void_crypto/

ecies.rs

//! Shared ECIES (Elliptic Curve Integrated Encryption Scheme) operations.
//!
//! This module provides common ECIES functions for key derivation and
//! shared secret validation. All inputs and outputs use typed key newtypes
//! from void-crypto — raw x25519-dalek types stay internal.

use hkdf::Hkdf;
use sha2::Sha256;
use x25519_dalek::{PublicKey, StaticSecret};

use crate::kdf::{RecipientSecretKey, SecretKey};
use crate::keys::RecipientPubKey;

/// HKDF info parameter for ECIES key derivation.
pub const ECIES_INFO: &[u8] = b"void-ecies-v1";

/// Errors that can occur in ECIES operations.
#[derive(Debug, thiserror::Error)]
pub enum EciesError {
    #[error("invalid shared secret: possible low-order point attack")]
    InvalidSharedSecret,
    #[error("key derivation failed")]
    KeyDerivationFailed,
}

/// Perform X25519 DH key exchange and derive a symmetric encryption key.
///
/// This function:
/// 1. Performs X25519 Diffie-Hellman to get a shared secret
/// 2. Validates the shared secret (rejects low-order points)
/// 3. Derives a 32-byte key using HKDF-SHA256
///
/// # Arguments
/// * `our_secret` - Our X25519 private key (identity recipient key or ephemeral)
/// * `their_public` - The other party's X25519 public key
///
/// # Returns
/// A `SecretKey` suitable for AES-256-GCM encryption.
pub fn perform_dh_and_derive(
    our_secret: &RecipientSecretKey,
    their_public: &RecipientPubKey,
) -> Result<SecretKey, EciesError> {
    let our_x25519 = StaticSecret::from(*our_secret.as_bytes());
    let their_x25519 = PublicKey::from(*their_public.as_bytes());

    let shared_secret = our_x25519.diffie_hellman(&their_x25519);

    // Reject low-order point attacks (all-zero shared secret)
    if !is_valid_shared_secret(shared_secret.as_bytes()) {
        return Err(EciesError::InvalidSharedSecret);
    }

    // Derive key with HKDF-SHA256
    let hk = Hkdf::<Sha256>::new(None, shared_secret.as_bytes());
    let mut key = [0u8; 32];
    hk.expand(ECIES_INFO, &mut key)
        .map_err(|_| EciesError::KeyDerivationFailed)?;

    Ok(SecretKey::new(key))
}

/// Check if a shared secret is valid (non-zero).
///
/// All-zero shared secrets can occur with low-order points and should be rejected.
fn is_valid_shared_secret(secret: &[u8; 32]) -> bool {
    secret.iter().any(|&b| b != 0)
}

#[cfg(test)]
mod tests {
    use super::*;

    fn random_recipient_keypair() -> (RecipientSecretKey, RecipientPubKey) {
        let mut bytes = [0u8; 32];
        rand::RngCore::fill_bytes(&mut rand::thread_rng(), &mut bytes);
        let secret = StaticSecret::from(bytes);
        let public = PublicKey::from(&secret);
        (
            RecipientSecretKey::from_bytes(bytes),
            RecipientPubKey::from_bytes(public.to_bytes()),
        )
    }

    #[test]
    fn is_valid_shared_secret_rejects_zeros() {
        let zero_secret = [0u8; 32];
        assert!(!is_valid_shared_secret(&zero_secret));
    }

    #[test]
    fn is_valid_shared_secret_accepts_nonzero() {
        let mut secret = [0u8; 32];
        secret[0] = 1;
        assert!(is_valid_shared_secret(&secret));

        secret[0] = 0;
        secret[31] = 1;
        assert!(is_valid_shared_secret(&secret));
    }

    #[test]
    fn perform_dh_and_derive_roundtrip() {
        let (alice_secret, alice_public) = random_recipient_keypair();
        let (bob_secret, bob_public) = random_recipient_keypair();

        // Both should derive the same key
        let alice_key = perform_dh_and_derive(&alice_secret, &bob_public).unwrap();
        let bob_key = perform_dh_and_derive(&bob_secret, &alice_public).unwrap();

        assert_eq!(alice_key.as_bytes(), bob_key.as_bytes());
    }

    #[test]
    fn perform_dh_and_derive_rejects_zero_public_key() {
        let (our_secret, _) = random_recipient_keypair();
        let zero_public = RecipientPubKey::from_bytes([0u8; 32]);

        let result = perform_dh_and_derive(&our_secret, &zero_public);
        assert!(matches!(result, Err(EciesError::InvalidSharedSecret)));
    }
}