diff options
author | Jason A. Donenfeld | 2019-01-03 02:11:14 +0100 |
---|---|---|
committer | Jason A. Donenfeld | 2019-01-03 02:12:16 +0100 |
commit | 7d87cd3a215976a480b3c71b017a191597e5cb44 (patch) | |
tree | 70d600e62e9aaacc34993cc169a46f05cbe10f0e /filters/file-authentication.lua | |
parent | ui-shared: fix broken sizeof in title setting and rewrite (diff) | |
download | cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip |
filters: migrate from luacrypto to luaossl
luaossl has no upstream anymore and doesn't support OpenSSL 1.1, whereas luaossl is quite active. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters/file-authentication.lua')
-rw-r--r-- | filters/file-authentication.lua | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua index 6ee1e19..0248804 100644 --- a/filters/file-authentication.lua +++ b/filters/file-authentication.lua | |||
@@ -1,15 +1,15 @@ | |||
1 | -- This script may be used with the auth-filter. | 1 | -- This script may be used with the auth-filter. |
2 | -- | 2 | -- |
3 | -- Requirements: | 3 | -- Requirements: |
4 | -- luacrypto >= 0.3 | 4 | -- luaossl |
5 | -- <http://mkottman.github.io/luacrypto/> | 5 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
6 | -- luaposix | 6 | -- luaposix |
7 | -- <https://github.com/luaposix/luaposix> | 7 | -- <https://github.com/luaposix/luaposix> |
8 | -- | 8 | -- |
9 | local sysstat = require("posix.sys.stat") | 9 | local sysstat = require("posix.sys.stat") |
10 | local unistd = require("posix.unistd") | 10 | local unistd = require("posix.unistd") |
11 | local crypto = require("crypto") | 11 | local rand = require("openssl.rand") |
12 | 12 | local hmac = require("openssl.hmac") | |
13 | 13 | ||
14 | -- This file should contain a series of lines in the form of: | 14 | -- This file should contain a series of lines in the form of: |
15 | -- username1:hash1 | 15 | -- username1:hash1 |
@@ -225,6 +225,13 @@ function get_cookie(cookies, name) | |||
225 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) | 225 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) |
226 | end | 226 | end |
227 | 227 | ||
228 | function tohex(b) | ||
229 | local x = "" | ||
230 | for i = 1, #b do | ||
231 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
232 | end | ||
233 | return x | ||
234 | end | ||
228 | 235 | ||
229 | -- | 236 | -- |
230 | -- | 237 | -- |
@@ -242,12 +249,12 @@ function get_secret() | |||
242 | local secret_file = io.open(secret_filename, "r") | 249 | local secret_file = io.open(secret_filename, "r") |
243 | if secret_file == nil then | 250 | if secret_file == nil then |
244 | local old_umask = sysstat.umask(63) | 251 | local old_umask = sysstat.umask(63) |
245 | local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) | 252 | local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) |
246 | local temporary_file = io.open(temporary_filename, "w") | 253 | local temporary_file = io.open(temporary_filename, "w") |
247 | if temporary_file == nil then | 254 | if temporary_file == nil then |
248 | os.exit(177) | 255 | os.exit(177) |
249 | end | 256 | end |
250 | temporary_file:write(crypto.hex(crypto.rand.bytes(32))) | 257 | temporary_file:write(tohex(rand.bytes(32))) |
251 | temporary_file:close() | 258 | temporary_file:close() |
252 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. | 259 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. |
253 | unistd.unlink(temporary_filename) | 260 | unistd.unlink(temporary_filename) |
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie) | |||
272 | local field = "" | 279 | local field = "" |
273 | local expiration = 0 | 280 | local expiration = 0 |
274 | local salt = "" | 281 | local salt = "" |
275 | local hmac = "" | 282 | local chmac = "" |
276 | 283 | ||
277 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then | 284 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then |
278 | return nil | 285 | return nil |
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie) | |||
291 | elseif i == 3 then | 298 | elseif i == 3 then |
292 | salt = component | 299 | salt = component |
293 | elseif i == 4 then | 300 | elseif i == 4 then |
294 | hmac = component | 301 | chmac = component |
295 | else | 302 | else |
296 | break | 303 | break |
297 | end | 304 | end |
298 | i = i + 1 | 305 | i = i + 1 |
299 | end | 306 | end |
300 | 307 | ||
301 | if hmac == nil or hmac:len() == 0 then | 308 | if chmac == nil or chmac:len() == 0 then |
302 | return nil | 309 | return nil |
303 | end | 310 | end |
304 | 311 | ||
305 | -- Lua hashes strings, so these comparisons are time invariant. | 312 | -- Lua hashes strings, so these comparisons are time invariant. |
306 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then | 313 | if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then |
307 | return nil | 314 | return nil |
308 | end | 315 | end |
309 | 316 | ||
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration) | |||
324 | end | 331 | end |
325 | 332 | ||
326 | local authstr = "" | 333 | local authstr = "" |
327 | local salt = crypto.hex(crypto.rand.bytes(16)) | 334 | local salt = tohex(rand.bytes(16)) |
328 | value = url_encode(value) | 335 | value = url_encode(value) |
329 | field = url_encode(field) | 336 | field = url_encode(field) |
330 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 337 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
331 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) | 338 | authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) |
332 | return authstr | 339 | return authstr |
333 | end | 340 | end |
334 | 341 | ||