openssl/
derive.rs

1//! Shared secret derivation.
2//!
3//! # Example
4//!
5//! The following example implements [ECDH] using `NIST P-384` keys:
6//!
7//! ```
8//! # fn main() -> Result<(), Box<dyn std::error::Error>> {
9//! # use std::convert::TryInto;
10//! use openssl::bn::BigNumContext;
11//! use openssl::pkey::PKey;
12//! use openssl::derive::Deriver;
13//! use openssl::ec::{EcGroup, EcKey, EcPoint, PointConversionForm};
14//! use openssl::nid::Nid;
15//!
16//! let group = EcGroup::from_curve_name(Nid::SECP384R1)?;
17//!
18//! let first: PKey<_> = EcKey::generate(&group)?.try_into()?;
19//!
20//! // second party generates an ephemeral key and derives
21//! // a shared secret using first party's public key
22//! let shared_key = EcKey::generate(&group)?;
23//! // shared_public is sent to first party
24//! let mut ctx = BigNumContext::new()?;
25//! let shared_public = shared_key.public_key().to_bytes(
26//!        &group,
27//!        PointConversionForm::COMPRESSED,
28//!        &mut ctx,
29//!    )?;
30//!
31//! let shared_key: PKey<_> = shared_key.try_into()?;
32//! let mut deriver = Deriver::new(&shared_key)?;
33//! deriver.set_peer(&first)?;
34//! // secret can be used e.g. as a symmetric encryption key
35//! let secret = deriver.derive_to_vec()?;
36//! # drop(deriver);
37//!
38//! // first party derives the same shared secret using
39//! // shared_public
40//! let point = EcPoint::from_bytes(&group, &shared_public, &mut ctx)?;
41//! let recipient_key: PKey<_> = EcKey::from_public_key(&group, &point)?.try_into()?;
42//! let mut deriver = Deriver::new(&first)?;
43//! deriver.set_peer(&recipient_key)?;
44//! let first_secret = deriver.derive_to_vec()?;
45//!
46//! assert_eq!(secret, first_secret);
47//! # Ok(()) }
48//! ```
49//!
50//! [ECDH]: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman
51
52use foreign_types::ForeignTypeRef;
53use std::marker::PhantomData;
54use std::ptr;
55
56use crate::error::ErrorStack;
57use crate::pkey::{HasPrivate, HasPublic, PKeyRef};
58use crate::{cvt, cvt_p};
59use openssl_macros::corresponds;
60
61/// A type used to derive a shared secret between two keys.
62pub struct Deriver<'a>(*mut ffi::EVP_PKEY_CTX, PhantomData<&'a ()>);
63
64unsafe impl Sync for Deriver<'_> {}
65unsafe impl Send for Deriver<'_> {}
66
67#[allow(clippy::len_without_is_empty)]
68impl<'a> Deriver<'a> {
69    /// Creates a new `Deriver` using the provided private key.
70    #[corresponds(EVP_PKEY_derive_init)]
71    pub fn new<T>(key: &'a PKeyRef<T>) -> Result<Deriver<'a>, ErrorStack>
72    where
73        T: HasPrivate,
74    {
75        unsafe {
76            cvt_p(ffi::EVP_PKEY_CTX_new(key.as_ptr(), ptr::null_mut()))
77                .map(|p| Deriver(p, PhantomData))
78                .and_then(|ctx| cvt(ffi::EVP_PKEY_derive_init(ctx.0)).map(|_| ctx))
79        }
80    }
81
82    /// Sets the peer key used for secret derivation.
83    #[corresponds(EVP_PKEY_derive_set_peer)]
84    pub fn set_peer<T>(&mut self, key: &'a PKeyRef<T>) -> Result<(), ErrorStack>
85    where
86        T: HasPublic,
87    {
88        unsafe { cvt(ffi::EVP_PKEY_derive_set_peer(self.0, key.as_ptr())).map(|_| ()) }
89    }
90
91    /// Sets the peer key used for secret derivation along with optionally validating the peer public key.
92    ///
93    /// Requires OpenSSL 3.0.0 or newer.
94    #[corresponds(EVP_PKEY_derive_set_peer_ex)]
95    #[cfg(ossl300)]
96    pub fn set_peer_ex<T>(
97        &mut self,
98        key: &'a PKeyRef<T>,
99        validate_peer: bool,
100    ) -> Result<(), ErrorStack>
101    where
102        T: HasPublic,
103    {
104        unsafe {
105            cvt(ffi::EVP_PKEY_derive_set_peer_ex(
106                self.0,
107                key.as_ptr(),
108                validate_peer as i32,
109            ))
110            .map(|_| ())
111        }
112    }
113
114    /// Returns the size of the shared secret.
115    ///
116    /// It can be used to size the buffer passed to [`Deriver::derive`].
117    ///
118    /// It can be used to size the buffer passed to [`Deriver::derive`].
119    ///
120    /// [`Deriver::derive`]: #method.derive
121    #[corresponds(EVP_PKEY_derive)]
122    pub fn len(&mut self) -> Result<usize, ErrorStack> {
123        unsafe {
124            let mut len = 0;
125            cvt(ffi::EVP_PKEY_derive(self.0, ptr::null_mut(), &mut len)).map(|_| len)
126        }
127    }
128
129    /// Derives a shared secret between the two keys, writing it into the buffer.
