1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-28 18:38:39 +00:00

fix(crypto): Remove public key from the ed25519 signing API.

[no changelog]
This commit is contained in:
Andrew Kozlik 2022-06-23 18:00:31 +02:00 committed by Andrew Kozlik
parent 95daa2fda3
commit 892f3e348d
13 changed files with 41 additions and 48 deletions

View File

@ -77,7 +77,6 @@ STATIC mp_obj_t mod_trezorcrypto_ed25519_sign(size_t n_args,
if (msg.len == 0) { if (msg.len == 0) {
mp_raise_ValueError("Empty data to sign"); mp_raise_ValueError("Empty data to sign");
} }
ed25519_public_key pk = {0};
mp_buffer_info_t hash_func = {0}; mp_buffer_info_t hash_func = {0};
vstr_t sig = {0}; vstr_t sig = {0};
vstr_init_len(&sig, sizeof(ed25519_signature)); vstr_init_len(&sig, sizeof(ed25519_signature));
@ -86,16 +85,14 @@ STATIC mp_obj_t mod_trezorcrypto_ed25519_sign(size_t n_args,
mp_get_buffer_raise(args[2], &hash_func, MP_BUFFER_READ); mp_get_buffer_raise(args[2], &hash_func, MP_BUFFER_READ);
// if hash_func == 'keccak': // if hash_func == 'keccak':
if (memcmp(hash_func.buf, "keccak", sizeof("keccak")) == 0) { if (memcmp(hash_func.buf, "keccak", sizeof("keccak")) == 0) {
ed25519_publickey_keccak(*(const ed25519_secret_key *)sk.buf, pk);
ed25519_sign_keccak(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf, ed25519_sign_keccak(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf,
pk, *(ed25519_signature *)sig.buf); *(ed25519_signature *)sig.buf);
} else { } else {
vstr_clear(&sig); vstr_clear(&sig);
mp_raise_ValueError("Unknown hash function"); mp_raise_ValueError("Unknown hash function");
} }
} else { } else {
ed25519_publickey(*(const ed25519_secret_key *)sk.buf, pk); ed25519_sign(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf,
ed25519_sign(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf, pk,
*(ed25519_signature *)sig.buf); *(ed25519_signature *)sig.buf);
} }
@ -128,14 +125,10 @@ STATIC mp_obj_t mod_trezorcrypto_ed25519_sign_ext(mp_obj_t secret_key,
if (msg.len == 0) { if (msg.len == 0) {
mp_raise_ValueError("Empty data to sign"); mp_raise_ValueError("Empty data to sign");
} }
ed25519_public_key pk = {0};
ed25519_publickey_ext(*(const ed25519_secret_key *)sk.buf,
*(const ed25519_secret_key *)skext.buf, pk);
vstr_t sig = {0}; vstr_t sig = {0};
vstr_init_len(&sig, sizeof(ed25519_signature)); vstr_init_len(&sig, sizeof(ed25519_signature));
ed25519_sign_ext(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf, ed25519_sign_ext(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf,
*(const ed25519_secret_key *)skext.buf, pk, *(const ed25519_secret_key *)skext.buf,
*(ed25519_signature *)sig.buf); *(ed25519_signature *)sig.buf);
return mp_obj_new_str_from_vstr(&mp_type_bytes, &sig); return mp_obj_new_str_from_vstr(&mp_type_bytes, &sig);
} }

View File

@ -646,23 +646,12 @@ int hdnode_sign(HDNode *node, const uint8_t *msg, uint32_t msg_len,
return 1; // signatures are not supported return 1; // signatures are not supported
} else { } else {
if (node->curve == &ed25519_info) { if (node->curve == &ed25519_info) {
if (hdnode_fill_public_key(node) != 0) { ed25519_sign(msg, msg_len, node->private_key, sig);
return 1;
}
ed25519_sign(msg, msg_len, node->private_key, node->public_key + 1, sig);
} else if (node->curve == &ed25519_sha3_info) { } else if (node->curve == &ed25519_sha3_info) {
if (hdnode_fill_public_key(node) != 0) { ed25519_sign_sha3(msg, msg_len, node->private_key, sig);
return 1;
}
ed25519_sign_sha3(msg, msg_len, node->private_key, node->public_key + 1,
sig);
#if USE_KECCAK #if USE_KECCAK
} else if (node->curve == &ed25519_keccak_info) { } else if (node->curve == &ed25519_keccak_info) {
if (hdnode_fill_public_key(node) != 0) { ed25519_sign_keccak(msg, msg_len, node->private_key, sig);
return 1;
}
ed25519_sign_keccak(msg, msg_len, node->private_key, node->public_key + 1,
sig);
#endif #endif
} else { } else {
return 1; // unknown or unsupported curve return 1; // unknown or unsupported curve

