authorWerner Koch <wk@gnupg.org>2013-11-08 09:53:32 +0100
committerWerner Koch <wk@gnupg.org>2013-11-08 10:09:34 +0100
commited45fd2e60c88e2f005282e6eadd018b59dcf65b (patch)
treed24c1bf7868f985863db10df2beaeaaeec6ec700
parentbfe4f6523b80bae0040328ef324b9000ee5b38a4 (diff)
ecc: Make "noparam" the default and replace by "param".
* src/cipher.h (PUBKEY_FLAG_NOCOMP): New. (PUBKEY_FLAG_NOPARAM): Remove. (PUBKEY_FLAG_PARAM): New. * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Support the new flags and ignore the obsolete "noparam" flag. * cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return the curve name also for curves selected by NBITS. (_gcry_mpi_ec_new): Support the "param" flag. * cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Ditto. * tests/keygen.c (check_ecc_keys): Remove the "noparam" flag. -- This is an API change, but there are not many ECC users yet, and the "param" flag can easily be added by those who really need the parameters (e.g. if private keys have been stored without the curve name). Note that no version of Libgcrypt with support for "noparam" has been released, but for the sake of projects already working with the master version we don't bail out on "noparam". Signed-off-by: Werner Koch <wk@gnupg.org>
-rw-r--r--NEWS4
-rw-r--r--cipher/ecc-curves.c18
-rw-r--r--cipher/ecc.c44
-rw-r--r--cipher/pubkey-util.c11
-rw-r--r--doc/gcrypt.texi20
-rw-r--r--src/cipher.h7
-rw-r--r--tests/keygen.c6
7 files changed, 63 insertions, 47 deletions
diff --git a/NEWS b/NEWS
index 8010c373..d63ca96b 100644
--- a/NEWS
+++ b/NEWS
@@ -43,6 +43,9 @@ Noteworthy changes in version 1.6.0 (unreleased)
* The algorithm ids GCRY_PK_ECDSA and GCRY_PK_ECDH are now
deprecated. Use GCRY_PK_ECC if you need an algorithm id.
+ * Changed gcry_pk_genkey for "ecc" to only include the curve name and
+ not the parameters. The flag "param" may be used to revert this.
+
* Interface changes relative to the 1.5.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_ac_* REMOVED.
@@ -63,6 +66,7 @@ Noteworthy changes in version 1.6.0 (unreleased)
GCRYCTL_SET_IV REMOVED.
GCRYCTL_SET_CTR REMOVED.
GCRYCTL_DISABLE_ALGO CHANGED: Not anymore thread-safe.
+ gcry_pk_genkey CHANGED: ECC curve params not returned.
gcry_md_hash_buffers NEW.
gcry_buffer_t NEW.
GCRYCTL_SET_ENFORCED_FIPS_FLAG NEW.
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
index 1bd3679f..27d2d8ec 100644
--- a/cipher/ecc-curves.c
+++ b/cipher/ecc-curves.c
@@ -380,7 +380,10 @@ _gcry_ecc_fill_in_curve (unsigned int nbits, const char *name,
for (idx = 0; domain_parms[idx].desc; idx++)
if (nbits == domain_parms[idx].nbits
&& domain_parms[idx].model == MPI_EC_WEIERSTRASS)
- break;
+ {
+ resname = domain_parms[idx].desc;
+ break;
+ }
}
if (!domain_parms[idx].desc)
return GPG_ERR_UNKNOWN_CURVE;
@@ -671,7 +674,12 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
goto leave;
}
- if (!(flags & PUBKEY_FLAG_NOPARAM))
+ /* Check whether a curve name was given. */
+ l1 = gcry_sexp_find_token (keyparam, "curve", 5);
+
+ /* If we don't have a curve name or if override parameters have
+ explicitly been requested, parse them. */
+ if (!l1 || (flags & PUBKEY_FLAG_PARAM))
{
errc = mpi_from_keyparam (&p, keyparam, "p");
if (errc)
@@ -690,15 +698,13 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
goto leave;
}
}
+ else
+ l1 = NULL; /* No curvename. */
/* Check whether a curve parameter is available and use that to fill
in missing values. If no curve parameter is available try an
optional provided curvename. If only the curvename has been
given use that one. */
- if (keyparam)
- l1 = gcry_sexp_find_token (keyparam, "curve", 5);
- else
- l1 = NULL;
if (l1 || curvename)
{
char *name;
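Review bot: With `PUBKEY_FLAG_PARAM` set, the `if (!l1 || (flags & PUBKEY_FLAG_PARAM))` branch parses caller-supplied p/a/b/g/n even when a `curve` token was found, and nothing in the hunk checks that those values agree with the named curve; the later `if (l1 || curvename)` fill-in then only completes whatever the caller left out. That is the documented intent of "param", but it means the library's own domain parameters are no longer authoritative for such keys, which is exactly what the removed gcrypt.texi paragraph cautioned about. The same split appears in the `ecc_sign` and `ecc_verify` hunks of cipher/ecc.c, where the `-p?a?b?g?n?/q` extraction honours parameters from the key sexp; for `ecc_verify` that sexp is the public key, which may originate from a peer. A comment at the branch, e.g. `/* NOTE: "param" lets explicit p/a/b/g/n take precedence over the curve named by l1; they are not cross-checked against that curve here.  */`, would record the trade-off for the next reader. The rest of `_gcry_mpi_ec_new`, including the `if (keyparam)` block this `else` appears to pair with, lies outside the hunk.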
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 5578e052..f2a0e829 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -509,43 +509,43 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
goto leave;
}
- if ((flags & PUBKEY_FLAG_NOPARAM) || (flags & PUBKEY_FLAG_EDDSA))
+ if ((flags & PUBKEY_FLAG_PARAM) || (flags & PUBKEY_FLAG_EDDSA))
{
rc = gcry_sexp_build
(&curve_flags, NULL,
- ((flags & PUBKEY_FLAG_NOPARAM) && (flags & PUBKEY_FLAG_EDDSA))?
- "(flags noparam eddsa)" :
- ((flags & PUBKEY_FLAG_NOPARAM))?
- "(flags noparam)" :
+ ((flags & PUBKEY_FLAG_PARAM) && (flags & PUBKEY_FLAG_EDDSA))?
+ "(flags param eddsa)" :
+ ((flags & PUBKEY_FLAG_PARAM))?
+ "(flags param)" :
"(flags eddsa)");
if (rc)
goto leave;
}
- if ((flags & PUBKEY_FLAG_NOPARAM) && E.name)
+ if ((flags & PUBKEY_FLAG_PARAM) && E.name)
rc = gcry_sexp_build (r_skey, NULL,
"(key-data"
" (public-key"
- " (ecc%S%S(q%m)))"
+ " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)))"
" (private-key"
- " (ecc%S%S(q%m)(d%m)))"
+ " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)(d%m)))"
" )",
curve_info, curve_flags,
- public,
+ sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, public,
curve_info, curve_flags,
- public, secret);
+ sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, public, secret);
else
rc = gcry_sexp_build (r_skey, NULL,
"(key-data"
" (public-key"
- " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)))"
+ " (ecc%S%S(q%m)))"
" (private-key"
- " (ecc%S%S(p%m)(a%m)(b%m)(g%m)(n%m)(q%m)(d%m)))"
+ " (ecc%S%S(q%m)(d%m)))"
" )",
curve_info, curve_flags,
- sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, public,
+ public,
curve_info, curve_flags,
- sk.E.p, sk.E.a, sk.E.b, base, sk.E.n, public, secret);
+ public, secret);
if (rc)
goto leave;
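Review bot: The condition `if ((flags & PUBKEY_FLAG_PARAM) && E.name)` now selects the parameter-carrying key format, so a curve with `E.name == NULL` falls into the `else` branch and produces a key holding only `q`, i.e. neither a curve name nor domain parameters from which it could be reconstructed. The old test `(flags & PUBKEY_FLAG_NOPARAM) && E.name` dropped the parameters only when a name existed to stand in for them; the faithful inversion is `if ((flags & PUBKEY_FLAG_PARAM) || !E.name)`. This may be unreachable now that `_gcry_ecc_fill_in_curve` also sets the name for NBITS-selected curves, but the key format should not rely on that. `ecc_generate` starts before this hunk, so how `E.name` and `curve_info` are populated is not visible here.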
@@ -713,13 +713,13 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
/*
* Extract the key.
*/
- if ((ctx.flags & PUBKEY_FLAG_NOPARAM))
- rc = _gcry_sexp_extract_param (keyparms, NULL, "/q?+d",
- &mpi_q, &sk.d, NULL);
- else
+ if ((ctx.flags & PUBKEY_FLAG_PARAM))
rc = _gcry_sexp_extract_param (keyparms, NULL, "-p?a?b?g?n?/q?+d",
&sk.E.p, &sk.E.a, &sk.E.b, &mpi_g, &sk.E.n,
&mpi_q, &sk.d, NULL);
+ else
+ rc = _gcry_sexp_extract_param (keyparms, NULL, "/q?+d",
+ &mpi_q, &sk.d, NULL);
if (rc)
goto leave;
if (mpi_g)
@@ -878,13 +878,13 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms)
/*
* Extract the key.
*/
- if ((ctx.flags & PUBKEY_FLAG_NOPARAM))
- rc = _gcry_sexp_extract_param (s_keyparms, NULL, "/q",
- &mpi_q, NULL);
- else
+ if ((ctx.flags & PUBKEY_FLAG_PARAM))
rc = _gcry_sexp_extract_param (s_keyparms, NULL, "-p?a?b?g?n?/q",
&pk.E.p, &pk.E.a, &pk.E.b, &mpi_g, &pk.E.n,
&mpi_q, NULL);
+ else
+ rc = _gcry_sexp_extract_param (s_keyparms, NULL, "/q",
+ &mpi_q, NULL);
if (rc)
goto leave;
if (mpi_g)
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
index a591c0dd..3e0b5ef2 100644
--- a/cipher/pubkey-util.c
+++ b/cipher/pubkey-util.c
@@ -113,6 +113,15 @@ _gcry_pk_util_parse_flaglist (gcry_sexp_t list,
encoding = PUBKEY_ENC_PKCS1;
flags |= PUBKEY_FLAG_FIXEDLEN;
}
+ else if (!memcmp (s, "param", 5))
+ flags |= PUBKEY_FLAG_PARAM;
+ else if (!igninvflag)
+ rc = GPG_ERR_INV_FLAG;
+ break;
+
+ case 6:
+ if (!memcmp (s, "nocomp", 6))
+ flags |= PUBKEY_FLAG_NOCOMP;
else if (!igninvflag)
rc = GPG_ERR_INV_FLAG;
break;
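Review bot: `nocomp` is accepted by the new `case 6` and `PUBKEY_FLAG_NOCOMP` is defined in src/cipher.h, but no other hunk in this commit reads the flag and the doc/gcrypt.texi hunk documents only `param`, so as far as this diff shows a caller passing `nocomp` gets silent acceptance with no effect. Either add an `@item nocomp` entry next to the new `@item param` saying what it controls, or defer the parser case until the code that consumes the flag lands. The `noparam` case in the following hunk carries a one-line comment explaining why it is ignored; a similar comment here stating where `PUBKEY_FLAG_NOCOMP` is meant to be honoured would make the intent explicit. The enclosing `switch` in `_gcry_pk_util_parse_flaglist` begins before this hunk.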
@@ -121,7 +130,7 @@ _gcry_pk_util_parse_flaglist (gcry_sexp_t list,
if (!memcmp (s, "rfc6979", 7))
flags |= PUBKEY_FLAG_RFC6979;
else if (!memcmp (s, "noparam", 7))
- flags |= PUBKEY_FLAG_NOPARAM;
+ ; /* Ignore - it is the default. */
else if (!igninvflag)
rc = GPG_ERR_INV_FLAG;
break;
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 03ace833..dd65f9a3 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -2267,15 +2267,11 @@ order to prevent leaking of secret information. Blinding is only
implemented by RSA, but it might be implemented by other algorithms in
the future as well, when necessary.
-@item noparam
-@cindex noparam
-For ECC key generation do not return the domain parameters but only
-the name of the curve. For ECC signing and verification ignore any
-provided domain parameters of the public or private key and use only
-the curve name. It is more secure to rely on the curve name and thus
-use the curve parameters as known by Libgcrypt. This option should
-have been the default but for backward compatibility reasons this is
-not possible. It is best to always use this flag with ECC keys.
+@item param
+@cindex param
+For ECC key generation also return the domain parameters. For ECC
+signing and verification override default parameters by provided
+domain parameters of the public or private key.
@item transient-key
@cindex transient-key
@@ -2849,7 +2845,7 @@ is in general not recommended.
@example
(genkey
(ecc
- (flags noparam transient-key)))
+ (flags transient-key)))
@end example
@item transient-key
@@ -2894,12 +2890,12 @@ elliptic curve key generation:
(public-key
(ecc
(curve Ed25519)
- (flags noparam eddsa)
+ (flags eddsa)
(q @var{q-value})))
(private-key
(ecc
(curve Ed25519)
- (flags noparam eddsa)
+ (flags eddsa)
(q @var{q-value})
(d @var{d-value}))))
@end example
diff --git a/src/cipher.h b/src/cipher.h
index 5ac891e0..d939ade7 100644
--- a/src/cipher.h
+++ b/src/cipher.h
@@ -35,10 +35,11 @@
#define PUBKEY_FLAG_USE_X931 (1 << 6)
#define PUBKEY_FLAG_USE_FIPS186 (1 << 7)
#define PUBKEY_FLAG_USE_FIPS186_2 (1 << 8)
-#define PUBKEY_FLAG_NOPARAM (1 << 9)
+#define PUBKEY_FLAG_PARAM (1 << 9)
#define PUBKEY_FLAG_COMP (1 << 10)
-#define PUBKEY_FLAG_EDDSA (1 << 11)
-#define PUBKEY_FLAG_GOST (1 << 12)
+#define PUBKEY_FLAG_NOCOMP (1 << 11)
+#define PUBKEY_FLAG_EDDSA (1 << 12)
+#define PUBKEY_FLAG_GOST (1 << 13)
enum pk_operation
diff --git a/tests/keygen.c b/tests/keygen.c
index 58793930..4796b5cf 100644
--- a/tests/keygen.c
+++ b/tests/keygen.c
@@ -376,11 +376,11 @@ check_ecc_keys (void)
show ("creating ECC key using curve %s\n", curves[testno]);
if (!strcmp (curves[testno], "Ed25519"))
rc = gcry_sexp_build (&keyparm, NULL,
- "(genkey(ecc(curve %s)(flags noparam eddsa)))",
+ "(genkey(ecc(curve %s)(flags eddsa)))",
curves[testno]);
else
rc = gcry_sexp_build (&keyparm, NULL,
- "(genkey(ecc(curve %s)(flags noparam)))",
+ "(genkey(ecc(curve %s)(flags )))",
curves[testno]);
if (rc)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
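Review bot: The replacement format string `"(genkey(ecc(curve %s)(flags )))"` keeps an empty flag list with a stray space, while the second hunk of this file writes `"(genkey(ecc(curve Ed25519)(flags)))"`; the two spellings should agree. If the empty `(flags)` is kept on purpose to exercise the empty-list path of `_gcry_pk_util_parse_flaglist`, say so with a comment such as `/* Empty flag list on purpose: no flag is needed for the default now.  */`; otherwise drop the `(flags ...)` element entirely, since the commit's point is that the default needs no flag. `check_ecc_keys` continues outside the hunk.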
@@ -418,7 +418,7 @@ check_ecc_keys (void)
if (verbose)
show ("creating ECC key using curve Ed25519 for ECDSA\n");
rc = gcry_sexp_build (&keyparm, NULL,
- "(genkey(ecc(curve Ed25519)(flags noparam)))");
+ "(genkey(ecc(curve Ed25519)(flags)))");
if (rc)
die ("error creating S-expression: %s\n", gpg_strerror (rc));
rc = gcry_pk_genkey (&key, keyparm);