get_cookie(cookies, name)
        return string.match(cookies, ";" .. name .. "=(.-);")
 end
+function tohex(b)
+        local x = ""
+        for i = 1, #b do
+                x = x .. string.format("%.2x", string.byte(b, i))
+        end
+        return x
+end
 --
 --
@@ -243,12 +250,12 @@ function get_secret()
        local secret_file = io.open(secret_filename, "r")
        if secret_file == nil then
                local old_umask = sysstat.umask(63)
-                local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))
+                local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
                local temporary_file = io.open(temporary_filename, "w")
                if temporary_file == nil then
                        os.exit(177)
                end
-                temporary_file:write(crypto.hex(crypto.rand.bytes(32)))
+                temporary_file:write(tohex(rand.bytes(32)))
                temporary_file:close()
                unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
                unistd.unlink(temporary_filename)
@@ -273,7 +280,7 @@ function validate_value(expected_field, cookie)
        local field = ""
        local expiration = 0
        local salt = ""
-        local hmac = ""
+        local chmac = ""
        if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
                return nil
@@ -292,19 +299,19 @@ function validate_value(expected_field, cookie)
                elseif i == 3 then
                        salt = component
                elseif i == 4 then
-                        hmac = component
+                        chmac = component
                else
                        break
                end
                i = i + 1
        end
-        if hmac == nil or hmac:len() == 0 then
+        if chmac == nil or chmac:len() == 0 then
                return nil
        end
        -- Lua hashes strings, so these comparisons are time invariant.
-        if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then
+        if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
                return nil
        end
@@ -325,11 +332,11 @@ function secure_value(field, value, expiration)
        end
        local authstr = ""
-        local salt = crypto.hex(crypto.rand.bytes(16))
+        local salt = tohex(rand.bytes(16))
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-        authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret())
+        authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
        return authstr
 end
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 77d1fd0..23d3457 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -1,15 +1,15 @@
 -- This script may be used with the auth-filter. Be sure to configure it as you wish.
 --
 -- Requirements:
--      luacrypto >= 0.3
+--      luaossl
--      <http://mkottman.github.io/luacrypto/>
+--      <http://25thandclement.com/~william/projects/luaossl.html>
 --      luaposix
 --      <https://github.com/luaposix/luaposix>
 --
 local sysstat = require("posix.sys.stat")
 local unistd = require("posix.unistd")
-local crypto = require("crypto")
+local rand = require("openssl.rand")
+local hmac = require("openssl.hmac")
 --
 --
@@ -180,6 +180,13 @@ function get_cookie(cookies, name)
        return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
 end
+function tohex(b)
+        local x = ""
+        for i = 1, #b do
+                x = x .. string.format("%.2x", string.byte(b, i))
+        end
+        return x
+end
 --
 --
@@ -197,12 +204,12 @@ function get_secret()
        local secret_file = io.open(secret_filename, "r")
        if secret_file == nil then
                local old_umask = sysstat.umask(63)
-                local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))
+                local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
                local temporary_file = io.open(temporary_filename, "w")
                if temporary_file == nil then
                        os.exit(177)
                end
-                temporary_file:write(crypto.hex(crypto.rand.bytes(32)))
+                temporary_file:write(tohex(rand.bytes(32)))
                temporary_file:close()
                unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
                unistd.unlink(temporary_filename)
@@ -227,7 +234,7 @@ function validate_value(expected_field, cookie)
        local field = ""
        local expiration = 0
        local salt = ""
-        local hmac = ""
+        local chmac = ""
        if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
                return nil
@@ -246,19 +253,19 @@ function validate_value(expected_field, cookie)
                elseif i == 3 then
                        salt = component
                elseif i == 4 then
-                        hmac = component
+                        chmac = component
                else
                        break
                end
                i = i + 1
        end
-        if hmac == nil or hmac:len() == 0 then
+        if chmac == nil or chmac:len() == 0 then
                return nil
        end
        -- Lua hashes strings, so these comparisons are time invariant.
