crypto/ecdh: revamp FIPS ECDH API

This makes it more similar to the ECDSA API, introducing proper key
types that can correctly "cache" the key check.

The new API also has a better compliance profile. Note how the old
ECDHPnnn functions were not doing the PCT, instead delegating to the
caller an invocation of ImportKeyPnnn.

Change-Id: Ic6cf834427fd790324919b4d92bdaa2aac840016
Reviewed-on: https://go-review.googlesource.com/c/go/+/630098
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Russ Cox <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Daniel McCarney <[email protected]>

Author: FiloSottile

src/crypto/ecdh/ecdh.go

@@ -9,6 +9,7 @@ package ecdh
 import (
 	"crypto"
 	"crypto/internal/boring"
+	"crypto/internal/fips140/ecdh"
 	"crypto/subtle"
 	"errors"
 	"io"
@@ -60,6 +61,7 @@ type PublicKey struct {
 	curve     Curve
 	publicKey []byte
 	boring    *boring.PublicKeyECDH
+	fips      *ecdh.PublicKey
 }
 
 // Bytes returns a copy of the encoding of the public key.
@@ -100,6 +102,7 @@ type PrivateKey struct {
 	privateKey []byte
 	publicKey  *PublicKey
 	boring     *boring.PrivateKeyECDH
+	fips       *ecdh.PrivateKey
 }
 
 // ECDH performs an ECDH exchange and returns the shared secret. The [PrivateKey]

src/crypto/ecdh/nist.go

@@ -13,11 +13,11 @@ import (
 )
 
 type nistCurve struct {
-	name         string
-	generate     func(io.Reader) (privateKey, publicKey []byte, err error)
-	importKey    func([]byte) (publicKey []byte, err error)
-	checkPubkey  func(publicKey []byte) error
-	sharedSecret func(privateKey, publicKey []byte) (sharedSecret []byte, err error)
+	name          string
+	generate      func(io.Reader) (*ecdh.PrivateKey, error)
+	newPrivateKey func([]byte) (*ecdh.PrivateKey, error)
+	newPublicKey  func(publicKey []byte) (*ecdh.PublicKey, error)
+	sharedSecret  func(*ecdh.PrivateKey, *ecdh.PublicKey) (sharedSecret []byte, err error)
 }
 
 func (c *nistCurve) String() string {
@@ -43,15 +43,20 @@ func (c *nistCurve) GenerateKey(rand io.Reader) (*PrivateKey, error) {
 		return k, nil
 	}
 
-	privateKey, publicKey, err := c.generate(rand)
+	privateKey, err := c.generate(rand)
 	if err != nil {
 		return nil, err
 	}
 
 	k := &PrivateKey{
 		curve:      c,
-		privateKey: privateKey,
-		publicKey:  &PublicKey{curve: c, publicKey: publicKey},
+		privateKey: privateKey.Bytes(),
+		fips:       privateKey,
+		publicKey: &PublicKey{
+			curve:     c,
+			publicKey: privateKey.PublicKey().Bytes(),
+			fips:      privateKey.PublicKey(),
+		},
 	}
 	if boring.Enabled {
 		bk, err := boring.NewPrivateKeyECDH(c.name, k.privateKey)
@@ -87,15 +92,19 @@ func (c *nistCurve) NewPrivateKey(key []byte) (*PrivateKey, error) {
 		return k, nil
 	}
 
-	publicKey, err := c.importKey(key)
+	fk, err := c.newPrivateKey(key)
 	if err != nil {
 		return nil, err
 	}
-
 	k := &PrivateKey{
 		curve:      c,
 		privateKey: bytes.Clone(key),
-		publicKey:  &PublicKey{curve: c, publicKey: publicKey},
+		fips:       fk,
+		publicKey: &PublicKey{
+			curve:     c,
+			publicKey: fk.PublicKey().Bytes(),
+			fips:      fk.PublicKey(),
+		},
 	}
 	return k, nil
 }
@@ -117,9 +126,11 @@ func (c *nistCurve) NewPublicKey(key []byte) (*PublicKey, error) {
 		}
 		k.boring = bk
 	} else {
-		if err := c.checkPubkey(k.publicKey); err != nil {
+		fk, err := c.newPublicKey(key)
+		if err != nil {
 			return nil, err
 		}
+		k.fips = fk
 	}
 	return k, nil
 }
@@ -135,7 +146,7 @@ func (c *nistCurve) ecdh(local *PrivateKey, remote *PublicKey) ([]byte, error) {
 	if boring.Enabled {
 		return boring.ECDH(local.boring, remote.boring)
 	}
-	return c.sharedSecret(local.privateKey, remote.publicKey)
+	return c.sharedSecret(local.fips, remote.fips)
 }
 
