Página Principal Explorar Ajuda
Iniciar Sessão
torambo.com
/
Momentum-Apps
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Árvore: dafe1fd7be
Ramos Etiquetas
Momentum-Apps
/
flipbip
/
lib
/
crypto
/
cardano.c

cardano.c 10 KB
Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307 
  1. /**
    2. 

  2.  * Copyright (c) 2013-2021 SatoshiLabs
    3. 

  3.  *
    4. 

  4.  * Permission is hereby granted, free of charge, to any person obtaining
    5. 

  5.  * a copy of this software and associated documentation files (the "Software"),
    6. 

  6.  * to deal in the Software without restriction, including without limitation
    7. 

  7.  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
    8. 

  8.  * and/or sell copies of the Software, and to permit persons to whom the
    9. 

  9.  * Software is furnished to do so, subject to the following conditions:
    10. 

  10.  *
    11. 

  11.  * The above copyright notice and this permission notice shall be included
    12. 

  12.  * in all copies or substantial portions of the Software.
    13. 

  13.  *
    14. 

  14.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
    15. 

  15.  * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    16. 

  16.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
    17. 

  17.  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
    18. 

  18.  * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
    19. 

  19.  * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
    20. 

  20.  * OTHER DEALINGS IN THE SOFTWARE.
    21. 

  21.  */
    22. 

  22. 

  23. #include <stdbool.h>
    24. 

  24. #include <stdint.h>
    25. 

  25. #include <string.h>
    26. 

  26. 

  27. #include "bignum.h"
    28. 

  28. #include "bip32.h"
    29. 

  29. #include "cardano.h"
    30. 

  30. #include "curves.h"
    31. 

  31. #include "hasher.h"
    32. 

  32. #include "hmac.h"
    33. 

  33. #include "memzero.h"
    34. 

  34. #include "options.h"
    35. 

  35. #include "pbkdf2.h"
    36. 

  36. #include "sha2.h"
    37. 

  37. 

  38. #if USE_CARDANO
    39. 

  39. 

  40. #define CARDANO_MAX_NODE_DEPTH 1048576
    41. 

  41. 

  42. const curve_info ed25519_cardano_info = {
    43. 

  43.     .bip32_name = ED25519_CARDANO_NAME,
    44. 

  44.     .params = NULL,
    45. 

  45.     .hasher_base58 = HASHER_SHA2D,
    46. 

  46.     .hasher_sign = HASHER_SHA2D,
    47. 

  47.     .hasher_pubkey = HASHER_SHA2_RIPEMD,
    48. 

  48.     .hasher_script = HASHER_SHA2,
    49. 

  49. };
    50. 

  50. 

  51. static void scalar_multiply8(const uint8_t* src, int bytes, uint8_t* dst) {
    52. 

  52.     uint8_t prev_acc = 0;
    53. 

  53.     for(int i = 0; i < bytes; i++) {
    54. 

  54.         dst[i] = (src[i] << 3) + (prev_acc & 0x7);
    55. 

  55.         prev_acc = src[i] >> 5;
    56. 

  56.     }
    57. 

  57.     dst[bytes] = src[bytes - 1] >> 5;
    58. 

  58. }
    59. 

  59. 

  60. static void scalar_add_256bits(const uint8_t* src1, const uint8_t* src2, uint8_t* dst) {
    61. 

  61.     uint16_t r = 0;
    62. 

  62.     for(int i = 0; i < 32; i++) {
    63. 

  63.         r = r + (uint16_t)src1[i] + (uint16_t)src2[i];
    64. 

  64.         dst[i] = r & 0xff;
    65. 

  65.         r >>= 8;
    66. 

  66.     }
    67. 

  67. }
    68. 

  68. 

  69. static void cardano_ed25519_tweak_bits(uint8_t private_key[32]) {
    70. 

  70.     private_key[0] &= 0xf8;
    71. 

  71.     private_key[31] &= 0x1f;
    72. 

  72.     private_key[31] |= 0x40;
    73. 

  73. }
    74. 

  74. 

  75. int hdnode_private_ckd_cardano(HDNode* inout, uint32_t index) {
    76. 

  76.     if(inout->curve != &ed25519_cardano_info) {
    77. 

  77.         return 0;
    78. 

  78.     }
    79. 

  79. 

  80.     if(inout->depth >= CARDANO_MAX_NODE_DEPTH) {
    81. 

  81.         return 0;
    82. 

  82.     }
    83. 

  83. 

  84.     // checks for hardened/non-hardened derivation, keysize 32 means we are
    85. 

  85.     // dealing with public key and thus non-h, keysize 64 is for private key
    86. 

  86.     int keysize = 32;
    87. 

  87.     if(index & 0x80000000) {
    88. 

  88.         keysize = 64;
    89. 

