ecdh.go

     1  // Copyright 2022 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan
     6  
     7  package boring
     8  
     9  // #include "goboringcrypto.h"
    10  import "C"
    11  import (
    12  	"errors"
    13  	"runtime"
    14  	"unsafe"
    15  )
    16  
    17  type PublicKeyECDH struct {
    18  	curve string
    19  	key   *C.GO_EC_POINT
    20  	group *C.GO_EC_GROUP
    21  	bytes []byte
    22  }
    23  
    24  func (k *PublicKeyECDH) finalize() {
    25  	C._goboringcrypto_EC_POINT_free(k.key)
    26  }
    27  
    28  type PrivateKeyECDH struct {
    29  	curve string
    30  	key   *C.GO_EC_KEY
    31  }
    32  
    33  func (k *PrivateKeyECDH) finalize() {
    34  	C._goboringcrypto_EC_KEY_free(k.key)
    35  }
    36  
    37  func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
    38  	if len(bytes) != 1+2*curveSize(curve) {
    39  		return nil, errors.New("NewPublicKeyECDH: wrong key length")
    40  	}
    41  
    42  	nid, err := curveNID(curve)
    43  	if err != nil {
    44  		return nil, err
    45  	}
    46  
    47  	group := C._goboringcrypto_EC_GROUP_new_by_curve_name(nid)
    48  	if group == nil {
    49  		return nil, fail("EC_GROUP_new_by_curve_name")
    50  	}
    51  	defer C._goboringcrypto_EC_GROUP_free(group)
    52  	key := C._goboringcrypto_EC_POINT_new(group)
    53  	if key == nil {
    54  		return nil, fail("EC_POINT_new")
    55  	}
    56  	ok := C._goboringcrypto_EC_POINT_oct2point(group, key, (*C.uint8_t)(unsafe.Pointer(&bytes[0])), C.size_t(len(bytes)), nil) != 0
    57  	if !ok {
    58  		C._goboringcrypto_EC_POINT_free(key)
    59  		return nil, errors.New("point not on curve")
    60  	}
    61  
    62  	k := &PublicKeyECDH{curve, key, group, append([]byte(nil), bytes...)}
    63  	// Note: Because of the finalizer, any time k.key is passed to cgo,
    64  	// that call must be followed by a call to runtime.KeepAlive(k),
    65  	// to make sure k is not collected (and finalized) before the cgo
    66  	// call returns.
    67  	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
    68  	return k, nil
    69  }
    70  
    71  func (k *PublicKeyECDH) Bytes() []byte { return k.bytes }
    72  
    73  func NewPrivateKeyECDH(curve string, bytes []byte) (*PrivateKeyECDH, error) {
    74  	if len(bytes) != curveSize(curve) {
    75  		return nil, errors.New("NewPrivateKeyECDH: wrong key length")
    76  	}
    77  
    78  	nid, err := curveNID(curve)
    79  	if err != nil {
    80  		return nil, err
    81  	}
    82  	key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid)
    83  	if key == nil {
    84  		return nil, fail("EC_KEY_new_by_curve_name")
    85  	}
    86  	b := bytesToBN(bytes)
    87  	ok := b != nil && C._goboringcrypto_EC_KEY_set_private_key(key, b) != 0
    88  	if b != nil {
    89  		C._goboringcrypto_BN_free(b)
    90  	}
    91  	if !ok {
    92  		C._goboringcrypto_EC_KEY_free(key)
    93  		return nil, fail("EC_KEY_set_private_key")
    94  	}
    95  	k := &PrivateKeyECDH{curve, key}
    96  	// Note: Same as in NewPublicKeyECDH regarding finalizer and KeepAlive.
    97  	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
    98  	return k, nil
    99  }
   100  
   101  func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
   102  	defer runtime.KeepAlive(k)
   103  
   104  	group := C._goboringcrypto_EC_KEY_get0_group(k.key)
   105  	if group == nil {
   106  		return nil, fail("EC_KEY_get0_group")
   107  	}
   108  	kbig := C._goboringcrypto_EC_KEY_get0_private_key(k.key)
   109  	if kbig == nil {
   110  		return nil, fail("EC_KEY_get0_private_key")
   111  	}
   112  	pt := C._goboringcrypto_EC_POINT_new(group)
   113  	if pt == nil {
   114  		return nil, fail("EC_POINT_new")
   115  	}
   116  	if C._goboringcrypto_EC_POINT_mul(group, pt, kbig, nil, nil, nil) == 0 {
   117  		C._goboringcrypto_EC_POINT_free(pt)
   118  		return nil, fail("EC_POINT_mul")
   119  	}
   120  	bytes, err := pointBytesECDH(k.curve, group, pt)
   121  	if err != nil {
   122  		C._goboringcrypto_EC_POINT_free(pt)
   123  		return nil, err
   124  	}
   125  	pub := &PublicKeyECDH{k.curve, pt, group, bytes}
   126  	// Note: Same as in NewPublicKeyECDH regarding finalizer and KeepAlive.
