authorWerner Koch <wk@gnupg.org>2013-09-07 10:06:46 +0200
committerWerner Koch <wk@gnupg.org>2013-09-18 13:14:31 +0200
commit63cd3474425cb5a7ec4d1a56be15b248ecda4680 (patch)
tree0cac978b7b066736b04c1205149834bfea406063 /tests
parent89fe2173649a72019d75e059e6c6938efd10421f (diff)
ecc: Add Ed25519 key generation and prepare for optimizations.
* src/mpi.h (enum ecc_dialects): New. * src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT. * cipher/ecc-common.h (elliptic_curve_t): Ditto. * cipher/ecc-curves.c (ecc_domain_parms_t): Ditto. (domain_parms): Add dialect values. (_gcry_ecc_fill_in_curve): Set dialect. (_gcry_ecc_get_curve): Ditto. (_gcry_mpi_ec_new): Ditto. (_gcry_ecc_get_param): Use ECC_DIALECT_STANDARD for now. * cipher/ecc-misc.c (_gcry_ecc_curve_copy): Copy dialect. (_gcry_ecc_dialect2str): New. * mpi/ec.c (ec_p_init): Add arg DIALECT. (_gcry_mpi_ec_p_internal_new): Ditto. (_gcry_mpi_ec_p_new): Ditto. * mpi/mpiutil.c (gcry_mpi_set_opaque): Set the secure flag. (_gcry_mpi_set_opaque_copy): New. * cipher/ecc-misc.c (_gcry_ecc_os2ec): Take care of an opaque MPI. * cipher/ecc.c (eddsa_generate_key): New. (generate_key): Rename to nist_generate_key and factor some code out to ... (ecc_generate_ext): here. Divert to eddsa_generate_key if desired. (eddsa_decodepoint): Take care of an opaque MPI. (ecc_check_secret_key): Ditto. (ecc_sign): Ditto. * cipher/pubkey.c (sexp_elements_extract_ecc): Store public and secret key as opaque MPIs. (gcry_pk_genkey): Add the curve_name also to the private key part of the result. * tests/benchmark.c (ecc_bench): Support Ed25519. (main): Add option --debug. * tests/curves.c (sample_key_2): Make sure that P and N are positive. * tests/keygen.c (show): New. (check_ecc_keys): Support Ed25519. -- There are two main purposes of this patch: Add a key generation feature for Ed25519 and add the "dialect" thingy which will eventually be used to add curve specific optimization. Note that the entire way of how we interface between the public key modules and pubkey.c is overly complex and probably also the cause for a lot of performance overhead. Given that we don't have the loadable module system anymore, we should entirely get rid of the MPI-array based internal interface and move parts of the s-expression handling direct into the pubkey modules. 
This needs to be fixed or we are turning Libgcrypt into another software incarnation of Heathrow Airport. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/benchmark.c49
-rw-r--r--tests/curves.c4
-rw-r--r--tests/keygen.c23
3 files changed, 62 insertions, 14 deletions
diff --git a/tests/benchmark.c b/tests/benchmark.c
index ea472a17..1fa2676e 100644
--- a/tests/benchmark.c
+++ b/tests/benchmark.c
@@ -883,7 +883,7 @@ ecc_bench (int iterations, int print_header)
{
#if USE_ECC
gpg_error_t err;
- int p_sizes[] = { 192, 224, 256, 384, 521 };
+ const char *p_sizes[] = { "192", "224", "256", "384", "521", "Ed25519" };
int testno;
if (print_header)
@@ -897,12 +897,29 @@ ecc_bench (int iterations, int print_header)
gcry_sexp_t data;
gcry_sexp_t sig = NULL;
int count;
+ int p_size;
+ int is_ed25519;
- printf ("ECDSA %3d bit ", p_sizes[testno]);
+ is_ed25519 = !strcmp (p_sizes[testno], "Ed25519");
+ if (is_ed25519)
+ {
+ p_size = 256;
+ printf ("EdDSA Ed25519 ");
+ fflush (stdout);
+ }
+ else
+ {
+ p_size = atoi (p_sizes[testno]);
+ printf ("ECDSA %3d bit ", p_size);
+ }
fflush (stdout);
- err = gcry_sexp_build (&key_spec, NULL,
- "(genkey (ECDSA (nbits %d)))", p_sizes[testno]);
+ if (is_ed25519)
+ err = gcry_sexp_build (&key_spec, NULL,
+ "(genkey (ecdsa (curve \"Ed25519\")))");
+ else
+ err = gcry_sexp_build (&key_spec, NULL,
+ "(genkey (ECDSA (nbits %d)))", p_size);
if (err)
die ("creating S-expression failed: %s\n", gcry_strerror (err));
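Review bot: The `fflush (stdout);` inside the Ed25519 branch is redundant, because the unconditional `fflush (stdout);` after the if/else already runs on both paths; drop the inner call. Separately, `atoi` reports no conversion error, so a table entry that is neither a number nor "Ed25519" would silently turn into `(nbits 0)`. A small table of structs holding the label and the bit size would avoid parsing strings at all. ecc_bench starts and ends outside this hunk.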
@@ -910,7 +927,7 @@ ecc_bench (int iterations, int print_header)
err = gcry_pk_genkey (&key_pair, key_spec);
if (err)
die ("creating %d bit ECC key failed: %s\n",
- p_sizes[testno], gcry_strerror (err));
+ p_size, gcry_strerror (err));
pub_key = gcry_sexp_find_token (key_pair, "public-key", 0);
if (! pub_key)
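Review bot: The failure message `die ("creating %d bit ECC key failed: %s\n", p_size, ...)` reports an Ed25519 failure as a 256 bit ECC key, because the earlier hunk forces p_size to 256 for that entry. A failed Ed25519 generation then cannot be told apart from a failed 256 bit ECDSA run in the output. Print the table entry instead: `die ("creating %s ECC key failed: %s\n", p_sizes[testno], gcry_strerror (err));`. The enclosing loop body continues outside this hunk.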
@@ -925,10 +942,16 @@ ecc_bench (int iterations, int print_header)
printf (" %s", elapsed_time ());
fflush (stdout);
- x = gcry_mpi_new (p_sizes[testno]);
- gcry_mpi_randomize (x, p_sizes[testno], GCRY_WEAK_RANDOM);
- err = gcry_sexp_build (&data, NULL, "(data (flags raw) (value %m))", x);
+ x = gcry_mpi_new (p_size);
+ gcry_mpi_randomize (x, p_size, GCRY_WEAK_RANDOM);
+ if (is_ed25519)
+ err = gcry_sexp_build (&data, NULL,
+ "(data (flags eddsa)(hash-algo sha512)"
+ " (value %m))", x);
+ else
+ err = gcry_sexp_build (&data, NULL, "(data (flags raw) (value %m))", x);
gcry_mpi_release (x);
+
if (err)
die ("converting data failed: %s\n", gcry_strerror (err));
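Review bot: The `GCRY_WEAK_RANDOM` in `gcry_mpi_randomize (x, p_size, GCRY_WEAK_RANDOM);` deserves a comment now that X also feeds the EdDSA path, so the pattern is not copied into code that produces secrets: `/* Weak random is sufficient: X is only the message to be signed, not key material. */`. In addition, `%m` presumably serialises X as a signed MPI, so the byte length of the EdDSA input may differ between runs depending on the top bits. That is likely harmless for timing, but worth a word in the same comment. The enclosing function continues outside this hunk.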
@@ -1041,6 +1064,7 @@ main( int argc, char **argv )
int no_blinding = 0;
int use_random_daemon = 0;
int with_progress = 0;
+ int debug = 0;
buffer_alignment = 1;
@@ -1067,6 +1091,12 @@ main( int argc, char **argv )
verbose++;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--debug"))
+ {
+ verbose += 2;
+ debug++;
+ argc--; argv++;
+ }
else if (!strcmp (*argv, "--use-random-daemon"))
{
use_random_daemon = 1;
@@ -1167,6 +1197,9 @@ main( int argc, char **argv )
exit (1);
}
+ if (debug)
+ gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
+
if (gcry_fips_mode_active ())
in_fips_mode = 1;
else
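Review bot: The literal `1u` in `gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);` is unexplained and the return value is dropped, so a reader cannot tell which debug class `--debug` enables or whether the call took effect. Add a comment naming the class that bit selects (its definition is not visible here) and test the returned error code before continuing. Since library debug output may include internal values of the operations being timed, the comment should also say the option is meant for test runs only. main's body continues outside this hunk.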
diff --git a/tests/curves.c b/tests/curves.c
index af2b3682..2c3ae53b 100644
--- a/tests/curves.c
+++ b/tests/curves.c
@@ -51,12 +51,12 @@ static unsigned int sample_key_1_nbits = 256;
static char const sample_key_2[] =
"(public-key\n"
" (ecdh\n"
-" (p #e95e4a5f737059dc60dfc7ad95b3d8139515620f#)\n"
+" (p #00e95e4a5f737059dc60dfc7ad95b3d8139515620f#)\n"
" (a #340e7be2a280eb74e2be61bada745d97e8f7c300#)\n"
" (b #1e589a8595423412134faa2dbdec95c8d8675e58#)\n"
" (g #04bed5af16ea3f6a4f62938c4631eb5af7bdbcdbc3"
"1667cb477a1a8ec338f94741669c976316da6321#)\n"
-" (n #e95e4a5f737059dc60df5991d45029409e60fc09#)\n"
+" (n #00e95e4a5f737059dc60df5991d45029409e60fc09#)\n"
" (q #041111111111111111111111111111111111111111"
"2222222222222222222222222222222222222222#)\n"
" ))";
diff --git a/tests/keygen.c b/tests/keygen.c
index 1d1b43ea..eed62e1b 100644
--- a/tests/keygen.c
+++ b/tests/keygen.c
@@ -34,6 +34,16 @@ static int debug;
static int error_count;
static void
+show ( const char *format, ... )
+{
+ va_list arg_ptr ;
+
+ va_start( arg_ptr, format ) ;
+ vfprintf (stderr, format, arg_ptr );
+ va_end(arg_ptr);
+}
+
+static void
fail ( const char *format, ... )
{
va_list arg_ptr ;
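Review bot: `show` passes its `format` argument straight to `vfprintf` without a format attribute, so the compiler cannot check call sites for mismatched or missing arguments. A prototype such as `static void show (const char *format, ...) __attribute__ ((format (printf, 1, 2)));`, guarded for GCC-compatible compilers or expressed through a project macro if one exists (not visible here), would catch that at build time. The same applies to `fail`, whose body continues outside this hunk. A one-line comment stating that `show` only prints an informational note to stderr and leaves `error_count` untouched would also help.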
@@ -266,7 +276,8 @@ check_generated_ecc_key (gcry_sexp_t key)
static void
check_ecc_keys (void)
{
- const char *curves[] = { "NIST P-521", "NIST P-384", "NIST P-256", NULL };
+ const char *curves[] = { "NIST P-521", "NIST P-384", "NIST P-256",
+ "Ed25519", NULL };
int testno;
gcry_sexp_t keyparm, key;
int rc;
@@ -285,7 +296,11 @@ check_ecc_keys (void)
die ("error generating ECC key using curve %s: %s\n",
curves[testno], gpg_strerror (rc));
- check_generated_ecc_key (key);
+ if (!strcmp (curves[testno], "Ed25519"))
+ show ("Note: gcry_pk_testkey does not yet work for Ed25519\n");
+ else
+ check_generated_ecc_key (key);
+
gcry_sexp_release (key);
}
}
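Review bot: For Ed25519 the generated key is released without any check, so this test passes even if `gcry_pk_genkey` returned a malformed key S-expression for that curve; only a note goes to stderr and nothing is counted. Until gcry_pk_testkey supports the curve, a structural check is still possible, for instance confirming that `gcry_sexp_find_token (key, "private-key", 0)` and the matching public-key lookup return non-NULL, and calling `fail` otherwise. What check_generated_ecc_key itself verifies is not visible in this hunk. At minimum mark the skip with `/* FIXME: Run check_generated_ecc_key once gcry_pk_testkey supports Ed25519. */` so it is not forgotten.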
@@ -306,13 +321,13 @@ check_nonce (void)
{
gcry_create_nonce (b, sizeof b);
if (!memcmp (a, b, sizeof a))
- die ("identical nounce found\n");
+ die ("identical nonce found\n");
}
for (i=0; i < 10; i++)
{
gcry_create_nonce (a, sizeof a);
if (!memcmp (a, b, sizeof a))
- die ("identical nounce found\n");
+ die ("identical nonce found\n");
}
again: