mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-11-24 16:38:15 +00:00
c8b811bac5
[no changelog]
792 lines
23 KiB
C
792 lines
23 KiB
C
/**
|
|
* Copyright (c) 2013-2016 Tomas Dzetkulic
|
|
* Copyright (c) 2013-2016 Pavol Rusnak
|
|
* Copyright (c) 2015-2016 Jochen Hoenicke
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining
|
|
* a copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included
|
|
* in all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
|
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
|
|
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
|
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
|
* OTHER DEALINGS IN THE SOFTWARE.
|
|
*/
|
|
|
|
#include <stdbool.h>
|
|
#include <string.h>
|
|
|
|
#include "address.h"
|
|
#include "aes/aes.h"
|
|
#include "base58.h"
|
|
#include "bignum.h"
|
|
#include "bip32.h"
|
|
#include "cardano.h"
|
|
#include "curves.h"
|
|
#include "ecdsa.h"
|
|
#include "ed25519-donna/ed25519-sha3.h"
|
|
#include "ed25519-donna/ed25519.h"
|
|
#include "hmac.h"
|
|
#include "nist256p1.h"
|
|
#include "secp256k1.h"
|
|
#include "sha2.h"
|
|
#include "sha3.h"
|
|
#if USE_KECCAK
|
|
#include "ed25519-donna/ed25519-keccak.h"
|
|
#endif
|
|
#if USE_NEM
|
|
#include "nem.h"
|
|
#endif
|
|
#include "memzero.h"
|
|
|
|
const curve_info ed25519_info = {
|
|
.bip32_name = ED25519_SEED_NAME,
|
|
.params = NULL,
|
|
.hasher_base58 = HASHER_SHA2D,
|
|
.hasher_sign = HASHER_SHA2D,
|
|
.hasher_pubkey = HASHER_SHA2_RIPEMD,
|
|
.hasher_script = HASHER_SHA2,
|
|
};
|
|
|
|
const curve_info ed25519_sha3_info = {
|
|
.bip32_name = "ed25519-sha3 seed",
|
|
.params = NULL,
|
|
.hasher_base58 = HASHER_SHA2D,
|
|
.hasher_sign = HASHER_SHA2D,
|
|
.hasher_pubkey = HASHER_SHA2_RIPEMD,
|
|
.hasher_script = HASHER_SHA2,
|
|
};
|
|
|
|
#if USE_KECCAK
|
|
const curve_info ed25519_keccak_info = {
|
|
.bip32_name = "ed25519-keccak seed",
|
|
.params = NULL,
|
|
.hasher_base58 = HASHER_SHA2D,
|
|
.hasher_sign = HASHER_SHA2D,
|
|
.hasher_pubkey = HASHER_SHA2_RIPEMD,
|
|
.hasher_script = HASHER_SHA2,
|
|
};
|
|
#endif
|
|
|
|
const curve_info curve25519_info = {
|
|
.bip32_name = "curve25519 seed",
|
|
.params = NULL,
|
|
.hasher_base58 = HASHER_SHA2D,
|
|
.hasher_sign = HASHER_SHA2D,
|
|
.hasher_pubkey = HASHER_SHA2_RIPEMD,
|
|
.hasher_script = HASHER_SHA2,
|
|
};
|
|
|
|
int hdnode_from_xpub(uint32_t depth, uint32_t child_num,
|
|
const uint8_t *chain_code, const uint8_t *public_key,
|
|
const char *curve, HDNode *out) {
|
|
const curve_info *info = get_curve_by_name(curve);
|
|
if (info == 0) {
|
|
return 0;
|
|
}
|
|
if (public_key[0] != 0x02 && public_key[0] != 0x03) { // invalid pubkey
|
|
return 0;
|
|
}
|
|
out->curve = info;
|
|
out->depth = depth;
|
|
out->child_num = child_num;
|
|
memcpy(out->chain_code, chain_code, 32);
|
|
memzero(out->private_key, 32);
|
|
memzero(out->private_key_extension, 32);
|
|
memcpy(out->public_key, public_key, 33);
|
|