-        if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then
+        if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
                return nil
        end
@@ -279,11 +286,11 @@ function secure_value(field, value, expiration)
        end
        local authstr = ""
-        local salt = crypto.hex(crypto.rand.bytes(16))
+        local salt = tohex(rand.bytes(16))
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-        authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret())
+        authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
        return authstr
 end
author	Jason A. Donenfeld	2019-01-03 02:11:14 +0100
committer	Jason A. Donenfeld	2019-01-03 02:12:16 +0100
commit	7d87cd3a215976a480b3c71b017a191597e5cb44 (patch)
tree	70d600e62e9aaacc34993cc169a46f05cbe10f0e
parent	e23f63461f17aeb770d47d9c3134414e549d1f0e (diff)
download	cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.bz2 cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip

diff --git a/filters/email-gravatar.lua b/filters/email-gravatar.lua index 52cf426..c39b490 100644 --- a/filters/email-gravatar.lua +++ b/filters/email-gravatar.lua
@@ -3,15 +3,24 @@
3	-- prefix in filters. It is much faster than the corresponding python script.	3	-- prefix in filters. It is much faster than the corresponding python script.
4	--	4	--
5	-- Requirements:	5	-- Requirements:
6	-- luacrypto >= 0.3	6	-- luaossl
7	-- <http://mkottman.github.io/luacrypto/>	7	-- <http://25thandclement.com/~william/projects/luaossl.html>
8	--	8	--
9		9
10	local crypto = require("crypto")	10	local digest = require("openssl.digest")
		11
		12	function md5_hex(input)
		13	local b = digest.new("md5"):final(input)
		14	local x = ""
		15	for i = 1, #b do
		16	x = x .. string.format("%.2x", string.byte(b, i))
		17	end
		18	return x
		19	end
11		20
12	function filter_open(email, page)	21	function filter_open(email, page)
13	buffer = ""	22	buffer = ""
14	md5 = crypto.digest("md5", email:sub(2, -2):lower())	23	md5 = md5_hex(email:sub(2, -2):lower())
15	end	24	end
16		25
17	function filter_close()	26	function filter_close()


diff --git a/filters/email-libravatar.lua b/filters/email-libravatar.lua index b0e2447..7336baf 100644 --- a/filters/email-libravatar.lua +++ b/filters/email-libravatar.lua
@@ -3,15 +3,24 @@
3	-- prefix in filters.	3	-- prefix in filters.
4	--	4	--
5	-- Requirements:	5	-- Requirements:
6	-- luacrypto >= 0.3	6	-- luaossl
7	-- <http://mkottman.github.io/luacrypto/>	7	-- <http://25thandclement.com/~william/projects/luaossl.html>
8	--	8	--
9		9
10	local crypto = require("crypto")	10	local digest = require("openssl.digest")
		11
		12	function md5_hex(input)
		13	local b = digest.new("md5"):final(input)
		14	local x = ""
		15	for i = 1, #b do
		16	x = x .. string.format("%.2x", string.byte(b, i))
		17	end
		18	return x
		19	end
11		20
12	function filter_open(email, page)	21	function filter_open(email, page)
13	buffer = ""	22	buffer = ""
14	md5 = crypto.digest("md5", email:sub(2, -2):lower())	23	md5 = md5_hex(email:sub(2, -2):lower())
15	end	24	end
16		25
17	function filter_close()	26	function filter_close()


diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua index 6ee1e19..0248804 100644 --- a/filters/file-authentication.lua +++ b/filters/file-authentication.lua
@@ -1,15 +1,15 @@
1	-- This script may be used with the auth-filter.	1	-- This script may be used with the auth-filter.
