1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-29 10:58:21 +00:00

cleanup coding style

This commit is contained in:
Pavol Rusnak 2015-04-13 18:19:33 +02:00
parent 6ec585fcee
commit 21d0bb437a
9 changed files with 97 additions and 132 deletions

View File

@ -26,7 +26,7 @@
#include <sys/types.h> #include <sys/types.h>
#include "base58.h" #include "base58.h"
#include "sha2.h" #include "sha2.h"
#include "macro_utils.h" #include "macros.h"
static const int8_t b58digits_map[] = { static const int8_t b58digits_map[] = {
-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
@ -184,8 +184,6 @@ bool b58enc(char *b58, size_t *b58sz, const void *data, size_t binsz)
return true; return true;
} }
#include <stdio.h>
int base58_encode_check(const uint8_t *data, int datalen, char *str, int strsize) int base58_encode_check(const uint8_t *data, int datalen, char *str, int strsize)
{ {
if (datalen > 128) { if (datalen > 128) {
@ -197,10 +195,9 @@ int base58_encode_check(const uint8_t *data, int datalen, char *str, int strsize
sha256_Raw(data, datalen, hash); sha256_Raw(data, datalen, hash);
sha256_Raw(hash, 32, hash); sha256_Raw(hash, 32, hash);
size_t res = strsize; size_t res = strsize;
bool fSuccess = b58enc(str, &res, buf, datalen + 4); bool success = b58enc(str, &res, buf, datalen + 4);
MEMSET_BZERO(buf, sizeof(buf)); MEMSET_BZERO(buf, sizeof(buf));
return fSuccess ? res : 0; return success ? res : 0;
} }
int base58_decode_check(const char *str, uint8_t *data, int datalen) int base58_decode_check(const char *str, uint8_t *data, int datalen)

