From 1d9e125fd4925cec96094fb75dd4e23a0752441a Mon Sep 17 00:00:00 2001
From: Andrew Kozlik
Date: Fri, 7 Jun 2019 12:16:24 +0200
Subject: [PATCH] crypto/rfc6979: Use the new HMAC DRBG implementation in rfc6979.c.

Remove code duplication between rfc6979.c and ecdsa.c.
---
 core/SConscript.firmware | 2 ++
 core/SConscript.unix | 2 ++
 crypto/Makefile | 1 +
 crypto/ecdsa.c | 49 ----------------------------------------
 crypto/gui/gui.pro | 2 ++
 crypto/rfc6979.c | 37 +++---------------------------
 crypto/rfc6979.h | 5 ++--
 7 files changed, 12 insertions(+), 86 deletions(-)

diff --git a/core/SConscript.firmware b/core/SConscript.firmware
index d404796543..d36585a890 100644
--- a/core/SConscript.firmware
+++ b/core/SConscript.firmware
@@ -76,12 +76,14 @@ SOURCE_MOD += [
 'vendor/trezor-crypto/groestl.c',
 'vendor/trezor-crypto/hasher.c',
 'vendor/trezor-crypto/hmac.c',
+ 'vendor/trezor-crypto/hmac_drbg.c',
 'vendor/trezor-crypto/memzero.c',
 'vendor/trezor-crypto/nem.c',
 'vendor/trezor-crypto/nist256p1.c',
 'vendor/trezor-crypto/pbkdf2.c',
 'vendor/trezor-crypto/rand.c',
 'vendor/trezor-crypto/ripemd160.c',
+ 'vendor/trezor-crypto/rfc6979.c',
 'vendor/trezor-crypto/secp256k1.c',
 'vendor/trezor-crypto/sha2.c',
 'vendor/trezor-crypto/sha3.c',
diff --git a/core/SConscript.unix b/core/SConscript.unix
index c62387a356..624682f644 100644
--- a/core/SConscript.unix
+++ b/core/SConscript.unix
@@ -74,12 +74,14 @@ SOURCE_MOD += [
 'vendor/trezor-crypto/groestl.c',
 'vendor/trezor-crypto/hasher.c',
 'vendor/trezor-crypto/hmac.c',
+ 'vendor/trezor-crypto/hmac_drbg.c',
 'vendor/trezor-crypto/memzero.c',
 'vendor/trezor-crypto/nem.c',
 'vendor/trezor-crypto/nist256p1.c',
 'vendor/trezor-crypto/pbkdf2.c',
 'vendor/trezor-crypto/rand.c',
 'vendor/trezor-crypto/ripemd160.c',
+ 'vendor/trezor-crypto/rfc6979.c',
 'vendor/trezor-crypto/secp256k1.c',
 'vendor/trezor-crypto/sha2.c',
 'vendor/trezor-crypto/sha3.c',
diff --git a/crypto/Makefile b/crypto/Makefile
index f51de750ef..7b018482d2 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -65,6 +65,7 @@ SRCS += segwit_addr.c cash_addr.c
 SRCS += memzero.c
 SRCS += shamir.c
 SRCS += hmac_drbg.c
+SRCS += rfc6979.c

 OBJS = $(SRCS:.c=.o)

diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
index 124a79e742..2cd02fa3e3 100644
--- a/crypto/ecdsa.c
+++ b/crypto/ecdsa.c
@@ -654,55 +654,6 @@ int ecdh_multiply(const ecdsa_curve *curve, const uint8_t *priv_key,
 return 0;
 }

-void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
- rfc6979_state *state) {
- uint8_t bx[2 * 32];
- uint8_t buf[32 + 1 + 2 * 32];
-
- memcpy(bx, priv_key, 32);
- memcpy(bx + 32, hash, 32);
-
- memset(state->v, 1, sizeof(state->v));
- memset(state->k, 0, sizeof(state->k));
-
- memcpy(buf, state->v, sizeof(state->v));
- buf[sizeof(state->v)] = 0x00;
- memcpy(buf + sizeof(state->v) + 1, bx, 64);
- hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
- memcpy(buf, state->v, sizeof(state->v));
- buf[sizeof(state->v)] = 0x01;
- memcpy(buf + sizeof(state->v) + 1, bx, 64);
- hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
- memzero(bx, sizeof(bx));
- memzero(buf, sizeof(buf));
-}
-
-// generate next number from deterministic random number generator
-void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) {
- uint8_t buf[32 + 1];
-
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
- memcpy(buf, state->v, sizeof(state->v));
- buf[sizeof(state->v)] = 0x00;
- hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
- memcpy(rnd, buf, 32);
- memzero(buf, sizeof(buf));
-}
-
-// generate K in a deterministic way, according to RFC6979
-// http://tools.ietf.org/html/rfc6979
-void generate_k_rfc6979(bignum256 *k, rfc6979_state *state) {
- uint8_t buf[32];
- generate_rfc6979(buf, state);
- bn_read_be(buf, k);
- memzero(buf, sizeof(buf));
-}
-
 // msg is a data to be signed
 // msg_len is the message length
 int ecdsa_sign(const ecdsa_curve *curve, HasherType hasher_sign,
diff --git a/crypto/gui/gui.pro b/crypto/gui/gui.pro
index 0197efe1e4..e4623bc4fa 100644
--- a/crypto/gui/gui.pro
+++ b/crypto/gui/gui.pro
@@ -13,6 +13,8 @@ SOURCES += ../hmac.c
 SOURCES += ../rand.c
 SOURCES += ../bignum.c
 SOURCES += ../ecdsa.c
+SOURCES += ../rfc6979.c
+SOURCES += ../hmac_drbg.c
 SOURCES += ../ripemd160.c
 SOURCES += ../base58.c
 SOURCES += ../secp256k1.c
diff --git a/crypto/rfc6979.c b/crypto/rfc6979.c
index 8f5f1c9131..5fe13d47d7 100644
--- a/crypto/rfc6979.c
+++ b/crypto/rfc6979.c
@@ -23,48 +23,17 @@
 */

 #include "rfc6979.h"
-#include
-#include "hmac.h"
+#include "hmac_drbg.h"
 #include "memzero.h"

 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
 rfc6979_state *state) {
- uint8_t bx[2 * 32];
- uint8_t buf[32 + 1 + 2 * 32];
-
- memcpy(bx, priv_key, 32);
- memcpy(bx + 32, hash, 32);
-
- memset(state->v, 1, sizeof(state->v));
- memset(state->k, 0, sizeof(state->k));
-
- memcpy(buf, state->v, sizeof(state->v));
- buf[sizeof(state->v)] = 0x00;
- memcpy(buf + sizeof(state->v) + 1, bx, 64);
- hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
- memcpy(buf, state->v, sizeof(state->v));
- buf[sizeof(state->v)] = 0x01;
- memcpy(buf + sizeof(state->v) + 1, bx, 64);
- hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
- memzero(bx, sizeof(bx));
- memzero(buf, sizeof(buf));
+ hmac_drbg_init(state, priv_key, 32, hash, 32);
 }

 // generate next number from deterministic random number generator
 void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) {
- uint8_t buf[32 + 1];
-
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
- memcpy(buf, state->v, sizeof(state->v));
- buf[sizeof(state->v)] = 0x00;
- hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
- hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
- memcpy(rnd, buf, 32);
- memzero(buf, sizeof(buf));
+ hmac_drbg_generate(state, rnd, 32);
 }

 // generate K in a deterministic way, according to RFC6979
diff --git a/crypto/rfc6979.h b/crypto/rfc6979.h
index 30ef0f17ac..3e40953509 100644
--- a/crypto/rfc6979.h
+++ b/crypto/rfc6979.h
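Review bot: init_rfc6979 reproduces the removed RFC 6979 section 3.2 derivation only if hmac_drbg_init feeds `priv_key || hash` into the K/V update as one unbroken 64-byte seed, starting from V = 0x01..01 and K = 0x00..00 exactly as the deleted lines did; that contract presumably lives in hmac_drbg.c, is not visible in this hunk, and the wrapper no longer states it anywhere. A comment above the call would pin the dependency: `// RFC 6979 3.2: seed = int2octets(x) || bits2octets(h1), passed as entropy || nonce with no length prefix or separator`. The same applies to generate_rfc6979, whose single 32-byte request must map to exactly one V = HMAC(K, V) output step followed by the K/V update, which is what the removed body performed. Both lengths remain hard-coded at 32, so the functions are still only valid for 256-bit curve orders, and the existing deterministic-signature test vectors should be run against this path before merge, since any divergence would silently change every signature nonce.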
@@ -27,11 +27,10 @@

 #include
 #include "bignum.h"
+#include "hmac_drbg.h"

 // rfc6979 pseudo random number generator state
-typedef struct {
- uint8_t v[32], k[32];
-} rfc6979_state;
+typedef HMAC_DRBG_CTX rfc6979_state;

 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
 rfc6979_state *rng);
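Review bot: `typedef HMAC_DRBG_CTX rfc6979_state;` makes the DRBG context the public state type, so the comment above it should say that the state is now opaque and that its size and layout follow HMAC_DRBG_CTX rather than the former pair of 32-byte arrays; any caller that read `state->v` or `state->k` directly will no longer compile, and the stack footprint of signers that hold an rfc6979_state changes with it (neither is visible in this hunk, so worth checking in ecdsa_sign). Suggested wording: `// rfc6979 pseudo random number generator state: an HMAC_DRBG (SP 800-90A) context seeded per RFC 6979; treat as opaque and memzero it once signing is done, since K and V are derived from the private key.`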