feature: added new directive set_hmac_sha256. (#57)

README.markdown

@@ -37,6 +37,7 @@ Table of Contents
     * [set_sha1](#set_sha1)
     * [set_md5](#set_md5)
     * [set_hmac_sha1](#set_hmac_sha1)
+    * [set_hmac_sha256](#set_hmac_sha256)
     * [set_random](#set_random)
     * [set_secure_random_alphanum](#set_secure_random_alphanum)
     * [set_secure_random_lcalpha](#set_secure_random_lcalpha)
@@ -881,7 +882,48 @@ R/pvxzHC4NLtj7S+kXFg/NePTmk=
 
 Please note that we're using [echo-nginx-module](http://github.com/openresty/echo-nginx-module)'s [echo directive](http://github.com/openresty/echo-nginx-module#echo) here to output values of nginx variables directly.
 
-This directive requires the OpenSSL library enabled in your Nignx build (usually by passing the `--with-http_ssl_module` option to the `./configure` script).
+This directive requires the OpenSSL library enabled in your Nginx build (usually by passing the `--with-http_ssl_module` option to the `./configure` script).
+
+[Back to TOC](#table-of-contents)
+
+set_hmac_sha256
+---------------
+**syntax:** *set_hmac_sha256 $dst <secret_key> <src>*
+
+**syntax:** *set_hmac_sha256 $dst*
+
+**default:** *no*
+
+**context:** *location, location if*
+
+**phase:** *rewrite*
+
+Computes the [HMAC-SHA256](http://en.wikipedia.org/wiki/HMAC) digest of the argument `<src>` and assigns the result into the argument variable `$dst` with the secret key `<secret_key>`.
+
+The raw binary form of the `HMAC-SHA256` digest will be generated, use [set_encode_base64](#set_encode_base64), for example, to encode the result to a textual representation if desired.
+
+For example,
+
+```nginx
+
+ location /test {
+     set $secret 'thisisverysecretstuff';
+     set $string_to_sign 'some string we want to sign';
+     set_hmac_sha256 $signature $secret $string_to_sign;
+     set_encode_base64 $signature $signature;
+     echo $signature;
+ }
+```
+
+Then request `GET /test` will yield the following output
+
+```
+4pU3GRQrKKIoeLb9CqYsavHE2l6Hx+KMmRmesU+Cfrs=
+```
+
+Please note that we're using [echo-nginx-module](http://github.com/openresty/echo-nginx-module)'s [echo directive](http://github.com/openresty/echo-nginx-module#echo) here to output values of nginx variables directly.
+
+This directive requires the OpenSSL library enabled in your Nginx build (usually by passing the `--with-http_ssl_module` option to the `./configure` script).
 
 [Back to TOC](#table-of-contents)
 

src/ngx_http_set_hmac.c

@@ -12,16 +12,13 @@
 
 /* this function's implementation is partly borrowed from
  * https://github.com/anomalizer/ngx_aws_auth */
-ngx_int_t
-ngx_http_set_misc_set_hmac_sha1(ngx_http_request_t *r, ngx_str_t *res,
-    ngx_http_variable_value_t *v)
+static ngx_int_t
+ngx_http_set_misc_set_hmac(ngx_http_request_t *r, ngx_str_t *res,
+    ngx_http_variable_value_t *v, const EVP_MD *evp_md)
 {
     ngx_http_variable_value_t   *secret, *string_to_sign;
     unsigned int                 md_len = 0;
     unsigned char                md[EVP_MAX_MD_SIZE];
-    const EVP_MD                *evp_md;
-
-    evp_md = EVP_sha1();
 
     secret = v;
     string_to_sign = v + 1;
@@ -48,3 +45,18 @@ ngx_http_set_misc_set_hmac_sha1(ngx_http_request_t *r, ngx_str_t *res,
     return NGX_OK;
 }
 
+
+ngx_int_t
+ngx_http_set_misc_set_hmac_sha1(ngx_http_request_t *r, ngx_str_t *res,
+    ngx_http_variable_value_t *v)
+{
+    return ngx_http_set_misc_set_hmac(r, res, v, EVP_sha1());
+}
+
+
+ngx_int_t
+ngx_http_set_misc_set_hmac_sha256(ngx_http_request_t *r, ngx_str_t *res,
+    ngx_http_variable_value_t *v)
+{
+    return ngx_http_set_misc_set_hmac(r, res, v, EVP_sha256());
+}

src/ngx_http_set_hmac.h

@@ -5,3 +5,5 @@
 ngx_int_t ngx_http_set_misc_set_hmac_sha1(ngx_http_request_t *r,
         ngx_str_t *res, ngx_http_variable_value_t *v);
 
+ngx_int_t ngx_http_set_misc_set_hmac_sha256(ngx_http_request_t *r,
+        ngx_str_t *res, ngx_http_variable_value_t *v);

src/ngx_http_set_misc_module.c

@@ -80,6 +80,14 @@ static ndk_set_var_t  ngx_http_set_misc_set_hmac_sha1_filter = {
     2,
     NULL
 };
+
+
+static ndk_set_var_t  ngx_http_set_misc_set_hmac_sha256_filter = {
+    NDK_SET_VAR_MULTI_VALUE,
+    (void *) ngx_http_set_misc_set_hmac_sha256,
+    2,
+    NULL
+};
 #endif
 
 
@@ -249,6 +257,14 @@ static ngx_command_t  ngx_http_set_misc_commands[] = {
         0,
         &ngx_http_set_misc_set_hmac_sha1_filter
     },
+    {   ngx_string ("set_hmac_sha256"),
+        NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF
+            |NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE3,
+        ndk_set_var_multi_value,
+        0,
+        0,
+        &ngx_http_set_misc_set_hmac_sha256_filter
+    },
 #endif
 #ifndef NGX_HTTP_SET_HASH
     {   ngx_string ("set_md5"),

t/hmac.t

@@ -15,7 +15,7 @@ run_tests();
 
 __DATA__
 
-=== TEST 1: hmac
+=== TEST 1: hmac_sha1
 --- config
     location /bar {
         set $secret 'thisisverysecretstuff';
@@ -31,7 +31,7 @@ R/pvxzHC4NLtj7S+kXFg/NePTmk=
 
 
 
-=== TEST 2: hmac empty vars
+=== TEST 2: hmac_sha1 empty vars
 --- config
     location /bar {
         set $secret '';
@@ -44,3 +44,35 @@ R/pvxzHC4NLtj7S+kXFg/NePTmk=
     GET /bar
 --- response_body
 +9sdGxiqbAgyS31ktx+3Y3BpDh0=
+
+
+
+=== TEST 3: hmac_sha256
+--- config
+    location /bar {
+        set $secret 'thisisverysecretstuff';
+        set $string_to_sign 'some string we want to sign';
+        set_hmac_sha256 $signature $secret $string_to_sign;
+        set_encode_base64 $signature $signature;
+        echo $signature;
+    }
+--- request
+    GET /bar
+--- response_body
+4pU3GRQrKKIoeLb9CqYsavHE2l6Hx+KMmRmesU+Cfrs=
+
+
+
+=== TEST 4: hmac_sha256 empty vars
+--- config
+    location /bar {
+        set $secret '';
+        set $string_to_sign '';
+        set_hmac_sha256 $signature $secret $string_to_sign;
+        set_encode_base64 $signature $signature;
+        echo $signature;
+    }
+--- request
+    GET /bar
+--- response_body
+thNnmggU2ex3L5XXeMNfxf8Wl8STcVZTxscSFEKSxa0=