ecdh.rs source code [crates/ring-0.17.8/src/ec/suite_b/ecdh.rs]

1	// Copyright 2015-2017 Brian Smith.
2	//
3	// Permission to use, copy, modify, and/or distribute this software for any
4	// purpose with or without fee is hereby granted, provided that the above
5	// copyright notice and this permission notice appear in all copies.
6	//
7	// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8	// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9	// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
10	// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11	// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12	// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13	// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15	//! ECDH key agreement using the P-256 and P-384 curves.
16
17	use super::{ops::, private_key::, public_key::*};
18	use crate::{agreement, ec, error};
19
20	/// A key agreement algorithm.
21	macro_rules! ecdh {
22	( $NAME:ident, $curve:expr, $name_str:expr, $private_key_ops:expr,
23	$public_key_ops:expr, $ecdh:ident ) => {
24	#[doc = "ECDH using the NSA Suite B"]
25	#[doc=$name_str]
26	#[doc = "curve."]
27	///
28	/// Public keys are encoding in uncompressed form using the
29	/// Octet-String-to-Elliptic-Curve-Point algorithm in
30	/// [SEC 1: Elliptic Curve Cryptography, Version 2.0]. Public keys are
31	/// validated during key agreement according to
32	/// [NIST Special Publication 800-56A, revision 2] and Appendix B.3 of
33	/// the NSA's [Suite B Implementer's Guide to NIST SP 800-56A].
34	///
35	/// [SEC 1: Elliptic Curve Cryptography, Version 2.0]:
36	/// http://www.secg.org/sec1-v2.pdf
37	/// [NIST Special Publication 800-56A, revision 2]:
38	/// http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
39	/// [Suite B Implementer's Guide to NIST SP 800-56A]:
40	/// https://github.com/briansmith/ring/blob/main/doc/ecdh.pdf
41	pub static $NAME: agreement::Algorithm = agreement::Algorithm {
42	curve: $curve,
43	ecdh: $ecdh,
44	};
45
46	fn $ecdh(
47	out: &mut [u8],
48	my_private_key: &ec::Seed,
49	peer_public_key: untrusted::Input,
50	) -> Result<(), error::Unspecified> {
51	ecdh(
52	$private_key_ops,
53	$public_key_ops,
54	out,
55	my_private_key,
56	peer_public_key,
57	)
58	}
59	};
60	}
61
62	ecdh!(
63	ECDH_P256,
64	&ec::suite_b::curve::P256,
65	"P-256 (secp256r1)",
66	&p256::PRIVATE_KEY_OPS,
67	&p256::PUBLIC_KEY_OPS,
68	p256_ecdh
69	);
70
71	ecdh!(
72	ECDH_P384,
73	&ec::suite_b::curve::P384,
74	"P-384 (secp384r1)",
75	&p384::PRIVATE_KEY_OPS,
76	&p384::PUBLIC_KEY_OPS,
77	p384_ecdh
78	);
79
80	fn ecdh(
81	private_key_ops: &PrivateKeyOps,
82	public_key_ops: &PublicKeyOps,
83	out: &mut [u8],
84	my_private_key: &ec::Seed,
85	peer_public_key: untrusted::Input,
86	) -> Result<(), error::Unspecified> {
87	// The NIST SP 800-56Ar2 steps are from section 5.7.1.2 Elliptic Curve
88	// Cryptography Cofactor Diffie-Hellman (ECC CDH) Primitive.
89	//
90	// The "NSA Guide" steps are from section 3.1 of the NSA guide, "Ephemeral
91	// Unified Model."
92
93	// NSA Guide Step 1 is handled separately.
94
95	// NIST SP 800-56Ar2 5.6.2.2.2.
96	// NSA Guide Step 2.
97	//
98	// `parse_uncompressed_point` verifies that the point is not at infinity
99	// and that it is on the curve, using the Partial Public-Key Validation
100	// Routine.
101	let peer_public_key = parse_uncompressed_point(public_key_ops, peer_public_key)?;
102
103	// NIST SP 800-56Ar2 Step 1.
104	// NSA Guide Step 3 (except point at infinity check).
105	//
106	// Note that the cofactor (h) is one since we only support prime-order
107	// curves, so we can safely ignore the cofactor.
108	//
109	// It is impossible for the result to be the point at infinity because our
110	// private key is in the range [1, n) and the curve has prime order and
111	// `parse_uncompressed_point` verified that the peer public key is on the
112	// curve and not at infinity. However, since the standards require the
113	// check, we do it using `assert!`.
114	//
115	// NIST SP 800-56Ar2 defines "Destroy" thusly: "In this Recommendation, to
116	// destroy is an action applied to a key or a piece of secret data. After
117	// a key or a piece of secret data is destroyed, no information about its
118	// value can be recovered." We interpret "destroy" somewhat liberally: we
119	// assume that since we throw away the values to be destroyed, no
120	// information about their values can be recovered. This doesn't meet the
121	// NSA guide's explicit requirement to "zeroize" them though.