View File

@ -26,7 +26,7 @@
#include <assert.h> #include <assert.h>
#include "bignum.h" #include "bignum.h"
#include "secp256k1.h" #include "secp256k1.h"
#include "macro_utils.h" #include "macros.h"
inline uint32_t read_be(const uint8_t *data) inline uint32_t read_be(const uint8_t *data)
{ {
@ -226,7 +226,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime)
// 0 <= res < 2^(30k + 256) * (2^30 + 1) // 0 <= res < 2^(30k + 256) * (2^30 + 1)
// estimate (res / prime) // estimate (res / prime)
coef = (res[i] >> 16) + (res[i + 1] << 14); coef = (res[i] >> 16) + (res[i + 1] << 14);
// coef = res / 2^(30k + 256) rounded down // coef = res / 2^(30k + 256) rounded down
// 0 <= coef <= 2^30 // 0 <= coef <= 2^30
// subtract (coef * 2^(30k) * prime) from res // subtract (coef * 2^(30k) * prime) from res
@ -239,7 +239,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime)
res[i - 8 + j] = temp & 0x3FFFFFFF; res[i - 8 + j] = temp & 0x3FFFFFFF;
} }
// we don't clear res[i+1] but we never read it again. // we don't clear res[i+1] but we never read it again.
// we rely on the fact that prime > 2^256 - 2^196 // we rely on the fact that prime > 2^256 - 2^196
// res = oldres - coef*2^(30k) * prime; // res = oldres - coef*2^(30k) * prime;
// and // and
@ -253,8 +253,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime)
for (i = 0; i < 9; i++) { for (i = 0; i < 9; i++) {
x->val[i] = res[i]; x->val[i] = res[i];
} }
MEMSET_BZERO(res, sizeof(res));
MEMSET_BZERO(res,sizeof(res));
} }
// input x can be any normalized number that fits (0 <= x < 2^270). // input x can be any normalized number that fits (0 <= x < 2^270).
@ -312,10 +311,8 @@ void bn_sqrt(bignum256 *x, const bignum256 *prime)
} }
bn_mod(&res, prime); bn_mod(&res, prime);
memcpy(x, &res, sizeof(bignum256)); memcpy(x, &res, sizeof(bignum256));
MEMSET_BZERO(&res, sizeof(res)); MEMSET_BZERO(&res, sizeof(res));
MEMSET_BZERO(&p, sizeof(p)); MEMSET_BZERO(&p, sizeof(p));
} }
#if ! USE_INVERSE_FAST #if ! USE_INVERSE_FAST
@ -408,14 +405,14 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
odd = &us; odd = &us;
even = &vr; even = &vr;
// u = prime, v = x // u = prime, v = x
// r = 0 , s = 1 // r = 0 , s = 1
// k = 0 // k = 0
for (;;) { for (;;) {
// invariants: // invariants:
// let u = limbs us.a[0..u.len1-1] in little endian, // let u = limbs us.a[0..u.len1-1] in little endian,
// let s = limbs us.a[u.len..8] in big endian, // let s = limbs us.a[u.len..8] in big endian,
// let v = limbs vr.a[0..u.len1-1] in little endian, // let v = limbs vr.a[0..u.len1-1] in little endian,
// let r = limbs vr.a[u.len..8] in big endian, // let r = limbs vr.a[u.len..8] in big endian,
// r,s >= 0 ; u,v >= 1 // r,s >= 0 ; u,v >= 1
// x*-r = u*2^k mod prime // x*-r = u*2^k mod prime
@ -425,7 +422,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
// max(u,v) <= 2^k (*) see comment at end of loop // max(u,v) <= 2^k (*) see comment at end of loop
// gcd(u,v) = 1 // gcd(u,v) = 1
// {odd,even} = {&us, &vr} // {odd,even} = {&us, &vr}
// odd->a[0] and odd->a[8] are odd // odd->a[0] and odd->a[8] are odd
// even->a[0] or even->a[8] is even // even->a[0] or even->a[8] is even
// //
// first u/v are large and r/s small // first u/v are large and r/s small
@ -486,7 +483,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
assert(even->a[0] & 1); assert(even->a[0] & 1);
assert((even->a[8] & 1) == 0); assert((even->a[8] & 1) == 0);
// cmp > 0 if us.a[0..len1-1] > vr.a[0..len1-1], // cmp > 0 if us.a[0..len1-1] > vr.a[0..len1-1],
// cmp = 0 if equal, < 0 if less. // cmp = 0 if equal, < 0 if less.
cmp = us.len1 - vr.len1; cmp = us.len1 - vr.len1;
if (cmp == 0) { if (cmp == 0) {
@ -567,7 +564,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
// We use the Explicit Quadratic Modular inverse algorithm. // We use the Explicit Quadratic Modular inverse algorithm.
// http://arxiv.org/pdf/1209.6626.pdf // http://arxiv.org/pdf/1209.6626.pdf
// a^-1 = (2-a) * PROD_i (1 + (a - 1)^(2^i)) mod 2^32 // a^-1 = (2-a) * PROD_i (1 + (a - 1)^(2^i)) mod 2^32
// the product will converge quickly, because (a-1)^(2^i) will be // the product will converge quickly, because (a-1)^(2^i) will be
// zero mod 2^32 after at most five iterations. // zero mod 2^32 after at most five iterations.
// We want to compute -prime^-1 so we start with (pp[0]-2). // We want to compute -prime^-1 so we start with (pp[0]-2).
assert(pp[0] & 1); assert(pp[0] & 1);
@ -622,7 +619,7 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
} }
x->val[i] = temp32; x->val[i] = temp32;
// Let's wipe all temp buffers. // let's wipe all temp buffers
MEMSET_BZERO(pp, sizeof(pp)); MEMSET_BZERO(pp, sizeof(pp));
MEMSET_BZERO(&us, sizeof(us)); MEMSET_BZERO(&us, sizeof(us));
MEMSET_BZERO(&vr, sizeof(vr)); MEMSET_BZERO(&vr, sizeof(vr));

