1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-24 15:28:10 +00:00

introduce and use memzero instead of explicit_bzero

This commit is contained in:
Pavol Rusnak 2018-01-18 15:18:09 +01:00
parent b7f73ee3ff
commit bb4c3d0525
No known key found for this signature in database
GPG Key ID: 91F3B339B9A02A3D
17 changed files with 146 additions and 117 deletions

View File

@ -50,6 +50,7 @@ SRCS += chacha20poly1305/chacha20poly1305.c chacha20poly1305/chacha_merged.c ch
SRCS += rc4.c
SRCS += nem.c
SRCS += segwit_addr.c
SRCS += memzero.c
OBJS = $(SRCS:.c=.o)

View File

@ -27,6 +27,7 @@
#include "base58.h"
#include "sha2.h"
#include "ripemd160.h"
#include "memzero.h"
static const int8_t b58digits_map[] = {
-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
@ -199,7 +200,7 @@ int base58_encode_check(const uint8_t *data, int datalen, HasherType hasher_type
hasher_Raw(hasher_type, hash, 32, hash);
size_t res = strsize;
bool success = b58enc(str, &res, buf, datalen + 4);
explicit_bzero(buf, sizeof(buf));
memzero(buf, sizeof(buf));
return success ? res : 0;
}
@ -253,7 +254,7 @@ int base58gph_encode_check(const uint8_t *data, int datalen, char *str, int strs
ripemd160(data, datalen, hash); // No double SHA256, but a single RIPEMD160
size_t res = strsize;
bool success = b58enc(str, &res, buf, datalen + 4);
explicit_bzero(buf, sizeof(buf));
memzero(buf, sizeof(buf));
return success ? res : 0;
}

View File

@ -27,6 +27,7 @@
#include <string.h>
#include <assert.h>
#include "bignum.h"
#include "memzero.h"
/* big number library */
@ -489,7 +490,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime)
uint32_t res[18] = {0};
bn_multiply_long(k, x, res);
bn_multiply_reduce(x, res, prime);
explicit_bzero(res, sizeof(res));
memzero(res, sizeof(res));
}
// partly reduce x modulo prime
@ -551,8 +552,8 @@ void bn_sqrt(bignum256 *x, const bignum256 *prime)
}
bn_mod(&res, prime);
memcpy(x, &res, sizeof(bignum256));
explicit_bzero(&res, sizeof(res));
explicit_bzero(&p, sizeof(p));
memzero(&res, sizeof(res));
memzero(&p, sizeof(p));
}
#if ! USE_INVERSE_FAST
@ -860,9 +861,9 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
x->val[i] = temp32;
// let's wipe all temp buffers
explicit_bzero(pp, sizeof(pp));
explicit_bzero(&us, sizeof(us));
explicit_bzero(&vr, sizeof(vr));
memzero(pp, sizeof(pp));
memzero(&us, sizeof(us));
memzero(&vr, sizeof(vr));
}
#endif

