BUG/MINOR: jwt: don't try to load files with HMAC algorithm

When trying to use a HMAC algorithm (HS256, HS384, HS512) the sample_conv_jwt_verify_check() function of the converter tries to load a file even if it is only supposed to contain a secret instead of a path. When using lua, the check function is called at runtime so it even tries to load file at each call... This fixes the issue for HMAC algorithm but this is still a problem with the other algorithms, since we don't have a way of pre-loading files before the call. Another solution must be found to prevent disk IO with lua using other algorithms. Must be backported as far as 2.6.
2025-08-05 22:56:57 +02:00 · 2024-07-03 12:35:50 +02:00 · 2024-07-03 12:35:50 +02:00 · 883f1bdbce
commit 883f1bdbce
parent 50ae717624
1 changed files with 12 additions and 2 deletions
--- a/src/sample.c
+++ b/src/sample.c
@ -4262,11 +4262,12 @@ static int sample_conv_json_query(const struct arg *args, struct sample *smp, vo
 static int sample_conv_jwt_verify_check(struct arg *args, struct sample_conv *conv,
 					const char *file, int line, char **err)
 {
+	enum jwt_alg alg;
 	vars_check_arg(&args[0], NULL);
 	vars_check_arg(&args[1], NULL);

 	if (args[0].type == ARGT_STR) {
-		enum jwt_alg alg = jwt_parse_alg(args[0].data.str.area, args[0].data.str.data);
+		alg = jwt_parse_alg(args[0].data.str.area, args[0].data.str.data);

 		if (alg == JWT_ALG_DEFAULT) {
 			memprintf(err, "unknown JWT algorithm: %s", args[0].data.str.area);
@ -4275,7 +4276,16 @@ static int sample_conv_jwt_verify_check(struct arg *args, struct sample_conv *co
 	}

 	if (args[1].type == ARGT_STR) {
-		jwt_tree_load_cert(args[1].data.str.area, args[1].data.str.data, err);
+		switch (alg) {
+			JWS_ALG_HS256:
+			JWS_ALG_HS384:
+			JWS_ALG_HS512:
+			/* don't try to load a file with HMAC algorithms */
+				break;
+			default:
+				jwt_tree_load_cert(args[1].data.str.area, args[1].data.str.data, err);
+				break;
+		}
 	}

 	return 1;