crypto/ecdh: new package

We use crypto/internal/edwards25519/field to implement X25519 directly, so that golang.org/x/crypto/curve25519 can be dropped from the src module dependencies, and eventually replaced with a crypto/ecdh wrapper, removing the need to keep golang.org/x/crypto/curve25519/internal/field in sync with crypto/internal/edwards25519/field. In crypto/internal/nistec, we add BytesX to serialize only the x coordinate, which we'll need for the horrible ECDSA x-coord-to-scalar operation, too. In crypto/tls, we replace the ECDHE implementation with crypto/ecdh, dropping the X25519 special cases and related scaffolding. Finally, FINALLY, we deprecate the ~white whale~ big.Int-based APIs of the crypto/elliptic package. •_•) ( •_•)>⌐■-■ (⌐■_■) Fixes #52182 Fixes #34648 Fixes #52221 Change-Id: Iccdda210319cc892e96bb28a0e7b7123551982c7 Reviewed-on: https://go-review.googlesource.com/c/go/+/398914 Reviewed-by: Fernando Lobato Meeser <felobato@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
2025-04-03 20:17:36 +03:00 · 2022-04-07 15:15:31 -04:00 · 2022-04-07 15:15:31 -04:00 · f80ca9c941
commit f80ca9c941
parent 8011ffeccb
6 changed files with 85 additions and 121 deletions
--- a/handshake_client.go
+++ b/handshake_client.go
@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rsa"
@ -35,7 +36,7 @@ type clientHandshakeState struct {

 var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme

-func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
+func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) {
 	config := c.config
 	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
 		return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
@ -124,7 +125,7 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 		hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
 	}

-	var params ecdheParameters
+	var key *ecdh.PrivateKey
 	if hello.supportedVersions[0] == VersionTLS13 {
 		if hasAESGCMHardwareSupport {
 			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
@ -133,17 +134,17 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 		}

 		curveID := config.curvePreferences()[0]
-		if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
+		if _, ok := curveForCurveID(curveID); !ok {
 			return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
 		}
-		params, err = generateECDHEParameters(config.rand(), curveID)
+		key, err = generateECDHEKey(config.rand(), curveID)
 		if err != nil {
 			return nil, nil, err
 		}
-		hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
+		hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
 	}

-	return hello, params, nil
+	return hello, key, nil
 }

 func (c *Conn) clientHandshake(ctx context.Context) (err error) {
@ -155,7 +156,7 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) {
 	// need to be reset.
 	c.didResume = false

-	hello, ecdheParams, err := c.makeClientHello()
+	hello, ecdheKey, err := c.makeClientHello()
 	if err != nil {
 		return err
 	}
@ -213,7 +214,7 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) {
 			ctx:         ctx,
 			serverHello: serverHello,
 			hello:       hello,
-			ecdheParams: ecdheParams,
+			ecdheKey:    ecdheKey,
 			session:     session,
 			earlySecret: earlySecret,
 			binderKey:   binderKey,