cc/subtle/ecies_hkdf_recipient_kem_boringssl.cc - third_party/tink - Git at Google

 // Copyright 2017 Google Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ///////////////////////////////////////////////////////////////////////////////

 #include "tink/subtle/ecies_hkdf_recipient_kem_boringssl.h"

 #include <utility>

 #include "absl/memory/memory.h"
 #include "absl/status/status.h"
 #include "openssl/bn.h"
 #include "openssl/ec.h"
 #include "openssl/evp.h"
 #include "tink/internal/ec_util.h"
 #include "tink/internal/ssl_unique_ptr.h"
 #include "tink/subtle/common_enums.h"
 #include "tink/subtle/hkdf.h"
 #include "tink/util/errors.h"
 #include "tink/util/secret_data.h"

 namespace crypto {
 namespace tink {
 namespace subtle {

 // static
 util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
 EciesHkdfRecipientKemBoringSsl::New(EllipticCurveType curve,
                                     util::SecretData priv_key) {
   switch (curve) {
     case EllipticCurveType::NIST_P256:
     case EllipticCurveType::NIST_P384:
     case EllipticCurveType::NIST_P521:
       return EciesHkdfNistPCurveRecipientKemBoringSsl::New(curve,
                                                            std::move(priv_key));
     case EllipticCurveType::CURVE25519:
       return EciesHkdfX25519RecipientKemBoringSsl::New(curve,
                                                        std::move(priv_key));
     default:
       return util::Status(absl::StatusCode::kUnimplemented,
                           "Unsupported elliptic curve");
   }
 }

 // static
 util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
 EciesHkdfNistPCurveRecipientKemBoringSsl::New(EllipticCurveType curve,
                                               util::SecretData priv_key) {
   auto status = internal::CheckFipsCompatibility<
       EciesHkdfNistPCurveRecipientKemBoringSsl>();
   if (!status.ok()) return status;

   if (priv_key.empty()) {
     return util::Status(absl::StatusCode::kInvalidArgument, "empty priv_key");
   }
   auto status_or_ec_group = internal::EcGroupFromCurveType(curve);
   if (!status_or_ec_group.ok()) return status_or_ec_group.status();
   // TODO(przydatek): consider refactoring internal/ec_util,
   //     so that the saved group can be used for KEM operations.
   return {absl::WrapUnique(new EciesHkdfNistPCurveRecipientKemBoringSsl(
       curve, std::move(priv_key), std::move(status_or_ec_group.value())))};
 }

 EciesHkdfNistPCurveRecipientKemBoringSsl::
     EciesHkdfNistPCurveRecipientKemBoringSsl(
         EllipticCurveType curve, util::SecretData priv_key_value,
         internal::SslUniquePtr<EC_GROUP> ec_group)
     : curve_(curve),
       priv_key_value_(std::move(priv_key_value)),
       ec_group_(std::move(ec_group)) {}

 util::StatusOr<util::SecretData>
 EciesHkdfNistPCurveRecipientKemBoringSsl::GenerateKey(
     absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt,
     absl::string_view hkdf_info, uint32_t key_size_in_bytes,
     EcPointFormat point_format) const {
   auto status_or_ec_point =
       internal::EcPointDecode(curve_, point_format, kem_bytes);
   if (!status_or_ec_point.ok()) {
     return ToStatusF(absl::StatusCode::kInvalidArgument,
                      "Invalid KEM bytes: %s",
                      status_or_ec_point.status().message());
   }
   internal::SslUniquePtr<EC_POINT> pub_key =
       std::move(status_or_ec_point.value());
   internal::SslUniquePtr<BIGNUM> priv_key(
       BN_bin2bn(priv_key_value_.data(), priv_key_value_.size(), nullptr));
   auto shared_secret_or =
       internal::ComputeEcdhSharedSecret(curve_, priv_key.get(), pub_key.get());
   if (!shared_secret_or.ok()) {
     return shared_secret_or.status();
   }
   util::SecretData shared_secret = shared_secret_or.value();
   return Hkdf::ComputeEciesHkdfSymmetricKey(
       hash, kem_bytes, shared_secret, hkdf_salt, hkdf_info, key_size_in_bytes);
 }

 EciesHkdfX25519RecipientKemBoringSsl::EciesHkdfX25519RecipientKemBoringSsl(
     internal::SslUniquePtr<EVP_PKEY> private_key)
     : private_key_(std::move(private_key)) {}

