Implement blake3 cryptographic hash verification for query string.

This commit is contained in:
Kavin 2023-11-17 15:04:42 +00:00
parent c136f79cc2
commit faafbcb737
No known key found for this signature in database
GPG key ID: 6E4598CA5C92C41F
3 changed files with 78 additions and 1 deletions

27
Cargo.lock generated
View file

@ -256,6 +256,12 @@ dependencies = [
"syn 2.0.39", "syn 2.0.39",
] ]
[[package]]
name = "arrayref"
version = "0.3.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6b4930d2cb77ce62f89ee5d5289b4ac049559b1c45539271f5ed4fdc7db34545"
[[package]] [[package]]
name = "arrayvec" name = "arrayvec"
version = "0.7.4" version = "0.7.4"
@ -349,6 +355,20 @@ version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "02bef9e74b5908bed0360844109a55b62b07cc973274c11d3a577bda8cc1cf60" checksum = "02bef9e74b5908bed0360844109a55b62b07cc973274c11d3a577bda8cc1cf60"
[[package]]
name = "blake3"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0231f06152bf547e9c2b5194f247cd97aacf6dcd8b15d8e5ec0663f64580da87"
dependencies = [
"arrayref",
"arrayvec",
"cc",
"cfg-if",
"constant_time_eq",
"rayon",
]
[[package]] [[package]]
name = "block-buffer" name = "block-buffer"
version = "0.10.4" version = "0.10.4"
@ -465,6 +485,12 @@ version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b" checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"
[[package]]
name = "constant_time_eq"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2"
[[package]] [[package]]
name = "convert_case" name = "convert_case"
version = "0.4.0" version = "0.4.0"
@ -1380,6 +1406,7 @@ name = "piped-proxy"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"actix-web", "actix-web",
"blake3",
"image", "image",
"libwebp-sys", "libwebp-sys",
"mimalloc", "mimalloc",

View file

@ -23,9 +23,10 @@ rgb = { version = "0.8.37", optional = true }
once_cell = "1.18.0" once_cell = "1.18.0"
regex = "1.10.2" regex = "1.10.2"
blake3 = { version = "1.5.0", features = ["rayon"], optional = true }
[features] [features]
default = ["webp", "mimalloc", "reqwest-rustls"] default = ["webp", "mimalloc", "reqwest-rustls", "qhash"]
reqwest-rustls = ["reqwest/rustls-tls"] reqwest-rustls = ["reqwest/rustls-tls"]
reqwest-native-tls = ["reqwest/default-tls"] reqwest-native-tls = ["reqwest/default-tls"]
@ -37,5 +38,7 @@ mimalloc = ["dep:mimalloc"]
optimized = ["libwebp-sys?/sse41", "libwebp-sys?/avx2", "libwebp-sys?/neon"] optimized = ["libwebp-sys?/sse41", "libwebp-sys?/avx2", "libwebp-sys?/neon"]
qhash = ["blake3"]
[profile.release] [profile.release]
lto = true lto = true

View file

@ -137,6 +137,53 @@ async fn index(req: HttpRequest) -> Result<HttpResponse, Box<dyn Error>> {
// parse query string // parse query string
let query = QString::from(req.query_string()); let query = QString::from(req.query_string());
#[cfg(feature = "qhash")]
{
use std::collections::BTreeSet;
let secret = env::var("HASH_SECRET");
if let Ok(secret) = secret {
let qhash = query.get("qhash");
if qhash.is_none() {
return Err("No qhash provided".into());
}
let qhash = qhash.unwrap();
// check that qhash is valid
if qhash.len() != 8 {
return Err("Invalid qhash provided".into());
}
// store sorted key-value pairs
let mut set = BTreeSet::new();
query.to_pairs().iter().for_each(|(key, value)| {
if matches!(*key, "qhash" | "range" | "rewrite") {
return;
}
set.insert((key.as_bytes(), value.as_bytes()));
});
let mut hasher = blake3::Hasher::new();
for (key, value) in set {
hasher.update(key);
hasher.update(value);
}
hasher.update(secret.as_bytes());
let hash = hasher.finalize().to_hex();
let hash = &hash[..8];
if hash != qhash {
return Err("Invalid qhash provided".into());
}
}
}
let res = query.get("host"); let res = query.get("host");
let res = res.map(|s| s.to_string()); let res = res.map(|s| s.to_string());