25776463823

Committed 13 May 2026 03:28AM UTC coverage: 91.231% (-2.6%) from 93.832%

Build # 25776463823

Build Type

Pull #408

travis-ci

Committed by

zhaozg

Commit Message

feat(pqc): Phase 2.4 - Provider Management for PQC

Add PQC provider management capabilities to the provider module:

- Add `provider.query_pqc_algorithms()` to probe and list available PQC
  algorithms by attempting key generation for known PQC algorithm names
- Add `provider.load_pqc_providers()` to auto-detect and load common
  PQC providers (oqsprovider, liboqs, oqs, oqs-provider)
- Auto-load common PQC providers on module initialization (best-effort)
- Support both old OQS names (DILITHIUM2, KYBER768, etc.) and
  standardized NIST names (ML-DSA-44, ML-KEM-768, SLH-DSA-SHA2-*, etc.)
- Add comprehensive LDoc documentation for all new functions
- Add test suite covering query, load, and combined scenarios

This completes Phase 2.4 of the PQC implementation roadmap.

Pull Request Pull Request #408: Feat/pqc

Coverage Stats

913 of 1124 new or added lines in 10 files covered. (81.23%)

45 existing lines in 10 files now uncovered.

9519 of 10434 relevant lines covered (91.23%)

1598.73 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.12

/src/kdf.c

/***
kdf module perform EVP_KDF operations.
It base on EVP_KDF in OpenSSL v3.

@module kdf
@author  george zhao <zhaozg(at)gmail.com>
@usage
  kdf = require('openssl').kdf
*/
#include "auxiliar.h"
#include "lua.h"
#include "openssl.h"
#include "private.h"

#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#include <openssl/core_names.h>
#include <openssl/kdf.h>

static EVP_KDF *
get_kdf(lua_State *L, int idx)
{
  EVP_KDF *kdf = NULL;
  switch (lua_type(L, idx)) {
  case LUA_TSTRING:
    kdf = EVP_KDF_fetch(NULL, lua_tostring(L, idx), NULL);
    break;
#if 0
  case LUA_TNUMBER:
    kdf = EVP_KDF_fetch(NULL, lua_tostring(L, idx), NULL);
    break;
#endif
  case LUA_TUSERDATA:
#if 0
    if (auxiliar_getclassudata(L, "openssl.asn1_object", idx))
      kdf = EVP_get_digestbyobj(CHECK_OBJECT(idx, ASN1_OBJECT, "openssl.asn1_object"));
    else
#endif
    if (auxiliar_getclassudata(L, "openssl.kdf", idx))
    {
      kdf = CHECK_OBJECT(idx, EVP_KDF, "openssl.kdf");
      if (kdf) {
        EVP_KDF_up_ref(kdf);
      }
    }
    break;
  }

  if (kdf == NULL) {
    luaL_argerror(L, idx, "must be a string for KDF method name");
  }

  return kdf;
}

/***
traverses all openssl.kdf, and calls fn with each openssl.kdf

@function iterator
@tparam function cb(openssl.kdf)
@treturn none
*/
static void
kdf_iterator_cb(EVP_KDF *kdf, void *data)
{
  lua_State *L = (lua_State *)data;
  int        typ = lua_rawgetp(L, LUA_REGISTRYINDEX, (void *)kdf_iterator_cb);
  assert(typ == LUA_TFUNCTION);

  EVP_KDF_up_ref(kdf);
  PUSH_OBJECT(kdf, "openssl.kdf");
  if (lua_pcall(L, 1, 1, 0) != 0) luaL_error(L, lua_tostring(L, -1));
}

static int
openssl_kdf_iterator_kdf(lua_State *L)
{
  luaL_checktype(L, 1, LUA_TFUNCTION);

  lua_pushvalue(L, 1);
  lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)kdf_iterator_cb);

  EVP_KDF_do_all_provided(NULL, kdf_iterator_cb, openssl_mainthread(L));
  lua_pushnil(L);
  lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)kdf_iterator_cb);
  return 0;
}

/***
fetch openssl.kdf object by name

@function fetch
@tparam string name
@treturn openssl.kdf
*/
static int
openssl_kdf_fetch(lua_State *L)
{
  const char *name = luaL_checkstring(L, 1);
  EVP_KDF    *kdf = EVP_KDF_fetch(NULL, name, NULL);
  PUSH_OBJECT(kdf, "openssl.kdf");

  return 1;
}

static int
openssl_kdf_free(lua_State *L)
{
  EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  EVP_KDF_free(kdf);

  return 0;
}
#endif

/***
compute KDF delive, openssl version >= v3

@function deilver
@tparam evp_kdf|string kdf
@tparam table array of paramaters
@treturn string result binary string
*/

/***
compute KDF delive, openssl version < v3

@function deilver
@tparam string pass
@tparam string salt
@tparam string|object|nid digest
@tparam[opt=1000] number iterator
@tparam[opt=32] number keylen
@treturn string deilved result binary string
*/
static int
openssl_kdf_derive(lua_State *L)
{
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
  EVP_KDF      *kdf = get_kdf(L, 1);
  OSSL_PARAM   *params = openssl_toparams(L, 2);
  unsigned char key[64] = { 0 };
  size_t        sz = luaL_optinteger(L, 3, 16);
  luaL_argcheck(L, sz <= sizeof(key), 3, "out of support range, limited to 64");

