Update crypto/ecdh to use boringcrypto when enabled.
Change-Id: Idd0ce06a22b1a62289b383c46893800621c7d97b
Reviewed-on: https://go-review.googlesource.com/c/go/+/423363
Run-TryBot: Russ Cox <rsc@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
import (
"crypto"
+ "crypto/internal/boring"
"crypto/subtle"
"io"
"sync"
type PublicKey struct {
curve Curve
publicKey []byte
+ boring *boring.PublicKeyECDH
}
// Bytes returns a copy of the encoding of the public key.
type PrivateKey struct {
curve Curve
privateKey []byte
+ boring *boring.PrivateKeyECDH
// publicKey is set under publicKeyOnce, to allow loading private keys with
// NewPrivateKey without having to perform a scalar multiplication.
publicKey *PublicKey
func (k *PrivateKey) PublicKey() *PublicKey {
k.publicKeyOnce.Do(func() {
- k.publicKey = k.curve.privateKeyToPublicKey(k)
+ if k.boring != nil {
+ // Because we already checked in NewPrivateKey that the key is valid,
+ // there should not be any possible errors from BoringCrypto,
+ // so we turn the error into a panic.
+ // (We can't return it anyhow.)
+ kpub, err := k.boring.PublicKey()
+ if err != nil {
+ panic("boringcrypto: " + err.Error())
+ }
+ k.publicKey = &PublicKey{
+ curve: k.curve,
+ publicKey: kpub.Bytes(),
+ boring: kpub,
+ }
+ } else {
+ k.publicKey = k.curve.privateKeyToPublicKey(k)
+ }
})
return k.publicKey
}
"crypto/cipher"
"crypto/ecdh"
"crypto/rand"
+ "crypto/sha256"
"encoding/hex"
"fmt"
"internal/testenv"
t.Fatal(err)
}
if !bytes.Equal(secret, hexDecode(t, v.SharedSecret)) {
- t.Error("shared secret does not match")
+ t.Errorf("shared secret does not match: %x %x %s %x", secret, sha256.Sum256(secret), v.SharedSecret,
+ sha256.Sum256(hexDecode(t, v.SharedSecret)))
}
})
}
t.Errorf("unexpectedly accepted %q", input)
} else if k != nil {
t.Error("PrivateKey was not nil on error")
+ } else if strings.Contains(err.Error(), "boringcrypto") {
+ t.Errorf("boringcrypto error leaked out: %v", err)
}
}
})
t.Errorf("unexpectedly accepted %q", input)
} else if k != nil {
t.Error("PublicKey was not nil on error")
+ } else if strings.Contains(err.Error(), "boringcrypto") {
+ t.Errorf("boringcrypto error leaked out: %v", err)
}
}
})
package ecdh
import (
+ "crypto/internal/boring"
"crypto/internal/nistec"
"crypto/internal/randutil"
"encoding/binary"
var errInvalidPrivateKey = errors.New("crypto/ecdh: invalid private key")
func (c *nistCurve[Point]) GenerateKey(rand io.Reader) (*PrivateKey, error) {
+ if boring.Enabled && rand == boring.RandReader {
+ key, bytes, err := boring.GenerateKeyECDH(c.name)
+ if err != nil {
+ return nil, err
+ }
+ return newBoringPrivateKey(c, key, bytes)
+ }
+
key := make([]byte, len(c.scalarOrder))
randutil.MaybeReadByte(rand)
for {
if isZero(key) || !isLess(key, c.scalarOrder) {
return nil, errInvalidPrivateKey
}
- return &PrivateKey{
+ if boring.Enabled {
+ bk, err := boring.NewPrivateKeyECDH(c.name, key)
+ if err != nil {
+ return nil, err
+ }
+ return newBoringPrivateKey(c, bk, key)
+ }
+ k := &PrivateKey{
curve: c,
privateKey: append([]byte{}, key...),
- }, nil
+ }
+ return k, nil
+}
+
+func newBoringPrivateKey(c Curve, bk *boring.PrivateKeyECDH, privateKey []byte) (*PrivateKey, error) {
+ k := &PrivateKey{
+ curve: c,
+ boring: bk,
+ privateKey: append([]byte(nil), privateKey...),
+ }
+ return k, nil
}
func (c *nistCurve[Point]) privateKeyToPublicKey(key *PrivateKey) *PublicKey {
+ boring.Unreachable()
if key.curve != c {
panic("crypto/ecdh: internal error: converting the wrong key type")
}
if len(key) == 0 || key[0] != 4 {
return nil, errors.New("crypto/ecdh: invalid public key")
}
- // SetBytes also checks that the point is on the curve.
- if _, err := c.newPoint().SetBytes(key); err != nil {
- return nil, err
- }
-
- return &PublicKey{
+ k := &PublicKey{
curve: c,
publicKey: append([]byte{}, key...),
- }, nil
+ }
+ if boring.Enabled {
+ bk, err := boring.NewPublicKeyECDH(c.name, k.publicKey)
+ if err != nil {
+ return nil, err
+ }
+ k.boring = bk
+ } else {
+ // SetBytes also checks that the point is on the curve.
+ if _, err := c.newPoint().SetBytes(key); err != nil {
+ return nil, err
+ }
+ }
+ return k, nil
}
func (c *nistCurve[Point]) ECDH(local *PrivateKey, remote *PublicKey) ([]byte, error) {
// at infinity, but in a prime order group such as the NIST curves that can
// only be the result of a scalar multiplication if one of the inputs is the
// zero scalar or the point at infinity.
+
+ if boring.Enabled {
+ return boring.ECDH(local.boring, remote.boring)
+ }
+
+ boring.Unreachable()
p, err := c.newPoint().SetBytes(remote.publicKey)
if err != nil {
return nil, err
return C._goboringcrypto_BN_le2bn(wbase(x), C.size_t(len(x)*wordBytes), nil)
}
+func bytesToBN(x []byte) *C.GO_BIGNUM {
+ return C._goboringcrypto_BN_bin2bn((*C.uint8_t)(&x[0]), C.size_t(len(x)), nil)
+}
+
func bnToBig(bn *C.GO_BIGNUM) BigInt {
x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes)
if C._goboringcrypto_BN_bn2le_padded(wbase(x), C.size_t(len(x)*wordBytes), bn) == 0 {
/\/\*unchecked/ { next }
# Check enum values.
-!enum && $1 == "enum" && $NF == "{" {
+!enum && ($1 == "enum" || $2 == "enum") && $NF == "{" {
enum = 1
next
}
enum = 0
next
}
+enum && /^}.*;$/ {
+ enum = 0
+ next
+}
enum && NF == 3 && $2 == "=" {
name = $1
sub(/^GO_/, "", name)
cat >boringh.awk <<'EOF'
/^\/\/ #include/ {sub(/\/\//, ""); print > "goboringcrypto0.h"; next}
/typedef struct|enum ([a-z_]+ )?{|^[ \t]/ {print >"goboringcrypto1.h";next}
-{gsub(/GO_/, ""); gsub(/enum go_/, "enum "); print >"goboringcrypto1.h"}
+{gsub(/GO_/, ""); gsub(/enum go_/, "enum "); gsub(/go_point_conv/, "point_conv"); print >"goboringcrypto1.h"}
EOF
awk -f boringx.awk goboringcrypto.h # writes goboringcrypto.x
--- /dev/null
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build boringcrypto && linux && (amd64 || arm64) && !android && !cmd_go_bootstrap && !msan
+
+package boring
+
+// #include "goboringcrypto.h"
+import "C"
+import (
+ "errors"
+ "runtime"
+ "unsafe"
+)
+
+type PublicKeyECDH struct {
+ curve string
+ key *C.GO_EC_POINT
+ group *C.GO_EC_GROUP
+ bytes []byte
+}
+
+func (k *PublicKeyECDH) finalize() {
+ C._goboringcrypto_EC_POINT_free(k.key)
+}
+
+type PrivateKeyECDH struct {
+ curve string
+ key *C.GO_EC_KEY
+}
+
+func (k *PrivateKeyECDH) finalize() {
+ C._goboringcrypto_EC_KEY_free(k.key)
+}
+
+func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
+ if len(bytes) < 1 {
+ return nil, errors.New("NewPublicKeyECDH: missing key")
+ }
+
+ nid, err := curveNID(curve)
+ if err != nil {
+ return nil, err
+ }
+
+ group := C._goboringcrypto_EC_GROUP_new_by_curve_name(nid)
+ if group == nil {
+ return nil, fail("EC_GROUP_new_by_curve_name")
+ }
+ defer C._goboringcrypto_EC_GROUP_free(group)
+ key := C._goboringcrypto_EC_POINT_new(group)
+ if key == nil {
+ return nil, fail("EC_POINT_new")
+ }
+ ok := C._goboringcrypto_EC_POINT_oct2point(group, key, (*C.uint8_t)(unsafe.Pointer(&bytes[0])), C.size_t(len(bytes)), nil) != 0
+ if !ok {
+ C._goboringcrypto_EC_POINT_free(key)
+ return nil, errors.New("point not on curve")
+ }
+
+ k := &PublicKeyECDH{curve, key, group, append([]byte(nil), bytes...)}
+ // Note: Because of the finalizer, any time k.key is passed to cgo,
+ // that call must be followed by a call to runtime.KeepAlive(k),
+ // to make sure k is not collected (and finalized) before the cgo
+ // call returns.
+ runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
+ return k, nil
+}
+
+func (k *PublicKeyECDH) Bytes() []byte { return k.bytes }
+
+func NewPrivateKeyECDH(curve string, bytes []byte) (*PrivateKeyECDH, error) {
+ nid, err := curveNID(curve)
+ if err != nil {
+ return nil, err
+ }
+ key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid)
+ if key == nil {
+ return nil, fail("EC_KEY_new_by_curve_name")
+ }
+ b := bytesToBN(bytes)
+ ok := b != nil && C._goboringcrypto_EC_KEY_set_private_key(key, b) != 0
+ if b != nil {
+ C._goboringcrypto_BN_free(b)
+ }
+ if !ok {
+ C._goboringcrypto_EC_KEY_free(key)
+ return nil, fail("EC_KEY_set_private_key")
+ }
+ k := &PrivateKeyECDH{curve, key}
+ // Note: Same as in NewPublicKeyECDH regarding finalizer and KeepAlive.
+ runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+ return k, nil
+}
+
+func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
+ defer runtime.KeepAlive(k)
+
+ group := C._goboringcrypto_EC_KEY_get0_group(k.key)
+ if group == nil {
+ return nil, fail("EC_KEY_get0_group")
+ }
+ kbig := C._goboringcrypto_EC_KEY_get0_private_key(k.key)
+ if kbig == nil {
+ return nil, fail("EC_KEY_get0_private_key")
+ }
+ pt := C._goboringcrypto_EC_POINT_new(group)
+ if pt == nil {
+ return nil, fail("EC_POINT_new")
+ }
+ if C._goboringcrypto_EC_POINT_mul(group, pt, kbig, nil, nil, nil) == 0 {
+ C._goboringcrypto_EC_POINT_free(pt)
+ return nil, fail("EC_POINT_mul")
+ }
+ bytes, err := pointBytesECDH(k.curve, group, pt)
+ if err != nil {
+ C._goboringcrypto_EC_POINT_free(pt)
+ return nil, err
+ }
+ pub := &PublicKeyECDH{k.curve, pt, group, bytes}
+ // Note: Same as in NewPublicKeyECDH regarding finalizer and KeepAlive.
+ runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
+ return pub, nil
+}
+
+func pointBytesECDH(curve string, group *C.GO_EC_GROUP, pt *C.GO_EC_POINT) ([]byte, error) {
+ out := make([]byte, 1+2*curveSize(curve))
+ n := C._goboringcrypto_EC_POINT_point2oct(group, pt, C.GO_POINT_CONVERSION_UNCOMPRESSED, (*C.uint8_t)(unsafe.Pointer(&out[0])), C.size_t(len(out)), nil)
+ if int(n) != len(out) {
+ return nil, fail("EC_POINT_point2oct")
+ }
+ return out, nil
+}
+
+func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
+ group := C._goboringcrypto_EC_KEY_get0_group(priv.key)
+ if group == nil {
+ return nil, fail("EC_KEY_get0_group")
+ }
+ privBig := C._goboringcrypto_EC_KEY_get0_private_key(priv.key)
+ if privBig == nil {
+ return nil, fail("EC_KEY_get0_private_key")
+ }
+ pt := C._goboringcrypto_EC_POINT_new(group)
+ if pt == nil {
+ return nil, fail("EC_POINT_new")
+ }
+ defer C._goboringcrypto_EC_POINT_free(pt)
+ if C._goboringcrypto_EC_POINT_mul(group, pt, nil, pub.key, privBig, nil) == 0 {
+ return nil, fail("EC_POINT_mul")
+ }
+ out, err := xCoordBytesECDH(priv.curve, group, pt)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+func xCoordBytesECDH(curve string, group *C.GO_EC_GROUP, pt *C.GO_EC_POINT) ([]byte, error) {
+ big := C._goboringcrypto_BN_new()
+ defer C._goboringcrypto_BN_free(big)
+ if C._goboringcrypto_EC_POINT_get_affine_coordinates_GFp(group, pt, big, nil, nil) == 0 {
+ return nil, fail("EC_POINT_get_affine_coordinates_GFp")
+ }
+ return bigBytesECDH(curve, big)
+}
+
+func bigBytesECDH(curve string, big *C.GO_BIGNUM) ([]byte, error) {
+ out := make([]byte, curveSize(curve))
+ if C._goboringcrypto_BN_bn2bin_padded((*C.uint8_t)(&out[0]), C.size_t(len(out)), big) == 0 {
+ return nil, fail("BN_bn2bin_padded")
+ }
+ return out, nil
+}
+
+func curveSize(curve string) int {
+ switch curve {
+ default:
+ panic("crypto/internal/boring: unknown curve " + curve)
+ case "P-256":
+ return 256 / 8
+ case "P-384":
+ return 384 / 8
+ case "P-521":
+ return (521 + 7) / 8
+ }
+}
+
+func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
+ nid, err := curveNID(curve)
+ if err != nil {
+ return nil, nil, err
+ }
+ key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid)
+ if key == nil {
+ return nil, nil, fail("EC_KEY_new_by_curve_name")
+ }
+ if C._goboringcrypto_EC_KEY_generate_key_fips(key) == 0 {
+ C._goboringcrypto_EC_KEY_free(key)
+ return nil, nil, fail("EC_KEY_generate_key_fips")
+ }
+
+ group := C._goboringcrypto_EC_KEY_get0_group(key)
+ if group == nil {
+ C._goboringcrypto_EC_KEY_free(key)
+ return nil, nil, fail("EC_KEY_get0_group")
+ }
+ b := C._goboringcrypto_EC_KEY_get0_private_key(key)
+ if b == nil {
+ C._goboringcrypto_EC_KEY_free(key)
+ return nil, nil, fail("EC_KEY_get0_private_key")
+ }
+ bytes, err := bigBytesECDH(curve, b)
+ if err != nil {
+ C._goboringcrypto_EC_KEY_free(key)
+ return nil, nil, err
+ }
+
+ k := &PrivateKeyECDH{curve, key}
+ // Note: Same as in NewPublicKeyECDH regarding finalizer and KeepAlive.
+ runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+ return k, bytes, nil
+}
GO_BIGNUM* _goboringcrypto_BN_le2bn(const uint8_t*, size_t, GO_BIGNUM*);
size_t _goboringcrypto_BN_bn2bin(const GO_BIGNUM*, uint8_t*);
int _goboringcrypto_BN_bn2le_padded(uint8_t*, size_t, const GO_BIGNUM*);
+int _goboringcrypto_BN_bn2bin_padded(uint8_t*, size_t, const GO_BIGNUM*);
// #include <openssl/ec.h>
/*unchecked (opaque)*/ typedef struct GO_EC_GROUP { char data[1]; } GO_EC_GROUP;
