Here is an example of a module loader that verifies the hash of the module before loading it. It's based on LuaCrypto [1]. It's not really secure, it has been created just as an illustration to show how to add new module loaders. (JeromeVuarand)

module(..., package.seeall)
local crypto = require 'crypto'
local dtypes = {"md5", "md4", "md2", "sha1", "sha", "sha256", "sha512"}
local function load(modulename)
 -- Find source
 local filename
 local file,hashfile,hashtype
 local errmsg = ""
 for path in string.gmatch(package.path..";", "([^;]*);") do
 filename = string.gsub(path, "%?", (string.gsub(modulename, "%.", "\\")))
 file = io.open(filename, "rb")
 -- If we found a module check if it has a hash file
 if file then
 for _,dtype in ipairs(dtypes) do
 hashfile = io.open(filename.."."..dtype, "rb")
 if hashfile then
 hashtype = dtype
 break
 end
 end
 end
 if hashfile then
 break
 end
 errmsg = errmsg.."\n\tno file '"..filename.."' (signed)"
 end
 if not file then
 return errmsg
 end
 -- Read source file
 local source = file:read("*a")
 -- Read saved hash
 local hash = hashfile:read("*a"):gsub("[^%x]", "")
 -- Check that the saved hash match the file hash
 assert(crypto.evp.digest(hashtype, source)==hash,
 "module "..modulename.." (from file '"..filename.."')"
 .." does not match its "..hashtype.." hash")
 -- Compile and return the module
 return assert(loadstring(source, filename))
end
-- Install the loader so that it's called just before the normal Lua loader
table.insert(package.loaders, 2, load)

You can find that code with sample modules and a test script in [hashedmodules-200705100234.zip].

---

RecentChanges · preferences
edit · history
Last edited February 27, 2008 11:36 am GMT (diff)