add basic support for dgst hmac in tool #1755

samuel40791765 · 2024-08-09T00:27:52Z

Issues:

Resolves CryptoAlg-2602

Description of changes:

OpenSSL's hmac command line tool uses dgst with a -hmac option. Supporting the entire functionality of dgst will take a bit more work, but we can support -hmac with the default SHA256 for the time being.

Call-outs:

Rearranged some of the header file function calls to make things cleaner

Testing:

Basic functionality tests against single and multiple /tmp files.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

codecov-commenter · 2024-08-12T23:36:11Z

Codecov Report

Attention: Patch coverage is 5.78512% with 114 lines in your changes missing coverage. Please review.

Project coverage is 78.32%. Comparing base (94f021b) to head (bebd895).
Report is 1 commits behind head on main.

Files	Patch %	Lines
tool-openssl/dgst.cc	0.00%	68 Missing ⚠️
tool-openssl/dgst_test.cc	13.20%	46 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1755      +/-   ##
==========================================
- Coverage   78.46%   78.32%   -0.14%     
==========================================
  Files         580      582       +2     
  Lines       96779    96906     +127     
  Branches    13865    13884      +19     
==========================================
- Hits        75936    75902      -34     
- Misses      20226    20381     +155     
- Partials      617      623       +6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

andrewhop · 2024-08-12T23:38:46Z

tool-openssl/dgst_test.cc

+  awslc_hash = trim(awslc_hash);
+  openssl_hash = trim(openssl_hash);


What's with the trims? Do we have differing whitespace?

Also how does this work if there are two files getting hashed? Is this only comparing the output of one of them?

This was due to different OpenSSL versions having different outputs, but now that you mention it I don't think it applies here. Will change.
Also a reminder that I forgot to add these tests to the test script.

tool-openssl/dgst.cc

justsmth · 2024-08-13T14:38:01Z

tool-openssl/dgst.cc

+    for (;;) {
+      size_t n;
+      if (!ReadFromFD(fd, &n, buf.get(), kBufSize)) {
+        fprintf(stderr, "%s: No such file or directory\n", filename.c_str());


NP: There was an error reading from the file, which doesn't necessarily mean that there's "no such file". (Could you even read from a directory?)

Oh this was to align with OpenSSL's error messaging, I don't really enjoy it either.. I'm conflicted on compatibility everywhere or better error messages in general.
I can change this to my original error message which also prints the errno. It's not really a 1 way door and we can change to align if we get complaints.

justsmth · 2024-08-13T14:39:15Z

tool-openssl/dgst.cc

+    }
+
+    // Print HMAC output.
+    fprintf(stdout, "HMAC-%s(%s)= ", EVP_MD_get0_name(digest),


NP: This would display the full path. Is that expected?

Yes that's expected. OpenSSL's output example:

aws-lc on  main [?] via △ v3.20.0 via  v1.21.3 ❯ openssl dgst $PWD/../bio_test SHA256(/Users/sachiang/Documents/repo/aws-lc/../bio_test)= 28176a1f8de724adeb381febacf90595715b55a15294c14c24a3e5f96ced04dc

justsmth · 2024-08-13T14:44:02Z

tool-openssl/dgst.cc

+        fprintf(stderr, "Unknown option '%s'.\n", option.c_str());
+        return false;
+      }
+    } else {


I think this else block is only hit when arg.empty() -- I'm not sure the error message below this applies.

The intention was to hit this if arg[0] != '-'. But true, that it doesn't really apply if arg.empty(). Will reconfigure this.

tool-openssl/dgst.cc

andrewhop · 2024-08-13T22:13:14Z

tests/ci/run_openssl_comparison_tests.sh

@@ -39,10 +39,7 @@ declare -A openssl_branches=(
 export AWSLC_TOOL_PATH="${BUILD_ROOT}/tool-openssl/openssl"
 for branch in "${!openssl_branches[@]}"; do
  export OPENSSL_TOOL_PATH="${install_dir}/openssl-${branch}/bin/openssl"
-  LD_LIBRARY_PATH="${install_dir}/openssl-${branch}/${openssl_branches[$branch]}"
-  for test in X509ComparisonTest RSAComparisonTest MD5ComparisonTest; do


Nice, this is much simpler to add more tests in the future automatically.

OpenSSL's hmac command line tool uses `dgst` with a `-hmac` option. Supporting the entire functionality of `dgst` will take a bit more work, but we can support `-hmac` with the default `SHA256` for the time being. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. (cherry picked from commit 9178c62)

samuel40791765 force-pushed the tool-hmac branch 3 times, most recently from 5d8c8e4 to cd43457 Compare August 12, 2024 22:57

samuel40791765 marked this pull request as ready for review August 12, 2024 23:01

samuel40791765 requested a review from a team as a code owner August 12, 2024 23:01

samuel40791765 force-pushed the tool-hmac branch from cd43457 to 2e560b9 Compare August 12, 2024 23:01

add basic support for dgst hmac in tool

bebd895

samuel40791765 force-pushed the tool-hmac branch from 2e560b9 to bebd895 Compare August 12, 2024 23:14

samuel40791765 requested review from andrewhop and justsmth August 12, 2024 23:14

andrewhop reviewed Aug 13, 2024

View reviewed changes

justsmth reviewed Aug 13, 2024

View reviewed changes

PR comments; checks and optimizations

a156ce3

samuel40791765 force-pushed the tool-hmac branch from b4bc8a8 to a156ce3 Compare August 13, 2024 21:42

justsmth approved these changes Aug 13, 2024

View reviewed changes

andrewhop approved these changes Aug 13, 2024

View reviewed changes

samuel40791765 merged commit 9178c62 into aws:main Aug 13, 2024
104 of 106 checks passed

samuel40791765 deleted the tool-hmac branch August 13, 2024 23:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

add basic support for dgst hmac in tool #1755

add basic support for dgst hmac in tool #1755

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

		awslc_hash = trim(awslc_hash);
		openssl_hash = trim(openssl_hash);

add basic support for dgst hmac in tool #1755

add basic support for dgst hmac in tool #1755

Uh oh!

Conversation

Uh oh!

Issues:

Description of changes:

Call-outs:

Testing:

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!