Implement plulggable hmacs

Author: bungle

README.md

@@ -191,6 +191,21 @@ Strategy can be selected with configuration (if no configuration is present, the
 set $session_strategy regenerate;
 ```
 
+To implement a custom strategy, please checkout the existing ones.
+
+## Pluggable HMAC Algorithms
+
+If your strategy happens to be using `HMAC`, like the `default` and `regenerate` ones do,
+you can tell them what `HMAC` algorithm to use. At the moment only `HMAC SHA1` is available
+as that comes with OpenResty and works without additional dependencies. You may implement
+your own custom HMAC algorithms (preferrably binding to some existing crypto library,
+such as OpenSSL), and the strategies will pick up from there.
+
+HMAC can be selected with configuration (if no configuration is present, the `sha1` strategy is picked up):
+
+```nginx
+set $session_hmac sha1;
+```
 
 ## Pluggable Storage Adapters
 
@@ -953,6 +968,7 @@ set $session_name              session;
 set $session_secret            623q4hR325t36VsCD3g567922IC0073T;
 set $session_strategy          default;
 set $session_storage           cookie;
+set $session_hmac              sha1;
 set $session_cipher            aes;
 set $session_encoder           base64;
 set $session_serializer        json;

lib/resty/session.lua

@@ -178,6 +178,7 @@ local function init()
         serializer = var.session_serializer or "json",
         encoder    = var.session_encoder    or "base64",
         cipher     = var.session_cipher     or "aes",
+        hmac       = var.session_hmac       or "sha1",
         cookie = {
             persistent = enabled(var.session_cookie_persistent or false),
             discard    = tonumber(var.session_cookie_discard)  or 10,
@@ -222,12 +223,14 @@ function session.new(opts)
     local k, l = prequire("resty.session.ciphers.",     y.cipher     or z.cipher,     "aes")
     local m, n = prequire("resty.session.storage.",     y.storage    or z.storage,    "cookie")
     local o, p = prequire("resty.session.strategies.",  y.strategy   or z.strategy,   "default")
+    local q, r = prequire("resty.session.hmac.",        y.hmac       or z.hmac,       "sha1")
     local self = {
         name       = y.name   or z.name,
         identifier = e,
         serializer = g,
         strategy   = o,
         encoder    = i,
+        hmac       = q,
         data       = y.data   or {},
         secret     = y.secret or z.secret,
         cookie = {
@@ -254,6 +257,7 @@ function session.new(opts)
     if y[l] and not self[l] then self[l] = y[l] end
     if y[n] and not self[n] then self[n] = y[n] end
     if y[p] and not self[p] then self[p] = y[p] end
+    if y[r] and not self[r] then self[r] = y[r] end
     self.cipher  = k.new(self)
     self.storage = m.new(self)
     return setmetatable(self, session)

lib/resty/session/hmac/sha1.lua

@@ -0,0 +1 @@
+return ngx.hmac_sha1

lib/resty/session/strategies/default.lua

@@ -1,4 +1,3 @@
-local hmac   = ngx.hmac_sha1
 local type   = type
 local time   = ngx.time
 local concat = table.concat
@@ -7,18 +6,18 @@ local default = {}
 
 function default:save(close)
   local i, e, s = self.id, self.expires, self.storage
-  local k = hmac(self.secret, i .. e)
+  local k = self.hmac(self.secret, i .. e)
   local d = self.serializer.serialize(self.data)
-  local h = hmac(k, concat{ i, e, d, self.key })
+  local h = self.hmac(k, concat{ i, e, d, self.key })
   return s:save(i, e, self.cipher:encrypt(d, k, i, self.key), h, close)
 end
 
 function default:open(cookie)
   local i, e, d, h = self.storage:open(cookie, self.cookie.lifetime)
   if i and e and e > time() and d and h then
-    local k = hmac(self.secret, i .. e)
+    local k = self.hmac(self.secret, i .. e)
     d = self.cipher:decrypt(d, k, i, self.key)
-    if d and hmac(k, concat{ i, e, d, self.key }) == h then
+    if d and self.hmac(k, concat{ i, e, d, self.key }) == h then
       d = self.serializer.deserialize(d)
       self.id = i
       self.expires = e

lib/resty/session/strategies/regenerate.lua

@@ -1,4 +1,3 @@
-local hmac   = ngx.hmac_sha1
 local type   = type
 local time   = ngx.time
 local concat = table.concat
@@ -14,18 +13,18 @@ function regenerate:save(close)
   i = self:identifier()
   self.id = i
 
-  local k = hmac(self.secret, i)
+  local k = self.hmac(self.secret, i)
   local d = self.serializer.serialize(self.data)
-  local h = hmac(k, concat{ i, d, self.key })
+  local h = self.hmac(k, concat{ i, d, self.key })
   return s:save(i, e, self.cipher:encrypt(d, k, i, self.key), h, close)
 end
 
 function regenerate:open(cookie)
   local i, e, d, h = self.storage:open(cookie, self.cookie.lifetime)
   if i and e and e > time() and d and h then
-    local k = hmac(self.secret, i)
+    local k = self.hmac(self.secret, i)
     d = self.cipher:decrypt(d, k, i, self.key)
-    if d and hmac(k, concat{ i, d, self.key }) == h then
+    if d and self.hmac(k, concat{ i, d, self.key }) == h then
       d = self.serializer.deserialize(d)
       self.id = i
       self.expires = e

lua-resty-session-dev-1.rockspec

@@ -25,6 +25,7 @@ build = {
         ["resty.session.storage.memcached"]     = "lib/resty/session/storage/memcached.lua",
         ["resty.session.strategies.default"]    = "lib/resty/session/strategies/default.lua",
         ["resty.session.strategies.regenerate"] = "lib/resty/session/strategies/regenerate.lua",
+        ["resty.session.hmac.sha1"]             = "lib/resty/session/hmac/sha1.lua",
         ["resty.session.ciphers.aes"]           = "lib/resty/session/ciphers/aes.lua",
         ["resty.session.ciphers.none"]          = "lib/resty/session/ciphers/none.lua",
         ["resty.session.encoders.hex"]          = "lib/resty/session/encoders/hex.lua",