diff options
author | Jason A. Donenfeld | 2019-01-03 02:11:14 +0100 |
---|---|---|
committer | Jason A. Donenfeld | 2019-01-03 02:12:16 +0100 |
commit | 7d87cd3a215976a480b3c71b017a191597e5cb44 (patch) | |
tree | 70d600e62e9aaacc34993cc169a46f05cbe10f0e /filters | |
parent | e23f63461f17aeb770d47d9c3134414e549d1f0e (diff) | |
download | cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.bz2 cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip |
filters: migrate from luacrypto to luaossl
luaossl has no upstream anymore and doesn't support OpenSSL 1.1,
whereas luaossl is quite active.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters')
-rw-r--r-- | filters/email-gravatar.lua | 17 | ||||
-rw-r--r-- | filters/email-libravatar.lua | 17 | ||||
-rw-r--r-- | filters/file-authentication.lua | 31 | ||||
-rw-r--r-- | filters/gentoo-ldap-authentication.lua | 31 | ||||
-rw-r--r-- | filters/simple-authentication.lua | 31 |
5 files changed, 83 insertions, 44 deletions
diff --git a/filters/email-gravatar.lua b/filters/email-gravatar.lua index 52cf426..c39b490 100644 --- a/filters/email-gravatar.lua +++ b/filters/email-gravatar.lua | |||
@@ -3,15 +3,24 @@ | |||
3 | -- prefix in filters. It is much faster than the corresponding python script. | 3 | -- prefix in filters. It is much faster than the corresponding python script. |
4 | -- | 4 | -- |
5 | -- Requirements: | 5 | -- Requirements: |
6 | -- luacrypto >= 0.3 | 6 | -- luaossl |
7 | -- <http://mkottman.github.io/luacrypto/> | 7 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
8 | -- | 8 | -- |
9 | 9 | ||
10 | local crypto = require("crypto") | 10 | local digest = require("openssl.digest") |
11 | |||
12 | function md5_hex(input) | ||
13 | local b = digest.new("md5"):final(input) | ||
14 | local x = "" | ||
15 | for i = 1, #b do | ||
16 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
17 | end | ||
18 | return x | ||
19 | end | ||
11 | 20 | ||
12 | function filter_open(email, page) | 21 | function filter_open(email, page) |
13 | buffer = "" | 22 | buffer = "" |
14 | md5 = crypto.digest("md5", email:sub(2, -2):lower()) | 23 | md5 = md5_hex(email:sub(2, -2):lower()) |
15 | end | 24 | end |
16 | 25 | ||
17 | function filter_close() | 26 | function filter_close() |
diff --git a/filters/email-libravatar.lua b/filters/email-libravatar.lua index b0e2447..7336baf 100644 --- a/filters/email-libravatar.lua +++ b/filters/email-libravatar.lua | |||
@@ -3,15 +3,24 @@ | |||
3 | -- prefix in filters. | 3 | -- prefix in filters. |
4 | -- | 4 | -- |
5 | -- Requirements: | 5 | -- Requirements: |
6 | -- luacrypto >= 0.3 | 6 | -- luaossl |
7 | -- <http://mkottman.github.io/luacrypto/> | 7 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
8 | -- | 8 | -- |
9 | 9 | ||
10 | local crypto = require("crypto") | 10 | local digest = require("openssl.digest") |
11 | |||
12 | function md5_hex(input) | ||
13 | local b = digest.new("md5"):final(input) | ||
14 | local x = "" | ||
15 | for i = 1, #b do | ||
16 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
17 | end | ||
18 | return x | ||
19 | end | ||
11 | 20 | ||
12 | function filter_open(email, page) | 21 | function filter_open(email, page) |
13 | buffer = "" | 22 | buffer = "" |
14 | md5 = crypto.digest("md5", email:sub(2, -2):lower()) | 23 | md5 = md5_hex(email:sub(2, -2):lower()) |
15 | end | 24 | end |
16 | 25 | ||
17 | function filter_close() | 26 | function filter_close() |
diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua index 6ee1e19..0248804 100644 --- a/filters/file-authentication.lua +++ b/filters/file-authentication.lua | |||
@@ -1,15 +1,15 @@ | |||
1 | -- This script may be used with the auth-filter. | 1 | -- This script may be used with the auth-filter. |
2 | -- | 2 | -- |
3 | -- Requirements: | 3 | -- Requirements: |
4 | -- luacrypto >= 0.3 | 4 | -- luaossl |
5 | -- <http://mkottman.github.io/luacrypto/> | 5 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
6 | -- luaposix | 6 | -- luaposix |
7 | -- <https://github.com/luaposix/luaposix> | 7 | -- <https://github.com/luaposix/luaposix> |
8 | -- | 8 | -- |
9 | local sysstat = require("posix.sys.stat") | 9 | local sysstat = require("posix.sys.stat") |
10 | local unistd = require("posix.unistd") | 10 | local unistd = require("posix.unistd") |
11 | local crypto = require("crypto") | 11 | local rand = require("openssl.rand") |
12 | 12 | local hmac = require("openssl.hmac") | |
13 | 13 | ||
14 | -- This file should contain a series of lines in the form of: | 14 | -- This file should contain a series of lines in the form of: |