  89.     }
    90. 

  90. 

  91.     static CONFIDENTIAL uint8_t data[1 + 64 + 4];
    92. 

  92.     static CONFIDENTIAL uint8_t z[32 + 32];
    93. 

  93.     static CONFIDENTIAL uint8_t priv_key[64];
    94. 

  94.     static CONFIDENTIAL uint8_t res_key[64];
    95. 

  95. 

  96.     write_le(data + keysize + 1, index);
    97. 

  97. 

  98.     memcpy(priv_key, inout->private_key, 32);
    99. 

  99.     memcpy(priv_key + 32, inout->private_key_extension, 32);
    100. 

  100. 

  101.     if(keysize == 64) { // private derivation
    102. 

  102.         data[0] = 0;
    103. 

  103.         memcpy(data + 1, inout->private_key, 32);
    104. 

  104.         memcpy(data + 1 + 32, inout->private_key_extension, 32);
    105. 

  105.     } else { // public derivation
    106. 

  106.         if(hdnode_fill_public_key(inout) != 0) {
    107. 

  107.             return 0;
    108. 

  108.         }
    109. 

  109.         data[0] = 2;
    110. 

  110.         memcpy(data + 1, inout->public_key + 1, 32);
    111. 

  111.     }
    112. 

  112. 

  113.     static CONFIDENTIAL HMAC_SHA512_CTX ctx;
    114. 

  114.     hmac_sha512_Init(&ctx, inout->chain_code, 32);
    115. 

  115.     hmac_sha512_Update(&ctx, data, 1 + keysize + 4);
    116. 

  116.     hmac_sha512_Final(&ctx, z);
    117. 

  117. 

  118.     static CONFIDENTIAL uint8_t zl8[32];
    119. 

  119.     memzero(zl8, 32);
    120. 

  120. 

  121.     /* get 8 * Zl */
    122. 

  122.     scalar_multiply8(z, 28, zl8);
    123. 

  123.     /* Kl = 8*Zl + parent(K)l */
    124. 

  124.     scalar_add_256bits(zl8, priv_key, res_key);
    125. 

  125. 

  126.     /* Kr = Zr + parent(K)r */
    127. 

  127.     scalar_add_256bits(z + 32, priv_key + 32, res_key + 32);
    128. 

  128. 

  129.     memcpy(inout->private_key, res_key, 32);
    130. 

  130.     memcpy(inout->private_key_extension, res_key + 32, 32);
    131. 

  131. 

  132.     if(keysize == 64) {
    133. 

  133.         data[0] = 1;
    134. 

  134.     } else {
    135. 

  135.         data[0] = 3;
    136. 

  136.     }
    137. 

  137.     hmac_sha512_Init(&ctx, inout->chain_code, 32);
    138. 

  138.     hmac_sha512_Update(&ctx, data, 1 + keysize + 4);
    139. 

  139.     hmac_sha512_Final(&ctx, z);
    140. 

  140. 

  141.     memcpy(inout->chain_code, z + 32, 32);
    142. 

  142.     inout->depth++;
    143. 

  143.     inout->child_num = index;
    144. 

  144.     memzero(inout->public_key, sizeof(inout->public_key));
    145. 

  145. 

  146.     // making sure to wipe our memory
    147. 

  147.     memzero(z, sizeof(z));
    148. 

  148.     memzero(data, sizeof(data));
    149. 

  149.     memzero(priv_key, sizeof(priv_key));
    150. 

  150.     memzero(res_key, sizeof(res_key));
    151. 

  151.     return 1;
    152. 

  152. }
    153. 

  153. 

  154. int hdnode_from_secret_cardano(const uint8_t secret[CARDANO_SECRET_LENGTH], HDNode* out) {
    155. 

  155.     memzero(out, sizeof(HDNode));
    156. 

  156.     out->depth = 0;
    157. 

  157.     out->child_num = 0;
    158. 

  158.     out->curve = &ed25519_cardano_info;
    159. 

  159.     memcpy(out->private_key, secret, 32);
    160. 

  160.     memcpy(out->private_key_extension, secret + 32, 32);
    161. 

  161.     memcpy(out->chain_code, secret + 64, 32);
    162. 

  162. 

  163.     cardano_ed25519_tweak_bits(out->private_key);
    164. 

  164. 

  165.     out->public_key[0] = 0;
    166. 

  166.     if(hdnode_fill_public_key(out) != 0) {
    167. 

  167.         return 0;
    168. 

  168.     }
    169. 

  169. 

  170.     return 1;
    171. 

  171. }
    172. 

  172. 

  173. // Derives the root Cardano secret from a master secret, aka seed, as defined in
    174. 

  174. // SLIP-0023.
    175. 

  175. int secret_from_seed_cardano_slip23(
    176. 

