[fix] helpers.lua: openssl v3 support for hmac_sha512

This change is backward compatible with older openssl versions
Cyril Romain 2022-11-06 19:37:45 +01:00
parent 81160e5d95
commit 7cd4965f6c


@ -112,14 +112,15 @@ function hmac_sha512(key, message)
-- this is really dirty and probably leak the key and the message in the process list -- this is really dirty and probably leak the key and the message in the process list
-- but if someone got there I guess we really have other problems so this is acceptable -- but if someone got there I guess we really have other problems so this is acceptable
-- and also this is way better than the previous situation -- and also this is way better than the previous situation
local pipe = io.popen("echo -n '" ..message:gsub("'", "'\\''").. "' | openssl sha512 -hmac '" ..key:gsub("'", "'\\''").. "'") local pipe = io.popen("echo -n '" ..message:gsub("'", "'\\''").. "' | openssl dgst -sha512 -hmac '" ..key:gsub("'", "'\\''").. "'")
-- openssl returns something like this: -- openssl returns something like this:
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key" -- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
-- (stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3 -- SHA2-512(stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3
-- --
-- so we need to remove the "(stdin)= " at the beginning -- so we need to remove the "SHA2-512(stdin)= " at the beginning ("(stdin)= " on older openssl version)
local hash = pipe:read():sub(string.len("(stdin)= ") + 1) local line = pipe:read()
local hash = line:sub(line:find("=") + 2)
pipe:close() pipe:close()
cache:set(cache_key, hash, conf["session_timeout"]) cache:set(cache_key, hash, conf["session_timeout"])
@ -370,7 +371,7 @@ function authenticate(user, password)
end end
cache:add(user.."-password", password, conf["session_timeout"]) cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user) ngx.log(ngx.NOTICE, "Connected as: "..user)
logger.info("User "..user.." succesfully authenticated from "..ngx.var.remote_addr) logger.info("User "..user.." successfully authenticated from "..ngx.var.remote_addr)
return user return user
-- Else, the username/email or the password is wrong -- Else, the username/email or the password is wrong
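Review bot: In the hmac_sha512 hunk, `line:sub(line:find("=") + 2)` assumes `pipe:read()` returned a line and that the line contains `=`. If openssl is missing or exits with an error, `line` is nil or has no `=`, so the function raises instead of failing cleanly, and any unexpected output that does contain `=` is cached as the HMAC for `session_timeout`. I would extract and validate the digest before `cache:set`, for example `local hash = line and line:match("=%s*(%x+)%s*$")` followed by `if not hash or #hash ~= 128 then` with whatever error path the function's callers expect; the rest of hmac_sha512 is outside the hunk, so that path is not visible here. The example in the comment on the new side still shows `openssl sha512 -hmac "key"` although the command is now `openssl dgst -sha512`, so the comment should be updated to match.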