out->is_public_key_set = true;
|
|
return 1;
|
|
}
|
|
|
|
int hdnode_from_xprv(uint32_t depth, uint32_t child_num,
|
|
const uint8_t *chain_code, const uint8_t *private_key,
|
|
const char *curve, HDNode *out) {
|
|
bool failed = false;
|
|
const curve_info *info = get_curve_by_name(curve);
|
|
if (info == 0) {
|
|
failed = true;
|
|
} else if (info->params) {
|
|
bignum256 a = {0};
|
|
bn_read_be(private_key, &a);
|
|
if (bn_is_zero(&a)) { // == 0
|
|
failed = true;
|
|
} else {
|
|
if (!bn_is_less(&a, &info->params->order)) { // >= order
|
|
failed = true;
|
|
}
|
|
}
|
|
memzero(&a, sizeof(a));
|
|
}
|
|
|
|
if (failed) {
|
|
return 0;
|
|
}
|
|
|
|
out->curve = info;
|
|
out->depth = depth;
|
|
out->child_num = child_num;
|
|
memcpy(out->chain_code, chain_code, 32);
|
|
memcpy(out->private_key, private_key, 32);
|
|
memzero(out->public_key, sizeof(out->public_key));
|
|
out->is_public_key_set = false;
|
|
memzero(out->private_key_extension, sizeof(out->private_key_extension));
|
|
return 1;
|
|
}
|
|
|
|
int hdnode_from_seed(const uint8_t *seed, int seed_len, const char *curve,
|
|
HDNode *out) {
|
|
static CONFIDENTIAL uint8_t I[32 + 32];
|
|
memzero(out, sizeof(HDNode));
|
|
out->depth = 0;
|
|
out->child_num = 0;
|
|
out->curve = get_curve_by_name(curve);
|
|
if (out->curve == 0) {
|
|
return 0;
|
|
}
|
|
static CONFIDENTIAL HMAC_SHA512_CTX ctx;
|
|
hmac_sha512_Init(&ctx, (const uint8_t *)out->curve->bip32_name,
|
|
strlen(out->curve->bip32_name));
|
|
hmac_sha512_Update(&ctx, seed, seed_len);
|
|
hmac_sha512_Final(&ctx, I);
|
|
|
|
if (out->curve->params) {
|
|
bignum256 a = {0};
|
|
while (true) {
|
|
bn_read_be(I, &a);
|
|
if (!bn_is_zero(&a) // != 0
|
|
&& bn_is_less(&a, &out->curve->params->order)) { // < order
|
|
break;
|
|
}
|
|
hmac_sha512_Init(&ctx, (const uint8_t *)out->curve->bip32_name,
|
|
strlen(out->curve->bip32_name));
|
|
hmac_sha512_Update(&ctx, I, sizeof(I));
|
|
hmac_sha512_Final(&ctx, I);
|
|
}
|
|
memzero(&a, sizeof(a));
|
|
}
|
|
memcpy(out->private_key, I, 32);
|
|
memcpy(out->chain_code, I + 32, 32);
|
|
memzero(out->public_key, sizeof(out->public_key));
|
|
out->is_public_key_set = false;
|
|
memzero(I, sizeof(I));
|
|
return 1;
|
|
}
|
|
|
|
uint32_t hdnode_fingerprint(HDNode *node) {
|
|
uint8_t digest[32] = {0};
|
|
uint32_t fingerprint = 0;
|
|
|
|
hdnode_fill_public_key(node);
|
|
hasher_Raw(node->curve->hasher_pubkey, node->public_key, 33, digest);
|
|
fingerprint = ((uint32_t)digest[0] << 24) + (digest[1] << 16) +
|
|
(digest[2] << 8) + digest[3];
|
|
memzero(digest, sizeof(digest));
|
|
return fingerprint;
|
|
}
|
|
|
|
int hdnode_private_ckd_bip32(HDNode *inout, uint32_t i) {
|
|
static CONFIDENTIAL uint8_t data[1 + 32 + 4];
|
|
static CONFIDENTIAL uint8_t I[32 + 32];
|
|
static CONFIDENTIAL bignum256 a, b;
|
|
|
|
#if USE_CARDANO
|
|
if (inout->curve == &ed25519_cardano_info) {
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
if (i & 0x80000000) { // private derivation