  176.     const uint8_t* seed,
    177. 

  177.     int seed_len,
    178. 

  178.     uint8_t secret_out[CARDANO_SECRET_LENGTH]) {
    179. 

  179.     static CONFIDENTIAL uint8_t I[SHA512_DIGEST_LENGTH];
    180. 

  180.     static CONFIDENTIAL HMAC_SHA512_CTX ctx;
    181. 

  181. 

  182.     hmac_sha512_Init(&ctx, (const uint8_t*)ED25519_CARDANO_NAME, strlen(ED25519_CARDANO_NAME));
    183. 

  183.     hmac_sha512_Update(&ctx, seed, seed_len);
    184. 

  184.     hmac_sha512_Final(&ctx, I);
    185. 

  185. 

  186.     sha512_Raw(I, 32, secret_out);
    187. 

  187. 

  188.     memcpy(secret_out + SHA512_DIGEST_LENGTH, I + 32, 32);
    189. 

  189.     cardano_ed25519_tweak_bits(secret_out);
    190. 

  190. 

  191.     memzero(I, sizeof(I));
    192. 

  192.     memzero(&ctx, sizeof(ctx));
    193. 

  193.     return 1;
    194. 

  194. }
    195. 

  195. 

  196. // Derives the root Cardano secret from a BIP-32 master secret via the Ledger
    197. 

  197. // derivation:
    198. 

  198. // https://github.com/cardano-foundation/CIPs/blob/09d7d8ee1bd64f7e6b20b5a6cae088039dce00cb/CIP-0003/Ledger.md
    199. 

  199. int secret_from_seed_cardano_ledger(
    200. 

  200.     const uint8_t* seed,
    201. 

  201.     int seed_len,
    202. 

  202.     uint8_t secret_out[CARDANO_SECRET_LENGTH]) {
    203. 

  203.     static CONFIDENTIAL uint8_t chain_code[SHA256_DIGEST_LENGTH];
    204. 

  204.     static CONFIDENTIAL uint8_t root_key[SHA512_DIGEST_LENGTH];
    205. 

  205.     static CONFIDENTIAL HMAC_SHA256_CTX ctx;
    206. 

  206.     static CONFIDENTIAL HMAC_SHA512_CTX sctx;
    207. 

  207. 

  208.     const uint8_t* intermediate_result = seed;
    209. 

  209.     int intermediate_result_len = seed_len;
    210. 

  210.     do {
    211. 

  211.         // STEP 1: derive a master secret like in BIP-32/SLIP-10
    212. 

  212.         hmac_sha512_Init(&sctx, (const uint8_t*)ED25519_SEED_NAME, strlen(ED25519_SEED_NAME));
    213. 

  213.         hmac_sha512_Update(&sctx, intermediate_result, intermediate_result_len);
    214. 

  214.         hmac_sha512_Final(&sctx, root_key);
    215. 

  215. 

  216.         // STEP 2: check that the resulting key does not have a particular bit set,
    217. 

  217.         // otherwise iterate like in SLIP-10
    218. 

  218.         intermediate_result = root_key;
    219. 

  219.         intermediate_result_len = sizeof(root_key);
    220. 

  220.     } while(root_key[31] & 0x20);
    221. 

  221. 

  222.     // STEP 3: calculate the chain code as a HMAC-SHA256 of "\x01" + seed,
    223. 

  223.     // key is "ed25519 seed"
    224. 

  224.     hmac_sha256_Init(&ctx, (const unsigned char*)ED25519_SEED_NAME, strlen(ED25519_SEED_NAME));
    225. 

  225.     hmac_sha256_Update(&ctx, (const unsigned char*)"\x01", 1);
    226. 

  226.     hmac_sha256_Update(&ctx, seed, seed_len);
    227. 

  227.     hmac_sha256_Final(&ctx, chain_code);
    228. 

  228. 

  229.     // STEP 4: extract information into output
    230. 

  230.     _Static_assert(
    231. 

  231.         SHA512_DIGEST_LENGTH + SHA256_DIGEST_LENGTH == CARDANO_SECRET_LENGTH,
    232. 

  232.         "Invalid configuration of Cardano secret size");
    233. 

  233.     memcpy(secret_out, root_key, SHA512_DIGEST_LENGTH);
    234. 

  234.     memcpy(secret_out + SHA512_DIGEST_LENGTH, chain_code, SHA256_DIGEST_LENGTH);
    235. 

  235. 

  236.     // STEP 5: tweak bits of the private key
    237. 

  237.     cardano_ed25519_tweak_bits(secret_out);
    238. 

  238. 

  239.     memzero(&ctx, sizeof(ctx));
    240. 

  240.     memzero(&sctx, sizeof(sctx));
    241. 

  241.     memzero(root_key, sizeof(root_key));
    242. 

