diff --git a/base58.c b/base58.c index 444d695961..d8252aefc7 100644 --- a/base58.c +++ b/base58.c @@ -26,7 +26,7 @@ #include #include "base58.h" #include "sha2.h" -#include "macro_utils.h" +#include "macros.h" static const int8_t b58digits_map[] = { -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, @@ -184,8 +184,6 @@ bool b58enc(char *b58, size_t *b58sz, const void *data, size_t binsz) return true; } -#include - int base58_encode_check(const uint8_t *data, int datalen, char *str, int strsize) { if (datalen > 128) { @@ -197,10 +195,9 @@ int base58_encode_check(const uint8_t *data, int datalen, char *str, int strsize sha256_Raw(data, datalen, hash); sha256_Raw(hash, 32, hash); size_t res = strsize; - bool fSuccess = b58enc(str, &res, buf, datalen + 4); - + bool success = b58enc(str, &res, buf, datalen + 4); MEMSET_BZERO(buf, sizeof(buf)); - return fSuccess ? res : 0; + return success ? res : 0; } int base58_decode_check(const char *str, uint8_t *data, int datalen) diff --git a/bignum.c b/bignum.c index 134f8ee08c..3bc8478620 100644 --- a/bignum.c +++ b/bignum.c @@ -26,7 +26,7 @@ #include #include "bignum.h" #include "secp256k1.h" -#include "macro_utils.h" +#include "macros.h" inline uint32_t read_be(const uint8_t *data) { @@ -226,7 +226,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime) // 0 <= res < 2^(30k + 256) * (2^30 + 1) // estimate (res / prime) coef = (res[i] >> 16) + (res[i + 1] << 14); - + // coef = res / 2^(30k + 256) rounded down // 0 <= coef <= 2^30 // subtract (coef * 2^(30k) * prime) from res @@ -239,7 +239,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime) res[i - 8 + j] = temp & 0x3FFFFFFF; } // we don't clear res[i+1] but we never read it again. - + // we rely on the fact that prime > 2^256 - 2^196 // res = oldres - coef*2^(30k) * prime; // and @@ -253,8 +253,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime) for (i = 0; i < 9; i++) { x->val[i] = res[i]; } - - MEMSET_BZERO(res,sizeof(res)); + MEMSET_BZERO(res, sizeof(res)); } // input x can be any normalized number that fits (0 <= x < 2^270). @@ -312,10 +311,8 @@ void bn_sqrt(bignum256 *x, const bignum256 *prime) } bn_mod(&res, prime); memcpy(x, &res, sizeof(bignum256)); - MEMSET_BZERO(&res, sizeof(res)); MEMSET_BZERO(&p, sizeof(p)); - } #if ! USE_INVERSE_FAST @@ -408,14 +405,14 @@ void bn_inverse(bignum256 *x, const bignum256 *prime) odd = &us; even = &vr; - // u = prime, v = x + // u = prime, v = x // r = 0 , s = 1 // k = 0 for (;;) { // invariants: - // let u = limbs us.a[0..u.len1-1] in little endian, + // let u = limbs us.a[0..u.len1-1] in little endian, // let s = limbs us.a[u.len..8] in big endian, - // let v = limbs vr.a[0..u.len1-1] in little endian, + // let v = limbs vr.a[0..u.len1-1] in little endian, // let r = limbs vr.a[u.len..8] in big endian, // r,s >= 0 ; u,v >= 1 // x*-r = u*2^k mod prime @@ -425,7 +422,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime) // max(u,v) <= 2^k (*) see comment at end of loop // gcd(u,v) = 1 // {odd,even} = {&us, &vr} - // odd->a[0] and odd->a[8] are odd + // odd->a[0] and odd->a[8] are odd // even->a[0] or even->a[8] is even // // first u/v are large and r/s small @@ -486,7 +483,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime) assert(even->a[0] & 1); assert((even->a[8] & 1) == 0); - // cmp > 0 if us.a[0..len1-1] > vr.a[0..len1-1], + // cmp > 0 if us.a[0..len1-1] > vr.a[0..len1-1], // cmp = 0 if equal, < 0 if less. cmp = us.len1 - vr.len1; if (cmp == 0) { @@ -567,7 +564,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime) // We use the Explicit Quadratic Modular inverse algorithm. // http://arxiv.org/pdf/1209.6626.pdf // a^-1 = (2-a) * PROD_i (1 + (a - 1)^(2^i)) mod 2^32 - // the product will converge quickly, because (a-1)^(2^i) will be + // the product will converge quickly, because (a-1)^(2^i) will be // zero mod 2^32 after at most five iterations. // We want to compute -prime^-1 so we start with (pp[0]-2). assert(pp[0] & 1); @@ -622,7 +619,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime) } x->val[i] = temp32; - // Let's wipe all temp buffers. + // let's wipe all temp buffers MEMSET_BZERO(pp, sizeof(pp)); MEMSET_BZERO(&us, sizeof(us)); MEMSET_BZERO(&vr, sizeof(vr)); diff --git a/bip32.c b/bip32.c index 4137e6818d..fb8b816d76 100644 --- a/bip32.c +++ b/bip32.c @@ -31,7 +31,7 @@ #include "sha2.h" #include "ripemd160.h" #include "base58.h" -#include "macro_utils.h" +#include "macros.h" int hdnode_from_xpub(uint32_t depth, uint32_t fingerprint, uint32_t child_num, const uint8_t *chain_code, const uint8_t *public_key, HDNode *out) { @@ -53,15 +53,16 @@ int hdnode_from_xprv(uint32_t depth, uint32_t fingerprint, uint32_t child_num, c bn_read_be(private_key, &a); bool failed = false; - if (bn_is_zero(&a)) { - failed = true; - } - else if( !bn_is_less(&a, &order256k1)) { // == 0 or >= order - MEMSET_BZERO(&a,sizeof(a)); + if (bn_is_zero(&a)) { // == 0 failed = true; + } else { + if (!bn_is_less(&a, &order256k1)) { // >= order + failed = true; + } + MEMSET_BZERO(&a, sizeof(a)); } - if(failed) { + if (failed) { return 0; } @@ -87,25 +88,21 @@ int hdnode_from_seed(const uint8_t *seed, int seed_len, HDNode *out) bn_read_be(out->private_key, &a); bool failed = false; - if (bn_is_zero(&a)) { + if (bn_is_zero(&a)) { // == 0 failed = true; - } - else - { - if( !bn_is_less(&a, &order256k1)) { // == 0 or >= order + } else { + if (!bn_is_less(&a, &order256k1)) { // >= order failed = true; } - - // Making sure a is wiped. - MEMSET_BZERO(&a,sizeof(a)); + MEMSET_BZERO(&a, sizeof(a)); } - if(!failed) { + if (!failed) { memcpy(out->chain_code, I + 32, 32); hdnode_fill_public_key(out); } - MEMSET_BZERO(I,sizeof(I)); + MEMSET_BZERO(I, sizeof(I)); return failed ? 0 : 1; } @@ -141,30 +138,25 @@ int hdnode_private_ckd(HDNode *inout, uint32_t i) if (!bn_is_less(&b, &order256k1)) { // >= order failed = true; } - if(!failed) { - + if (!failed) { bn_addmod(&a, &b, &order256k1); - if (bn_is_zero(&a)) { failed = true; } } - - if(!failed) - { + if (!failed) { inout->depth++; inout->child_num = i; bn_write_be(&a, inout->private_key); - hdnode_fill_public_key(inout); } - // Making sure to wipe our memory! - MEMSET_BZERO(&a,sizeof(a)); - MEMSET_BZERO(&b,sizeof(b)); - MEMSET_BZERO(I,sizeof(I)); - MEMSET_BZERO(fingerprint,sizeof(fingerprint)); - MEMSET_BZERO(data,sizeof(data)); + // making sure to wipe our memory + MEMSET_BZERO(&a, sizeof(a)); + MEMSET_BZERO(&b, sizeof(b)); + MEMSET_BZERO(I, sizeof(I)); + MEMSET_BZERO(fingerprint, sizeof(fingerprint)); + MEMSET_BZERO(data, sizeof(data)); return failed ? 