author | Jason A. Donenfeld | 2019-01-03 02:11:14 +0100 |
committer | Jason A. Donenfeld | 2019-01-03 02:12:16 +0100 |
commit | 7d87cd3a215976a480b3c71b017a191597e5cb44 (patch) | |
tree | 70d600e62e9aaacc34993cc169a46f05cbe10f0e /filters/gentoo-ldap-authentication.lua | |
parent | ui-shared: fix broken sizeof in title setting and rewrite (diff) | |
download | cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip |
filters: migrate from luacrypto to luaossl
luacrypto has no upstream anymore and doesn't support OpenSSL 1.1, whereas luaossl is quite active. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters/gentoo-ldap-authentication.lua')
-rw-r--r-- | filters/gentoo-ldap-authentication.lua | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua index b4d98c2..673c88d 100644 --- a/filters/gentoo-ldap-authentication.lua +++ b/filters/gentoo-ldap-authentication.lua | |||
@@ -1,8 +1,8 @@ | |||
1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. | 1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. |
2 | -- | 2 | -- |
3 | -- Requirements: | 3 | -- Requirements: |
4 | -- luacrypto >= 0.3 | 4 | -- luaossl |
5 | -- <http://mkottman.github.io/luacrypto/> | 5 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
6 | -- lualdap >= 1.2 | 6 | -- lualdap >= 1.2 |
7 | -- <https://git.zx2c4.com/lualdap/about/> | 7 | -- <https://git.zx2c4.com/lualdap/about/> |
8 | -- luaposix | 8 | -- luaposix |
@@ -10,9 +10,9 @@ | |||
10 | -- | 10 | -- |
11 | local sysstat = require("posix.sys.stat") | 11 | local sysstat = require("posix.sys.stat") |
12 | local unistd = require("posix.unistd") | 12 | local unistd = require("posix.unistd") |
13 | local crypto = require("crypto") | ||
14 | local lualdap = require("lualdap") | 13 | local lualdap = require("lualdap") |
15 | 14 | local rand = require("openssl.rand") | |
15 | local hmac = require("openssl.hmac") | ||
16 | 16 | ||
17 | -- | 17 | -- |
18 | -- | 18 | -- |
@@ -226,6 +226,13 @@ function get_cookie(cookies, name) | |||
226 | return string.match(cookies, ";" .. name .. "=(.-);") | 226 | return string.match(cookies, ";" .. name .. "=(.-);") |
227 | end | 227 | end |
228 | 228 | ||
229 | function tohex(b) | ||
230 | local x = "" | ||
231 | for i = 1, #b do | ||
232 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
233 | end | ||
234 | return x | ||
235 | end | ||
229 | 236 | ||
230 | -- | 237 | -- |
231 | -- | 238 | -- |
@@ -243,12 +250,12 @@ function get_secret() | |||
243 | local secret_file = io.open(secret_filename, "r") | 250 | local secret_file = io.open(secret_filename, "r") |
244 | if secret_file == nil then | 251 | if secret_file == nil then |
245 | local old_umask = sysstat.umask(63) | 252 | local old_umask = sysstat.umask(63) |
246 | local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) | 253 | local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) |
247 | local temporary_file = io.open(temporary_filename, "w") | 254 | local temporary_file = io.open(temporary_filename, "w") |
248 | if temporary_file == nil then | 255 | if temporary_file == nil then |
249 | os.exit(177) | 256 | os.exit(177) |
250 | end | 257 | end |
251 | temporary_file:write(crypto.hex(crypto.rand.bytes(32))) | 258 | temporary_file:write(tohex(rand.bytes(32))) |
252 | temporary_file:close() | 259 | temporary_file:close() |
253 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. | 260 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. |
254 | unistd.unlink(temporary_filename) | 261 | unistd.unlink(temporary_filename) |
@@ -273,7 +280,7 @@ function validate_value(expected_field, cookie) | |||
273 | local field = "" | 280 | local field = "" |
274 | local expiration = 0 | 281 | local expiration = 0 |
275 | local salt = "" | 282 | local salt = "" |
276 | local hmac = "" | 283 | local chmac = "" |
277 | 284 | ||
278 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then | 285 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then |
279 | return nil | 286 | return nil |
@@ -292,19 +299,19 @@ function validate_value(expected_field, cookie) | |||
292 | elseif i == 3 then | 299 | elseif i == 3 then |
293 | salt = component | 300 | salt = component |
294 | elseif i == 4 then | 301 | elseif i == 4 then |
295 | hmac = component | 302 | chmac = component |
296 | else | 303 | else |
297 | break | 304 | break |
298 | end | 305 | end |
299 | i = i + 1 | 306 | i = i + 1 |
300 | end | 307 | end |
301 | 308 | ||
302 | if hmac == nil or hmac:len() == 0 then | 309 | if chmac == nil or chmac:len() == 0 then |
303 | return nil | 310 | return nil |
304 | end | 311 | end |
305 | 312 | ||
306 | -- Lua hashes strings, so these comparisons are time invariant. | 313 | -- Lua hashes strings, so these comparisons are time invariant. |
307 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then | 314 | if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then |
308 | return nil | 315 | return nil |
309 | end | 316 | end |
310 | 317 | ||
@@ -325,11 +332,11 @@ function secure_value(field, value, expiration) | |||
325 | end | 332 | end |
326 | 333 | ||
327 | local authstr = "" | 334 | local authstr = "" |
328 | local salt = crypto.hex(crypto.rand.bytes(16)) | 335 | local salt = tohex(rand.bytes(16)) |
329 | value = url_encode(value) | 336 | value = url_encode(value) |
330 | field = url_encode(field) | 337 | field = url_encode(field) |
331 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 338 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
332 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) | 339 | authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) |
333 | return authstr | 340 | return authstr |
334 | end | 341 | end |
335 | 342 | ||
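Review bot: The "Lua hashes strings, so these comparisons are time invariant" comment carried over onto new line 313 only holds on Lua 5.1, where every string is interned and `~=` is a pointer compare; on Lua 5.2.1 and later, strings longer than 40 bytes are not interned and equality falls back to a length check plus memcmp, and the 64-character hex digests compared on new line 314 (both the cookie's `chmac` and the `tohex` output) are long strings, so the comparison can exit at the first differing byte. The migration rewrites that line anyway, so this hunk is the natural place to replace `~=` with a comparison that always walks the full length, and the comment should be reworded to say why the helper exists rather than claim interning; the interpreter gives no hard constant-time guarantee, but the early-exit channel in the script itself is removed. validate_value both starts and ends outside this hunk. The helper can sit next to the new `tohex` definition in the earlier hunk, which is also where the `..`-in-a-loop accumulation could be written as `(b:gsub(".", function(c) return string.format("%02x", c:byte()) end))`, though for 16- and 32-byte inputs the loop is harmless.
```lua
-- Compare two strings without stopping at the first mismatch, so the
-- time taken does not depend on where (or whether) they differ.
-- Lua 5.2.1+ compares long strings with memcmp, so plain == is not enough.
function digests_equal(a, b)
	if a:len() ~= b:len() then
		return false
	end
	local diff = 0
	for i = 1, a:len() do
		diff = diff + math.abs(a:byte(i) - b:byte(i))
	end
	return diff == 0
end

-- … unchanged: validate_value up to the digest check …
	if not digests_equal(chmac, tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt))) then
		return nil
	end
```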