crypto: add KMAC Web Cryptography algorithms

panva · npaun · commit 3b22818a0d1c · 2025-09-18T11:35:54.000-07:00
PR-URL: nodejs/node#59647 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/include/ncrypto.h b/include/ncrypto.h
@@ -235,6 +235,8 @@ class DataPointer;
 class DHPointer;
 class ECKeyPointer;
 class EVPKeyPointer;
+class EVPMacCtxPointer;
+class EVPMacPointer;
 class EVPMDCtxPointer;
 class SSLCtxPointer;
 class SSLPointer;
@@ -1329,6 +1331,56 @@ class HMACCtxPointer final {
   DeleteFnPtr<HMAC_CTX, HMAC_CTX_free> ctx_;
 };
 
+#if OPENSSL_VERSION_MAJOR >= 3
+class EVPMacPointer final {
+ public:
+  EVPMacPointer() = default;
+  explicit EVPMacPointer(EVP_MAC* mac);
+  EVPMacPointer(EVPMacPointer&& other) noexcept;
+  EVPMacPointer& operator=(EVPMacPointer&& other) noexcept;
+  NCRYPTO_DISALLOW_COPY(EVPMacPointer)
+  ~EVPMacPointer();
+
+  inline bool operator==(std::nullptr_t) noexcept { return mac_ == nullptr; }
+  inline operator bool() const { return mac_ != nullptr; }
+  inline EVP_MAC* get() const { return mac_.get(); }
+  inline operator EVP_MAC*() const { return mac_.get(); }
+  void reset(EVP_MAC* mac = nullptr);
+  EVP_MAC* release();
+
+  static EVPMacPointer Fetch(const char* algorithm);
+
+ private:
+  DeleteFnPtr<EVP_MAC, EVP_MAC_free> mac_;
+};
+
+class EVPMacCtxPointer final {
+ public:
+  EVPMacCtxPointer() = default;
+  explicit EVPMacCtxPointer(EVP_MAC_CTX* ctx);
+  EVPMacCtxPointer(EVPMacCtxPointer&& other) noexcept;
+  EVPMacCtxPointer& operator=(EVPMacCtxPointer&& other) noexcept;
+  NCRYPTO_DISALLOW_COPY(EVPMacCtxPointer)
+  ~EVPMacCtxPointer();
+
+  inline bool operator==(std::nullptr_t) noexcept { return ctx_ == nullptr; }
+  inline operator bool() const { return ctx_ != nullptr; }
+  inline EVP_MAC_CTX* get() const { return ctx_.get(); }
+  inline operator EVP_MAC_CTX*() const { return ctx_.get(); }
+  void reset(EVP_MAC_CTX* ctx = nullptr);
+  EVP_MAC_CTX* release();
+
+  bool init(const Buffer<const void>& key, const OSSL_PARAM* params = nullptr);
+  bool update(const Buffer<const void>& data);
+  DataPointer final(size_t length);
+
+  static EVPMacCtxPointer New(EVP_MAC* mac);
+
+ private:
+  DeleteFnPtr<EVP_MAC_CTX, EVP_MAC_CTX_free> ctx_;
+};
+#endif  // OPENSSL_VERSION_MAJOR >= 3
+
 #ifndef OPENSSL_NO_ENGINE
 class EnginePointer final {
  public:
diff --git a/src/ncrypto.cpp b/src/ncrypto.cpp
@@ -4083,6 +4083,96 @@ bool HMACCtxPointer::digestInto(Buffer<void>* buf) {
 
 HMACCtxPointer HMACCtxPointer::New() { return HMACCtxPointer(HMAC_CTX_new()); }
 
+#if OPENSSL_VERSION_MAJOR >= 3
+EVPMacPointer::EVPMacPointer(EVP_MAC* mac) : mac_(mac) {}
+
+EVPMacPointer::EVPMacPointer(EVPMacPointer&& other) noexcept
+    : mac_(std::move(other.mac_)) {}
+
+EVPMacPointer& EVPMacPointer::operator=(EVPMacPointer&& other) noexcept {
+  if (this == &other) return *this;
+  mac_ = std::move(other.mac_);
+  return *this;
+}
+
+EVPMacPointer::~EVPMacPointer() {
+  mac_.reset();
+}
+
+void EVPMacPointer::reset(EVP_MAC* mac) {
+  mac_.reset(mac);
+}
+
+EVP_MAC* EVPMacPointer::release() {
+  return mac_.release();
+}
+
+EVPMacPointer EVPMacPointer::Fetch(const char* algorithm) {
+  return EVPMacPointer(EVP_MAC_fetch(nullptr, algorithm, nullptr));
+}
+
+EVPMacCtxPointer::EVPMacCtxPointer(EVP_MAC_CTX* ctx) : ctx_(ctx) {}
+
+EVPMacCtxPointer::EVPMacCtxPointer(EVPMacCtxPointer&& other) noexcept
+    : ctx_(std::move(other.ctx_)) {}
+
+EVPMacCtxPointer& EVPMacCtxPointer::operator=(
+    EVPMacCtxPointer&& other) noexcept {
+  if (this == &other) return *this;
+  ctx_ = std::move(other.ctx_);
+  return *this;
+}
+
+EVPMacCtxPointer::~EVPMacCtxPointer() {
+  ctx_.reset();
+}
+
+void EVPMacCtxPointer::reset(EVP_MAC_CTX* ctx) {
+  ctx_.reset(ctx);
+}
+
+EVP_MAC_CTX* EVPMacCtxPointer::release() {
+  return ctx_.release();
+}
+
+bool EVPMacCtxPointer::init(const Buffer<const void>& key,
+                            const OSSL_PARAM* params) {
+  if (!ctx_) return false;
+  return EVP_MAC_init(ctx_.get(),
+                      static_cast<const unsigned char*>(key.data),
+                      key.len,
+                      params) == 1;
+}
+
+bool EVPMacCtxPointer::update(const Buffer<const void>& data) {
+  if (!ctx_) return false;
+  return EVP_MAC_update(ctx_.get(),
+                        static_cast<const unsigned char*>(data.data),
+                        data.len) == 1;
+}
+
+DataPointer EVPMacCtxPointer::final(size_t length) {
+  if (!ctx_) return {};
+  auto buf = DataPointer::Alloc(length);
+  if (!buf) return {};
+
+  size_t result_len = length;
+  if (EVP_MAC_final(ctx_.get(),
+                    static_cast<unsigned char*>(buf.get()),
+                    &result_len,
+                    length) != 1) {
+    return {};
+  }
+
+  return buf;
+}
+
+EVPMacCtxPointer EVPMacCtxPointer::New(EVP_MAC* mac) {
+  if (!mac) return EVPMacCtxPointer();
+  return EVPMacCtxPointer(EVP_MAC_CTX_new(mac));
+}
+#endif  // OPENSSL_VERSION_MAJOR >= 3
+
 DataPointer hashDigest(const Buffer<const unsigned char>& buf,
                        const EVP_MD* md) {
   if (md == nullptr) return {};
