Closed dominicgermain closed 6 years ago
It looks to me like it is probably caused by the order of arguments.
The Perl module expects hmac_md5_hex($data, $key)
but your example code has those swapped.
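You're right!!!
Doing so gives the same result as Perl:

```lua
local hmac = require "resty.hmac"
-- `clear` (the password) is the HMAC key; `salt` (the challenge) is the data
local hmac_md5 = hmac:new(clear, hmac.ALGOS.MD5)
ngx.say("got : ", hmac_md5:final(salt, true))
hmac_md5:reset()
```

I've tried everything about "where to put params", but nothing about the order.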
thanks!
FYI, I just implemented CRAM-MD5 alongside APOP support and it works great with Apple Mail and Outlook 👍
Just to give back... part of my Lua code:

```lua
-- works with major email clients (Apple Mail and Outlook)
-- get params from nginx...
local computedpass
if authmethod == 'plain' then
    computedpass = clear
elseif authmethod == 'apop' then
    -- APOP: MD5 over the banner timestamp followed by the password
    local str = require "resty.string"
    local resty_md5 = require "resty.md5"
    local md5 = resty_md5:new()
    md5:update(authsalt)
    md5:update(clear)
    computedpass = str.to_hex(md5:final())
elseif authmethod == 'cram-md5' then
    -- CRAM-MD5: HMAC-MD5 keyed with the password over the challenge
    local hmac = require "resty.hmac"
    local hmac_md5 = hmac:new(clear, hmac.ALGOS.MD5)
    computedpass = hmac_md5:final(authsalt, true)
else
    ngx.header["Auth-Status"] = string.format("Unsupported authentication method [%s/%s]", authmethod, user)
    return
end
-- compare computedpass to providedpass and take appropriate actions...
```
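As a cross-check of the argument order discussed in this thread, the following added example (not part of any comment here and not lua-resty-hmac code) recomputes the published RFC 2195 CRAM-MD5 and RFC 1939 APOP examples with Python's standard library and compares responses in constant time. The function names are illustrative, and it assumes the client response arrives as a hex digest.

```python
import hashlib
import hmac

# Published examples from RFC 2195 (CRAM-MD5) and RFC 1939 (APOP).
CRAM_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
CRAM_SECRET = b"tanstaaftanstaaf"
CRAM_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"
APOP_BANNER = b"<1896.697170952@dbc.mtview.ca.us>"
APOP_SECRET = b"tanstaaf"
APOP_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"


def cram_md5(secret: bytes, challenge: bytes) -> str:
    """HMAC-MD5 keyed with the shared secret over the server challenge."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def apop(secret: bytes, banner: bytes) -> str:
    """Plain MD5 over the banner timestamp followed by the shared secret."""
    return hashlib.md5(banner + secret).hexdigest()


def verify(authmethod: str, secret: bytes, salt: bytes, provided: str) -> bool:
    """Recompute the expected response and compare it in constant time."""
    if authmethod == "cram-md5":
        expected = cram_md5(secret, salt)
    elif authmethod == "apop":
        expected = apop(secret, salt)
    else:
        raise ValueError(f"unsupported authentication method: {authmethod}")
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), provided.lower().encode())


if __name__ == "__main__":
    # Key first, data second reproduces the RFC value; swapping them does not.
    print("correct order:", cram_md5(CRAM_SECRET, CRAM_CHALLENGE))
    print("swapped order:", cram_md5(CRAM_CHALLENGE, CRAM_SECRET))
    print("apop         :", apop(APOP_SECRET, APOP_BANNER))
```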
First, the documentation states that the default for new is "ALGOS.MD5"... in the code, line 123, there is a mistake... the default is "hashes.md5", should be "hashes.MD5"...
Pretty easy to fix.
Also, trying to use your module with NGINX to build a pop3 proxy... Trying to implement cram-md5 auth.
All Perl examples are able to compute the hash the same way Outlook and other mail clients are... but in Lua, I'm always getting a different result... don't know why...
Sample in Perl :
Perl output :
Lua script under OpenResty :
Lua output :
These scripts are using a "dummy salt", but I got the same bad result using the "real" salt and password captured from a mail client conversation... What's wrong?
Note that I can easily reproduce your test result when using SHA1... I guess that my environment is OK. Seems to be an MD5-only issue...
My environment