Merge branch 'port-stretch'

Author: benma

src/keystore.c

@@ -63,27 +63,6 @@ static bool _validate_seed_length(size_t seed_len)
     return seed_len == 16 || seed_len == 24 || seed_len == 32;
 }
 
-USE_RESULT static keystore_error_t _stretch_retained_seed_encryption_key(
-    const uint8_t* encryption_key,
-    const char* purpose_in,
-    const char* purpose_out,
-    uint8_t* out)
-{
-    uint8_t salted_hashed[32] = {0};
-    UTIL_CLEANUP_32(salted_hashed);
-    if (!salt_hash_data(encryption_key, 32, purpose_in, salted_hashed)) {
-        return KEYSTORE_ERR_SALT;
-    }
-    if (securechip_kdf(salted_hashed, 32, out)) {
-        return KEYSTORE_ERR_SECURECHIP;
-    }
-    if (!salt_hash_data(encryption_key, 32, purpose_out, salted_hashed)) {
-        return KEYSTORE_ERR_SALT;
-    }
-    rust_hmac_sha256(salted_hashed, sizeof(salted_hashed), out, 32, out);
-    return KEYSTORE_OK;
-}
-
 bool keystore_copy_seed(uint8_t* seed_out, size_t* length_out)
 {
     if (!_is_unlocked_device) {
@@ -92,11 +71,15 @@ bool keystore_copy_seed(uint8_t* seed_out, size_t* length_out)
 
     uint8_t retained_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_seed_encryption_key);
-    if (_stretch_retained_seed_encryption_key(
-            _unstretched_retained_seed_encryption_key,
+    if (!rust_keystore_stretch_retained_seed_encryption_key(
+            rust_util_bytes(
+                _unstretched_retained_seed_encryption_key,
+                sizeof(_unstretched_retained_seed_encryption_key)),
             "keystore_retained_seed_access_in",
             "keystore_retained_seed_access_out",
-            retained_seed_encryption_key) != KEYSTORE_OK) {
+            rust_util_bytes_mut(
+                retained_seed_encryption_key,
+                sizeof(retained_seed_encryption_key)))) {
         return false;
     }
     size_t len = _retained_seed_encrypted_len - 48;
@@ -122,11 +105,15 @@ bool keystore_copy_bip39_seed(uint8_t* bip39_seed_out)
 
     uint8_t retained_bip39_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_bip39_seed_encryption_key);
-    if (_stretch_retained_seed_encryption_key(
-            _unstretched_retained_bip39_seed_encryption_key,
+    if (!rust_keystore_stretch_retained_seed_encryption_key(
+            rust_util_bytes(
+                _unstretched_retained_bip39_seed_encryption_key,
+                sizeof(_unstretched_retained_bip39_seed_encryption_key)),
             "keystore_retained_bip39_seed_access_in",
             "keystore_retained_bip39_seed_access_out",
-            retained_bip39_seed_encryption_key) != KEYSTORE_OK) {
+            rust_util_bytes_mut(
+                retained_bip39_seed_encryption_key,
+                sizeof(retained_bip39_seed_encryption_key)))) {
         return false;
     }
     size_t len = _retained_bip39_seed_encrypted_len - 48;
@@ -266,13 +253,15 @@ USE_RESULT static keystore_error_t _retain_seed(const uint8_t* seed, size_t seed
 #endif
     uint8_t retained_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_seed_encryption_key);
-    keystore_error_t result = _stretch_retained_seed_encryption_key(
-        _unstretched_retained_seed_encryption_key,
+    bool stretched = rust_keystore_stretch_retained_seed_encryption_key(
+        rust_util_bytes(
+            _unstretched_retained_seed_encryption_key,
+            sizeof(_unstretched_retained_seed_encryption_key)),
         "keystore_retained_seed_access_in",
         "keystore_retained_seed_access_out",
-        retained_seed_encryption_key);
-    if (result != KEYSTORE_OK) {
-        return result;
+        rust_util_bytes_mut(retained_seed_encryption_key, sizeof(retained_seed_encryption_key)));
+    if (!stretched) {
+        return KEYSTORE_ERR_STRETCH_RETAINED_SEED_KEY;
     }
     size_t len = seed_len + 64;
     if (!cipher_aes_hmac_encrypt(
@@ -299,11 +288,15 @@ USE_RESULT static bool _retain_bip39_seed(const uint8_t* bip39_seed)
 #endif
     uint8_t retained_bip39_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_bip39_seed_encryption_key);
-    if (_stretch_retained_seed_encryption_key(
-            _unstretched_retained_bip39_seed_encryption_key,
+    if (!rust_keystore_stretch_retained_seed_encryption_key(
+            rust_util_bytes(
+                _unstretched_retained_bip39_seed_encryption_key,
+                sizeof(_unstretched_retained_bip39_seed_encryption_key)),
             "keystore_retained_bip39_seed_access_in",
             "keystore_retained_bip39_seed_access_out",
-            retained_bip39_seed_encryption_key) != KEYSTORE_OK) {
+            rust_util_bytes_mut(
+                retained_bip39_seed_encryption_key,
+                sizeof(retained_bip39_seed_encryption_key)))) {
         return false;
     }
     size_t len = sizeof(_retained_bip39_seed_encrypted);

