Make the digest and HMAC functions of OpenSSL accessible to the user via
converters. They can be used to sign and validate content.
---
 Makefile                            |  2 +-
 doc/configuration.txt               |  9 ++++
 reg-tests/sample_fetches/hashes.vtc | 22 ++++++++
 src/crypto.c                        | 84 +++++++++++++++++++++++++++++
 4 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 1e4213989..2dea46368 100644
--- a/Makefile
+++ b/Makefile
@@ -542,7 +542,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl 
-lcrypto
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
-OPTIONS_OBJS  += src/ssl_sock.o
+OPTIONS_OBJS  += src/crypto.o src/ssl_sock.o
 endif
 
 # The private cache option affect the way the shctx is built
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c..17b2debe5 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13918,6 +13918,10 @@ debug([<prefix][,<destination>])
   Example:
     tcp-request connection track-sc0 src,debug(track-sc)
 
+digest(<algorithm>)
+  Converts a binary input sample to a message digest. The result is a binary
+  sample. The algorithm must be an OpenSSL message digest name (e.g sha256).
+
 div(<value>)
   Divides the input value of type signed integer by <value>, and returns the
   result as an signed integer. If <value> is null, the largest unsigned
@@ -13972,6 +13976,11 @@ hex2i
   Converts a hex string containing two hex digits per input byte to an
   integer. If the input value cannot be converted, then zero is returned.
 
+hmac(<algorithm>, <key>)
+  Converts a binary input sample to a message authentication code with the 
given
+  key. The result is  a binary sample. The algorithm must be one of the
+  registered OpenSSL message digest names (e.g sha256).
+
 http_date([<offset],[<unit>])
   Converts an integer supposed to contain a date since epoch to a string
   representing this date in a format suitable for use in HTTP header fields. If
diff --git a/reg-tests/sample_fetches/hashes.vtc 
b/reg-tests/sample_fetches/hashes.vtc
index 874f81e41..ca641f86c 100644
--- a/reg-tests/sample_fetches/hashes.vtc
+++ b/reg-tests/sample_fetches/hashes.vtc
@@ -38,6 +38,19 @@ haproxy h1 -conf {
         #http-response set-header x-sha2-384 "%[var(res.key),sha2(384),hex]"
         #http-response set-header x-sha2-512 "%[var(res.key),sha2(512),hex]"
 
+        # OpenSSL Digest
+        #http-response set-header x-digest-sha1 
"%[var(res.key),digest(sha1),hex]"
+        #http-response set-header x-digest-sha224 
"%[var(res.key),digest(sha224),hex]"
+        #http-response set-header x-digest-sha256 
"%[var(res.key),digest(sha256),hex]"
+        #http-response set-header x-digest-sha384 
"%[var(res.key),digest(sha384),hex]"
+        #http-response set-header x-digest-sha512 
"%[var(res.key),digest(sha512),hex]"
+
+        # OpenSSL HMAC
+        #http-response set-header x-hmac-sha1-short 
"%[var(res.key),hmac(sha1,key),hex]"
+        #http-response set-header x-hmac-sha1-long 
"%[var(res.key),hmac(sha1,my_super_secret_long_key),hex]"
+        #http-response set-header x-hmac-sha256-short 
"%[var(res.key),hmac(sha256,key),hex]"
+        #http-response set-header x-hmac-sha256-long 
"%[var(res.key),hmac(sha256,my_super_secret_long_key),hex]"
+
         # 32-bit hashes, and their avalanche variants
         http-response set-header x-crc32   "%[var(res.key),crc32]"
         http-response set-header x-crc32-1 "%[var(res.key),crc32(1)]"
@@ -80,6 +93,15 @@ client c1 -connect ${h1_fe_sock} {
     #expect resp.http.x-sha2-256 == 
"40AFF2E9D2D8922E47AFD4648E6967497158785FBD1DA870E7110266BF944880"
     #expect resp.http.x-sha2-384 == 
"FFDAEBFF65ED05CF400F0221C4CCFB4B2104FB6A51F87E40BE6C4309386BFDEC2892E9179B34632331A59592737DB5C5"
     #expect resp.http.x-sha2-512 == 
"1E7B80BC8EDC552C8FEEB2780E111477E5BC70465FAC1A77B29B35980C3F0CE4A036A6C9462036824BD56801E62AF7E9FEBA5C22ED8A5AF877BF7DE117DCAC6D"
+    #expect resp.http.x-digest-sha1 == resp.http.x-digest-sha1
+    #expect resp.http.x-digest-sha224 == resp.http.x-sha2-224
+    #expect resp.http.x-digest-sha256 == resp.http.x-sha2-256
+    #expect resp.http.x-digest-sha384 == resp.http.x-sha2-384
+    #expect resp.http.x-digest-sha512 == resp.http.x-sha2-512
+    #expect resp.http.x-hmac-sha1-short == 
"98C6C3B2F2701E0C7B0AC31C09C44EFF006C802C"
+    #expect resp.http.x-hmac-sha1-long == 
"0E153DC06F81DEC1352EA9394B12754C718E2600"
+    #expect resp.http.x-hmac-sha256-short == 
"6AD0A89813F79E827359742225B46DC811D35E920192CFDF60F4955F14A93680"
+    #expect resp.http.x-hmac-sha256-long == 
"C8E39024773AB08D937265FFAF22231F851CF00C96C6EE98DF9E0B66FFE7C089"
     expect resp.http.x-crc32 == "688229491"
     expect resp.http.x-crc32-1 == "4230317029"
     expect resp.http.x-crc32c == "2621708363"
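Review bot: `#expect resp.http.x-digest-sha1 == resp.http.x-digest-sha1` compares the header with itself and passes for any value, so even once uncommented it verifies nothing. Unlike the sha224–sha512 lines, which compare against the existing `x-sha2-*` headers, there is no sha1 counterpart to reuse, so the line needs a literal expected value as the hmac lines below it have, e.g. `#expect resp.http.x-digest-sha1 == "<hex sha1 of res.key, placeholder>"` filled in from a known-good run.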
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 000000000..b4f2bfe32
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,84 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2018 Patrick Gansterer <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <common/chunk.h>
+
+#include <proto/arg.h>
+#include <proto/sample.h>
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+static int sample_conv_crypto_digest(const struct arg *args, struct sample 
*smp, void *private)
+{
+       struct buffer *trash = get_trash_chunk();
+       EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+       const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.area);
+       unsigned char *md = (unsigned char*) trash->area;
+       unsigned int md_len = trash->size;
+
+       if (!ctx)
+               return 0;
+       if (!evp)
+               return 0;
+
+       if (!EVP_DigestInit(ctx, evp) ||
+           !EVP_DigestUpdate(ctx, smp->data.u.str.area, smp->data.u.str.data) 
||
+           !EVP_DigestFinal(ctx, md, &md_len)) {
+               EVP_MD_CTX_free(ctx);
+               return 0;
+       }
+
+       EVP_MD_CTX_free(ctx);
+
+       trash->data = md_len;
+       smp->data.u.str = *trash;
+       smp->data.type = SMP_T_BIN;
+       smp->flags &= ~SMP_F_CONST;
+       return 1;
+}
+
+static int sample_conv_crypto_hmac(const struct arg *args, struct sample *smp, 
void *private)
+{
+       struct buffer *trash = get_trash_chunk();
+       const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.area);
+       const char* key = args[1].data.str.area;
+       int key_len = args[1].data.str.data;
+       unsigned char *md = (unsigned char*) trash->area;
+       unsigned int md_len = trash->size;
+
+       trash->data = 0;
+
+       if (!evp)
+               return 0;
+
+       if (!HMAC(evp, key, key_len, (const unsigned char*) 
smp->data.u.str.area, smp->data.u.str.data, md, &md_len))
+               return 0;
+
+       trash->data = md_len;
+       smp->data.u.str = *trash;
+       smp->data.type = SMP_T_BIN;
+       smp->flags &= ~SMP_F_CONST;
+       return 1;
+}
+
+static struct sample_conv_kw_list sample_conv_kws = {ILH, {
+       { "digest", sample_conv_crypto_digest, ARG1(1,STR),     NULL, 
SMP_T_BIN, SMP_T_BIN },
+       { "hmac",   sample_conv_crypto_hmac,   ARG2(2,STR,STR), NULL, 
SMP_T_BIN, SMP_T_BIN },
+       { /* END */ },
+}};
+
+__attribute__((constructor))
+static void __crypto_init(void)
+{
+       sample_register_convs(&sample_conv_kws);
+}
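Review bot: In sample_conv_crypto_digest the `if (!evp) return 0;` branch leaks the context allocated by `EVP_MD_CTX_new()` two lines earlier, and because the digest name is resolved on every sample evaluation, a misspelled algorithm leaks one context per call. The simplest fix is to resolve the digest before allocating, i.e. move the `EVP_get_digestbyname()` lookup and its check above `EVP_MD_CTX_new()`, or change the branch to `if (!evp) { EVP_MD_CTX_free(ctx); return 0; }`. Separately, an unknown algorithm name is only discovered at runtime as a silent conversion failure in both converters; the `NULL` val_args slot of the two `sample_conv_kws` entries could hold a check that calls `EVP_get_digestbyname()` once at config parse time and reports the bad name, which would also remove the per-call lookup. Note that `md_len` is an output-only parameter for both `EVP_DigestFinal()` and `HMAC()`, so initialising it to `trash->size` does not bound the write; that is fine as long as the trash chunk is at least EVP_MAX_MD_SIZE, which is presumably the case but worth a comment.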
-- 
2.26.1




