a refactor to the API

5 files changed, 35 insertions, 43 deletions

diff --git a/src/cryptography/hazmat/backends/interfaces.py b/src/cryptography/hazmat/backends/interfaces.py
index faa0b313..dbebc883 100644
--- a/src/cryptography/hazmat/backends/interfaces.py
+++ b/src/cryptography/hazmat/backends/interfaces.py
@@ -216,7 +216,7 @@ class EllipticCurveBackend(object):
         """
 
     @abc.abstractmethod
-    def elliptic_curve_exchange_algorithm_supported(self):
+    def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
         """
         Returns whether the exchange algorithm is supported by this backend.
         """
diff --git a/src/cryptography/hazmat/backends/multibackend.py b/src/cryptography/hazmat/backends/multibackend.py
index 77a45ccd..c4d2c133 100644
--- a/src/cryptography/hazmat/backends/multibackend.py
+++ b/src/cryptography/hazmat/backends/multibackend.py
@@ -271,9 +271,9 @@ class MultiBackend(object):
             _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
         )
 
-    def elliptic_curve_exchange_algorithm_supported(self):
+    def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
         return any(
-            b.elliptic_curve_exchange_algorithm_supported()
+            b.elliptic_curve_exchange_algorithm_supported(algorithm, curve)
             for b in self._filtered_backends(EllipticCurveBackend)
         )
 
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index d82f3834..f86c3aa1 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1671,25 +1671,12 @@ class Backend(object):
 
         return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
 
-    def elliptic_curve_exchange_algorithm_supported(self):
-        return (self._lib.Cryptography_HAS_EC == 1 and
-                self._lib.Cryptography_HAS_ECDH == 1)
-
-    def ecdh_compute_key(self, private_key, peer_public_key):
-        pri_key = private_key._ec_key
-        pub_key = peer_public_key._ec_key
-
-        group = self._lib.EC_KEY_get0_group(pri_key)
-        z_len = (self._lib.EC_GROUP_get_degree(group) + 7) // 8
-        self.openssl_assert(z_len > 0)
-        z_buf = self._ffi.new("uint8_t[]", z_len)
-        peer_key = self._lib.EC_KEY_get0_public_key(pub_key)
-
-        r = self._lib.ECDH_compute_key(z_buf, z_len,
-                                       peer_key, pri_key,
-                                       self._ffi.NULL)
-        self.openssl_assert(r > 0)
-        return self._ffi.buffer(z_buf)[:z_len]
+    def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
+        return (
+            self.elliptic_curve_supported(curve) and
+            self._lib.Cryptography_HAS_ECDH == 1 and
+            isinstance(algorithm, ec.ECDH)
+        )
 
     def _ec_cdata_to_evp_pkey(self, ec_cdata):
         evp_pkey = self._lib.EVP_PKEY_new()
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index 939a3f90..cfd559ae 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -171,6 +171,31 @@ class _EllipticCurvePrivateKey(object):
                 "Unsupported elliptic curve signature algorithm.",
                 _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
 
+    def exchange(self, algorithm, peer_public_key):
+        if not (
+            self._backend.elliptic_curve_exchange_algorithm_supported(
+                algorithm, self.curve
+            )
+        ):
+            raise UnsupportedAlgorithm(
+                "This backend does not support the ECDH algorithm.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        group = self._backend._lib.EC_KEY_get0_group(self._ec_key)
+        z_len = (self._backend._lib.EC_GROUP_get_degree(group) + 7) // 8
+        self._backend.openssl_assert(z_len > 0)
+        z_buf = self._backend._ffi.new("uint8_t[]", z_len)
+        peer_key = self._backend._lib.EC_KEY_get0_public_key(
+            peer_public_key._ec_key
+        )
+
+        r = self._backend._lib.ECDH_compute_key(
+            z_buf, z_len, peer_key, self._ec_key, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(r > 0)
+        return self._backend._ffi.buffer(z_buf)[:z_len]
+
     def public_key(self):
         group = self._backend._lib.EC_KEY_get0_group(self._ec_key)
         self._backend.openssl_assert(group != self._backend._ffi.NULL)
diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py
index 978a7c41..544894a9 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/ec.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py
@@ -306,24 +306,4 @@ class EllipticCurvePrivateNumbers(object):
 
 
 class ECDH(object):
-    def __init__(self, private_key):
-        if not isinstance(private_key, EllipticCurvePrivateKey):
-            raise TypeError("Private Key must be a EllipticCurvePrivateKey")
-        self._private_key = private_key
-        self._backend = private_key._backend
-        if not self._backend.elliptic_curve_exchange_algorithm_supported():
-            raise exceptions.UnsupportedAlgorithm(
-                "This backend does not support the ECDH algorithm.",
-                exceptions._Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
-            )
-
-    private_key = utils.read_only_property("_private_key")
-
-    def public_key(self):
-        return self._private_key.public_key()
-
-    def compute_key(self, peer_public_key):
-        if not isinstance(peer_public_key, EllipticCurvePublicKey):
-            raise TypeError("Peer Public Key must be a EllipticCurvePublicKey")
-        return self._backend.ecdh_compute_key(self._private_key,
-                                              peer_public_key)
+    pass