76
bip32.c
View File

@ -31,7 +31,7 @@
#include "sha2.h" #include "sha2.h"
#include "ripemd160.h" #include "ripemd160.h"
#include "base58.h" #include "base58.h"
#include "macro_utils.h" #include "macros.h"
int hdnode_from_xpub(uint32_t depth, uint32_t fingerprint, uint32_t child_num, const uint8_t *chain_code, const uint8_t *public_key, HDNode *out) int hdnode_from_xpub(uint32_t depth, uint32_t fingerprint, uint32_t child_num, const uint8_t *chain_code, const uint8_t *public_key, HDNode *out)
{ {
@ -53,15 +53,16 @@ int hdnode_from_xprv(uint32_t depth, uint32_t fingerprint, uint32_t child_num, c
bn_read_be(private_key, &a); bn_read_be(private_key, &a);
bool failed = false; bool failed = false;
if (bn_is_zero(&a)) { if (bn_is_zero(&a)) { // == 0
failed = true;
}
else if( !bn_is_less(&a, &order256k1)) { // == 0 or >= order
MEMSET_BZERO(&a,sizeof(a));
failed = true; failed = true;
} else {
if (!bn_is_less(&a, &order256k1)) { // >= order
failed = true;
}
MEMSET_BZERO(&a, sizeof(a));
} }
if(failed) { if (failed) {
return 0; return 0;
} }
@ -87,25 +88,21 @@ int hdnode_from_seed(const uint8_t *seed, int seed_len, HDNode *out)
bn_read_be(out->private_key, &a); bn_read_be(out->private_key, &a);
bool failed = false; bool failed = false;
if (bn_is_zero(&a)) { if (bn_is_zero(&a)) { // == 0
failed = true; failed = true;
} } else {
else if (!bn_is_less(&a, &order256k1)) { // >= order
{
if( !bn_is_less(&a, &order256k1)) { // == 0 or >= order
failed = true; failed = true;
} }
MEMSET_BZERO(&a, sizeof(a));
// Making sure a is wiped.
MEMSET_BZERO(&a,sizeof(a));
} }
if(!failed) { if (!failed) {
memcpy(out->chain_code, I + 32, 32); memcpy(out->chain_code, I + 32, 32);
hdnode_fill_public_key(out); hdnode_fill_public_key(out);
} }
MEMSET_BZERO(I,sizeof(I)); MEMSET_BZERO(I, sizeof(I));
return failed ? 0 : 1; return failed ? 0 : 1;
} }
@ -141,30 +138,25 @@ int hdnode_private_ckd(HDNode *inout, uint32_t i)
if (!bn_is_less(&b, &order256k1)) { // >= order if (!bn_is_less(&b, &order256k1)) { // >= order
failed = true; failed = true;
} }
if(!failed) { if (!failed) {
bn_addmod(&a, &b, &order256k1); bn_addmod(&a, &b, &order256k1);
if (bn_is_zero(&a)) { if (bn_is_zero(&a)) {
failed = true; failed = true;
} }
} }
if (!failed) {
