Botan 3.7.1
Crypto and TLS for C&
ecdh.cpp
Go to the documentation of this file.
1/*
2* ECDH implemenation
3* (C) 2007 Manuel Hartl, FlexSecure GmbH
4* 2007 Falko Strenzke, FlexSecure GmbH
5* 2008-2010 Jack Lloyd
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/ecdh.h>
11
12#include <botan/internal/pk_ops_impl.h>
13
14namespace Botan {
15
16std::unique_ptr<Public_Key> ECDH_PrivateKey::public_key() const {
17 return std::make_unique<ECDH_PublicKey>(domain(), _public_ec_point());
18}
19
20namespace {
21
22/**
23* ECDH operation
24*/
25class ECDH_KA_Operation final : public PK_Ops::Key_Agreement_with_KDF {
26 public:
27 ECDH_KA_Operation(const ECDH_PrivateKey& key, std::string_view kdf, RandomNumberGenerator& rng) :
28 PK_Ops::Key_Agreement_with_KDF(kdf),
29 m_group(key.domain()),
30 m_l_times_priv(mul_cofactor_inv(m_group, key._private_key())),
31 m_rng(rng) {}
32
33 size_t agreed_value_size() const override { return m_group.get_p_bytes(); }
34
35 secure_vector<uint8_t> raw_agree(const uint8_t w[], size_t w_len) override {
36 if(m_group.has_cofactor()) {
37#if defined(BOTAN_HAS_LEGACY_EC_POINT)
38 EC_AffinePoint input_point(m_group, m_group.get_cofactor() * m_group.OS2ECP(w, w_len));
39 return input_point.mul_x_only(m_l_times_priv, m_rng, m_ws);
40#else
41 throw Not_Implemented("Support for DH with cofactor adjustment not available in this build configuration");
42#endif
43 } else {
44 if(auto input_point = EC_AffinePoint::deserialize(m_group, {w, w_len})) {
45 return input_point->mul_x_only(m_l_times_priv, m_rng, m_ws);
46 } else {
47 throw Decoding_Error("ECDH - Invalid elliptic curve point");
48 }
49 }
50 }
51
52 private:
53 static EC_Scalar mul_cofactor_inv(const EC_Group& group, const EC_Scalar& x) {
54 // We implement BSI TR-03111 ECKAEG which only matters in the (rare/deprecated)
55 // case of a curve with cofactor.
56
57 if(group.has_cofactor()) {
58 // We could precompute this but cofactors are rare
59 return x * EC_Scalar::from_bigint(group, group.get_cofactor()).invert_vartime();
60 } else {
61 return x;
62 }
63 }
64
65 const EC_Group m_group;
66 const EC_Scalar m_l_times_priv;
67 RandomNumberGenerator& m_rng;
68 std::vector<BigInt> m_ws;
69};
70
71} // namespace
72
73std::unique_ptr<Private_Key> ECDH_PublicKey::generate_another(RandomNumberGenerator& rng) const {
74 return std::make_unique<ECDH_PrivateKey>(rng, domain());
75}
76
77std::vector<uint8_t> ECDH_PublicKey::public_value(EC_Point_Format format) const {
78 return _public_ec_point().serialize(format);
79}
80
81std::unique_ptr<PK_Ops::Key_Agreement> ECDH_PrivateKey::create_key_agreement_op(RandomNumberGenerator& rng,
82 std::string_view params,
83 std::string_view provider) const {
84 if(provider == "base" || provider.empty()) {
85 return std::make_unique<ECDH_KA_Operation>(*this, params, rng);
86 }
87
88 throw Provider_Not_Found(algo_name(), provider);
89}
90
91} // namespace Botan
std::unique_ptr< Public_Key > public_key() const override
Definition ecdh.cpp:16
std::unique_ptr< PK_Ops::Key_Agreement > create_key_agreement_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition ecdh.cpp:81
std::vector< uint8_t > public_value() const
Definition ecdh.h:55
std::string algo_name() const override
Definition ecdh.h:50
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition ecdh.cpp:73
static std::optional< EC_AffinePoint > deserialize(const EC_Group &group, std::span< const uint8_t > bytes)
std::vector< uint8_t > serialize(EC_Point_Format format) const
Return an encoding depending on the requested format.
const EC_Group & domain() const
Definition ecc_key.cpp:63
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:75
static EC_Scalar from_bigint(const EC_Group &group, const BigInt &bn)
Definition ec_scalar.cpp:65
EC_Scalar invert_vartime() const
int(* final)(unsigned char *, CTX *)
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61