|
|
data[0] = 0;
|
|
memcpy(data + 1, inout->private_key, 32);
|
|
} else { // public derivation
|
|
if (!inout->curve->params) {
|
|
// SLIP-10 doesn't support private key to private key non-hardened
|
|
// derivation for curve25519 and ed25519
|
|
return 0;
|
|
}
|
|
if (hdnode_fill_public_key(inout) != 0) {
|
|
return 0;
|
|
}
|
|
memcpy(data, inout->public_key, 33);
|
|
}
|
|
write_be(data + 33, i);
|
|
|
|
bn_read_be(inout->private_key, &a);
|
|
|
|
static CONFIDENTIAL HMAC_SHA512_CTX ctx;
|
|
hmac_sha512_Init(&ctx, inout->chain_code, 32);
|
|
hmac_sha512_Update(&ctx, data, sizeof(data));
|
|
hmac_sha512_Final(&ctx, I);
|
|
|
|
if (inout->curve->params) {
|
|
while (true) {
|
|
bool failed = false;
|
|
bn_read_be(I, &b);
|
|
if (!bn_is_less(&b, &inout->curve->params->order)) { // >= order
|
|
failed = true;
|
|
} else {
|
|
bn_add(&b, &a);
|
|
bn_mod(&b, &inout->curve->params->order);
|
|
if (bn_is_zero(&b)) {
|
|
failed = true;
|
|
}
|
|
}
|
|
|
|
if (!failed) {
|
|
bn_write_be(&b, inout->private_key);
|
|
break;
|
|
}
|
|
|
|
data[0] = 1;
|
|
memcpy(data + 1, I + 32, 32);
|
|
hmac_sha512_Init(&ctx, inout->chain_code, 32);
|
|
hmac_sha512_Update(&ctx, data, sizeof(data));
|
|
hmac_sha512_Final(&ctx, I);
|
|
}
|
|
} else {
|
|
memcpy(inout->private_key, I, 32);
|
|
}
|
|
|
|
memcpy(inout->chain_code, I + 32, 32);
|
|
inout->depth++;
|
|
inout->child_num = i;
|
|
memzero(inout->public_key, sizeof(inout->public_key));
|
|
inout->is_public_key_set = false;
|
|
|
|
// making sure to wipe our memory
|
|
memzero(&a, sizeof(a));
|
|
memzero(&b, sizeof(b));
|
|
memzero(I, sizeof(I));
|
|
memzero(data, sizeof(data));
|
|
return 1;
|
|
}
|
|
|
|
int hdnode_private_ckd(HDNode *inout, uint32_t i) {
|
|
#if USE_CARDANO
|
|
if (inout->curve == &ed25519_cardano_info) {
|
|
return hdnode_private_ckd_cardano(inout, i);
|
|
} else
|
|
#endif
|
|
{
|
|
return hdnode_private_ckd_bip32(inout, i);
|
|
}
|
|
}
|
|
|
|
int hdnode_public_ckd(HDNode *inout, uint32_t i) {
|
|
if (!inout->curve->params) {
|
|
// SLIP-10 doesn't support public key to public key derivation for
|
|
// curve25519 and ed25519, Cardano BIP32-ed22519 public key to public key
|
|
// derivation is not implemented
|
|
return 0;
|
|
}
|
|
|
|
uint8_t data[33 + 4] = {0};
|
|
uint8_t digest[32 + 32] = {0};
|
|
int result = 0;
|
|
|
|
if (i & 0x80000000) { // private derivation
|
|
return 0;
|
|
}
|
|
|
|
memcpy(data, inout->public_key, 33);
|
|
write_be(data + 33, i);
|
|
|
|
while (true) {
|
|
hmac_sha512(inout->chain_code, 32, data, sizeof(data), digest);
|
|
|
|
result = ecdsa_tweak_pubkey(inout->curve->params, inout->public_key, digest,
|
|
inout->public_key);
|
|
if (result == ECDSA_TWEAK_PUBKEY_SUCCESS) {
|
|
memcpy(inout->chain_code, digest + 32, 32);
|
|
inout->depth++;
|
|
inout->child_num = i;
|
|
memzero(inout->private_key, 32);
|
|
break;
|
|
}
|
|
if (result != ECDSA_TWEAK_PUBKEY_INVALID_TWEAK_OR_RESULT_ERR) {
|
|
