feat(mac) add reset API

fffonion · fffonion · commit 40fdbbbddc07 · 2023-12-28T14:36:22.000+08:00
diff --git a/README.md b/README.md
@@ -124,6 +124,7 @@ Table of Contents
     + [mac:gettable_params, mac:settable_params, mac:get_param, mac:set_params](#macgettable_params-macsettable_params-macget_param-macset_params)
     + [mac:update](#macupdate)
     + [mac:final](#macfinal)
+    + [mac:reset](#macreset)
   * [resty.openssl.kdf](#restyopensslkdf)
     + [kdf.derive (legacy)](#kdfderive-legacy)
     + [kdf.new](#kdfnew)
@@ -2111,10 +2112,13 @@ Module to interact with message authentication code (EVP_MAC).
 
 **syntax**: *h, err = mac.new(key, mac, cipher?, digest?, properties?)*
 
-Creates a mac instance. `mac` is a case-insensitive string of digest algorithm name.
+Creates a mac instance. `mac` is a case-insensitive string of MAC algorithm name.
 To view a list of digest algorithms implemented, use
 [openssl.list_mac_algorithms](#openssllist_mac_algorithms) or
 `openssl list -mac-algorithms`.
+
+At least one of `cipher` or `digest` must be specified.
+
 `cipher` is a case-insensitive string of digest algorithm name.
 To view a list of digest algorithms implemented, use
 [openssl.list_cipher_algorithms](#openssllist_cipher_algorithms) or
@@ -2181,6 +2185,16 @@ ngx.say(ngx.encode_base64(mac))
 
 [Back to TOC](#table-of-contents)
 
+### mac:reset
+
+**syntax**: *ok, err = mac:reset()*
+
+Reset the internal state of `mac` instance as it's just created by [mac.new](#macnew).
+It calls [EVP_MAC_Init](https://www.openssl.org/docs/manmaster/man3/EVP_MAC_init.html) under
+the hood.
+
+User must call this before reusing the same `mac` instance.
+
 ## resty.openssl.kdf
 
 Module to interact with KDF (key derivation function).
diff --git a/examples/perf/test_other_libs.lua b/examples/perf/test_other_libs.lua
@@ -6,12 +6,14 @@ local set_iteration = require "framework".set_iteration
 local write_seperator = require "framework".write_seperator
 local cipher = require "resty.openssl.cipher"
 local digest = require "resty.openssl.digest"
+local hmac = require "resty.openssl.hmac"
 local pkey = require "resty.openssl.pkey"
 local version = require "resty.openssl.version"
 local rand = require "resty.openssl.rand"
 local kdf = require "resty.openssl.kdf"
 local aes = require "resty.aes"
 local resty_rsa = require "resty.rsa"
+local to_hex = require "resty.string".to_hex
 
 -- ensure best performance
 require "framework".set_no_count_iter(true)
@@ -258,6 +260,54 @@ do
 
 end
 
+------------- hmac
+do
+    write_seperator()
+
+    local data = string.rep("1", 4096)
+    local key = rand.bytes(32)
+
+    local d = hmac.new(key, "sha256")
+
+    local expected = d:final(data)
+
+    test("lua-resty-openssl hmac sha256 on " .. #data .. " bytes", function()
+        d:reset()
+        return d:final(data)
+    end, nil, expected)
+
+    if version.OPENSSL_3X then
+        local mac = require "resty.openssl.mac"
+        local m = mac.new(key, "HMAC", nil, "sha256")
+        test("lua-resty-openssl hmac sha256 new API on " .. #data .. " bytes", function()
+            m:reset()
+            return m:final(data)
+        end, nil, expected)
+    end
+
+    if luaossl then
+        local _hmac = require "_openssl.hmac"
+        test("luaossl hmac sha256 " .. #data .. " bytes", function()
+            local hh = _hmac.new(key, "sha256")
+            return hh:final(data)
+        end, nil, expected)
+    end
+
+    if lua_openssl then
+        local hh = lua_openssl.hmac
+        test("lua_openssl hmac sha256 on " .. #data .. " bytes", function()
+            return hh.hmac("sha256", data, key)
+        end, nil, to_hex(expected))
+
+        if version.OPENSSL_3X then
+            local mm = lua_openssl.mac
+            test("lua_openssl hmac sha256 new API on " .. #data .. " bytes", function()
+                return mm.mac("sha256", data, key)
+            end, nil, to_hex(expected))
+        end
+    end
+end
+
 ------------- pkey
 do
     write_seperator()
diff --git a/lib/resty/openssl/mac.lua b/lib/resty/openssl/mac.lua
@@ -41,7 +41,8 @@ function _M.new(key, typ, cipher, digest, properties)
   params.cipher = cipher
   local p = param_lib.construct(params, 2, param_types)
 
-  local code = C.EVP_MAC_init(ctx, key, #key, p)
+  local keyl = #key
+  local code = C.EVP_MAC_init(ctx, key, keyl, p)
   if code ~= 1 then
     return nil, format_error(string.format("mac.new: invalid cipher or digest type"))
   end
@@ -53,6 +54,7 @@ function _M.new(key, typ, cipher, digest, properties)
     algo = algo,
     buf = ctypes.uchar_array(md_size),
     buf_size = md_size,
+    _reset = function() return C.EVP_MAC_init(ctx, key, keyl, p) end,
   }, mt), nil
 end
 
@@ -73,25 +75,33 @@ _M.settable_params, _M.set_params, _M.gettable_params, _M.get_param = param_lib.
 function _M:update(...)
   for _, s in ipairs({...}) do
     if C.EVP_MAC_update(self.ctx, s, #s) ~= 1 then
-      return false, format_error("digest:update")
+      return false, format_error("mac:update")
     end
   end
   return true, nil
 end
 
 function _M:final(s)
   if s then
-    local _, err = self:update(s)
-    if err then
-      return nil, err
+    if C.EVP_MAC_update(self.ctx, s, #s) ~= 1 then
+      return false, format_error("mac:final")
     end
   end
 
   local length = ctypes.ptr_of_size_t()
   if C.EVP_MAC_final(self.ctx, self.buf, length, self.buf_size) ~= 1 then
-    return nil, format_error("digest:final: EVP_MAC_final")
+    return nil, format_error("mac:final: EVP_MAC_final")
   end
   return ffi_str(self.buf, length[0])
 end
 
+function _M:reset()
+  local code = self._reset()
+  if code ~= 1 then
+    return false, format_error("mac:reset")
+  end
+
+  return true
+end
+
 return _M
