aboutsummaryrefslogtreecommitdiffstats
path: root/filters
diff options
context:
space:
mode:
authorJason A. Donenfeld2019-01-03 02:11:14 +0100
committerJason A. Donenfeld2019-01-03 02:12:16 +0100
commit7d87cd3a215976a480b3c71b017a191597e5cb44 (patch)
tree70d600e62e9aaacc34993cc169a46f05cbe10f0e /filters
parente23f63461f17aeb770d47d9c3134414e549d1f0e (diff)
downloadcgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz
cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.bz2
cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip
filters: migrate from luacrypto to luaossl
luaossl has no upstream anymore and doesn't support OpenSSL 1.1, whereas luaossl is quite active. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters')
-rw-r--r--filters/email-gravatar.lua17
-rw-r--r--filters/email-libravatar.lua17
-rw-r--r--filters/file-authentication.lua31
-rw-r--r--filters/gentoo-ldap-authentication.lua31
-rw-r--r--filters/simple-authentication.lua31
5 files changed, 83 insertions, 44 deletions
diff --git a/filters/email-gravatar.lua b/filters/email-gravatar.lua
index 52cf426..c39b490 100644
--- a/filters/email-gravatar.lua
+++ b/filters/email-gravatar.lua
@@ -3,15 +3,24 @@
3-- prefix in filters. It is much faster than the corresponding python script. 3-- prefix in filters. It is much faster than the corresponding python script.
4-- 4--
5-- Requirements: 5-- Requirements:
6-- luacrypto >= 0.3 6-- luaossl
7-- <http://mkottman.github.io/luacrypto/> 7-- <http://25thandclement.com/~william/projects/luaossl.html>
8-- 8--
9 9
10local crypto = require("crypto") 10local digest = require("openssl.digest")
11
12function md5_hex(input)
13 local b = digest.new("md5"):final(input)
14 local x = ""
15 for i = 1, #b do
16 x = x .. string.format("%.2x", string.byte(b, i))
17 end
18 return x
19end
11 20
12function filter_open(email, page) 21function filter_open(email, page)
13 buffer = "" 22 buffer = ""
14 md5 = crypto.digest("md5", email:sub(2, -2):lower()) 23 md5 = md5_hex(email:sub(2, -2):lower())
15end 24end
16 25
17function filter_close() 26function filter_close()
diff --git a/filters/email-libravatar.lua b/filters/email-libravatar.lua
index b0e2447..7336baf 100644
--- a/filters/email-libravatar.lua
+++ b/filters/email-libravatar.lua
@@ -3,15 +3,24 @@
3-- prefix in filters. 3-- prefix in filters.
4-- 4--
5-- Requirements: 5-- Requirements:
6-- luacrypto >= 0.3 6-- luaossl
7-- <http://mkottman.github.io/luacrypto/> 7-- <http://25thandclement.com/~william/projects/luaossl.html>
8-- 8--
9 9
10local crypto = require("crypto") 10local digest = require("openssl.digest")
11
12function md5_hex(input)
13 local b = digest.new("md5"):final(input)
14 local x = ""
15 for i = 1, #b do
16 x = x .. string.format("%.2x", string.byte(b, i))
17 end
18 return x
19end
11 20
12function filter_open(email, page) 21function filter_open(email, page)
13 buffer = "" 22 buffer = ""
14 md5 = crypto.digest("md5", email:sub(2, -2):lower()) 23 md5 = md5_hex(email:sub(2, -2):lower())
15end 24end
16 25
17function filter_close() 26function filter_close()
diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua
index 6ee1e19..0248804 100644
--- a/filters/file-authentication.lua
+++ b/filters/file-authentication.lua
@@ -1,15 +1,15 @@
1-- This script may be used with the auth-filter. 1-- This script may be used with the auth-filter.