break;
|
|
}
|
|
|
|
// The tweak is less than the order of the curve or the tweaked public key
|
|
// is the point at infinity
|
|
data[0] = 1;
|
|
memcpy(data + 1, digest + 32, 32);
|
|
}
|
|
|
|
memzero(digest, sizeof(digest));
|
|
memzero(data, sizeof(data));
|
|
|
|
return result == ECDSA_TWEAK_PUBKEY_SUCCESS;
|
|
}
|
|
|
|
#if USE_BIP32_CACHE
|
|
static bool private_ckd_cache_root_set = false;
|
|
static CONFIDENTIAL HDNode private_ckd_cache_root;
|
|
static int private_ckd_cache_index = 0;
|
|
|
|
static CONFIDENTIAL struct {
|
|
bool set;
|
|
size_t depth;
|
|
uint32_t i[BIP32_CACHE_MAXDEPTH];
|
|
HDNode node;
|
|
} private_ckd_cache[BIP32_CACHE_SIZE];
|
|
|
|
void bip32_cache_clear(void) {
|
|
private_ckd_cache_root_set = false;
|
|
private_ckd_cache_index = 0;
|
|
memzero(&private_ckd_cache_root, sizeof(private_ckd_cache_root));
|
|
memzero(private_ckd_cache, sizeof(private_ckd_cache));
|
|
}
|
|
|
|
int hdnode_private_ckd_cached(HDNode *inout, const uint32_t *i, size_t i_count,
|
|
uint32_t *fingerprint) {
|
|
if (i_count == 0) {
|
|
// no way how to compute parent fingerprint
|
|
return 1;
|
|
}
|
|
if (i_count == 1) {
|
|
if (fingerprint) {
|
|
*fingerprint = hdnode_fingerprint(inout);
|
|
}
|
|
if (hdnode_private_ckd(inout, i[0]) == 0) return 0;
|
|
return 1;
|
|
}
|
|
|
|
bool found = false;
|
|
// if root is not set or not the same
|
|
if (!private_ckd_cache_root_set ||
|
|
memcmp(&private_ckd_cache_root, inout, sizeof(HDNode)) != 0) {
|
|
// clear the cache
|
|
private_ckd_cache_index = 0;
|
|
memzero(private_ckd_cache, sizeof(private_ckd_cache));
|
|
// setup new root
|
|
memcpy(&private_ckd_cache_root, inout, sizeof(HDNode));
|
|
private_ckd_cache_root_set = true;
|
|
} else {
|
|
// try to find parent
|
|
int j = 0;
|
|
for (j = 0; j < BIP32_CACHE_SIZE; j++) {
|
|
if (private_ckd_cache[j].set &&
|
|
private_ckd_cache[j].depth == i_count - 1 &&
|
|
memcmp(private_ckd_cache[j].i, i, (i_count - 1) * sizeof(uint32_t)) ==
|
|
0 &&
|
|
private_ckd_cache[j].node.curve == inout->curve) {
|
|
memcpy(inout, &(private_ckd_cache[j].node), sizeof(HDNode));
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
// else derive parent
|
|
if (!found) {
|
|
size_t k = 0;
|
|
for (k = 0; k < i_count - 1; k++) {
|
|
if (hdnode_private_ckd(inout, i[k]) == 0) return 0;
|
|
}
|
|
// and save it
|
|
memzero(&(private_ckd_cache[private_ckd_cache_index]),
|
|
sizeof(private_ckd_cache[private_ckd_cache_index]));
|
|
private_ckd_cache[private_ckd_cache_index].set = true;
|
|
private_ckd_cache[private_ckd_cache_index].depth = i_count - 1;
|
|
memcpy(private_ckd_cache[private_ckd_cache_index].i, i,
|
|
(i_count - 1) * sizeof(uint32_t));
|
|
memcpy(&(private_ckd_cache[private_ckd_cache_index].node), inout,
|
|
sizeof(HDNode));
|
|
private_ckd_cache_index = (private_ckd_cache_index + 1) % BIP32_CACHE_SIZE;
|
|
}
|
|
|
|
if (fingerprint) {
|
|
*fingerprint = hdnode_fingerprint(inout);
|
|
}
|
|
if (hdnode_private_ckd(inout, i[i_count - 1]) == 0) return 0;
|
|
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
int hdnode_get_address_raw(HDNode *node, uint32_t version, uint8_t *addr_raw) {
|
|
if (hdnode_fill_public_key(node) != 0) {
|
|
return 1;
|
|
}
|
|
ecdsa_get_address_raw(node->public_key, version, node->curve->hasher_pubkey,
|
|
addr_raw);
|
|
return 0;
|
|
}
|
|
|
|
int hdnode_get_address(HDNode *node, uint32_t version, char *addr,
|
|
int addrsize) {
|
|
if (hdnode_fill_public_key(node) != 0) {
|
|
return 1;
|
|
}
|
|
ecdsa_get_address(node->public_key, version, node->curve->hasher_pubkey,
|
|
node->curve->hasher_base58, addr, addrsize);
|
|
return 0;
|
|
}
|
|
|
|
int hdnode_fill_public_key(HDNode *node) {
|
|
if (node->is_public_key_set) {
|
|
return 0;
|
|
}
|
|
|
|
#if USE_BIP32_25519_CURVES
|
|
if (node->curve->params) {
|
|
if (ecdsa_get_public_key33(node->curve->params, node->private_key,
|
|
node->public_key) != 0) {
|
|
return 1;
|
|
}
|
|
} else {
|
|
// According to SLIP-10, curve25519 and ed25519 use the prefix 0x00
|
|
node->public_key[0] = 0;
|
|
if (node->curve == &ed25519_info) {
|
|
ed25519_publickey(node->private_key, node->public_key + 1);
|
|
} else if (node->curve == &ed25519_sha3_info) {
|
|
ed25519_publickey_sha3(node->private_key, node->public_key + 1);
|
|
#if USE_KECCAK
|
|
} else if (node->curve == &ed25519_keccak_info) {
|
|
ed25519_publickey_keccak(node->private_key, node->public_key + 1);
|
|
#endif
|
|
} else if (node->curve == &curve25519_info) {
|
|
curve25519_scalarmult_basepoint(node->public_key + 1, node->private_key);
|
|
#if USE_CARDANO
|
|
} else if (node->curve == &ed25519_cardano_info) {
|
|
ed25519_publickey_ext(node->private_key, node->public_key + 1);
|
|
#endif
|
|
}
|
|
}
|
|
#else
|
|
|
|
if (ecdsa_get_public_key33(node->curve->params, node->private_key,
|
|
node->public_key) != 0) {
|
|
return 1;
|
|
}
|
|
#endif
|
|
node->is_public_key_set = true;
|
|
return 0;
|
|
}
|
|
|
|
#if USE_ETHEREUM
|
|
int hdnode_get_ethereum_pubkeyhash(const HDNode *node, uint8_t *pubkeyhash) {
|
|
uint8_t buf[65] = {0};
|
|
SHA3_CTX ctx = {0};
|
|
|
|
/* get uncompressed public key */
|
|
if (ecdsa_get_public_key65(node->curve->params, node->private_key, buf) !=
|
|
0) {
|
|
return 0;
|
|
}
|
|
|
|
/* compute sha3 of x and y coordinate without 04 prefix */
|
|
sha3_256_Init(&ctx);
|
|
sha3_Update(&ctx, buf + 1, 64);
|
|
keccak_Final(&ctx, buf);
|
|
|
|
/* result are the least significant 160 bits */
|
|
memcpy(pubkeyhash, buf + 12, 20);
|
|
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
#if USE_NEM
|
|
int hdnode_get_nem_address(HDNode *node, uint8_t version, char *address) {
|
|
if (node->curve != &ed25519_keccak_info) {
|
|
return 0;
|
|
}
|
|
|
|
if (hdnode_fill_public_key(node) != 0) {
|
|
return 0;
|
|
}
|
|
|
|
return nem_get_address(&node->public_key[1], version, address);
|
|
}
|
|
|
|
int hdnode_get_nem_shared_key(const HDNode *node,
|
|