  EVP_KDF_CTX *ctx = EVP_KDF_CTX_new(kdf);

  int ret = EVP_KDF_derive(ctx, key, sz, params);
  if (ret > 0) {
    lua_pushlstring(L, (const char *)key, sz);
    ret = 1;
  } else {
    ret = openssl_pushresult(L, ret);
  }
  EVP_KDF_free(kdf);
  EVP_KDF_CTX_free(ctx);
  OPENSSL_free(params);
  return ret;
#else
  size_t        passlen, saltlen;
  const char   *pass = luaL_checklstring(L, 1, &passlen);
  const char   *salt = luaL_checklstring(L, 2, &saltlen);
  const EVP_MD *md = get_digest(L, 3, NULL);
  int           iter = luaL_optinteger(L, 4, 1000);
  int           keylen = luaL_optinteger(L, 5, 32);
  unsigned char key[256] = { 0 };

  luaL_argcheck(L, keylen <= sizeof(key), 5, "out of support range, limited to 256");

  int ret = PKCS5_PBKDF2_HMAC(
    pass, (int)passlen, (const unsigned char *)salt, (int)saltlen, iter, md, keylen, key);
  if (ret == 1) {
    lua_pushlstring(L, (const char *)key, keylen);
  } else
    ret = openssl_pushresult(L, ret);

  return ret;
#endif
}

#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
/***
openssl.kdf_ctx object
@type kdf_ctx
*/

/***
duplicate kdf_ctx object

@function dup
@treturn openssl.kdf_ctx|fail
*/
static int
openssl_kdf_ctx_dup(lua_State *L)
{
  EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  c = EVP_KDF_CTX_dup(c);
  if (c)
    PUSH_OBJECT(c, "openssl.kdf_ctx");
  else
    lua_pushnil(L);
  return 1;
}

/***
reset kdf_ctx object

@function reset
@treturn openssl.kdf_ctx
*/
static int
openssl_kdf_ctx_reset(lua_State *L)
{
  EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  EVP_KDF_CTX_reset(c);
  lua_pushvalue(L, 1);
  return 1;
}

/***
derive the key

@function derive
@tparam table paramaters settable paramaters can be get by `kdf:settable_ctx_params()`
@treturn string|fail
*/
static int
openssl_kdf_ctx_derive(lua_State *L)
{
  EVP_KDF_CTX  *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  OSSL_PARAM   *params = openssl_toparams(L, 2);
  unsigned char key[64] = { 0 };
  size_t        sz = luaL_optinteger(L, 3, 16);
  luaL_argcheck(L, sz <= sizeof(key), 3, "out of support range, limited to 64");

  int ret = EVP_KDF_derive(c, key, sz, params);
  if (ret > 0) {
    lua_pushlstring(L, (const char *)key, sz);
    ret = 1;
  } else {
    ret = openssl_pushresult(L, ret);
  }
  OPENSSL_free(params);
  return ret;
}

/***
get size of openssl.kdf_ctx

@function size
@treturn number
*/
static int
openssl_kdf_ctx_size(lua_State *L)
{
  EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  lua_pushinteger(L, EVP_KDF_CTX_get_kdf_size(c));

  return 1;
}

/***
get openssl.kdf of openssl.kdf_ctx

@function kdf
@treturn openssl.kdf
*/
static int
openssl_kdf_ctx_kdf(lua_State *L)
{
  EVP_KDF_CTX   *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  const EVP_KDF *kdf = EVP_KDF_CTX_kdf(c);
  PUSH_OBJECT(kdf, "openssl.kdf");

  return 1;
}

/***
get array with parameters that describes the retrievable parameters.

@function gettable_params
@treturn table
*/
static int
openssl_kdf_ctx_gettable_params(lua_State *L)
{
  EVP_KDF_CTX      *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  const OSSL_PARAM *params = EVP_KDF_CTX_gettable_params(ctx);
  return openssl_pushparams(L, params);
}

/***
get array with parameters that describes the settable parameters.

@function settable_params
@treturn table
*/
static int
openssl_kdf_ctx_settable_params(lua_State *L)
{
  EVP_KDF_CTX      *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  const OSSL_PARAM *params = EVP_KDF_CTX_settable_params(ctx);
  return openssl_pushparams(L, params);
}

/***
retrieves parameters

@function get_params
@tparam table parameters to retrieves
@treturn table
*/
static int
openssl_kdf_ctx_get_params(lua_State *L)
{
  EVP_KDF_CTX *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  OSSL_PARAM  *params = openssl_toparams(L, 2);
  int          ret = EVP_KDF_CTX_get_params(ctx, params);
  if (ret == 1)
    ret = openssl_pushparams(L, params);
  else {
    ret = openssl_pushparams(L, params);
    ret += openssl_pushresult(L, ret);
  }
  OPENSSL_free(params);
  return ret;
}