2-- 2--
3-- Requirements: 3-- Requirements:
4-- luacrypto >= 0.3 4-- luaossl
5-- <http://mkottman.github.io/luacrypto/> 5-- <http://25thandclement.com/~william/projects/luaossl.html>
6-- luaposix 6-- luaposix
7-- <https://github.com/luaposix/luaposix> 7-- <https://github.com/luaposix/luaposix>
8-- 8--
9local sysstat = require("posix.sys.stat") 9local sysstat = require("posix.sys.stat")
10local unistd = require("posix.unistd") 10local unistd = require("posix.unistd")
11local crypto = require("crypto") 11local rand = require("openssl.rand")
12 12local hmac = require("openssl.hmac")
13 13
14-- This file should contain a series of lines in the form of: 14-- This file should contain a series of lines in the form of:
15-- username1:hash1 15-- username1:hash1
@@ -225,6 +225,13 @@ function get_cookie(cookies, name)
225 return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) 225 return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
226end 226end
227 227
228function tohex(b)
229 local x = ""
230 for i = 1, #b do
231 x = x .. string.format("%.2x", string.byte(b, i))
232 end
233 return x
234end
228 235
229-- 236--
230-- 237--
@@ -242,12 +249,12 @@ function get_secret()
242 local secret_file = io.open(secret_filename, "r") 249 local secret_file = io.open(secret_filename, "r")
243 if secret_file == nil then 250 if secret_file == nil then
244 local old_umask = sysstat.umask(63) 251 local old_umask = sysstat.umask(63)
245 local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) 252 local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
246 local temporary_file = io.open(temporary_filename, "w") 253 local temporary_file = io.open(temporary_filename, "w")
247 if temporary_file == nil then 254 if temporary_file == nil then
248 os.exit(177) 255 os.exit(177)
249 end 256 end
250 temporary_file:write(crypto.hex(crypto.rand.bytes(32))) 257 temporary_file:write(tohex(rand.bytes(32)))
251 temporary_file:close() 258 temporary_file:close()
252 unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. 259 unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
253 unistd.unlink(temporary_filename) 260 unistd.unlink(temporary_filename)
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie)
272 local field = "" 279 local field = ""
273 local expiration = 0 280 local expiration = 0
274 local salt = "" 281 local salt = ""
275 local hmac = "" 282 local chmac = ""
276 283
277 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then 284 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
278 return nil 285 return nil
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie)
291 elseif i == 3 then 298 elseif i == 3 then
292 salt = component 299 salt = component
293 elseif i == 4 then 300 elseif i == 4 then
294 hmac = component 301 chmac = component
295 else 302 else
296 break 303 break
297 end 304 end
298 i = i + 1 305 i = i + 1
299 end 306 end
300 307
301 if hmac == nil or hmac:len() == 0 then 308 if chmac == nil or chmac:len() == 0 then
302 return nil 309 return nil
303 end 310 end
304 311
305 -- Lua hashes strings, so these comparisons are time invariant. 312 -- Lua hashes strings, so these comparisons are time invariant.
306 if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then 313 if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
307 return nil 314 return nil
308 end 315 end
309 316
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration)
324 end 331 end
325 332
326 local authstr = "" 333 local authstr = ""
327 local salt = crypto.hex(crypto.rand.bytes(16)) 334 local salt = tohex(rand.bytes(16))
328 value = url_encode(value) 335 value = url_encode(value)
329 field = url_encode(field) 336 field = url_encode(field)
330 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt 337 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
331 authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) 338 authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
332 return authstr 339 return authstr
333end 340end
334 341
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index b4d98c2..673c88d 100644
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -1,8 +1,8 @@
1-- This script may be used with the auth-filter. Be sure to configure it as you wish. 1-- This script may be used with the auth-filter. Be sure to configure it as you wish.
2-- 2--
3-- Requirements: 3-- Requirements:
4-- luacrypto >= 0.3 4-- luaossl
5-- <http://mkottman.github.io/luacrypto/> 5-- <http://25thandclement.com/~william/projects/luaossl.html>
6-- lualdap >= 1.2 6-- lualdap >= 1.2
7-- <https://git.zx2c4.com/lualdap/about/> 7-- <https://git.zx2c4.com/lualdap/about/>
8-- luaposix 8-- luaposix
@@ -10,9 +10,9 @@
10-- 10--
11local sysstat = require("posix.sys.stat") 11local sysstat = require("posix.sys.stat")
12local unistd = require("posix.unistd") 12local unistd = require("posix.unistd")
13local crypto = require("crypto")
14local lualdap = require("lualdap") 13local lualdap = require("lualdap")
15 14local rand = require("openssl.rand")
15local hmac = require("openssl.hmac")
16 16
17-- 17--
18-- 18--
@@ -226,6 +226,13 @@ function get_cookie(cookies, name)
226 return string.match(cookies, ";" .. name .. "=(.-);") 226 return string.match(cookies, ";" .. name .. "=(.-);")
227end 227end
228 228
229function tohex(b)
230 local x = ""
231 for i = 1, #b do
232 x = x .. string.format("%.2x", string.byte(b, i))
233 end
234 return x
235end
229 236
230-- 237--
231-- 238--
@@ -243,12 +250,12 @@ function get_secret()
243 local secret_file = io.open(secret_filename, "r") 250 local secret_file = io.open(secret_filename, "r")
244 if secret_file == nil then 251 if secret_file == nil then
245 local old_umask = sysstat.umask(63) 252 local old_umask = sysstat.umask(63)
246 local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) 253 local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
247 local temporary_file = io.open(temporary_filename, "w") 254 local temporary_file = io.open(temporary_filename, "w")
248 if temporary_file == nil then 255 if temporary_file == nil then
249 os.exit(177) 256 os.exit(177)
250 end 257 end
251 temporary_file:write(crypto.hex(crypto.rand.bytes(32))) 258 temporary_file:write(tohex(rand.bytes(32)))
252 temporary_file:close() 259 temporary_file:close()
253 unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. 260 unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
254 unistd.unlink(temporary_filename) 261 unistd.unlink(temporary_filename)
@@ -273,7 +280,7 @@ function validate_value(expected_field, cookie)
273 local field = "" 280 local field = ""
274 local expiration = 0 281 local expiration = 0
275 local salt = "" 282 local salt = ""
276 local hmac = "" 283 local chmac = ""
277 284
278 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then 285 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
279 return nil 286 return nil
@@ -292,19 +299,19 @@ function validate_value(expected_field, cookie)
292 elseif i == 3 then 299 elseif i == 3 then
293 salt = component 300 salt = component
294 elseif i == 4 then 301 elseif i == 4 then
295 hmac = component 302 chmac = component
296 else 303 else
297 break 304 break
298 end 305 end
299 i = i + 1 306 i = i + 1
300 end 307 end
301 308
302 if hmac == nil or hmac:len() == 0 then 309 if chmac == nil or chmac:len() == 0 then
303 return nil 310 return nil
304 end 311 end
305 312
306 -- Lua hashes strings, so these comparisons are time invariant. 313 -- Lua hashes strings, so these comparisons are time invariant.
