jkeys089 / lua-resty-hmac
HMAC functions for ngx_lua and LuaJIT
2020/04/15 19:34:18 [error] 7#7: *53 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/hmac.lua:106: size of C type is unknown or too large at line 39
stack traceback:
coroutine 0:
You say "It is recommended to use the latest ngx_openresty bundle directly" Well, I do have the bundle installed, and yet I am getting:
2022/10/26 11:12:54 [error] 3649#3649: *33 lua entry thread aborted: runtime error: content_by_lua(nginx.conf:97):4: module 'resty.hmac' not found:
no field package.preload['resty.hmac']
no file '/usr/local/openresty/site/lualib/resty/hmac.ljbc'
no file '/usr/local/openresty/site/lualib/resty/hmac/init.ljbc'
no file '/usr/local/openresty/lualib/resty/hmac.ljbc'
no file '/usr/local/openresty/lualib/resty/hmac/init.ljbc'
no file '/usr/local/openresty/site/lualib/resty/hmac.lua'
no file '/usr/local/openresty/site/lualib/resty/hmac/init.lua'
no file '/usr/local/openresty/lualib/resty/hmac.lua'
no file '/usr/local/openresty/lualib/resty/hmac/init.lua'
no file './resty/hmac.lua'
no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/resty/hmac.lua'
no file '/usr/local/share/lua/5.1/resty/hmac.lua'
no file '/usr/local/share/lua/5.1/resty/hmac/init.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/resty/hmac.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/resty/hmac/init.lua'
no file '/usr/local/openresty/site/lualib/resty/hmac.so'
no file '/usr/local/openresty/lualib/resty/hmac.so'
no file './resty/hmac.so'
no file '/usr/local/lib/lua/5.1/resty/hmac.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/hmac.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
So is there any installation procedure?
We are evaluating the OpenResty 1.19.9.x release in our product to be used as an API Gateway. It has to perform JWT authentication for many HTTP requests. For JWT validation we are trying to use nginx-jwt, which has a dependency on lua-resty-hmac for signature creation.
The new version of OpenResty is compiled with OpenSSL 1.1.1. But I believe lua-resty-hmac was developed with an older OpenSSL version. According to the OpenSSL documentation the HMAC APIs have changed. So performing JWT validation always throws an error about a missing HMAC function.
I have managed to update the hmac.lua file directly and make the JWT auth work. But I am very new to Lua and OpenResty and not sure what I have done is correct. Below are the two changes I made to fix the problem. Please review, correct if required and merge so that anyone else can also get them if required.
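HMAC_CTX* HMAC_CTX_new(void);
int HMAC_CTX_reset(HMAC_CTX *ctx);
void HMAC_CTX_free(HMAC_CTX *ctx);

function _M.new(self, key, hash_algo)
    -- OpenSSL 1.1.x: HMAC_CTX is opaque, so the library has to allocate it
    local ctx = C.HMAC_CTX_new()
    if ctx == nil then
        return nil
    end
    -- register the finalizer first so the context is also freed if init fails
    ffi_gc(ctx, C.HMAC_CTX_free)

    -- the keys of the hashes table are upper-case (ALGOS.MD5)
    local _hash_algo = hash_algo or hashes.MD5
    if C.HMAC_Init_ex(ctx, key, #key, _hash_algo, nil) == 0 then
        return nil
    end

    return setmetatable({ _ctx = ctx }, mt)
end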
I will also request nginx-jwt project to pull the latest lua-resty-hmac so that I do not need to manually modify anything.
Could you post a .src.rock file of the project to https://luarocks.org/? Specifically the lua-resty-hmac-ffi flavor of this package.
This should be pretty easy. You can follow the documentation here. https://github.com/luarocks/luarocks/wiki/Creating-a-rock#upload-command.
This will help users who have to resolve your package using a binary repository like Artifactory.
Thank you!
I saw the deprecation warning at https://github.com/starius/luacrypto from a dependency of the old version of this lib and I'm curious what we can do to just get behind https://luarocks.org/modules/daurnimator/luaossl as the latest and greatest?
Hi,
Thank you for providing this awesome library!
Since other ffi bindings to openssl exist, some users found conflicts on the ffi struct definitions from this library and lua-resty-openssl. (See Kong/kong#5549)
As new versions of openssl start to use evp_md_ctx_st internally, it might make sense for ffi bindings to use the same name as well to avoid such conflicts. And personally I'd also suggest only letting ffi know the struct members if it really needs them (e.g. when linked with openssl 1.0).
Is this something you would consider as a pull request? If so I can draft one. It's more like a compatibility improvement and is transparent to ffi itself.
Thank you
Hello, when I use hmac:new("xxx"), I found that there was a mistake in your code.
In your code, at hmac.lua:123:
local _hash_algo = hash_algo or hashes.md5
I think it should be
local _hash_algo = hash_algo or hashes.MD5
I set the KEY to "", but the result is not right... What can I do?
hi:
I am yuansheng, the PMC of Apache APISIX.
We are using this library in APISIX now.
My email: [email protected] , I want to make friends with you.
Waiting for your response.
Hello,
Currently, I'm using your library for another project, and I would like to import it from OPM.
Could you push your library to it, please?
Thank you.
Hello,
I am using lua-resty-hmac as part of lua-resty-jwt but the signature is always empty. It seems hmac is returning a nil digest, but if I use the resty.string sha1 algorithm, it works fine.
Below is my nginx/openresty version
/opt/openresty/bin/resty -V
resty 0.03
nginx version:nginx/1.9.3.1
built by clang 6.1.0 (clang-602.0.53) (based on LLVM 3.6.0svn)
built with OpenSSL 0.9.8zd 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt='-O2 -I/usr/local/include' --add-module=../ngx_devel_kit-0.2.19 --add-module=../echo-nginx-module-0.58 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.29 --add-module=../form-input-nginx-module-0.11 --add-module=../encrypted-session-nginx-module-0.04 --add-module=../srcache-nginx-module-0.30 --add-module=../ngx_lua-0.9.16 --add-module=../ngx_lua_upstream-0.03 --add-module=../headers-more-nginx-module-0.26 --add-module=../array-var-nginx-module-0.04 --add-module=../memc-nginx-module-0.16 --add-module=../redis2-nginx-module-0.12 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.06 --with-ld-opt='-Wl,-rpath,/opt/openresty/luajit/lib -L/usr/local/lib' --with-http_ssl_module
local hmac = require "resty.hmac"
local str = require "resty.string"
local hmac_sha1 = hmac:new("secret_key", hmac.ALGOS.SHA1)
if not hmac_sha1 then
    ngx.say("failed to create the hmac_sha1 object")
    return
end
local ok = hmac_sha1:update("hello ")
if not ok then
    ngx.say("Failed to update str")
    return
end
local digest = hmac_sha1:final("world",true)
ngx.say("hmac_sha1: ", digest)

local resty_sha1 = require "resty.sha1"
local str = require "resty.string"
local sha1 = resty_sha1:new()
if not sha1 then
    ngx.say("failed to get sha1 object")
    return
end
local ok = sha1:update("hello word")
if not ok then
    ngx.say("Failed to update str")
    return
end
local digest = sha1:final() -- binary digest
ngx.say("sha1: ", str.to_hex(digest))
A little context: openresty/openresty#372
Basically I have a proof of concept Dockerfile in there for latest version of OpenResty that comes with OpenSSL 1.1.0h bundled along for Trusty.
With v0.1.12 of my module (https://github.com/cdbattags/lua-resty-jwt/tree/v0.1.12) I introduced support the same way you did and for whatever reason I'm getting:
missing declaration for symbol 'HMAC_CTX_new'
Any idea?
Also, if it helps, plz see: cdbattags/lua-resty-jwt#2
Whilst I don't have a specific error case, I noticed what looks like a possible bug:
lua-resty-hmac/lib/resty/hmac.lua
Line 76 in b69abb8
Is this code defining a singleton buffer which is shared by all calls to final across all instances of hmac? That would be dangerous if so, right?
(p.s. I'm new to Lua as of this weekend)
Mind uploading this to LuaRocks under your own name?
And possibly add all previous versions from the last owner as well? Trying to get this updated for https://github.com/zmartzone/lua-resty-openidc! I did the same with https://github.com/cdbattags/lua-resty-jwt.
Refer to luarocks/luarocks-site#133 for help.
@jkeys089 you can create a new tag, then I'll submit a new luarocks file
First, the documentation states that the default for new is "ALGOS.MD5"... in the code, line 123, there is a mistake... the default is "hashes.md5", should be "hashes.MD5"...
Pretty easy to fix.
Also, trying to use your module with NGINX to build a pop3 proxy... Trying to implement cram-md5 auth.
All Perl examples are able to compute the hash the same way Outlook and other mail clients are... but in Lua, I'm always getting a different result... don't know why...
Sample in Perl :
use Digest::HMAC_MD5;
my $clear = 'mypass';
my $salt = 'mysalt';
my $expected = '0c88761d58df73064d402f6774961030';
print("clear : $clear\n");
print("salt : $salt\n");
print("------------------------------------------------------------------\n");
print("expected : $expected\n");
print("got : " . Digest::HMAC_MD5::hmac_md5_hex($salt, $clear) . "\n");
Perl output :
clear : mypass
salt : mysalt
------------------------------------------------------------------
expected : 0c88761d58df73064d402f6774961030
got : 0c88761d58df73064d402f6774961030
LUA script under OpenResty :
local clear = "mypass"
local salt = "mysalt"
local expected = "0c88761d58df73064d402f6774961030"
ngx.say('clear : ', clear)
ngx.say('salt : ', salt)
local hmac = require "resty.hmac"
ngx.say("------------------------------------------------------------------")
ngx.say("expected : ", expected)
--bad result
local hmac_md5 = hmac:new("", hmac.ALGOS.MD5)
ngx.say("got : ", hmac_md5:final(salt..clear, true))
hmac_md5:reset()
--bad result
local hmac_md5 = hmac:new(salt, hmac.ALGOS.MD5)
ngx.say("got : ", hmac_md5:final(clear, true))
hmac_md5:reset()
--bad result
local hmac_md5 = hmac:new(salt..clear, hmac.ALGOS.MD5)
ngx.say("got : ", hmac_md5:final(nil, true))
hmac_md5:reset()
LUA output :
clear : mypass
salt : mysalt
------------------------------------------------------------------
expected : 0c88761d58df73064d402f6774961030
got : 7e3cedfb7b506b629c1165093753d31f
got : 0ad5db465c62e82de746ae458a4799b3
got : b13232a517d6532733f781647130bdbc
These scripts are using a "dummy salt", but I got the same bad result using the "real" salt and password captured from a mail client conversation... What's wrong?
Note that I can easily reproduce your test result when using SHA1... I guess that my environment is OK. Seems to be an MD5-only issue...
My environment
#resty -v
resty 0.20
nginx version: openresty/1.13.6.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.07 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.11 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis2-nginx-module-0.14 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.08 --add-module=../ngx_stream_lua-0.0.3 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-http_ssl_module
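Added example, not part of the post above or of the project's code: Perl's Digest::HMAC_MD5::hmac_md5_hex takes the data first and the key second, so the Perl script keys the HMAC with the password and hashes the salt, a combination none of the three Lua attempts uses. The sketch below makes that call with the resty.hmac API shown in the post and compares digests without an early exit; the helper names cram_md5_hex and same_digest are hypothetical, and it assumes the OpenResty `resty` command-line tool.

```lua
-- Added example (not from the thread). Run with: resty cram_md5_check.lua
local hmac = require "resty.hmac"
local bit  = require "bit"

-- Sample values copied from the post above.
local password  = "mypass"  -- shared secret: this is the HMAC *key*
local challenge = "mysalt"  -- server challenge: this is the HMAC *message*
local expected  = "0c88761d58df73064d402f6774961030"

-- CRAM-MD5 digest: HMAC-MD5 keyed with the password, computed over the
-- challenge. Mirrors Perl's hmac_md5_hex($data, $key) with the arguments
-- in resty.hmac order (key to new(), data to final()).
local function cram_md5_hex(key, message)
    if type(key) ~= "string" or type(message) ~= "string" then
        return nil, "key and message must be strings"
    end
    local h = hmac:new(key, hmac.ALGOS.MD5)
    if not h then
        return nil, "failed to create the HMAC-MD5 context"
    end
    return h:final(message, true)  -- true => hex-encoded digest
end

-- Compare two digests without returning at the first differing byte,
-- so the comparison time does not depend on how many bytes match.
local function same_digest(a, b)
    if type(a) ~= "string" or type(b) ~= "string" or #a ~= #b then
        return false
    end
    local diff = 0
    for i = 1, #a do
        diff = bit.bor(diff, bit.bxor(a:byte(i), b:byte(i)))
    end
    return diff == 0
end

-- Key = password, message = challenge: the order the Perl script uses.
local got = assert(cram_md5_hex(password, challenge))
print("key=password, msg=challenge: ", got,
      " matches expected: ", tostring(same_digest(got, expected)))

-- Key = challenge, message = password: the second attempt in the post.
local swapped = assert(cram_md5_hex(challenge, password))
print("key=challenge, msg=password: ", swapped,
      " matches expected: ", tostring(same_digest(swapped, expected)))
```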
Hi,
2018/12/17 14:08:49 [error] 618#618: *35 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/hmac.lua:136: attempt to get length of local 's' (a nil value)
stack traceback:
coroutine 0:
/usr/local/openresty/site/lualib/resty/hmac.lua: in function 'update'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:33: in function 'get_derived_signing_key'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:90: in function 'get_authorization'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:125: in function 'aws_set_headers'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:133: in function 's3_set_headers'
access_by_lua(default.conf:29):2: in function <access_by_lua(default.conf:29):1>, client: 172.17.0.1, server: localhost, request: "GET /dincer.png HTTP/1.1", host: "localhost:8000"
2018/12/17 14:08:49 [error] 618#618: *34 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/hmac.lua:136: attempt to get length of local 's' (a nil value)
stack traceback:
coroutine 0:
/usr/local/openresty/site/lualib/resty/hmac.lua: in function 'update'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:33: in function 'get_derived_signing_key'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:90: in function 'get_authorization'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:125: in function 'aws_set_headers'
/usr/local/openresty/site/lualib/resty/aws-signature.lua:133: in function 's3_set_headers'
access_by_lua(default.conf:29):2: in function <access_by_lua(default.conf:29):1>, client: 172.17.0.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "localhost:8000", referrer: "http://localhost:8000/dincer.png"
Is there any reason for redefining env_md_ctx_st @ https://github.com/jkeys089/lua-resty-hmac/blob/master/lib/resty/hmac.lua#L25
I am getting below error when loading lua-resty-jwt module (installed using luarocks) :
nginx: [error] init_by_lua error: /<custom-prefix>/luajit/share/lua/5.1/resty/hmac.lua:82: attempt to redefine 'env_md_ctx_st' at line 7
stack traceback:
[C]: in function 'cdef'
/<custom-prefix>/luajit/share/lua/5.1/resty/hmac.lua:82: in main chunk
[C]: in function 'require'
/<custom-prefix>/luajit/share/lua/5.1/resty/jwt.lua:5: in main chunk
[C]: in function 'require'
If I remove both struct declarations then I don't get the above error.
If you are fine with it, I can submit a PR to remove these declarations.