15 | -- username1:hash1 | 15 | -- username1:hash1 |
@@ -225,6 +225,13 @@ function get_cookie(cookies, name) | |||
225 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) | 225 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) |
226 | end | 226 | end |
227 | 227 | ||
228 | function tohex(b) | ||
229 | local x = "" | ||
230 | for i = 1, #b do | ||
231 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
232 | end | ||
233 | return x | ||
234 | end | ||
228 | 235 | ||
229 | -- | 236 | -- |
230 | -- | 237 | -- |
@@ -242,12 +249,12 @@ function get_secret() | |||
242 | local secret_file = io.open(secret_filename, "r") | 249 | local secret_file = io.open(secret_filename, "r") |
243 | if secret_file == nil then | 250 | if secret_file == nil then |
244 | local old_umask = sysstat.umask(63) | 251 | local old_umask = sysstat.umask(63) |
245 | local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) | 252 | local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) |
246 | local temporary_file = io.open(temporary_filename, "w") | 253 | local temporary_file = io.open(temporary_filename, "w") |
247 | if temporary_file == nil then | 254 | if temporary_file == nil then |
248 | os.exit(177) | 255 | os.exit(177) |
249 | end | 256 | end |
250 | temporary_file:write(crypto.hex(crypto.rand.bytes(32))) | 257 | temporary_file:write(tohex(rand.bytes(32))) |
251 | temporary_file:close() | 258 | temporary_file:close() |
252 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. | 259 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. |
253 | unistd.unlink(temporary_filename) | 260 | unistd.unlink(temporary_filename) |
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie) | |||
272 | local field = "" | 279 | local field = "" |
273 | local expiration = 0 | 280 | local expiration = 0 |
274 | local salt = "" | 281 | local salt = "" |
275 | local hmac = "" | 282 | local chmac = "" |
276 | 283 | ||
277 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then | 284 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then |
278 | return nil | 285 | return nil |
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie) | |||
291 | elseif i == 3 then | 298 | elseif i == 3 then |
292 | salt = component | 299 | salt = component |
293 | elseif i == 4 then | 300 | elseif i == 4 then |
294 | hmac = component | 301 | chmac = component |
295 | else | 302 | else |
296 | break | 303 | break |
297 | end | 304 | end |
298 | i = i + 1 | 305 | i = i + 1 |
299 | end | 306 | end |
300 | 307 | ||
301 | if hmac == nil or hmac:len() == 0 then | 308 | if chmac == nil or chmac:len() == 0 then |
302 | return nil | 309 | return nil |
303 | end | 310 | end |
304 | 311 | ||
305 | -- Lua hashes strings, so these comparisons are time invariant. | 312 | -- Lua hashes strings, so these comparisons are time invariant. |
306 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then | 313 | if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then |
307 | return nil | 314 | return nil |
308 | end | 315 | end |
309 | 316 | ||
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration) | |||
324 | end | 331 | end |
325 | 332 | ||
326 | local authstr = "" | 333 | local authstr = "" |
327 | local salt = crypto.hex(crypto.rand.bytes(16)) | 334 | local salt = tohex(rand.bytes(16)) |
328 | value = url_encode(value) | 335 | value = url_encode(value) |
329 | field = url_encode(field) | 336 | field = url_encode(field) |
330 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 337 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
331 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) | 338 | authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) |
332 | return authstr | 339 | return authstr |
333 | end | 340 | end |
334 | 341 | ||
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua index b4d98c2..673c88d 100644 --- a/filters/gentoo-ldap-authentication.lua +++ b/filters/gentoo-ldap-authentication.lua | |||
@@ -1,8 +1,8 @@ | |||
1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. | 1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. |
2 | -- | 2 | -- |
3 | -- Requirements: | 3 | -- Requirements: |
4 | -- luacrypto >= 0.3 | 4 | -- luaossl |
5 | -- <http://mkottman.github.io/luacrypto/> | 5 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
6 | -- lualdap >= 1.2 | 6 | -- lualdap >= 1.2 |
7 | -- <https://git.zx2c4.com/lualdap/about/> | 7 | -- <https://git.zx2c4.com/lualdap/about/> |