122	// TODO: this only needs common scalar ops
123	let my_private_key = private_key_as_scalar(private_key_ops, my_private_key);
124	let product = private_key_ops.point_mul(&my_private_key, &peer_public_key);
125
126	// NIST SP 800-56Ar2 Steps 2, 3, 4, and 5.
127	// NSA Guide Steps 3 (point at infinity check) and 4.
128	//
129	// Again, we have a pretty liberal interpretation of the NIST's spec's
130	// "Destroy" that doesn't meet the NSA requirement to "zeroize."
131	// `big_endian_affine_from_jacobian` verifies that the result is not at
132	// infinity and also does an extra check to verify that the point is on
133	// the curve.
134	big_endian_affine_from_jacobian(private_key_ops, Some(out), None, &product)
135
136	// NSA Guide Step 5 & 6 are deferred to the caller. Again, we have a
137	// pretty liberal interpretation of the NIST's spec's "Destroy" that
138	// doesn't meet the NSA requirement to "zeroize."
139	}
140
141	#[cfg(test)]
142	mod tests {
143	use super::super::ops;
144	use crate::{agreement, ec, limb, test};
145
146	static SUPPORTED_SUITE_B_ALGS: [(&str, &agreement::Algorithm, &ec::Curve, &ops::CommonOps); `2`] = [
147	(
148	"P-256",
149	&agreement::ECDH_P256,
150	&super::super::curve::P256,
151	&super::super::ops::p256::COMMON_OPS,
152	),
153	(
154	"P-384",
155	&agreement::ECDH_P384,
156	&super::super::curve::P384,
157	&super::super::ops::p384::COMMON_OPS,
158	),
159	];
160
161	#[test]
162	fn test_agreement_suite_b_ecdh_generate() {
163	// Generates a string of bytes 0x00...00, which will always result in
164	// a scalar value of zero.
165	let random_00 = test::rand::FixedByteRandom { byte: `0x00` };
166
167	// Generates a string of bytes 0xFF...FF, which will be larger than the
168	// group order of any curve that is supported.
169	let random_ff = test::rand::FixedByteRandom { byte: `0xff` };
170
171	for &(_, alg, curve, ops) in SUPPORTED_SUITE_B_ALGS.iter() {
172	// Test that the private key value zero is rejected and that
173	// `generate` gives up after a while of only getting zeros.
174	assert!(agreement::EphemeralPrivateKey::generate(alg, &random_00).is_err());
175
176	// Test that the private key value larger than the group order is
177	// rejected and that `generate` gives up after a while of only
178	// getting values larger than the group order.
179	assert!(agreement::EphemeralPrivateKey::generate(alg, &random_ff).is_err());
180
181	// Test that a private key value exactly equal to the group order
182	// is rejected and that `generate` gives up after a while of only
183	// getting that value from the PRNG.
184	let mut n_bytes = [`0u8`; ec::SCALAR_MAX_BYTES];
185	let num_bytes = curve.elem_scalar_seed_len;
186	limb::big_endian_from_limbs(ops.n_limbs(), &mut n_bytes[..num_bytes]);
187	{
188	let n_bytes = &mut n_bytes[..num_bytes];
189	let rng = test::rand::FixedSliceRandom { bytes: n_bytes };
190	assert!(agreement::EphemeralPrivateKey::generate(alg, &rng).is_err());
191	}
192
193	// Test that a private key value exactly equal to the group order
194	// minus 1 is accepted.
195	let mut n_minus_1_bytes = n_bytes;
196	{
197	let n_minus_1_bytes = &mut n_minus_1_bytes[..num_bytes];
198	n_minus_1_bytes[num_bytes - `1`] -= `1`;
199	let rng = test::rand::FixedSliceRandom {
200	bytes: n_minus_1_bytes,
201	};
202	let key = agreement::EphemeralPrivateKey::generate(alg, &rng).unwrap();
203	assert_eq!(n_minus_1_bytes, key.bytes());
204	}
205
206	// Test that n + 1 also fails.
207	let mut n_plus_1_bytes = n_bytes;
208	{
209	let n_plus_1_bytes = &mut n_plus_1_bytes[..num_bytes];
210	n_plus_1_bytes[num_bytes - `1`] += `1`;
211	let rng = test::rand::FixedSliceRandom {
212	bytes: n_plus_1_bytes,
213	};
214	assert!(agreement::EphemeralPrivateKey::generate(alg, &rng).is_err());
215	}
216
217	// Test recovery from initial RNG failure. The first value will be
218	// n, then n + 1, then zero, the next value will be n - 1, which
219	// will be accepted.
220	{
221	let bytes = [
222	&n_bytes[..num_bytes],
223	&n_plus_1_bytes[..num_bytes],
224	&[`0u8`; ec::SCALAR_MAX_BYTES][..num_bytes],
225	&n_minus_1_bytes[..num_bytes],
226	];
227	let rng = test::rand::FixedSliceSequenceRandom {
228	bytes: &bytes,
229	current: core::cell::UnsafeCell::new(`0`),
230	};
231	let key = agreement::EphemeralPrivateKey::generate(alg, &rng).unwrap();
232	assert_eq!(&n_minus_1_bytes[..num_bytes], key.bytes());
233	}
234	}
235	}
236	}
237