feat(*) support BoringSSL

Author: fffonion

lib/resty/openssl/ec.lua

@@ -5,9 +5,11 @@ local ffi_gc = ffi.gc
 require "resty.openssl.include.ec"
 local bn_lib = require "resty.openssl.bn"
 local objects_lib = require "resty.openssl.objects"
+local ctypes = require "resty.openssl.aux.ctypes"
 
 local version_num = require("resty.openssl.version").version_num
 local format_error = require("resty.openssl.err").format_error
+local BORINGSSL = require("resty.openssl.version").BORINGSSL
 
 local _M = {}
 
@@ -36,11 +38,27 @@ function _M.get_parameters(ec_key_st)
         if point_form == nil then
           return nil, format_error("ec.get_parameters: EC_KEY_get_conv_form")
         end
-        bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp)
-        if bn == nil then
-          return nil, format_error("ec.get_parameters: EC_POINT_point2bn")
+        if BORINGSSL then
+          local sz = tonumber(C.EC_POINT_point2oct(group, pub_point, point_form, nil, 0, bn_lib.bn_ctx_tmp))
+          if sz <= 0 then
+            return nil, format_error("ec.get_parameters: EC_POINT_point2oct")
+          end
+          local buf = ctypes.uchar_array(sz)
+          C.EC_POINT_point2oct(group, pub_point, point_form, buf, sz, bn_lib.bn_ctx_tmp)
+          buf = ffi.string(buf, sz)
+          local err
+          bn, err = bn_lib.from_binary(buf)
+          if bn == nil then
+            return nil, "ec.get_parameters: bn_lib.from_binary: " .. err
+          end
+          return bn
+        else
+          bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp)
+          if bn == nil then
+            return nil, format_error("ec.get_parameters: EC_POINT_point2bn")
+          end
+          ffi_gc(bn, C.BN_free)
         end
-        ffi_gc(bn, C.BN_free)
       elseif k == 'private' or k == "priv_key" then
         -- get0, don't GC
         bn = C.EC_KEY_get0_private_key(ec_key_st)

lib/resty/openssl/include/ec.lua

@@ -31,6 +31,10 @@ ffi.cdef [[
 
   BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
     point_conversion_form_t form, BIGNUM *, BN_CTX *);
+  // for BoringSSL
+  size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
+        point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx);
   // OpenSSL < 1.1.1
   int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
     const EC_POINT *p,

lib/resty/openssl/include/evp.lua

@@ -1,11 +1,13 @@
 local ffi = require "ffi"
+local C = ffi.C
 local bit = require("bit")
 
 require "resty.openssl.include.ossl_typ"
 require "resty.openssl.include.objects"
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
 local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
+local BORINGSSL = require("resty.openssl.version").BORINGSSL
 
 ffi.cdef [[
   EVP_PKEY *EVP_PKEY_new(void);
@@ -270,4 +272,67 @@ _M.ecx_curves = {
   X448 = _M.EVP_PKEY_X448,
 }
 
