/src/trezor-firmware/crypto/rfc6979.c

Source (jump to first uncovered line)
/**
 * Copyright (c) 2013-2014 Tomas Dzetkulic
 * Copyright (c) 2013-2014 Pavol Rusnak
 * Copyright (c)      2015 Jochen Hoenicke
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
 * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 */
#include <assert.h>

#include "hmac_drbg.h"
#include "memzero.h"
#include "rfc6979.h"

void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
                  const ecdsa_curve *curve, rfc6979_state *state) {
  if (curve) {
    bignum256 hash_bn = {0};
    bn_read_be(hash, &hash_bn);

    // Make sure hash is partly reduced modulo order
    assert(bn_bitcount(&curve->order) >= 256);
    bn_mod(&hash_bn, &curve->order);

    uint8_t hash_reduced[32] = {0};
    bn_write_be(&hash_bn, hash_reduced);
    memzero(&hash_bn, sizeof(hash_bn));
    hmac_drbg_init(state, priv_key, 32, hash_reduced, 32);
    memzero(hash_reduced, sizeof(hash_reduced));
  } else {
    hmac_drbg_init(state, priv_key, 32, hash, 32);
  }
}

// generate next number from deterministic random number generator
void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) {
  hmac_drbg_generate(state, rnd, 32);
}

// generate K in a deterministic way, according to RFC6979
// http://tools.ietf.org/html/rfc6979
void generate_k_rfc6979(bignum256 *k, rfc6979_state *state) {
  uint8_t buf[32] = {0};
  generate_rfc6979(buf, state);
  bn_read_be(buf, k);
  memzero(buf, sizeof(buf));
}

Line	Count	Source (jump to first uncovered line)
1		/**
2		* Copyright (c) 2013-2014 Tomas Dzetkulic
3		* Copyright (c) 2013-2014 Pavol Rusnak
4		* Copyright (c) 2015 Jochen Hoenicke
5		*
6		* Permission is hereby granted, free of charge, to any person obtaining
7		* a copy of this software and associated documentation files (the "Software"),
8		* to deal in the Software without restriction, including without limitation
9		* the rights to use, copy, modify, merge, publish, distribute, sublicense,
10		* and/or sell copies of the Software, and to permit persons to whom the
11		* Software is furnished to do so, subject to the following conditions:
12		*
13		* The above copyright notice and this permission notice shall be included
14		* in all copies or substantial portions of the Software.
15		*
16		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
17		* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19		* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
20		* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
21		* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
22		* OTHER DEALINGS IN THE SOFTWARE.
23		*/
24		#include <assert.h>
25
26		#include "hmac_drbg.h"
27		#include "memzero.h"
28		#include "rfc6979.h"
29
30		void init_rfc6979(const uint8_t priv_key, const uint8_t hash,
31	203	const ecdsa_curve curve, rfc6979_state state) {
32	203	if (curve) {
33	203	bignum256 hash_bn = {0};
34	203	bn_read_be(hash, &hash_bn);
35
36		// Make sure hash is partly reduced modulo order
37	203	assert(bn_bitcount(&curve->order) >= 256);
38	203	bn_mod(&hash_bn, &curve->order);
39
40	203	uint8_t hash_reduced[32] = {0};
41	203	bn_write_be(&hash_bn, hash_reduced);
42	203	memzero(&hash_bn, sizeof(hash_bn));
43	203	hmac_drbg_init(state, priv_key, 32, hash_reduced, 32);
44	203	memzero(hash_reduced, sizeof(hash_reduced));
45	203	} else {
46	0	hmac_drbg_init(state, priv_key, 32, hash, 32);
47	0	}
48	203	}
49
50		// generate next number from deterministic random number generator
51	203	void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) {
52	203	hmac_drbg_generate(state, rnd, 32);
53	203	}
54
55		// generate K in a deterministic way, according to RFC6979
56		// http://tools.ietf.org/html/rfc6979
57	203	void generate_k_rfc6979(bignum256 k, rfc6979_state state) {
58	203	uint8_t buf[32] = {0};
59	203	generate_rfc6979(buf, state);
60	203	bn_read_be(buf, k);
61	203	memzero(buf, sizeof(buf));
62	203	}

Coverage Report

Created: 2024-11-21 07:03