307 if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then 314 if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
308 return nil 315 return nil
309 end 316 end
310 317
@@ -325,11 +332,11 @@ function secure_value(field, value, expiration)
325 end 332 end
326 333
327 local authstr = "" 334 local authstr = ""
328 local salt = crypto.hex(crypto.rand.bytes(16)) 335 local salt = tohex(rand.bytes(16))
329 value = url_encode(value) 336 value = url_encode(value)
330 field = url_encode(field) 337 field = url_encode(field)
331 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt 338 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
332 authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) 339 authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
333 return authstr 340 return authstr
334end 341end
335 342
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 77d1fd0..23d3457 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -1,15 +1,15 @@
1-- This script may be used with the auth-filter. Be sure to configure it as you wish. 1-- This script may be used with the auth-filter. Be sure to configure it as you wish.
2-- 2--
3-- Requirements: 3-- Requirements:
4-- luacrypto >= 0.3 4-- luaossl
5-- <http://mkottman.github.io/luacrypto/> 5-- <http://25thandclement.com/~william/projects/luaossl.html>
6-- luaposix 6-- luaposix
7-- <https://github.com/luaposix/luaposix> 7-- <https://github.com/luaposix/luaposix>
8-- 8--
9local sysstat = require("posix.sys.stat") 9local sysstat = require("posix.sys.stat")
10local unistd = require("posix.unistd") 10local unistd = require("posix.unistd")
11local crypto = require("crypto") 11local rand = require("openssl.rand")
12 12local hmac = require("openssl.hmac")
13 13
14-- 14--
15-- 15--
@@ -180,6 +180,13 @@ function get_cookie(cookies, name)
180 return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) 180 return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
181end 181end
182 182
183function tohex(b)
184 local x = ""
185 for i = 1, #b do
186 x = x .. string.format("%.2x", string.byte(b, i))
187 end
188 return x
189end
183 190
184-- 191--
185-- 192--
@@ -197,12 +204,12 @@ function get_secret()
197 local secret_file = io.open(secret_filename, "r") 204 local secret_file = io.open(secret_filename, "r")
198 if secret_file == nil then 205 if secret_file == nil then
199 local old_umask = sysstat.umask(63) 206 local old_umask = sysstat.umask(63)
200 local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) 207 local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
201 local temporary_file = io.open(temporary_filename, "w") 208 local temporary_file = io.open(temporary_filename, "w")
202 if temporary_file == nil then 209 if temporary_file == nil then
203 os.exit(177) 210 os.exit(177)
204 end 211 end
205 temporary_file:write(crypto.hex(crypto.rand.bytes(32))) 212 temporary_file:write(tohex(rand.bytes(32)))
206 temporary_file:close() 213 temporary_file:close()
207 unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. 214 unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
208 unistd.unlink(temporary_filename) 215 unistd.unlink(temporary_filename)
@@ -227,7 +234,7 @@ function validate_value(expected_field, cookie)
227 local field = "" 234 local field = ""
228 local expiration = 0 235 local expiration = 0
229 local salt = "" 236 local salt = ""
230 local hmac = "" 237 local chmac = ""
231 238
232 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then 239 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
233 return nil 240 return nil
@@ -246,19 +253,19 @@ function validate_value(expected_field, cookie)
246 elseif i == 3 then 253 elseif i == 3 then
247 salt = component 254 salt = component
248 elseif i == 4 then 255 elseif i == 4 then
249 hmac = component 256 chmac = component
250 else 257 else
251 break 258 break
252 end 259 end
253 i = i + 1 260 i = i + 1
254 end 261 end
255 262
256 if hmac == nil or hmac:len() == 0 then 263 if chmac == nil or chmac:len() == 0 then
257 return nil 264 return nil
258 end 265 end
259 266
260 -- Lua hashes strings, so these comparisons are time invariant. 267 -- Lua hashes strings, so these comparisons are time invariant.
261 if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then 268 if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
262 return nil 269 return nil
263 end 270 end
264 271
@@ -279,11 +286,11 @@ function secure_value(field, value, expiration)
279 end 286 end
280 287
281 local authstr = "" 288 local authstr = ""
282 local salt = crypto.hex(crypto.rand.bytes(16)) 289 local salt = tohex(rand.bytes(16))
283 value = url_encode(value) 290 value = url_encode(value)
284 field = url_encode(field) 291 field = url_encode(field)
285 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt 292 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
286 authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) 293 authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
287 return authstr 294 return authstr
288end 295end
289 296