49
bip32.c
View File

@ -46,6 +46,7 @@
#if USE_NEM
#include "nem.h"
#endif
#include "memzero.h"
const curve_info ed25519_info = {
.bip32_name = "ed25519 seed",
@ -86,7 +87,7 @@ int hdnode_from_xpub(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
out->depth = depth;
out->child_num = child_num;
memcpy(out->chain_code, chain_code, 32);
explicit_bzero(out->private_key, 32);
memzero(out->private_key, 32);
memcpy(out->public_key, public_key, 33);
return 1;
}
@ -107,7 +108,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
failed = true;
}
}
explicit_bzero(&a, sizeof(a));
memzero(&a, sizeof(a));
}
if (failed) {
@ -119,7 +120,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
out->child_num = child_num;
memcpy(out->chain_code, chain_code, 32);
memcpy(out->private_key, private_key, 32);
explicit_bzero(out->public_key, sizeof(out->public_key));
memzero(out->public_key, sizeof(out->public_key));
return 1;
}
@ -150,12 +151,12 @@ int hdnode_from_seed(const uint8_t *seed, int seed_len, const char* curve, HDNod
hmac_sha512_Update(&ctx, I, sizeof(I));
hmac_sha512_Final(&ctx, I);
}
explicit_bzero(&a, sizeof(a));
memzero(&a, sizeof(a));
}
memcpy(out->private_key, I, 32);
memcpy(out->chain_code, I + 32, 32);
explicit_bzero(out->public_key, sizeof(out->public_key));
explicit_bzero(I, sizeof(I));
memzero(out->public_key, sizeof(out->public_key));
memzero(I, sizeof(I));
return 1;
}
@ -168,7 +169,7 @@ uint32_t hdnode_fingerprint(HDNode *node)
hasher_Raw(node->curve->hasher_type, node->public_key, 33, digest);
ripemd160(digest, 32, digest);
fingerprint = (digest[0] << 24) + (digest[1] << 16) + (digest[2] << 8) + digest[3];
explicit_bzero(digest, sizeof(digest));
memzero(digest, sizeof(digest));
return fingerprint;
}
@ -229,13 +230,13 @@ int hdnode_private_ckd(HDNode *inout, uint32_t i)
memcpy(inout->chain_code, I + 32, 32);
inout->depth++;
inout->child_num = i;
explicit_bzero(inout->public_key, sizeof(inout->public_key));
memzero(inout->public_key, sizeof(inout->public_key));
// making sure to wipe our memory
explicit_bzero(&a, sizeof(a));
explicit_bzero(&b, sizeof(b));
explicit_bzero(I, sizeof(I));
explicit_bzero(data, sizeof(data));
memzero(&a, sizeof(a));
memzero(&b, sizeof(b));
memzero(I, sizeof(I));
memzero(data, sizeof(data));
return 1;
}
@ -264,9 +265,9 @@ int hdnode_public_ckd_cp(const ecdsa_curve *curve, const curve_point *parent, co
}
// Wipe all stack data.
explicit_bzero(data, sizeof(data));
explicit_bzero(I, sizeof(I));
explicit_bzero(&c, sizeof(c));
memzero(data, sizeof(data));
memzero(I, sizeof(I));
memzero(&c, sizeof(c));
return 1;
}
}
@ -286,15 +287,15 @@ int hdnode_public_ckd(HDNode *inout, uint32_t i)
if (!hdnode_public_ckd_cp(inout->curve->params, &parent, inout->chain_code, i, &child, inout->chain_code)) {
return 0;
}
explicit_bzero(inout->private_key, 32);
memzero(inout->private_key, 32);
inout->depth++;
inout->child_num = i;
inout->public_key[0] = 0x02 | (child.y.val[0] & 0x01);
bn_write_be(&child.x, inout->public_key + 1);
// Wipe all stack data.
explicit_bzero(&parent, sizeof(parent));
explicit_bzero(&child, sizeof(child));
memzero(&parent, sizeof(parent));
memzero(&child, sizeof(child));
return 1;
}
@ -349,7 +350,7 @@ int hdnode_private_ckd_cached(HDNode *inout, const uint32_t *i, size_t i_count,
if (!private_ckd_cache_root_set || memcmp(&private_ckd_cache_root, inout, sizeof(HDNode)) != 0) {
// clear the cache
private_ckd_cache_index = 0;
explicit_bzero(private_ckd_cache, sizeof(private_ckd_cache));
memzero(private_ckd_cache, sizeof(private_ckd_cache));
// setup new root
memcpy(&private_ckd_cache_root, inout, sizeof(HDNode));
private_ckd_cache_root_set = true;
@ -496,7 +497,7 @@ int hdnode_nem_encrypt(const HDNode *node, const ed25519_public_key public_key,
aes_encrypt_ctx ctx;
int ret = aes_encrypt_key256(shared_key, &ctx);
explicit_bzero(shared_key, sizeof(shared_key));
memzero(shared_key, sizeof(shared_key));
if (ret != EXIT_SUCCESS) {
return 0;
@ -523,7 +524,7 @@ int hdnode_nem_decrypt(const HDNode *node, const ed25519_public_key public_key,
aes_decrypt_ctx ctx;
int ret = aes_decrypt_key256(shared_key, &ctx);
explicit_bzero(shared_key, sizeof(shared_key));
memzero(shared_key, sizeof(shared_key));
if (ret != EXIT_SUCCESS) {
return 0;
@ -609,7 +610,7 @@ static int hdnode_serialize(const HDNode *node, uint32_t fingerprint, uint32_t v
memcpy(node_data + 46, node->private_key, 32);
}
int ret = base58_encode_check(node_data, sizeof(node_data), node->curve->hasher_type, str, strsize);
explicit_bzero(node_data, sizeof(node_data));
memzero(node_data, sizeof(node_data));
return ret;
}
@ -634,14 +635,14 @@ int hdnode_deserialize(const char *str, uint32_t version_public, uint32_t versio
}
uint32_t version = read_be(node_data);
if (version == version_public) {
explicit_bzero(node->private_key, sizeof(node->private_key));
memzero(node->private_key, sizeof(node->private_key));
memcpy(node->public_key, node_data + 45, 33);
} else if (version == version_private) { // private node
if (node_data[45]) { // invalid data
return -2;
}
memcpy(node->private_key, node_data + 46, 32);
explicit_bzero(node->public_key, sizeof(node->public_key));
memzero(node->public_key, sizeof(node->public_key));
} else {
return -3; // invalid version
}

