1 // Copyright 2015-2017 Brian Smith.
2 //
3 // Permission to use, copy, modify, and/or distribute this software for any
4 // purpose with or without fee is hereby granted, provided that the above
5 // copyright notice and this permission notice appear in all copies.
6 //
7 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
10 // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15 //! Key Agreement: ECDH, including X25519.
16 //!
17 //! # Example
18 //!
19 //! Note that this example uses X25519, but ECDH using NIST P-256/P-384 is done
20 //! exactly the same way, just substituting
21 //! `agreement::ECDH_P256`/`agreement::ECDH_P384` for `agreement::X25519`.
22 //!
23 //! ```
24 //! use ring::{agreement, rand};
25 //!
26 //! let rng = rand::SystemRandom::new();
27 //!
28 //! let my_private_key = agreement::EphemeralPrivateKey::generate(&agreement::X25519, &rng)?;
29 //!
30 //! // Make `my_public_key` a byte slice containing my public key. In a real
31 //! // application, this would be sent to the peer in an encoded protocol
32 //! // message.
33 //! let my_public_key = my_private_key.compute_public_key()?;
34 //!
35 //! let peer_public_key = {
36 //! // In a real application, the peer public key would be parsed out of a
37 //! // protocol message. Here we just generate one.
38 //! let peer_public_key = {
39 //! let peer_private_key =
40 //! agreement::EphemeralPrivateKey::generate(&agreement::X25519, &rng)?;
41 //! peer_private_key.compute_public_key()?
42 //! };
43 //!
44 //! agreement::UnparsedPublicKey::new(&agreement::X25519, peer_public_key)
45 //! };
46 //!
47 //! agreement::agree_ephemeral(
48 //! my_private_key,
49 //! &peer_public_key,
50 //! |_key_material| {
51 //! // In a real application, we'd apply a KDF to the key material and the
52 //! // public keys (as recommended in RFC 7748) and then derive session
53 //! // keys from the result. We omit all that here.
54 //! },
55 //! )?;
56 //!
57 //! # Ok::<(), ring::error::Unspecified>(())
58 //! ```
59
60 // The "NSA Guide" steps here are from from section 3.1, "Ephemeral Unified
61 // Model."
62
63 use crate::{cpu, debug, ec, error, rand};
64
65 pub use crate::ec::{
66 curve25519::x25519::X25519,
67 suite_b::ecdh::{ECDH_P256, ECDH_P384},
68 };
69
70 /// A key agreement algorithm.
71 pub struct Algorithm {
72 pub(crate) curve: &'static ec::Curve,
73 pub(crate) ecdh: fn(
74 out: &mut [u8],
75 private_key: &ec::Seed,
76 peer_public_key: untrusted::Input,
77 ) -> Result<(), error::Unspecified>,
78 }
79
80 derive_debug_via_field!(Algorithm, curve);
81
82 impl Eq for Algorithm {}
83 impl PartialEq for Algorithm {
eq(&self, other: &Self) -> bool84 fn eq(&self, other: &Self) -> bool {
85 self.curve.id == other.curve.id
86 }
87 }
88
89 /// An ephemeral private key for use (only) with `agree_ephemeral`. The
90 /// signature of `agree_ephemeral` ensures that an `EphemeralPrivateKey` can be
91 /// used for at most one key agreement.
92 pub struct EphemeralPrivateKey {
93 private_key: ec::Seed,
94 algorithm: &'static Algorithm,
95 }
96
97 derive_debug_via_field!(
98 EphemeralPrivateKey,
99 stringify!(EphemeralPrivateKey),
100 algorithm
101 );
102
103 impl EphemeralPrivateKey {
104 /// Generate a new ephemeral private key for the given algorithm.
generate( alg: &'static Algorithm, rng: &dyn rand::SecureRandom, ) -> Result<Self, error::Unspecified>105 pub fn generate(
106 alg: &'static Algorithm,
107 rng: &dyn rand::SecureRandom,
108 ) -> Result<Self, error::Unspecified> {
109 let cpu_features = cpu::features();
110
111 // NSA Guide Step 1.
