|
|
|
@ -254,129 +254,6 @@ int cryptoMessageVerify(const CoinInfo *coin, const uint8_t *message,
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ECIES disabled
|
|
|
|
|
int cryptoMessageEncrypt(curve_point *pubkey, const uint8_t *msg, size_t
|
|
|
|
|
msg_size, bool display_only, uint8_t *nonce, size_t *nonce_len, uint8_t
|
|
|
|
|
*payload, size_t *payload_len, uint8_t *hmac, size_t *hmac_len, const uint8_t
|
|
|
|
|
*privkey, const uint8_t *address_raw)
|
|
|
|
|
{
|
|
|
|
|
if (privkey && address_raw) { // signing == true
|
|
|
|
|
HDNode node = {0};
|
|
|
|
|
payload[0] = display_only ? 0x81 : 0x01;
|
|
|
|
|
uint32_t l = ser_length(msg_size, payload + 1);
|
|
|
|
|
memcpy(payload + 1 + l, msg, msg_size);
|
|
|
|
|
memcpy(payload + 1 + l + msg_size, address_raw, 21);
|
|
|
|
|
hdnode_from_xprv(0, 0, 0, privkey, privkey, SECP256K1_NAME,
|
|
|
|
|
&node); if (cryptoMessageSign(&node, msg, msg_size, payload + 1 + l + msg_size +
|
|
|
|
|
21) != 0) { return 1;
|
|
|
|
|
}
|
|
|
|
|
*payload_len = 1 + l + msg_size + 21 + 65;
|
|
|
|
|
} else {
|
|
|
|
|
payload[0] = display_only ? 0x80 : 0x00;
|
|
|
|
|
uint32_t l = ser_length(msg_size, payload + 1);
|
|
|
|
|
memcpy(payload + 1 + l, msg, msg_size);
|
|
|
|
|
*payload_len = 1 + l + msg_size;
|
|
|
|
|
}
|
|
|
|
|
// generate random nonce
|
|
|
|
|
curve_point R = {0};
|
|
|
|
|
bignum256 k = {0};
|
|
|
|
|
if (generate_k_random(&secp256k1, &k) != 0) {
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
// compute k*G
|
|
|
|
|
scalar_multiply(&secp256k1, &k, &R);
|
|
|
|
|
nonce[0] = 0x02 | (R.y.val[0] & 0x01);
|
|
|
|
|
bn_write_be(&R.x, nonce + 1);
|
|
|
|
|
*nonce_len = 33;
|
|
|
|
|
// compute shared secret
|
|
|
|
|
point_multiply(&secp256k1, &k, pubkey, &R);
|
|
|
|
|
uint8_t shared_secret[33] = {0};
|
|
|
|
|
shared_secret[0] = 0x02 | (R.y.val[0] & 0x01);
|
|
|
|
|
bn_write_be(&R.x, shared_secret + 1);
|
|
|
|
|
// generate keying bytes
|
|
|
|
|
uint8_t keying_bytes[80] = {0};
|
|
|
|
|
uint8_t salt[22 + 33] = {0};
|
|
|
|
|
memcpy(salt, "Bitcoin Secure Message", 22);
|
|
|
|
|
memcpy(salt + 22, nonce, 33);
|
|
|
|
|
pbkdf2_hmac_sha256(shared_secret, 33, salt, 22 + 33, 2048, keying_bytes,
|
|
|
|
|
80);
|
|
|
|
|
// encrypt payload
|
|
|
|
|
aes_encrypt_ctx ctx = {0};
|
|
|
|
|
aes_encrypt_key256(keying_bytes, &ctx);
|
|
|
|
|
aes_cfb_encrypt(payload, payload, *payload_len, keying_bytes + 64,
|
|
|
|
|
&ctx);
|
|
|
|
|
// compute hmac
|
|
|
|
|
uint8_t out[32] = {0};
|
|
|
|
|
hmac_sha256(keying_bytes + 32, 32, payload, *payload_len, out);
|
|
|
|
|
memcpy(hmac, out, 8);
|
|
|
|
|