8 | -- luaposix | 8 | -- luaposix |
@@ -10,9 +10,9 @@ | |||
10 | -- | 10 | -- |
11 | local sysstat = require("posix.sys.stat") | 11 | local sysstat = require("posix.sys.stat") |
12 | local unistd = require("posix.unistd") | 12 | local unistd = require("posix.unistd") |
13 | local crypto = require("crypto") | ||
14 | local lualdap = require("lualdap") | 13 | local lualdap = require("lualdap") |
15 | 14 | local rand = require("openssl.rand") | |
15 | local hmac = require("openssl.hmac") | ||
16 | 16 | ||
17 | -- | 17 | -- |
18 | -- | 18 | -- |
@@ -226,6 +226,13 @@ function get_cookie(cookies, name) | |||
226 | return string.match(cookies, ";" .. name .. "=(.-);") | 226 | return string.match(cookies, ";" .. name .. "=(.-);") |
227 | end | 227 | end |
228 | 228 | ||
229 | function tohex(b) | ||
230 | local x = "" | ||
231 | for i = 1, #b do | ||
232 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
233 | end | ||
234 | return x | ||
235 | end | ||
229 | 236 | ||
230 | -- | 237 | -- |
231 | -- | 238 | -- |
@@ -243,12 +250,12 @@ function get_secret() | |||
243 | local secret_file = io.open(secret_filename, "r") | 250 | local secret_file = io.open(secret_filename, "r") |
244 | if secret_file == nil then | 251 | if secret_file == nil then |
245 | local old_umask = sysstat.umask(63) | 252 | local old_umask = sysstat.umask(63) |
246 | local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) | 253 | local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) |
247 | local temporary_file = io.open(temporary_filename, "w") | 254 | local temporary_file = io.open(temporary_filename, "w") |
248 | if temporary_file == nil then | 255 | if temporary_file == nil then |
249 | os.exit(177) | 256 | os.exit(177) |
250 | end | 257 | end |
251 | temporary_file:write(crypto.hex(crypto.rand.bytes(32))) | 258 | temporary_file:write(tohex(rand.bytes(32))) |
252 | temporary_file:close() | 259 | temporary_file:close() |
253 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. | 260 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. |
254 | unistd.unlink(temporary_filename) | 261 | unistd.unlink(temporary_filename) |
@@ -273,7 +280,7 @@ function validate_value(expected_field, cookie) | |||
273 | local field = "" | 280 | local field = "" |
274 | local expiration = 0 | 281 | local expiration = 0 |
275 | local salt = "" | 282 | local salt = "" |
276 | local hmac = "" | 283 | local chmac = "" |
277 | 284 | ||
278 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then | 285 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then |
279 | return nil | 286 | return nil |
@@ -292,19 +299,19 @@ function validate_value(expected_field, cookie) | |||
292 | elseif i == 3 then | 299 | elseif i == 3 then |
293 | salt = component | 300 | salt = component |
294 | elseif i == 4 then | 301 | elseif i == 4 then |
295 | hmac = component | 302 | chmac = component |
296 | else | 303 | else |
297 | break | 304 | break |
298 | end | 305 | end |
299 | i = i + 1 | 306 | i = i + 1 |
300 | end | 307 | end |
301 | 308 | ||
302 | if hmac == nil or hmac:len() == 0 then | 309 | if chmac == nil or chmac:len() == 0 then |
303 | return nil | 310 | return nil |
304 | end | 311 | end |
305 | 312 | ||
306 | -- Lua hashes strings, so these comparisons are time invariant. | 313 | -- Lua hashes strings, so these comparisons are time invariant. |
307 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then | 314 | if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then |
308 | return nil | 315 | return nil |
309 | end | 316 | end |
310 | 317 | ||
@@ -325,11 +332,11 @@ function secure_value(field, value, expiration) | |||
325 | end | 332 | end |
326 | 333 | ||
327 | local authstr = "" | 334 | local authstr = "" |
328 | local salt = crypto.hex(crypto.rand.bytes(16)) | 335 | local salt = tohex(rand.bytes(16)) |
329 | value = url_encode(value) | 336 | value = url_encode(value) |
330 | field = url_encode(field) | 337 | field = url_encode(field) |
331 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 338 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
332 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) | 339 | authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) |
333 | return authstr | 340 | return authstr |
334 | end | 341 | end |
335 | 342 | ||
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 77d1fd0..23d3457 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
@@ -1,15 +1,15 @@ | |||
1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. | 1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. |
