Welcome! Log In Create A New Profile

Advanced

[PATCH] MINOR: crypto: Add digest and hmac converters

Posted by Patrick Gansterer 
Patrick Gansterer
[PATCH] MINOR: crypto: Add digest and hmac converters
June 17, 2018 11:30AM
Make the digest and HMAC function of OpenSSL accesable to the user via
converters. e.g. They can be used to sign and validate cookies.
---
Makefile | 2 +-
src/crypto.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 1 deletion(-)
create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 5d170041..9a3a5024 100644
--- a/Makefile
+++ b/Makefile
@@ -609,7 +609,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
ifneq ($(USE_DL),)
OPTIONS_LDFLAGS += -ldl
endif
-OPTIONS_OBJS += src/ssl_sock.o
+OPTIONS_OBJS += src/crypto.o src/ssl_sock.o
endif

# The private cache option affect the way the shctx is built
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 00000000..dcb343dc
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,84 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2018 Patrick Gansterer <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <common/chunk.h>
+
+#include <proto/arg.h>
+#include <proto/sample.h>
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+static int sample_conv_crypto_digest(const struct arg *args, struct sample *smp, void *private)
+{
+ struct chunk *trash = get_trash_chunk();
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
+ unsigned char *md = (unsigned char*) trash->str;
+ unsigned int md_len = trash->size;
+
+ if (!ctx)
+ return 0;
+ if (!evp)
+ return 0;
+
+ if (!EVP_DigestInit(ctx, evp) ||
+ !EVP_DigestUpdate(ctx, smp->data.u.str.str, smp->data.u.str.len) ||
+ !EVP_DigestFinal(ctx, md, &md_len)) {
+ EVP_MD_CTX_free(ctx);
+ return 0;
+ }
+
+ EVP_MD_CTX_free(ctx);
+
+ trash->len = md_len;
+ smp->data.u.str = *trash;
+ smp->data.type = SMP_T_BIN;
+ smp->flags &= ~SMP_F_CONST;
+ return 1;
+}
+
+static int sample_conv_crypto_hmac(const struct arg *args, struct sample *smp, void *private)
+{
+ struct chunk *trash = get_trash_chunk();
+ const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
+ const char* key = args[1].data.str.str;
+ int key_len = args[1].data.str.len;
+ unsigned char *md = (unsigned char*) trash->str;
+ unsigned int md_len = trash->size;
+
+ trash->len = 0;
+
+ if (!evp)
+ return 0;
+
+ if (!HMAC(evp, key, key_len, (const unsigned char*) smp->data.u.str.str, smp->data.u.str.len, md, &md_len))
+ return 0;
+
+ trash->len = md_len;
+ smp->data.u.str = *trash;
+ smp->data.type = SMP_T_BIN;
+ smp->flags &= ~SMP_F_CONST;
+ return 1;
+}
+
+static struct sample_conv_kw_list sample_conv_kws = {ILH, {
+ { "digest", sample_conv_crypto_digest, ARG1(1,STR), NULL, SMP_T_BIN, SMP_T_BIN },
+ { "hmac", sample_conv_crypto_hmac, ARG2(2,STR,STR), NULL, SMP_T_BIN, SMP_T_BIN },
+ { /* END */ },
+}};
+
+__attribute__((constructor))
+static void __crypto_init(void)
+{
+ sample_register_convs(&sample_conv_kws);
+}
--
2.17.1
On Sun, Jun 17, 2018 at 11:21 AM, Patrick Gansterer <[email protected]>
wrote:

> Make the digest and HMAC function of OpenSSL accesable to the user via
> converters. e.g. They can be used to sign and validate cookies.
> ---
> Makefile | 2 +-
> src/crypto.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 85 insertions(+), 1 deletion(-)
> create mode 100644 src/crypto.c
>
> diff --git a/Makefile b/Makefile
> index 5d170041..9a3a5024 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -609,7 +609,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl
> -lcrypto
> ifneq ($(USE_DL),)
> OPTIONS_LDFLAGS += -ldl
> endif
> -OPTIONS_OBJS += src/ssl_sock.o
> +OPTIONS_OBJS += src/crypto.o src/ssl_sock.o
> endif
>
> # The private cache option affect the way the shctx is built
> diff --git a/src/crypto.c b/src/crypto.c
> new file mode 100644
> index 00000000..dcb343dc
> --- /dev/null
> +++ b/src/crypto.c
> @@ -0,0 +1,84 @@
> +/*
> + * Crypto converters
> + *
> + * Copyright 2018 Patrick Gansterer <[email protected]>
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License
> + * as published by the Free Software Foundation; either version
> + * 2 of the License, or (at your option) any later version.
> + *
> + */
> +
> +#include <common/chunk.h>
> +
> +#include <proto/arg.h>
> +#include <proto/sample.h>
> +
> +#include <openssl/evp.h>
> +#include <openssl/hmac.h>
> +
> +static int sample_conv_crypto_digest(const struct arg *args, struct
> sample *smp, void *private)
> +{
> + struct chunk *trash = get_trash_chunk();
> + EVP_MD_CTX *ctx = EVP_MD_CTX_new();
> + const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
> + unsigned char *md = (unsigned char*) trash->str;
> + unsigned int md_len = trash->size;
> +
> + if (!ctx)
> + return 0;
> + if (!evp)
> + return 0;
> +
> + if (!EVP_DigestInit(ctx, evp) ||
> + !EVP_DigestUpdate(ctx, smp->data.u.str.str,
> smp->data.u.str.len) ||
> + !EVP_DigestFinal(ctx, md, &md_len)) {
> + EVP_MD_CTX_free(ctx);
> + return 0;
> + }
> +
> + EVP_MD_CTX_free(ctx);
> +
> + trash->len = md_len;
> + smp->data.u.str = *trash;
> + smp->data.type = SMP_T_BIN;
> + smp->flags &= ~SMP_F_CONST;
> + return 1;
> +}
> +
> +static int sample_conv_crypto_hmac(const struct arg *args, struct sample
> *smp, void *private)
> +{
> + struct chunk *trash = get_trash_chunk();
> + const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
> + const char* key = args[1].data.str.str;
> + int key_len = args[1].data.str.len;
> + unsigned char *md = (unsigned char*) trash->str;
> + unsigned int md_len = trash->size;
> +
> + trash->len = 0;
> +
> + if (!evp)
> + return 0;
> +
> + if (!HMAC(evp, key, key_len, (const unsigned char*)
> smp->data.u.str.str, smp->data.u.str.len, md, &md_len))
> + return 0;
> +
> + trash->len = md_len;
> + smp->data.u.str = *trash;
> + smp->data.type = SMP_T_BIN;
> + smp->flags &= ~SMP_F_CONST;
> + return 1;
> +}
> +
> +static struct sample_conv_kw_list sample_conv_kws = {ILH, {
> + { "digest", sample_conv_crypto_digest, ARG1(1,STR), NULL,
> SMP_T_BIN, SMP_T_BIN },
> + { "hmac", sample_conv_crypto_hmac, ARG2(2,STR,STR), NULL,
> SMP_T_BIN, SMP_T_BIN },
> + { /* END */ },
> +}};
> +
> +__attribute__((constructor))
> +static void __crypto_init(void)
> +{
> + sample_register_convs(&sample_conv_kws);
> +}
> --
> 2.17.1
>

Hi,

Nice ones.
Can they be used to validate oauth tokens too?

Note: maybe an update for configuration.txt would be helpful too.

Baptiste
Patrick Gansterer
[PATCH] MINOR: crypto: Add digest and hmac converters
June 17, 2018 02:10PM
Make the digest and HMAC function of OpenSSL accesable to the user via
converters. e.g. They can be used to sign and validate cookies.
---
Makefile | 2 +-
doc/configuration.txt | 9 +++++
src/crypto.c | 84 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 5d170041..9a3a5024 100644
--- a/Makefile
+++ b/Makefile
@@ -609,7 +609,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
ifneq ($(USE_DL),)
OPTIONS_LDFLAGS += -ldl
endif
-OPTIONS_OBJS += src/ssl_sock.o
+OPTIONS_OBJS += src/crypto.o src/ssl_sock.o
endif

# The private cache option affect the way the shctx is built
diff --git a/doc/configuration.txt b/doc/configuration.txt
index e901d7ee..7c9eb55c 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12909,6 +12909,10 @@ debug
type of the input sample. The sample is returned as is on its output. This
converter only exists when haproxy was built with debugging enabled.

