From e313234fe3b0b00498afcc1a34a36a1393741991 Mon Sep 17 00:00:00 2001
From: Pavol Rusnak
Date: Wed, 22 Mar 2017 01:53:25 +0100
Subject: [PATCH] bootloader/loader: use blake2s instead of sha256 for digests
---
 Makefile.bootloader | 1 +
 Makefile.loader | 1 +
 docs/bootloader.md | 3 ++-
 micropython/bootloader/crypto.c | 18 +++++++++---------
 tools/firmwarectl | 4 ++--
 5 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/Makefile.bootloader b/Makefile.bootloader
index 5ac30ff27c..6a6a171784 100644
--- a/Makefile.bootloader
+++ b/Makefile.bootloader
@@ -83,6 +83,7 @@ CFLAGS_MOD += \
 OBJ_MOD += \
 $(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/ed25519-donna/ed25519.o \
+ $(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/blake2s.o \
 $(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/sha2.o \
 OBJ = $(OBJ_MOD) $(OBJ_MP) $(OBJ_FW)
diff --git a/Makefile.loader b/Makefile.loader
index c4e38230db..06cf600b23 100644
--- a/Makefile.loader
+++ b/Makefile.loader
@@ -81,6 +81,7 @@ CFLAGS_MOD += \
 OBJ_MOD += \
 $(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/ed25519-donna/ed25519.o \
+ $(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/blake2s.o \
 $(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/sha2.o \
 OBJ = $(OBJ_MOD) $(OBJ_MP) $(OBJ_FW)
diff --git a/docs/bootloader.md b/docs/bootloader.md
index fef1826f44..cbddc09b20 100644
--- a/docs/bootloader.md
+++ b/docs/bootloader.md
@@ -21,7 +21,8 @@ it will start in a firmware update mode, allowing a firmware update via USB.
 ## Common notes
-* Hash function used below is SHA-256 and signature system is Ed25519 (allows combining signatures by multiple keys into one).
+* Hash function used for computing data digest for signatures is BLAKE2s.
+* Signature system is Ed25519 (allows combining signatures by multiple keys into one).
 * All multibyte integer values are little endian.
 * There is a tool called [firmwarectl](../tools/firmwarectl) which checks validity of the loader/firmware images including their headers.
diff --git a/micropython/bootloader/crypto.c b/micropython/bootloader/crypto.c
index 3a0de1178f..76c09d15d2 100644
--- a/micropython/bootloader/crypto.c
+++ b/micropython/bootloader/crypto.c
@@ -1,6 +1,6 @@
 #include
-#include "sha2.h"
+#include "blake2s.h"
 #include "ed25519-donna/ed25519.h"
 #include "crypto.h"
@@ -87,17 +87,17 @@ bool check_signature(const uint8_t *start)
 return false;
 }
- uint8_t hash[SHA256_DIGEST_LENGTH];
- SHA256_CTX ctx;
- sha256_Init(&ctx);
- sha256_Update(&ctx, start, 256 - 65);
+ uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+ BLAKE2S_CTX ctx;
+ blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
+ blake2s_Update(&ctx, start, 256 - 65);
 for (int i = 0; i < 65; i++) {
- sha256_Update(&ctx, (const uint8_t *)"\x00", 1);
+ blake2s_Update(&ctx, (const uint8_t *)"\x00", 1);
 }
- sha256_Update(&ctx, start + 256, codelen);
- sha256_Final(&ctx, hash);
+ blake2s_Update(&ctx, start + 256, codelen);
+ blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
 const uint8_t *pub = get_pubkey(sigidx);
- return pub && (0 == ed25519_sign_open(hash, SHA256_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)sig));
+ return pub && (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)sig));
 }
diff --git a/tools/firmwarectl b/tools/firmwarectl
index 85e3fee27a..c45a0f39a6 100755
--- a/tools/firmwarectl
+++ b/tools/firmwarectl
@@ -2,8 +2,8 @@
 import sys
 import struct
 import binascii
-import hashlib
 import ed25519
+import pyblake2
 # loader/firmware headers specification: https://github.com/trezor/trezor-core/blob/master/docs/bootloader.md
@@ -27,7 +27,7 @@ def get_sig(data):
 print('Enter privkey: ', end='')
 seckey = binascii.unhexlify(input())
 signkey = ed25519.SigningKey(seckey)
- digest = hashlib.sha256(data).digest()
+ digest = pyblake2.blake2s(data).digest()
 sigidx = (1, )
 sig = signkey.sign(digest)
 return sigidx, sig
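Review bot: In check_signature (micropython/bootloader/crypto.c, second hunk) the results of `blake2s_Init`, `blake2s_Update` and `blake2s_Final` are discarded, so if any of them reports failure the uninitialised `hash` buffer is still handed to `ed25519_sign_open`. Assuming these functions return a status as the reference BLAKE2 API does (blake2s.h is not visible here), the verification path should fail closed, e.g. `if (0 != blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH)) return false;` and the same test around `blake2s_Final`. With a constant 32-byte output length a failure is unlikely in practice, but this is the image-authentication path and the check is free. The function starts before the hunk, so how `codelen` and `sigidx` are validated before `start + 256` is hashed cannot be judged from here.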
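Review bot: The import hunk of tools/firmwarectl swaps the standard-library `hashlib` for the third-party `pyblake2` package, and the get_sig hunk then uses it to compute the digest that gets signed, which adds an external dependency to the signing tool. Python 3.6 and later provide BLAKE2s in the standard library, so `digest = hashlib.blake2s(data).digest()` produces the same default 32-byte digest without it. If older interpreters must stay supported, a `try: from hashlib import blake2s` / `except ImportError: from pyblake2 import blake2s` fallback covers both. get_sig begins before its hunk, so whether `data` already has the signature bytes zeroed the way check_signature hashes them is not visible here and is worth confirming.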