2 | -- | 2 | -- |
3 | -- Requirements: | 3 | -- Requirements: |
4 | -- luacrypto >= 0.3 | 4 | -- luaossl |
5 | -- <http://mkottman.github.io/luacrypto/> | 5 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
6 | -- luaposix | 6 | -- luaposix |
7 | -- <https://github.com/luaposix/luaposix> | 7 | -- <https://github.com/luaposix/luaposix> |
8 | -- | 8 | -- |
9 | local sysstat = require("posix.sys.stat") | 9 | local sysstat = require("posix.sys.stat") |
10 | local unistd = require("posix.unistd") | 10 | local unistd = require("posix.unistd") |
11 | local crypto = require("crypto") | 11 | local rand = require("openssl.rand") |
12 | 12 | local hmac = require("openssl.hmac") | |
13 | 13 | ||
14 | -- | 14 | -- |
15 | -- | 15 | -- |
@@ -180,6 +180,13 @@ function get_cookie(cookies, name) | |||
180 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) | 180 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) |
181 | end | 181 | end |
182 | 182 | ||
183 | function tohex(b) | ||
184 | local x = "" | ||
185 | for i = 1, #b do | ||
186 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
187 | end | ||
188 | return x | ||
189 | end | ||
183 | 190 | ||
184 | -- | 191 | -- |
185 | -- | 192 | -- |
@@ -197,12 +204,12 @@ function get_secret() | |||
197 | local secret_file = io.open(secret_filename, "r") | 204 | local secret_file = io.open(secret_filename, "r") |
198 | if secret_file == nil then | 205 | if secret_file == nil then |
199 | local old_umask = sysstat.umask(63) | 206 | local old_umask = sysstat.umask(63) |
200 | local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) | 207 | local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) |
201 | local temporary_file = io.open(temporary_filename, "w") | 208 | local temporary_file = io.open(temporary_filename, "w") |
202 | if temporary_file == nil then | 209 | if temporary_file == nil then |
203 | os.exit(177) | 210 | os.exit(177) |
204 | end | 211 | end |
205 | temporary_file:write(crypto.hex(crypto.rand.bytes(32))) | 212 | temporary_file:write(tohex(rand.bytes(32))) |
206 | temporary_file:close() | 213 | temporary_file:close() |
207 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. | 214 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. |
208 | unistd.unlink(temporary_filename) | 215 | unistd.unlink(temporary_filename) |
@@ -227,7 +234,7 @@ function validate_value(expected_field, cookie) | |||
227 | local field = "" | 234 | local field = "" |
228 | local expiration = 0 | 235 | local expiration = 0 |
229 | local salt = "" | 236 | local salt = "" |
230 | local hmac = "" | 237 | local chmac = "" |
231 | 238 | ||
232 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then | 239 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then |
233 | return nil | 240 | return nil |
@@ -246,19 +253,19 @@ function validate_value(expected_field, cookie) | |||
246 | elseif i == 3 then | 253 | elseif i == 3 then |
247 | salt = component | 254 | salt = component |
248 | elseif i == 4 then | 255 | elseif i == 4 then |
249 | hmac = component | 256 | chmac = component |
250 | else | 257 | else |
251 | break | 258 | break |
252 | end | 259 | end |
253 | i = i + 1 | 260 | i = i + 1 |
254 | end | 261 | end |
255 | 262 | ||
256 | if hmac == nil or hmac:len() == 0 then | 263 | if chmac == nil or chmac:len() == 0 then |
257 | return nil | 264 | return nil |
258 | end | 265 | end |
259 | 266 | ||
260 | -- Lua hashes strings, so these comparisons are time invariant. | 267 | -- Lua hashes strings, so these comparisons are time invariant. |
261 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then | 268 | if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then |
262 | return nil | 269 | return nil |
263 | end | 270 | end |
264 | 271 | ||
@@ -279,11 +286,11 @@ function secure_value(field, value, expiration) | |||
279 | end | 286 | end |
280 | 287 | ||
281 | local authstr = "" | 288 | local authstr = "" |
282 | local salt = crypto.hex(crypto.rand.bytes(16)) | 289 | local salt = tohex(rand.bytes(16)) |
283 | value = url_encode(value) | 290 | value = url_encode(value) |
284 | field = url_encode(field) | 291 | field = url_encode(field) |
285 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 292 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
286 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) | 293 | authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) |
287 | return authstr | 294 | return authstr |
288 | end | 295 | end |
289 | 296 | ||