lua-resty-string icon indicating copy to clipboard operation
lua-resty-string copied to clipboard

Published 20 hours ago verified publisher icon openresty

use origin input key by default

Open haorenfsa opened this issue 8 years ago • 14 comments

this patch is mean to fix issues like #28, #19 and it's now compatite with openssl shell command and php note it's not related to pull request #35 : it's only about the key, not data.

things might concern :

  1. to compatite with former aes.lua version, one has to explicit write what hash method he/she need when using new() function, which is by default _M.hash.md5;

eg:

aes = require "resty.aes" aes:new("key", "salt", some_cipher, hash.md5, ....)

  1. readme might need to update

haorenfsa avatar Aug 19 '17 04:08 haorenfsa

eh, I'll take a look at test problems later

haorenfsa avatar Aug 19 '17 04:08 haorenfsa

@haorenfsa This would break backward compatibility, right? Better avoid breaking it even though the current impl is wrong.

agentzh avatar Aug 21 '17 20:08 agentzh

@chase Will you please review this PR? @haorenfsa found that you mistakenly use the MD5 digest of the user key instead of the user key itself in the resty.aes module.

agentzh avatar Aug 21 '17 20:08 agentzh

@agentzh okey, I'll check it later

haorenfsa avatar Aug 22 '17 03:08 haorenfsa

the CI test seems passed, but still showing pending

haorenfsa avatar Aug 24 '17 08:08 haorenfsa

@haorenfsa Yeah, seems like a github or travis bug.

agentzh avatar Aug 25 '17 02:08 agentzh

LGTM, and I apply the patch for my aes.lua

hy05190134 avatar Sep 07 '17 06:09 hy05190134

which version will include this change?

wenxzhen avatar Nov 28 '17 01:11 wenxzhen

If I recall correctly, the use of MD5 was for compatibility of some library or language which I cannot place exactly.

Security-wise, what I committed is quite a big mistake, even if it was for the sake of compatibility. If this matches the valid behavior of the most commonly integrated tools/languages, it should be merged.

That said, I do not have time to help maintain the code I contributed or do code reviews, unfortunately.

chase avatar Nov 28 '17 03:11 chase

almost forgot about this patch... I'll commit a update for tutorial in this patch later this week, and is there anything else need to be altered? @agentzh

@wenxzhen my team has been using this patch in production environment for several months, and it is doing well.

haorenfsa avatar Nov 28 '17 11:11 haorenfsa

Thanks to @shaoyue

On Tue, Nov 28, 2017 at 7:47 PM, shaoyue [email protected] wrote:

almost forgot about this patch... I'll commit a update for tutorial in this patch later this week, and is there anything else need to be altered? @agentzh https://github.com/agentzh

@wenxzhen https://github.com/wenxzhen my team has been using this patch in production environment for several months, and it is doing well.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/openresty/lua-resty-string/pull/46#issuecomment-347499286, or mute the thread https://github.com/notifications/unsubscribe-auth/AB-dn5LTegy1i5-tjMLk0HPozp8rCw0Aks5s6_LhgaJpZM4O8OP4 .

wenxzhen avatar Nov 28 '17 12:11 wenxzhen

@agentzh plz review again when you can spare some time? thanks for the attention

haorenfsa avatar Dec 07 '17 15:12 haorenfsa

@haorenfsa I'll look into this as soon as I can manage. Sorry for the delay on my side.

agentzh avatar Dec 07 '17 18:12 agentzh

same problem. I'm trying to decrypt data encrypted by crypto-js(AES-256, ECB) and worked around it with the following code local cipher = aes:new(key_encryption_key, nil, aes.cipher(256, 'ecb'), {method = function(key)return key end, iv = string.rep(string.char(0), 16)}) it will always call _hash.method (default MD5) on the key, thus a dummy method function may worked well. (although IV is not used in ECB mode but a dummy one should be provided, too)

fancy-rabbit avatar Mar 25 '20 04:03 fancy-rabbit