Hashed Modules Loader

lua-users home

Here is an example of a module loader that verifies the hash of the module before loading it. It's based on LuaCrypto [1]. It's not really secure, it has been created just as an illustration to show how to add new module loaders. (JeromeVuarand)

module(..., package.seeall)

local crypto = require 'crypto'

local dtypes = {"md5", "md4", "md2", "sha1", "sha", "sha256", "sha512"}

local function load(modulename)
  -- Find source
  local filename
  local file,hashfile,hashtype
  local errmsg = ""
  for path in string.gmatch(package.path..";", "([^;]*);") do
    filename = string.gsub(path, "%?", (string.gsub(modulename, "%.", "\\")))
    file = io.open(filename, "rb")
    -- If we found a module check if it has a hash file
    if file then
      for _,dtype in ipairs(dtypes) do
        hashfile = io.open(filename.."."..dtype, "rb")
        if hashfile then
          hashtype = dtype
    if hashfile then
    errmsg = errmsg.."\n\tno file '"..filename.."' (signed)"
  if not file then
    return errmsg
  -- Read source file
  local source = file:read("*a")
  -- Read saved hash
  local hash = hashfile:read("*a"):gsub("[^%x]", "")
  -- Check that the saved hash match the file hash
  assert(crypto.evp.digest(hashtype, source)==hash,
    "module "..modulename.." (from file '"..filename.."')"
    .." does not match its "..hashtype.." hash")
  -- Compile and return the module
  return assert(loadstring(source, filename))

-- Install the loader so that it's called just before the normal Lua loader
table.insert(package.loaders, 2, load)

You can find that code with sample modules and a test script in [hashedmodules-200705100234.zip].

RecentChanges · preferences
edit · history
Last edited February 27, 2008 4:36 pm GMT (diff)