/*unchecked (opaque)*/ typedef struct GO_EC_POINT { char data[1]; } GO_EC_POINT;
GO_EC_POINT* _goboringcrypto_EC_POINT_new(const GO_EC_GROUP*);
+int _goboringcrypto_EC_POINT_mul(const GO_EC_GROUP*, GO_EC_POINT*, const GO_BIGNUM*, const GO_EC_POINT*, const GO_BIGNUM*, GO_BN_CTX*);
void _goboringcrypto_EC_POINT_free(GO_EC_POINT*);
int _goboringcrypto_EC_POINT_get_affine_coordinates_GFp(const GO_EC_GROUP*, const GO_EC_POINT*, GO_BIGNUM*, GO_BIGNUM*, GO_BN_CTX*);
int _goboringcrypto_EC_POINT_set_affine_coordinates_GFp(const GO_EC_GROUP*, GO_EC_POINT*, const GO_BIGNUM*, const GO_BIGNUM*, GO_BN_CTX*);
+int _goboringcrypto_EC_POINT_oct2point(const GO_EC_GROUP*, GO_EC_POINT*, const uint8_t*, size_t, GO_BN_CTX*);
+GO_EC_POINT* _goboringcrypto_EC_POINT_dup(const GO_EC_POINT*, const GO_EC_GROUP*);
+int _goboringcrypto_EC_POINT_is_on_curve(const GO_EC_GROUP*, const GO_EC_POINT*, GO_BN_CTX*);
+#ifndef OPENSSL_HEADER_EC_H
+typedef enum {
+ GO_POINT_CONVERSION_COMPRESSED = 2,
+ GO_POINT_CONVERSION_UNCOMPRESSED = 4,
+ GO_POINT_CONVERSION_HYBRID = 6,
+} go_point_conversion_form_t;
+#endif
+size_t _goboringcrypto_EC_POINT_point2oct(const GO_EC_GROUP*, const GO_EC_POINT*, go_point_conversion_form_t, uint8_t*, size_t, GO_BN_CTX*);
// #include <openssl/ec_key.h>
/*unchecked (opaque)*/ typedef struct GO_EC_KEY { char data[1]; } GO_EC_KEY;
const GO_EC_POINT* _goboringcrypto_EC_KEY_get0_public_key(const GO_EC_KEY*);
// TODO: EC_KEY_check_fips?
+// #include <openssl/ecdh.h>
+int _goboringcrypto_ECDH_compute_key_fips(uint8_t*, size_t, const GO_EC_POINT*, const GO_EC_KEY*);
+
// #include <openssl/ecdsa.h>
typedef struct GO_ECDSA_SIG { char data[16]; } GO_ECDSA_SIG;
GO_ECDSA_SIG* _goboringcrypto_ECDSA_SIG_new(void);
func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
panic("boringcrypto: not available")
}
+
+type PublicKeyECDH struct{}
+type PrivateKeyECDH struct{}
+
+func ECDH(*PrivateKeyECDH, *PublicKeyECDH) ([]byte, error) { panic("boringcrypto: not available") }
+func GenerateKeyECDH(string) (*PrivateKeyECDH, []byte, error) { panic("boringcrypto: not available") }
+func NewPrivateKeyECDH(string, []byte) (*PrivateKeyECDH, error) { panic("boringcrypto: not available") }
+func NewPublicKeyECDH(string, []byte) (*PublicKeyECDH, error) { panic("boringcrypto: not available") }
+func (*PublicKeyECDH) Bytes() []byte { panic("boringcrypto: not available") }
+func (*PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) { panic("boringcrypto: not available") }
< crypto
< crypto/subtle
< crypto/internal/alias
- < crypto/internal/randutil
- < crypto/internal/nistec/fiat
- < crypto/internal/nistec
- < crypto/internal/edwards25519/field
- < crypto/internal/edwards25519, crypto/ecdh
< crypto/cipher;
crypto/cipher,
crypto/internal/boring/bcache
< crypto/internal/boring
- < crypto/boring
+ < crypto/boring;
+
+ crypto/internal/alias
+ < crypto/internal/randutil
+ < crypto/internal/nistec/fiat
+ < crypto/internal/nistec
+ < crypto/internal/edwards25519/field
+ < crypto/internal/edwards25519;
+
+ crypto/boring
< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
- crypto/sha1, crypto/sha256, crypto/sha512
+ crypto/sha1, crypto/sha256, crypto/sha512;
+
+ crypto/boring, crypto/internal/edwards25519/field
+ < crypto/ecdh;
+
+ crypto/aes,
+ crypto/des,
+ crypto/ecdh,
+ crypto/hmac,
+ crypto/internal/edwards25519,
+ crypto/md5,
+ crypto/rc4,
+ crypto/sha1,
+ crypto/sha256,
+ crypto/sha512
< CRYPTO;
CGO, fmt, net !< CRYPTO;