+digest(<algorithm>)
+ Converts a binary input sample to a message digest. The result is a binary
+ sample. The alorithm must a OpenSSL message digest name (e.g sha256).
+
div(<value>)
Divides the input value of type signed integer by <value>, and returns the
result as an signed integer. If <value> is null, the largest unsigned
@@ -12963,6 +12967,11 @@ hex2i
Converts a hex string containing two hex digits per input byte to an
integer. If the input value can not be converted, then zero is returned.

+hmac(<algorithm>, <key>)
+ Converts a binary input sample to a message authentication code with the given
+ key. The result is a binary sample. The alorithm must be of the registered
+ OpenSSL message digest names (e.g sha256).
+
http_date([<offset>])
Converts an integer supposed to contain a date since epoch to a string
representing this date in a format suitable for use in HTTP header fields. If
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 00000000..e4a65557
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,84 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2018 Patrick Gansterer <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <common/chunk.h>
+
+#include <proto/arg.h>
+#include <proto/sample.h>
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+static int sample_conv_crypto_digest(const struct arg *args, struct sample *smp, void *private)
+{
+ struct chunk *trash = get_trash_chunk();
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
+ unsigned char *md = (unsigned char*) trash->str;
+ unsigned int md_len = trash->size;
+
+ if (!ctx)
+ return 0;
+ if (!evp)
+ return 0;
+
+ if (!EVP_DigestInit(ctx, evp) ||
+ !EVP_DigestUpdate(ctx, smp->data.u.str.str, smp->data.u.str.len) ||
+ !EVP_DigestFinal(ctx, md, &md_len)) {
+ EVP_MD_CTX_free(ctx);
+ return 0;
+ }
+
+ EVP_MD_CTX_free(ctx);
+
+ trash->len = md_len;
+ smp->data.u.str = *trash;
+ smp->data.type = SMP_T_BIN;
+ smp->flags &= ~SMP_F_CONST;
+ return 1;
+}
+
+static int sample_conv_crypto_hmac(const struct arg *args, struct sample *smp, void *private)
+{
+ struct chunk *trash = get_trash_chunk();
+ const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
+ const char* key = args[1].data.str.str;
+ int key_len = args[1].data.str.len;
+ unsigned char *md = (unsigned char*) trash->str;
+ unsigned int md_len = trash->size;
+
+ trash->len = 0;
+
+ if (!evp)
+ return 0;
+
+ if (!HMAC(evp, key, key_len, (const unsigned char*) smp->data.u.str.str, smp->data.u.str.len, md, &md_len))
+ return 0;
+
+ trash->len = md_len;
+ smp->data.u.str = *trash;
+ smp->data.type = SMP_T_BIN;
+ smp->flags &= ~SMP_F_CONST;
+ return 1;
+}
+
+static struct sample_conv_kw_list sample_conv_kws = {ILH, {
+ { "digest", sample_conv_crypto_digest, ARG1(1,STR), NULL, SMP_T_BIN, SMP_T_BIN },
+ { "hmac", sample_conv_crypto_hmac, ARG2(2,STR,STR), NULL, SMP_T_BIN, SMP_T_BIN },
+ { /* END */ },
+}};
+
+__attribute__((constructor))
+static void __crypto_init(void)
+{
+ sample_register_convs(&sample_conv_kws);
+}
--
2.17.1
Patrick Gansterer
Re: [PATCH] MINOR: crypto: Add digest and hmac converters
June 17, 2018 02:20PM
> On 17 Jun 2018, at 13:36, Baptiste <[email protected]> wrote:
>
> Can they be used to validate oauth tokens too?

Depends on the implementation of the tokens, but if they are HMACSHA256 signed JWT, it’s very easy to validate them in a lua script now.

> Note: maybe an update for configuration.txt would be helpful too.

Thx for the note. I’ve updated the patch.

- Patrick
Le dim. 17 juin 2018 à 14:10, Patrick Gansterer <[email protected]> a
écrit :

>
> > On 17 Jun 2018, at 13:36, Baptiste <[email protected]> wrote:
> >
> > Can they be used to validate oauth tokens too?
>
> Depends on the implementation of the tokens, but if they are HMACSHA256
> signed JWT, it’s very easy to validate them in a lua script now.
>

That's how I am doing it now.
Just wanted to know if a combination of http rules could do the job. And be
maybe faster.

Baptiste
Sorry, only registered users may post in this forum.

Click here to login