130    ///
131    /// Returns the number of bytes written.
132    #[corresponds(EVP_PKEY_derive)]
133    pub fn derive(&mut self, buf: &mut [u8]) -> Result<usize, ErrorStack> {
134        // See the matching comment in `PkeyCtxRef::derive`. On 1.1.x some
135        // pmeths ignore *keylen and write the full natural output
136        // (X25519/X448), while others (default ECDH) deliberately truncate.
137        // Derive into a temp buffer when the probed size exceeds the
138        // caller's buffer to prevent OOB writes while preserving the
139        // truncation semantics.
140        #[cfg(any(all(ossl110, not(ossl300)), libressl))]
141        {
142            let required = self.len()?;
143            if required != usize::MAX && buf.len() < required {
144                let mut temp = vec![0u8; required];
145                let mut len = required;
146                unsafe {
147                    cvt(ffi::EVP_PKEY_derive(self.0, temp.as_mut_ptr(), &mut len))?;
148                }
149                let copy_len = buf.len().min(len);
150                buf[..copy_len].copy_from_slice(&temp[..copy_len]);
151                return Ok(copy_len);
152            }
153        }
154        let mut len = buf.len();
155        unsafe {
156            cvt(ffi::EVP_PKEY_derive(
157                self.0,
158                buf.as_mut_ptr() as *mut _,
159                &mut len,
160            ))
161            .map(|_| len)
162        }
163    }
164
165    /// A convenience function which derives a shared secret and returns it in a new buffer.
166    ///
167    /// This simply wraps [`Deriver::len`] and [`Deriver::derive`].
168    ///
169    /// [`Deriver::len`]: #method.len
170    /// [`Deriver::derive`]: #method.derive
171    pub fn derive_to_vec(&mut self) -> Result<Vec<u8>, ErrorStack> {
172        let len = self.len()?;
173        let mut buf = vec![0; len];
174        let len = self.derive(&mut buf)?;
175        buf.truncate(len);
176        Ok(buf)
177    }
178}
179
180impl Drop for Deriver<'_> {
181    fn drop(&mut self) {
182        unsafe {
183            ffi::EVP_PKEY_CTX_free(self.0);
184        }
185    }
186}
187
188#[cfg(test)]
189mod test {
190    use super::*;
191
192    use crate::ec::{EcGroup, EcKey};
193    use crate::nid::Nid;
194    use crate::pkey::PKey;
195
196    #[test]
197    fn derive_without_peer() {
198        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
199        let ec_key = EcKey::generate(&group).unwrap();
200        let pkey = PKey::from_ec_key(ec_key).unwrap();
201        let mut deriver = Deriver::new(&pkey).unwrap();
202        deriver.derive_to_vec().unwrap_err();
203    }
204
205    #[test]
206    fn test_ec_key_derive() {
207        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
208        let ec_key = EcKey::generate(&group).unwrap();
209        let ec_key2 = EcKey::generate(&group).unwrap();
210        let pkey = PKey::from_ec_key(ec_key).unwrap();
211        let pkey2 = PKey::from_ec_key(ec_key2).unwrap();
212        let mut deriver = Deriver::new(&pkey).unwrap();
213        deriver.set_peer(&pkey2).unwrap();
214        let shared = deriver.derive_to_vec().unwrap();
215        assert!(!shared.is_empty());
216    }
217
218    #[test]
219    #[cfg(any(ossl111, libressl370))]
220    fn derive_undersized_buffer() {
221        // Without the temp-buffer fallback in this crate, X25519 on 1.1.x
222        // would OOB into a 4-byte buffer because it ignores *keylen.
223        // On 1.1.x / LibreSSL the fallback kicks in and we return the
224        // truncated prefix. On 3.0+ the provider rejects undersized
225        // buffers before any write happens, so the call errors out.
226        let pkey = PKey::generate_x25519().unwrap();
227        let pkey2 = PKey::generate_x25519().unwrap();
228        let mut deriver = Deriver::new(&pkey).unwrap();
229        deriver.set_peer(&pkey2).unwrap();
230        let mut buf = [0u8; 4];
231        let result = deriver.derive(&mut buf);
232        #[cfg(any(all(ossl110, not(ossl300)), libressl))]
233        assert_eq!(result.unwrap(), 4);
234        #[cfg(all(ossl300, not(libressl)))]
235        assert!(result.is_err());
236    }
237
238    #[test]
239    #[cfg(ossl300)]
240    fn test_ec_key_derive_ex() {
241        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
242        let ec_key = EcKey::generate(&group).unwrap();
243        let ec_key2 = EcKey::generate(&group).unwrap();
244        let pkey = PKey::from_ec_key(ec_key).unwrap();
245        let pkey2 = PKey::from_ec_key(ec_key2).unwrap();
246        let mut deriver = Deriver::new(&pkey).unwrap();
247        deriver.set_peer_ex(&pkey2, true).unwrap();
248        let shared = deriver.derive_to_vec().unwrap();
249        assert!(!shared.is_empty());
250    }
251}
openssl/derive.rs

openssl/
derive.rs