View File

@ -127,7 +127,7 @@ To generate a public key:
To sign a message: To sign a message:
ed25519_signature sig; ed25519_signature sig;
ed25519_sign(message, message_len, sk, pk, signature); ed25519_sign(message, message_len, sk, signature);
To verify a signature: To verify a signature:

View File

@ -10,7 +10,7 @@ extern "C" {
void ed25519_publickey_keccak(const ed25519_secret_key sk, ed25519_public_key pk); void ed25519_publickey_keccak(const ed25519_secret_key sk, ed25519_public_key pk);
int ed25519_sign_open_keccak(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS); int ed25519_sign_open_keccak(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS);
void ed25519_sign_keccak(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS); void ed25519_sign_keccak(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, ed25519_signature RS);
int ed25519_scalarmult_keccak(ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk); int ed25519_scalarmult_keccak(ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk);

View File

@ -10,7 +10,7 @@ extern "C" {
void ed25519_publickey_sha3(const ed25519_secret_key sk, ed25519_public_key pk); void ed25519_publickey_sha3(const ed25519_secret_key sk, ed25519_public_key pk);
int ed25519_sign_open_sha3(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS); int ed25519_sign_open_sha3(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS);
void ed25519_sign_sha3(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS); void ed25519_sign_sha3(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, ed25519_signature RS);
int ed25519_scalarmult_sha3(ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk); int ed25519_scalarmult_sha3(ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk);

View File

@ -107,10 +107,12 @@ ED25519_FN(ed25519_cosi_sign) (const unsigned char *m, size_t mlen, const ed2551
} }
void void
ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) { ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, ed25519_signature RS) {
ed25519_hash_context ctx; ed25519_hash_context ctx;
bignum256modm r = {0}, S = {0}, a = {0}; bignum256modm r = {0}, S = {0}, a = {0};
ge25519 ALIGN(16) R = {0}; ge25519 ALIGN(16) R = {0};
ge25519 ALIGN(16) A = {0};
ed25519_public_key pk = {0};
hash_512bits extsk = {0}, hashr = {0}, hram = {0}; hash_512bits extsk = {0}, hashr = {0}, hram = {0};
ed25519_extsk(extsk, sk); ed25519_extsk(extsk, sk);
@ -128,13 +130,19 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r); ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
ge25519_pack(RS, &R); ge25519_pack(RS, &R);
/* a = aExt[0..31] */
expand256_modm(a, extsk, 32);
memzero(&extsk, sizeof(extsk));
/* A = aB */
ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
ge25519_pack(pk, &A);
/* S = H(R,A,m).. */ /* S = H(R,A,m).. */
ed25519_hram(hram, RS, pk, m, mlen); ed25519_hram(hram, RS, pk, m, mlen);
expand256_modm(S, hram, 64); expand256_modm(S, hram, 64);
/* S = H(R,A,m)a */ /* S = H(R,A,m)a */
expand256_modm(a, extsk, 32);
memzero(&extsk, sizeof(extsk));
mul256_modm(S, S, a); mul256_modm(S, S, a);
memzero(&a, sizeof(a)); memzero(&a, sizeof(a));
@ -148,10 +156,12 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
#if USE_CARDANO #if USE_CARDANO
void void
ED25519_FN(ed25519_sign_ext) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_secret_key skext, const ed25519_public_key pk, ed25519_signature RS) { ED25519_FN(ed25519_sign_ext) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_secret_key skext, ed25519_signature RS) {
ed25519_hash_context ctx; ed25519_hash_context ctx;
bignum256modm r = {0}, S = {0}, a = {0}; bignum256modm r = {0}, S = {0}, a = {0};
ge25519 ALIGN(16) R = {0}; ge25519 ALIGN(16) R = {0};
ge25519 ALIGN(16) A = {0};
ed25519_public_key pk = {0};
hash_512bits extsk = {0}, hashr = {0}, hram = {0}; hash_512bits extsk = {0}, hashr = {0}, hram = {0};
/* we don't stretch the key through hashing first since its already 64 bytes */ /* we don't stretch the key through hashing first since its already 64 bytes */
@ -172,13 +182,19 @@ ED25519_FN(ed25519_sign_ext) (const unsigned char *m, size_t mlen, const ed25519
ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r); ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
ge25519_pack(RS, &R); ge25519_pack(RS, &R);
/* a = aExt[0..31] */
expand256_modm(a, extsk, 32);
memzero(&extsk, sizeof(extsk));
/* A = aB */
ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
ge25519_pack(pk, &A);
/* S = H(R,A,m).. */ /* S = H(R,A,m).. */
ed25519_hram(hram, RS, pk, m, mlen); ed25519_hram(hram, RS, pk, m, mlen);
expand256_modm(S, hram, 64); expand256_modm(S, hram, 64);
/* S = H(R,A,m)a */ /* S = H(R,A,m)a */
expand256_modm(a, extsk, 32);
memzero(&extsk, sizeof(extsk));
mul256_modm(S, S, a); mul256_modm(S, S, a);
memzero(&a, sizeof(a)); memzero(&a, sizeof(a));