   127  	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
   128  	return pub, nil
   129  }
   130  
   131  func pointBytesECDH(curve string, group *C.GO_EC_GROUP, pt *C.GO_EC_POINT) ([]byte, error) {
   132  	out := make([]byte, 1+2*curveSize(curve))
   133  	n := C._goboringcrypto_EC_POINT_point2oct(group, pt, C.GO_POINT_CONVERSION_UNCOMPRESSED, (*C.uint8_t)(unsafe.Pointer(&out[0])), C.size_t(len(out)), nil)
   134  	if int(n) != len(out) {
   135  		return nil, fail("EC_POINT_point2oct")
   136  	}
   137  	return out, nil
   138  }
   139  
   140  func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
   141  	// Make sure priv and pub are not garbage collected while we are in a cgo
   142  	// call.
   143  	//
   144  	// The call to xCoordBytesECDH should prevent priv from being collected, but
   145  	// include this in case the code is reordered and there is a subsequent call
   146  	// cgo call after that point.
   147  	defer runtime.KeepAlive(priv)
   148  	defer runtime.KeepAlive(pub)
   149  
   150  	group := C._goboringcrypto_EC_KEY_get0_group(priv.key)
   151  	if group == nil {
   152  		return nil, fail("EC_KEY_get0_group")
   153  	}
   154  	privBig := C._goboringcrypto_EC_KEY_get0_private_key(priv.key)
   155  	if privBig == nil {
   156  		return nil, fail("EC_KEY_get0_private_key")
   157  	}
   158  	pt := C._goboringcrypto_EC_POINT_new(group)
   159  	if pt == nil {
   160  		return nil, fail("EC_POINT_new")
   161  	}
   162  	defer C._goboringcrypto_EC_POINT_free(pt)
   163  	if C._goboringcrypto_EC_POINT_mul(group, pt, nil, pub.key, privBig, nil) == 0 {
   164  		return nil, fail("EC_POINT_mul")
   165  	}
   166  	out, err := xCoordBytesECDH(priv.curve, group, pt)
   167  	if err != nil {
   168  		return nil, err
   169  	}
   170  	return out, nil
   171  }
   172  
   173  func xCoordBytesECDH(curve string, group *C.GO_EC_GROUP, pt *C.GO_EC_POINT) ([]byte, error) {
   174  	big := C._goboringcrypto_BN_new()
   175  	defer C._goboringcrypto_BN_free(big)
   176  	if C._goboringcrypto_EC_POINT_get_affine_coordinates_GFp(group, pt, big, nil, nil) == 0 {
   177  		return nil, fail("EC_POINT_get_affine_coordinates_GFp")
   178  	}
   179  	return bigBytesECDH(curve, big)
   180  }
   181  
   182  func bigBytesECDH(curve string, big *C.GO_BIGNUM) ([]byte, error) {
   183  	out := make([]byte, curveSize(curve))
   184  	if C._goboringcrypto_BN_bn2bin_padded((*C.uint8_t)(&out[0]), C.size_t(len(out)), big) == 0 {
   185  		return nil, fail("BN_bn2bin_padded")
   186  	}
   187  	return out, nil
   188  }
   189  
   190  func curveSize(curve string) int {
   191  	switch curve {
   192  	default:
   193  		panic("crypto/internal/boring: unknown curve " + curve)
   194  	case "P-256":
   195  		return 256 / 8
   196  	case "P-384":
   197  		return 384 / 8
   198  	case "P-521":
   199  		return (521 + 7) / 8
   200  	}
   201  }
   202  
   203  func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
   204  	nid, err := curveNID(curve)
   205  	if err != nil {
   206  		return nil, nil, err
   207  	}
   208  	key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid)
   209  	if key == nil {
   210  		return nil, nil, fail("EC_KEY_new_by_curve_name")
   211  	}
   212  	if C._goboringcrypto_EC_KEY_generate_key_fips(key) == 0 {
   213  		C._goboringcrypto_EC_KEY_free(key)
   214  		return nil, nil, fail("EC_KEY_generate_key_fips")
   215  	}
   216  
   217  	group := C._goboringcrypto_EC_KEY_get0_group(key)
   218  	if group == nil {
   219  		C._goboringcrypto_EC_KEY_free(key)
   220  		return nil, nil, fail("EC_KEY_get0_group")
   221  	}
   222  	b := C._goboringcrypto_EC_KEY_get0_private_key(key)
   223  	if b == nil {
   224  		C._goboringcrypto_EC_KEY_free(key)
   225  		return nil, nil, fail("EC_KEY_get0_private_key")
   226  	}
   227  	bytes, err := bigBytesECDH(curve, b)
   228  	if err != nil {
   229  		C._goboringcrypto_EC_KEY_free(key)
   230  		return nil, nil, err
   231  	}
   232  
   233  	k := &PrivateKeyECDH{curve, key}
   234  	// Note: Same as in NewPublicKeyECDH regarding finalizer and KeepAlive.
   235  	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
   236  	return k, bytes, nil
   237  }
   238
View as plain text