 // P256 returns a [Curve] which implements NIST P-256 (FIPS 186-3, section D.2.3),
@@ -146,11 +157,19 @@ func (c *nistCurve) ecdh(local *PrivateKey, remote *PublicKey) ([]byte, error) {
 func P256() Curve { return p256 }
 
 var p256 = &nistCurve{
-	name:         "P-256",
-	generate:     ecdh.GenerateKeyP256,
-	importKey:    ecdh.ImportKeyP256,
-	checkPubkey:  ecdh.CheckPublicKeyP256,
-	sharedSecret: ecdh.ECDHP256,
+	name: "P-256",
+	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
+		return ecdh.GenerateKey(ecdh.P256(), r)
+	},
+	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
+		return ecdh.NewPrivateKey(ecdh.P256(), b)
+	},
+	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
+		return ecdh.NewPublicKey(ecdh.P256(), publicKey)
+	},
+	sharedSecret: func(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (sharedSecret []byte, err error) {
+		return ecdh.ECDH(ecdh.P256(), priv, pub)
+	},
 }
 
 // P384 returns a [Curve] which implements NIST P-384 (FIPS 186-3, section D.2.4),
@@ -161,11 +180,19 @@ var p256 = &nistCurve{
 func P384() Curve { return p384 }
 
 var p384 = &nistCurve{
-	name:         "P-384",
-	generate:     ecdh.GenerateKeyP384,
-	importKey:    ecdh.ImportKeyP384,
-	checkPubkey:  ecdh.CheckPublicKeyP384,
-	sharedSecret: ecdh.ECDHP384,
+	name: "P-384",
+	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
+		return ecdh.GenerateKey(ecdh.P384(), r)
+	},
+	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
+		return ecdh.NewPrivateKey(ecdh.P384(), b)
+	},
+	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
+		return ecdh.NewPublicKey(ecdh.P384(), publicKey)
+	},
+	sharedSecret: func(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (sharedSecret []byte, err error) {
+		return ecdh.ECDH(ecdh.P384(), priv, pub)
+	},
 }
 
 // P521 returns a [Curve] which implements NIST P-521 (FIPS 186-3, section D.2.5),
@@ -176,9 +203,17 @@ var p384 = &nistCurve{
 func P521() Curve { return p521 }
 
 var p521 = &nistCurve{
-	name:         "P-521",
-	generate:     ecdh.GenerateKeyP521,
-	importKey:    ecdh.ImportKeyP521,
-	checkPubkey:  ecdh.CheckPublicKeyP521,
-	sharedSecret: ecdh.ECDHP521,
+	name: "P-521",
+	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
+		return ecdh.GenerateKey(ecdh.P521(), r)
+	},
+	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
+		return ecdh.NewPrivateKey(ecdh.P521(), b)
+	},
+	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
+		return ecdh.NewPublicKey(ecdh.P521(), publicKey)
+	},
+	sharedSecret: func(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (sharedSecret []byte, err error) {
+		return ecdh.ECDH(ecdh.P521(), priv, pub)
+	},
 }

src/crypto/internal/fips140/ecdh/cast.go

@@ -8,7 +8,6 @@ import (
 	"bytes"
 	"crypto/internal/fips140"
 	_ "crypto/internal/fips140/check"
-	"crypto/internal/fips140/nistec"
 	"errors"
 	"sync"
 )
@@ -39,7 +38,9 @@ var fipsSelfTest = sync.OnceFunc(func() {
 			0x83, 0x48, 0x40, 0x56, 0x69, 0xa1, 0x95, 0xfa,
 			0xc5, 0x35, 0x04, 0x06, 0xba, 0x76, 0xbc, 0xce,
 		}
-		got, err := ecdh(privateKey, publicKey, nistec.NewP256Point)
+		k := &PrivateKey{d: privateKey, pub: PublicKey{curve: p256}}
+		peer := &PublicKey{curve: p256, q: publicKey}
+		got, err := ecdh(P256(), k, peer)
 		if err != nil {
 			return err
 		}