adapt to new aes api

firmware/Makefile

@@ -22,15 +22,19 @@ OBJS += debug.o
 OBJS += ../trezor-crypto/bignum.o
 OBJS += ../trezor-crypto/ecdsa.o
 OBJS += ../trezor-crypto/secp256k1.o
-OBJS += ../trezor-crypto/sha2.o
 OBJS += ../trezor-crypto/hmac.o
 OBJS += ../trezor-crypto/bip32.o
-OBJS += ../trezor-crypto/ripemd160.o
 OBJS += ../trezor-crypto/bip39.o
 OBJS += ../trezor-crypto/pbkdf2.o
+OBJS += ../trezor-crypto/base58.o
+
+OBJS += ../trezor-crypto/ripemd160.o
+OBJS += ../trezor-crypto/sha2.o
+
 OBJS += ../trezor-crypto/aescrypt.o
 OBJS += ../trezor-crypto/aeskey.o
 OBJS += ../trezor-crypto/aestab.o
+OBJS += ../trezor-crypto/aes_modes.o
 
 OBJS += protob/pb_decode.o
 OBJS += protob/pb_encode.o
@@ -41,6 +45,7 @@ OBJS += protob/types.pb.o
 include ../Makefile.include
 
 # CFLAGS += -fstack-protector -fstack-protector-all
+CFLAGS += -Wno-sequence-point
 CFLAGS += -Iprotob -DPB_FIELD_16BIT=1
 CFLAGS += -DDEBUG_LINK=0
 CFLAGS += -DDEBUG_LOG=0

firmware/fsm.c

@@ -38,6 +38,8 @@
 #include "usb.h"
 #include "util.h"
 #include "signing.h"
+#include "aes.h"
+#include "hmac.h"
 
 // message methods
 
@@ -360,6 +362,63 @@ void fsm_msgTxAck(TxAck *msg)
 	}
 }
 
+void fsm_msgCipherKeyValue(CipherKeyValue *msg)
+{
+	if (!msg->has_key) {
+		fsm_sendFailure(FailureType_Failure_SyntaxError, "No key provided");
+		return;
+	}
+	if (!msg->has_value) {
+		fsm_sendFailure(FailureType_Failure_SyntaxError, "No value provided");
+		return;
+	}
+	if (msg->value.size % 16) {
+		fsm_sendFailure(FailureType_Failure_SyntaxError, "Value length must be a multiple of 16");
+		return;
+	}
+	if (!protectPin(true)) {
+		layoutHome();
+		return;
+	}
+	HDNode *node = fsm_getRootNode();
+	if (!node) return;
+	fsm_deriveKey(node, msg->address_n, msg->address_n_count);
+
+	bool encrypt = msg->has_encrypt && msg->encrypt;
+	bool ask_on_encrypt = msg->has_ask_on_encrypt && msg->ask_on_encrypt;
+	bool ask_on_decrypt = msg->has_ask_on_decrypt && msg->ask_on_decrypt;
+	if ((encrypt && ask_on_encrypt) || (!encrypt && ask_on_decrypt)) {
+		layoutCipherKeyValue(encrypt, msg->key);
+		if (!protectButton(ButtonRequestType_ButtonRequest_Other, false)) {
+			fsm_sendFailure(FailureType_Failure_ActionCancelled, "CipherKeyValue cancelled");
+			layoutHome();
+			return;
+		}
+	}
+
+	uint8_t data[256 + 4];
+	strlcpy((char *)data, msg->key, sizeof(data));
+	strlcat((char *)data, ask_on_encrypt ? "E1" : "E0", sizeof(data));
+	strlcat((char *)data, ask_on_decrypt ? "D1" : "D0", sizeof(data));
+
+	hmac_sha512(node->private_key, 32, data, strlen((char *)data), data);
+
+	RESP_INIT(Success);
+	if (encrypt) {
+		aes_encrypt_ctx ctx;
+		aes_encrypt_key256(data, &ctx);
+		aes_cbc_encrypt(msg->value.bytes, resp->payload.bytes, msg->value.size, data + 32, &ctx);
+	} else {
+		aes_decrypt_ctx ctx;
+		aes_decrypt_key256(data, &ctx);
+		aes_cbc_decrypt(msg->value.bytes, resp->payload.bytes, msg->value.size, data + 32, &ctx);
+	}
+	resp->has_payload = true;
+	resp->payload.size = msg->value.size;
+	msg_write(MessageType_MessageType_Success, resp);
+	layoutHome();
+}
+
 void fsm_msgApplySettings(ApplySettings *msg)
 {
 	if (msg->has_label && msg->has_language) {

firmware/fsm.h

@@ -41,6 +41,7 @@ void fsm_msgSignTx(SignTx *msg);
 //void fsm_msgPinMatrixAck(PinMatrixAck *msg);
 void fsm_msgCancel(Cancel *msg);
 void fsm_msgTxAck(TxAck *msg);
+void fsm_msgCipherKeyValue(CipherKeyValue *msg);
 void fsm_msgApplySettings(ApplySettings *msg);
 //void fsm_msgButtonAck(ButtonAck *msg);
 void fsm_msgGetAddress(GetAddress *msg);

