diff options
author | Jason A. Donenfeld | 2019-01-03 02:11:14 +0100 |
---|---|---|
committer | Jason A. Donenfeld | 2019-01-03 02:12:16 +0100 |
commit | 7d87cd3a215976a480b3c71b017a191597e5cb44 (patch) | |
tree | 70d600e62e9aaacc34993cc169a46f05cbe10f0e /filters/simple-authentication.lua | |
parent | ui-shared: fix broken sizeof in title setting and rewrite (diff) | |
download | cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.tar.gz cgit-7d87cd3a215976a480b3c71b017a191597e5cb44.zip |
filters: migrate from luacrypto to luaossl
luaossl has no upstream anymore and doesn't support OpenSSL 1.1, whereas luaossl is quite active. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters/simple-authentication.lua')
-rw-r--r-- | filters/simple-authentication.lua | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 77d1fd0..23d3457 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
@@ -1,15 +1,15 @@ | |||
1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. | 1 | -- This script may be used with the auth-filter. Be sure to configure it as you wish. |
2 | -- | 2 | -- |
3 | -- Requirements: | 3 | -- Requirements: |
4 | -- luacrypto >= 0.3 | 4 | -- luaossl |
5 | -- <http://mkottman.github.io/luacrypto/> | 5 | -- <http://25thandclement.com/~william/projects/luaossl.html> |
6 | -- luaposix | 6 | -- luaposix |
7 | -- <https://github.com/luaposix/luaposix> | 7 | -- <https://github.com/luaposix/luaposix> |
8 | -- | 8 | -- |
9 | local sysstat = require("posix.sys.stat") | 9 | local sysstat = require("posix.sys.stat") |
10 | local unistd = require("posix.unistd") | 10 | local unistd = require("posix.unistd") |
11 | local crypto = require("crypto") | 11 | local rand = require("openssl.rand") |
12 | 12 | local hmac = require("openssl.hmac") | |
13 | 13 | ||
14 | -- | 14 | -- |
15 | -- | 15 | -- |
@@ -180,6 +180,13 @@ function get_cookie(cookies, name) | |||
180 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) | 180 | return url_decode(string.match(cookies, ";" .. name .. "=(.-);")) |
181 | end | 181 | end |
182 | 182 | ||
183 | function tohex(b) | ||
184 | local x = "" | ||
185 | for i = 1, #b do | ||
186 | x = x .. string.format("%.2x", string.byte(b, i)) | ||
187 | end | ||
188 | return x | ||
189 | end | ||
183 | 190 | ||
184 | -- | 191 | -- |
185 | -- | 192 | -- |
@@ -197,12 +204,12 @@ function get_secret() | |||
197 | local secret_file = io.open(secret_filename, "r") | 204 | local secret_file = io.open(secret_filename, "r") |
198 | if secret_file == nil then | 205 | if secret_file == nil then |
199 | local old_umask = sysstat.umask(63) | 206 | local old_umask = sysstat.umask(63) |
200 | local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16)) | 207 | local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) |
201 | local temporary_file = io.open(temporary_filename, "w") | 208 | local temporary_file = io.open(temporary_filename, "w") |
202 | if temporary_file == nil then | 209 | if temporary_file == nil then |
203 | os.exit(177) | 210 | os.exit(177) |
204 | end | 211 | end |
205 | temporary_file:write(crypto.hex(crypto.rand.bytes(32))) | 212 | temporary_file:write(tohex(rand.bytes(32))) |
206 | temporary_file:close() | 213 | temporary_file:close() |
207 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. | 214 | unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. |
208 | unistd.unlink(temporary_filename) | 215 | unistd.unlink(temporary_filename) |
@@ -227,7 +234,7 @@ function validate_value(expected_field, cookie) | |||
227 | local field = "" | 234 | local field = "" |
228 | local expiration = 0 | 235 | local expiration = 0 |
229 | local salt = "" | 236 | local salt = "" |
230 | local hmac = "" | 237 | local chmac = "" |
231 | 238 | ||
232 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then | 239 | if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then |
233 | return nil | 240 | return nil |
@@ -246,19 +253,19 @@ function validate_value(expected_field, cookie) | |||
246 | elseif i == 3 then | 253 | elseif i == 3 then |
247 | salt = component | 254 | salt = component |
248 | elseif i == 4 then | 255 | elseif i == 4 then |
249 | hmac = component | 256 | chmac = component |
250 | else | 257 | else |
251 | break | 258 | break |
252 | end | 259 | end |
253 | i = i + 1 | 260 | i = i + 1 |
254 | end | 261 | end |
255 | 262 | ||
256 | if hmac == nil or hmac:len() == 0 then | 263 | if chmac == nil or chmac:len() == 0 then |
257 | return nil | 264 | return nil |
258 | end | 265 | end |
259 | 266 | ||
260 | -- Lua hashes strings, so these comparisons are time invariant. | 267 | -- Lua hashes strings, so these comparisons are time invariant. |
261 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then | 268 | if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then |
262 | return nil | 269 | return nil |
263 | end | 270 | end |
264 | 271 | ||
@@ -279,11 +286,11 @@ function secure_value(field, value, expiration) | |||
279 | end | 286 | end |
280 | 287 | ||
281 | local authstr = "" | 288 | local authstr = "" |
282 | local salt = crypto.hex(crypto.rand.bytes(16)) | 289 | local salt = tohex(rand.bytes(16)) |
283 | value = url_encode(value) | 290 | value = url_encode(value) |
284 | field = url_encode(field) | 291 | field = url_encode(field) |
285 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 292 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
286 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret()) | 293 | authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) |
287 | return authstr | 294 | return authstr |
288 | end | 295 | end |
289 | 296 | ||