crypto/rfc6979: Use the new HMAC DRBG implementation in rfc6979.c. Remove code duplication between rfc6979.c and ecdsa.c.

core/SConscript.firmware

@@ -76,12 +76,14 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/groestl.c',
     'vendor/trezor-crypto/hasher.c',
     'vendor/trezor-crypto/hmac.c',
+    'vendor/trezor-crypto/hmac_drbg.c',
     'vendor/trezor-crypto/memzero.c',
     'vendor/trezor-crypto/nem.c',
     'vendor/trezor-crypto/nist256p1.c',
     'vendor/trezor-crypto/pbkdf2.c',
     'vendor/trezor-crypto/rand.c',
     'vendor/trezor-crypto/ripemd160.c',
+    'vendor/trezor-crypto/rfc6979.c',
     'vendor/trezor-crypto/secp256k1.c',
     'vendor/trezor-crypto/sha2.c',
     'vendor/trezor-crypto/sha3.c',

core/SConscript.unix

@@ -74,12 +74,14 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/groestl.c',
     'vendor/trezor-crypto/hasher.c',
     'vendor/trezor-crypto/hmac.c',
+    'vendor/trezor-crypto/hmac_drbg.c',
     'vendor/trezor-crypto/memzero.c',
     'vendor/trezor-crypto/nem.c',
     'vendor/trezor-crypto/nist256p1.c',
     'vendor/trezor-crypto/pbkdf2.c',
     'vendor/trezor-crypto/rand.c',
     'vendor/trezor-crypto/ripemd160.c',
+    'vendor/trezor-crypto/rfc6979.c',
     'vendor/trezor-crypto/secp256k1.c',
     'vendor/trezor-crypto/sha2.c',
     'vendor/trezor-crypto/sha3.c',

crypto/Makefile

@@ -65,6 +65,7 @@ SRCS  += segwit_addr.c cash_addr.c
 SRCS  += memzero.c
 SRCS  += shamir.c
 SRCS  += hmac_drbg.c
+SRCS  += rfc6979.c
 
 OBJS   = $(SRCS:.c=.o)
 

crypto/ecdsa.c

@@ -654,55 +654,6 @@ int ecdh_multiply(const ecdsa_curve *curve, const uint8_t *priv_key,
   return 0;
 }
 
-void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
-                  rfc6979_state *state) {
-  uint8_t bx[2 * 32];
-  uint8_t buf[32 + 1 + 2 * 32];
-
-  memcpy(bx, priv_key, 32);
-  memcpy(bx + 32, hash, 32);
-
-  memset(state->v, 1, sizeof(state->v));
-  memset(state->k, 0, sizeof(state->k));
-
-  memcpy(buf, state->v, sizeof(state->v));
-  buf[sizeof(state->v)] = 0x00;
-  memcpy(buf + sizeof(state->v) + 1, bx, 64);
-  hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
-  memcpy(buf, state->v, sizeof(state->v));
-  buf[sizeof(state->v)] = 0x01;
-  memcpy(buf + sizeof(state->v) + 1, bx, 64);
-  hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
-  memzero(bx, sizeof(bx));
-  memzero(buf, sizeof(buf));
-}
-
-// generate next number from deterministic random number generator
-void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) {
-  uint8_t buf[32 + 1];
-
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-  memcpy(buf, state->v, sizeof(state->v));
-  buf[sizeof(state->v)] = 0x00;
-  hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-  memcpy(rnd, buf, 32);
-  memzero(buf, sizeof(buf));
-}
-
-// generate K in a deterministic way, according to RFC6979
-// http://tools.ietf.org/html/rfc6979
-void generate_k_rfc6979(bignum256 *k, rfc6979_state *state) {
-  uint8_t buf[32];
-  generate_rfc6979(buf, state);
-  bn_read_be(buf, k);
-  memzero(buf, sizeof(buf));
-}
-
 // msg is a data to be signed
 // msg_len is the message length
 int ecdsa_sign(const ecdsa_curve *curve, HasherType hasher_sign,

crypto/gui/gui.pro

@@ -13,6 +13,8 @@ SOURCES += ../hmac.c
 SOURCES += ../rand.c
 SOURCES += ../bignum.c
 SOURCES += ../ecdsa.c
+SOURCES += ../rfc6979.c
+SOURCES += ../hmac_drbg.c
 SOURCES += ../ripemd160.c
 SOURCES += ../base58.c
 SOURCES += ../secp256k1.c

crypto/rfc6979.c

@@ -23,48 +23,17 @@
  */
 
 #include "rfc6979.h"
-#include <string.h>
+#include "hmac_drbg.h"
-#include "hmac.h"
 #include "memzero.h"
 
 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
                   rfc6979_state *state) {
-  uint8_t bx[2 * 32];
+  hmac_drbg_init(state, priv_key, 32, hash, 32);
-  uint8_t buf[32 + 1 + 2 * 32];
-
-  memcpy(bx, priv_key, 32);
-  memcpy(bx + 32, hash, 32);
-
-  memset(state->v, 1, sizeof(state->v));
-  memset(state->k, 0, sizeof(state->k));
-
-  memcpy(buf, state->v, sizeof(state->v));
-  buf[sizeof(state->v)] = 0x00;
-  memcpy(buf + sizeof(state->v) + 1, bx, 64);
-  hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
-  memcpy(buf, state->v, sizeof(state->v));
-  buf[sizeof(state->v)] = 0x01;
-  memcpy(buf + sizeof(state->v) + 1, bx, 64);
-  hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-
-  memzero(bx, sizeof(bx));
-  memzero(buf, sizeof(buf));
 }
 
 // generate next number from deterministic random number generator
 void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) {
-  uint8_t buf[32 + 1];
+  hmac_drbg_generate(state, rnd, 32);
-
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-  memcpy(buf, state->v, sizeof(state->v));
-  buf[sizeof(state->v)] = 0x00;
-  hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
-  hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
-  memcpy(rnd, buf, 32);
-  memzero(buf, sizeof(buf));
 }
 
 // generate K in a deterministic way, according to RFC6979

crypto/rfc6979.h

@@ -27,11 +27,10 @@
 
 #include <stdint.h>
 #include "bignum.h"
+#include "hmac_drbg.h"
 
 // rfc6979 pseudo random number generator state
-typedef struct {
+typedef HMAC_DRBG_CTX rfc6979_state;
-  uint8_t v[32], k[32];
-} rfc6979_state;
 
 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
                   rfc6979_state *rng);