 // static
 util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
 EciesHkdfX25519RecipientKemBoringSsl::New(EllipticCurveType curve,
                                           util::SecretData priv_key) {
   auto status =
       internal::CheckFipsCompatibility<EciesHkdfX25519RecipientKemBoringSsl>();
   if (!status.ok()) return status;

   if (curve != CURVE25519) {
     return util::Status(absl::StatusCode::kInvalidArgument,
                         "curve is not CURVE25519");
   }
   if (priv_key.size() != internal::X25519KeyPubKeySize()) {
     return util::Status(absl::StatusCode::kInvalidArgument,
                         "pubx has unexpected length");
   }

   internal::SslUniquePtr<EVP_PKEY> ssl_priv_key(EVP_PKEY_new_raw_private_key(
       /*type=*/EVP_PKEY_X25519, /*unused=*/nullptr, /*in=*/priv_key.data(),
       /*len=*/internal::Ed25519KeyPrivKeySize()));
   if (ssl_priv_key == nullptr) {
     return util::Status(absl::StatusCode::kInternal,
                         "EVP_PKEY_new_raw_private_key failed");
   }

   return {absl::WrapUnique(
       new EciesHkdfX25519RecipientKemBoringSsl(std::move(ssl_priv_key)))};
 }

 crypto::tink::util::StatusOr<util::SecretData>
 EciesHkdfX25519RecipientKemBoringSsl::GenerateKey(
     absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt,
     absl::string_view hkdf_info, uint32_t key_size_in_bytes,
     EcPointFormat point_format) const {
   if (point_format != EcPointFormat::COMPRESSED) {
     return util::Status(
         absl::StatusCode::kInvalidArgument,
         "X25519 only supports compressed elliptic curve points");
   }

   if (kem_bytes.size() != internal::X25519KeyPubKeySize()) {
     return util::Status(absl::StatusCode::kInvalidArgument,
                         "kem_bytes has unexpected size");
   }

   internal::SslUniquePtr<EVP_PKEY> peer_key(EVP_PKEY_new_raw_public_key(
       /*type=*/EVP_PKEY_X25519, /*unused=*/nullptr,
       /*in=*/reinterpret_cast<const uint8_t*>(kem_bytes.data()),
       /*len=*/internal::Ed25519KeyPubKeySize()));
   if (peer_key == nullptr) {
     return util::Status(absl::StatusCode::kInternal,
                         "EVP_PKEY_new_raw_public_key failed");
   }

   util::StatusOr<util::SecretData> shared_secret =
       internal::ComputeX25519SharedSecret(private_key_.get(), peer_key.get());
   if (!shared_secret.ok()) {
     return shared_secret.status();
   }

   return Hkdf::ComputeEciesHkdfSymmetricKey(
       hash, kem_bytes, *shared_secret, hkdf_salt, hkdf_info, key_size_in_bytes);
 }

 }  // namespace subtle
 }  // namespace tink
 }  // namespace crypto
	// Copyright 2017 Google Inc.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	///////////////////////////////////////////////////////////////////////////////

	#include "tink/subtle/ecies_hkdf_recipient_kem_boringssl.h"

	#include <utility>

	#include "absl/memory/memory.h"
	#include "absl/status/status.h"
	#include "openssl/bn.h"
	#include "openssl/ec.h"
	#include "openssl/evp.h"
	#include "tink/internal/ec_util.h"
	#include "tink/internal/ssl_unique_ptr.h"
	#include "tink/subtle/common_enums.h"
	#include "tink/subtle/hkdf.h"
	#include "tink/util/errors.h"
	#include "tink/util/secret_data.h"

	namespace crypto {
	namespace tink {
	namespace subtle {

	// static
	util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
	EciesHkdfRecipientKemBoringSsl::New(EllipticCurveType curve,
	util::SecretData priv_key) {
	switch (curve) {
	case EllipticCurveType::NIST_P256:
	case EllipticCurveType::NIST_P384:
	case EllipticCurveType::NIST_P521:
	return EciesHkdfNistPCurveRecipientKemBoringSsl::New(curve,
	std::move(priv_key));
	case EllipticCurveType::CURVE25519:
	return EciesHkdfX25519RecipientKemBoringSsl::New(curve,
	std::move(priv_key));
	default:
	return util::Status(absl::StatusCode::kUnimplemented,
	"Unsupported elliptic curve");
	}
	}

	// static
	util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
	EciesHkdfNistPCurveRecipientKemBoringSsl::New(EllipticCurveType curve,
	util::SecretData priv_key) {
	auto status = internal::CheckFipsCompatibility<
	EciesHkdfNistPCurveRecipientKemBoringSsl>();
	if (!status.ok()) return status;

	if (priv_key.empty()) {
	return util::Status(absl::StatusCode::kInvalidArgument, "empty priv_key");
	}
	auto status_or_ec_group = internal::EcGroupFromCurveType(curve);
	if (!status_or_ec_group.ok()) return status_or_ec_group.status();
	// TODO(przydatek): consider refactoring internal/ec_util,
	// so that the saved group can be used for KEM operations.
	return {absl::WrapUnique(new EciesHkdfNistPCurveRecipientKemBoringSsl(
	curve, std::move(priv_key), std::move(status_or_ec_group.value())))};
	}

