Skip to content

Releases: nginx-modules/ngx_http_hmac_secure_link_module

ngx_http_hmac_secure_link_module v2.0.0

Choose a tag to compare

@denji denji released this 02 Apr 06:42

RFC 7231 timestamps, OpenSSL 3.x, 14 bug fixes, full test suite

Add RFC 7231/IMF-fixdate and ISO 8601 'Z' suffix timestamp parsing, port HMAC computation to the OpenSSL 3.0 EVP_MAC API, fix 14 correctness and safety bugs found during code review, and add a full Perl test suite with CI.

Timestamp Parsing

  • ISO 8601 Support: Added UTC 'Z' suffix support ("YYYY-MM-DDThh:mm:ssZ"). Previously, these strings fell through to the Unix branch and were silently misread.
  • RFC 7231 / IMF-fixdate: Added support for "Day, DD Mon YYYY hh:mm:ss GMT", including case-insensitive month-name lookup (per RFC 7231 §7.1.1.1).
  • Comma Parsing Fix: Resolved an internal-comma bug where the comma in "Sun, 06 Nov …" was mistaken for a field separator. It is now correctly skipped during boundary detection.
  • Validation Logic:
    • Extracted ngx_http_secure_link_gauss() to perform calendar-field range checks (Year ≥ 1970, Month 1–12, Day 1–31, etc.).
    • Centralized logic in ngx_http_secure_link_parse_ts(), which returns (time_t)-1 on any failure.

Security & Correctness

  • Y2038 Overflow Fix: Changed 365 * year (int calculation) to (time_t)year * 365. This promotes arithmetic to the wider type, preventing overflows on large dates.
  • Strict Unix Validation: Replaced sscanf "%llu" with a digit-only byte scan followed by ngx_atotm(). This prevents fragments like "2025" from being accepted as valid timestamps.
  • Type Mismatch Fix: Resolved a size_t vs unsigned int mismatch. Passing (u_int*)&hmac.len to HMAC() caused memory corruption on LP64 and Big-Endian systems. Now uses a local unsigned int hmac_len.
  • Variable Handling: Fixed $secure_link_hmac_expires incorrectly returning token bytes by ensuring ctx->expires points to the actual expiry-period substring.
  • OpenSSL Error Handling: Added checks for EVP_MD_size(). OpenSSL 3.0 returns -1 on error; previously, an unchecked cast produced a huge length passed to CRYPTO_memcmp.
  • Sign Logic: Refactored GMT-offset sign detection using if/else if/else to ensure unexpected characters cannot bypass the offset application.

OpenSSL Compatibility

  • API Migration: Wrapped HMAC computation in ngx_http_secure_link_hmac_compute().
    • Uses EVP_MAC on OpenSSL >= 3.0 to avoid deprecation warnings.
    • Falls back to HMAC() on OpenSSL 1.x.
  • Macro Wrappers: NGX_HMAC_MD_SIZE now abstracts EVP_MD_size (1.x) and EVP_MD_get_size (3.x).
  • Guard Rails: Added key.len overflow guards before narrowing size_t to int.

Code Quality

  • Portable sscanf: Removed incorrect (ngx_tm_t*) casts; used plain int* for %d compatibility across platforms.
  • Format String Fix: Changed %02d to %2d in sscanf. The 0 flag is a printf feature and is ignored by scanf.
  • Debug Logging: Fixed timestamp width in logs; it now uses the actual substring length (int)(ts_end - ts_start) instead of a hardcoded 25 bytes.
  • Static Analysis: Resolved all cppcheck --enable=all warnings by narrowing variable scopes and marking const pointers.

Documentation & Examples

  • Changelog: Replaced the verbose "BUGS FIXED" block with a concise summary; full rationale lives in CHANGELOG.md.
  • Separator Rules:
    • secure_link_hmac: Separator is always a comma (hardcoded).
    • secure_link_hmac_message: Separator is operator-defined (pipe, colon, slash, none, …).
  • Variable Docs: Detailed documentation for $secure_link_hmac, $secure_link_hmac_expires, and $secure_link_hmac_token regarding evaluation ordering.
  • Client Implementation Examples:
    • PHP: gmdate()
    • Node.js: toUTCString()
    • Python: isoformat() with 'Z' suffix.

ngx_http_hmac_secure_link_module v0.3

Choose a tag to compare

@denji denji released this 06 Mar 20:26
  • Added support for Unix Timestamp (#9)
  • Fixed format specifiers iso8601

ngx_http_hmac_secure_link_module v0.2

Choose a tag to compare

@denji denji released this 24 Feb 06:55
  • Compatibility with ngx_http_secure_link_module
  • Bugfix compilation on the latest gcc

ngx_http_hmac_secure_link_module v0.1

Choose a tag to compare

@denji denji released this 17 Nov 15:05
ac9bd5a
Update ngx_http_hmac_secure_link_module.c