13
bip39.c
View File

@ -31,6 +31,7 @@
#include "pbkdf2.h"
#include "bip39_english.h"
#include "options.h"
#include "memzero.h"
#if USE_BIP39_CACHE
@ -53,7 +54,7 @@ const char *mnemonic_generate(int strength)
uint8_t data[32];
random_buffer(data, 32);
const char *r = mnemonic_from_data(data, strength / 8);
explicit_bzero(data, sizeof(data));
memzero(data, sizeof(data));
return r;
}
@ -65,7 +66,7 @@ const uint16_t *mnemonic_generate_indexes(int strength)
uint8_t data[32];
random_buffer(data, 32);
const uint16_t *r = mnemonic_from_data_indexes(data, strength / 8);
explicit_bzero(data, sizeof(data));
memzero(data, sizeof(data));
return r;
}
@ -99,7 +100,7 @@ const char *mnemonic_from_data(const uint8_t *data, int len)
*p = (i < mlen - 1) ? ' ' : 0;
p++;
}
explicit_bzero(bits, sizeof(bits));
memzero(bits, sizeof(bits));
return mnemo;
}
@ -130,7 +131,7 @@ const uint16_t *mnemonic_from_data_indexes(const uint8_t *data, int len)
}
mnemo[i] = idx;
}
explicit_bzero(bits, sizeof(bits));
memzero(bits, sizeof(bits));
return mnemo;
}
@ -160,7 +161,7 @@ int mnemonic_check(const char *mnemonic)
uint32_t j, k, ki, bi;
uint8_t bits[32 + 1];
explicit_bzero(bits, sizeof(bits));
memzero(bits, sizeof(bits));
i = 0; bi = 0;
while (mnemonic[i]) {
j = 0;
@ -240,7 +241,7 @@ void mnemonic_to_seed(const char *mnemonic, const char *passphrase, uint8_t seed
}
}
pbkdf2_hmac_sha512_Final(&pctx, seed);
explicit_bzero(salt, sizeof(salt));
memzero(salt, sizeof(salt));
#if USE_BIP39_CACHE
// store to cache
if (mnemoniclen < 256 && passphraselen < 64) {

View File

@ -17,6 +17,7 @@
#include "blake2b.h"
#include "blake2_common.h"
#include "memzero.h"
typedef struct blake2b_param__
{
@ -159,7 +160,7 @@ int blake2b_InitKey( blake2b_state *S, size_t outlen, const void *key, size_t ke
memset( block, 0, BLAKE2B_BLOCKBYTES );
memcpy( block, key, keylen );
blake2b_Update( S, block, BLAKE2B_BLOCKBYTES );
explicit_bzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
memzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
}
return 0;
}
@ -279,7 +280,7 @@ int blake2b_Final( blake2b_state *S, void *out, size_t outlen )
store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
memcpy( out, buffer, S->outlen );
explicit_bzero(buffer, sizeof(buffer));
memzero(buffer, sizeof(buffer));
return 0;
}

View File

@ -17,6 +17,7 @@
#include "blake2s.h"
#include "blake2_common.h"
#include "memzero.h"
typedef struct blake2s_param__
{
@ -153,7 +154,7 @@ int blake2s_InitKey( blake2s_state *S, size_t outlen, const void *key, size_t ke
memset( block, 0, BLAKE2S_BLOCKBYTES );
memcpy( block, key, keylen );
blake2s_Update( S, block, BLAKE2S_BLOCKBYTES );
explicit_bzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
memzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
}
return 0;
}
@ -271,7 +272,7 @@ int blake2s_Final( blake2s_state *S, void *out, size_t outlen )
store32( buffer + sizeof( S->h[i] ) * i, S->h[i] );
memcpy( out, buffer, outlen );
explicit_bzero(buffer, sizeof(buffer));
memzero(buffer, sizeof(buffer));
return 0;
}