+if OPENSSL_30 or BORINGSSL then
+  ffi.cdef [[
+    int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
+    int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
+
+    int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits);
+    int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
+    int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
+  ]]
+  _M.EVP_PKEY_CTX_set_ec_paramgen_curve_nid = function(pctx, nid)
+    return C.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid)
+  end
+  _M.EVP_PKEY_CTX_set_ec_param_enc = function(pctx, param_enc)
+    return C.EVP_PKEY_CTX_set_ec_param_enc(pctx, param_enc)
+  end
+
+  _M.EVP_PKEY_CTX_set_rsa_keygen_bits = function(pctx, mbits)
+    return C.EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, mbits)
+  end
+  _M.EVP_PKEY_CTX_set_rsa_keygen_pubexp = function(pctx, pubexp)
+    return C.EVP_PKEY_CTX_set_rsa_keygen_pubexp(pctx, pubexp)
+  end
+  _M.EVP_PKEY_CTX_set_rsa_padding = function(pctx, pad)
+    return C.EVP_PKEY_CTX_set_rsa_padding(pctx, pad)
+  end
+else
+  _M.EVP_PKEY_CTX_set_ec_paramgen_curve_nid = function(pctx, nid)
+    return C.EVP_PKEY_CTX_ctrl(pctx,
+                                _M.EVP_PKEY_EC,
+                                _M.EVP_PKEY_OP_PARAMGEN + _M.EVP_PKEY_OP_KEYGEN,
+                                _M.EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID,
+                                nid, nil)
+  end
+  _M.EVP_PKEY_CTX_set_ec_param_enc = function(pctx, param_enc)
+    return C.EVP_PKEY_CTX_ctrl(pctx,
+                                _M.EVP_PKEY_EC,
+                                _M.EVP_PKEY_OP_PARAMGEN + _M.EVP_PKEY_OP_KEYGEN,
+                                _M.EVP_PKEY_CTRL_EC_PARAM_ENC,
+                                param_enc, nil)
+  end
+
+  _M.EVP_PKEY_CTX_set_rsa_keygen_bits = function(pctx, mbits)
+    return C.EVP_PKEY_CTX_ctrl(pctx,
+                                _M.EVP_PKEY_RSA,
+                                _M.EVP_PKEY_OP_KEYGEN,
+                                _M.EVP_PKEY_CTRL_RSA_KEYGEN_BITS,
+                                mbits, nil)
+  end
+  _M.EVP_PKEY_CTX_set_rsa_keygen_pubexp = function(pctx, pubexp)
+    return C.EVP_PKEY_CTX_ctrl(pctx,
+                                _M.EVP_PKEY_RSA, _M.EVP_PKEY_OP_KEYGEN,
+                                _M.EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP,
+                                0, pubexp)
+  end
+  _M.EVP_PKEY_CTX_set_rsa_padding = function(pctx, pad)
+    return C.EVP_PKEY_CTX_ctrl(pctx,
+                                _M.EVP_PKEY_RSA,
+                                -1,
+                                _M.EVP_PKEY_CTRL_RSA_PADDING,
+                                pad, nil)
+  end
+end
+
 return _M

lib/resty/openssl/include/stack.lua

@@ -11,14 +11,15 @@ local C = ffi.C
 require "resty.openssl.include.ossl_typ"
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
+local BORINGSSL = require("resty.openssl.version").BORINGSSL
 
 local _M = {}
 
 ffi.cdef [[
   typedef char *OPENSSL_STRING;
 ]]
 
-if OPENSSL_11_OR_LATER then
+if OPENSSL_11_OR_LATER and not BORINGSSL then
   ffi.cdef [[
     typedef struct stack_st OPENSSL_STACK;
 
@@ -48,7 +49,7 @@ if OPENSSL_11_OR_LATER then
   _M.OPENSSL_sk_delete = C.OPENSSL_sk_delete
   _M.OPENSSL_sk_free = C.OPENSSL_sk_free
   _M.OPENSSL_sk_deep_copy = C.OPENSSL_sk_deep_copy
-elseif OPENSSL_10 then
+elseif OPENSSL_10 or BORINGSSL then
   ffi.cdef [[
     typedef struct stack_st _STACK;
     // i made this up

lib/resty/openssl/kdf.lua

@@ -9,6 +9,7 @@ local kdf_macro = require "resty.openssl.include.kdf"
 local format_error = require("resty.openssl.err").format_error
 local version_num = require("resty.openssl.version").version_num
 local version_text = require("resty.openssl.version").version_text
+local BORINGSSL = require("resty.openssl.version").BORINGSSL
 local ctypes = require "resty.openssl.aux.ctypes"
 local EVP_PKEY_OP_DERIVE = require("resty.openssl.include.evp").EVP_PKEY_OP_DERIVE
 