112 //
113 // This only handles the key generation part of step 1. The rest of
114 // step one is done by `compute_public_key()`.
115 let private_key = ec::Seed::generate(&alg.curve, rng, cpu_features)?;
116 Ok(Self {
117 private_key,
118 algorithm: alg,
119 })
120 }
121
122 /// Computes the public key from the private key.
123 #[inline(always)]
compute_public_key(&self) -> Result<PublicKey, error::Unspecified>124 pub fn compute_public_key(&self) -> Result<PublicKey, error::Unspecified> {
125 // NSA Guide Step 1.
126 //
127 // Obviously, this only handles the part of Step 1 between the private
128 // key generation and the sending of the public key to the peer. `out`
129 // is what should be sent to the peer.
130 self.private_key
131 .compute_public_key()
132 .map(|public_key| PublicKey {
133 algorithm: self.algorithm,
134 bytes: public_key,
135 })
136 }
137
138 /// The algorithm for the private key.
139 #[inline]
algorithm(&self) -> &'static Algorithm140 pub fn algorithm(&self) -> &'static Algorithm {
141 self.algorithm
142 }
143
144 #[cfg(test)]
bytes(&self) -> &[u8]145 pub fn bytes(&self) -> &[u8] {
146 self.private_key.bytes_less_safe()
147 }
148 }
149
150 /// A public key for key agreement.
151 #[derive(Clone)]
152 pub struct PublicKey {
153 algorithm: &'static Algorithm,
154 bytes: ec::PublicKey,
155 }
156
157 impl AsRef<[u8]> for PublicKey {
as_ref(&self) -> &[u8]158 fn as_ref(&self) -> &[u8] {
159 self.bytes.as_ref()
160 }
161 }
162
163 impl core::fmt::Debug for PublicKey {
fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error>164 fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
165 f.debug_struct("PublicKey")
166 .field("algorithm", &self.algorithm)
167 .field("bytes", &debug::HexStr(self.as_ref()))
168 .finish()
169 }
170 }
171
172 impl PublicKey {
173 /// The algorithm for the public key.
174 #[inline]
algorithm(&self) -> &'static Algorithm175 pub fn algorithm(&self) -> &'static Algorithm {
176 self.algorithm
177 }
178 }
179
180 /// An unparsed, possibly malformed, public key for key agreement.
181 pub struct UnparsedPublicKey<B: AsRef<[u8]>> {
182 algorithm: &'static Algorithm,
183 bytes: B,
184 }
185
186 impl<B: Copy> Copy for UnparsedPublicKey<B> where B: AsRef<[u8]> {}
187
188 impl<B: Clone> Clone for UnparsedPublicKey<B>
189 where
190 B: AsRef<[u8]>,
191 {
clone(&self) -> Self192 fn clone(&self) -> Self {
193 Self {
194 algorithm: self.algorithm,
195 bytes: self.bytes.clone(),
196 }
197 }
198 }
199
200 impl<B: core::fmt::Debug> core::fmt::Debug for UnparsedPublicKey<B>
201 where
202 B: AsRef<[u8]>,
203 {
fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error>204 fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
205 f.debug_struct("UnparsedPublicKey")
206 .field("algorithm", &self.algorithm)
207 .field("bytes", &debug::HexStr(self.bytes.as_ref()))
208 .finish()
209 }
210 }
211
212 impl<B: AsRef<[u8]>> UnparsedPublicKey<B> {
213 /// Constructs a new `UnparsedPublicKey`.
new(algorithm: &'static Algorithm, bytes: B) -> Self214 pub fn new(algorithm: &'static Algorithm, bytes: B) -> Self {
215 Self { algorithm, bytes }
216 }
217
218 /// TODO: doc
219 #[inline]
algorithm(&self) -> &'static Algorithm220 pub fn algorithm(&self) -> &'static Algorithm {
221 self.algorithm
222 }
223
224 /// TODO: doc
225 #[inline]
bytes(&self) -> &B226 pub fn bytes(&self) -> &B {
227 &self.bytes
228 }
229 }
230
231 /// Performs a key agreement with an ephemeral private key and the given public
232 /// key.
