This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 653157a80c Print the hash of secret data (#11310)
653157a80c is described below
commit 653157a80c728a4782343024009fa8dd57f7a840
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Thu May 2 15:05:57 2024 -0600
Print the hash of secret data (#11310)
---
src/iocore/net/SSLSecret.cc | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/src/iocore/net/SSLSecret.cc b/src/iocore/net/SSLSecret.cc
index 0e455e0d89..951016cb86 100644
--- a/src/iocore/net/SSLSecret.cc
+++ b/src/iocore/net/SSLSecret.cc
@@ -26,6 +26,7 @@
#include "P_SSLConfig.h"
#include <utility>
+#include <openssl/evp.h>
namespace
{
@@ -35,6 +36,20 @@ DbgCtl dbg_ctl_ssl_secret_err{"ssl_secret_err"};
} // end anonymous namespace
+static void
+get_hash_str(const std::string &input, char hash_str[EVP_MAX_MD_SIZE * 2],
unsigned int *hash_len)
+{
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ EVP_Digest(input.c_str(), input.length(), hash, hash_len, EVP_md5(),
nullptr);
+ for (unsigned int i = 0; i < *hash_len; i++) {
+ hash_str[i * 2] = hash[i] >> 4;
+ hash_str[i * 2] += hash_str[i * 2] < 10 ? '0' : 'a' - 10;
+ hash_str[i * 2 + 1] = hash[i] & 0x0F;
+ hash_str[i * 2 + 1] += hash_str[i * 2 + 1] < 10 ? '0' : 'a' - 10;
+ }
+ *hash_len = *hash_len * 2;
+}
+
// NOTE: The secret_map_mutex should not be held by the caller of this
// function. The implementation of this function may call a plugin's
// TS_EVENT_SSL_SECRET handler which in turn may grab a lock for
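Review bot: The return value of `EVP_Digest` in `get_hash_str` is never checked, and `*hash_len` is only written on success, so when the digest call fails the hex loop runs over an uninitialized length and an uninitialized `hash[]`, which can write past `hash_str` (EVP_MAX_MD_SIZE * 2 bytes). That failure is realistic here because the digest is `EVP_md5()`, which is typically unavailable or disallowed under FIPS-restricted OpenSSL builds. Since this is only a fingerprint for debug output, SHA-256 is the safer choice (64 hex chars, still within the buffer), and the length should be zeroed before the call so a failed digest prints an empty string rather than garbage. Note also that an unsalted digest of a short or low-entropy secret (a passphrase file, say) can be brute-forced offline from the log, so the hash is not a substitute for keeping plaintext out of logs.
```cpp
static void
get_hash_str(const std::string &input, char hash_str[EVP_MAX_MD_SIZE * 2], unsigned int *hash_len)
{
  unsigned char hash[EVP_MAX_MD_SIZE];
  *hash_len = 0;
  // SHA-256 instead of MD5: MD5 may be unavailable under FIPS-restricted builds, and a
  // failed EVP_Digest leaves *hash_len untouched, so it must be zero before the call.
  if (EVP_Digest(input.data(), input.length(), hash, hash_len, EVP_sha256(), nullptr) != 1) {
    *hash_len = 0;
    return;
  }
  // … unchanged: hex-encoding loop and final *hash_len doubling …
}
```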
@@ -82,7 +97,13 @@ SSLSecret::loadFile(const std::string &name)
Dbg(dbg_ctl_ssl_secret, "Loading file: %s failed ", name.c_str());
return std::string{};
}
- Dbg(dbg_ctl_ssl_secret, "Secret data: %.50s", data.c_str());
+ if (is_debug_tag_set("ssl_secret")) {
+ char hash_str[EVP_MAX_MD_SIZE * 2];
+ unsigned int hash_len;
+ get_hash_str(data, hash_str, &hash_len);
+ Dbg(dbg_ctl_ssl_secret, "Secret hash: %.*s", hash_len, hash_str);
+ Dbg(dbg_ctl_ssl_secret, "Secret data: %.50s", data.c_str());
+ }
if (SSLConfigParams::load_ssl_file_cb) {
SSLConfigParams::load_ssl_file_cb(name.c_str());
}
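Review bot: The new block still logs the first 50 bytes of the secret in plaintext (`Dbg(dbg_ctl_ssl_secret, "Secret data: %.50s", data.c_str());`) right after the hash line, so the hash adds a fingerprint without removing the leak; for a non-PEM secret such as a passphrase or session-ticket key file, 50 bytes is likely the entire secret. If the digest is meant to identify the loaded file, I would drop the plaintext line here and keep only `Dbg(dbg_ctl_ssl_secret, "Secret hash: %.*s", hash_len, hash_str);`, or at least note in a comment that the plaintext line is intentionally retained. The `is_debug_tag_set("ssl_secret")` literal duplicates the tag that `dbg_ctl_ssl_secret` already names; if the DbgCtl object exposes an enabled check, using it would avoid the two drifting apart (I cannot see the DbgCtl API from here). `SSLSecret::loadFile` begins and ends outside this hunk.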
@@ -112,7 +133,12 @@ SSLSecret::getSecret(const std::string &name) const
return std::string{};
}
// The full secret data can be sensitive. Print only the first 50 bytes.
- Dbg(dbg_ctl_ssl_secret, "Get secret for %s: %.50s", name.c_str(),
iter->second.c_str());
+ if (is_debug_tag_set("ssl_secret")) {
+ char hash_str[EVP_MAX_MD_SIZE * 2];
+ unsigned int hash_len;
+ get_hash_str(iter->second, hash_str, &hash_len);
+ Dbg(dbg_ctl_ssl_secret, "Get secret for %s: hash=%.*s %.50s",
name.c_str(), hash_len, hash_str, iter->second.c_str());
+ }
return iter->second;
}
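Review bot: The comment above the new block, `// The full secret data can be sensitive. Print only the first 50 bytes.`, is now inaccurate: the Dbg line also prints a digest of the full value, and the 50-byte plaintext prefix it describes is still emitted, which for short secrets is the whole value. I would reword it to `// The full secret data can be sensitive; log a digest of it plus at most the first 50 bytes.` and, if the digest is sufficient to correlate lookups with loads, drop the `%.50s` argument so the plaintext no longer reaches the debug log. Computing the digest on every `getSecret` call when the tag is set is hedged by `is_debug_tag_set`, so the cost only applies in debug runs; a one-line comment saying so would help the next reader.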