67
ecdsa.c
View File

@ -37,6 +37,7 @@
#include "base58.h"
#include "secp256k1.h"
#include "rfc6979.h"
#include "memzero.h"
// Set cp2 = cp1
void point_copy(const curve_point *cp1, curve_point *cp2)
@ -541,8 +542,8 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
}
conditional_negate(sign, &jres.z, prime);
jacobian_to_curve(&jres, res, prime);
explicit_bzero(&a, sizeof(a));
explicit_bzero(&jres, sizeof(jres));
memzero(&a, sizeof(a));
memzero(&jres, sizeof(jres));
}
#if USE_PRECOMPUTED_CP
@ -629,8 +630,8 @@ void scalar_multiply(const ecdsa_curve *curve, const bignum256 *k, curve_point *
}
conditional_negate(((a.val[0] >> 4) & 1) - 1, &jres.y, prime);
jacobian_to_curve(&jres, res, prime);
explicit_bzero(&a, sizeof(a));
explicit_bzero(&jres, sizeof(jres));
memzero(&a, sizeof(a));
memzero(&jres, sizeof(jres));
}
#else
@ -652,12 +653,12 @@ int ecdh_multiply(const ecdsa_curve *curve, const uint8_t *priv_key, const uint8
bignum256 k;
bn_read_be(priv_key, &k);
point_multiply(curve, &k, &point, &point);
explicit_bzero(&k, sizeof(k));
memzero(&k, sizeof(k));
session_key[0] = 0x04;
bn_write_be(&point.x, session_key + 1);
bn_write_be(&point.y, session_key + 33);
explicit_bzero(&point, sizeof(point));
memzero(&point, sizeof(point));
return 0;
}
@ -684,8 +685,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s
hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
explicit_bzero(bx, sizeof(bx));
explicit_bzero(buf, sizeof(buf));
memzero(bx, sizeof(bx));
memzero(buf, sizeof(buf));
}
// generate next number from deterministic random number generator
@ -699,7 +700,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state)
hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
memcpy(rnd, buf, 32);
explicit_bzero(buf, sizeof(buf));
memzero(buf, sizeof(buf));
}
// generate K in a deterministic way, according to RFC6979
@ -709,7 +710,7 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state)
uint8_t buf[32];
generate_rfc6979(buf, state);
bn_read_be(buf, k);
explicit_bzero(buf, sizeof(buf));
memzero(buf, sizeof(buf));
}
// msg is a data to be signed
@ -719,7 +720,7 @@ int ecdsa_sign(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t *
uint8_t hash[32];
hasher_Raw(hasher_type, msg, msg_len, hash);
int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical);
explicit_bzero(hash, sizeof(hash));
memzero(hash, sizeof(hash));
return res;
}
@ -732,7 +733,7 @@ int ecdsa_sign_double(const ecdsa_curve *curve, HasherType hasher_type, const ui
hasher_Raw(hasher_type, msg, msg_len, hash);
hasher_Raw(hasher_type, hash, 32, hash);
int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical);
explicit_bzero(hash, sizeof(hash));
memzero(hash, sizeof(hash));
return res;
}
@ -817,20 +818,20 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, const u
*pby = by;
}
explicit_bzero(&k, sizeof(k));
explicit_bzero(&randk, sizeof(randk));
memzero(&k, sizeof(k));
memzero(&randk, sizeof(randk));
#if USE_RFC6979
explicit_bzero(&rng, sizeof(rng));
memzero(&rng, sizeof(rng));
#endif
return 0;
}
// Too many retries without a valid signature
// -> fail with an error
explicit_bzero(&k, sizeof(k));
explicit_bzero(&randk, sizeof(randk));
memzero(&k, sizeof(k));
memzero(&randk, sizeof(randk));
#if USE_RFC6979
explicit_bzero(&rng, sizeof(rng));
memzero(&rng, sizeof(rng));
#endif
return -1;
}
@ -845,8 +846,8 @@ void ecdsa_get_public_key33(const ecdsa_curve *curve, const uint8_t *priv_key, u