View File

@ -21,9 +21,9 @@ void ed25519_publickey_ext(const ed25519_secret_key sk, const ed25519_secret_key
#endif #endif
int ed25519_sign_open(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS); int ed25519_sign_open(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS);
void ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS); void ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, ed25519_signature RS);
#if USE_CARDANO #if USE_CARDANO
void ed25519_sign_ext(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_secret_key skext, const ed25519_public_key pk, ed25519_signature RS); void ed25519_sign_ext(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_secret_key skext, ed25519_signature RS);
#endif #endif
int ed25519_scalarmult(ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk); int ed25519_scalarmult(ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk);

View File

@ -922,7 +922,7 @@ int fuzz_ed25519_sign_verify(void) {
ed25519_publickey(secret_key, public_key); ed25519_publickey(secret_key, public_key);
// sign message, this should always succeed // sign message, this should always succeed
ed25519_sign(message, sizeof(message), secret_key, public_key, signature); ed25519_sign(message, sizeof(message), secret_key, signature);
// verify message, we expect this to work // verify message, we expect this to work
ret = ed25519_sign_open(message, sizeof(message), public_key, signature); ret = ed25519_sign_open(message, sizeof(message), public_key, signature);

View File

@ -205,8 +205,7 @@ size_t nem_transaction_end(nem_transaction_ctx *ctx,
const ed25519_secret_key private_key, const ed25519_secret_key private_key,
ed25519_signature signature) { ed25519_signature signature) {
if (private_key != NULL && signature != NULL) { if (private_key != NULL && signature != NULL) {
ed25519_sign_keccak(ctx->buffer, ctx->offset, private_key, ctx->public_key, ed25519_sign_keccak(ctx->buffer, ctx->offset, private_key, signature);
signature);
} }
return ctx->offset; return ctx->offset;

View File

@ -6595,7 +6595,7 @@ START_TEST(test_ed25519) {
UNMARK_SECRET_DATA(pk, sizeof(pk)); UNMARK_SECRET_DATA(pk, sizeof(pk));
ck_assert_mem_eq(pk, fromhex(*spk), 32); ck_assert_mem_eq(pk, fromhex(*spk), 32);
ed25519_sign(pk, 32, sk, pk, sig); ed25519_sign(pk, 32, sk, sig);
UNMARK_SECRET_DATA(sig, sizeof(sig)); UNMARK_SECRET_DATA(sig, sizeof(sig));
ck_assert_mem_eq(sig, fromhex(*ssig), 64); ck_assert_mem_eq(sig, fromhex(*ssig), 64);
@ -6813,7 +6813,7 @@ START_TEST(test_ed25519_keccak) {
ck_assert_mem_eq(public_key, fromhex(tests[i].public_key), 32); ck_assert_mem_eq(public_key, fromhex(tests[i].public_key), 32);
ed25519_sign_keccak(fromhex(tests[i].data), tests[i].length, private_key, ed25519_sign_keccak(fromhex(tests[i].data), tests[i].length, private_key,
public_key, signature); signature);
UNMARK_SECRET_DATA(signature, sizeof(signature)); UNMARK_SECRET_DATA(signature, sizeof(signature));
ck_assert_mem_eq(signature, fromhex(tests[i].signature), 64); ck_assert_mem_eq(signature, fromhex(tests[i].signature), 64);

