From 9e73d9c5947fcd68d41479bed552cd73bf945acf Mon Sep 17 00:00:00 2001 From: zhaozg Date: Sat, 30 Dec 2023 12:28:25 +0800 Subject: [PATCH] update kdf module --- src/kdf.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++-- src/openssl.c | 2 +- src/openssl.h | 2 +- test/2.kdf.lua | 25 ++++++++++++++++++++----- 4 files changed, 71 insertions(+), 9 deletions(-) diff --git a/src/kdf.c b/src/kdf.c index 7a2b555c..2988905a 100644 --- a/src/kdf.c +++ b/src/kdf.c @@ -94,17 +94,31 @@ static int openssl_kdf_fetch(lua_State *L) return 1; } +#endif /*** -compute KDF delive +compute KDF delive, openssl version >= v3 @function deilver @tparam evp_kdf|string kdf @tparam table array of paramaters @treturn string result binary string */ + +/*** +compute KDF delive, openssl version < v3 + +@function deilver +@tparam string pass +@tparam string salt +@tparam string|object|nid digest +@tparam[opt=1000] number iterator +@tparam[opt=32] number keylen +@treturn string deilved result binary string +*/ static int openssl_kdf_derive(lua_State *L) { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) EVP_KDF *kdf = get_kdf(L, 1); OSSL_PARAM *params = openssl_toparams(L, 2); unsigned char key[64] = {0}; 
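Review bot: Both doc blocks above openssl_kdf_derive declare `@function deilver`, so the generated documentation gets two entries under a misspelt name and neither matches the exported `derive`. I would write `@function derive` in both and state in the first line of each which OpenSSL build the signature applies to. The two signatures are incompatible (KDF object plus parameter table versus pass, salt, digest, iterations, length) and the choice is made at compile time, so a script cannot tell from the name which form it is calling. testDerive in test/2.kdf.lua calls the five-argument form without a version guard, which presumably fails on an OpenSSL 3 build where argument 1 goes through get_kdf. The function body continues past the end of this hunk.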
@@ -124,8 +138,35 @@ static int openssl_kdf_derive(lua_State *L) EVP_KDF_CTX_free(ctx); OPENSSL_free(params); return ret; +#else + size_t passlen, saltlen; + const char* pass = luaL_checklstring (L, 1, &passlen); + const char* salt = luaL_checklstring (L, 2, &saltlen); + const EVP_MD* md = get_digest(L, 3, NULL); + int iter = luaL_optinteger(L, 4, 1000); + int keylen = luaL_optinteger(L, 5, 32); + unsigned char key[256] = {0}; + + luaL_argcheck(L, keylen <= sizeof(key), 5, + "out of support range, limited to 256"); + + int ret = PKCS5_PBKDF2_HMAC(pass, (int)passlen, + salt, (int)saltlen, + iter, + md, + keylen, + key); + if (ret==1) + { + lua_pushlstring(L, key, keylen); + } else + ret = openssl_pushresult(L, ret); + + return ret; +#endif } +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) /*** openssl.kdf_ctx object @type kdf_ctx @@ -512,11 +553,14 @@ static luaL_Reg kdf_funs[] = {NULL, NULL} }; +#endif static const luaL_Reg kdf_R[] = { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) {"fetch", openssl_kdf_fetch}, {"iterator", openssl_kdf_iterator_kdf}, +#endif {"derive", openssl_kdf_derive}, {NULL, NULL} @@ -524,12 +568,15 @@ static const luaL_Reg kdf_R[] = int luaopen_kdf(lua_State *L) { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) auxiliar_newclass(L, "openssl.kdf", kdf_funs); auxiliar_newclass(L, "openssl.kdf_ctx", kdf_ctx_funs); +#endif lua_newtable(L); luaL_setfuncs(L, kdf_R, 0); +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) lua_pushliteral(L, "names"); lua_newtable(L); @@ -550,7 +597,7 @@ int luaopen_kdf(lua_State *L) #endif lua_rawset(L, -3); +#endif return 1; } -#endif diff --git a/src/openssl.c b/src/openssl.c index 31708fa4..a79d0178 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -563,9 +563,9 @@ LUALIB_API int luaopen_openssl(lua_State*L) lua_setfield(L, -2, "mac"); luaopen_param(L); lua_setfield(L, -2, "param"); +#endif luaopen_kdf(L); lua_setfield(L, -2, "kdf"); -#endif luaopen_pkey(L); lua_setfield(L, -2, "pkey"); 
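Review bot: The pre-3.0 branch passes `iter` and `keylen` to PKCS5_PBKDF2_HMAC without a lower bound, so a script that supplies 0 or a negative iteration count is not stopped here. As far as I can tell the pre-3.0 library does not reject it either, which would yield a key derived with effectively one round. I would add `luaL_argcheck(L, iter > 0, 4, "iteration count must be positive");` and tighten the length check to `luaL_argcheck(L, keylen > 0 && (size_t)keylen <= sizeof(key), 5, "out of support range, limited to 256");`, because the current comparison rejects negative lengths only through the implicit conversion to size_t and lets 0 through. The default of 1000 iterations is low for password-based keys by current guidance and should be documented as a compatibility default rather than a recommendation. The stack buffer `key` also keeps the derived bytes after return, which `OPENSSL_cleanse(key, sizeof(key));` before returning would limit; openssl_kdf_derive begins before this hunk.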
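Review bot: With `luaopen_kdf` moved below the `#endif` in luaopen_openssl, `openssl.kdf` is a table on every build, so scripts that test `if openssl.kdf then` to detect OpenSSL 3 KDF support will take that path on older builds and fail on a nil `fetch`. The test file in this commit had to switch from `if not kdf` to `if not kdf.fetch` for the same reason. A comment at the call would help, for example `/* kdf is always registered; before OpenSSL 3.0 it exposes only kdf.derive (PBKDF2) */`, and the change should be called out for callers so they probe `kdf.fetch` instead. luaopen_openssl starts and ends outside this hunk.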
diff --git a/src/openssl.h b/src/openssl.h index 3b9ee13f..81fa3dea 100644 --- a/src/openssl.h +++ b/src/openssl.h @@ -141,8 +141,8 @@ LUA_FUNCTION(luaopen_dh); #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) LUA_FUNCTION(luaopen_mac); LUA_FUNCTION(luaopen_param); -LUA_FUNCTION(luaopen_kdf); #endif +LUA_FUNCTION(luaopen_kdf); void openssl_add_method_or_alias(const OBJ_NAME *name, void *arg) ; void openssl_add_method(const OBJ_NAME *name, void *arg); diff --git a/test/2.kdf.lua b/test/2.kdf.lua index ce82ad65..cebd9d97 100644 --- a/test/2.kdf.lua +++ b/test/2.kdf.lua @@ -2,13 +2,24 @@ local lu = require 'luaunit' local openssl = require 'openssl' local kdf = require'openssl'.kdf -if not kdf then - return -end TestKDF = {} +function TestKDF:testDerive() + local pwd = "1234567890"; + local salt = "0987654321" + local md = 'sha256' + local iter = 4096 + local keylen = 32 + + local key = assert(kdf.derive(pwd, salt, md, iter, keylen)) + print('key', key) + assert(key) + assert(#key == 32) +end + function TestKDF:testBasic() + if not kdf.iterator then return end kdf.iterator(function(k) assert(k:name()) assert(k) @@ -25,8 +36,10 @@ function TestKDF:testBasic() end function TestKDF:testPBKDF2() + if not kdf.fetch then return end + local pwd = "1234567890"; - local salt = "0987654321" -- getSalt(pwd) + local salt = "0987654321" -- getSalt(pwd) local pbkdf2 = kdf.fetch('PBKDF2') local t = assert(pbkdf2:settable_ctx_params()) local key = assert(pbkdf2:derive({ @@ -59,8 +72,10 @@ function TestKDF:testPBKDF2() end function TestKDF:testPBKDF2CTX() + if not kdf.fetch then return end + local pwd = "1234567890"; - local salt = "0987654321" -- getSalt(pwd) + local salt = "0987654321" -- getSalt(pwd) local pbkdf2 = kdf.fetch('PBKDF2') local ctx = assert(pbkdf2:new())
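Review bot: testDerive only checks that the result is 32 bytes long, which any implementation that returns 32 bytes satisfies, including one that ignores the salt or the iteration count. For a key-derivation function the test should compare the output with a published PBKDF2-HMAC-SHA256 test vector, for example `lu.assertEquals(openssl.hex(key), EXPECTED_HEX)` with EXPECTED_HEX (a placeholder here) taken from the vector source and the matching password, salt and iteration count. `print('key', key)` writes the raw derived bytes to the test log and can be dropped, and the second `assert(key)` is redundant after `assert(kdf.derive(...))`.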