jkeys089 / lua-resty-hmac

HMAC functions for ngx_lua and LuaJIT
Update to OpenSSL 1.1.1 HMAC API #34

Closed abhishekvk closed 2 years ago

abhishekvk commented 2 years ago

We are evaluating the OpenResty 1.19.9.x release in our product to be used as an API Gateway. It has to perform JWT authentication for many HTTP requests. For JWT validation we are trying to use nginx-jwt, which has a dependency on lua-resty-hmac for signature creation.

The new version of OpenResty is compiled with OpenSSL 1.1.1. But I believe lua-resty-hmac was developed with an older OpenSSL version. According to the OpenSSL documentation, the HMAC APIs have changed. So performing JWT validation always throws an error about a missing HMAC function.

I have managed to update the hmac.lua file directly and make the JWT auth work. But I am very new to Lua and OpenResty and not sure what I have done is correct. Below are the two changes I made to fix the problem. Please review, correct if required and merge so that anyone else can also get them if required.

  1. Update the ffi.cdef section with the new OpenSSL function declarations

    HMAC_CTX* HMAC_CTX_new(void);
    int HMAC_CTX_reset(HMAC_CTX *ctx);
    void HMAC_CTX_free(HMAC_CTX *ctx);

  2. Update the _M.new function with calls to the new HMAC functions

    function _M.new(self, key, hash_algo)
        -- OpenSSL 1.1.x allocates the opaque HMAC_CTX itself
        local ctx = C.HMAC_CTX_new()

        if ctx == nil then
            return nil
        end

        -- register the finalizer before HMAC_Init_ex so that ctx is
        -- also freed when initialization fails
        ffi_gc(ctx, C.HMAC_CTX_free)

        local _hash_algo = hash_algo or hashes.md5

        if C.HMAC_Init_ex(ctx, key, #key, _hash_algo, nil) == 0 then
            return nil
        end

        return setmetatable({ _ctx = ctx }, mt)
    end

I will also request the nginx-jwt project to pull the latest lua-resty-hmac so that I do not need to manually modify anything.
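An added example, not part of the original post and not lua-resty-hmac's own code: the full OpenSSL 1.1.x HMAC lifecycle through LuaJIT FFI, with a pcall probe that turns the "missing HMAC function" failure described above into an explicit version error. The names `has_new_api` and `hmac_sha256` are hypothetical, and the code assumes libcrypto is either linked into the process (OpenResty) or loadable as `crypto`.

```lua
-- Added example (not lua-resty-hmac code): HMAC-SHA256 via the OpenSSL 1.1.x API.
local ffi = require "ffi"

ffi.cdef[[
typedef struct hmac_ctx_st HMAC_CTX;   /* opaque since OpenSSL 1.1.0 */
typedef struct evp_md_st EVP_MD;
typedef struct engine_st ENGINE;
HMAC_CTX *HMAC_CTX_new(void);
void HMAC_CTX_free(HMAC_CTX *ctx);
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                 const EVP_MD *md, ENGINE *impl);
int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
const EVP_MD *EVP_sha256(void);
]]

-- Looking up a symbol the library does not export raises an error,
-- so probe for the 1.1.x constructor with pcall (hypothetical helper).
local function has_new_api(lib)
    return (pcall(function() return lib.HMAC_CTX_new end))
end

-- Assumption: libcrypto is already linked into the process (OpenResty)
-- or can be loaded by the name "crypto" (standalone LuaJIT).
local C = ffi.C
if not has_new_api(C) then
    local ok, lib = pcall(ffi.load, "crypto")
    assert(ok and has_new_api(lib),
           "HMAC_CTX_new not found: OpenSSL >= 1.1.0 required")
    C = lib
end

local function hmac_sha256(key, msg)
    local ctx = C.HMAC_CTX_new()
    if ctx == nil then return nil, "HMAC_CTX_new failed" end
    -- Attach the finalizer first so every early return below still frees ctx.
    ctx = ffi.gc(ctx, C.HMAC_CTX_free)
    if C.HMAC_Init_ex(ctx, key, #key, C.EVP_sha256(), nil) == 0
        or C.HMAC_Update(ctx, msg, #msg) == 0 then
        return nil, "HMAC_Init_ex/HMAC_Update failed"
    end
    local out, len = ffi.new("unsigned char[32]"), ffi.new("unsigned int[1]")
    if C.HMAC_Final(ctx, out, len) == 0 then return nil, "HMAC_Final failed" end
    return ffi.string(out, len[0])
end

-- Self-check against RFC 4231 test case 2 (published test vector).
local mac = assert(hmac_sha256("Jefe", "what do ya want for nothing?"))
local hex = mac:gsub(".", function(c) return ("%02x"):format(c:byte()) end)
assert(hex == "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")
```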

jkeys089 commented 2 years ago

@abhishekvk it looks like nginx-jwt is no longer maintained and it has pinned an old version of lua-resty-hmac. If you upgrade to the latest lua-resty-hmac version I think you won’t have this problem.

abhishekvk commented 2 years ago

@jkeys089 Thanks for your suggestion. I will update the lua-resty-hmac on my side. I will check if somebody can update it in nginx-jwt.

Closing the issue as it is a problem with nginx-jwt not using the new version of lua-resty-hmac.