View File

@ -95,8 +95,7 @@ START_TEST(test_ed25519_cardano_sign_vectors) {
ck_assert_mem_eq(public_key, fromhex(*(test_data + 2)), 32); ck_assert_mem_eq(public_key, fromhex(*(test_data + 2)), 32);
const uint8_t *message = (const uint8_t *)"Hello World"; const uint8_t *message = (const uint8_t *)"Hello World";
ed25519_sign_ext(message, 11, secret_key, secret_key_extension, public_key, ed25519_sign_ext(message, 11, secret_key, secret_key_extension, signature);
signature);
UNMARK_SECRET_DATA(signature, sizeof(signature)); UNMARK_SECRET_DATA(signature, sizeof(signature));
ck_assert_mem_eq(signature, fromhex(*(test_data + 3)), 64); ck_assert_mem_eq(signature, fromhex(*(test_data + 3)), 64);

View File

@ -50,7 +50,6 @@ void bench_sign_nist256p1(int iterations) {
} }
void bench_sign_ed25519(int iterations) { void bench_sign_ed25519(int iterations) {
ed25519_public_key pk;
ed25519_secret_key sk; ed25519_secret_key sk;
ed25519_signature sig; ed25519_signature sig;
@ -58,10 +57,9 @@ void bench_sign_ed25519(int iterations) {
"\xc5\x5e\xce\x85\x8b\x0d\xdd\x52\x63\xf9\x68\x10\xfe\x14\x43\x7c\xd3" "\xc5\x5e\xce\x85\x8b\x0d\xdd\x52\x63\xf9\x68\x10\xfe\x14\x43\x7c\xd3"
"\xb5\xe1\xfb\xd7\xc6\xa2\xec\x1e\x03\x1f\x05\xe8\x6d\x8b\xd5", "\xb5\xe1\xfb\xd7\xc6\xa2\xec\x1e\x03\x1f\x05\xe8\x6d\x8b\xd5",
32); 32);
ed25519_publickey(sk, pk);
for (int i = 0; i < iterations; i++) { for (int i = 0; i < iterations; i++) {
ed25519_sign(msg, sizeof(msg), sk, pk, sig); ed25519_sign(msg, sizeof(msg), sk, sig);
} }
} }
@ -143,7 +141,7 @@ void bench_verify_ed25519(int iterations) {
"\xb5\xe1\xfb\xd7\xc6\xa2\xec\x1e\x03\x1f\x05\xe8\x6d\x8b\xd5", "\xb5\xe1\xfb\xd7\xc6\xa2\xec\x1e\x03\x1f\x05\xe8\x6d\x8b\xd5",
32); 32);
ed25519_publickey(sk, pk); ed25519_publickey(sk, pk);
ed25519_sign(msg, sizeof(msg), sk, pk, sig); ed25519_sign(msg, sizeof(msg), sk, sig);
for (int i = 0; i < iterations; i++) { for (int i = 0; i < iterations; i++) {
ed25519_sign_open(msg, sizeof(msg), pk, sig); ed25519_sign_open(msg, sizeof(msg), pk, sig);

View File

@ -1368,8 +1368,7 @@ void stellar_getSignatureForActiveTx(uint8_t *out_signature) {
sha256_Final(&(stellar_activeTx.sha256_ctx), to_sign); sha256_Final(&(stellar_activeTx.sha256_ctx), to_sign);
uint8_t signature[64] = {0}; uint8_t signature[64] = {0};
ed25519_sign(to_sign, sizeof(to_sign), node->private_key, ed25519_sign(to_sign, sizeof(to_sign), node->private_key, signature);
node->public_key + 1, signature);
memcpy(out_signature, signature, sizeof(signature)); memcpy(out_signature, signature, sizeof(signature));
} }