blob: 8f6440d5d6997f26815e045aa430af66e5d7ed82 [file] [log] [blame]
/* Copyright (c) 2023, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
//! Diffie-Hellman over curve25519.
//!
//! X25519 is the Diffie-Hellman primitive built from curve25519. It is sometimes referred to as
//! “curve25519”, but “X25519” is a more precise name. See <http://cr.yp.to/ecdh.html> and
//! <https://tools.ietf.org/html/rfc7748>.
//!
//! ```
//! use bssl_crypto::x25519;
//!
//! // Alice generates her key pair.
//! let (alice_public_key, alice_private_key) = x25519::PrivateKey::generate();
//! // Bob generates his key pair.
//! let (bob_public_key, bob_private_key) = x25519::PrivateKey::generate();
//!
//! // If Alice obtains Bob's public key somehow, she can compute their
//! // shared key:
//! let shared_key = alice_private_key.compute_shared_key(&bob_public_key);
//!
//! // Alice can then derive a key (e.g. by using HKDF), which should include
//! // at least the two public keys. Then shen can send a message to Bob
//! // including her public key and an AEAD-protected blob. Bob can compute the
//! // same shared key given Alice's public key:
//! let shared_key2 = bob_private_key.compute_shared_key(&alice_public_key);
//! assert_eq!(shared_key, shared_key2);
//!
//! // This is an _unauthenticated_ exchange which is vulnerable to an
//! // active attacker. See, for example,
//! // http://www.noiseprotocol.org/noise.html for an example of building
//! // real protocols from a Diffie-Hellman primitive.
//! ```
use crate::with_output_array;
use crate::with_output_array_fallible;
use crate::FfiSlice;
/// Number of bytes in a private key in X25519
pub const PRIVATE_KEY_LEN: usize = bssl_sys::X25519_PRIVATE_KEY_LEN as usize;
/// Number of bytes in a public key in X25519
pub const PUBLIC_KEY_LEN: usize = bssl_sys::X25519_PUBLIC_VALUE_LEN as usize;
/// Number of bytes in a shared secret derived with X25519
pub const SHARED_KEY_LEN: usize = bssl_sys::X25519_SHARED_KEY_LEN as usize;
/// X25519 public keys are simply 32-byte strings.
pub type PublicKey = [u8; PUBLIC_KEY_LEN];
/// An X25519 private key (a 32-byte string).
pub struct PrivateKey(pub [u8; PRIVATE_KEY_LEN]);
impl AsRef<[u8]> for PrivateKey {
fn as_ref(&self) -> &[u8] {
&self.0
}
}
impl PrivateKey {
/// Derive the shared key between this private key and a peer's public key.
/// Don't use the shared key directly, rather use a KDF and also include
/// the two public values as inputs.
///
/// Will fail and produce `None` if the peer's public key is a point of
/// small order. It is safe to react to this in non-constant time.
pub fn compute_shared_key(&self, other_public_key: &PublicKey) -> Option<[u8; SHARED_KEY_LEN]> {
// Safety: `X25519` indeed writes `SHARED_KEY_LEN` bytes.
unsafe {
with_output_array_fallible(|out, _| {
bssl_sys::X25519(out, self.0.as_ffi_ptr(), other_public_key.as_ffi_ptr())
})
}
}
/// Generate a new key pair.
pub fn generate() -> (PublicKey, PrivateKey) {
let mut public_key_uninit = core::mem::MaybeUninit::<[u8; PUBLIC_KEY_LEN]>::uninit();
let mut private_key_uninit = core::mem::MaybeUninit::<[u8; PRIVATE_KEY_LEN]>::uninit();
// Safety:
// - private_key_uninit and public_key_uninit are the correct length.
unsafe {
bssl_sys::X25519_keypair(
public_key_uninit.as_mut_ptr() as *mut u8,
private_key_uninit.as_mut_ptr() as *mut u8,
);
// Safety: Initialized by `X25519_keypair` just above.
(
public_key_uninit.assume_init(),
PrivateKey(private_key_uninit.assume_init()),
)
}
}
/// Compute the public key corresponding to this private key.
pub fn to_public(&self) -> PublicKey {
// Safety: `X25519_public_from_private` indeed fills an entire [`PublicKey`].
unsafe {
with_output_array(|out, _| {
bssl_sys::X25519_public_from_private(out, self.0.as_ffi_ptr());
})
}
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use crate::{test_helpers::decode_hex, x25519::PrivateKey};
#[test]
fn known_vector() {
// wycheproof/testvectors/x25519_test.json tcId 1
let public_key: [u8; 32] =
decode_hex("504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829");
let private_key = PrivateKey(decode_hex(
"c8a9d5a91091ad851c668b0736c1c9a02936c0d3ad62670858088047ba057475",
));
let expected_shared_secret: [u8; 32] =
decode_hex("436a2c040cf45fea9b29a0cb81b1f41458f863d0d61b453d0a982720d6d61320");
let shared_secret = private_key.compute_shared_key(&public_key).unwrap();
assert_eq!(expected_shared_secret, shared_secret);
}
#[test]
fn all_zero_public_key() {
assert!(PrivateKey::generate()
.1
.compute_shared_key(&[0u8; 32])
.is_none());
}
#[test]
fn to_public() {
// Taken from https://www.rfc-editor.org/rfc/rfc7748.html#section-6.1
let public_key_bytes =
decode_hex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a");
let private_key = PrivateKey(decode_hex(
"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a",
));
assert_eq!(public_key_bytes, private_key.to_public());
}
}