kdf: add OpenSSL::KDF.derive

rhenium · rhenium · commit 59f24a7fbede · 2025-07-04T19:08:12.000+09:00
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
@@ -155,6 +155,7 @@ def find_openssl_library
 have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
 have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
 have_func("EVP_PKEY_dup(NULL)", evp_h)
+have_type("EVP_KDF *", "openssl/types.h")
 
 # added in 3.4.0
 have_func("TS_VERIFY_CTX_set0_certs(NULL, NULL)", ts_h)
diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c
@@ -236,6 +236,79 @@ kdf_hkdf(int argc, VALUE *argv, VALUE self)
     return str;
 }
 
+#ifdef HAVE_TYPE_EVP_KDF_P
+/*
+ * call-seq:
+ *    KDF.derive(algo, length, params) -> String
+ *
+ * Derives _length_ bytes of key material from _params_ using the \KDF algorithm
+ * specified by the String _algo_.
+ *
+ * _params_ is an Enumerable that lists the parameters and their values to be
+ * passed to the \KDF algorithm. Consult the respective EVP_KDF-* documentation
+ * for the available parameters.
+ *
+ * See the man page EVP_KDF_derive(3) for more information. Available when
+ * compiled with \OpenSSL 3.0 or later.
+ *
+ * === Example
+ *   # See the man page EVP_KDF-PBKDF2(7).
+ *   # RFC 6070 PBKDF2 HMAC-SHA1 Test Vectors, 3rd example
+ *   # https://www.rfc-editor.org/rfc/rfc6070
+ *   ret = OpenSSL::KDF.derive("PBKDF2", 20, {
+ *     "pass" => "password",
+ *     "salt" => "salt",
+ *     "iter" => 4096,
+ *     "digest" => "SHA1",
+ *   })
+ *   p ret.unpack1("H*")
+ *   #=> "4b007901b765489abead49d926f721d065a429c1"
+ */
+static VALUE
+kdf_derive(int argc, VALUE *argv, VALUE self)
+{
+    VALUE algo, keylen, hash, out;
+    int state;
+
+    rb_scan_args(argc, argv, "21", &algo, &keylen, &hash);
+    out = rb_str_new(NULL, NUM2LONG(keylen));
+
+    EVP_KDF *kdf = EVP_KDF_fetch(NULL, StringValueCStr(algo), NULL);
+    if (!kdf)
+        ossl_raise(eKDF, "EVP_KDF_fetch");
+
+    EVP_KDF_CTX *ctx = EVP_KDF_CTX_new(kdf);
+    if (!ctx) {
+        EVP_KDF_free(kdf);
+        ossl_raise(eKDF, "EVP_KDF_CTX_new");
+    }
+
+    const OSSL_PARAM *settable = EVP_KDF_CTX_settable_params(ctx);
+    if (!settable) {
+        EVP_KDF_CTX_free(ctx);
+        EVP_KDF_free(kdf);
+        ossl_raise(eKDF, "EVP_KDF_CTX_settable_params");
+    }
+
+    OSSL_PARAM *params = ossl_build_params(settable, hash, &state);
+    if (state) {
+        EVP_KDF_CTX_free(ctx);
+        EVP_KDF_free(kdf);
+        rb_jump_tag(state);
+    }
+
+    int ret = EVP_KDF_derive(ctx, (unsigned char *)RSTRING_PTR(out),
+                             RSTRING_LEN(out), params);
+    OSSL_PARAM_free(params);
+    EVP_KDF_CTX_free(ctx);
+    EVP_KDF_free(kdf);
+    if (ret != 1)
+        ossl_raise(eKDF, "EVP_KDF_derive");
+
+    return out;
+}
+#endif
+
 void
 Init_ossl_kdf(void)
 {
@@ -302,4 +375,7 @@ Init_ossl_kdf(void)
     rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
 #endif
     rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
+#ifdef HAVE_TYPE_EVP_KDF_P
+    rb_define_module_function(mKDF, "derive", kdf_derive, -1);
+#endif
 }
diff --git a/test/openssl/test_kdf.rb b/test/openssl/test_kdf.rb
@@ -170,6 +170,37 @@ def test_hkdf_rfc5869_test_case_4
     assert_equal(okm, OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: l, hash: hash))
   end
 
+  def test_derive
+    ret = OpenSSL::KDF.derive("PBKDF2", 20, {
+      "pass" => "password",
+      "salt" => "salt",
+      "iter" => 4096,
+      "digest" => "SHA1",
+    })
+    assert_equal(B("4b007901b765489abead49d926f721d065a429c1"), ret)
+
+    # param name not in settable_params
+    assert_raise_with_message(OpenSSL::OpenSSLError, /unknown.*'nosucha'/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["nosucha", "param"]])
+    }
+
+    # "pass" for PBKDF2 is an OSSL_PARAM_OCTET_STRING
+    assert_raise_with_message(OpenSSL::OpenSSLError, /'pass'.*String value/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["pass", 123]])
+    }
+
+    # "iter" for PBKDF2 is an OSSL_PARAM_UNSIGNED_INTEGER
+    assert_raise_with_message(OpenSSL::OpenSSLError, /'iter'.*non-negative/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["iter", -1]])
+    }
+
+    # "digest" for PBKDF2 is an OSSL_PARAM_UTF8_STRING, which requires a
+    # NUL-terminated string
+    assert_raise_with_message(ArgumentError, /string contains null byte/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["digest", "SHA1\0"]])
+    }
+  end if openssl?(3, 0, 0) || OpenSSL::KDF.respond_to?(:derive)
+
   private
 
   def B(ary)
