From 402aa0f94854bb00475c934be5ca6043a4632126 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 15 Nov 2013 08:59:45 +0100 Subject: gpg: Rework ECC support and add experimental support for Ed25519. * agent/findkey.c (key_parms_from_sexp): Add algo name "ecc". (agent_is_dsa_key): Ditto. (agent_is_eddsa_key): New. Not finished, though. * agent/pksign.c (do_encode_eddsa): New. (agent_pksign_do): Use gcry_log_debug functions. * agent/protect.c (agent_protect): Parse a flags parameter. * g10/keygen.c (gpg_curve_to_oid): Move to ... * common/openpgp-oid.c (openpgp_curve_to_oid): here and rename. (oid_ed25519): New. (openpgp_oid_is_ed25519): New. (openpgp_oid_to_curve): New. * common/t-openpgp-oid.c (test_openpgp_oid_is_ed25519): New. * g10/build-packet.c (gpg_mpi_write): Write the length header also for opaque MPIs. (gpg_mpi_write_nohdr): New. (do_key): Use gpg_mpi_write_nohdr depending on algorithm. (do_pubkey_enc): Ditto. * g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Use gpg_mpi_write_nohdr. * g10/export.c (transfer_format_to_openpgp): * g10/keygen.c (ecckey_from_sexp): Return the error. (gen_ecc): Repalce arg NBITS by CURVE. (read_parameter_file): Add keywords "Key-Curve" and "Subkey-Curve". (ask_curve): New. (generate_keypair, generate_subkeypair): Use ask_curve. (do_generate_keypair): Also pass curve name. * g10/keylist.c (list_keyblock_print, list_keyblock_colon): Print curve name. * g10/parse-packet.c (mpi_read): Remove workaround for Libcgrypt < 1.5. (parse_key): Fix ECC case. Print the curve name. * g10/pkglue.c (mpi_from_sexp): Rename to get_mpi_from_sexp. (pk_verify, pk_check_secret_key): Add special case for Ed25519. * g10/seskey.c (encode_md_value): Ditto. * g10/sign.c (do_sign, hash_for, sign_file): Ditto. -- Be warned that this code is subject to further changes and that the format will very likely change before a release. There are also known bugs and missing code. Signed-off-by: Werner Koch --- agent/agent.h | 1 + agent/findkey.c | 29 +++++++++++++++++++++++++++++ agent/pksign.c | 35 ++++++++++++++++++++++++++--------- agent/protect.c | 15 +++++++++++++++ 4 files changed, 71 insertions(+), 9 deletions(-) (limited to 'agent') diff --git a/agent/agent.h b/agent/agent.h index ae4e4686f..d40930018 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -324,6 +324,7 @@ gpg_error_t agent_public_key_from_file (ctrl_t ctrl, const unsigned char *grip, gcry_sexp_t *result); int agent_is_dsa_key (gcry_sexp_t s_key); +int agent_is_eddsa_key (gcry_sexp_t s_key); int agent_key_available (const unsigned char *grip); gpg_error_t agent_key_info_from_file (ctrl_t ctrl, const unsigned char *grip, int *r_keytype, diff --git a/agent/findkey.c b/agent/findkey.c index d11f0888a..aa2c6a2c1 100644 --- a/agent/findkey.c +++ b/agent/findkey.c @@ -729,6 +729,11 @@ key_parms_from_sexp (gcry_sexp_t s_key, gcry_sexp_t *r_list, algoname = "dsa"; elems = "pqgy"; } + else if (n==3 && !memcmp (name, "ecc", 3)) + { + algoname = "ecc"; + elems = "pabgnq"; + } else if (n==5 && !memcmp (name, "ecdsa", 5)) { algoname = "ecdsa"; @@ -788,6 +793,8 @@ agent_is_dsa_key (gcry_sexp_t s_key) if (!strcmp (algoname, "dsa")) return GCRY_PK_DSA; + else if (!strcmp (algoname, "ecc")) + return GCRY_PK_ECDSA; /* FIXME: Check for the EdDSA flag. */ else if (!strcmp (algoname, "ecdsa")) return GCRY_PK_ECDSA; else @@ -795,6 +802,28 @@ agent_is_dsa_key (gcry_sexp_t s_key) } +/* Return true if S_KEY is an EdDSA key as used with curve Ed25519. */ +int +agent_is_eddsa_key (gcry_sexp_t s_key) +{ + char algoname[6]; + + if (!s_key) + return 0; + + if (key_parms_from_sexp (s_key, NULL, algoname, sizeof algoname, NULL, 0)) + return 0; /* Error - assume it is not an DSA key. */ + + if (!strcmp (algoname, "dsa")) + return GCRY_PK_DSA; + else if (!strcmp (algoname, "ecc")) + return GCRY_PK_ECDSA; /* FIXME: Check for the EdDSA flag. */ + else if (!strcmp (algoname, "ecdsa")) + return GCRY_PK_ECDSA; + else + return 0; +} + /* Return the key for the keygrip GRIP. The result is stored at RESULT. This function extracts the key from the private key diff --git a/agent/pksign.c b/agent/pksign.c index 9c7341a7f..b2ee28f22 100644 --- a/agent/pksign.c +++ b/agent/pksign.c @@ -131,6 +131,24 @@ rfc6979_hash_algo_string (size_t mdlen) } +/* Encode a message digest for use with the EdDSA algorithm + (i.e. curve Ed25519). */ +static gpg_error_t +do_encode_eddsa (const byte *md, size_t mdlen, gcry_sexp_t *r_hash) +{ + gpg_error_t err; + gcry_sexp_t hash; + + *r_hash = NULL; + err = gcry_sexp_build (&hash, NULL, + "(data(flags eddsa)(hash-algo sha512)(value %b))", + (int)mdlen, md); + if (!err) + *r_hash = hash; + return err; +} + + /* Encode a message digest for use with an DSA algorithm. */ static gpg_error_t do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey, @@ -400,7 +418,11 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce, int dsaalgo; /* Put the hash into a sexp */ - if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1) + if (agent_is_eddsa_key (s_skey)) + rc = do_encode_eddsa (ctrl->digest.value, + ctrl->digest.valuelen, + &s_hash); + else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1) rc = do_encode_raw_pkcs1 (ctrl->digest.value, ctrl->digest.valuelen, gcry_pk_get_nbits (s_skey), @@ -421,10 +443,8 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce, if (DBG_CRYPTO) { - log_debug ("skey:\n"); - gcry_sexp_dump (s_skey); - log_debug ("hash:\n"); - gcry_sexp_dump (s_hash); + gcry_log_debugsxp ("skey", s_skey); + gcry_log_debugsxp ("hash", s_hash); } /* sign */ @@ -437,10 +457,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce, } if (DBG_CRYPTO) - { - log_debug ("result:\n"); - gcry_sexp_dump (s_sig); - } + gcry_log_debugsxp ("rslt", s_sig); } leave: diff --git a/agent/protect.c b/agent/protect.c index b29f494fb..749867cc1 100644 --- a/agent/protect.c +++ b/agent/protect.c @@ -467,6 +467,7 @@ agent_protect (const unsigned char *plainkey, const char *passphrase, int depth = 0; unsigned char *p; gcry_md_hd_t md; + int have_curve = 0; /* Create an S-expression with the protected-at timestamp. */ memcpy (timestamp_exp, "(12:protected-at15:", 19); @@ -499,6 +500,11 @@ agent_protect (const unsigned char *plainkey, const char *passphrase, if (!protect_info[infidx].algo) return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); + /* The parser below is a complete mess: To make it robust for ECC + use we should reorder the s-expression to include only what we + really need and thus guarantee the right order for saving stuff. + This should be done before calling this function and maybe with + the help of the new gcry_sexp_extract_param. */ parmlist = protect_info[infidx].parmlist; prot_from_idx = protect_info[infidx].prot_from; prot_to_idx = protect_info[infidx].prot_to; @@ -522,10 +528,19 @@ agent_protect (const unsigned char *plainkey, const char *passphrase, /* This is a private ECC key but the first parameter is the name of the curve. We change the parameter list here to the one we expect in this case. */ + have_curve = 1; parmlist = "?qd"; prot_from_idx = 2; prot_to_idx = 2; } + else if (n == 5 && !memcmp (s, "flags", 5) + && i == 1 && have_curve) + { + /* "curve" followed by "flags": Change again. */ + parmlist = "??qd"; + prot_from_idx = 3; + prot_to_idx = 3; + } else return gpg_error (GPG_ERR_INV_SEXP); } -- cgit v1.2.3