firmware/layout2.c

@@ -231,3 +231,23 @@ void layoutVerifyMessage(const uint8_t *msg, uint32_t len)
 		ascii ? "Message contents:" : "Bin message contents:",
 		str[0], str[1], str[2], str[3], NULL);
 }
+
+void layoutCipherKeyValue(bool encrypt, const char *key)
+{
+	int len = strlen(key);
+	char str[4][17];
+	memset(str, 0, sizeof(str));
+	strlcpy(str[0], (char *)key, 17);
+	if (len > 16) {
+		strlcpy(str[1], (char *)key + 16, 17);
+	}
+	if (len > 32) {
+		strlcpy(str[2], (char *)key + 32, 17);
+	}
+	if (len > 48) {
+		strlcpy(str[3], (char *)key + 48, 17);
+	}
+	layoutDialogSwipe(DIALOG_ICON_QUESTION, "Cancel", "Confirm", NULL,
+		encrypt ? "Encrypt?" : "Decrypt?",
+		str[0], str[1], str[2], str[3], NULL);
+}

firmware/layout2.h

@@ -32,5 +32,6 @@ void layoutConfirmTx(const CoinType *coin, uint64_t amount_out, uint64_t amount_
 void layoutFeeOverThreshold(const CoinType *coin, uint64_t fee, uint32_t kb);
 void layoutSignMessage(const uint8_t *msg, uint32_t len);
 void layoutVerifyMessage(const uint8_t *msg, uint32_t len);
+void layoutCipherKeyValue(bool encrypt, const char *key);
 
 #endif

firmware/messages.c

@@ -53,6 +53,7 @@ static const struct MessagesMap_t MessagesMap[] = {
 //	{'n', 'i', MessageType_MessageType_PinMatrixAck,		PinMatrixAck_fields,		(void (*)(void *))fsm_msgPinMatrixAck},
 	{'n', 'i', MessageType_MessageType_Cancel,				Cancel_fields,				(void (*)(void *))fsm_msgCancel},
 	{'n', 'i', MessageType_MessageType_TxAck,				TxAck_fields,				(void (*)(void *))fsm_msgTxAck},
+	{'n', 'i', MessageType_MessageType_CipherKeyValue,		CipherKeyValue_fields,		(void (*)(void *))fsm_msgCipherKeyValue},
 	{'n', 'i', MessageType_MessageType_ApplySettings,		ApplySettings_fields,		(void (*)(void *))fsm_msgApplySettings},
 //	{'n', 'i', MessageType_MessageType_ButtonAck,			ButtonAck_fields,			(void (*)(void *))fsm_msgButtonAck},
 	{'n', 'i', MessageType_MessageType_GetAddress,			GetAddress_fields,			(void (*)(void *))fsm_msgGetAddress},

firmware/storage.c

@@ -26,7 +26,9 @@
 #include "storage.pb.h"
 
 #include "trezor.h"
+#include "sha2.h"
 #include "aes.h"
+#include "pbkdf2.h"
 #include "bip32.h"
 #include "bip39.h"
 #include "util.h"
@@ -217,12 +219,13 @@ bool storage_getRootNode(HDNode *node)
 		hdnode_from_xprv(storage.node.depth, storage.node.fingerprint, storage.node.child_num, storage.node.chain_code.bytes, storage.node.private_key.bytes, &sessionRootNode);
 		if (storage.has_passphrase_protection && storage.passphrase_protection) {
 			// decrypt hd node
-			aes_ctx ctx;
+			uint8_t secret[64];
-			aes_enc_key((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), &ctx);
+			layoutProgressSwipe("Waking up", 0, 0);
-			aes_enc_blk(sessionRootNode.chain_code, sessionRootNode.chain_code, &ctx);
+			pbkdf2((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), (uint8_t *)"TREZORHD", 8, BIP39_PBKDF2_ROUNDS, secret, 64, get_root_node_callback);
-			aes_enc_blk(sessionRootNode.chain_code + 16, sessionRootNode.chain_code + 16, &ctx);
+			aes_decrypt_ctx ctx;
-			aes_enc_blk(sessionRootNode.private_key, sessionRootNode.private_key, &ctx);
+			aes_decrypt_key256(secret, &ctx);
-			aes_enc_blk(sessionRootNode.private_key + 16, sessionRootNode.private_key + 16, &ctx);
+			aes_cbc_decrypt(sessionRootNode.chain_code, sessionRootNode.chain_code, 32, secret + 32, &ctx);
+			aes_cbc_decrypt(sessionRootNode.private_key, sessionRootNode.private_key, 32, secret + 32, &ctx);
 		}
 		memcpy(node, &sessionRootNode, sizeof(HDNode));
 		sessionRootNodeCached = true;

trezor-crypto

@@ -1 +1 @@
-Subproject commit 44116b8a7405299be5de8353e9e624538b4dac92
+Subproject commit e588906f811e826c596e631d4dd2500fc38fea60