@@ -30,7 +31,7 @@ if version_num >= 0x10002000 then
   NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
   assert(NID_id_pbkdf2 > 0)
 end
-if version_num >= 0x10100000 then
+if version_num >= 0x10100000 and not BORINGSSL then
   NID_hkdf = C.OBJ_txt2nid("HKDF")
   assert(NID_hkdf > 0)
   NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")

lib/resty/openssl/pkey.lua

@@ -27,6 +27,7 @@ local format_error = require("resty.openssl.err").format_error
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
 local OPENSSL_111_OR_LATER = require("resty.openssl.version").OPENSSL_111_OR_LATER
 local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
+local BORINGSSL = require("resty.openssl.version").BORINGSSL
 
 local ptr_of_uint = ctypes.ptr_of_uint
 local ptr_of_size_t = ctypes.ptr_of_size_t
@@ -162,23 +163,16 @@ local function generate_param(key_type, config)
     if nid == 0 then
       return nil, "unknown curve " .. curve
     end
-    -- EVP_PKEY_CTX_set_ec_paramgen_curve_nid
-    if C.EVP_PKEY_CTX_ctrl(pctx,
-            evp_macro.EVP_PKEY_EC,
-            evp_macro.EVP_PKEY_OP_PARAMGEN + evp_macro.EVP_PKEY_OP_KEYGEN,
-            evp_macro.EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID,
-            nid, nil) <= 0 then
+    if evp_macro.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 then
       return nil, format_error("EVP_PKEY_CTX_ctrl: EC: curve_nid")
     end
-    -- use the named-curve encoding for best backward-compatibilty
-    -- and for playing well with go:crypto/x509
-    -- # define OPENSSL_EC_NAMED_CURVE  0x001
-    if C.EVP_PKEY_CTX_ctrl(pctx,
-            evp_macro.EVP_PKEY_EC,
-            evp_macro.EVP_PKEY_OP_PARAMGEN + evp_macro.EVP_PKEY_OP_KEYGEN,
-            evp_macro.EVP_PKEY_CTRL_EC_PARAM_ENC,
-            1, nil) <= 0 then
-      return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc")
+    if not BORINGSSL then
+      -- use the named-curve encoding for best backward-compatibilty
+      -- and for playing well with go:crypto/x509
+      -- # define OPENSSL_EC_NAMED_CURVE  0x001
+      if evp_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then
+        return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc")
+      end
     end
   elseif key_type == evp_macro.EVP_PKEY_DH then
     local bits = config.bits
@@ -302,11 +296,7 @@ local function generate_key(config)
       return nil, "bits out of range"
     end
 
-    -- EVP_PKEY_CTX_set_rsa_keygen_bits
-    if C.EVP_PKEY_CTX_ctrl(pctx,
-              evp_macro.EVP_PKEY_RSA, evp_macro.EVP_PKEY_OP_KEYGEN,
-              evp_macro.EVP_PKEY_CTRL_RSA_KEYGEN_BITS,
-              bits, nil) <= 0 then
+    if evp_macro.EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, bits) <= 0 then
       return nil, format_error("EVP_PKEY_CTX_ctrl: RSA: bits")
     end
 
@@ -317,11 +307,8 @@ local function generate_key(config)
         return nil, "BN_new() failed"
       end
       C.BN_set_word(exp, config.exp)
-      -- EVP_PKEY_CTX_set_rsa_keygen_pubexp
-      if C.EVP_PKEY_CTX_ctrl(pctx,
-                evp_macro.EVP_PKEY_RSA, evp_macro.EVP_PKEY_OP_KEYGEN,
-                evp_macro.EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP,
-                0, exp) <= 0 then
+
+      if evp_macro.EVP_PKEY_CTX_set_rsa_keygen_pubexp(pctx, exp) <= 0 then
         return nil, format_error("EVP_PKEY_CTX_ctrl: RSA: exp")
       end
     end
@@ -608,15 +595,7 @@ local function asymmetric_routine(self, s, op, padding)
 
