agent:kem: Support other ECC curves.

* agent/pkdecrypt.c (ecc_table): New.
(get_ecc_params): New.
(composite_pgp_kem_decrypt): Support other curves.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/pkdecrypt.c

@@ -173,6 +173,64 @@ reverse_buffer (unsigned char *buffer, unsigned int length)
     }
 }
 
+struct ecc_params
+{
+  int name_len;
+  const char *curve;
+  size_t pubkey_len;            /* Pubkey in the SEXP representation.   */
+  size_t scalar_len;
+  size_t point_len;
+  size_t shared_len;
+  int hash_algo;
+  int algo;
+  int scalar_reverse;
+};
+
+static const struct ecc_params ecc_table[] =
+  {
+    {
+      10, "Curve25519",
+      33, 32, 32, 32,
+      GCRY_MD_SHA3_256, GCRY_KEM_RAW_X25519,
+      1
+    },
+    {
+      4, "X448",
+      56, 56, 56, 64,
+      GCRY_MD_SHA3_512, GCRY_KEM_RAW_X448,
+      0
+    },
+    {
+      15, "brainpoolP256r1",
+      65, 32, 65, 32,
+      GCRY_MD_SHA3_256, GCRY_KEM_RAW_BP256,
+      0
+    },
+    {
+      15, "brainpoolP384r1",
+      97, 48, 97, 64,
+      GCRY_MD_SHA3_512, GCRY_KEM_RAW_BP384,
+      0
+    },
+    { 0, NULL, 0, 0, 0, 0, 0, 0, 0 }
+};
+
+static const struct ecc_params *
+get_ecc_params (const char *curve, size_t curve_len)
+{
+  int i, name_len;
+
+  for (i = 0; (name_len = ecc_table[i].name_len); i++)
+    if (name_len == curve_len && !memcmp (ecc_table[i].curve, curve, name_len))
+      return &ecc_table[i];
+
+  return NULL;
+}
+
+#define ECC_SCALAR_LEN_MAX 64
+#define ECC_POINT_LEN_MAX (1+2*64)
+#define ECC_HASH_LEN_MAX 64
+
 /* For composite PGP KEM (ECC+ML-KEM), decrypt CIPHERTEXT using KEM API.
    First keygrip is for ECC, second keygrip is for PQC.  CIPHERTEXT
    should follow the format of:
@@ -195,6 +253,7 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
   gcry_sexp_t s_skey1 = NULL;
   unsigned char *shadow_info = NULL;
   gpg_error_t err = 0;
+  const struct ecc_params *ecc;
 
   unsigned int nbits;
   const unsigned char *p;
@@ -206,14 +265,13 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
   size_t encrypted_sessionkey_len;
 
   gcry_mpi_t ecc_sk_mpi = NULL;
-  unsigned char ecc_sk[32];
+  unsigned char ecc_sk[ECC_SCALAR_LEN_MAX];
   gcry_mpi_t ecc_pk_mpi = NULL;
-  unsigned char ecc_pk[32];
+  unsigned char ecc_pk[ECC_POINT_LEN_MAX];
   gcry_mpi_t ecc_ct_mpi = NULL;
   const unsigned char *ecc_ct;
-  size_t ecc_ct_len;
-  unsigned char ecc_ecdh[32];
-  unsigned char ecc_ss[32];
+  unsigned char ecc_ecdh[ECC_POINT_LEN_MAX];
+  unsigned char ecc_ss[ECC_HASH_LEN_MAX];
 
   gcry_mpi_t mlkem_sk_mpi = NULL;
   gcry_mpi_t mlkem_ct_mpi = NULL;
@@ -275,7 +333,7 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
       goto leave;
     }
 
-  /* Fistly, ECC part.  FIXME: For now, we assume X25519.  */
+  /* Firstly, ECC part.  */
   curve = gcry_sexp_find_token (s_skey0, "curve", 0);
   if (!curve)
     {
@@ -286,7 +344,8 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
     }
 
   curve_name = gcry_sexp_nth_data (curve, 1, &len);
-  if (len != 10 || memcmp (curve_name, "Curve25519", len))
+  ecc = get_ecc_params (curve_name, len);
+  if (!ecc)
     {
       if (opt.verbose)
         log_info ("%s: curve '%s' not supported\n", __func__, curve_name);
@@ -305,45 +364,63 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
 
