Hashed Modules Loader

wiki

Here is an example of a module loader that verifies the hash of the module before loading it. It's based on LuaCrypto [1]. It's not really secure, it has been created just as an illustration to show how to add new module loaders. (JeromeVuarand)

module(..., package.seeall)



local crypto = require 'crypto'



local dtypes = {"md5", "md4", "md2", "sha1", "sha", "sha256", "sha512"}



local function load(modulename)

  -- Find source

  local filename

  local file,hashfile,hashtype

  local errmsg = ""

  for path in string.gmatch(package.path..";", "([^;]*);") do

    filename = string.gsub(path, "%?", (string.gsub(modulename, "%.", "\\")))

    file = io.open(filename, "rb")

    -- If we found a module check if it has a hash file

    if file then

      for _,dtype in ipairs(dtypes) do

        hashfile = io.open(filename.."."..dtype, "rb")

        if hashfile then

          hashtype = dtype

          break

        end

      end

    end

    if hashfile then

      break

    end

    errmsg = errmsg.."\n\tno file '"..filename.."' (signed)"

  end

  if not file then

    return errmsg

  end

  -- Read source file

  local source = file:read("*a")

  -- Read saved hash

  local hash = hashfile:read("*a"):gsub("[^%x]", "")

  -- Check that the saved hash match the file hash

  assert(crypto.evp.digest(hashtype, source)==hash,

    "module "..modulename.." (from file '"..filename.."')"

    .." does not match its "..hashtype.." hash")

  -- Compile and return the module

  return assert(loadstring(source, filename))

end



-- Install the loader so that it's called just before the normal Lua loader

table.insert(package.loaders, 2, load)

You can find that code with sample modules and a test script in [hashedmodules-200705100234.zip].

RecentChanges · preferences
edit · history
Last edited February 27, 2008 4:36 pm GMT (diff)