This adds a converter for the SHA-2 family, supporting SHA-224, SHA-256
SHA-384 and SHA-512.
The converter relies on the OpenSSL implementation, thus only being available
when HAProxy is compiled with USE_OPENSSL.
See GitHub issue #123. The hypothetical ssl_?_sha256 fetch can then be
simulated using ssl_?_der,sha2(256):
http-response set-header Server-Cert-FP %[ssl_f_der,sha2(256),hex]
doc/configuration.txt | 12 ++++++-
reg-tests/converter/sha2.vtc | 60 ++++++++++++++++++++++++++++++++
src/sample.c | 67 ++++++++++++++++++++++++++++++++++++
3 files changed, 138 insertions(+), 1 deletion(-)
create mode 100644 reg-tests/converter/sha2.vtc
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3e402fb92..2a09bab61 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14086,9 +14086,19 @@ set-var()
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
sha1
- Converts a binary input sample to a SHA1 digest. The result is a binary
+ Converts a binary input sample to a SHA-1 digest. The result is a binary
sample with length of 20 bytes.
+sha2([])
- Converts a binary input sample to a digest in the SHA-2 family. The result
- is a binary sample with length of /8 bytes.
+
- Valid values for are 224, 256, 384, 512, each corresponding to
- SHA-. The default value is 256.
+
- Please note that this converter is only available when haproxy has been
- compiled with USE_OPENSSL.
+
strcmp()
Compares the contents of with the input value of type string. Returns
the result as a signed integer compatible with strcmp(3): 0 if both strings
diff --git a/reg-tests/converter/sha2.vtc b/reg-tests/converter/sha2.vtc
new file mode 100644
index 000000000..0354b0a20
--- /dev/null
+++ b/reg-tests/converter/sha2.vtc
@@ -0,0 +1,60 @@
+varnishtest "sha2 converter Test"
+
+#REQUIRE_VERSION=2.1
+#REQUIRE_OPTION=OPENSSL
+
+feature ignore_unknown_macro
+
+server s1 {
- rxreq
- txresp
+} -repeat 3 -start
+
+haproxy h1 -conf {
- defaults
- mode http
- timeout connect 1s
- timeout client 1s
- timeout server 1s
+
- frontend fe
- bind "fd@${fe}"
+
- #### requests
- http-request set-var(txn.hash) req.hdr(hash)
+
- http-response set-header SHA2 "%[var(txn.hash),sha2,hex,lower]"
- http-response set-header SHA2-224 "%[var(txn.hash),sha2(224),hex,lower]"
- http-response set-header SHA2-256 "%[var(txn.hash),sha2(256),hex,lower]"
- http-response set-header SHA2-384 "%[var(txn.hash),sha2(384),hex,lower]"
- http-response set-header SHA2-512 "%[var(txn.hash),sha2(512),hex,lower]"
- http-response set-header SHA2-invalid "%[var(txn.hash),sha2(1),hex,lower]"
+
- default_backend be
+
- backend be
- server s1 ${s1_addr}:${s1_port}
+} -start
+
+client c1 -connect ${h1_fe_sock} {
- txreq -url "/" \
- -hdr "Hash: 1"
- rxresp
- expect resp.status == 200
- expect resp.http.sha2 == "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"
- expect resp.http.sha2-224 == "e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178"
- expect resp.http.sha2-256 == "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"
- expect resp.http.sha2-384 == "47f05d367b0c32e438fb63e6cf4a5f35c2aa2f90dc7543f8a41a0f95ce8a40a313ab5cf36134a2068c4c969cb50db776"
- expect resp.http.sha2-512 == "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"
- expect resp.http.sha2-invalid == ""
- txreq -url "/" \
- -hdr "Hash: 2"
- rxresp
- expect resp.status == 200
- expect resp.http.sha2 == "d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"
- expect resp.http.sha2-224 == "58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9"
- expect resp.http.sha2-256 == "d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"
- expect resp.http.sha2-384 == "d063457705d66d6f016e4cdd747db3af8d70ebfd36badd63de6c8ca4a9d8bfb5d874e7fbd750aa804dcaddae7eeef51e"
- expect resp.http.sha2-512 == "40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114"
- expect resp.http.sha2-invalid == ""
+} -run
diff --git a/src/sample.c b/src/sample.c
index 67f59e844..96102504b 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -1537,6 +1537,70 @@ static int sample_conv_sha1(const struct arg *arg_p, struct sample *smp, void *p
return 1;
}
+#ifdef USE_OPENSSL
+static int sample_conv_sha2(const struct arg *arg_p, struct sample *smp, void *private)
+{
- struct buffer *trash = get_trash_chunk();
- int bits = 256;
- if (arg_p && arg_p->data.sint)
- bits = arg_p->data.sint;
+
- switch (bits) {
- case 224: {
- SHA256_CTX ctx;
+
- memset(&ctx, 0, sizeof(ctx));
+
- SHA224_Init(&ctx);
- SHA224_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
- SHA224_Final((unsigned char *) trash->area, &ctx);
- trash->data = SHA224_DIGEST_LENGTH;
- break;
- }
- case 256: {
- SHA256_CTX ctx;
+
- memset(&ctx, 0, sizeof(ctx));
+
- SHA256_Init(&ctx);
- SHA256_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
- SHA256_Final((unsigned char *) trash->area, &ctx);
- trash->data = SHA256_DIGEST_LENGTH;
- break;
- }
- case 384: {
- SHA512_CTX ctx;
+
- memset(&ctx, 0, sizeof(ctx));
+
- SHA384_Init(&ctx);
- SHA384_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
- SHA384_Final((unsigned char *) trash->area, &ctx);
- trash->data = SHA384_DIGEST_LENGTH;
- break;
- }
- case 512: {
- SHA512_CTX ctx;
+
- memset(&ctx, 0, sizeof(ctx));
+
- SHA512_Init(&ctx);
- SHA512_Update(&ctx, smp->data.u.str.area, smp->data.u.str.data);
- SHA512_Final((unsigned char *) trash->area, &ctx);
- trash->data = SHA512_DIGEST_LENGTH;
- break;
- }
- default:
- return 0;
- }
+
- smp->data.u.str = *trash;
- smp->data.type = SMP_T_BIN;
- smp->flags &= ~SMP_F_CONST;
- return 1;
+}
+#endif
+
static int sample_conv_bin2hex(const struct arg *arg_p, struct sample *smp, void *private)
{
struct buffer *trash = get_trash_chunk();
@@ -3203,6 +3267,9 @@ static struct sample_conv_kw_list sample_conv_kws = {ILH, {
{ "word", sample_conv_word, ARG3(2,SINT,STR,SINT), sample_conv_field_check, SMP_T_STR, SMP_T_STR },
{ "regsub", sample_conv_regsub, ARG3(2,REG,STR,STR), sample_conv_regsub_check, SMP_T_STR, SMP_T_STR },
{ "sha1", sample_conv_sha1, 0, NULL, SMP_T_BIN, SMP_T_BIN },
+#ifdef USE_OPENSSL
- { "sha2", sample_conv_sha2, ARG1(0, SINT), NULL, SMP_T_BIN, SMP_T_BIN },
+#endif
{ "concat", sample_conv_concat, ARG3(1,STR,STR,STR), smp_check_concat, SMP_T_STR, SMP_T_STR },
{ "strcmp", sample_conv_strcmp, ARG1(1,STR), smp_check_strcmp, SMP_T_STR, SMP_T_SINT },
--
2.21.0
Most helpful comment
The patch will be included in HAProxy 2.1. I guess it can be trivially applied to 2.0 if you are willing to compile your own HAProxy.