scalar_multiply(curve, &k, &R);
pub_key[0] = 0x02 | (R.y.val[0] & 0x01);
bn_write_be(&R.x, pub_key + 1);
explicit_bzero(&R, sizeof(R));
explicit_bzero(&k, sizeof(k));
memzero(&R, sizeof(R));
memzero(&k, sizeof(k));
}
void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, uint8_t *pub_key)
@ -860,8 +861,8 @@ void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, u
pub_key[0] = 0x04;
bn_write_be(&R.x, pub_key + 1);
bn_write_be(&R.y, pub_key + 33);
explicit_bzero(&R, sizeof(R));
explicit_bzero(&k, sizeof(k));
memzero(&R, sizeof(R));
memzero(&k, sizeof(k));
}
int ecdsa_uncompress_pubkey(const ecdsa_curve *curve, const uint8_t *pub_key, uint8_t *uncompressed)
@ -890,7 +891,7 @@ void ecdsa_get_pubkeyhash(const uint8_t *pub_key, HasherType hasher_type, uint8_
hasher_Raw(hasher_type, pub_key, 33, h);
}
ripemd160(h, HASHER_DIGEST_LENGTH, pubkeyhash);
explicit_bzero(h, sizeof(h));
memzero(h, sizeof(h));
}
void ecdsa_get_address_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw)
@ -907,7 +908,7 @@ void ecdsa_get_address(const uint8_t *pub_key, uint32_t version, HasherType hash
ecdsa_get_address_raw(pub_key, version, hasher_type, raw);
base58_encode_check(raw, 20 + prefix_len, hasher_type, addr, addrsize);
// not as important to clear this one, but we might as well
explicit_bzero(raw, sizeof(raw));
memzero(raw, sizeof(raw));
}
void ecdsa_get_address_segwit_p2sh_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw)
@ -928,7 +929,7 @@ void ecdsa_get_address_segwit_p2sh(const uint8_t *pub_key, uint32_t version, Has
size_t prefix_len = address_prefix_bytes_len(version);
ecdsa_get_address_segwit_p2sh_raw(pub_key, version, hasher_type, raw);
base58_encode_check(raw, prefix_len + 20, hasher_type, addr, addrsize);
explicit_bzero(raw, sizeof(raw));
memzero(raw, sizeof(raw));
}
void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_type, char *wif, int wifsize)
@ -940,7 +941,7 @@ void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_
wif_raw[prefix_len + 32] = 0x01;
base58_encode_check(wif_raw, prefix_len + 32 + 1, hasher_type, wif, wifsize);
// private keys running around our stack can cause trouble
explicit_bzero(wif_raw, sizeof(wif_raw));
memzero(wif_raw, sizeof(wif_raw));
}
int ecdsa_address_decode(const char *addr, uint32_t version, HasherType hasher_type, uint8_t *out)
@ -1033,7 +1034,7 @@ int ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t
uint8_t hash[32];
hasher_Raw(hasher_type, msg, msg_len, hash);
int res = ecdsa_verify_digest(curve, pub_key, sig, hash);
explicit_bzero(hash, sizeof(hash));
memzero(hash, sizeof(hash));
return res;
}
@ -1043,7 +1044,7 @@ int ecdsa_verify_double(const ecdsa_curve *curve, HasherType hasher_type, const
hasher_Raw(hasher_type, msg, msg_len, hash);
hasher_Raw(hasher_type, hash, 32, hash);
int res = ecdsa_verify_digest(curve, pub_key, sig, hash);
explicit_bzero(hash, sizeof(hash));
memzero(hash, sizeof(hash));
return res;
}
@ -1142,11 +1143,11 @@ int ecdsa_verify_digest(const ecdsa_curve *curve, const uint8_t *pub_key, const
}
}
explicit_bzero(&pub, sizeof(pub));
explicit_bzero(&res, sizeof(res));
explicit_bzero(&r, sizeof(r));
explicit_bzero(&s, sizeof(s));
explicit_bzero(&z, sizeof(z));
memzero(&pub, sizeof(pub));
memzero(&res, sizeof(res));
memzero(&r, sizeof(r));
memzero(&s, sizeof(s));
memzero(&z, sizeof(z));
// all OK
return result;