	EciesHkdfNistPCurveRecipientKemBoringSsl::
	EciesHkdfNistPCurveRecipientKemBoringSsl(
	EllipticCurveType curve, util::SecretData priv_key_value,
	internal::SslUniquePtr<EC_GROUP> ec_group)
	: curve_(curve),
	priv_key_value_(std::move(priv_key_value)),
	ec_group_(std::move(ec_group)) {}

	util::StatusOr<util::SecretData>
	EciesHkdfNistPCurveRecipientKemBoringSsl::GenerateKey(
	absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt,
	absl::string_view hkdf_info, uint32_t key_size_in_bytes,
	EcPointFormat point_format) const {
	auto status_or_ec_point =
	internal::EcPointDecode(curve_, point_format, kem_bytes);
	if (!status_or_ec_point.ok()) {
	return ToStatusF(absl::StatusCode::kInvalidArgument,
	"Invalid KEM bytes: %s",
	status_or_ec_point.status().message());
	}
	internal::SslUniquePtr<EC_POINT> pub_key =
	std::move(status_or_ec_point.value());
	internal::SslUniquePtr<BIGNUM> priv_key(
	BN_bin2bn(priv_key_value_.data(), priv_key_value_.size(), nullptr));
	auto shared_secret_or =
	internal::ComputeEcdhSharedSecret(curve_, priv_key.get(), pub_key.get());
	if (!shared_secret_or.ok()) {
	return shared_secret_or.status();
	}
	util::SecretData shared_secret = shared_secret_or.value();
	return Hkdf::ComputeEciesHkdfSymmetricKey(
	hash, kem_bytes, shared_secret, hkdf_salt, hkdf_info, key_size_in_bytes);
	}

	EciesHkdfX25519RecipientKemBoringSsl::EciesHkdfX25519RecipientKemBoringSsl(
	internal::SslUniquePtr<EVP_PKEY> private_key)
	: private_key_(std::move(private_key)) {}

	// static
	util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
	EciesHkdfX25519RecipientKemBoringSsl::New(EllipticCurveType curve,
	util::SecretData priv_key) {
	auto status =
	internal::CheckFipsCompatibility<EciesHkdfX25519RecipientKemBoringSsl>();
	if (!status.ok()) return status;

	if (curve != CURVE25519) {
	return util::Status(absl::StatusCode::kInvalidArgument,
	"curve is not CURVE25519");
	}
	if (priv_key.size() != internal::X25519KeyPubKeySize()) {
	return util::Status(absl::StatusCode::kInvalidArgument,
	"pubx has unexpected length");
	}

	internal::SslUniquePtr<EVP_PKEY> ssl_priv_key(EVP_PKEY_new_raw_private_key(
	/type=/EVP_PKEY_X25519, /unused=/nullptr, /in=/priv_key.data(),
	/len=/internal::Ed25519KeyPrivKeySize()));
	if (ssl_priv_key == nullptr) {
	return util::Status(absl::StatusCode::kInternal,
	"EVP_PKEY_new_raw_private_key failed");
	}

	return {absl::WrapUnique(
	new EciesHkdfX25519RecipientKemBoringSsl(std::move(ssl_priv_key)))};
	}

	crypto::tink::util::StatusOr<util::SecretData>
	EciesHkdfX25519RecipientKemBoringSsl::GenerateKey(
	absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt,
	absl::string_view hkdf_info, uint32_t key_size_in_bytes,
	EcPointFormat point_format) const {
	if (point_format != EcPointFormat::COMPRESSED) {
	return util::Status(
	absl::StatusCode::kInvalidArgument,
	"X25519 only supports compressed elliptic curve points");
	}

	if (kem_bytes.size() != internal::X25519KeyPubKeySize()) {
	return util::Status(absl::StatusCode::kInvalidArgument,
	"kem_bytes has unexpected size");
	}

	internal::SslUniquePtr<EVP_PKEY> peer_key(EVP_PKEY_new_raw_public_key(
	/type=/EVP_PKEY_X25519, /unused=/nullptr,
	/in=/reinterpret_cast<const uint8_t*>(kem_bytes.data()),
	/len=/internal::Ed25519KeyPubKeySize()));
	if (peer_key == nullptr) {
	return util::Status(absl::StatusCode::kInternal,
	"EVP_PKEY_new_raw_public_key failed");
	}

	util::StatusOr<util::SecretData> shared_secret =
	internal::ComputeX25519SharedSecret(private_key_.get(), peer_key.get());
	if (!shared_secret.ok()) {
	return shared_secret.status();
	}

	return Hkdf::ComputeEciesHkdfSymmetricKey(
	hash, kem_bytes, *shared_secret, hkdf_salt, hkdf_info, key_size_in_bytes);
	}

	} // namespace subtle
	} // namespace tink
	} // namespace crypto