0 : 1; } @@ -194,43 +186,37 @@ int hdnode_public_ckd(HDNode *inout, uint32_t i) failed = true; } - if(!failed) - { + if (!failed) { hmac_sha512(inout->chain_code, 32, data, sizeof(data), I); memcpy(inout->chain_code, I + 32, 32); bn_read_be(I, &c); - if (!bn_is_less(&c, &order256k1)) { // >= order failed = true; } } - if(!failed) - { + if (!failed) { scalar_multiply(&c, &b); // b = c * G point_add(&a, &b); // b = a + b - if (!ecdsa_validate_pubkey(&b)) { failed = true; } } - if(!failed) - { + if (!failed) { inout->public_key[0] = 0x02 | (b.y.val[0] & 0x01); bn_write_be(&b.x, inout->public_key + 1); - inout->depth++; inout->child_num = i; } // Wipe all stack data. - MEMSET_BZERO(data,sizeof(data)); - MEMSET_BZERO(I,sizeof(I)); - MEMSET_BZERO(fingerprint,sizeof(fingerprint)); - MEMSET_BZERO(&a,sizeof(a)); - MEMSET_BZERO(&b,sizeof(b)); - MEMSET_BZERO(&c,sizeof(c)); + MEMSET_BZERO(data, sizeof(data)); + MEMSET_BZERO(I, sizeof(I)); + MEMSET_BZERO(fingerprint, sizeof(fingerprint)); + MEMSET_BZERO(&a, sizeof(a)); + MEMSET_BZERO(&b, sizeof(b)); + MEMSET_BZERO(&c, sizeof(c)); return failed ? 0 : 1; } diff --git a/ecdsa.c b/ecdsa.c index 8fe28f7f52..1462ad5eb8 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -33,7 +33,7 @@ #include "hmac.h" #include "ecdsa.h" #include "base58.h" -#include "macro_utils.h" +#include "macros.h" // Set cp2 = cp1 void point_copy(const curve_point *cp1, curve_point *cp2) @@ -165,12 +165,12 @@ int point_is_negative_of(const curve_point *p, const curve_point *q) if (!bn_is_equal(&(p->x), &(q->x))) { return 0; } - + // we shouldn't hit this for a valid point if (bn_is_zero(&(p->y))) { return 0; } - + return !bn_is_equal(&(p->y), &(q->y)); } @@ -200,7 +200,7 @@ static void curve_to_jacobian(const curve_point *p, jacobian_curve_point *jp) { jp->z.val[i] = random32() & 0x3FFFFFFF; } jp->z.val[8] = (random32() & 0x7fff) + 1; - + jp->x = jp->z; bn_multiply(&jp->z, &jp->x, &prime256k1); // x = z^2 @@ -259,7 +259,6 @@ static void point_jacobian_add(const curve_point *p1, jacobian_curve_point *p2) * and y3 = (lambda * (x2/z2^2 - x3/z3^2) - y2/z2^3) * z3^3 * = r * (h^2*x2 - x3) - h^3*y2 */ - /* h = x1*z2^2 - x2 * r = y1*z2^3 - y2 @@ -347,7 +346,6 @@ static void point_jacobian_double(jacobian_curve_point *p) { * and y3 = (lambda * (x/z^2 - x3/z3^2) - y/z^3) * z3^3 * = m * (xy^2 - x3) - y^4 */ - /* m = 3/2*x*x * x3 = m^2 - 2*xy^2 @@ -486,7 +484,7 @@ void point_multiply(const bignum256 *k, const curve_point *p, curve_point *res) // negate last result to make signs of this round and the // last round equal. conditional_negate(sign ^ nsign, &jres.z, &prime256k1); - + // add odd factor point_jacobian_add(&pmult[bits >> 1], &jres); sign = nsign; @@ -572,7 +570,7 @@ void scalar_multiply(const bignum256 *k, curve_point *res) // negate last result to make signs of this round and the // last round equal. conditional_negate((lowbits & 1) - 1, &jres.y, &prime256k1); - + // add odd factor point_jacobian_add(&secp256k1_cp[i][lowbits >> 1], &jres); } @@ -656,7 +654,6 @@ int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, ui uint8_t hash[32]; sha256_Raw(msg, msg_len, hash); int res = ecdsa_sign_digest(priv_key, hash, sig, pby); - MEMSET_BZERO(hash, sizeof(hash)); return res; @@ -670,9 +667,7 @@ int ecdsa_sign_double(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_ sha256_Raw(msg, msg_len, hash); sha256_Raw(hash, 32, hash); int res = ecdsa_sign_digest(priv_key, hash, sig, pby); - MEMSET_BZERO(hash, sizeof(hash)); - return res; } @@ -701,7 +696,7 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s } #endif - if(result == 0) { + if (result == 0) { // compute k*G scalar_multiply(&k, &R); if (pby) { @@ -716,7 +711,7 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s } } - if(result == 0) { + if (result == 0) { bn_inverse(&k, &order256k1); bn_read_be(priv_key, da); bn_multiply(&R.x, da, &order256k1); @@ -734,8 +729,7 