authorIvan Stakhov <50211739+LeftTry@users.noreply.github.com>2024-09-05 13:48:22 +0300
committerGitHub <noreply@github.com>2024-09-05 11:48:22 +0100
commitbb6604f2a6439613fa6546e5e8ec8b61006ec208 (patch)
tree6fcbe4a0f104fe14296d1acc88561ac43e95bc64 /lualib
parent40a6ddd69be80e6a4ad8a29053bbfa18d24b3bd8 (diff)
[Feature] Add tooling to encrypt strings in Lua
* [Fix] Provide support for OpenSSL 3.0 * [Feature] Provide function to encode header with configured public key * [Feature] Provide function to decode header with configured public key * [Test] Add tests for maybe encode/decode header * [Minor] Fix tests for encode/decode header * [Minor] Small clean up * [Minor] Small clean up * [Minor] Small fix for OpenSSL 3.0 support * [Minor] Provide logging * [Minor] Small fix * [Fix] Fix typo error * [Fix] Another typo * [Minor] Little clean up * [Minor] Little fix * [Minor] Small fix * [Minor] Small fix * [Minor] Rewrite the arguments of secretbox:encrypt/decrypt functions to a more understandable format * [Fix] Fix problem when nonce was not provided * [Test] Add test for nonce * [Minor] Little clean up * [Minor] Little clean up * [Test] Test * [Test] Test * [Test] Test * [Minor] Little fix * [Minor] Small fix * [Minor] Small fix * [Test] Small fix * [Test] Test * [Test] Test * [Test] Test * [Test] Test * [Minor] Small fix for fips provider * [Minor] Change provider apply logic * [Test] Little fix for provider * [Minor] Provide OpenSSL <3.0 support * [Test] Possible provider fix * [Test] Possible provider fix * [Test] Little fix * [Minor] Fix provider issue * [Minor] Small clean up * [Minor] Change logging errors * Update lualib/lua_util.lua --------- Co-authored-by: Vsevolod Stakhov <vsevolod@rspamd.com>
Diffstat (limited to 'lualib')
-rw-r--r--lualib/lua_util.lua78
1 files changed, 78 insertions, 0 deletions
diff --git a/lualib/lua_util.lua b/lualib/lua_util.lua
index 470925b95..ffc07842e 100644
--- a/lualib/lua_util.lua
+++ b/lualib/lua_util.lua
@@ -1292,6 +1292,84 @@ exports.maybe_obfuscate_string = function(subject, settings, prefix)
end
---[[[
+-- @function lua_util.maybe_encrypt_header(header, settings, prefix)
+-- Encode header with configured public key if enabled in settings.
+-- If header is not set then nil is returned. If pub_key is empty then header is returned.
+-- Supported settings:
+-- * <prefix>_encrypt = false - no need for encryption of a header
+-- * <prefix>_key = 'key' - key that is used encrypt header
+-- * <prefix>_nonce = 'nonce' - nonce to encrypt header(optional)
+-- @return encrypted header
+---]]]
+exports.maybe_encrypt_header = function(header, settings, prefix)
+ local rspamd_secretbox = require "rspamd_cryptobox_secretbox"
+
+ if not header or header == '' then
+ logger.errx(rspamd_config, "Header: %s is empty or nil", header)
+ return nil
+ elseif settings[prefix .. '_encrypt'] then
+ local key = settings[prefix .. '_key']
+ if not key or key == '' then
+ logger.errx(rspamd_config, "Key: %s is empty or nil", key)
+ return header
+ end
+ local cryptobox = rspamd_secretbox.create(key)
+
+ local nonce = settings[prefix .. '_nonce']
+ local encrypted_header = ''
+ if not nonce or nonce == '' then
+ encrypted_header, nonce = cryptobox:encrypt(header)
+ else
+ encrypted_header = cryptobox:encrypt(header, nonce)
+ end
+ return encrypted_header, nonce
+ end
+end
+
+---[[[
+-- @function lua_util.maybe_decrypt_header(header, settings, prefix, nonce)
+-- Decode enoced with configured public_key header if enabled in settings.
+-- If encoded header is not set then nil is returned. If pub_key is empty then encoded header is returned.
+-- Supported settings:
+-- * <prefix>_encrypt = false - no need for decryption of a header
+-- * <prefix>_key = 'key' - key that is used decrypt header
+-- * <prefix>_nonce = 'nonce' - nonce used to encrypt header(optional)
+-- Nonce is an optional argument if <prefix>_nonce is provided, otherwise it is an required argument
+-- and <prefix>_nonce is an optional
+-- @return decrypted header
+---]]]
+exports.maybe_decrypt_header = function(encrypted_header, settings, prefix, nonce)
+ local rspamd_secretbox = require "rspamd_cryptobox_secretbox"
+
+ if not encrypted_header or encrypted_header == '' then
+ logger.errx(rspamd_config, "Encoded header: %s is empty or nil")
+ return nil
+ elseif settings[prefix .. '_encrypt'] then
+ local key = settings[prefix .. '_key']
+ if not key or key == '' then
+ logger.errx(rspamd_config, "Key: %s is empty or nil")
+ return encrypted_header
+ end
+ local cryptobox = rspamd_secretbox.create(key)
+
+ local result = false
+ local header = ''
+ if not nonce then
+ result, header = cryptobox:decrypt(encrypted_header, settings[prefix .. '_nonce'])
+ else
+ result, header = cryptobox:decrypt(encrypted_header, nonce)
+ end
+
+ if not result then
+ logger.infox(rspamd_config, "Decryption is failed with result: %s and decrypted header: %s", result, header)
+ return nil
+ end
+
+ return header
+ end
+end
+
+---[[[
-- @function lua_util.callback_from_string(str)
-- Converts a string like `return function(...) end` to lua function and return true and this function
-- or returns false + error message