F5 iRule Example integrating HMAC
Hi Dtwesten,
I really appreciate your idea to sign session cookies based on certificate information. It allows us to bind a usual session cookie (e.g. requiring AuthXYZ) to a specific certificate without touching the app at all. I'm somewhat sure that I'll use this method in the near future... 😉
You may take a deeper look below. It's quick code written in Notepad (I did not test the iRule) to outline how I would implement such functionality. It borrows your idea to HMAC-sign a cookie based on the available certificate information, but also fixes the HMAC cookie problem which I've mentioned in my previous comment...
V10.x

when CLIENTSSL_HANDSHAKE {
    # Require a client certificate and remember its subject; the cookie
    # HMAC is computed over this value, so the cookie is bound to the cert.
    if { [SSL::cert count] > 0 } then {
        if { [set cert_value [X509::subject [SSL::cert 0]]] eq "" } then {
            reject
        }
    } else {
        reject
    }
}

when HTTP_REQUEST {
    # Accept the "app" session cookie only if the "hmac_01" cookie verifies
    # against "<app cookie>:<certificate subject>" of this connection.
    if { ( [set app_cookie [HTTP::cookie value "app"]] ne "" ) and
         ( [set hmac_input [HTTP::cookie value "hmac_01"]] ne "" ) } then {
        set message "$app_cookie:$cert_value"
        # Placeholder key; a long random secret belongs here in production.
        set prekey "12345678"
        # $static::crypto_verify holds the Tcl HMAC code from the earlier
        # comment: it reads $message, $prekey and $hmac_input and sets $hmac_valid.
        eval $static::crypto_verify
        if { not $hmac_valid } then {
            HTTP::cookie remove "app"
        }
    } else {
        HTTP::cookie remove "app"
    }
    # Never forward the signature cookie to the application.
    HTTP::cookie remove "hmac_01"
}

when HTTP_RESPONSE {
    # Whenever the app sets (or refreshes) the "app" cookie, issue the
    # matching signature cookie for this client certificate.
    if { [set app_cookie [HTTP::cookie value "app"]] ne "" } then {
        set message "$app_cookie:$cert_value"
        set prekey "12345678"
        # $static::crypto_sign reads $message and $prekey and sets $hmac_output (hex).
        eval $static::crypto_sign
        HTTP::header insert "Set-Cookie" "hmac_01=$hmac_output; HttpOnly; Secure; Path=/"
    }
}
V11.x+

when CLIENTSSL_HANDSHAKE {
    # Require a client certificate and remember its subject for the HMAC input.
    if { [SSL::cert count] > 0 } then {
        if { [set cert_value [X509::subject [SSL::cert 0]]] eq "" } then {
            reject
        }
    } else {
        reject
    }
}

when HTTP_REQUEST {
    if { ( [set app_cookie [HTTP::cookie value "app"]] ne "" ) and
         ( [set hmac_input [HTTP::cookie value "hmac_01"]] ne "" ) } then {
        # The cookie carries the HMAC hex-encoded (see HTTP_RESPONSE), while
        # CRYPTO::verify expects the raw signature bytes, so decode it first.
        # "12345678" is a placeholder key; use a long random secret in production.
        if { not [CRYPTO::verify -alg hmac-sha256 -key "12345678" \
                  -signature [binary format H* $hmac_input] "$app_cookie:$cert_value"] } then {
            HTTP::cookie remove "app"
        }
    } else {
        HTTP::cookie remove "app"
    }
    # Never forward the signature cookie to the application.
    HTTP::cookie remove "hmac_01"
}

when HTTP_RESPONSE {
    if { [set app_cookie [HTTP::cookie value "app"]] ne "" } then {
        # HMAC-SHA256 over "<app cookie>:<certificate subject>", hex-encoded for the cookie.
        binary scan [CRYPTO::sign -alg hmac-sha256 -key "12345678" "$app_cookie:$cert_value"] H* hmac_output
        HTTP::header insert "Set-Cookie" "hmac_01=$hmac_output; HttpOnly; Secure; Path=/"
    }
}
Note: The next step would be to add some short-lived [table] or TMM caches to offload the per-request verification and (hopefully not) the per-response cookie generation...
Thanks and Cheers, Kai
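To make the certificate binding concrete, here is an added Python model of the scheme from the post above (not the iRule itself and not F5 code): the same `app_cookie:cert_subject` message, a hex-encoded HMAC-SHA256 tag, and verification against whatever subject the current TLS connection presented. The key and the sample cookie/subject values are constructed for the example.

```python
import hashlib
import hmac

# Constructed placeholder key, standing in for the post's "12345678".
KEY = b"12345678"


def hmac_hex(app_cookie: str, cert_subject: str, key: bytes = KEY) -> str:
    """Hex HMAC-SHA256 over "<app cookie>:<cert subject>", i.e. what the
    iRule's HTTP_RESPONSE puts into the hmac_01 cookie (binary scan ... H*)."""
    msg = f"{app_cookie}:{cert_subject}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(app_cookie: str, hmac_cookie: str, cert_subject: str,
                   key: bytes = KEY) -> bool:
    """Mirror HTTP_REQUEST: both cookies must be present and the tag must
    match the subject of the certificate on *this* connection. The hex
    cookie is decoded to raw bytes before a constant-time comparison."""
    if not app_cookie or not hmac_cookie:
        return False
    try:
        presented = bytes.fromhex(hmac_cookie)
    except ValueError:          # malformed cookie: treat as unsigned
        return False
    expected = bytes.fromhex(hmac_hex(app_cookie, cert_subject, key))
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Constructed session: cookie issued to alice's certificate, then replayed."""
    cookie, alice, bob = "AuthXYZ", "CN=alice,O=Example", "CN=bob,O=Example"
    tag = hmac_hex(cookie, alice)          # set by HTTP_RESPONSE for alice
    return {
        "same_cert": verify_request(cookie, tag, alice),    # accepted
        "other_cert": verify_request(cookie, tag, bob),     # cookie copied to another cert
        "tampered": verify_request("AuthABC", tag, alice),  # session cookie altered
        "bad_hex": verify_request(cookie, "zz", alice),     # garbage signature cookie
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case passes; the three failures correspond to the iRule stripping the "app" cookie before the request reaches the application.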