1 /*
2 * Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <string.h>
12 #include <openssl/core_names.h>
13 #include <openssl/evp.h>
14 #include <openssl/err.h>
15
16 /*
17 * This is a demonstration of key exchange using ECDH.
18 *
19 * EC key exchange requires 2 parties (peers) to first agree on shared group
20 * parameters (the EC curve name). Each peer then generates a public/private
21 * key pair using the shared curve name. Each peer then gives their public key
22 * to the other peer. A peer can then derive the same shared secret using their
23 * private key and the other peers public key.
24 */
25
26 /* Object used to store information for a single Peer */
27 typedef struct peer_data_st {
28 const char *name; /* name of peer */
29 const char *curvename; /* The shared curve name */
30 EVP_PKEY *priv; /* private keypair */
31 EVP_PKEY *pub; /* public key to send to other peer */
32 unsigned char *secret; /* allocated shared secret buffer */
33 size_t secretlen;
34 } PEER_DATA;
35
36 /*
37 * The public key needs to be given to the other peer
38 * The following code extracts the public key data from the private key
39 * and then builds an EVP_KEY public key.
40 */
get_peer_public_key(PEER_DATA * peer,OSSL_LIB_CTX * libctx)41 static int get_peer_public_key(PEER_DATA *peer, OSSL_LIB_CTX *libctx)
42 {
43 int ret = 0;
44 EVP_PKEY_CTX *ctx;
45 OSSL_PARAM params[3];
46 unsigned char pubkeydata[256];
47 size_t pubkeylen;
48
49 /* Get the EC encoded public key data from the peers private key */
50 if (!EVP_PKEY_get_octet_string_param(peer->priv, OSSL_PKEY_PARAM_PUB_KEY,
51 pubkeydata, sizeof(pubkeydata),
52 &pubkeylen))
53 return 0;
54
55 /* Create a EC public key from the public key data */
56 ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL);
57 if (ctx == NULL)
58 return 0;
59 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
60 (char *)peer->curvename, 0);
61 params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
62 pubkeydata, pubkeylen);
63 params[2] = OSSL_PARAM_construct_end();
64 ret = EVP_PKEY_fromdata_init(ctx) > 0
65 && (EVP_PKEY_fromdata(ctx, &peer->pub, EVP_PKEY_PUBLIC_KEY,
66 params) > 0);
67 EVP_PKEY_CTX_free(ctx);
68 return ret;
69 }
70
create_peer(PEER_DATA * peer,OSSL_LIB_CTX * libctx)71 static int create_peer(PEER_DATA *peer, OSSL_LIB_CTX *libctx)
72 {
73 int ret = 0;
74 EVP_PKEY_CTX *ctx = NULL;
75 OSSL_PARAM params[2];
76
77 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
78 (char *)peer->curvename, 0);
79 params[1] = OSSL_PARAM_construct_end();
80
81 ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL);
82 if (ctx == NULL)
83 return 0;
84
85 if (EVP_PKEY_keygen_init(ctx) <= 0
86 || !EVP_PKEY_CTX_set_params(ctx, params)
87 || EVP_PKEY_generate(ctx, &peer->priv) <= 0
88 || !get_peer_public_key(peer, libctx)) {
89 EVP_PKEY_free(peer->priv);
90 peer->priv = NULL;
91 goto err;
92 }
93 ret = 1;
94 err:
95 EVP_PKEY_CTX_free(ctx);
96 return ret;
97 }
98
destroy_peer(PEER_DATA * peer)99 static void destroy_peer(PEER_DATA *peer)
100 {
101 EVP_PKEY_free(peer->priv);
102 EVP_PKEY_free(peer->pub);
103 }
104
generate_secret(PEER_DATA * peerA,EVP_PKEY * peerBpub,OSSL_LIB_CTX * libctx)105 static int generate_secret(PEER_DATA *peerA, EVP_PKEY *peerBpub,
106 OSSL_LIB_CTX *libctx)
107 {
108 unsigned char *secret = NULL;
109 size_t secretlen = 0;
110 EVP_PKEY_CTX *derivectx;
111
112 /* Create an EVP_PKEY_CTX that contains peerA's private key */
113 derivectx = EVP_PKEY_CTX_new_from_pkey(libctx, peerA->priv, NULL);
114 if (derivectx == NULL)
115 return 0;
116
117 if (EVP_PKEY_derive_init(derivectx) <= 0)
118 goto cleanup;
119 /* Set up peerB's public key */
120 if (EVP_PKEY_derive_set_peer(derivectx, peerBpub) <= 0)
121 goto cleanup;
122
123 /*
124 * For backwards compatibility purposes the OpenSSL ECDH provider supports
125 * optionally using a X963KDF to expand the secret data. This can be done
126 * with code similar to the following.
