kdf: add OpenSSL::KDF.derive

rhenium · rhenium · commit dce970b3309f · 2025-07-24T19:43:06.000+09:00
Expose EVP_KDF_derive() added in OpenSSL 3.0. OpenSSL apparently plans
to implement new algorithms through this interface only from now on.
For example, the Argon2 password hashing algorithm added in OpenSSL 3.2
is available exclusively through this API.

This is a low-level and minimum method to interact with the API. You
will have to carefully read the relevant man pages to use this
correctly.
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
@@ -155,6 +155,7 @@ def find_openssl_library
 have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
 have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
 have_func("EVP_PKEY_dup(NULL)", evp_h)
+have_type("EVP_KDF *", "openssl/types.h")
 
 # added in 3.2.0
 have_func("SSL_get0_group_name(NULL)", ssl_h)
diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c
@@ -236,6 +236,79 @@ kdf_hkdf(int argc, VALUE *argv, VALUE self)
     return str;
 }
 
+#ifdef HAVE_TYPE_EVP_KDF_P
+/*
+ * call-seq:
+ *    KDF.derive(algo, length, params) -> String
+ *
+ * Derives _length_ bytes of key material from _params_ using the \KDF algorithm
+ * specified by the String _algo_.
+ *
+ * _params_ is an Enumerable that lists the parameters and their values to be
+ * passed to the \KDF algorithm. Consult the respective EVP_KDF-* documentation
+ * for the available parameters.
+ *
+ * See the man page EVP_KDF_derive(3) for more information. Available when
+ * compiled with \OpenSSL 3.0 or later.
+ *
+ * === Example
+ *   # See the man page EVP_KDF-PBKDF2(7).
+ *   # RFC 6070 PBKDF2 HMAC-SHA1 Test Vectors, 3rd example
+ *   # https://www.rfc-editor.org/rfc/rfc6070
+ *   ret = OpenSSL::KDF.derive("PBKDF2", 20, {
+ *     "pass" => "password",
+ *     "salt" => "salt",
+ *     "iter" => 4096,
+ *     "digest" => "SHA1",
+ *   })
+ *   p ret.unpack1("H*")
+ *   #=> "4b007901b765489abead49d926f721d065a429c1"
+ */
+static VALUE
+kdf_derive(int argc, VALUE *argv, VALUE self)
+{
+    VALUE algo, keylen, hash, out;
+    int state;
+
+    rb_scan_args(argc, argv, "21", &algo, &keylen, &hash);
+    out = rb_str_new(NULL, NUM2LONG(keylen));
+
+    EVP_KDF *kdf = EVP_KDF_fetch(NULL, StringValueCStr(algo), NULL);
+    if (!kdf)
+        ossl_raise(eKDF, "EVP_KDF_fetch");
+
+    EVP_KDF_CTX *ctx = EVP_KDF_CTX_new(kdf);
+    if (!ctx) {
+        EVP_KDF_free(kdf);
+        ossl_raise(eKDF, "EVP_KDF_CTX_new");
+    }
+
+    const OSSL_PARAM *settable = EVP_KDF_CTX_settable_params(ctx);
+    if (!settable) {
+        EVP_KDF_CTX_free(ctx);
+        EVP_KDF_free(kdf);
+        ossl_raise(eKDF, "EVP_KDF_CTX_settable_params");
+    }
+
+    OSSL_PARAM *params = ossl_build_params(settable, hash, &state);
+    if (state) {
+        EVP_KDF_CTX_free(ctx);
+        EVP_KDF_free(kdf);
+        rb_jump_tag(state);
+    }
+
+    int ret = EVP_KDF_derive(ctx, (unsigned char *)RSTRING_PTR(out),
+                             RSTRING_LEN(out), params);
+    OSSL_PARAM_free(params);
+    EVP_KDF_CTX_free(ctx);
+    EVP_KDF_free(kdf);
+    if (ret != 1)
+        ossl_raise(eKDF, "EVP_KDF_derive");
+
+    return out;
+}
+#endif
+
 void
 Init_ossl_kdf(void)
 {
@@ -302,4 +375,7 @@ Init_ossl_kdf(void)
     rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
 #endif
     rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
+#ifdef HAVE_TYPE_EVP_KDF_P
+    rb_define_module_function(mKDF, "derive", kdf_derive, -1);
+#endif
 }
diff --git a/test/openssl/test_kdf.rb b/test/openssl/test_kdf.rb
@@ -170,6 +170,37 @@ def test_hkdf_rfc5869_test_case_4
     assert_equal(okm, OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: l, hash: hash))
   end
 
+  def test_derive
+    ret = OpenSSL::KDF.derive("PBKDF2", 20, {
+      "pass" => "password",
+      "salt" => "salt",
+      "iter" => 4096,
+      "digest" => "SHA1",
+    })
+    assert_equal(B("4b007901b765489abead49d926f721d065a429c1"), ret)
+
+    # param name not in settable_params
+    assert_raise_with_message(OpenSSL::OpenSSLError, /unknown.*'nosucha'/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["nosucha", "param"]])
+    }
+
+    # "pass" for PBKDF2 is an OSSL_PARAM_OCTET_STRING
+    assert_raise_with_message(OpenSSL::OpenSSLError, /'pass'.*String value/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["pass", 123]])
+    }
+
+    # "iter" for PBKDF2 is an OSSL_PARAM_UNSIGNED_INTEGER
+    assert_raise_with_message(OpenSSL::OpenSSLError, /'iter'.*non-negative/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["iter", -1]])
+    }
+
+    # "digest" for PBKDF2 is an OSSL_PARAM_UTF8_STRING, which requires a
+    # NUL-terminated string
+    assert_raise_with_message(ArgumentError, /string contains null byte/) {
+      OpenSSL::KDF.derive("PBKDF2", 20, [["digest", "SHA1\0"]])
+    }
+  end if openssl?(3, 0, 0) || OpenSSL::KDF.respond_to?(:derive)
+
   private
 
   def B(ary)