   -- EVP_PKEY_CTX_ctrl must be called after *_init
   if self.key_type == evp_macro.EVP_PKEY_RSA and padding then
-    local code
-    if OPENSSL_30 then
-      code = C.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding)
-    else
-      code = C.EVP_PKEY_CTX_ctrl(pkey_ctx, evp_macro.EVP_PKEY_RSA, -1,
-                          evp_macro.EVP_PKEY_CTRL_RSA_PADDING,
-                          padding, nil)
-    end
-    if code ~= 1 then
+    if evp_macro.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding) ~= 1 then
       return nil, format_error("pkey:asymmetric_routine EVP_PKEY_CTX_ctrl")
     end
     self.rsa_padding = padding

lib/resty/openssl/version.lua

@@ -12,6 +12,8 @@ ffi.cdef[[
   const char *OpenSSL_version(int t);
   // >= 3.0
   const char *OPENSSL_info(int t);
+  // BoringSSL
+  int BORINGSSL_self_test(void);
 ]]
 
 local version_func, info_func
@@ -85,6 +87,12 @@ else
   end
 end
 
+local BORINGSSL = false
+pcall(function()
+  local _ = C.BORINGSSL_self_test
+  BORINGSSL = true
+end)
+
 return setmetatable({
     version_num = tonumber(version_num),
     version_text = ffi_str(version_func(0)),
@@ -100,6 +108,7 @@ return setmetatable({
     OPENSSL_11_OR_LATER = version_num >= 0x10100000 and version_num < 0x30100000,
     OPENSSL_111_OR_LATER = version_num >= 0x10101000 and version_num < 0x30100000,
     OPENSSL_10 = version_num < 0x10100000 and version_num > 0x10000000,
+    BORINGSSL = BORINGSSL,
   }, {
     __index = types_table,
 })

lib/resty/openssl/x509/extension.lua

@@ -15,6 +15,7 @@ local objects_lib = require "resty.openssl.objects"
 local stack_lib = require("resty.openssl.stack")
 local util = require "resty.openssl.util"
 local format_error = require("resty.openssl.err").format_error
+local BORINGSSL = require("resty.openssl.version").BORINGSSL
 
 local _M = {}
 local mt = { __index = _M }
@@ -28,15 +29,22 @@ local extension_types = {
   crl     = "resty.openssl.x509.crl",
 }
 
-local function nconf_load(conf, str)
-  local bio = C.BIO_new_mem_buf(str, #str)
-  if bio == nil then
-    return format_error("BIO_new_mem_buf")
+local nconf_load
+if BORINGSSL then
+  nconf_load = function()
+    return nil, "NCONF_load_bio not exported in BoringSSL"
   end
-  ffi_gc(bio, C.BIO_free)
+else
+  nconf_load = function(conf, str)
+    local bio = C.BIO_new_mem_buf(str, #str)
+    if bio == nil then
+      return format_error("BIO_new_mem_buf")
+    end
+    ffi_gc(bio, C.BIO_free)
 
-  if C.NCONF_load_bio(conf, bio, nil) ~= 1 then
-    return format_error("NCONF_load_bio")
+    if C.NCONF_load_bio(conf, bio, nil) ~= 1 then
+      return format_error("NCONF_load_bio")
+    end
   end
 end
 

scripts/types_test.py

@@ -3,7 +3,7 @@
 {
     "bn": {
         "new_from": "new(math.random(1, 2333333))",
-        "print": "to_hex",
+        "print": "to_hex():upper",
     },
     "number": {
         "new_from": "ngx.time()",

t/openssl/bn.t

@@ -150,8 +150,8 @@ bn:to_binary failed
     }
 --- request
     GET /t
---- response_body eval
-"5B25"
+--- response_body_like eval
+"5[Bb]25"
 --- no_error_log
 [error]