feat(mac) add EVP_MAC

fffonion · fffonion · commit 0625be92e0ea · 2021-10-23T22:40:48.000+08:00
diff --git a/lib/resty/openssl/include/evp/mac.lua b/lib/resty/openssl/include/evp/mac.lua
@@ -0,0 +1,24 @@
+local ffi = require "ffi"
+
+require "resty.openssl.include.ossl_typ"
+require "resty.openssl.include.provider"
+
+ffi.cdef [[
+  typedef struct evp_mac_st EVP_MAC;
+  typedef struct evp_mac_ctx_st EVP_MAC_CTX;
+
+  EVP_MAC_CTX *EVP_MAC_CTX_new(EVP_MAC *mac);
+  void EVP_MAC_CTX_free(EVP_MAC_CTX *ctx);
+
+  const OSSL_PROVIDER *EVP_MAC_get0_provider(const EVP_MAC *mac);
+  EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+                          const char *properties);
+
+  int EVP_MAC_init(EVP_MAC_CTX *ctx, const unsigned char *key, size_t keylen,
+                    const OSSL_PARAM params[]);
+  int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen);
+  int EVP_MAC_final(EVP_MAC_CTX *ctx,
+                    unsigned char *out, size_t *outl, size_t outsize);
+
+  size_t EVP_MAC_CTX_get_mac_size(EVP_MAC_CTX *ctx);
+]]
diff --git a/lib/resty/openssl/mac.lua b/lib/resty/openssl/mac.lua
@@ -0,0 +1,95 @@
+local ffi = require "ffi"
+local C = ffi.C
+local ffi_gc = ffi.gc
+local ffi_str = ffi.string
+
+require "resty.openssl.include.evp.mac"
+local params_macro = require "resty.openssl.include.param"
+local ctypes = require "resty.openssl.auxiliary.ctypes"
+local format_error = require("resty.openssl.err").format_error
+local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
+
+local _M = {}
+local mt = {__index = _M}
+
+local mac_ctx_ptr_ct = ffi.typeof('EVP_MAC*')
+local param_types = {
+  cipher = params_macro.OSSL_PARAM_UTF8_STRING,
+  digest = params_macro.OSSL_PARAM_UTF8_STRING,
+}
+local params = {}
+
+function _M.new(key, typ, cipher, digest, properties)
+  if not OPENSSL_30 then
+    return false, "EVP_MAC is only supported from OpenSSL 3.0"
+  end
+
+  local dtyp = C.EVP_MAC_fetch(nil, typ, properties)
+  if dtyp == nil then
+    return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
+  end
+
+  local ctx = C.EVP_MAC_CTX_new(dtyp)
+  if ctx == nil then
+    return nil, "mac.new: failed to create EVP_MAC_CTX"
+  end
+  ffi_gc(ctx, C.EVP_MAC_CTX_free)
+  
+  params.digest = digest
+  params.cipher = cipher
+  local p = params_macro.construct(params, 2, param_types)
+
+  local code = C.EVP_MAC_init(ctx, key, #key, p)
+  if code ~= 1 then
+    return nil, format_error(string.format("mac.new: invalid cipher or digest type"))
+  end
+
+  local md_size = C.EVP_MAC_CTX_get_mac_size(ctx)
+
+  return setmetatable({
+    ctx = ctx,
+    dtyp = dtyp,
+    buf = ctypes.uchar_array(md_size),
+    buf_size = md_size,
+  }, mt), nil
+end
+
+function _M.istype(l)
+  return l and l.ctx and ffi.istype(mac_ctx_ptr_ct, l.ctx)
+end
+
+function _M:get_provider_name()
+  local p = C.EVP_MAC_get0_provider(self.dtyp)
+  if p == nil then
+    return nil
+  end
+  return ffi_str(C.OSSL_PROVIDER_get0_name(p))
+end
+
+function _M:update(...)