if(!failed)
{
inout->depth++; inout->depth++;
inout->child_num = i; inout->child_num = i;
bn_write_be(&a, inout->private_key); bn_write_be(&a, inout->private_key);
hdnode_fill_public_key(inout); hdnode_fill_public_key(inout);
} }
// Making sure to wipe our memory! // making sure to wipe our memory
MEMSET_BZERO(&a,sizeof(a)); MEMSET_BZERO(&a, sizeof(a));
MEMSET_BZERO(&b,sizeof(b)); MEMSET_BZERO(&b, sizeof(b));
MEMSET_BZERO(I,sizeof(I)); MEMSET_BZERO(I, sizeof(I));
MEMSET_BZERO(fingerprint,sizeof(fingerprint)); MEMSET_BZERO(fingerprint, sizeof(fingerprint));
MEMSET_BZERO(data,sizeof(data)); MEMSET_BZERO(data, sizeof(data));
return failed ? 0 : 1; return failed ? 0 : 1;
} }
@ -194,43 +186,37 @@ int hdnode_public_ckd(HDNode *inout, uint32_t i)
failed = true; failed = true;
} }
if(!failed) if (!failed) {
{
hmac_sha512(inout->chain_code, 32, data, sizeof(data), I); hmac_sha512(inout->chain_code, 32, data, sizeof(data), I);
memcpy(inout->chain_code, I + 32, 32); memcpy(inout->chain_code, I + 32, 32);
bn_read_be(I, &c); bn_read_be(I, &c);
if (!bn_is_less(&c, &order256k1)) { // >= order if (!bn_is_less(&c, &order256k1)) { // >= order
failed = true; failed = true;
} }
} }
if(!failed) if (!failed) {
{
scalar_multiply(&c, &b); // b = c * G scalar_multiply(&c, &b); // b = c * G
point_add(&a, &b); // b = a + b point_add(&a, &b); // b = a + b
if (!ecdsa_validate_pubkey(&b)) { if (!ecdsa_validate_pubkey(&b)) {
failed = true; failed = true;
} }
} }
if(!failed) if (!failed) {
{
inout->public_key[0] = 0x02 | (b.y.val[0] & 0x01); inout->public_key[0] = 0x02 | (b.y.val[0] & 0x01);
bn_write_be(&b.x, inout->public_key + 1); bn_write_be(&b.x, inout->public_key + 1);
inout->depth++; inout->depth++;
inout->child_num = i; inout->child_num = i;
} }
// Wipe all stack data. // Wipe all stack data.
MEMSET_BZERO(data,sizeof(data)); MEMSET_BZERO(data, sizeof(data));
MEMSET_BZERO(I,sizeof(I)); MEMSET_BZERO(I, sizeof(I));
MEMSET_BZERO(fingerprint,sizeof(fingerprint)); MEMSET_BZERO(fingerprint, sizeof(fingerprint));
MEMSET_BZERO(&a,sizeof(a)); MEMSET_BZERO(&a, sizeof(a));
MEMSET_BZERO(&b,sizeof(b)); MEMSET_BZERO(&b, sizeof(b));
MEMSET_BZERO(&c,sizeof(c)); MEMSET_BZERO(&c, sizeof(c));
return failed ? 0 : 1; return failed ? 0 : 1;
} }

80
ecdsa.c
View File

@ -33,7 +33,7 @@
#include "hmac.h" #include "hmac.h"
#include "ecdsa.h" #include "ecdsa.h"
#include "base58.h" #include "base58.h"
#include "macro_utils.h" #include "macros.h"
// Set cp2 = cp1 // Set cp2 = cp1
void point_copy(const curve_point *cp1, curve_point *cp2) void point_copy(const curve_point *cp1, curve_point *cp2)
@ -165,12 +165,12 @@ int point_is_negative_of(const curve_point *p, const curve_point *q)
if (!bn_is_equal(&(p->x), &(q->x))) { if (!bn_is_equal(&(p->x), &(q->x))) {
return 0; return 0;
} }
// we shouldn't hit this for a valid point // we shouldn't hit this for a valid point
if (bn_is_zero(&(p->y))) { if (bn_is_zero(&(p->y))) {
return 0; return 0;
} }
return !bn_is_equal(&(p->y), &(q->y)); return !bn_is_equal(&(p->y), &(q->y));
} }
@ -200,7 +200,7 @@ static void curve_to_jacobian(const curve_point *p, jacobian_curve_point *jp) {
jp->z.val[i] = random32() & 0x3FFFFFFF; jp->z.val[i] = random32() & 0x3FFFFFFF;
} }
jp->z.val[8] = (random32() & 0x7fff) + 1; jp->z.val[8] = (random32() & 0x7fff) + 1;
jp->x = jp->z; jp->x = jp->z;
bn_multiply(&jp->z, &jp->x, &prime256k1); bn_multiply(&jp->z, &jp->x, &prime256k1);
// x = z^2 // x = z^2
@ -259,7 +259,6 @@ static void point_jacobian_add(const curve_point *p1, jacobian_curve_point *p2)
* and y3 = (lambda * (x2/z2^2 - x3/z3^2) - y2/z2^3) * z3^3 * and y3 = (lambda * (x2/z2^2 - x3/z3^2) - y2/z2^3) * z3^3
* = r * (h^2*x2 - x3) - h^3*y2 * = r * (h^2*x2 - x3) - h^3*y2
*/ */
/* h = x1*z2^2 - x2 /* h = x1*z2^2 - x2
* r = y1*z2^3 - y2 * r = y1*z2^3 - y2
@ -347,7 +346,6 @@ static void point_jacobian_double(jacobian_curve_point *p) {
* and y3 = (lambda * (x/z^2 - x3/z3^2) - y/z^3) * z3^3 * and y3 = (lambda * (x/z^2 - x3/z3^2) - y/z^3) * z3^3
* = m * (xy^2 - x3) - y^4 * = m * (xy^2 - x3) - y^4
*/ */
/* m = 3/2*x*x /* m = 3/2*x*x
* x3 = m^2 - 2*xy^2 * x3 = m^2 - 2*xy^2
@ -486,7 +484,7 @@ void point_multiply(const bignum256 *k, const curve_point *p, curve_point *res)
// negate last result to make signs of this round and the // negate last result to make signs of this round and the
// last round equal. // last round equal.
conditional_negate(sign ^ nsign, &jres.z, &prime256k1); conditional_negate(sign ^ nsign, &jres.z, &prime256k1);
// add odd factor // add odd factor
point_jacobian_add(&pmult[bits >> 1], &jres); point_jacobian_add(&pmult[bits >> 1], &jres);
sign = nsign; sign = nsign;
@ -572,7 +570,7 @@ void scalar_multiply(const bignum256 *k, curve_point *res)
// negate last result to make signs of this round and the // negate last result to make signs of this round and the
// last round equal. // last round equal.
conditional_negate((lowbits & 1) - 1, &jres.y, &prime256k1); conditional_negate((lowbits & 1) - 1, &jres.y, &prime256k1);
// add odd factor // add odd factor
point_jacobian_add(&secp256k1_cp[i][lowbits >> 1], &jres); point_jacobian_add(&secp256k1_cp[i][lowbits >> 1], &jres);
} }
@ -656,7 +654,6 @@ int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, ui
uint8_t hash[32]; uint8_t hash[32];
sha256_Raw(msg, msg_len, hash); sha256_Raw(msg, msg_len, hash);
int res = ecdsa_sign_digest(priv_key, hash, sig, pby); int res = ecdsa_sign_digest(priv_key, hash, sig, pby);
MEMSET_BZERO(hash, sizeof(hash)); MEMSET_BZERO(hash, sizeof(hash));
return res; return res;
@ -670,9 +667,7 @@ int ecdsa_sign_double(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_
sha256_Raw(msg, msg_len, hash); sha256_Raw(msg, msg_len, hash);
sha256_Raw(hash, 32, hash); sha256_Raw(hash, 32, hash);
int res = ecdsa_sign_digest(priv_key, hash, sig, pby); int res = ecdsa_sign_digest(priv_key, hash, sig, pby);
MEMSET_BZERO(hash, sizeof(hash)); MEMSET_BZERO(hash, sizeof(hash));
return res; return res;
} }
@ -701,7 +696,7 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s
} }
#endif #endif
if(result == 0) { if (result == 0) {
// compute k*G // compute k*G
scalar_multiply(&k, &R); scalar_multiply(&k, &R);
if (pby) { if (pby) {
@ -716,7 +711,7 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s
} }
} }
if(result == 0) { if (result == 0) {
bn_inverse(&k, &order256k1); bn_inverse(&k, &order256k1);
bn_read_be(priv_key, da); bn_read_be(priv_key, da);
bn_multiply(&R.x, da, &order256k1); bn_multiply(&R.x, da, &order256k1);
@ -734,8 +729,7 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s
} }
} }
if(result == 0) if (result == 0) {
{
// if S > order/2 => S = -S // if S > order/2 => S = -S
if (bn_is_less(&order256k1_half, &k)) { if (bn_is_less(&order256k1_half, &k)) {
bn_subtract(&order256k1, &k, &k); bn_subtract(&order256k1, &k, &k);
@ -748,9 +742,9 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s
bn_write_be(&k, sig + 32); bn_write_be(&k, sig + 32);
} }
MEMSET_BZERO(&k,sizeof(k)); MEMSET_BZERO(&k, sizeof(k));
MEMSET_BZERO(&z,sizeof(z)); MEMSET_BZERO(&z, sizeof(z));
MEMSET_BZERO(&R,sizeof(R)); MEMSET_BZERO(&R, sizeof(R));
return 0; return 0;
} }
@ -764,8 +758,8 @@ void ecdsa_get_public_key33(const uint8_t *priv_key, uint8_t *pub_key)
scalar_multiply(&k, &R); scalar_multiply(&k, &R);
pub_key[0] = 0x02 | (R.y.val[0] & 0x01); pub_key[0] = 0x02 | (R.y.val[0] & 0x01);
bn_write_be(&R.x, pub_key + 1); bn_write_be(&R.x, pub_key + 1);
MEMSET_BZERO(&R,sizeof(R)); MEMSET_BZERO(&R, sizeof(R));
MEMSET_BZERO(&k,sizeof(k)); MEMSET_BZERO(&k, sizeof(k));
} }
void ecdsa_get_public_key65(const uint8_t *priv_key, uint8_t *pub_key) void ecdsa_get_public_key65(const uint8_t *priv_key, uint8_t *pub_key)
@ -779,8 +773,8 @@ void ecdsa_get_public_key65(const uint8_t *priv_key, uint8_t *pub_key)
pub_key[0] = 0x04; pub_key[0] = 0x04;
bn_write_be(&R.x, pub_key + 1); bn_write_be(&R.x, pub_key + 1);
bn_write_be(&R.y, pub_key + 33); bn_write_be(&R.y, pub_key + 33);
MEMSET_BZERO(&R,sizeof(R)); MEMSET_BZERO(&R, sizeof(R));
MEMSET_BZERO(&k,sizeof(k)); MEMSET_BZERO(&k, sizeof(k));
} }
void ecdsa_get_pubkeyhash(const uint8_t *pub_key, uint8_t *pubkeyhash) void ecdsa_get_pubkeyhash(const uint8_t *pub_key, uint8_t *pubkeyhash)
@ -794,7 +788,7 @@ void ecdsa_get_pubkeyhash(const uint8_t *pub_key, uint8_t *pubkeyhash)
sha256_Raw(pub_key, 33, h); // expecting compressed format sha256_Raw(pub_key, 33, h); // expecting compressed format
} }
ripemd160(h, 32, pubkeyhash); ripemd160(h, 32, pubkeyhash);
MEMSET_BZERO(h,sizeof(h)); MEMSET_BZERO(h, sizeof(h));
} }
void ecdsa_get_address_raw(const uint8_t *pub_key, uint8_t version, uint8_t *addr_raw) void ecdsa_get_address_raw(const uint8_t *pub_key, uint8_t version, uint8_t *addr_raw)
@ -809,8 +803,8 @@ void ecdsa_get_address(const uint8_t *pub_key, uint8_t version, char *addr, int
ecdsa_get_address_raw(pub_key, version, raw); ecdsa_get_address_raw(pub_key, version, raw);
base58_encode_check(raw, 21, addr, addrsize); base58_encode_check(raw, 21, addr, addrsize);
// Not as important to clear this one, but we might as well. // not as important to clear this one, but we might as well
MEMSET_BZERO(raw,sizeof(raw)); MEMSET_BZERO(raw, sizeof(raw));
} }
void ecdsa_get_wif(const uint8_t *priv_key, uint8_t version, char *wif, int wifsize) void ecdsa_get_wif(const uint8_t *priv_key, uint8_t version, char *wif, int wifsize)
@ -821,8 +815,8 @@ void ecdsa_get_wif(const uint8_t *priv_key, uint8_t version, char *wif, int wifs
data[33] = 0x01; data[33] = 0x01;
base58_encode_check(data, 34, wif, wifsize); base58_encode_check(data, 34, wif, wifsize);
// This private keys running around our stack can cause trouble! // private keys running around our stack can cause trouble
MEMSET_BZERO(data,sizeof(data)); MEMSET_BZERO(data, sizeof(data));
} }
int ecdsa_address_decode(const char *addr, uint8_t *out) int ecdsa_address_decode(const char *addr, uint8_t *out)
@ -907,8 +901,7 @@ int ecdsa_verify(const uint8_t *pub_key, const uint8_t *sig, const uint8_t *msg,
uint8_t hash[32]; uint8_t hash[32];
sha256_Raw(msg, msg_len, hash); sha256_Raw(msg, msg_len, hash);
int res = ecdsa_verify_digest(pub_key, sig, hash); int res = ecdsa_verify_digest(pub_key, sig, hash);
MEMSET_BZERO(hash, sizeof(hash));
MEMSET_BZERO(hash,sizeof(hash));
return res; return res;
} }
@ -917,10 +910,8 @@ int ecdsa_verify_double(const uint8_t *pub_key, const uint8_t *sig, const uint8_
uint8_t hash[32]; uint8_t hash[32];
sha256_Raw(msg, msg_len, hash); sha256_Raw(msg, msg_len, hash);
sha256_Raw(hash, 32, hash); sha256_Raw(hash, 32, hash);
int res = ecdsa_verify_digest(pub_key, sig, hash); int res = ecdsa_verify_digest(pub_key, sig, hash);
MEMSET_BZERO(hash, sizeof(hash));
MEMSET_BZERO(hash,sizeof(hash));
return res; return res;
} }
@ -958,24 +949,23 @@ int ecdsa_verify_digest(const uint8_t *pub_key, const uint8_t *sig, const uint8_
scalar_multiply(&z, &res); scalar_multiply(&z, &res);
} }
if(result == 0) { if (result == 0) {
// both pub and res can be infinity, can have y = 0 OR can be equal -> false negative
// both pub and res can be infinity, can have y = 0 OR can be equal -> false negative point_multiply(&s, &pub, &pub);
point_multiply(&s, &pub, &pub); point_add(&pub, &res);
point_add(&pub, &res); bn_mod(&(res.x), &order256k1);
bn_mod(&(res.x), &order256k1); // signature does not match
// signature does not match
if (!bn_is_equal(&res.x, &r)) { if (!bn_is_equal(&res.x, &r)) {
result = 5; result = 5;
} }
} }
MEMSET_BZERO(&pub,sizeof(pub)); MEMSET_BZERO(&pub, sizeof(pub));
MEMSET_BZERO(&res,sizeof(res)); MEMSET_BZERO(&res, sizeof(res));
MEMSET_BZERO(&r,sizeof(r)); MEMSET_BZERO(&r, sizeof(r));
MEMSET_BZERO(&s,sizeof(s)); MEMSET_BZERO(&s, sizeof(s));
MEMSET_BZERO(&z,sizeof(z)); MEMSET_BZERO(&z, sizeof(z));
// all OK // all OK
return result; return result;
} }

15
hmac.c
View File

@ -25,7 +25,7 @@
#include "hmac.h" #include "hmac.h"
#include "sha2.h" #include "sha2.h"
#include "macro_utils.h" #include "macros.h"
void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac) void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
{ {
@ -54,10 +54,9 @@ void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg,
sha256_Update(&ctx, o_key_pad, SHA256_BLOCK_LENGTH); sha256_Update(&ctx, o_key_pad, SHA256_BLOCK_LENGTH);
sha256_Update(&ctx, buf, SHA256_DIGEST_LENGTH); sha256_Update(&ctx, buf, SHA256_DIGEST_LENGTH);
sha256_Final(hmac, &ctx); sha256_Final(hmac, &ctx);
MEMSET_BZERO(buf,sizeof(buf)); MEMSET_BZERO(buf, sizeof(buf));
MEMSET_BZERO(o_key_pad,sizeof(o_key_pad)); MEMSET_BZERO(o_key_pad, sizeof(o_key_pad));
MEMSET_BZERO(i_key_pad,sizeof(i_key_pad)); MEMSET_BZERO(i_key_pad, sizeof(i_key_pad));
} }
void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac) void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@ -88,7 +87,7 @@ void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg,
sha512_Update(&ctx, buf, SHA512_DIGEST_LENGTH); sha512_Update(&ctx, buf, SHA512_DIGEST_LENGTH);
sha512_Final(hmac, &ctx); sha512_Final(hmac, &ctx);
MEMSET_BZERO(buf,sizeof(buf)); MEMSET_BZERO(buf, sizeof(buf));
MEMSET_BZERO(o_key_pad,sizeof(o_key_pad)); MEMSET_BZERO(o_key_pad, sizeof(o_key_pad));
MEMSET_BZERO(i_key_pad,sizeof(i_key_pad)); MEMSET_BZERO(i_key_pad, sizeof(i_key_pad));
} }

View File

@ -1,8 +0,0 @@
#if !defined( _MACRO_UTILS_H )
#define _MACRO_UTILS_H
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
#endif

6
macros.h Normal file
View File

@ -0,0 +1,6 @@
#ifndef __MACROS_H__
#define __MACROS_H__
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
#endif

View File

@ -24,7 +24,7 @@
#include <string.h> #include <string.h>
#include "pbkdf2.h" #include "pbkdf2.h"
#include "hmac.h" #include "hmac.h"
#include "macro_utils.h" #include "macros.h"
void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key, int keylen, void (*progress_callback)(uint32_t current, uint32_t total)) void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key, int keylen, void (*progress_callback)(uint32_t current, uint32_t total))
{ {
@ -57,8 +57,7 @@ void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, uint8_t *salt, int sal
memcpy(key + HMACLEN * (i - 1), f, HMACLEN); memcpy(key + HMACLEN * (i - 1), f, HMACLEN);
} }
} }
MEMSET_BZERO(f, sizeof(f));
MEMSET_BZERO(f,sizeof(f));
MEMSET_BZERO(g, sizeof(g)); MEMSET_BZERO(g, sizeof(g));
} }
@ -93,7 +92,6 @@ void pbkdf2_hmac_sha512(const uint8_t *pass, int passlen, uint8_t *salt, int sal
memcpy(key + HMACLEN * (i - 1), f, HMACLEN); memcpy(key + HMACLEN * (i - 1), f, HMACLEN);
} }
} }
MEMSET_BZERO(f, sizeof(f));
MEMSET_BZERO(f,sizeof(f));
MEMSET_BZERO(g, sizeof(g)); MEMSET_BZERO(g, sizeof(g));
} }

View File

@ -1220,7 +1220,7 @@ START_TEST(test_secp256k1_cp) {
point_multiply(&a, &G256k1, &p); point_multiply(&a, &G256k1, &p);
ck_assert_mem_eq(&p, &secp256k1_cp[i][j], sizeof(curve_point)); ck_assert_mem_eq(&p, &secp256k1_cp[i][j], sizeof(curve_point));
// even/odd has different behaviour; // even/odd has different behaviour;
// increment by one and test again // increment by one and test again
p1 = p; p1 = p;
point_add(&G256k1, &p1); point_add(&G256k1, &p1);