mls/mls-rs-crypto-boringssl/src/ecdh.rs

// Copyright 2024, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! Elliptic curve Diffie–Hellman.

use bssl_crypto::x25519;
use mls_rs_core::crypto::{CipherSuite, HpkePublicKey, HpkeSecretKey};
use mls_rs_core::error::IntoAnyError;
use mls_rs_crypto_traits::{Curve, DhType};

use core::array::TryFromSliceError;
use thiserror::Error;

/// Errors returned from ECDH.
#[derive(Debug, Error)]
pub enum EcdhError {
    /// Error returned when conversion from slice to array fails.
    #[error(transparent)]
    TryFromSliceError(#[from] TryFromSliceError),
    /// Error returned when the public key is invalid.
    #[error("ECDH public key was invalid")]
    InvalidPubKey,
    /// Error returned when the private key length is invalid.
    #[error("ECDH private key of invalid length {len}, expected length {expected_len}")]
    InvalidPrivKeyLen {
        /// Invalid key length.
        len: usize,
        /// Expected key length.
        expected_len: usize,
    },
    /// Error returned when the public key length is invalid.
    #[error("ECDH public key of invalid length {len}, expected length {expected_len}")]
    InvalidPubKeyLen {
        /// Invalid key length.
        len: usize,
        /// Expected key length.
        expected_len: usize,
    },
    /// Error returned when unsupported cipher suite is requested.
    #[error("unsupported cipher suite")]
    UnsupportedCipherSuite,
}

impl IntoAnyError for EcdhError {
    fn into_dyn_error(self) -> Result<Box<dyn std::error::Error + Send + Sync>, Self> {
        Ok(self.into())
    }
}

/// DhType implementation backed by BoringSSL.
#[derive(Clone, Debug, Eq, PartialEq)]
pub struct Ecdh(Curve);

impl Ecdh {
    /// Creates a new Ecdh.
    pub fn new(cipher_suite: CipherSuite) -> Option<Self> {
        Curve::from_ciphersuite(cipher_suite, /*for_sig=*/ false).map(Self)
    }
}

#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
#[cfg_attr(all(target_arch = "wasm32", mls_build_async), maybe_async::must_be_async(?Send))]
#[cfg_attr(all(not(target_arch = "wasm32"), mls_build_async), maybe_async::must_be_async)]
impl DhType for Ecdh {
    type Error = EcdhError;

    async fn dh(
        &self,
        secret_key: &HpkeSecretKey,
        public_key: &HpkePublicKey,
    ) -> Result<Vec<u8>, Self::Error> {
        if self.0 != Curve::X25519 {
            return Err(EcdhError::UnsupportedCipherSuite);
        }
        if secret_key.len() != x25519::PRIVATE_KEY_LEN {
            return Err(EcdhError::InvalidPrivKeyLen {
                len: secret_key.len(),
                expected_len: x25519::PRIVATE_KEY_LEN,
            });
        }
        if public_key.len() != x25519::PUBLIC_KEY_LEN {
            return Err(EcdhError::InvalidPubKeyLen {
                len: public_key.len(),
                expected_len: x25519::PUBLIC_KEY_LEN,
            });
        }

        let private_key = x25519::PrivateKey(secret_key[..x25519::PRIVATE_KEY_LEN].try_into()?);
        match private_key.compute_shared_key(public_key[..x25519::PUBLIC_KEY_LEN].try_into()?) {
            Some(x) => Ok(x.to_vec()),
            None => Err(EcdhError::InvalidPubKey),
        }
    }

    async fn to_public(&self, secret_key: &HpkeSecretKey) -> Result<HpkePublicKey, Self::Error> {
        if self.0 != Curve::X25519 {
            return Err(EcdhError::UnsupportedCipherSuite);
        }
        if secret_key.len() != x25519::PRIVATE_KEY_LEN {
            return Err(EcdhError::InvalidPrivKeyLen {
                len: secret_key.len(),
                expected_len: x25519::PRIVATE_KEY_LEN,
            });
        }

        let private_key = x25519::PrivateKey(secret_key[..x25519::PRIVATE_KEY_LEN].try_into()?);
        Ok(private_key.to_public().to_vec().into())
    }

    async fn generate(&self) -> Result<(HpkeSecretKey, HpkePublicKey), Self::Error> {
        if self.0 != Curve::X25519 {
            return Err(EcdhError::UnsupportedCipherSuite);
        }

        let (public_key, private_key) = x25519::PrivateKey::generate();
        Ok((private_key.0.to_vec().into(), public_key.to_vec().into()))
    }

    fn bitmask_for_rejection_sampling(&self) -> Option<u8> {
        self.0.curve_bitmask()
    }

    fn public_key_validate(&self, key: &HpkePublicKey) -> Result<(), Self::Error> {
        if self.0 != Curve::X25519 {
            return Err(EcdhError::UnsupportedCipherSuite);
        }