  242.     memzero(chain_code, sizeof(chain_code));
    243. 

  243.     return 1;
    244. 

  244. }
    245. 

  245. 

  246. #define CARDANO_ICARUS_STEPS 32
    247. 

  247. _Static_assert(
    248. 

  248.     CARDANO_ICARUS_PBKDF2_ROUNDS % CARDANO_ICARUS_STEPS == 0,
    249. 

  249.     "CARDANO_ICARUS_STEPS does not divide CARDANO_ICARUS_PBKDF2_ROUNDS");
    250. 

  250. #define CARDANO_ICARUS_ROUNDS_PER_STEP (CARDANO_ICARUS_PBKDF2_ROUNDS / CARDANO_ICARUS_STEPS)
    251. 

  251. 

  252. // Derives the root Cardano HDNode from a passphrase and the entropy encoded in
    253. 

  253. // a BIP-0039 mnemonic using the Icarus derivation scheme, aka V2 derivation
    254. 

  254. // scheme:
    255. 

  255. // https://github.com/cardano-foundation/CIPs/blob/09d7d8ee1bd64f7e6b20b5a6cae088039dce00cb/CIP-0003/Icarus.md
    256. 

  256. int secret_from_entropy_cardano_icarus(
    257. 

  257.     const uint8_t* pass,
    258. 

  258.     int pass_len,
    259. 

  259.     const uint8_t* entropy,
    260. 

  260.     int entropy_len,
    261. 

  261.     uint8_t secret_out[CARDANO_SECRET_LENGTH],
    262. 

  262.     void (*progress_callback)(uint32_t, uint32_t)) {
    263. 

  263.     static CONFIDENTIAL PBKDF2_HMAC_SHA512_CTX pctx;
    264. 

  264.     static CONFIDENTIAL uint8_t digest[SHA512_DIGEST_LENGTH];
    265. 

  265.     uint32_t progress = 0;
    266. 

  266. 

  267.     // PASS 1: first 64 bytes
    268. 

  268.     pbkdf2_hmac_sha512_Init(&pctx, pass, pass_len, entropy, entropy_len, 1);
    269. 

  269.     if(progress_callback) {
    270. 

  270.         progress_callback(progress, CARDANO_ICARUS_PBKDF2_ROUNDS * 2);
    271. 

  271.     }
    272. 

  272.     for(int i = 0; i < CARDANO_ICARUS_STEPS; i++) {
    273. 

  273.         pbkdf2_hmac_sha512_Update(&pctx, CARDANO_ICARUS_ROUNDS_PER_STEP);
    274. 

  274.         if(progress_callback) {
    275. 

  275.             progress += CARDANO_ICARUS_ROUNDS_PER_STEP;
    276. 

  276.             progress_callback(progress, CARDANO_ICARUS_PBKDF2_ROUNDS * 2);
    277. 

  277.         }
    278. 

  278.     }
    279. 

  279.     pbkdf2_hmac_sha512_Final(&pctx, digest);
    280. 

  280. 

  281.     memcpy(secret_out, digest, SHA512_DIGEST_LENGTH);
    282. 

  282. 

  283.     // PASS 2: remaining 32 bytes
    284. 

  284.     pbkdf2_hmac_sha512_Init(&pctx, pass, pass_len, entropy, entropy_len, 2);
    285. 

  285.     if(progress_callback) {
    286. 

  286.         progress_callback(progress, CARDANO_ICARUS_PBKDF2_ROUNDS * 2);
    287. 

  287.     }
    288. 

  288.     for(int i = 0; i < CARDANO_ICARUS_STEPS; i++) {
    289. 

  289.         pbkdf2_hmac_sha512_Update(&pctx, CARDANO_ICARUS_ROUNDS_PER_STEP);
    290. 

  290.         if(progress_callback) {
    291. 

  291.             progress += CARDANO_ICARUS_ROUNDS_PER_STEP;
    292. 

  292.             progress_callback(progress, CARDANO_ICARUS_PBKDF2_ROUNDS * 2);
    293. 

  293.         }
    294. 

  294.     }
    295. 

  295.     pbkdf2_hmac_sha512_Final(&pctx, digest);
    296. 

  296. 

  297.     memcpy(
    298. 

  298.         secret_out + SHA512_DIGEST_LENGTH, digest, CARDANO_SECRET_LENGTH - SHA512_DIGEST_LENGTH);
    299. 

  299. 

  300.     cardano_ed25519_tweak_bits(secret_out);
    301. 

  301. 

  302.     memzero(&pctx, sizeof(pctx));
    303. 

  303.     memzero(digest, sizeof(digest));
    304. 

  304.     return 1;
    305. 

  305. }
    306. 

  306. 

  307. #endif // USE_CARDANO
    308.