feat: add AAD support in aes gcm

wzxjohn · zhuizhuhaomeng · commit 081d2fae4143 · 2024-02-05T15:51:34.000+08:00
diff --git a/lib/resty/aes.lua b/lib/resty/aes.lua
@@ -224,7 +224,7 @@ function _M.new(self, key, salt, _cipher, _hash, hash_rounds, iv_len, enable_pad
 end
 
 
-function _M.encrypt(self, s)
+function _M.encrypt(self, s, aad)
     local typ = type(self)
     if typ ~= "table" then
         error("bad argument #1 self: table expected, got " .. typ, 2)
@@ -241,6 +241,12 @@ function _M.encrypt(self, s)
         return nil, "EVP_EncryptInit_ex failed"
     end
 
+    if self._cipher == "gcm" and aad ~= nil then
+        if C.EVP_EncryptUpdate(ctx, nil, tmp_len, aad, #aad) == 0 then
+            return nil, "C.EVP_EncryptUpdate failed"
+        end
+    end
+
     if C.EVP_EncryptUpdate(ctx, buf, out_len, s, s_len) == 0 then
         return nil, "EVP_EncryptUpdate failed"
     end
@@ -267,7 +273,7 @@ function _M.encrypt(self, s)
 end
 
 
-function _M.decrypt(self, s, tag)
+function _M.decrypt(self, s, tag, aad)
     local typ = type(self)
     if typ ~= "table" then
         error("bad argument #1 self: table expected, got " .. typ, 2)
@@ -284,6 +290,12 @@ function _M.decrypt(self, s, tag)
       return nil, "EVP_DecryptInit_ex failed"
     end
 
+    if self._cipher == "gcm" and aad ~= nil then
+        if C.EVP_DecryptUpdate(ctx, nil, tmp_len, aad, #aad) == 0 then
+            return nil, "C.EVP_DecryptUpdate failed"
+        end
+    end
+
     if C.EVP_DecryptUpdate(ctx, buf, out_len, s, s_len) == 0 then
       return nil, "EVP_DecryptUpdate failed"
     end
diff --git a/t/aes.t b/t/aes.t
@@ -561,3 +561,29 @@ AES-256 CBC (custom keygen, without user padding, enable padding) HEX: 794617717
 true
 --- no_error_log
 [error]
+
+
+
+=== TEST 18: AES-256 GCM sha256 no salt with AAD
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua_block {
+            local aes = require "resty.aes"
+            local str = require "resty.string"
+            local aes_default = aes:new("secret",nil,
+              aes.cipher(256,"gcm"), aes.hash.sha256, 1, 12)
+            local encrypted = aes_default:encrypt("hello", "aad")
+            ngx.say("AES-256 GCM: ", str.to_hex(encrypted[1]),
+                    " tag: ",  str.to_hex(encrypted[2]))
+            local decrypted, err = aes_default:decrypt(encrypted[1], encrypted[2], "aad")
+            ngx.say(decrypted == "hello")
+        }
+    }
+--- request
+GET /t
+--- response_body
+AES-256 GCM: 4acef84443 tag: 46f4f3ca65395568407e15768b7526d9
+true
+--- no_error_log
+[error]