17
hmac.c
View File

@ -25,6 +25,7 @@
#include "hmac.h"
#include "options.h"
#include "memzero.h"
void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t keylen)
{
@ -41,7 +42,7 @@ void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t
}
sha256_Init(&(hctx->ctx));
sha256_Update(&(hctx->ctx), i_key_pad, SHA256_BLOCK_LENGTH);
explicit_bzero(i_key_pad, sizeof(i_key_pad));
memzero(i_key_pad, sizeof(i_key_pad));
}
void hmac_sha256_Update(HMAC_SHA256_CTX *hctx, const uint8_t *msg, const uint32_t msglen)
@ -56,7 +57,7 @@ void hmac_sha256_Final(HMAC_SHA256_CTX *hctx, uint8_t *hmac)
sha256_Update(&(hctx->ctx), hctx->o_key_pad, SHA256_BLOCK_LENGTH);
sha256_Update(&(hctx->ctx), hmac, SHA256_DIGEST_LENGTH);
sha256_Final(&(hctx->ctx), hmac);
explicit_bzero(hctx, sizeof(HMAC_SHA256_CTX));
memzero(hctx, sizeof(HMAC_SHA256_CTX));
}
void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@ -71,7 +72,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op
{
static CONFIDENTIAL uint32_t key_pad[SHA256_BLOCK_LENGTH/sizeof(uint32_t)];
explicit_bzero(key_pad, sizeof(key_pad));
memzero(key_pad, sizeof(key_pad));
if (keylen > SHA256_BLOCK_LENGTH) {
static CONFIDENTIAL SHA256_CTX context;
sha256_Init(&context);
@ -98,7 +99,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op
key_pad[i] = key_pad[i] ^ 0x5c5c5c5c ^ 0x36363636;
}
sha256_Transform(sha256_initial_hash_value, key_pad, ipad_digest);
explicit_bzero(key_pad, sizeof(key_pad));
memzero(key_pad, sizeof(key_pad));
}
void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t keylen)
@ -116,7 +117,7 @@ void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t
}
sha512_Init(&(hctx->ctx));
sha512_Update(&(hctx->ctx), i_key_pad, SHA512_BLOCK_LENGTH);
explicit_bzero(i_key_pad, sizeof(i_key_pad));
memzero(i_key_pad, sizeof(i_key_pad));
}
void hmac_sha512_Update(HMAC_SHA512_CTX *hctx, const uint8_t *msg, const uint32_t msglen)
@ -131,7 +132,7 @@ void hmac_sha512_Final(HMAC_SHA512_CTX *hctx, uint8_t *hmac)
sha512_Update(&(hctx->ctx), hctx->o_key_pad, SHA512_BLOCK_LENGTH);
sha512_Update(&(hctx->ctx), hmac, SHA512_DIGEST_LENGTH);
sha512_Final(&(hctx->ctx), hmac);
explicit_bzero(hctx, sizeof(HMAC_SHA512_CTX));
memzero(hctx, sizeof(HMAC_SHA512_CTX));
}
void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@ -146,7 +147,7 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op
{
static CONFIDENTIAL uint64_t key_pad[SHA512_BLOCK_LENGTH/sizeof(uint64_t)];
explicit_bzero(key_pad, sizeof(key_pad));
memzero(key_pad, sizeof(key_pad));
if (keylen > SHA512_BLOCK_LENGTH) {
static CONFIDENTIAL SHA512_CTX context;
sha512_Init(&context);
@ -173,5 +174,5 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op
key_pad[i] = key_pad[i] ^ 0x5c5c5c5c5c5c5c5c ^ 0x3636363636363636;
}
sha512_Transform(sha512_initial_hash_value, key_pad, ipad_digest);
explicit_bzero(key_pad, sizeof(key_pad));
memzero(key_pad, sizeof(key_pad));
}

6
memzero.c Normal file
View File

@ -0,0 +1,6 @@
#include <string.h>
void memzero(void *s, size_t n)
{
memset(s, 0, n);
}

8
memzero.h Normal file
View File

@ -0,0 +1,8 @@
#ifndef __MEMZERO_H__
#define __MEMZERO_H__
#include <stddef.h>
void memzero(void *s, size_t n);
#endif

9
nem.c
View File

@ -28,6 +28,7 @@
#include "ed25519-donna/ed25519-keccak.h"
#include "ripemd160.h"
#include "sha3.h"
#include "memzero.h"
const char *nem_network_name(uint8_t network) {
switch (network) {
@ -111,7 +112,7 @@ void nem_get_address_raw(const ed25519_public_key public_key, uint8_t version, u
/* 5. Concatenate output of step 3 and the checksum from step 4 */
memcpy(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4);
explicit_bzero(hash, sizeof(hash));
memzero(hash, sizeof(hash));
}
bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char *address) {
@ -121,7 +122,7 @@ bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char
char *ret = base32_encode(pubkeyhash, sizeof(pubkeyhash), address, NEM_ADDRESS_SIZE + 1, BASE32_ALPHABET_RFC4648);
explicit_bzero(pubkeyhash, sizeof(pubkeyhash));
memzero(pubkeyhash, sizeof(pubkeyhash));
return (ret != NULL);
}
@ -135,7 +136,7 @@ bool nem_validate_address_raw(const uint8_t *address, uint8_t network) {
keccak_256(address, 1 + RIPEMD160_DIGEST_LENGTH, hash);
bool valid = (memcmp(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4) == 0);
explicit_bzero(hash, sizeof(hash));
memzero(hash, sizeof(hash));
return valid;
}
@ -149,7 +150,7 @@ bool nem_validate_address(const char *address, uint8_t network) {
uint8_t *ret = base32_decode(address, NEM_ADDRESS_SIZE, pubkeyhash, sizeof(pubkeyhash), BASE32_ALPHABET_RFC4648);
bool valid = (ret != NULL) && nem_validate_address_raw(pubkeyhash, network);
explicit_bzero(pubkeyhash, sizeof(pubkeyhash));
memzero(pubkeyhash, sizeof(pubkeyhash));
return valid;
}