/***
set parameters

@function set_params
@tparam table parameters
@treturn boolean
*/
static int
openssl_kdf_ctx_set_params(lua_State *L)
{
  EVP_KDF_CTX *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  OSSL_PARAM  *params = openssl_toparams(L, 2);
  int          ret = EVP_KDF_CTX_set_params(ctx, params);
  OPENSSL_free(params);
  return openssl_pushresult(L, ret);
}

/***
openssl.kdf object
@type openssl.kdf
*/

/***
compute KDF delive

@function deilver
@tparam table array of paramaters
@treturn string result binary string
*/

/***
create new openssl.kdf_ctx object

@function fetch
@treturn openssl.kdf_ctx|fail
*/
/***
create new KDF context
@function new
@tparam string algorithm KDF algorithm name
@treturn kdf_ctx new KDF context object or nil if failed
*/
static int
openssl_kdf_ctx_new(lua_State *L)
{
  EVP_KDF     *type = get_kdf(L, 1);
  EVP_KDF_CTX *c = EVP_KDF_CTX_new(type);
  int          ret = 1;
  if (c)
    PUSH_OBJECT(c, "openssl.kdf_ctx");
  else
    ret = openssl_pushresult(L, 0);
  EVP_KDF_free(type);
  return ret;
}

static int
openssl_kdf_ctx_free(lua_State *L)
{
  EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
  if (!c) return 0;
  EVP_KDF_CTX_free(c);

  FREE_OBJECT(1);
  return 0;
}

/***
get description

@function description
@treturn openssl.kdf_ctx
*/
static int
openssl_kdf_description(lua_State *L)
{
  const EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  lua_pushstring(L, EVP_KDF_get0_description(kdf));
  return 1;
}

/***
get description

@function name
@treturn string|nil
*/
static int
openssl_kdf_name(lua_State *L)
{
  const EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  lua_pushstring(L, EVP_KDF_get0_name(kdf));
  return 1;
}

/***
get provider

@function provider
@treturn lightuserdata
*/
static int
openssl_kdf_provider(lua_State *L)
{
  const EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  lua_pushlightuserdata(L, (void *)EVP_KDF_get0_provider(kdf));
  return 1;
}

/***
check kdf is an implementation of an algorithm that's identifiable with name

@function is_a
@tparam string name an algorithm that's identifiable with name
@treturn boolean
*/
static int
openssl_kdf_is_a(lua_State *L)
{
  EVP_KDF    *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  const char *name = luaL_checkstring(L, 2);
  lua_pushboolean(L, EVP_KDF_is_a(kdf, name));
  return 1;
}

/***
traverses all names for kdf, and calls fn with each name

@function iterator
@tparam function cb(name)
@treturn boolean
*/
static void
iterator_cb(const char *name, void *data)
{
  lua_State *L = (lua_State *)data;
  int        typ = lua_rawgetp(L, LUA_REGISTRYINDEX, (void *)iterator_cb);
  assert(typ == LUA_TFUNCTION);

  lua_pushstring(L, name);
  if (lua_pcall(L, 1, 1, 0) != 0) luaL_error(L, lua_tostring(L, -1));
}

static int
openssl_kdf_iterator(lua_State *L)
{
  int      ret;
  EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  luaL_checktype(L, 2, LUA_TFUNCTION);

  lua_pushvalue(L, 2);
  lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)iterator_cb);

  ret = EVP_KDF_names_do_all(kdf, iterator_cb, L);
  lua_pushboolean(L, ret);
  lua_pushnil(L);
  lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)iterator_cb);
  return 1;
}

/***
get array that describes the retrievable parameters.

@function gettable_params
@treturn table
*/
static int
openssl_kdf_gettable_params(lua_State *L)
{
  EVP_KDF          *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  const OSSL_PARAM *params = EVP_KDF_gettable_params(kdf);
  return openssl_pushparams(L, params);
}

/***
get array with parameters that can be retrieved from an openssl.kdf_ctx.

@function gettable_ctx_params
@treturn table
*/
static int
openssl_kdf_gettable_ctx_params(lua_State *L)
{
  EVP_KDF          *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  const OSSL_PARAM *params = EVP_KDF_gettable_ctx_params(kdf);
  return openssl_pushparams(L, params);
}

/***
get array with parameters that can be set to an openssl.kdf_ctx.

@function settable_ctx_params
@treturn table
*/
static int
openssl_kdf_settable_ctx_params(lua_State *L)
{
  EVP_KDF          *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  const OSSL_PARAM *params = EVP_KDF_settable_ctx_params(kdf);
  return openssl_pushparams(L, params);
}

/***
retrieves details about the implementation kdf.