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s } } - if(result == 0) - { + if (result == 0) { // if S > order/2 => S = -S if (bn_is_less(&order256k1_half, &k)) { bn_subtract(&order256k1, &k, &k); @@ -748,9 +742,9 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s bn_write_be(&k, sig + 32); } - MEMSET_BZERO(&k,sizeof(k)); - MEMSET_BZERO(&z,sizeof(z)); - MEMSET_BZERO(&R,sizeof(R)); + MEMSET_BZERO(&k, sizeof(k)); + MEMSET_BZERO(&z, sizeof(z)); + MEMSET_BZERO(&R, sizeof(R)); return 0; } @@ -764,8 +758,8 @@ void ecdsa_get_public_key33(const uint8_t *priv_key, uint8_t *pub_key) scalar_multiply(&k, &R); pub_key[0] = 0x02 | (R.y.val[0] & 0x01); bn_write_be(&R.x, pub_key + 1); - MEMSET_BZERO(&R,sizeof(R)); - MEMSET_BZERO(&k,sizeof(k)); + MEMSET_BZERO(&R, sizeof(R)); + MEMSET_BZERO(&k, sizeof(k)); } void ecdsa_get_public_key65(const uint8_t *priv_key, uint8_t *pub_key) @@ -779,8 +773,8 @@ void ecdsa_get_public_key65(const uint8_t *priv_key, uint8_t *pub_key) pub_key[0] = 0x04; bn_write_be(&R.x, pub_key + 1); bn_write_be(&R.y, pub_key + 33); - MEMSET_BZERO(&R,sizeof(R)); - MEMSET_BZERO(&k,sizeof(k)); + MEMSET_BZERO(&R, sizeof(R)); + MEMSET_BZERO(&k, sizeof(k)); } void ecdsa_get_pubkeyhash(const uint8_t *pub_key, uint8_t *pubkeyhash) @@ -794,7 +788,7 @@ void ecdsa_get_pubkeyhash(const uint8_t *pub_key, uint8_t *pubkeyhash) sha256_Raw(pub_key, 33, h); // expecting compressed format } ripemd160(h, 32, pubkeyhash); - MEMSET_BZERO(h,sizeof(h)); + MEMSET_BZERO(h, sizeof(h)); } void ecdsa_get_address_raw(const uint8_t *pub_key, uint8_t version, uint8_t *addr_raw) @@ -809,8 +803,8 @@ void ecdsa_get_address(const uint8_t *pub_key, uint8_t version, char *addr, int ecdsa_get_address_raw(pub_key, version, raw); base58_encode_check(raw, 21, addr, addrsize); - // Not as important to clear this one, but we might as well. - MEMSET_BZERO(raw,sizeof(raw)); + // not as important to clear this one, but we might as well + MEMSET_BZERO(raw, sizeof(raw)); } void ecdsa_get_wif(const uint8_t *priv_key, uint8_t version, char *wif, int wifsize) @@ -821,8 +815,8 @@ void ecdsa_get_wif(const uint8_t *priv_key, uint8_t version, char *wif, int wifs data[33] = 0x01; base58_encode_check(data, 34, wif, wifsize); - // This private keys running around our stack can cause trouble! - MEMSET_BZERO(data,sizeof(data)); + // private keys running around our stack can cause trouble + MEMSET_BZERO(data, sizeof(data)); } int ecdsa_address_decode(const char *addr, uint8_t *out) @@ -907,8 +901,7 @@ int ecdsa_verify(const uint8_t *pub_key, const uint8_t *sig, const uint8_t *msg, uint8_t hash[32]; sha256_Raw(msg, msg_len, hash); int res = ecdsa_verify_digest(pub_key, sig, hash); - - MEMSET_BZERO(hash,sizeof(hash)); + MEMSET_BZERO(hash, sizeof(hash)); return res; } @@ -917,10 +910,8 @@ int ecdsa_verify_double(const uint8_t *pub_key, const uint8_t *sig, const uint8_ uint8_t hash[32]; sha256_Raw(msg, msg_len, hash); sha256_Raw(hash, 32, hash); - int res = ecdsa_verify_digest(pub_key, sig, hash); - - MEMSET_BZERO(hash,sizeof(hash)); + MEMSET_BZERO(hash, sizeof(hash)); return res; } @@ -958,24 +949,23 @@ int ecdsa_verify_digest(const uint8_t *pub_key, const uint8_t *sig, const uint8_ scalar_multiply(&z, &res); } - if(result == 0) { - - // both pub and res can be infinity, can have y = 0 OR can be equal -> false negative - point_multiply(&s, &pub, &pub); - point_add(&pub, &res); - bn_mod(&(res.x), &order256k1); - - // signature does not match + if (result == 0) { + // both pub