View File

@ -25,6 +25,7 @@
#include "pbkdf2.h"
#include "hmac.h"
#include "sha2.h"
#include "memzero.h"
void pbkdf2_hmac_sha256_Init(PBKDF2_HMAC_SHA256_CTX *pctx, const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen)
{
@ -74,7 +75,7 @@ void pbkdf2_hmac_sha256_Final(PBKDF2_HMAC_SHA256_CTX *pctx, uint8_t *key)
}
#endif
memcpy(key, pctx->f, SHA256_DIGEST_LENGTH);
explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
memzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
}
void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key)
@ -134,7 +135,7 @@ void pbkdf2_hmac_sha512_Final(PBKDF2_HMAC_SHA512_CTX *pctx, uint8_t *key)
}
#endif
memcpy(key, pctx->f, SHA512_DIGEST_LENGTH);
explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX));
memzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX));
}
void pbkdf2_hmac_sha512(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key)

View File

@ -25,6 +25,7 @@
#include <string.h>
#include "rfc6979.h"
#include "hmac.h"
#include "memzero.h"
void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *state) {
uint8_t bx[2*32];
@ -48,8 +49,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s
hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
explicit_bzero(bx, sizeof(bx));
explicit_bzero(buf, sizeof(buf));
memzero(bx, sizeof(bx));
memzero(buf, sizeof(buf));
}
// generate next number from deterministic random number generator
@ -63,7 +64,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state)
hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
memcpy(rnd, buf, 32);
explicit_bzero(buf, sizeof(buf));
memzero(buf, sizeof(buf));
}
// generate K in a deterministic way, according to RFC6979
@ -73,5 +74,5 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state)
uint8_t buf[32];
generate_rfc6979(buf, state);
bn_read_be(buf, k);
explicit_bzero(buf, sizeof(buf));
memzero(buf, sizeof(buf));
}

View File

@ -28,6 +28,7 @@
#include <string.h>
#include "ripemd160.h"
#include "memzero.h"
/*
* 32-bit integer manipulation macros (little endian)
@ -327,7 +328,7 @@ void ripemd160_Final( RIPEMD160_CTX *ctx, uint8_t output[RIPEMD160_DIGEST_LENGTH
PUT_UINT32_LE( ctx->state[3], output, 12 );
PUT_UINT32_LE( ctx->state[4], output, 16 );
explicit_bzero(ctx, sizeof(RIPEMD160_CTX));
memzero(ctx, sizeof(RIPEMD160_CTX));
}
/*