@function get_params
@treturn table
*/
static int
openssl_kdf_get_params(lua_State *L)
{
  EVP_KDF    *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
  OSSL_PARAM *params = openssl_toparams(L, 2);
  int         ret = EVP_KDF_get_params(kdf, params);
  if (ret == 1)
    ret = openssl_pushparams(L, params);
  else {
    ret = openssl_pushparams(L, params);
    ret += openssl_pushresult(L, ret);
  }
  OPENSSL_free(params);
  return ret;
}

static luaL_Reg kdf_ctx_funs[] = {
  { "dup",             openssl_kdf_ctx_dup             },
  { "reset",           openssl_kdf_ctx_reset           },
  { "derive",          openssl_kdf_ctx_derive          },
  { "size",            openssl_kdf_ctx_size            },
  { "kdf",             openssl_kdf_ctx_kdf             },

  { "gettable_params", openssl_kdf_ctx_gettable_params },
  { "settable_params", openssl_kdf_ctx_settable_params },
  { "get_params",      openssl_kdf_ctx_get_params      },
  { "set_params",      openssl_kdf_ctx_set_params      },

  { "__tostring",      auxiliar_tostring               },
  { "__gc",            openssl_kdf_ctx_free            },

  { NULL,              NULL                            }
};

static luaL_Reg kdf_funs[] = {
  { "description",         openssl_kdf_description         },
  { "name",                openssl_kdf_name                },
  { "provider",            openssl_kdf_provider            },
  { "is_a",                openssl_kdf_is_a                },
  { "iterator",            openssl_kdf_iterator            },
  { "derive",              openssl_kdf_derive              },
  { "new",                 openssl_kdf_ctx_new             },

  { "gettable_params",     openssl_kdf_gettable_params     },
  { "settable_ctx_params", openssl_kdf_settable_ctx_params },
  { "gettable_ctx_params", openssl_kdf_gettable_ctx_params },
  { "get_params",          openssl_kdf_get_params          },

  { "__tostring",          auxiliar_tostring               },
  { "__gc",                openssl_kdf_free                },

  { NULL,                  NULL                            }
};
#endif

static const luaL_Reg kdf_R[] = {
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
  { "fetch",    openssl_kdf_fetch        },
  { "iterator", openssl_kdf_iterator_kdf },
#endif
  { "derive",   openssl_kdf_derive       },

  { NULL,       NULL                     }
};

int
luaopen_kdf(lua_State *L)
{
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
  auxiliar_newclass(L, "openssl.kdf", kdf_funs);
  auxiliar_newclass(L, "openssl.kdf_ctx", kdf_ctx_funs);
#endif

  lua_newtable(L);
  luaL_setfuncs(L, kdf_R, 0);

#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
  lua_pushliteral(L, "names");
  lua_newtable(L);

  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_HKDF, OSSL_KDF_NAME_HKDF, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_TLS1_3_KDF, OSSL_KDF_NAME_TLS1_3_KDF, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_PBKDF1, OSSL_KDF_NAME_PBKDF1, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_PBKDF2, OSSL_KDF_NAME_PBKDF2, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_SCRYPT, OSSL_KDF_NAME_SCRYPT, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_SSHKDF, OSSL_KDF_NAME_SSHKDF, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_SSKDF, OSSL_KDF_NAME_SSKDF, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_TLS1_PRF, OSSL_KDF_NAME_TLS1_PRF, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_X942KDF_ASN1, OSSL_KDF_NAME_X942KDF_ASN1, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_X942KDF_CONCAT, OSSL_KDF_NAME_X942KDF_CONCAT, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_X963KDF, OSSL_KDF_NAME_X963KDF, string);
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_KBKDF, OSSL_KDF_NAME_KBKDF, string);
#if defined(OSSL_KDF_NAME_KRB5KDF)
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_KRB5KDF, OSSL_KDF_NAME_KRB5KDF, string);
#endif

/* Argon2 KDF names (OpenSSL 3.2+) */
#if defined(OSSL_KDF_NAME_ARGON2I)
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_ARGON2I, OSSL_KDF_NAME_ARGON2I, string);
#endif
#if defined(OSSL_KDF_NAME_ARGON2D)
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_ARGON2D, OSSL_KDF_NAME_ARGON2D, string);
#endif
#if defined(OSSL_KDF_NAME_ARGON2ID)
  AUXILIAR_SET(L, -1, OSSL_KDF_NAME_ARGON2ID, OSSL_KDF_NAME_ARGON2ID, string);
#endif