2	--	2	--
3	-- Requirements:	3	-- Requirements:
4	-- luacrypto >= 0.3	4	-- luaossl
5	-- <http://mkottman.github.io/luacrypto/>	5	-- <http://25thandclement.com/~william/projects/luaossl.html>
6	-- luaposix	6	-- luaposix
7	-- <https://github.com/luaposix/luaposix>	7	-- <https://github.com/luaposix/luaposix>
8	--	8	--
9	local sysstat = require("posix.sys.stat")	9	local sysstat = require("posix.sys.stat")
10	local unistd = require("posix.unistd")	10	local unistd = require("posix.unistd")
11	local crypto = require("crypto")	11	local rand = require("openssl.rand")
12		12	local hmac = require("openssl.hmac")
13		13
14	-- This file should contain a series of lines in the form of:	14	-- This file should contain a series of lines in the form of:
15	-- username1:hash1	15	-- username1:hash1
@@ -225,6 +225,13 @@ function get_cookie(cookies, name)
225	return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))	225	return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
226	end	226	end
227		227
		228	function tohex(b)
		229	local x = ""
		230	for i = 1, #b do
		231	x = x .. string.format("%.2x", string.byte(b, i))
		232	end
		233	return x
		234	end
228		235
229	--	236	--
230	--	237	--
@@ -242,12 +249,12 @@ function get_secret()
242	local secret_file = io.open(secret_filename, "r")	249	local secret_file = io.open(secret_filename, "r")
243	if secret_file == nil then	250	if secret_file == nil then
244	local old_umask = sysstat.umask(63)	251	local old_umask = sysstat.umask(63)
245	local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))	252	local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
246	local temporary_file = io.open(temporary_filename, "w")	253	local temporary_file = io.open(temporary_filename, "w")
247	if temporary_file == nil then	254	if temporary_file == nil then
248	os.exit(177)	255	os.exit(177)
249	end	256	end
250	temporary_file:write(crypto.hex(crypto.rand.bytes(32)))	257	temporary_file:write(tohex(rand.bytes(32)))
251	temporary_file:close()	258	temporary_file:close()
252	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.	259	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
253	unistd.unlink(temporary_filename)	260	unistd.unlink(temporary_filename)
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie)
272	local field = ""	279	local field = ""
273	local expiration = 0	280	local expiration = 0
274	local salt = ""	281	local salt = ""
275	local hmac = ""	282	local chmac = ""
276		283
277	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then	284	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then
278	return nil	285	return nil
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie)
291	elseif i == 3 then	298	elseif i == 3 then
292	salt = component	299	salt = component
293	elseif i == 4 then	300	elseif i == 4 then
294	hmac = component	301	chmac = component
295	else	302	else
296	break	303	break
297	end	304	end
298	i = i + 1	305	i = i + 1
299	end	306	end
300		307
301	if hmac == nil or hmac:len() == 0 then	308	if chmac == nil or chmac:len() == 0 then
302	return nil	309	return nil
303	end	310	end
304		311
305	-- Lua hashes strings, so these comparisons are time invariant.	312	-- Lua hashes strings, so these comparisons are time invariant.
306	if hmac ~= crypto.hmac.digest("sha256", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, get_secret()) then	313	if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt)) then
307	return nil	314	return nil
308	end	315	end
309		316
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration)
324	end	331	end
325		332
326	local authstr = ""	333	local authstr = ""
327	local salt = crypto.hex(crypto.rand.bytes(16))	334	local salt = tohex(rand.bytes(16))
328	value = url_encode(value)	335	value = url_encode(value)
329	field = url_encode(field)	336	field = url_encode(field)
330	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt	337	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt
331	authstr = authstr .. "\|" .. crypto.hmac.digest("sha256", authstr, get_secret())	338	authstr = authstr .. "\|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
332	return authstr	339	return authstr
333	end	340	end
334		341


diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua index b4d98c2..673c88d 100644 --- a/filters/gentoo-ldap-authentication.lua +++ b/filters/gentoo-ldap-authentication.lua
@@ -1,8 +1,8 @@
1	-- This script may be used with the auth-filter. Be sure to configure it as you wish.	1	-- This script may be used with the auth-filter. Be sure to configure it as you wish.
2	--	2	--
3	-- Requirements:	3	-- Requirements:
4	-- luacrypto >= 0.3	4	-- luaossl
5	-- <http://mkottman.github.io/luacrypto/>	5	-- <http://25thandclement.com/~william/projects/luaossl.html>
6	-- lualdap >= 1.2	6	-- lualdap >= 1.2
7	-- <https://git.zx2c4.com/lualdap/about/>	7	-- <https://git.zx2c4.com/lualdap/about/>
8	-- luaposix	8	-- luaposix
@@ -10,9 +10,9 @@
10	--	10	--
11	local sysstat = require("posix.sys.stat")	11	local sysstat = require("posix.sys.stat")
12	local unistd = require("posix.unistd")	12	local unistd = require("posix.unistd")
13	local crypto = require("crypto")
14	local lualdap = require("lualdap")	13	local lualdap = require("lualdap")
15		14	local rand = require("openssl.rand")
		15	local hmac = require("openssl.hmac")
16		16
17	--	17	--
18	--	18	--
@@ -226,6 +226,13 @@ function get_cookie(cookies, name)
226	return string.match(cookies, ";" .. name .. "=(.-);")	226	return string.match(cookies, ";" .. name .. "=(.-);")
227	end	227	end
228		228
		229	function tohex(b)
		230	local x = ""
		231	for i = 1, #b do
		232	x = x .. string.format("%.2x", string.byte(b, i))
		233	end
		234	return x
		235	end
229		236
230	--	237	--
231	--	238	--
@@ -243,12 +250,12 @@ function get_secret()
243	local secret_file = io.open(secret_filename, "r")	250	local secret_file = io.open(secret_filename, "r")
244	if secret_file == nil then	251	if secret_file == nil then
245	local old_umask = sysstat.umask(63)	252	local old_umask = sysstat.umask(63)
246	local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))	253	local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
247	local temporary_file = io.open(temporary_filename, "w")	254	local temporary_file = io.open(temporary_filename, "w")
248	if temporary_file == nil then	255	if temporary_file == nil then
249	os.exit(177)	256	os.exit(177)
250	end	257	end
251	temporary_file:write(crypto.hex(crypto.rand.bytes(32)))	258	temporary_file:write(tohex(rand.bytes(32)))
252	temporary_file:close()	259	temporary_file:close()
253	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.	260	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
254	unistd.unlink(temporary_filename)	261	unistd.unlink(temporary_filename)
@@ -273,7 +280,7 @@ function validate_value(expected_field, cookie)
273	local field = ""	280	local field = ""
274	local expiration = 0	281	local expiration = 0
275	local salt = ""	282	local salt = ""
276	local hmac = ""	283	local chmac = ""
277		284
278	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then	285	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then
279	return nil	286	return nil
@@ -292,19 +299,19 @@ function validate_value(expected_field, cookie)
292	elseif i == 3 then	299	elseif i == 3 then
293	salt = component	300	salt = component
294	elseif i == 4 then	301	elseif i == 4 then
295	hmac = component	302	chmac = component
296	else	303	else
297	break	304	break
298	end	305	end
299	i = i + 1	306	i = i + 1
300	end	307	end
301		308
302	if hmac == nil or hmac:len() == 0 then	309	if chmac == nil or chmac:len() == 0 then
303	return nil	310	return nil
304	end	311	end
305		312
306	-- Lua hashes strings, so these comparisons are time invariant.	313	-- Lua hashes strings, so these comparisons are time invariant.
307	if hmac ~= crypto.hmac.digest("sha256", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, get_secret()) then	314	if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt)) then
308	return nil	315	return nil
309	end	316	end
310		317
@@ -325,11 +332,11 @@ function secure_value(field, value, expiration)
325	end	332	end
326		333
327	local authstr = ""	334	local authstr = ""
328	local salt = crypto.hex(crypto.rand.bytes(16))	335	local salt = tohex(rand.bytes(16))
329	value = url_encode(value)	336	value = url_encode(value)
330	field = url_encode(field)	337	field = url_encode(field)
331	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt	338	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt
332	authstr = authstr .. "\|" .. crypto.hmac.digest("sha256", authstr, get_secret())	339	authstr = authstr .. "\|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
333	return authstr	340	return authstr
334	end	341	end
335		342


diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 77d1fd0..23d3457 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua
@@ -1,15 +1,15 @@
1	-- This script may be used with the auth-filter. Be sure to configure it as you wish.	1	-- This script may be used with the auth-filter. Be sure to configure it as you wish.
