1 files changed, 19 insertions, 12 deletions
diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua
index 6ee1e19..0248804 100644
--- a/filters/file-authentication.lua
+++ b/filters/file-authentication.lua

@@ -1,15 +1,15 @@
 -- This script may be used with the auth-filter.
 --
 -- Requirements:
--      luacrypto >= 0.3
+--      luaossl
--      <http://mkottman.github.io/luacrypto/>
+--      <http://25thandclement.com/~william/projects/luaossl.html>
 --      luaposix
 --      <https://github.com/luaposix/luaposix>
 --
 local sysstat = require("posix.sys.stat")
 local unistd = require("posix.unistd")
-local crypto = require("crypto")
+local rand = require("openssl.rand")
+local hmac = require("openssl.hmac")
 -- This file should contain a series of lines in the form of:
 --      username1:hash1
@@ -225,6 +225,13 @@ function get_cookie(cookies, name)
        return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
 end
+function tohex(b)
+        local x = ""
+        for i = 1, #b do
+                x = x .. string.format("%.2x", string.byte(b, i))
+        end
+        return x
+end
 --
 --
@@ -242,12 +249,12 @@ function get_secret()
        local secret_file = io.open(secret_filename, "r")
        if secret_file == nil then
                local old_umask = sysstat.umask(63)
-                local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))
+                local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
                local temporary_file = io.open(temporary_filename, "w")
                if temporary_file == nil then
                        os.exit(177)
                end
-                temporary_file:write(crypto.hex(crypto.rand.bytes(32)))
+                temporary_file:write(tohex(rand.bytes(32)))
                temporary_file:close()
                unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
                unistd.unlink(temporary_filename)
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie)
        local field = ""
        local expiration = 0
        local salt = ""
-        local hmac = ""
+        local chmac = ""
        if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
                return nil
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie)
                elseif i == 3 then
                        salt = component
                elseif i == 4 then
-                        hmac = component
+                        chmac = component
                else
                        break
                end
                i = i + 1
        end
-        if hmac == nil or hmac:len() == 0 then
+        if chmac == nil or chmac:len() == 0 then
                return nil
        end
        -- Lua hashes strings, so these comparisons are time invariant.
-        if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, get_secret()) then
+        if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then
                return nil
        end
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration)
        end
        local authstr = ""
-        local salt = crypto.hex(crypto.rand.bytes(16))
+        local salt = tohex(rand.bytes(16))
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-        authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, get_secret())
+        authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
        return authstr
 end

diff --git a/filters/file-authentication.lua b/filters/file-authentication.lua index 6ee1e19..0248804 100644 --- a/filters/file-authentication.lua +++ b/filters/file-authentication.lua
@@ -1,15 +1,15 @@
1	-- This script may be used with the auth-filter.	1	-- This script may be used with the auth-filter.
2	--	2	--
3	-- Requirements:	3	-- Requirements:
4	-- luacrypto >= 0.3	4	-- luaossl
5	-- <http://mkottman.github.io/luacrypto/>	5	-- <http://25thandclement.com/~william/projects/luaossl.html>
6	-- luaposix	6	-- luaposix
7	-- <https://github.com/luaposix/luaposix>	7	-- <https://github.com/luaposix/luaposix>
8	--	8	--
9	local sysstat = require("posix.sys.stat")	9	local sysstat = require("posix.sys.stat")
10	local unistd = require("posix.unistd")	10	local unistd = require("posix.unistd")
11	local crypto = require("crypto")	11	local rand = require("openssl.rand")
12		12	local hmac = require("openssl.hmac")
13		13
14	-- This file should contain a series of lines in the form of:	14	-- This file should contain a series of lines in the form of:
15	-- username1:hash1	15	-- username1:hash1
@@ -225,6 +225,13 @@ function get_cookie(cookies, name)
225	return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))	225	return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
226	end	226	end
227		227
		228	function tohex(b)
		229	local x = ""
		230	for i = 1, #b do
		231	x = x .. string.format("%.2x", string.byte(b, i))
		232	end
		233	return x
		234	end
228		235
229	--	236	--
230	--	237	--
@@ -242,12 +249,12 @@ function get_secret()
242	local secret_file = io.open(secret_filename, "r")	249	local secret_file = io.open(secret_filename, "r")
243	if secret_file == nil then	250	if secret_file == nil then
244	local old_umask = sysstat.umask(63)	251	local old_umask = sysstat.umask(63)
245	local temporary_filename = secret_filename .. ".tmp." .. crypto.hex(crypto.rand.bytes(16))	252	local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16))
246	local temporary_file = io.open(temporary_filename, "w")	253	local temporary_file = io.open(temporary_filename, "w")
247	if temporary_file == nil then	254	if temporary_file == nil then
248	os.exit(177)	255	os.exit(177)
249	end	256	end
250	temporary_file:write(crypto.hex(crypto.rand.bytes(32)))	257	temporary_file:write(tohex(rand.bytes(32)))
251	temporary_file:close()	258	temporary_file:close()
252	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.	259	unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same.
253	unistd.unlink(temporary_filename)	260	unistd.unlink(temporary_filename)
@@ -272,7 +279,7 @@ function validate_value(expected_field, cookie)
272	local field = ""	279	local field = ""
273	local expiration = 0	280	local expiration = 0
274	local salt = ""	281	local salt = ""
275	local hmac = ""	282	local chmac = ""
276		283
277	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then	284	if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "\|" then
278	return nil	285	return nil
@@ -291,19 +298,19 @@ function validate_value(expected_field, cookie)
291	elseif i == 3 then	298	elseif i == 3 then
292	salt = component	299	salt = component
293	elseif i == 4 then	300	elseif i == 4 then
294	hmac = component	301	chmac = component
295	else	302	else
296	break	303	break
297	end	304	end
298	i = i + 1	305	i = i + 1
299	end	306	end
300		307
301	if hmac == nil or hmac:len() == 0 then	308	if chmac == nil or chmac:len() == 0 then
302	return nil	309	return nil
303	end	310	end
304		311
305	-- Lua hashes strings, so these comparisons are time invariant.	312	-- Lua hashes strings, so these comparisons are time invariant.
306	if hmac ~= crypto.hmac.digest("sha256", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, get_secret()) then	313	if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt)) then
307	return nil	314	return nil
308	end	315	end
309		316
@@ -324,11 +331,11 @@ function secure_value(field, value, expiration)
324	end	331	end
325		332
326	local authstr = ""	333	local authstr = ""
327	local salt = crypto.hex(crypto.rand.bytes(16))	334	local salt = tohex(rand.bytes(16))
328	value = url_encode(value)	335	value = url_encode(value)
329	field = url_encode(field)	336	field = url_encode(field)
330	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt	337	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt
331	authstr = authstr .. "\|" .. crypto.hmac.digest("sha256", authstr, get_secret())	338	authstr = authstr .. "\|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr))
332	return authstr	339	return authstr
333	end	340	end
334		341