  lua_rawset(L, -3);
#endif

  return 1;
}

1	/***
2	kdf module perform EVP_KDF operations.
3	It base on EVP_KDF in OpenSSL v3.
4
5	@module kdf
6	@author george zhao <zhaozg(at)gmail.com>
7	@usage
8	kdf = require('openssl').kdf
9	*/
10	#include "auxiliar.h"
11	#include "lua.h"
12	#include "openssl.h"
13	#include "private.h"
14
15	#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
16	#include <openssl/core_names.h>
17	#include <openssl/kdf.h>
18
19	static EVP_KDF *
20	get_kdf(lua_State *L, int idx)
21	{
22	EVP_KDF *kdf = NULL;
23	switch (lua_type(L, idx)) {
24	case LUA_TSTRING:
25	kdf = EVP_KDF_fetch(NULL, lua_tostring(L, idx), NULL);
26	break;
27	#if 0
28	case LUA_TNUMBER:
29	kdf = EVP_KDF_fetch(NULL, lua_tostring(L, idx), NULL);
30	break;
31	#endif
32	case LUA_TUSERDATA:
33	#if 0
34	if (auxiliar_getclassudata(L, "openssl.asn1_object", idx))
35	kdf = EVP_get_digestbyobj(CHECK_OBJECT(idx, ASN1_OBJECT, "openssl.asn1_object"));
36	else
37	#endif
38	if (auxiliar_getclassudata(L, "openssl.kdf", idx))
39	{
40	kdf = CHECK_OBJECT(idx, EVP_KDF, "openssl.kdf");
41	if (kdf) {
42	EVP_KDF_up_ref(kdf);
43	}
44	}
45	break;
46	}
47
48	if (kdf == NULL) {
49	luaL_argerror(L, idx, "must be a string for KDF method name");
50	}
51
52	return kdf;
53	}
54
55	/***
56	traverses all openssl.kdf, and calls fn with each openssl.kdf
57
58	@function iterator
59	@tparam function cb(openssl.kdf)
60	@treturn none
61	*/
62	static void
63	kdf_iterator_cb(EVP_KDF kdf, void data)
64	{
65	lua_State L = (lua_State )data;
66	int typ = lua_rawgetp(L, LUA_REGISTRYINDEX, (void *)kdf_iterator_cb);
67	assert(typ == LUA_TFUNCTION);
68
69	EVP_KDF_up_ref(kdf);
70	PUSH_OBJECT(kdf, "openssl.kdf");
71	if (lua_pcall(L, 1, 1, 0) != 0) luaL_error(L, lua_tostring(L, -1));
72	}
73
74	static int
75	openssl_kdf_iterator_kdf(lua_State *L)
76	{
77	luaL_checktype(L, 1, LUA_TFUNCTION);
78
79	lua_pushvalue(L, 1);
80	lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)kdf_iterator_cb);
81
82	EVP_KDF_do_all_provided(NULL, kdf_iterator_cb, openssl_mainthread(L));
83	lua_pushnil(L);
84	lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)kdf_iterator_cb);
85	return 0;
86	}
87
88	/***
89	fetch openssl.kdf object by name
90
91	@function fetch
92	@tparam string name
93	@treturn openssl.kdf
94	*/
95	static int
96	openssl_kdf_fetch(lua_State *L)
97	{
98	const char *name = luaL_checkstring(L, 1);
99	EVP_KDF *kdf = EVP_KDF_fetch(NULL, name, NULL);
100	PUSH_OBJECT(kdf, "openssl.kdf");
101
102	return 1;
103	}
104
105	static int
106	openssl_kdf_free(lua_State *L)
107	{
108	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
109	EVP_KDF_free(kdf);
110
111	return 0;
112	}
113	#endif
114
115	/***
116	compute KDF delive, openssl version >= v3
117
118	@function deilver
119	@tparam evp_kdf\|string kdf
120	@tparam table array of paramaters
121	@treturn string result binary string
122	*/
123
124	/***
125	compute KDF delive, openssl version < v3
126
127	@function deilver
128	@tparam string pass
129	@tparam string salt
130	@tparam string\|object\|nid digest
131	@tparam[opt=1000] number iterator
132	@tparam[opt=32] number keylen
133	@treturn string deilved result binary string
134	*/
135	static int
136	openssl_kdf_derive(lua_State *L)	2✔
137	{
138	#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
139	EVP_KDF *kdf = get_kdf(L, 1);
140	OSSL_PARAM *params = openssl_toparams(L, 2);
141	unsigned char key[64] = { 0 };
142	size_t sz = luaL_optinteger(L, 3, 16);
143	luaL_argcheck(L, sz <= sizeof(key), 3, "out of support range, limited to 64");
144
145	EVP_KDF_CTX *ctx = EVP_KDF_CTX_new(kdf);
146
147	int ret = EVP_KDF_derive(ctx, key, sz, params);
148	if (ret > 0) {
149	lua_pushlstring(L, (const char *)key, sz);
150	ret = 1;
151	} else {
152	ret = openssl_pushresult(L, ret);
153	}
154	EVP_KDF_free(kdf);
155	EVP_KDF_CTX_free(ctx);
156	OPENSSL_free(params);
157	return ret;
158	#else
159	size_t passlen, saltlen;
160	const char *pass = luaL_checklstring(L, 1, &passlen);	2✔
161	const char *salt = luaL_checklstring(L, 2, &saltlen);	2✔
162	const EVP_MD *md = get_digest(L, 3, NULL);	2✔
163	int iter = luaL_optinteger(L, 4, 1000);	2✔
164	int keylen = luaL_optinteger(L, 5, 32);	2✔
165	unsigned char key[256] = { 0 };	2✔
166
167	luaL_argcheck(L, keylen <= sizeof(key), 5, "out of support range, limited to 256");	2✔
168
169	int ret = PKCS5_PBKDF2_HMAC(	2✔
170	pass, (int)passlen, (const unsigned char *)salt, (int)saltlen, iter, md, keylen, key);
171	if (ret == 1) {	2✔
172	lua_pushlstring(L, (const char *)key, keylen);	2✔
173	} else
UNCOV 174	ret = openssl_pushresult(L, ret);	×
175
176	return ret;	2✔
177	#endif
178	}
179
180	#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
181	/***
182	openssl.kdf_ctx object
183	@type kdf_ctx
184	*/
185
186	/***
187	duplicate kdf_ctx object
188
189	@function dup
190	@treturn openssl.kdf_ctx\|fail
191	*/
192	static int
193	openssl_kdf_ctx_dup(lua_State *L)
194	{
195	EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
196	c = EVP_KDF_CTX_dup(c);
197	if (c)
198	PUSH_OBJECT(c, "openssl.kdf_ctx");
199	else
200	lua_pushnil(L);
201	return 1;
202	}
203
204	/***
205	reset kdf_ctx object
206
207	@function reset
208	@treturn openssl.kdf_ctx
209	*/
210	static int
211	openssl_kdf_ctx_reset(lua_State *L)
212	{
213	EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
214	EVP_KDF_CTX_reset(c);
215	lua_pushvalue(L, 1);
216	return 1;
217	}
218
219	/***
220	derive the key
221
222	@function derive
223	@tparam table paramaters settable paramaters can be get by `kdf:settable_ctx_params()`
224	@treturn string\|fail
225	*/
226	static int
227	openssl_kdf_ctx_derive(lua_State *L)
228	{
229	EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
230	OSSL_PARAM *params = openssl_toparams(L, 2);
231	unsigned char key[64] = { 0 };
232	size_t sz = luaL_optinteger(L, 3, 16);
233	luaL_argcheck(L, sz <= sizeof(key), 3, "out of support range, limited to 64");
234
235	int ret = EVP_KDF_derive(c, key, sz, params);
236	if (ret > 0) {
237	lua_pushlstring(L, (const char *)key, sz);
238	ret = 1;
239	} else {
240	ret = openssl_pushresult(L, ret);
241	}
242	OPENSSL_free(params);
243	return ret;
244	}
245
246	/***
247	get size of openssl.kdf_ctx
248
249	@function size
250	@treturn number
251	*/
252	static int
253	openssl_kdf_ctx_size(lua_State *L)
254	{
255	EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
256	lua_pushinteger(L, EVP_KDF_CTX_get_kdf_size(c));
257
258	return 1;
259	}
260
261	/***
262	get openssl.kdf of openssl.kdf_ctx
263
264	@function kdf
265	@treturn openssl.kdf
266	*/
267	static int
268	openssl_kdf_ctx_kdf(lua_State *L)
269	{
270	EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
271	const EVP_KDF *kdf = EVP_KDF_CTX_kdf(c);
272	PUSH_OBJECT(kdf, "openssl.kdf");
273
274	return 1;
275	}
276
277	/***
278	get array with parameters that describes the retrievable parameters.
279
280	@function gettable_params
281	@treturn table
282	*/
283	static int
284	openssl_kdf_ctx_gettable_params(lua_State *L)
285	{
286	EVP_KDF_CTX *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
287	const OSSL_PARAM *params = EVP_KDF_CTX_gettable_params(ctx);
288	return openssl_pushparams(L, params);
289	}
290
291	/***
292	get array with parameters that describes the settable parameters.
293
294	@function settable_params
295	@treturn table
296	*/
297	static int
298	openssl_kdf_ctx_settable_params(lua_State *L)
299	{
300	EVP_KDF_CTX *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
301	const OSSL_PARAM *params = EVP_KDF_CTX_settable_params(ctx);
302	return openssl_pushparams(L, params);
303	}
304
305	/***
306	retrieves parameters
307
308	@function get_params
309	@tparam table parameters to retrieves
310	@treturn table
311	*/
312	static int
313	openssl_kdf_ctx_get_params(lua_State *L)
314	{
315	EVP_KDF_CTX *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
316	OSSL_PARAM *params = openssl_toparams(L, 2);
317	int ret = EVP_KDF_CTX_get_params(ctx, params);
318	if (ret == 1)
319	ret = openssl_pushparams(L, params);
320	else {
321	ret = openssl_pushparams(L, params);
322	ret += openssl_pushresult(L, ret);
323	}
324	OPENSSL_free(params);
325	return ret;
326	}
327
328	/***
329	set parameters
330
331	@function set_params
332	@tparam table parameters
333	@treturn boolean
334	*/
335	static int
336	openssl_kdf_ctx_set_params(lua_State *L)
337	{
338	EVP_KDF_CTX *ctx = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
339	OSSL_PARAM *params = openssl_toparams(L, 2);
340	int ret = EVP_KDF_CTX_set_params(ctx, params);
341	OPENSSL_free(params);
342	return openssl_pushresult(L, ret);
343	}
344
345	/***
346	openssl.kdf object
347	@type openssl.kdf
348	*/
349
350	/***
351	compute KDF delive
352
353	@function deilver
354	@tparam table array of paramaters