2	--	2	--
3	-- Requirements:	3	-- Requirements:
4	-- luacrypto >= 0.3	4	-- luaossl
5	-- <http://mkottman.github.io/luacrypto/>	5	-- <http://25thandclement.com/~william/projects/luaossl.html>
6	-- luaposix	6	-- luaposix
7	-- <https://github.com/luaposix/luaposix>	7	-- <https://github.com/luaposix/luaposix>
8	--	8	--
9	local sysstat = require("posix.sys.stat")	9	local sysstat = require("posix.sys.stat")
10	local unistd = require("posix.unistd")	10	local unistd = require("posix.unistd")
11	local crypto = require("crypto")	11	local rand = require("openssl.rand")
12		12	local hmac = require("openssl.hmac")
13		13
14	--	14	--
15	--	15	--
@@ -180,6 +180,13 @@ function get_cookie(cookies, name)
180	return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))	180	return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
181	end	181	end
182		182
		183	function tohex(b)
		184	local x = ""
		185	for i = 1, #b do
		186	x = x .. string.format("%.2x", string.byte(b, i))
		187	end
		188	return x
		189	end
183		190
184	--	191	--
185	--	192	--
@@ -197,12 +204,12 @@ function get_secret()
197	local secret_file = io.open(secret_filename, "r")	204	local secret_file = io.open(secret_filename, "r")
198	if secret_file == nil then	205	if secret_file == nil then
199	local old_umask = sysstat.umask(63)	206	local old_umask = sysstat.umask(63)
200	local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))	207	local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
201	local temporary_file = io.open(temporary_filename, "w")	208	local temporary_file = io.open(temporary_filename, "w")
202	if temporary_file == nil then	209	if temporary_file == nil then
203	os.exit(177)	210	os.exit(177)
204	end	211	end
205	temporary_file:write(crypto.hex(crypto.rand.bytes(32)))	212	temporary_file:write(tohex(rand.bytes(32)))
206	temporary_file:close()	213	temporary_file:close()
207	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.	214	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
208	unistd.unlink(temporary_filename)	215	unistd.unlink(temporary_filename)
@@ -227,7 +234,7 @@ function validate_value(expected_field, cookie)
227	local field = ""	234	local field = ""
228	local expiration = 0	235	local expiration = 0
229	local salt = ""	236	local salt = ""
230	local hmac = ""	237	local chmac = ""
231		238
232	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then	239	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then
233	return nil	240	return nil
@@ -246,19 +253,19 @@ function validate_value(expected_field, cookie)
246	elseif i == 3 then	253	elseif i == 3 then
247	salt = component	254	salt = component
248	elseif i == 4 then	255	elseif i == 4 then
249	hmac = component	256	chmac = component
250	else	257	else
251	break	258	break
252	end	259	end
253	i = i + 1	260	i = i + 1
254	end	261	end
255		262
256	if hmac == nil or hmac:len() == 0 then	263	if chmac == nil or chmac:len() == 0 then
257	return nil	264	return nil
258	end	265	end
259		266
260	-- Lua hashes strings, so these comparisons are time invariant.	267	-- Lua hashes strings, so these comparisons are time invariant.
261	if hmac ~= crypto.hmac.digest("sha256", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, get_secret()) then	268	if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt)) then
262	return nil	269	return nil
263	end	270	end
264		271
@@ -279,11 +286,11 @@ function secure_value(field, value, expiration)
279	end	286	end
280		287
281	local authstr = ""	288	local authstr = ""
282	local salt = crypto.hex(crypto.rand.bytes(16))	289	local salt = tohex(rand.bytes(16))
283	value = url_encode(value)	290	value = url_encode(value)
284	field = url_encode(field)	291	field = url_encode(field)
285	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt	292	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt
286	authstr = authstr .. "\|" .. crypto.hmac.digest("sha256", authstr, get_secret())	293	authstr = authstr .. "\|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
287	return authstr	294	return authstr
288	end	295	end
289		296