127 *
128 * OSSL_PARAM params[5];
129 * size_t outlen = 128;
130 * unsigned char ukm[] = { 1, 2, 3, 4 };
131 * params[0] = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE,
132 * "X963KDF", 0);
133 * params[1] = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST,
134 * "SHA256", 0);
135 * params[2] = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN,
136 * &outlen);
137 * params[3] = OSSL_PARAM_construct_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM,
138 * ukm, sizeof(ukm));
139 * params[4] = OSSL_PARAM_construct_end();
140 * if (!EVP_PKEY_CTX_set_params(derivectx, params))
141 * goto cleanup;
142 *
143 * Note: After the secret is generated below, the peer could alternatively
144 * pass the secret to a KDF to derive additional key data from the secret.
145 * See demos/kdf/hkdf.c for an example (where ikm is the secret key)
146 */
147
148 /* Calculate the size of the secret and allocate space */
149 if (EVP_PKEY_derive(derivectx, NULL, &secretlen) <= 0)
150 goto cleanup;
151 secret = (unsigned char *)OPENSSL_malloc(secretlen);
152 if (secret == NULL)
153 goto cleanup;
154
155 /*
156 * Derive the shared secret. In this example 32 bytes are generated.
157 * For EC curves the secret size is related to the degree of the curve
158 * which is 256 bits for P-256.
159 */
160 if (EVP_PKEY_derive(derivectx, secret, &secretlen) <= 0)
161 goto cleanup;
162 peerA->secret = secret;
163 peerA->secretlen = secretlen;
164
165 printf("Shared secret (%s):\n", peerA->name);
166 BIO_dump_indent_fp(stdout, peerA->secret, peerA->secretlen, 2);
167 putchar('\n');
168
169 return 1;
170 cleanup:
171 OPENSSL_free(secret);
172 EVP_PKEY_CTX_free(derivectx);
173 return 0;
174 }
175
main(void)176 int main(void)
177 {
178 int ret = EXIT_FAILURE;
179 /* Initialise the 2 peers that will share a secret */
180 PEER_DATA peer1 = {"peer 1", "P-256"};
181 PEER_DATA peer2 = {"peer 2", "P-256"};
182 /*
183 * Setting libctx to NULL uses the default library context
184 * Use OSSL_LIB_CTX_new() to create a non default library context
185 */
186 OSSL_LIB_CTX *libctx = NULL;
187
188 /* Each peer creates a (Ephemeral) keypair */
189 if (!create_peer(&peer1, libctx)
190 || !create_peer(&peer2, libctx)) {
191 fprintf(stderr, "Create peer failed\n");
192 goto cleanup;
193 }
194
195 /*
196 * Each peer uses its private key and the other peers public key to
197 * derive a shared secret
198 */
199 if (!generate_secret(&peer1, peer2.pub, libctx)
200 || !generate_secret(&peer2, peer1.pub, libctx)) {
201 fprintf(stderr, "Generate secrets failed\n");
202 goto cleanup;
203 }
204
205 /* For illustrative purposes demonstrate that the derived secrets are equal */
206 if (peer1.secretlen != peer2.secretlen
207 || CRYPTO_memcmp(peer1.secret, peer2.secret, peer1.secretlen) != 0) {
208 fprintf(stderr, "Derived secrets do not match\n");
209 goto cleanup;
210 } else {
211 fprintf(stdout, "Derived secrets match\n");
212 }
213
214 ret = EXIT_SUCCESS;
215 cleanup:
216 if (ret != EXIT_SUCCESS)
217 ERR_print_errors_fp(stderr);
218 destroy_peer(&peer2);
219 destroy_peer(&peer1);
220 return ret;
221 }
222