355	@treturn string result binary string
356	*/
357
358	/***
359	create new openssl.kdf_ctx object
360
361	@function fetch
362	@treturn openssl.kdf_ctx\|fail
363	*/
364	/***
365	create new KDF context
366	@function new
367	@tparam string algorithm KDF algorithm name
368	@treturn kdf_ctx new KDF context object or nil if failed
369	*/
370	static int
371	openssl_kdf_ctx_new(lua_State *L)
372	{
373	EVP_KDF *type = get_kdf(L, 1);
374	EVP_KDF_CTX *c = EVP_KDF_CTX_new(type);
375	int ret = 1;
376	if (c)
377	PUSH_OBJECT(c, "openssl.kdf_ctx");
378	else
379	ret = openssl_pushresult(L, 0);
380	EVP_KDF_free(type);
381	return ret;
382	}
383
384	static int
385	openssl_kdf_ctx_free(lua_State *L)
386	{
387	EVP_KDF_CTX *c = CHECK_OBJECT(1, EVP_KDF_CTX, "openssl.kdf_ctx");
388	if (!c) return 0;
389	EVP_KDF_CTX_free(c);
390
391	FREE_OBJECT(1);
392	return 0;
393	}
394
395	/***
396	get description
397
398	@function description
399	@treturn openssl.kdf_ctx
400	*/
401	static int
402	openssl_kdf_description(lua_State *L)
403	{
404	const EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
405	lua_pushstring(L, EVP_KDF_get0_description(kdf));
406	return 1;
407	}
408
409	/***
410	get description
411
412	@function name
413	@treturn string\|nil
414	*/
415	static int
416	openssl_kdf_name(lua_State *L)
417	{
418	const EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
419	lua_pushstring(L, EVP_KDF_get0_name(kdf));
420	return 1;
421	}
422
423	/***
424	get provider
425
426	@function provider
427	@treturn lightuserdata
428	*/
429	static int
430	openssl_kdf_provider(lua_State *L)
431	{
432	const EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
433	lua_pushlightuserdata(L, (void *)EVP_KDF_get0_provider(kdf));
434	return 1;
435	}
436
437	/***
438	check kdf is an implementation of an algorithm that's identifiable with name
439
440	@function is_a
441	@tparam string name an algorithm that's identifiable with name
442	@treturn boolean
443	*/
444	static int
445	openssl_kdf_is_a(lua_State *L)
446	{
447	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
448	const char *name = luaL_checkstring(L, 2);
449	lua_pushboolean(L, EVP_KDF_is_a(kdf, name));
450	return 1;
451	}
452
453	/***
454	traverses all names for kdf, and calls fn with each name
455
456	@function iterator
457	@tparam function cb(name)
458	@treturn boolean
459	*/
460	static void
461	iterator_cb(const char name, void data)
462	{
463	lua_State L = (lua_State )data;
464	int typ = lua_rawgetp(L, LUA_REGISTRYINDEX, (void *)iterator_cb);
465	assert(typ == LUA_TFUNCTION);
466
467	lua_pushstring(L, name);
468	if (lua_pcall(L, 1, 1, 0) != 0) luaL_error(L, lua_tostring(L, -1));
469	}
470
471	static int
472	openssl_kdf_iterator(lua_State *L)
473	{
474	int ret;
475	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
476	luaL_checktype(L, 2, LUA_TFUNCTION);
477
478	lua_pushvalue(L, 2);
479	lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)iterator_cb);
480
481	ret = EVP_KDF_names_do_all(kdf, iterator_cb, L);
482	lua_pushboolean(L, ret);
483	lua_pushnil(L);
484	lua_rawsetp(L, LUA_REGISTRYINDEX, (void *)iterator_cb);
485	return 1;
486	}
487
488	/***
489	get array that describes the retrievable parameters.
490
491	@function gettable_params
492	@treturn table
493	*/
494	static int
495	openssl_kdf_gettable_params(lua_State *L)
496	{
497	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
498	const OSSL_PARAM *params = EVP_KDF_gettable_params(kdf);
499	return openssl_pushparams(L, params);
500	}
501
502	/***
503	get array with parameters that can be retrieved from an openssl.kdf_ctx.
504
505	@function gettable_ctx_params
506	@treturn table
507	*/
508	static int
509	openssl_kdf_gettable_ctx_params(lua_State *L)
510	{
511	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
512	const OSSL_PARAM *params = EVP_KDF_gettable_ctx_params(kdf);
513	return openssl_pushparams(L, params);
514	}
515
516	/***
517	get array with parameters that can be set to an openssl.kdf_ctx.
518
519	@function settable_ctx_params
520	@treturn table
521	*/
522	static int
523	openssl_kdf_settable_ctx_params(lua_State *L)
524	{
525	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
526	const OSSL_PARAM *params = EVP_KDF_settable_ctx_params(kdf);
527	return openssl_pushparams(L, params);
528	}
529
530	/***
531	retrieves details about the implementation kdf.
532
533	@function get_params