src/keystore.h

@@ -41,6 +41,7 @@ typedef enum {
     KEYSTORE_ERR_HASH,
     KEYSTORE_ERR_ENCRYPT,
     KEYSTORE_ERR_DECRYPT,
+    KEYSTORE_ERR_STRETCH_RETAINED_SEED_KEY,
 } keystore_error_t;
 
 /**

src/rust/bitbox02-rust/src/keystore.rs

@@ -19,13 +19,13 @@ use alloc::string::String;
 use alloc::vec::Vec;
 
 use crate::bip32;
-use bitbox02::keystore;
+use bitbox02::{keystore, securechip};
 
 use util::bip32::HARDENED;
 
 use crate::secp256k1::SECP256K1;
 
-use bitcoin::hashes::{Hash, HashEngine, Hmac, HmacEngine, sha512};
+use bitcoin::hashes::{Hash, HashEngine, Hmac, HmacEngine, sha256, sha512};
 
 /// Returns the keystore's seed encoded as a BIP-39 mnemonic.
 pub fn get_bip39_mnemonic() -> Result<zeroize::Zeroizing<String>, ()> {
@@ -131,6 +131,62 @@ pub fn root_fingerprint() -> Result<Vec<u8>, ()> {
     keystore::root_fingerprint()
 }
 
+/// Stretches the given encryption_key using the securechip. The resulting key is used to encrypt
+/// the retained seed or bip39 seed.
+pub fn stretch_retained_seed_encryption_key(
+    encryption_key: &[u8; 32],
+    purpose_in: &str,
+    purpose_out: &str,
+) -> Result<zeroize::Zeroizing<Vec<u8>>, keystore::Error> {
+    let salted_in =
+        crate::salt::hash_data(encryption_key, purpose_in).map_err(|_| keystore::Error::Salt)?;
+
+    let kdf = securechip::kdf(salted_in.as_slice()).map_err(|err| match err {
+        securechip::Error::SecureChip(sc_err) => keystore::Error::SecureChip(sc_err as i32),
+        securechip::Error::Status(status) => keystore::Error::SecureChip(status),
+    })?;
+
+    let salted_out =
+        crate::salt::hash_data(encryption_key, purpose_out).map_err(|_| keystore::Error::Salt)?;
+
+    let mut engine = HmacEngine::<sha256::Hash>::new(salted_out.as_slice());
+    engine.input(kdf.as_slice());
+    let stretched = Hmac::<sha256::Hash>::from_engine(engine).to_byte_array();
+
+    Ok(zeroize::Zeroizing::new(stretched.to_vec()))
+}
+
+/// # Safety
+///
+/// `encryption_key` must refer to a 32-byte buffer and `out` must have space for 32 bytes.
+/// `purpose_in` and `purpose_out` must be null-terminated C strings.
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn rust_keystore_stretch_retained_seed_encryption_key(
+    encryption_key: util::bytes::Bytes,
+    purpose_in: *const core::ffi::c_char,
+    purpose_out: *const core::ffi::c_char,
+    mut out: util::bytes::BytesMut,
+) -> bool {
+    let encryption_key: [u8; 32] = match encryption_key.as_ref().try_into() {
+        Ok(key) => key,
+        Err(_) => return false,
+    };
+    let purpose_in = unsafe { bitbox02::util::str_from_null_terminated_ptr(purpose_in) };
+    let purpose_out = unsafe { bitbox02::util::str_from_null_terminated_ptr(purpose_out) };
+    let (purpose_in, purpose_out) = match (purpose_in, purpose_out) {
+        (Ok(purpose_in), Ok(purpose_out)) => (purpose_in, purpose_out),
+        _ => return false,
+    };
+
+    match stretch_retained_seed_encryption_key(&encryption_key, purpose_in, purpose_out) {
+        Ok(stretched) => {
+            out.as_mut().copy_from_slice(stretched.as_slice());
+            true
+        }
+        Err(_) => false,
+    }
+}
+
 fn bip85_entropy(keypath: &[u32]) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     let priv_key = secp256k1_get_private_key_twice(keypath)?;
 
@@ -455,6 +511,68 @@ mod tests {
         assert_eq!(root_fingerprint(), Err(()));
     }
 
+    #[test]
+    fn test_stretch_retained_seed_encryption_key_success() {
+        mock_memory();
+        let salt_root = hex!("0000000000000000111111111111111122222222222222223333333333333333");
+        bitbox02::memory::set_salt_root(&salt_root).unwrap();
+
+        let encryption_key =
+            hex!("00112233445566778899aabbccddeeff112233445566778899aabbccddeeff00");
+
+        let stretched = stretch_retained_seed_encryption_key(
+            &encryption_key,
+            "keystore_retained_seed_access_in",
+            "keystore_retained_seed_access_out",
+        )
+        .unwrap();
+
+        let expected = hex!("b6b20683810aee16b5603ae95d14eaae5ae2c8d9df9b66e1b67c698e627bb208");
+        assert_eq!(stretched.as_slice(), expected.as_slice());
+    }
+
+    #[test]
+    fn test_rust_keystore_stretch_retained_seed_encryption_key_success() {
+        mock_memory();
+        let salt_root =
+            hex::decode("0000000000000000111111111111111122222222222222223333333333333333")
+                .unwrap();
+        bitbox02::memory::set_salt_root(salt_root.as_slice().try_into().unwrap()).unwrap();
+
+        let encryption_key_vec =
+            hex::decode("00112233445566778899aabbccddeeff112233445566778899aabbccddeeff00")
+                .unwrap();
+
+        let mut out = [0u8; 32];
+        let purpose_in = c"keystore_retained_seed_access_in";
+        let purpose_out = c"keystore_retained_seed_access_out";
+
+        let success = unsafe {
+            rust_keystore_stretch_retained_seed_encryption_key(
+                util::bytes::rust_util_bytes(encryption_key_vec.as_ptr(), encryption_key_vec.len()),
+                purpose_in.as_ptr(),
+                purpose_out.as_ptr(),
+                util::bytes::rust_util_bytes_mut(out.as_mut_ptr(), out.len()),
+            )
+        };
+        assert!(success);
+        let expected =
+            hex::decode("b6b20683810aee16b5603ae95d14eaae5ae2c8d9df9b66e1b67c698e627bb208")
+                .unwrap();
+        assert_eq!(out, expected.as_slice());
+    }
+
+    #[test]
+    fn test_stretch_retained_seed_encryption_key_salt_error() {
+        mock_memory();
+        bitbox02::memory::set_salt_root(&[0xffu8; 32]).unwrap();
+
+        let encryption_key = [0u8; 32];
+        let result =
+            stretch_retained_seed_encryption_key(&encryption_key, "purpose_in", "purpose_out");
+        assert!(matches!(result, Err(keystore::Error::Salt)));
+    }
+
     #[test]
     fn test_bip85_bip39() {
         keystore::lock();

src/rust/bitbox02-sys/build.rs

@@ -50,6 +50,7 @@ const ALLOWLIST_TYPES: &[&str] = &[
     "component_t",
     "confirm_params_t",
     "trinary_input_string_params_t",
+    "securechip_error_t",
 ];
 
 const ALLOWLIST_FNS: &[&str] = &[
@@ -142,6 +143,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "sdcard_create",
     "secp256k1_ecdsa_anti_exfil_host_commit",
     "securechip_attestation_sign",
+    "securechip_kdf",
     "securechip_model",
     "securechip_monotonic_increments_remaining",
     "securechip_u2f_counter_set",
@@ -167,6 +169,7 @@ const RUSTIFIED_ENUMS: &[&str] = &[
     "memory_result_t",
     "multisig_script_type_t",
     "output_type_t",
+    "securechip_error_t",
     "securechip_model_t",
     "simple_type_t",
     "trinary_choice_t",

src/rust/bitbox02/src/securechip.rs

@@ -12,8 +12,62 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+extern crate alloc;
+
+use alloc::vec::Vec;
+use zeroize::Zeroizing;
+
+pub use bitbox02_sys::securechip_error_t as SecureChipError;
 pub use bitbox02_sys::securechip_model_t as Model;
 
+#[derive(Debug, PartialEq, Eq)]
+pub enum Error {
+    SecureChip(SecureChipError),
+    Status(i32),
+}
+
+// Keep in sync with securechip.h's securechip_error_t.
+const SECURECHIP_ERRORS: [SecureChipError; 15] = [
+    // Errors common to any securechip implementation
+    SecureChipError::SC_ERR_IFS,
+    SecureChipError::SC_ERR_INVALID_ARGS,
+    SecureChipError::SC_ERR_CONFIG_MISMATCH,
+    SecureChipError::SC_ERR_SALT,
+    SecureChipError::SC_ERR_INCORRECT_PASSWORD,
+    // Errors specific to the ATECC
+    SecureChipError::SC_ATECC_ERR_ZONE_UNLOCKED_CONFIG,
+    SecureChipError::SC_ATECC_ERR_ZONE_UNLOCKED_DATA,
+    SecureChipError::SC_ATECC_ERR_SLOT_UNLOCKED_IO,
+    SecureChipError::SC_ATECC_ERR_SLOT_UNLOCKED_AUTH,
+    SecureChipError::SC_ATECC_ERR_SLOT_UNLOCKED_ENC,
+    SecureChipError::SC_ATECC_ERR_RESET_KEYS,
+    // Errors specific to the Optiga
+    SecureChipError::SC_OPTIGA_ERR_CREATE,
+    SecureChipError::SC_OPTIGA_ERR_UNEXPECTED_METADATA,
+    SecureChipError::SC_OPTIGA_ERR_PAL,
+    SecureChipError::SC_OPTIGA_ERR_UNEXPECTED_LEN,
+];
+
+fn securechip_error_from_status(status: i32) -> Option<SecureChipError> {
+    SECURECHIP_ERRORS
+        .iter()
+        .copied()
+        .find(|err| *err as i32 == status)
+}
+
+impl Error {
+    fn from_status(status: i32) -> Self {
+        if status < 0 {
+            match securechip_error_from_status(status) {
+                Some(err) => Error::SecureChip(err),
+                None => Error::Status(status),
+            }
+        } else {
+            Error::Status(status)
+        }
+    }
+}
+
 pub fn attestation_sign(challenge: &[u8; 32], signature: &mut [u8; 64]) -> Result<(), ()> {
     match unsafe {
         bitbox02_sys::securechip_attestation_sign(challenge.as_ptr(), signature.as_mut_ptr())
@@ -31,6 +85,18 @@ pub fn monotonic_increments_remaining() -> Result<u32, ()> {
     }
 }
 
+/// Perform the secure chip KDF with the message in `msg` and return the zeroizing 32-byte result.
+pub fn kdf(msg: &[u8]) -> Result<Zeroizing<Vec<u8>>, Error> {
+    let mut result = Zeroizing::new(vec![0u8; 32]);
+    let status =
+        unsafe { bitbox02_sys::securechip_kdf(msg.as_ptr(), msg.len(), result.as_mut_ptr()) };
+    if status == 0 {
+        Ok(result)
+    } else {
+        Err(Error::from_status(status))
+    }
+}
+
 #[cfg(feature = "app-u2f")]
 #[cfg(not(feature = "testing"))]
 pub fn u2f_counter_set(counter: u32) -> Result<(), ()> {
@@ -63,3 +129,18 @@ pub fn model() -> Result<Model, ()> {
         false => Err(()),
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    use hex_lit::hex;
+
+    #[test]
+    fn test_kdf() {
+        // Matches the deterministic HMAC result returned by test/hardware-fakes/src/fake_securechip.c.
+        let result = kdf(b"stub input").unwrap();
+        let expected = hex!("3d7caa0407f18f6b15a6202843c883f326d614996df67940af210d91aff5b9c8");
+        assert_eq!(result.as_slice(), expected.as_slice());
+    }
+}

src/securechip/securechip.h

@@ -22,6 +22,7 @@
 #include <stddef.h>
 #include <stdint.h>
 
+// Keep in sync with securechip.rs `SECURECHIP_ERRORS`.
 typedef enum {
     // Errors common to any securechip implementation
     SC_ERR_IFS = -1,