        // bssl_crypto does not implement validation of curve25519 public keys.
        // Note: Neither does x25519_dalek used by RustCrypto's implementation of this function.
        if key.len() != x25519::PUBLIC_KEY_LEN {
            return Err(EcdhError::InvalidPubKeyLen {
                len: key.len(),
                expected_len: x25519::PUBLIC_KEY_LEN,
            });
        }
        Ok(())
    }

    fn secret_key_size(&self) -> usize {
        self.0.secret_key_size()
    }
}

#[cfg(all(not(mls_build_async), test))]
mod test {
    use super::{DhType, Ecdh, EcdhError};
    use crate::test_helpers::decode_hex;
    use assert_matches::assert_matches;
    use mls_rs_core::crypto::{CipherSuite, HpkePublicKey, HpkeSecretKey};

    #[test]
    fn dh() {
        // https://github.com/C2SP/wycheproof/blob/cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca/testvectors/x25519_test.json#L23
        let private_key = HpkeSecretKey::from(
            decode_hex::<32>("c8a9d5a91091ad851c668b0736c1c9a02936c0d3ad62670858088047ba057475")
                .to_vec(),
        );
        let public_key = HpkePublicKey::from(
            decode_hex::<32>("504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829")
                .to_vec(),
        );
        let expected_shared_secret: [u8; 32] =
            decode_hex("436a2c040cf45fea9b29a0cb81b1f41458f863d0d61b453d0a982720d6d61320");

        let x25519 = Ecdh::new(CipherSuite::CURVE25519_AES128).unwrap();
        assert_eq!(x25519.dh(&private_key, &public_key).unwrap(), expected_shared_secret);
    }

    #[test]
    fn dh_invalid_key() {
        let x25519 = Ecdh::new(CipherSuite::CURVE25519_AES128).unwrap();

        let private_key_short =
            HpkeSecretKey::from(decode_hex::<16>("c8a9d5a91091ad851c668b0736c1c9a0").to_vec());
        let public_key = HpkePublicKey::from(
            decode_hex::<32>("504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829")
                .to_vec(),
        );
        assert_matches!(
            x25519.dh(&private_key_short, &public_key),
            Err(EcdhError::InvalidPrivKeyLen { .. })
        );

        let private_key = HpkeSecretKey::from(
            decode_hex::<32>("c8a9d5a91091ad851c668b0736c1c9a02936c0d3ad62670858088047ba057475")
                .to_vec(),
        );
        let public_key_short =
            HpkePublicKey::from(decode_hex::<16>("504a36999f489cd2fdbc08baff3d88fa").to_vec());
        assert_matches!(
            x25519.dh(&private_key, &public_key_short),
            Err(EcdhError::InvalidPubKeyLen { .. })
        );
    }

    #[test]
    fn to_public() {
        // https://www.rfc-editor.org/rfc/rfc7748.html#section-6.1
        let private_key = HpkeSecretKey::from(
            decode_hex::<32>("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
                .to_vec(),
        );
        let expected_public_key = HpkePublicKey::from(
            decode_hex::<32>("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
                .to_vec(),
        );

        let x25519 = Ecdh::new(CipherSuite::CURVE25519_CHACHA).unwrap();
        assert_eq!(x25519.to_public(&private_key).unwrap(), expected_public_key);
    }

    #[test]
    fn to_public_invalid_key() {
        let private_key_short =
            HpkeSecretKey::from(decode_hex::<16>("c8a9d5a91091ad851c668b0736c1c9a0").to_vec());

        let x25519 = Ecdh::new(CipherSuite::CURVE25519_CHACHA).unwrap();
        assert_matches!(
            x25519.to_public(&private_key_short),
            Err(EcdhError::InvalidPrivKeyLen { .. })
        );
    }

    #[test]
    fn generate() {
        let x25519 = Ecdh::new(CipherSuite::CURVE25519_AES128).unwrap();
        assert!(x25519.generate().is_ok());
    }

    #[test]
    fn public_key_validate() {
        // https://www.rfc-editor.org/rfc/rfc7748.html#section-6.1
        let public_key = HpkePublicKey::from(
            decode_hex::<32>("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
                .to_vec(),
        );

        let x25519 = Ecdh::new(CipherSuite::CURVE25519_AES128).unwrap();
        assert!(x25519.public_key_validate(&public_key).is_ok());
    }

    #[test]
    fn public_key_validate_invalid_key() {
        let public_key_short =
            HpkePublicKey::from(decode_hex::<16>("504a36999f489cd2fdbc08baff3d88fa").to_vec());

        let x25519 = Ecdh::new(CipherSuite::CURVE25519_AES128).unwrap();
        assert_matches!(
            x25519.public_key_validate(&public_key_short),
            Err(EcdhError::InvalidPubKeyLen { .. })
        );
    }

    #[test]
    fn unsupported_cipher_suites() {
        for suite in vec![
            CipherSuite::P256_AES128,
            CipherSuite::P384_AES256,
            CipherSuite::P521_AES256,
            CipherSuite::CURVE448_CHACHA,
            CipherSuite::CURVE448_AES256,
        ] {
            assert_matches!(
                Ecdh::new(suite).unwrap().generate(),
                Err(EcdhError::UnsupportedCipherSuite)
            );
        }
    }
}