/src/trezor-firmware/crypto/rfc6979.c
Line | Count | Source (jump to first uncovered line) |
1 | | /** |
2 | | * Copyright (c) 2013-2014 Tomas Dzetkulic |
3 | | * Copyright (c) 2013-2014 Pavol Rusnak |
4 | | * Copyright (c) 2015 Jochen Hoenicke |
5 | | * |
6 | | * Permission is hereby granted, free of charge, to any person obtaining |
7 | | * a copy of this software and associated documentation files (the "Software"), |
8 | | * to deal in the Software without restriction, including without limitation |
9 | | * the rights to use, copy, modify, merge, publish, distribute, sublicense, |
10 | | * and/or sell copies of the Software, and to permit persons to whom the |
11 | | * Software is furnished to do so, subject to the following conditions: |
12 | | * |
13 | | * The above copyright notice and this permission notice shall be included |
14 | | * in all copies or substantial portions of the Software. |
15 | | * |
16 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
17 | | * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
18 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL |
19 | | * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES |
20 | | * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, |
21 | | * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
22 | | * OTHER DEALINGS IN THE SOFTWARE. |
23 | | */ |
24 | | #include <assert.h> |
25 | | |
26 | | #include "hmac_drbg.h" |
27 | | #include "memzero.h" |
28 | | #include "rfc6979.h" |
29 | | |
30 | | void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, |
31 | 203 | const ecdsa_curve *curve, rfc6979_state *state) { |
32 | 203 | if (curve) { |
33 | 203 | bignum256 hash_bn = {0}; |
34 | 203 | bn_read_be(hash, &hash_bn); |
35 | | |
36 | | // Make sure hash is partly reduced modulo order |
37 | 203 | assert(bn_bitcount(&curve->order) >= 256); |
38 | 203 | bn_mod(&hash_bn, &curve->order); |
39 | | |
40 | 203 | uint8_t hash_reduced[32] = {0}; |
41 | 203 | bn_write_be(&hash_bn, hash_reduced); |
42 | 203 | memzero(&hash_bn, sizeof(hash_bn)); |
43 | 203 | hmac_drbg_init(state, priv_key, 32, hash_reduced, 32); |
44 | 203 | memzero(hash_reduced, sizeof(hash_reduced)); |
45 | 203 | } else { |
46 | 0 | hmac_drbg_init(state, priv_key, 32, hash, 32); |
47 | 0 | } |
48 | 203 | } |
49 | | |
50 | | // generate next number from deterministic random number generator |
51 | 203 | void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) { |
52 | 203 | hmac_drbg_generate(state, rnd, 32); |
53 | 203 | } |
54 | | |
55 | | // generate K in a deterministic way, according to RFC6979 |
56 | | // http://tools.ietf.org/html/rfc6979 |
57 | 203 | void generate_k_rfc6979(bignum256 *k, rfc6979_state *state) { |
58 | 203 | uint8_t buf[32] = {0}; |
59 | 203 | generate_rfc6979(buf, state); |
60 | 203 | bn_read_be(buf, k); |
61 | 203 | memzero(buf, sizeof(buf)); |
62 | 203 | } |