534	@treturn table
535	*/
536	static int
537	openssl_kdf_get_params(lua_State *L)
538	{
539	EVP_KDF *kdf = CHECK_OBJECT(1, EVP_KDF, "openssl.kdf");
540	OSSL_PARAM *params = openssl_toparams(L, 2);
541	int ret = EVP_KDF_get_params(kdf, params);
542	if (ret == 1)
543	ret = openssl_pushparams(L, params);
544	else {
545	ret = openssl_pushparams(L, params);
546	ret += openssl_pushresult(L, ret);
547	}
548	OPENSSL_free(params);
549	return ret;
550	}
551
552	static luaL_Reg kdf_ctx_funs[] = {
553	{ "dup", openssl_kdf_ctx_dup },
554	{ "reset", openssl_kdf_ctx_reset },
555	{ "derive", openssl_kdf_ctx_derive },
556	{ "size", openssl_kdf_ctx_size },
557	{ "kdf", openssl_kdf_ctx_kdf },
558
559	{ "gettable_params", openssl_kdf_ctx_gettable_params },
560	{ "settable_params", openssl_kdf_ctx_settable_params },
561	{ "get_params", openssl_kdf_ctx_get_params },
562	{ "set_params", openssl_kdf_ctx_set_params },
563
564	{ "__tostring", auxiliar_tostring },
565	{ "__gc", openssl_kdf_ctx_free },
566
567	{ NULL, NULL }
568	};
569
570	static luaL_Reg kdf_funs[] = {
571	{ "description", openssl_kdf_description },
572	{ "name", openssl_kdf_name },
573	{ "provider", openssl_kdf_provider },
574	{ "is_a", openssl_kdf_is_a },
575	{ "iterator", openssl_kdf_iterator },
576	{ "derive", openssl_kdf_derive },
577	{ "new", openssl_kdf_ctx_new },
578
579	{ "gettable_params", openssl_kdf_gettable_params },
580	{ "settable_ctx_params", openssl_kdf_settable_ctx_params },
581	{ "gettable_ctx_params", openssl_kdf_gettable_ctx_params },
582	{ "get_params", openssl_kdf_get_params },
583
584	{ "__tostring", auxiliar_tostring },
585	{ "__gc", openssl_kdf_free },
586
587	{ NULL, NULL }
588	};
589	#endif
590
591	static const luaL_Reg kdf_R[] = {
592	#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
593	{ "fetch", openssl_kdf_fetch },
594	{ "iterator", openssl_kdf_iterator_kdf },
595	#endif
596	{ "derive", openssl_kdf_derive },
597
598	{ NULL, NULL }
599	};
600
601	int
602	luaopen_kdf(lua_State *L)	15✔
603	{
604	#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
605	auxiliar_newclass(L, "openssl.kdf", kdf_funs);
606	auxiliar_newclass(L, "openssl.kdf_ctx", kdf_ctx_funs);
607	#endif
608
609	lua_newtable(L);	15✔
610	luaL_setfuncs(L, kdf_R, 0);	15✔
611
612	#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
613	lua_pushliteral(L, "names");
614	lua_newtable(L);
615
616	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_HKDF, OSSL_KDF_NAME_HKDF, string);
617	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_TLS1_3_KDF, OSSL_KDF_NAME_TLS1_3_KDF, string);
618	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_PBKDF1, OSSL_KDF_NAME_PBKDF1, string);
619	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_PBKDF2, OSSL_KDF_NAME_PBKDF2, string);
620	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_SCRYPT, OSSL_KDF_NAME_SCRYPT, string);
621	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_SSHKDF, OSSL_KDF_NAME_SSHKDF, string);
622	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_SSKDF, OSSL_KDF_NAME_SSKDF, string);
623	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_TLS1_PRF, OSSL_KDF_NAME_TLS1_PRF, string);
624	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_X942KDF_ASN1, OSSL_KDF_NAME_X942KDF_ASN1, string);
625	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_X942KDF_CONCAT, OSSL_KDF_NAME_X942KDF_CONCAT, string);
626	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_X963KDF, OSSL_KDF_NAME_X963KDF, string);
627	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_KBKDF, OSSL_KDF_NAME_KBKDF, string);
628	#if defined(OSSL_KDF_NAME_KRB5KDF)
629	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_KRB5KDF, OSSL_KDF_NAME_KRB5KDF, string);
630	#endif
631
632	/* Argon2 KDF names (OpenSSL 3.2+) */
633	#if defined(OSSL_KDF_NAME_ARGON2I)
634	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_ARGON2I, OSSL_KDF_NAME_ARGON2I, string);
635	#endif
636	#if defined(OSSL_KDF_NAME_ARGON2D)
637	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_ARGON2D, OSSL_KDF_NAME_ARGON2D, string);
638	#endif
639	#if defined(OSSL_KDF_NAME_ARGON2ID)
640	AUXILIAR_SET(L, -1, OSSL_KDF_NAME_ARGON2ID, OSSL_KDF_NAME_ARGON2ID, string);
641	#endif
642
643	lua_rawset(L, -3);
644	#endif
645
646	return 1;	15✔
647	}

zhaozg / lua-openssl / 25776463823

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous