make a faster and more secure related to memory blits of pointDh for P256

2016-12-02 15:47:51 +00:00 · 2016-12-02 15:47:51 +00:00 · f627bf437a
commit f627bf437a
parent 5e52a7ffa2
2 changed files with 14 additions and 6 deletions
--- a/Crypto/ECC.hs
+++ b/Crypto/ECC.hs
@ -108,11 +108,7 @@ instance EllipticCurveArith Curve_P256R1 where
    pointSmul _ s p = P256.pointMul s p

 instance EllipticCurveDH Curve_P256R1 where
-    ecdh proxy s p = shared
-      where
-        (x, _) = P256.pointToIntegers $ pointSmul proxy s p
-        len = 32 -- (256 + 7) `div` 8
-        shared = SharedSecret $ i2ospOf_ len x
+    ecdh _ s p = SharedSecret $ P256.pointDh s p

 data Curve_P384R1 = Curve_P384R1

--- a/Crypto/PubKey/ECC/P256.hs
+++ b/Crypto/PubKey/ECC/P256.hs
@ -18,6 +18,7 @@ module Crypto.PubKey.ECC.P256
    , pointBase
    , pointAdd
    , pointMul
+    , pointDh
    , pointsMulVarTime
    , pointIsValid
    , toPoint
@ -48,7 +49,7 @@ import           Crypto.Internal.Compat
 import           Crypto.Internal.Imports
 import           Crypto.Internal.ByteArray
 import qualified Crypto.Internal.ByteArray as B
-import           Data.Memory.PtrMethods (memSet)
+import           Data.Memory.PtrMethods (memSet, memCopy)
 import           Crypto.Error
 import           Crypto.Random
 import           Crypto.Number.Serialize.Internal (os2ip, i2ospOf)
@ -112,6 +113,14 @@ pointMul scalar p = withNewPoint $ \dx dy ->
    withScalar scalar $ \n -> withPoint p $ \px py -> withScalarZero $ \nzero ->
        ccryptonite_p256_points_mul_vartime nzero n px py dx dy

+-- | Similar to 'pointMul', serializing the x coordinate as binary
+pointDh :: ByteArray binary => Scalar -> Point -> binary
+pointDh scalar p =
+    B.unsafeCreate scalarSize $ \dst -> withTempPoint $ \dx dy -> do
+        withScalar scalar $ \n -> withPoint p $ \px py -> withScalarZero $ \nzero ->
+            ccryptonite_p256_points_mul_vartime nzero n px py dx dy
+        memCopy dst (castPtr dx) scalarSize
+
 -- | multiply the point @p with @n2 and add a lifted to curve value @n1
 --
 -- > n1 * G + n2 * p
@ -282,6 +291,9 @@ withNewScalarFreeze :: (Ptr P256Scalar -> IO ()) -> Scalar
 withNewScalarFreeze f = Scalar $ B.allocAndFreeze scalarSize f
 {-# NOINLINE withNewScalarFreeze #-}

+withTempPoint :: (Ptr P256X -> Ptr P256Y -> IO a) -> IO a
+withTempPoint f = allocTempScrubbed scalarSize (\p -> let px = castPtr p in f px (pxToPy px))
+
 withTempScalar :: (Ptr P256Scalar -> IO a) -> IO a
 withTempScalar f = allocTempScrubbed scalarSize (f . castPtr)