From b76bac752ff0305730472a334bd2aaba1bd29210 Mon Sep 17 00:00:00 2001
From: Jacek Sieka
Date: Wed, 30 Aug 2023 11:39:48 +0200
Subject: [PATCH] avoid importing `ecnist` when not needed (#942)

---
 libp2p/crypto/crypto.nim | 38 +++++---------------------------------
 libp2p/crypto/ecnist.nim | 30 ++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/libp2p/crypto/crypto.nim b/libp2p/crypto/crypto.nim
index 2accbdd5e..4f7c198fb 100644
--- a/libp2p/crypto/crypto.nim
+++ b/libp2p/crypto/crypto.nim
@@ -65,11 +65,13 @@ when supported(PKScheme.Ed25519):
   import ed25519/ed25519
 when supported(PKScheme.Secp256k1):
   import secp
+when supported(PKScheme.ECDSA):
+  import ecnist
 
-# We are still importing `ecnist` because, it is used for SECIO handshake,
-# but it will be impossible to create ECNIST keys or import ECNIST keys.
+  # These used to be declared in `crypto` itself
+  export ecnist.ephemeral, ecnist.ECDHEScheme
 
-import ecnist, bearssl/rand, bearssl/hash as bhash
+import bearssl/rand, bearssl/hash as bhash
 import ../protobuf/minprotobuf, ../vbuffer, ../multihash, ../multicodec
 import nimcrypto/[rijndael, twofish, sha2, hash, hmac]
 # We use `ncrutils` for constant-time hexadecimal encoding/decoding procedures.
@@ -86,8 +88,6 @@ type
     Sha256,
     Sha512
 
-  ECDHEScheme* = EcCurveKind
-
   PublicKey* = object
     case scheme*: PKScheme
     of PKScheme.RSA:
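Review bot: With the import now conditional, `ephemeral` and `ECDHEScheme` are only reachable through `crypto` when `PKScheme.ECDSA` is in the supported set, yet the comment this hunk removes says the SECIO handshake relies on them; nothing in the hunk guards those callers, so a build without ECDSA will presumably fail to compile wherever they are used unless that module is gated the same way (not visible here). If that trade-off is intended, record it next to the `export` line, e.g. `# Only available when ECDSA is enabled; SECIO (which needs ephemeral ECDHE keys) must be gated on the same condition`, so the next reader does not re-add the unconditional import. The second hunk, which drops the `ECDHEScheme` alias from `crypto`'s own type section, carries the same caveat.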
@@ -879,34 +879,6 @@ proc mac*(secret: Secret, id: int): seq[byte] {.inline.} =
     offset += secret.ivsize + secret.keysize
   copyMem(addr result[0], unsafeAddr secret.data[offset], secret.macsize)
 
-proc ephemeral*(
-    scheme: ECDHEScheme,
-    rng: var HmacDrbgContext): CryptoResult[EcKeyPair] =
-  ## Generate ephemeral keys used to perform ECDHE.
-  var keypair: EcKeyPair
-  if scheme == Secp256r1:
-    keypair = ? EcKeyPair.random(Secp256r1, rng).orError(KeyError)
-  elif scheme == Secp384r1:
-    keypair = ? EcKeyPair.random(Secp384r1, rng).orError(KeyError)
-  elif scheme == Secp521r1:
-    keypair = ? EcKeyPair.random(Secp521r1, rng).orError(KeyError)
-  ok(keypair)
-
-proc ephemeral*(
-    scheme: string, rng: var HmacDrbgContext): CryptoResult[EcKeyPair] =
-  ## Generate ephemeral keys used to perform ECDHE using string encoding.
-  ##
-  ## Currently supported encoding strings are P-256, P-384, P-521, if encoding
-  ## string is not supported P-521 key will be generated.
-  if scheme == "P-256":
-    ephemeral(Secp256r1, rng)
-  elif scheme == "P-384":
-    ephemeral(Secp384r1, rng)
-  elif scheme == "P-521":
-    ephemeral(Secp521r1, rng)
-  else:
-    ephemeral(Secp521r1, rng)
-
 proc getOrder*(remotePubkey, localNonce: openArray[byte],
                localPubkey, remoteNonce: openArray[byte]): CryptoResult[int] =
   ## Compare values and calculate `order` parameter.
diff --git a/libp2p/crypto/ecnist.nim b/libp2p/crypto/ecnist.nim
index 644e91d69..8471e0e97 100644
--- a/libp2p/crypto/ecnist.nim
+++ b/libp2p/crypto/ecnist.nim
@@ -994,3 +994,33 @@ proc verify*[T: byte|char](sig: EcSignature, message: openArray[T],
     # Clear context with initial value
     kv.init(addr hc.vtable)
     result = (res == 1)
+
+type ECDHEScheme* = EcCurveKind
+
+proc ephemeral*(
+    scheme: ECDHEScheme,
+    rng: var HmacDrbgContext): EcResult[EcKeyPair] =
+  ## Generate ephemeral keys used to perform ECDHE.
+  var keypair: EcKeyPair
+  if scheme == Secp256r1:
+    keypair = ? EcKeyPair.random(Secp256r1, rng)
+  elif scheme == Secp384r1:
+    keypair = ? EcKeyPair.random(Secp384r1, rng)
+  elif scheme == Secp521r1:
+    keypair = ? EcKeyPair.random(Secp521r1, rng)
+  ok(keypair)
+
+proc ephemeral*(
+    scheme: string, rng: var HmacDrbgContext): EcResult[EcKeyPair] =
+  ## Generate ephemeral keys used to perform ECDHE using string encoding.
+  ##
+  ## Currently supported encoding strings are P-256, P-384, P-521, if encoding
+  ## string is not supported P-521 key will be generated.
+  if scheme == "P-256":
+    ephemeral(Secp256r1, rng)
+  elif scheme == "P-384":
+    ephemeral(Secp384r1, rng)
+  elif scheme == "P-521":
+    ephemeral(Secp521r1, rng)
+  else:
+    ephemeral(Secp521r1, rng)
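Review bot: The new `ephemeral(scheme: ECDHEScheme, ...)` has an `if`/`elif` chain with no `else`, so any `EcCurveKind` member outside the three listed would leave `keypair` default-initialised and still be returned through `ok(keypair)` — a success result carrying an empty key pair instead of an error. Because `scheme` already is an `EcCurveKind` and `EcKeyPair.random` is being called with enum values of that type, the whole body collapses to `EcKeyPair.random(scheme, rng)`, which cannot miss a variant and drops the mutable `keypair` local. The string overload keeps the pre-existing behaviour of silently generating a P-521 key for any unrecognised name; it is documented, but an error for unknown names would let a curve-negotiation mismatch surface rather than proceed on a curve the caller did not request.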