*hmac_len = 8;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cryptoMessageDecrypt(curve_point *nonce, uint8_t *payload, size_t
|
|
|
|
|
payload_len, const uint8_t *hmac, size_t hmac_len, const uint8_t *privkey,
|
|
|
|
|
uint8_t *msg, size_t *msg_len, bool *display_only, bool *signing, uint8_t
|
|
|
|
|
*address_raw)
|
|
|
|
|
{
|
|
|
|
|
if (hmac_len != 8) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
// compute shared secret
|
|
|
|
|
curve_point R = {0};
|
|
|
|
|
bignum256 k = {0};
|
|
|
|
|
bn_read_be(privkey, &k);
|
|
|
|
|
point_multiply(&secp256k1, &k, nonce, &R);
|
|
|
|
|
uint8_t shared_secret[33] = {0};
|
|
|
|
|
shared_secret[0] = 0x02 | (R.y.val[0] & 0x01);
|
|
|
|
|
bn_write_be(&R.x, shared_secret + 1);
|
|
|
|
|
// generate keying bytes
|
|
|
|
|
uint8_t keying_bytes[80] = {0};
|
|
|
|
|
uint8_t salt[22 + 33] = {0};
|
|
|
|
|
memcpy(salt, "Bitcoin Secure Message", 22);
|
|
|
|
|
salt[22] = 0x02 | (nonce->y.val[0] & 0x01);
|
|
|
|
|
bn_write_be(&(nonce->x), salt + 23);
|
|
|
|
|
pbkdf2_hmac_sha256(shared_secret, 33, salt, 22 + 33, 2048, keying_bytes,
|
|
|
|
|
80);
|
|
|
|
|
// compute hmac
|
|
|
|
|
uint8_t out[32] = {0};
|
|
|
|
|
hmac_sha256(keying_bytes + 32, 32, payload, payload_len, out);
|
|
|
|
|
if (memcmp(hmac, out, 8) != 0) {
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
// decrypt payload
|
|
|
|
|
aes_encrypt_ctx ctx = {0};
|
|
|
|
|
aes_encrypt_key256(keying_bytes, &ctx);
|
|
|
|
|
aes_cfb_decrypt(payload, payload, payload_len, keying_bytes + 64, &ctx);
|
|
|
|
|
// check first byte
|
|
|
|
|
if (payload[0] != 0x00 && payload[0] != 0x01 && payload[0] != 0x80 &&
|
|
|
|
|
payload[0] != 0x81) { return 3;
|
|
|
|
|
}
|
|
|
|
|
*signing = payload[0] & 0x01;
|
|
|
|
|
*display_only = payload[0] & 0x80;
|
|
|
|
|
uint32_t l = 0; uint32_t o = 0;
|
|
|
|
|
l = deser_length(payload + 1, &o);
|
|
|
|
|
if (*signing) {
|
|
|
|
|
// FIXME: assumes a raw address is 21 bytes (also below).
|
|
|
|
|
if (1 + l + o + 21 + 65 != payload_len) {
|
|
|
|
|
return 4;
|
|
|
|
|
}
|
|
|
|
|
// FIXME: cryptoMessageVerify changed to take the address_type
|
|
|
|
|
as a parameter. if (cryptoMessageVerify(payload + 1 + l, o, payload + 1 + l + o,
|
|
|
|
|
payload + 1 + l + o + 21) != 0) { return 5;
|
|
|
|
|
}
|
|
|
|
|
memcpy(address_raw, payload + 1 + l + o, 21);
|
|
|
|
|
} else {
|
|
|
|
|
if (1 + l + o != payload_len) {
|
|
|
|
|
return 4;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
memcpy(msg, payload + 1 + l, o);
|
|
|
|
|
*msg_len = o;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
const HDNode *cryptoMultisigPubkey(const CoinInfo *coin,
|
|
|
|
|
const MultisigRedeemScriptType *multisig,
|
|
|
|
|
uint32_t index) {
|
|
|
|
|