+  for _, s in ipairs({...}) do
+    if C.EVP_MAC_update(self.ctx, s, #s) ~= 1 then
+      return false, format_error("digest:update")
+    end
+  end
+  return true, nil
+end
+
+function _M:final(s)
+  if s then
+    local _, err = self:update(s)
+    if err then
+      return nil, err
+    end
+  end
+
+  local length = ctypes.ptr_of_size_t()
+  -- no return value of EVP_DigestFinal_ex
+  C.EVP_MAC_final(self.ctx, self.buf, length, self.buf_size)
+  if length[0] == nil or length[0] <= 0 then
+    return nil, format_error("digest:final: EVP_MAC_final")
+  end
+  return ffi_str(self.buf, length[0])
+end
+
+return _M
diff --git a/t/openssl/mac.t b/t/openssl/mac.t
@@ -0,0 +1,134 @@
+# vim:set ft= ts=4 sw=4 et fdm=marker:
+
+use Test::Nginx::Socket::Lua 'no_plan';
+use Cwd qw(cwd);
+
+
+my $pwd = cwd();
+
+my $use_luacov = $ENV{'TEST_NGINX_USE_LUACOV'} // '';
+
+our $HttpConfig = qq{
+    lua_package_path "$pwd/t/openssl/?.lua;$pwd/lib/?.lua;$pwd/lib/?/init.lua;;";
+    init_by_lua_block {
+        if "1" == "$use_luacov" then
+            require 'luacov.tick'
+            jit.off()
+        end
+        _G.myassert = require("helper").myassert
+    }
+};
+
+run_tests();
+
+__DATA__
+=== TEST 1: Calculate hmac correctly
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            if not require("resty.openssl.version").OPENSSL_30 then
+                ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
+                ngx.exit(0)
+            end
+
+            local hmac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
+
+            myassert(hmac:update("🦢🦢🦢🦢🦢🦢"))
+            ngx.print(ngx.encode_base64(myassert(hmac:final())))
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
+--- no_error_log
+[error]
+
+=== TEST 2: Update accepts vardiac args
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            if not require("resty.openssl.version").OPENSSL_30 then
+                ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
+                ngx.exit(0)
+            end
+
+            local hmac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
+
+            hmac:update("🦢", "🦢🦢", "🦢🦢", "🦢")
+            ngx.print(ngx.encode_base64(hmac:final()))
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
+--- no_error_log
+[error]
+
+=== TEST 3: Final accepts optional arg
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            if not require("resty.openssl.version").OPENSSL_30 then
+                ngx.say("kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM=")
+                ngx.exit(0)
+            end
+
+            local hmac = myassert(require("resty.openssl.mac").new("goose", "HMAC", nil, "sha256"))
+
+            myassert(hmac:update("🦢", "🦢🦢", "🦢🦢"))
+            ngx.print(ngx.encode_base64(myassert(hmac:final("🦢"))))
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"kwUMjYrP0BSJb8cIJvWYoiM1Kc4mQxZOTwSiTTLRhDM="
+--- no_error_log
+[error]
+
+=== TEST 4: Rejects unknown hash
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            if not require("resty.openssl.version").OPENSSL_30 then
+                ngx.say("mac.new: invalid cipher or digest type")
+                ngx.exit(0)
+            end
+            local hmac, err = require("resty.openssl.mac").new("goose", "HMAC", nil, "sha257")
+            ngx.print(err)
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"mac.new: invalid cipher or digest type.*"
+--- no_error_log
+[error]
+
+=== TEST 5: Returns provider
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            if not require("resty.openssl.version").OPENSSL_30 then
+                ngx.say("default")
+                ngx.exit(0)
+            end
+
+            local mac = require("resty.openssl.mac")
+            local m = myassert(mac.new("goose", "HMAC", nil, "sha256"))
+            ngx.say(myassert(m:get_provider_name()))
+        }
+    }
+--- request
+    GET /t
+--- response_body
+default
+--- no_error_log
+[error]
