This adds a converter for the SHA-2 family, supporting SHA-224, SHA-256,
SHA-384 and SHA-512.

The converter relies on the OpenSSL implementation, thus only being available
when HAProxy is compiled with USE_OPENSSL.

See GitHub issue #123. The hypothetical `ssl_?_sha256` fetch can then be
simulated using `ssl_?_der,sha2(256)`:

  http-response set-header Server-Cert-FP %[ssl_f_der,sha2(256),hex]
---
 doc/configuration.txt        | 12 ++++++-
 reg-tests/converter/sha2.vtc | 60 ++++++++++++++++++++++++++++++++
 src/sample.c                 | 67 ++++++++++++++++++++++++++++++++++++
 3 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 reg-tests/converter/sha2.vtc

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3e402fb92..2a09bab61 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14086,9 +14086,19 @@ set-var(<var name>)
   contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
 
 sha1
-  Converts a binary input sample to a SHA1 digest. The result is a binary
+  Converts a binary input sample to a SHA-1 digest. The result is a binary
   sample with length of 20 bytes.
 
+sha2([<bits>])
+  Converts a binary input sample to a digest in the SHA-2 family. The result
+  is a binary sample with length of <bits>/8 bytes.
+
+  Valid values for <bits> are 224, 256, 384, 512, each corresponding to
+  SHA-<bits>. The default value is 256.
+
+  Please note that this converter is only available when haproxy has been
+  compiled with USE_OPENSSL.
+
 strcmp(<var>)
   Compares the contents of <var> with the input value of type string. Returns
   the result as a signed integer compatible with strcmp(3): 0 if both strings
diff --git a/reg-tests/converter/sha2.vtc b/reg-tests/converter/sha2.vtc
new file mode 100644
index 000000000..0354b0a20
--- /dev/null
+++ b/reg-tests/converter/sha2.vtc
@@ -0,0 +1,60 @@
+varnishtest "sha2 converter Test"
+
+#REQUIRE_VERSION=2.1
+#REQUIRE_OPTION=OPENSSL
+
+feature ignore_unknown_macro
+
+server s1 {
+       rxreq
+       txresp
+} -repeat 3 -start
+
+haproxy h1 -conf {
+    defaults
+       mode http
+       timeout connect 1s
+       timeout client  1s
+       timeout server  1s
+
+    frontend fe
+       bind "fd@${fe}"
+
+       #### requests
+       http-request  set-var(txn.hash) req.hdr(hash)
+
+       http-response set-header SHA2   "%[var(txn.hash),sha2,hex,lower]"
+       http-response set-header SHA2-224   
"%[var(txn.hash),sha2(224),hex,lower]"
+       http-response set-header SHA2-256   
"%[var(txn.hash),sha2(256),hex,lower]"
+       http-response set-header SHA2-384   
"%[var(txn.hash),sha2(384),hex,lower]"
+       http-response set-header SHA2-512   
"%[var(txn.hash),sha2(512),hex,lower]"
+       http-response set-header SHA2-invalid   
"%[var(txn.hash),sha2(1),hex,lower]"
+
+       default_backend be
+
+    backend be
+       server s1 ${s1_addr}:${s1_port}
+} -start
+
+client c1 -connect ${h1_fe_sock} {
+       txreq -url "/" \
+         -hdr "Hash: 1"
+       rxresp
+       expect resp.status == 200
+       expect resp.http.sha2 == 
"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"
+       expect resp.http.sha2-224 == 
"e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178"
+       expect resp.http.sha2-256 == 
"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"
+       expect resp.http.sha2-384 == 
"47f05d367b0c32e438fb63e6cf4a5f35c2aa2f90dc7543f8a41a0f95ce8a40a313ab5cf36134a2068c4c969cb50db776"
+       expect resp.http.sha2-512 == 
"4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"
+       expect resp.http.sha2-invalid == ""
+       txreq -url "/" \
+         -hdr "Hash: 2"
+       rxresp
+       expect resp.status == 200
+       expect resp.http.sha2 == 
"d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"
+       expect resp.http.sha2-224 == 
"58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9"
+       expect resp.http.sha2-256 == 
"d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"
+       expect resp.http.sha2-384 == 
"d063457705d66d6f016e4cdd747db3af8d70ebfd36badd63de6c8ca4a9d8bfb5d874e7fbd750aa804dcaddae7eeef51e"
+       expect resp.http.sha2-512 == 
"40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114"
+       expect resp.http.sha2-invalid == ""
+} -run
diff --git a/src/sample.c b/src/sample.c
index 67f59e844..96102504b 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -1537,6 +1537,70 @@ static int sample_conv_sha1(const struct arg *arg_p, 
struct sample *smp, void *p
        return 1;
 }
 
+#ifdef USE_OPENSSL
+static int sample_conv_sha2(const struct arg *arg_p, struct sample *smp, void 
*private)
+{
+       struct buffer *trash = get_trash_chunk();
+       int bits = 256;
+       if (arg_p && arg_p->data.sint)
+               bits = arg_p->data.sint;
+
+       switch (bits) {
+       case 224: {
+               SHA256_CTX ctx;
+
+               memset(&ctx, 0, sizeof(ctx));
+
+               SHA224_Init(&ctx);
+               SHA224_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
+               SHA224_Final((unsigned char *) trash->area, &ctx);
+               trash->data = SHA224_DIGEST_LENGTH;
+               break;
+       }
+       case 256: {
+               SHA256_CTX ctx;
+
+               memset(&ctx, 0, sizeof(ctx));
+
+               SHA256_Init(&ctx);
+               SHA256_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
+               SHA256_Final((unsigned char *) trash->area, &ctx);
+               trash->data = SHA256_DIGEST_LENGTH;
+               break;
+       }
+       case 384: {
+               SHA512_CTX ctx;
+
+               memset(&ctx, 0, sizeof(ctx));
+
+               SHA384_Init(&ctx);
+               SHA384_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
+               SHA384_Final((unsigned char *) trash->area, &ctx);
+               trash->data = SHA384_DIGEST_LENGTH;
+               break;
+       }
+       case 512: {
+               SHA512_CTX ctx;
+
+               memset(&ctx, 0, sizeof(ctx));
+
+               SHA512_Init(&ctx);
+               SHA512_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
+               SHA512_Final((unsigned char *) trash->area, &ctx);
+               trash->data = SHA512_DIGEST_LENGTH;
+               break;
+       }
+       default:
+               return 0;
+       }
+
+       smp->data.u.str = *trash;
+       smp->data.type = SMP_T_BIN;
+       smp->flags &= ~SMP_F_CONST;
+       return 1;
+}
+#endif
+
 static int sample_conv_bin2hex(const struct arg *arg_p, struct sample *smp, 
void *private)
 {
        struct buffer *trash = get_trash_chunk();
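Review bot: An unsupported <bits> value is only caught at runtime — sample_conv_sha2 returns 0 from the `default:` branch, so a typo such as `sha2(258)` in a certificate-fingerprint rule loads without complaint and then silently yields an empty sample on every request (the reg-test even pins `sha2(1)` to an empty header). The keyword entry in the second hunk registers `NULL` as the argument check; a config-time validator in the style of `sample_conv_field_check`/`smp_check_strcmp` would refuse the bad value at startup, which is where an operator can act on it. Register it as `{ "sha2",   sample_conv_sha2,      ARG1(0, SINT), smp_check_sha2, SMP_T_BIN,  SMP_T_BIN  },` and drop the `sha2(1)` expectations from reg-tests/converter/sha2.vtc, since that config would no longer parse. Separately, the `memset(&ctx, 0, sizeof(ctx))` before each `SHA*_Init` is redundant, as Init fully initialises the context.
```c
/* … unchanged: sample_conv_sha2, inside the same #ifdef USE_OPENSSL block … */

/* Config-time check for the "sha2" converter: accepts no argument (default
 * 256) or one of the four supported digest sizes, so a bad value is refused
 * at startup instead of producing an empty sample at runtime.
 */
static int smp_check_sha2(struct arg *args, struct sample_conv *conv,
                          const char *file, int line, char **err)
{
	if (args[0].type == ARGT_STOP)
		return 1;
	if (args[0].type != ARGT_SINT) {
		memprintf(err, "expected an integer number of bits");
		return 0;
	}

	switch (args[0].data.sint) {
	case 224:
	case 256:
	case 384:
	case 512:
		return 1;
	default:
		memprintf(err, "unsupported number of bits: '%lld'", args[0].data.sint);
		return 0;
	}
}
```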
@@ -3203,6 +3267,9 @@ static struct sample_conv_kw_list sample_conv_kws = {ILH, 
{
        { "word",   sample_conv_word,      ARG3(2,SINT,STR,SINT), 
sample_conv_field_check, SMP_T_STR,  SMP_T_STR },
        { "regsub", sample_conv_regsub,    ARG3(2,REG,STR,STR), 
sample_conv_regsub_check, SMP_T_STR, SMP_T_STR },
        { "sha1",   sample_conv_sha1,      0,            NULL, SMP_T_BIN,  
SMP_T_BIN  },
+#ifdef USE_OPENSSL
+       { "sha2",   sample_conv_sha2,      ARG1(0, SINT),            NULL, 
SMP_T_BIN,  SMP_T_BIN  },
+#endif
        { "concat", sample_conv_concat,    ARG3(1,STR,STR,STR), 
smp_check_concat, SMP_T_STR,  SMP_T_STR },
        { "strcmp", sample_conv_strcmp,    ARG1(1,STR), smp_check_strcmp, 
SMP_T_STR,  SMP_T_SINT },
 
-- 
2.21.0