   p = gcry_mpi_get_opaque (ecc_pk_mpi, &nbits);
   len = (nbits+7)/8;
-  if (len != 33)
+  if (len != ecc->pubkey_len)
     {
       if (opt.verbose)
         log_info ("%s: ECC public key length invalid (%zu)\n", __func__, len);
       err = gpg_error (GPG_ERR_INV_DATA);
       goto leave;
     }
-  memcpy (ecc_pk, p+1, 32);     /* Remove the 0x40 prefix */
+  else if (len == ecc->point_len)
+    memcpy (ecc_pk, p, ecc->point_len);
+  else if (len == ecc->point_len + 1 && p[0] == 0x40)
+    /* Remove the 0x40 prefix (for Curve25519) */
+    memcpy (ecc_pk, p+1, ecc->point_len);
+  else
+    {
+      err = gpg_error (GPG_ERR_BAD_SECKEY);
+      goto leave;
+    }
+
   mpi_release (ecc_pk_mpi);
+  ecc_pk_mpi = NULL;
 
   p = gcry_mpi_get_opaque (ecc_sk_mpi, &nbits);
   len = (nbits+7)/8;
-  if (len > 32)
+  if (len > ecc->scalar_len)
     {
       if (opt.verbose)
         log_info ("%s: ECC secret key too long (%zu)\n", __func__, len);
       err = gpg_error (GPG_ERR_INV_DATA);
       goto leave;
     }
-  memset (ecc_sk, 0, 32);
-  memcpy (ecc_sk + 32 - len, p, len);
-  reverse_buffer (ecc_sk, 32);
+  memset (ecc_sk, 0, ecc->scalar_len - len);
+  memcpy (ecc_sk + ecc->scalar_len - len, p, len);
+  if (ecc->scalar_reverse)
+    reverse_buffer (ecc_sk, ecc->scalar_len);
   mpi_release (ecc_sk_mpi);
-  ecc_pk_mpi = NULL;
   ecc_sk_mpi = NULL;
 
   ecc_ct = gcry_mpi_get_opaque (ecc_ct_mpi, &nbits);
-  ecc_ct_len = (nbits+7)/8;
-  if (ecc_ct_len != 32)
+  if (ecc->point_len != (nbits+7)/8)
     {
       if (opt.verbose)
         log_info ("%s: ECC cipher text length invalid (%zu)\n",
-                   __func__, ecc_ct_len);
+                  __func__, ecc->point_len);
       err = gpg_error (GPG_ERR_INV_DATA);
       goto leave;
     }
 
-  err = gcry_kem_decap (GCRY_KEM_RAW_X25519, ecc_sk, 32, ecc_ct, ecc_ct_len,
-                        ecc_ecdh, 32, NULL, 0);
+  if (DBG_CRYPTO)
+    {
+      log_debug ("ECC    curve: %s\n", curve_name);
+      log_printhex (ecc_pk, ecc->pubkey_len, "ECC   pubkey:");
+      log_printhex (ecc_sk, ecc->scalar_len, "ECC   seckey:");
+      log_printhex (ecc_ct, ecc->point_len, "ECC    ephem:");
+    }
+
+  err = gcry_kem_decap (ecc->algo, ecc_sk, ecc->scalar_len,
+                        ecc_ct, ecc->point_len, ecc_ecdh, ecc->point_len, NULL, 0);
   if (err)
     {
       if (opt.verbose)
@@ -351,8 +428,12 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
       goto leave;
     }
 
-  err = gnupg_ecc_kem_kdf (ecc_ss, 32, GCRY_MD_SHA3_256,
-                           ecc_ecdh, 32, ecc_ct, 32, ecc_pk, 32);
+  if (DBG_CRYPTO)
+    log_printhex (ecc_ecdh, ecc->point_len, "ECC     ecdh:");
+
+  err = gnupg_ecc_kem_kdf (ecc_ss, ecc->shared_len, ecc->hash_algo,
+                           ecc_ecdh, ecc->scalar_len, ecc_ct, ecc->point_len,
+                           ecc_pk, ecc->point_len);
   if (err)
     {
       if (opt.verbose)
@@ -360,6 +441,9 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
       goto leave;
     }
 
+  if (DBG_CRYPTO)
+    log_printhex (ecc_ss, ecc->shared_len, "ECC   shared:");
+
   /* Secondly, PQC part.  For now, we assume ML-KEM.  */
   err = gcry_sexp_extract_param (s_skey1, NULL, "/s", &mlkem_sk_mpi, NULL);
   if (err)