const ed25519_public_key peer_public_key,
|
|
const uint8_t *salt, ed25519_public_key mul,
|
|
uint8_t *shared_key) {
|
|
if (node->curve != &ed25519_keccak_info) {
|
|
return 0;
|
|
}
|
|
|
|
// sizeof(ed25519_public_key) == SHA3_256_DIGEST_LENGTH
|
|
if (mul == NULL) mul = shared_key;
|
|
|
|
if (ed25519_scalarmult_keccak(mul, node->private_key, peer_public_key)) {
|
|
return 0;
|
|
}
|
|
|
|
for (size_t i = 0; i < 32; i++) {
|
|
shared_key[i] = mul[i] ^ salt[i];
|
|
}
|
|
|
|
keccak_256(shared_key, 32, shared_key);
|
|
return 1;
|
|
}
|
|
|
|
int hdnode_nem_encrypt(const HDNode *node, const ed25519_public_key public_key,
|
|
const uint8_t *iv_immut, const uint8_t *salt,
|
|
const uint8_t *payload, size_t size, uint8_t *buffer) {
|
|
uint8_t last_block[AES_BLOCK_SIZE] = {0};
|
|
uint8_t remainder = size % AES_BLOCK_SIZE;
|
|
|
|
// Round down to last whole block
|
|
size -= remainder;
|
|
// Copy old last block
|
|
memcpy(last_block, &payload[size], remainder);
|
|
// Pad new last block with number of missing bytes
|
|
memset(&last_block[remainder], AES_BLOCK_SIZE - remainder,
|
|
AES_BLOCK_SIZE - remainder);
|
|
|
|
// the IV gets mutated, so we make a copy not to touch the original
|
|
uint8_t iv[AES_BLOCK_SIZE] = {0};
|
|
memcpy(iv, iv_immut, AES_BLOCK_SIZE);
|
|
|
|
uint8_t shared_key[SHA3_256_DIGEST_LENGTH] = {0};
|
|
if (!hdnode_get_nem_shared_key(node, public_key, salt, NULL, shared_key)) {
|
|
return 0;
|
|
}
|
|
|
|
aes_encrypt_ctx ctx = {0};
|
|
|
|
int ret = aes_encrypt_key256(shared_key, &ctx);
|
|
memzero(shared_key, sizeof(shared_key));
|
|
|
|
if (ret != EXIT_SUCCESS) {
|
|
return 0;
|
|
}
|
|
|
|
if (aes_cbc_encrypt(payload, buffer, size, iv, &ctx) != EXIT_SUCCESS) {
|
|
return 0;
|
|
}
|
|
|
|
if (aes_cbc_encrypt(last_block, &buffer[size], sizeof(last_block), iv,
|
|
&ctx) != EXIT_SUCCESS) {
|
|
return 0;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
int hdnode_nem_decrypt(const HDNode *node, const ed25519_public_key public_key,
|
|
uint8_t *iv, const uint8_t *salt, const uint8_t *payload,
|
|
size_t size, uint8_t *buffer) {
|
|
uint8_t shared_key[SHA3_256_DIGEST_LENGTH] = {0};
|
|
|
|
if (!hdnode_get_nem_shared_key(node, public_key, salt, NULL, shared_key)) {
|
|
return 0;
|
|
}
|
|
|
|
aes_decrypt_ctx ctx = {0};
|
|
|
|
int ret = aes_decrypt_key256(shared_key, &ctx);
|
|
memzero(shared_key, sizeof(shared_key));
|
|
|
|
if (ret != EXIT_SUCCESS) {
|
|
return 0;
|
|
}
|
|
|
|
if (aes_cbc_decrypt(payload, buffer, size, iv, &ctx) != EXIT_SUCCESS) {
|
|
return 0;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
// msg is a data to be signed
|
|
// msg_len is the message length
|
|
int hdnode_sign(HDNode *node, const uint8_t *msg, uint32_t msg_len,
|
|
HasherType hasher_sign, uint8_t *sig, uint8_t *pby,
|
|
int (*is_canonical)(uint8_t by, uint8_t sig[64])) {
|
|
if (node->curve->params) {
|
|
return ecdsa_sign(node->curve->params, hasher_sign, node->private_key, msg,
|
|
