Reworked rfc6979 signing. (#116)

New parameter is_canonical that allows for generating signatures that have additional requirements.
8 years ago · a0ade6343e
parent d7ff70caf6
commit a0ade6343e
4 changed files with 16 additions and 9 deletions
--- a/firmware/crypto.c
+++ b/firmware/crypto.c
@ -88,7 +88,7 @@ uint32_t deser_length(const uint8_t *in, uint32_t *out)
 int sshMessageSign(HDNode *node, const uint8_t *message, size_t message_len, uint8_t *signature)
 {
 	signature[0] = 0; // prefix: pad with zero, so all signatures are 65 bytes
-	return hdnode_sign(node, message, message_len, signature + 1, NULL);
+	return hdnode_sign(node, message, message_len, signature + 1, NULL, NULL);
 }

 int gpgMessageSign(HDNode *node, const uint8_t *message, size_t message_len, uint8_t *signature)
@ -98,7 +98,7 @@ int gpgMessageSign(HDNode *node, const uint8_t *message, size_t message_len, uin
 		return 1;
 	}
 	signature[0] = 0; // prefix: pad with zero, so all signatures are 65 bytes
-	return hdnode_sign_digest(node, message, signature + 1, NULL);
+	return hdnode_sign_digest(node, message, signature + 1, NULL, NULL);
 }

 int cryptoGetECDHSessionKey(const HDNode *node, const uint8_t *peer_public_key, uint8_t *session_key)
@ -133,7 +133,7 @@ int cryptoMessageSign(const CoinType *coin, HDNode *node, const uint8_t *message
 	sha256_Final(&ctx, hash);
 	sha256_Raw(hash, 32, hash);
 	uint8_t pby;
-	int result = hdnode_sign_digest(node, hash, signature + 1, &pby);
+	int result = hdnode_sign_digest(node, hash, signature + 1, &pby, NULL);
 	if (result == 0) {
 		signature[0] = 27 + pby + 4;
 	}
--- a/firmware/ethereum.c
+++ b/firmware/ethereum.c
@ -34,7 +34,7 @@
 static bool ethereum_signing = false;
 static uint32_t data_total, data_left;
 static EthereumTxRequest resp;
-static uint8_t hash[32], sig[64], privkey[32];
+static uint8_t privkey[32];
 struct SHA3_CTX keccak_ctx;

 static inline void hash_data(const uint8_t *buf, size_t size)
@ -139,12 +139,19 @@ static void send_request_chunk(void)
 	msg_write(MessageType_MessageType_EthereumTxRequest, &resp);
 }

+static int ethereum_is_canonic(uint8_t v, uint8_t signature[64])
+{
+	(void) signature;
+	return (v & 2) == 0;
+}
+
 static void send_signature(void)
 {
+	uint8_t hash[32], sig[64];
+	uint8_t v;
 	layoutProgress("Signing", 1000);
 	keccak_Final(&keccak_ctx, hash);
-	uint8_t v;
-	if (ecdsa_sign_digest(&secp256k1, privkey, hash, sig, &v) != 0) {
+	if (ecdsa_sign_digest(&secp256k1, privkey, hash, sig, &v, ethereum_is_canonic) != 0) {
 		fsm_sendFailure(FailureType_Failure_Other, "Signing failed");
 		ethereum_signing_abort();
 		return;
--- a/firmware/signing.c
+++ b/firmware/signing.c
@ -540,7 +540,7 @@ void signing_txack(TransactionType *tx)
 				resp.serialized.signature_index = idx1;
 				resp.serialized.has_signature = true;
 				resp.serialized.has_serialized_tx = true;
-				ecdsa_sign_digest(&secp256k1, privkey, hash, sig, 0);
+				ecdsa_sign_digest(&secp256k1, privkey, hash, sig, NULL, NULL);
 				resp.serialized.signature.size = ecdsa_sig_to_der(sig, resp.serialized.signature.bytes);
 				if (input.script_type == InputScriptType_SPENDMULTISIG) {
 					if (!input.has_multisig) {
--- a/firmware/u2f.c
+++ b/firmware/u2f.c
@ -617,7 +617,7 @@ void u2f_register(const APDU *a)
 		memcpy(sig_base.keyHandle, &resp->keyHandleCertSig, KEY_HANDLE_LEN);
 		memcpy(sig_base.pubKey, &resp->pubKey, U2F_PUBKEY_LEN);
 		ecdsa_sign(&nist256p1, U2F_ATT_PRIV_KEY, (uint8_t *)&sig_base,
-			   sizeof(sig_base), sig, NULL);
+			   sizeof(sig_base), sig, NULL, NULL);

 		// Where to write the signature in the response
 		uint8_t *resp_sig = resp->keyHandleCertSig +
@ -738,7 +738,7 @@ void u2f_authenticate(const APDU *a)
 		memcpy(sig_base.chal, req->chal, U2F_CHAL_SIZE);
 		ecdsa_sign(&nist256p1, node->private_key,
 			   (uint8_t *)&sig_base, sizeof(sig_base), sig,
-			   NULL);
+			   NULL, NULL);

 		// Copy DER encoded signature into response
 		const uint8_t sig_len = ecdsa_sig_to_der(sig, resp->sig);