43
sha2.c
View File

@ -31,6 +31,7 @@
#include <string.h>
#include <stdint.h>
#include "sha2.h"
#include "memzero.h"
/*
* ASSERT NOTE:
@ -281,7 +282,7 @@ static const char *sha2_hex_digits = "0123456789abcdef";
/*** SHA-1: ***********************************************************/
void sha1_Init(SHA1_CTX* context) {
MEMCPY_BCOPY(context->state, sha1_initial_hash_value, SHA1_DIGEST_LENGTH);
explicit_bzero(context->buffer, SHA1_BLOCK_LENGTH);
memzero(context->buffer, SHA1_BLOCK_LENGTH);
context->bitcount = 0;
}
@ -591,14 +592,14 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
* No digest buffer, so we can do nothing
* except clean up and go home
*/
explicit_bzero(context, sizeof(SHA1_CTX));
memzero(context, sizeof(SHA1_CTX));
return;
}
usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH;
if (usedspace == 0) {
/* Set-up for the last transform: */
explicit_bzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH);
memzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH);
/* Begin padding with a 1 bit: */
*context->buffer = 0x80;
@ -608,16 +609,16 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
if (usedspace <= 56) {
/* Set-up for the last transform: */
explicit_bzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace);
memzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace);
} else {
if (usedspace < 64) {
explicit_bzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace);
memzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace);
}
/* Do second-to-last transform: */
sha1_Transform(context->state, context->buffer, context->state);
/* And set-up for the last transform: */
explicit_bzero(context->buffer, 56);
memzero(context->buffer, 56);
}
/* Clean up: */
usedspace = 0;
@ -648,7 +649,7 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
#endif
/* Clean up: */
explicit_bzero(context, sizeof(SHA1_CTX));
memzero(context, sizeof(SHA1_CTX));
}
char *sha1_End(SHA1_CTX* context, char buffer[]) {
@ -665,9 +666,9 @@ char *sha1_End(SHA1_CTX* context, char buffer[]) {
}
*buffer = (char)0;
} else {
explicit_bzero(context, sizeof(SHA1_CTX));
memzero(context, sizeof(SHA1_CTX));
}
explicit_bzero(digest, SHA1_DIGEST_LENGTH);
memzero(digest, SHA1_DIGEST_LENGTH);
return buffer;
}
@ -692,7 +693,7 @@ void sha256_Init(SHA256_CTX* context) {
return;
}
MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
explicit_bzero(context->buffer, SHA256_BLOCK_LENGTH);
memzero(context->buffer, SHA256_BLOCK_LENGTH);
context->bitcount = 0;
}
@ -929,7 +930,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
((uint8_t*)context->buffer)[usedspace++] = 0x80;
if (usedspace > SHA256_SHORT_BLOCK_LENGTH) {
explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);
memzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert TO host byte order */
@ -944,7 +945,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
usedspace = 0;
}
/* Set-up for the last transform: */
explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);
memzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert TO host byte order */
@ -969,7 +970,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
}
/* Clean up state data: */
explicit_bzero(context, sizeof(SHA256_CTX));
memzero(context, sizeof(SHA256_CTX));
usedspace = 0;
}
@ -987,9 +988,9 @@ char *sha256_End(SHA256_CTX* context, char buffer[]) {
}
*buffer = (char)0;
} else {
explicit_bzero(context, sizeof(SHA256_CTX));
memzero(context, sizeof(SHA256_CTX));
}
explicit_bzero(digest, SHA256_DIGEST_LENGTH);
memzero(digest, SHA256_DIGEST_LENGTH);
return buffer;
}
@ -1015,7 +1016,7 @@ void sha512_Init(SHA512_CTX* context) {
return;
}
MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
explicit_bzero(context->buffer, SHA512_BLOCK_LENGTH);
memzero(context->buffer, SHA512_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] = 0;
}
@ -1232,7 +1233,7 @@ static void sha512_Last(SHA512_CTX* context) {
((uint8_t*)context->buffer)[usedspace++] = 0x80;
if (usedspace > SHA512_SHORT_BLOCK_LENGTH) {
explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);
memzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert TO host byte order */
@ -1247,7 +1248,7 @@ static void sha512_Last(SHA512_CTX* context) {
usedspace = 0;
}
/* Set-up for the last transform: */
explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);
memzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert TO host byte order */
@ -1279,7 +1280,7 @@ void sha512_Final(SHA512_CTX* context, sha2_byte digest[]) {
}
/* Zero out state data */
explicit_bzero(context, sizeof(SHA512_CTX));
memzero(context, sizeof(SHA512_CTX));
}
char *sha512_End(SHA512_CTX* context, char buffer[]) {
@ -1296,9 +1297,9 @@ char *sha512_End(SHA512_CTX* context, char buffer[]) {
}
*buffer = (char)0;
} else {
explicit_bzero(context, sizeof(SHA512_CTX));
memzero(context, sizeof(SHA512_CTX));
}
explicit_bzero(digest, SHA512_DIGEST_LENGTH);
memzero(digest, SHA512_DIGEST_LENGTH);
return buffer;
}

5
sha3.c
View File

@ -21,6 +21,7 @@
#include <string.h>
#include "sha3.h"
#include "memzero.h"
#define I64(x) x##LL
#define ROTL64(qword, n) ((qword) << (n) ^ ((qword) >> (64 - (n))))
@ -330,7 +331,7 @@ void sha3_Final(SHA3_CTX *ctx, unsigned char* result)
assert(block_size > digest_length);
if (result) me64_to_le_str(result, ctx->hash, digest_length);
explicit_bzero(ctx, sizeof(SHA3_CTX));
memzero(ctx, sizeof(SHA3_CTX));
}
#if USE_KECCAK
@ -359,7 +360,7 @@ void keccak_Final(SHA3_CTX *ctx, unsigned char* result)
assert(block_size > digest_length);
if (result) me64_to_le_str(result, ctx->hash, digest_length);
explicit_bzero(ctx, sizeof(SHA3_CTX));
memzero(ctx, sizeof(SHA3_CTX));
}
void keccak_256(const unsigned char* data, size_t len, unsigned char* digest)