and res can be infinity, can have y = 0 OR can be equal -> false negative + point_multiply(&s, &pub, &pub); + point_add(&pub, &res); + bn_mod(&(res.x), &order256k1); + // signature does not match if (!bn_is_equal(&res.x, &r)) { result = 5; } } - MEMSET_BZERO(&pub,sizeof(pub)); - MEMSET_BZERO(&res,sizeof(res)); - MEMSET_BZERO(&r,sizeof(r)); - MEMSET_BZERO(&s,sizeof(s)); - MEMSET_BZERO(&z,sizeof(z)); + MEMSET_BZERO(&pub, sizeof(pub)); + MEMSET_BZERO(&res, sizeof(res)); + MEMSET_BZERO(&r, sizeof(r)); + MEMSET_BZERO(&s, sizeof(s)); + MEMSET_BZERO(&z, sizeof(z)); + // all OK return result; } diff --git a/hmac.c b/hmac.c index a43d2a7a61..f7b00774cf 100644 --- a/hmac.c +++ b/hmac.c @@ -25,7 +25,7 @@ #include "hmac.h" #include "sha2.h" -#include "macro_utils.h" +#include "macros.h" void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac) { @@ -54,10 +54,9 @@ void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, sha256_Update(&ctx, o_key_pad, SHA256_BLOCK_LENGTH); sha256_Update(&ctx, buf, SHA256_DIGEST_LENGTH); sha256_Final(hmac, &ctx); - MEMSET_BZERO(buf,sizeof(buf)); - MEMSET_BZERO(o_key_pad,sizeof(o_key_pad)); - MEMSET_BZERO(i_key_pad,sizeof(i_key_pad)); - + MEMSET_BZERO(buf, sizeof(buf)); + MEMSET_BZERO(o_key_pad, sizeof(o_key_pad)); + MEMSET_BZERO(i_key_pad, sizeof(i_key_pad)); } void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac) @@ -88,7 +87,7 @@ void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, sha512_Update(&ctx, buf, SHA512_DIGEST_LENGTH); sha512_Final(hmac, &ctx); - MEMSET_BZERO(buf,sizeof(buf)); - MEMSET_BZERO(o_key_pad,sizeof(o_key_pad)); - MEMSET_BZERO(i_key_pad,sizeof(i_key_pad)); + MEMSET_BZERO(buf, sizeof(buf)); + MEMSET_BZERO(o_key_pad, sizeof(o_key_pad)); + MEMSET_BZERO(i_key_pad, sizeof(i_key_pad)); } diff --git a/macro_utils.h b/macro_utils.h deleted file mode 100644 index 54634f8d18..0000000000 --- a/macro_utils.h +++ /dev/null @@ -1,8 +0,0 @@ - -#if !defined( _MACRO_UTILS_H ) -#define _MACRO_UTILS_H - -#define MEMSET_BZERO(p,l) memset((p), 0, (l)) - - -#endif diff --git a/macros.h b/macros.h new file mode 100644 index 0000000000..041289e7ca --- /dev/null +++ b/macros.h @@ -0,0 +1,6 @@ +#ifndef __MACROS_H__ +#define __MACROS_H__ + +#define MEMSET_BZERO(p,l) memset((p), 0, (l)) + +#endif diff --git a/pbkdf2.c b/pbkdf2.c index 256ef86e16..363618e08a 100644 --- a/pbkdf2.c +++ b/pbkdf2.c @@ -24,7 +24,7 @@ #include #include "pbkdf2.h" #include "hmac.h" -#include "macro_utils.h" +#include "macros.h" void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key, int keylen, void (*progress_callback)(uint32_t current, uint32_t total)) { @@ -57,8 +57,7 @@ void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, uint8_t *salt, int sal memcpy(key + HMACLEN * (i - 1), f, HMACLEN); } } - - MEMSET_BZERO(f,sizeof(f)); + MEMSET_BZERO(f, sizeof(f)); MEMSET_BZERO(g, sizeof(g)); } @@ -93,7 +92,6 @@ void pbkdf2_hmac_sha512(const uint8_t *pass, int passlen, uint8_t *salt, int sal memcpy(key + HMACLEN * (i - 1), f, HMACLEN); } } - - MEMSET_BZERO(f,sizeof(f)); + MEMSET_BZERO(f, sizeof(f)); MEMSET_BZERO(g, sizeof(g)); } diff --git a/tests.c b/tests.c index 0f58c09fd3..94c9449e63 100644 --- a/tests.c +++ b/tests.c @@ -1220,7 +1220,7 @@ START_TEST(test_secp256k1_cp) { point_multiply(&a, &G256k1, &p); ck_assert_mem_eq(&p, &secp256k1_cp[i][j], sizeof(curve_point)); - // even/odd has different behaviour; + // even/odd has different behaviour; // increment by one and test again p1 = p; point_add(&G256k1, &p1);