lua-resty-hmac's People

Contributors

excitedturbofan38, fffonion, jkeys089, membphis, rainingmaster, tomlarkworthy, zcaudate

lua-resty-hmac's Issues

Error when using version 0.04 from master, described below

2020/04/15 19:34:18 [error] 7#7: *53 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/hmac.lua:106: size of C type is unknown or too large at line 39
stack traceback:
coroutine 0:

how to install?

You say "It is recommended to use the latest ngx_openresty bundle directly". Well, I do have the bundle installed, and yet I am getting:

2022/10/26 11:12:54 [error] 3649#3649: *33 lua entry thread aborted: runtime error: content_by_lua(nginx.conf:97):4: module 'resty.hmac' not found:
        no field package.preload['resty.hmac']
        no file '/usr/local/openresty/site/lualib/resty/hmac.ljbc'
        no file '/usr/local/openresty/site/lualib/resty/hmac/init.ljbc'
        no file '/usr/local/openresty/lualib/resty/hmac.ljbc'
        no file '/usr/local/openresty/lualib/resty/hmac/init.ljbc'
        no file '/usr/local/openresty/site/lualib/resty/hmac.lua'
        no file '/usr/local/openresty/site/lualib/resty/hmac/init.lua'
        no file '/usr/local/openresty/lualib/resty/hmac.lua'
        no file '/usr/local/openresty/lualib/resty/hmac/init.lua'
        no file './resty/hmac.lua'
        no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/resty/hmac.lua'
        no file '/usr/local/share/lua/5.1/resty/hmac.lua'
        no file '/usr/local/share/lua/5.1/resty/hmac/init.lua'
        no file '/usr/local/openresty/luajit/share/lua/5.1/resty/hmac.lua'
        no file '/usr/local/openresty/luajit/share/lua/5.1/resty/hmac/init.lua'
        no file '/usr/local/openresty/site/lualib/resty/hmac.so'
        no file '/usr/local/openresty/lualib/resty/hmac.so'
        no file './resty/hmac.so'
        no file '/usr/local/lib/lua/5.1/resty/hmac.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/hmac.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file '/usr/local/openresty/site/lualib/resty.so'
        no file '/usr/local/openresty/lualib/resty.so'
        no file './resty.so'
        no file '/usr/local/lib/lua/5.1/resty.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'

So is there any installation procedure?

Update to OpenSSL 1.1.1 HMAC API

We are evaluating the OpenResty 1.19.9.x release in our product to be used as an API Gateway. It has to perform JWT authentication for many HTTP requests. For JWT validation we are trying to use nginx-jwt, which has a dependency on lua-resty-hmac for signature creation.

The new version of OpenResty is compiled with OpenSSL 1.1.1. But I believe lua-resty-hmac was developed with an older OpenSSL version. According to the OpenSSL documentation the HMAC APIs have changed. So performing JWT validation always throws an error about a missing HMAC function.

I have managed to update the hmac.lua file directly and make the JWT auth work. But I am very new to Lua and OpenResty and not sure what I have done is correct. Below are the two changes I made to fix the problem. Please review, correct if required and merge so that anyone else can also get them if required.

  1. Update ffi.cdef section with the new OpenSSL function declarations
HMAC_CTX* HMAC_CTX_new(void);
int HMAC_CTX_reset(HMAC_CTX *ctx);
void HMAC_CTX_free(HMAC_CTX *ctx);
  2. Update the _M.new function with call to new HMAC functions
function _M.new(self, key, hash_algo)
    -- OpenSSL 1.1.x: HMAC_CTX is opaque, so the library allocates it
    local ctx = C.HMAC_CTX_new()

    if ctx == nil then
        return nil
    end

    -- register the finalizer before anything can fail, so the context is not leaked
    ffi_gc(ctx, C.HMAC_CTX_free)

    -- the keys of the hashes table are upper-case (MD5, SHA1, ...)
    local _hash_algo = hash_algo or hashes.MD5

    if C.HMAC_Init_ex(ctx, key, #key, _hash_algo, nil) == 0 then
        return nil
    end

    return setmetatable({ _ctx = ctx }, mt)
end

I will also request the nginx-jwt project to pull the latest lua-resty-hmac so that I do not need to manually modify anything.

ffi struct definition improvement

Hi,

Thank you for providing this awesome library!
Since other ffi bindings to openssl exist, some users found conflicts on the ffi struct definition between this library and lua-resty-openssl. (See Kong/kong#5549)
As new versions of openssl start to use evp_md_ctx_st internally, it might make sense for ffi bindings to use the same name as well to avoid such conflicts. And personally I'd also suggest only letting ffi know the struct members if it really needs to (e.g. when linked with openssl 1.0).

Is this something you would consider as a pull request? If so I can draft one. It's more like a compatibility improvement and is transparent to ffi itself.

Thank you

Bug when use default algorithm in hmac:new function

Hello, when I use hmac:new("xxx"), I found that there was a mistake in your code.

This is in your code, hmac.lua:123:

 local _hash_algo = hash_algo or hashes.md5

I think it should be

 local _hash_algo = hash_algo or hashes.MD5

Push on OPM ?

Hello,

Currently, I'm using your library for another project, and I would like to import it from OPM.

Could you push your library to it, please?

Thank you.

digest is nil on Mac OSX

Hello,
I am using lua-resty-hmac as part of lua-resty-jwt but the signature is always empty. It seems hmac is returning a nil digest, but if I use the resty.string sha1 algorithm, it works fine.

Below is my nginx/openresty version

/opt/openresty/bin/resty -V
resty 0.03
nginx version:nginx/1.9.3.1
built by clang 6.1.0 (clang-602.0.53) (based on LLVM 3.6.0svn)
built with OpenSSL 0.9.8zd 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt='-O2 -I/usr/local/include' --add-module=../ngx_devel_kit-0.2.19 --add-module=../echo-nginx-module-0.58 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.29 --add-module=../form-input-nginx-module-0.11 --add-module=../encrypted-session-nginx-module-0.04 --add-module=../srcache-nginx-module-0.30 --add-module=../ngx_lua-0.9.16 --add-module=../ngx_lua_upstream-0.03 --add-module=../headers-more-nginx-module-0.26 --add-module=../array-var-nginx-module-0.04 --add-module=../memc-nginx-module-0.16 --add-module=../redis2-nginx-module-0.12 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.06 --with-ld-opt='-Wl,-rpath,/opt/openresty/luajit/lib -L/usr/local/lib' --with-http_ssl_module

resty.hmac

local hmac = require "resty.hmac"
local str = require "resty.string"

local hmac_sha1 = hmac:new("secret_key", hmac.ALGOS.SHA1)
if not hmac_sha1 then
    ngx.say("failed to create the hmac_sha1 object")
    return
end
local ok = hmac_sha1:update("hello ")
if not ok then
    ngx.say("Failed to update str")
    return
end
local digest = hmac_sha1:final("world", true)
ngx.say("hmac_sha1: ", digest)

resty.string sha1

local resty_sha1 = require "resty.sha1"
local str = require "resty.string"
local sha1 = resty_sha1:new()
if not sha1 then
    ngx.say("failed to get sha1 object")
    return
end

local ok = sha1:update("hello word")
if not ok then
    ngx.say("Failed to update str")
    return
end
local digest = sha1:final()  -- binary digest
ngx.say("sha1: ", str.to_hex(digest))

close to wrapping up OpenSSL 1.1.x dev for my module but need a tiny bit of help

A little context: openresty/openresty#372

Basically I have a proof of concept Dockerfile in there for latest version of OpenResty that comes with OpenSSL 1.1.0h bundled along for Trusty.

With v0.1.12 of my module (https://github.com/cdbattags/lua-resty-jwt/tree/v0.1.12) I introduced support the same way you did and for whatever reason I'm getting:

missing declaration for symbol 'HMAC_CTX_new'

Any idea?

Also, if it helps, plz see: cdbattags/lua-resty-jwt#2

Singleton buffer being reused?

Whilst I don't have a specific error case, I noticed what looks like a possible bug:

local buf = ffi_new("unsigned char[64]")

Is this code defining a singleton buffer which is shared by all calls to final across all instances of hmac? That would be dangerous if so, right?

(p.s. I'm new to Lua as of this weekend)

HMAC_MD5 bad results

First, the documentation states that the default for new is "ALGOS.MD5"... in the code, line 123, there is a mistake... the default is "hashes.md5", should be "hashes.MD5"...

Pretty easy to fix.

Also, trying to use your module with NGINX to build a pop3 proxy... Trying to implement cram-md5 auth.

All Perl examples are able to compute the hash the same way Outlook and other mail clients are... but in Lua, I'm always getting a different result... don't know why...

Sample in Perl :

use Digest::HMAC_MD5;

my $clear = 'mypass';
my $salt = 'mysalt';
my $expected = '0c88761d58df73064d402f6774961030';

print("clear : $clear\n");
print("salt : $salt\n");
print("------------------------------------------------------------------\n");
print("expected : $expected\n");
print("got      : " . Digest::HMAC_MD5::hmac_md5_hex($salt, $clear) . "\n");

Perl output :

clear : mypass
salt : mysalt
------------------------------------------------------------------
expected : 0c88761d58df73064d402f6774961030
got      : 0c88761d58df73064d402f6774961030

Lua script under OpenResty :

local clear = "mypass"
local salt = "mysalt"
local expected = "0c88761d58df73064d402f6774961030"

ngx.say('clear : ', clear)
ngx.say('salt : ', salt)

local hmac = require "resty.hmac"

ngx.say("------------------------------------------------------------------")
ngx.say("expected : ", expected)

--bad result
local hmac_md5 = hmac:new("", hmac.ALGOS.MD5)
ngx.say("got      : ", hmac_md5:final(salt..clear, true))
hmac_md5:reset()

--bad result
local hmac_md5 = hmac:new(salt, hmac.ALGOS.MD5)
ngx.say("got      : ", hmac_md5:final(clear, true))
hmac_md5:reset()

--bad result
local hmac_md5 = hmac:new(salt..clear, hmac.ALGOS.MD5)
ngx.say("got      : ", hmac_md5:final(nil, true))
hmac_md5:reset()

Lua output :

clear : mypass
salt : mysalt
------------------------------------------------------------------
expected : 0c88761d58df73064d402f6774961030
got      : 7e3cedfb7b506b629c1165093753d31f
got      : 0ad5db465c62e82de746ae458a4799b3
got      : b13232a517d6532733f781647130bdbc

These scripts are using a "dummy salt", but I got the same bad result using the "real" salt and password captured from a mail client conversation... What's wrong?

Note that I can easily reproduce your test result when using SHA1... I guess that my environment is OK. Seems to be an MD5-only issue...

My environment

#resty -v
resty 0.20
nginx version: openresty/1.13.6.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.07 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.11 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis2-nginx-module-0.14 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.08 --add-module=../ngx_stream_lua-0.0.3 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-http_ssl_module
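
Added example (not part of the post above and not code from lua-resty-hmac): Perl's Digest::HMAC_MD5 takes `hmac_md5_hex($data, $key)`, so the Perl sample uses `$clear` as the HMAC key, while `hmac:new(salt, ...)` in the second Lua attempt uses the salt as the key. The sketch below uses Python's standard `hmac` module as an independent reference for CRAM-MD5 (RFC 2195) and for checking which of two strings acted as the key; all function names are hypothetical.

```python
import hashlib
import hmac

def hmac_md5_hex(key: bytes, data: bytes) -> str:
    """HMAC-MD5 with an explicit (key, data) order, hex-encoded."""
    return hmac.new(key, data, hashlib.md5).hexdigest()

def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """RFC 2195 client response: the password is the HMAC key and the
    server challenge is the message."""
    return f"{user} {hmac_md5_hex(password.encode(), challenge.encode())}"

def verify_cram_md5(response: str, password: str, challenge: str) -> bool:
    """Server-side check of a client response, compared in constant time."""
    user, _, got = response.partition(" ")
    want = hmac_md5_hex(password.encode(), challenge.encode())
    return bool(user) and hmac.compare_digest(got.lower().encode(), want.encode())

def matching_order(expected_hex: str, a: str, b: str):
    """Report which string was the key behind expected_hex:
    'key=a', 'key=b', or None when neither order reproduces it."""
    expected = expected_hex.lower().encode()
    if hmac.compare_digest(hmac_md5_hex(a.encode(), b.encode()).encode(), expected):
        return "key=a"
    if hmac.compare_digest(hmac_md5_hex(b.encode(), a.encode()).encode(), expected):
        return "key=b"
    return None

# Test vector from RFC 2195, section 2.
RFC_USER = "tim"
RFC_SECRET = "tanstaaftanstaaf"
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"

if __name__ == "__main__":
    print(cram_md5_response(RFC_USER, RFC_SECRET, RFC_CHALLENGE))
    # Values quoted in the post above: which argument was the key?
    print(matching_order("0c88761d58df73064d402f6774961030", "mypass", "mysalt"))
```
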

hmac.lua:136: attempt to get length of local 's' (a nil value)

Hi,

2018/12/17 14:08:49 [error] 618#618: *35 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/hmac.lua:136: attempt to get length of local 's' (a nil value)
stack traceback:
coroutine 0:
	/usr/local/openresty/site/lualib/resty/hmac.lua: in function 'update'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:33: in function 'get_derived_signing_key'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:90: in function 'get_authorization'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:125: in function 'aws_set_headers'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:133: in function 's3_set_headers'
	access_by_lua(default.conf:29):2: in function <access_by_lua(default.conf:29):1>, client: 172.17.0.1, server: localhost, request: "GET /dincer.png HTTP/1.1", host: "localhost:8000"
2018/12/17 14:08:49 [error] 618#618: *34 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/hmac.lua:136: attempt to get length of local 's' (a nil value)
stack traceback:
coroutine 0:
	/usr/local/openresty/site/lualib/resty/hmac.lua: in function 'update'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:33: in function 'get_derived_signing_key'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:90: in function 'get_authorization'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:125: in function 'aws_set_headers'
	/usr/local/openresty/site/lualib/resty/aws-signature.lua:133: in function 's3_set_headers'
	access_by_lua(default.conf:29):2: in function <access_by_lua(default.conf:29):1>, client: 172.17.0.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "localhost:8000", referrer: "http://localhost:8000/dincer.png"

error : attempt to redefine 'env_md_ctx_st'

Is there any reason for redefining env_md_ctx_st @ https://github.com/jkeys089/lua-resty-hmac/blob/master/lib/resty/hmac.lua#L25

I am getting below error when loading lua-resty-jwt module (installed using luarocks) :

nginx: [error] init_by_lua error: /<custom-prefix>/luajit/share/lua/5.1/resty/hmac.lua:82: attempt to redefine 'env_md_ctx_st' at line 7
stack traceback:
	[C]: in function 'cdef'
	/<custom-prefix>/luajit/share/lua/5.1/resty/hmac.lua:82: in main chunk
	[C]: in function 'require'
	/<custom-prefix>/luajit/share/lua/5.1/resty/jwt.lua:5: in main chunk
	[C]: in function 'require'

If I remove both struct declarations then I don't get the above error.

If you are fine with it, I can submit a PR to remove these declarations.