233 ///
234 /// `my_private_key` is the ephemeral private key to use. Since it is moved, it
235 /// will not be usable after calling `agree_ephemeral`, thus guaranteeing that
236 /// the key is used for only one key agreement.
237 ///
238 /// `peer_public_key` is the peer's public key. `agree_ephemeral` will return
239 /// `Err(error_value)` if it does not match `my_private_key's` algorithm/curve.
240 /// `agree_ephemeral` verifies that it is encoded in the standard form for the
241 /// algorithm and that the key is *valid*; see the algorithm's documentation for
242 /// details on how keys are to be encoded and what constitutes a valid key for
243 /// that algorithm.
244 ///
245 /// After the key agreement is done, `agree_ephemeral` calls `kdf` with the raw
246 /// key material from the key agreement operation and then returns what `kdf`
247 /// returns.
248 #[inline]
agree_ephemeral<B: AsRef<[u8]>, R>( my_private_key: EphemeralPrivateKey, peer_public_key: &UnparsedPublicKey<B>, kdf: impl FnOnce(&[u8]) -> R, ) -> Result<R, error::Unspecified>249 pub fn agree_ephemeral<B: AsRef<[u8]>, R>(
250 my_private_key: EphemeralPrivateKey,
251 peer_public_key: &UnparsedPublicKey<B>,
252 kdf: impl FnOnce(&[u8]) -> R,
253 ) -> Result<R, error::Unspecified> {
254 let peer_public_key = UnparsedPublicKey {
255 algorithm: peer_public_key.algorithm,
256 bytes: peer_public_key.bytes.as_ref(),
257 };
258 agree_ephemeral_(my_private_key, peer_public_key, kdf)
259 }
260
agree_ephemeral_<R>( my_private_key: EphemeralPrivateKey, peer_public_key: UnparsedPublicKey<&[u8]>, kdf: impl FnOnce(&[u8]) -> R, ) -> Result<R, error::Unspecified>261 fn agree_ephemeral_<R>(
262 my_private_key: EphemeralPrivateKey,
263 peer_public_key: UnparsedPublicKey<&[u8]>,
264 kdf: impl FnOnce(&[u8]) -> R,
265 ) -> Result<R, error::Unspecified> {
266 // NSA Guide Prerequisite 1.
267 //
268 // The domain parameters are hard-coded. This check verifies that the
269 // peer's public key's domain parameters match the domain parameters of
270 // this private key.
271 if peer_public_key.algorithm != my_private_key.algorithm {
272 return Err(error::Unspecified);
273 }
274
275 let alg = &my_private_key.algorithm;
276
277 // NSA Guide Prerequisite 2, regarding which KDFs are allowed, is delegated
278 // to the caller.
279
280 // NSA Guide Prerequisite 3, "Prior to or during the key-agreement process,
281 // each party shall obtain the identifier associated with the other party
282 // during the key-agreement scheme," is delegated to the caller.
283
284 // NSA Guide Step 1 is handled by `EphemeralPrivateKey::generate()` and
285 // `EphemeralPrivateKey::compute_public_key()`.
286
287 let mut shared_key = [0u8; ec::ELEM_MAX_BYTES];
288 let shared_key = &mut shared_key[..alg.curve.elem_scalar_seed_len];
289
290 // NSA Guide Steps 2, 3, and 4.
291 //
292 // We have a pretty liberal interpretation of the NIST's spec's "Destroy"
293 // that doesn't meet the NSA requirement to "zeroize."
294 (alg.ecdh)(
295 shared_key,
296 &my_private_key.private_key,
297 untrusted::Input::from(peer_public_key.bytes),
298 )?;
299
300 // NSA Guide Steps 5 and 6.
301 //
302 // Again, we have a pretty liberal interpretation of the NIST's spec's
303 // "Destroy" that doesn't meet the NSA requirement to "zeroize."
304 Ok(kdf(shared_key))
305 }
306