mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-22 23:48:12 +00:00

pave the way for RFC6979

Pavol Rusnak 2013-09-10 01:03:24 +02:00
parent 3f737896a4
commit df79a330e6

31
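--- a/ecdsa.c
+++ b/ecdsa.c
@@ -484,6 +484,27 @@ void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
 out_number->val[8] = temp;
 }
+// generate random K for signing
+void generate_k_random(bignum256 *k) {
+int i;
+for (;;) {
+for (i = 0; i < 8; i++) {
+k->val[i] = random32() & 0x3FFFFFFF;
+}
+k->val[8] = random32() & 0xFFFF;
+// if k is too big or too small, we don't like it
+if (k->val[5] == 0x3FFFFFFF && k->val[6] == 0x3FFFFFFF && k->val[7] == 0x3FFFFFFF && k->val[8] == 0xFFFF) continue;
+if (k->val[5] == 0x0 && k->val[6] == 0x0 && k->val[7] == 0x0 && k->val[8] == 0x0) continue;
+return;
+}
+}
+// generate K in a deterministic way, according to RFC6979
+// http://tools.ietf.org/html/rfc6979
+void generate_k_rfc6979(bignum256 *k, uint8_t *priv_key, uint8_t *hash) {
+// TODO
+}
 // uses secp256k1 curve
 // priv_key is a 32 byte big endian stored number
 // msg is a data to be signed
@@ -492,7 +513,7 @@ void read_32byte_big_endian(uint8_t *in_number, bignum256 *out_number)
 // sig_len is the pointer to a uint that will contain resulting signature length. note that ((*sig_len) == sig[1]+2)
 void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint32_t *sig_len)
 {
-uint32_t i;
+int i;
 uint8_t hash[32];
 curve_point R;
 bignum256 k, z;
@@ -505,13 +526,7 @@ void ecdsa_sign(uint8_t *priv_key, uint8_t *msg, uint32_t msg_len, uint8_t *sig,
 read_32byte_big_endian(hash, &z);
 for (;;) {
 // generate random number k
-for (i = 0; i < 8; i++) {
-k.val[i] = random32() & 0x3FFFFFFF;
-}
-k.val[8] = random32() & 0xFFFF;
-// if k is too big or too small, we don't like it
-if (k.val[5] == 0x3FFFFFFF && k.val[6] == 0x3FFFFFFF && k.val[7] == 0x3FFFFFFF && k.val[8] == 0xFFFF) continue;
-if (k.val[5] == 0x0 && k.val[6] == 0x0 && k.val[7] == 0x0 && k.val[8] == 0x0) continue;
+generate_k_random(&k);
 // compute k*G
 scalar_multiply(&k, &R);
 // r = (rx mod n)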
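Review bot: `generate_k_rfc6979` is added with an empty body, so any caller that switches to it gets back whatever was already in `*k`, and an ECDSA nonce that is uninitialised or repeated across signatures can expose the private key. Until the derivation is written, the stub should not be silently usable: wrap it in `#if 0`, or mark it with a comment such as `// NOT IMPLEMENTED: leaves *k untouched, must not be used for signing`. Both inputs are read-only, so the prototype could be `void generate_k_rfc6979(bignum256 *k, const uint8_t *priv_key, const uint8_t *hash)`. In `generate_k_random` the rejection test only inspects limbs 5..8; it appears conservative enough to keep k nonzero and below the group order, but a one-line comment stating that reasoning would save the next reviewer from re-deriving it. The body of `ecdsa_sign` continues outside the visible hunks, so whether `i` is still used there after the `int` change cannot be checked from here.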