From cd3732456bda55d4cde9d20651560496c0ab9322 Mon Sep 17 00:00:00 2001
From: Tim Duesterhus <tim@bastelstu.be>
Date: Tue, 17 Dec 2019 12:31:20 +0100
Subject: [PATCH] MINOR: sample: Validate the number of bits for the sha2
 converter

Instead of failing the conversion when an invalid number of bits is
given the sha2 converter now fails with an appropriate error message
during startup.

The sha2 converter was introduced in d4376302377e4f51f43a183c2c91d929b27e1ae3,
which is in 2.1 and higher.
---
 reg-tests/converter/sha2.vtc |  5 +----
 src/sample.c                 | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/reg-tests/converter/sha2.vtc b/reg-tests/converter/sha2.vtc
index 0354b0a209..6ca021a8b7 100644
--- a/reg-tests/converter/sha2.vtc
+++ b/reg-tests/converter/sha2.vtc
@@ -8,7 +8,7 @@ feature ignore_unknown_macro
 server s1 {
 	rxreq
 	txresp
-} -repeat 3 -start
+} -repeat 2 -start
 
 haproxy h1 -conf {
     defaults
@@ -28,7 +28,6 @@ haproxy h1 -conf {
 	http-response set-header SHA2-256   "%[var(txn.hash),sha2(256),hex,lower]"
 	http-response set-header SHA2-384   "%[var(txn.hash),sha2(384),hex,lower]"
 	http-response set-header SHA2-512   "%[var(txn.hash),sha2(512),hex,lower]"
-	http-response set-header SHA2-invalid   "%[var(txn.hash),sha2(1),hex,lower]"
 
 	default_backend be
 
@@ -46,7 +45,6 @@ client c1 -connect ${h1_fe_sock} {
 	expect resp.http.sha2-256 == "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"
 	expect resp.http.sha2-384 == "47f05d367b0c32e438fb63e6cf4a5f35c2aa2f90dc7543f8a41a0f95ce8a40a313ab5cf36134a2068c4c969cb50db776"
 	expect resp.http.sha2-512 == "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"
-	expect resp.http.sha2-invalid == ""
 	txreq -url "/" \
 	  -hdr "Hash: 2"
 	rxresp
@@ -56,5 +54,4 @@ client c1 -connect ${h1_fe_sock} {
 	expect resp.http.sha2-256 == "d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"
 	expect resp.http.sha2-384 == "d063457705d66d6f016e4cdd747db3af8d70ebfd36badd63de6c8ca4a9d8bfb5d874e7fbd750aa804dcaddae7eeef51e"
 	expect resp.http.sha2-512 == "40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114"
-	expect resp.http.sha2-invalid == ""
 } -run
diff --git a/src/sample.c b/src/sample.c
index b124c4b861..82078fce1d 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -1531,6 +1531,29 @@ static int sample_conv_sha1(const struct arg *arg_p, struct sample *smp, void *p
 }
 
 #ifdef USE_OPENSSL
+static int smp_check_sha2(struct arg *args, struct sample_conv *conv,
+                          const char *file, int line, char **err)
+{
+	if (args[0].type == ARGT_STOP)
+		return 1;
+	if (args[0].type != ARGT_SINT) {
+		memprintf(err, "Invalid type '%s'", arg_type_names[args[0].type]);
+		return 0;
+	}
+
+	switch (args[0].data.sint) {
+		case 224:
+		case 256:
+		case 384:
+		case 512:
+			/* this is okay */
+			return 1;
+		default:
+			memprintf(err, "Unsupported number of bits: '%lld'", args[0].data.sint);
+			return 0;
+	}
+}
+
 static int sample_conv_sha2(const struct arg *arg_p, struct sample *smp, void *private)
 {
 	struct buffer *trash = get_trash_chunk();
@@ -3362,7 +3385,7 @@ static struct sample_conv_kw_list sample_conv_kws = {ILH, {
 	{ "regsub", sample_conv_regsub,    ARG3(2,REG,STR,STR), sample_conv_regsub_check, SMP_T_STR, SMP_T_STR },
 	{ "sha1",   sample_conv_sha1,      0,            NULL, SMP_T_BIN,  SMP_T_BIN  },
 #ifdef USE_OPENSSL
-	{ "sha2",   sample_conv_sha2,      ARG1(0, SINT),            NULL, SMP_T_BIN,  SMP_T_BIN  },
+	{ "sha2",   sample_conv_sha2,      ARG1(0, SINT), smp_check_sha2, SMP_T_BIN,  SMP_T_BIN  },
 #endif
 	{ "concat", sample_conv_concat,    ARG3(1,STR,STR,STR), smp_check_concat, SMP_T_STR,  SMP_T_STR },
 	{ "strcmp", sample_conv_strcmp,    ARG1(1,STR), smp_check_strcmp, SMP_T_STR,  SMP_T_SINT },