msg_len, sig, pby, is_canonical);
|
|
} else if (node->curve == &curve25519_info) {
|
|
return 1; // signatures are not supported
|
|
} else {
|
|
if (node->curve == &ed25519_info) {
|
|
ed25519_sign(msg, msg_len, node->private_key, sig);
|
|
} else if (node->curve == &ed25519_sha3_info) {
|
|
ed25519_sign_sha3(msg, msg_len, node->private_key, sig);
|
|
#if USE_KECCAK
|
|
} else if (node->curve == &ed25519_keccak_info) {
|
|
ed25519_sign_keccak(msg, msg_len, node->private_key, sig);
|
|
#endif
|
|
} else {
|
|
return 1; // unknown or unsupported curve
|
|
}
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
int hdnode_sign_digest(HDNode *node, const uint8_t *digest, uint8_t *sig,
|
|
uint8_t *pby,
|
|
int (*is_canonical)(uint8_t by, uint8_t sig[64])) {
|
|
if (node->curve->params) {
|
|
return ecdsa_sign_digest(node->curve->params, node->private_key, digest,
|
|
sig, pby, is_canonical);
|
|
} else if (node->curve == &curve25519_info) {
|
|
return 1; // signatures are not supported
|
|
} else {
|
|
return hdnode_sign(node, digest, 32, 0, sig, pby, is_canonical);
|
|
}
|
|
}
|
|
|
|
int hdnode_get_shared_key(const HDNode *node, const uint8_t *peer_public_key,
|
|
uint8_t *session_key, int *result_size) {
|
|
// Use elliptic curve Diffie-Helman to compute shared session key
|
|
if (node->curve->params) {
|
|
if (ecdh_multiply(node->curve->params, node->private_key, peer_public_key,
|
|
session_key) != 0) {
|
|
return 1;
|
|
}
|
|
*result_size = 65;
|
|
return 0;
|
|
} else if (node->curve == &curve25519_info) {
|
|
// The prefix 0x04 doesn't make sense here, and may be changed or removed in
|
|
// the future
|
|
session_key[0] = 0x04;
|
|
if (peer_public_key[0] != 0x40) {
|
|
return 1; // Curve25519 public key should start with 0x40 byte.
|
|
}
|
|
curve25519_scalarmult(session_key + 1, node->private_key,
|
|
peer_public_key + 1);
|
|
*result_size = 33;
|
|
return 0;
|
|
} else {
|
|
*result_size = 0;
|
|
return 1; // ECDH is not supported
|
|
}
|
|
}
|
|
|
|
static int hdnode_serialize(const HDNode *node, uint32_t fingerprint,
|
|
uint32_t version, bool use_private, char *str,
|
|
int strsize) {
|
|
uint8_t node_data[78] = {0};
|
|
write_be(node_data, version);
|
|
node_data[4] = node->depth;
|
|
write_be(node_data + 5, fingerprint);
|
|
write_be(node_data + 9, node->child_num);
|
|
memcpy(node_data + 13, node->chain_code, 32);
|
|
if (use_private) {
|
|
node_data[45] = 0;
|
|
memcpy(node_data + 46, node->private_key, 32);
|
|
} else {
|
|
memcpy(node_data + 45, node->public_key, 33);
|
|
}
|
|
int ret = base58_encode_check(node_data, sizeof(node_data),
|
|
node->curve->hasher_base58, str, strsize);
|
|
memzero(node_data, sizeof(node_data));
|
|
return ret;
|
|
}
|
|
|
|
int hdnode_serialize_public(const HDNode *node, uint32_t fingerprint,
|
|
uint32_t version, char *str, int strsize) {
|
|
return hdnode_serialize(node, fingerprint, version, false, str, strsize);
|
|
}
|
|
|
|
int hdnode_serialize_private(const HDNode *node, uint32_t fingerprint,
|
|
uint32_t version, char *str, int strsize) {
|
|
return hdnode_serialize(node, fingerprint, version, true, str, strsize);
|
|
}
|
|
|
|
// check for validity of curve point in case of public data not performed
|
|
static int hdnode_deserialize(const char *str, uint32_t version,
|
|
bool use_private, const char *curve, HDNode *node,
|
|
uint32_t *fingerprint) {
|
|
uint8_t node_data[78] = {0};
|
|
memzero(node, sizeof(HDNode));
|
|
node->curve = get_curve_by_name(curve);
|
|
if (base58_decode_check(str, node->curve->hasher_base58, node_data,
|
|
sizeof(node_data)) != sizeof(node_data)) {
|
|
return -1;
|
|
}
|
|
uint32_t ver = read_be(node_data);
|
|
if (ver != version) {
|
|
return -3; // invalid version
|
|
}
|
|
if (use_private) {
|
|
// invalid data
|
|
if (node_data[45]) {
|
|
return -2;
|
|
}
|
|
memcpy(node->private_key, node_data + 46, 32);
|
|
memzero(node->public_key, sizeof(node->public_key));
|
|
node->is_public_key_set = false;
|
|
} else {
|
|
memzero(node->private_key, sizeof(node->private_key));
|
|
memcpy(node->public_key, node_data + 45, 33);
|
|
node->is_public_key_set = true;
|
|
}
|
|
node->depth = node_data[4];
|
|
if (fingerprint) {
|
|
*fingerprint = read_be(node_data + 5);
|
|
}
|
|
node->child_num = read_be(node_data + 9);
|
|
memcpy(node->chain_code, node_data + 13, 32);
|
|
return 0;
|
|
}
|
|
|
|
int hdnode_deserialize_public(const char *str, uint32_t version,
|
|
const char *curve, HDNode *node,
|
|
uint32_t *fingerprint) {
|
|
return hdnode_deserialize(str, version, false, curve, node, fingerprint);
|
|
}
|
|
|
|
int hdnode_deserialize_private(const char *str, uint32_t version,
|
|
const char *curve, HDNode *node,
|
|
uint32_t *fingerprint) {
|
|
return hdnode_deserialize(str, version, true, curve, node, fingerprint);
|
|
}
|
|
|
|
const curve_info *get_curve_by_name(const char *curve_name) {
|
|
if (curve_name == 0) {
|
|
return 0;
|
|
}
|
|
if (strcmp(curve_name, SECP256K1_NAME) == 0) {
|
|
return &secp256k1_info;
|
|
}
|
|
if (strcmp(curve_name, SECP256K1_DECRED_NAME) == 0) {
|
|
return &secp256k1_decred_info;
|
|
}
|
|
if (strcmp(curve_name, SECP256K1_GROESTL_NAME) == 0) {
|
|
return &secp256k1_groestl_info;
|
|
}
|
|
if (strcmp(curve_name, SECP256K1_SMART_NAME) == 0) {
|
|
return &secp256k1_smart_info;
|
|
}
|
|
if (strcmp(curve_name, NIST256P1_NAME) == 0) {
|
|
return &nist256p1_info;
|
|
}
|
|
if (strcmp(curve_name, ED25519_NAME) == 0) {
|
|
return &ed25519_info;
|
|
}
|
|
#if USE_CARDANO
|
|
if (strcmp(curve_name, ED25519_CARDANO_NAME) == 0) {
|
|
return &ed25519_cardano_info;
|
|
}
|
|
#endif
|
|
if (strcmp(curve_name, ED25519_SHA3_NAME) == 0) {
|
|
return &ed25519_sha3_info;
|
|
}
|
|
#if USE_KECCAK
|
|
if (strcmp(curve_name, ED25519_KECCAK_NAME) == 0) {
|
|
return &ed25519_keccak_info;
|
|
}
|
|
#endif
|
|
if (strcmp(curve_name, CURVE25519_NAME) == 0) {
|
|
return &curve25519_info;
|
|
}
|
|
return 0;
|
|
}
|