From 7cd494b9960d5a565895450569c3b0030ff574e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?= Date: Wed, 26 Jan 2022 17:49:48 +0100 Subject: [PATCH 1/4] chore(vendor): update secp256k1-zkp to latest --- core/.changelog.d/2261.changed | 1 + core/SConscript.firmware | 33 ++--------------------- core/SConscript.unix | 33 ++--------------------- core/embed/firmware/memory_T.ld | 2 ++ core/embed/rust/build.rs | 10 ++----- crypto/Makefile | 26 ++++++++---------- crypto/zkp_bip340.c | 4 +-- legacy/Makefile.include | 13 +++++---- legacy/firmware/.changelog.d/2261.changed | 1 + legacy/firmware/Makefile | 8 ++---- vendor/secp256k1-zkp | 2 +- 11 files changed, 34 insertions(+), 99 deletions(-) create mode 100644 core/.changelog.d/2261.changed create mode 100644 legacy/firmware/.changelog.d/2261.changed diff --git a/core/.changelog.d/2261.changed b/core/.changelog.d/2261.changed new file mode 100644 index 00000000000..48b6f4ae26a --- /dev/null +++ b/core/.changelog.d/2261.changed @@ -0,0 +1 @@ +Updated secp256k1-zkp. diff --git a/core/SConscript.firmware b/core/SConscript.firmware index 33225a840ea..7fb427e1bc0 100644 --- a/core/SConscript.firmware +++ b/core/SConscript.firmware @@ -122,13 +122,7 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]: 'USE_SECP256K1_ZKP_ECDSA', ('SECP256K1_CONTEXT_SIZE', '184'), 'USE_ASM_ARM', - 'USE_NUM_NONE', - 'USE_FIELD_INV_BUILTIN', - 'USE_SCALAR_INV_BUILTIN', 'USE_EXTERNAL_ASM', - 'USE_FIELD_10X26', - 'USE_SCALAR_8X32', - 'USE_ECMULT_STATIC_PRECOMPUTATION', 'USE_EXTERNAL_DEFAULT_CALLBACKS', ('ECMULT_GEN_PREC_BITS', '4'), ('ECMULT_WINDOW_SIZE', '8'), @@ -139,6 +133,8 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]: ] SOURCE_MOD_SECP256K1_ZKP = [ 'vendor/secp256k1-zkp/src/secp256k1.c', + 'vendor/secp256k1-zkp/src/precomputed_ecmult.c', + 'vendor/secp256k1-zkp/src/precomputed_ecmult_gen.c', 'vendor/secp256k1-zkp/src/asm/field_10x26_arm.s' ] SOURCE_MOD += [ 
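Review bot: `('SECP256K1_CONTEXT_SIZE', '184')` survives as a context line in the first SConscript.firmware hunk although the library it sizes changes its context layout in this very update (the static `precomputed_ecmult*.c` tables replace the generated ecmult context), so that constant was measured against the old submodule revision; please re-verify it against `secp256k1_context_preallocated_size()` for the new pin, because an undersized preallocated buffer is a memory-safety problem rather than a build error. The same applies to the `'208'` value kept in the SConscript.unix hunk. A comment next to each constant, e.g. `# must equal secp256k1_context_preallocated_size() for the pinned secp256k1-zkp revision`, would make the next submodule bump less error-prone.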
@@ -677,29 +673,6 @@ if FROZEN: env.Depends(source_mpyc, qstr_generated) -# -# static secp256-zkp ecmult context -# -if FEATURE_FLAGS["SECP256K1_ZKP"]: - host_env = Environment(ENV=os.environ) - host_env.Replace( - CC=os.getenv('CC_FOR_BUILD') or 'cc', - COPT='-O2', - CPPPATH='vendor/secp256k1-zkp', - CPPDEFINES=[ - ('ECMULT_GEN_PREC_BITS', '4'), - ] - ) - gen_context = host_env.Program( - target='vendor/secp256k1-zkp/gen_context', - source='vendor/secp256k1-zkp/src/gen_context.c', - ) - secp256k1_zkp_ecmult_static_context = host_env.Command( - target='vendor/secp256k1-zkp/src/ecmult_static_context.h', - source='vendor/secp256k1-zkp/gen_context', - action='cd ${SOURCE.dir}; ./gen_context', - ) - # # Rust library # @@ -784,8 +757,6 @@ obj_program.extend( ' $SOURCE $TARGET', )) env.Depends(obj_program, qstr_generated) -if FEATURE_FLAGS["SECP256K1_ZKP"]: - env.Depends(obj_program, secp256k1_zkp_ecmult_static_context) program_elf = env.Command( target='firmware.elf', diff --git a/core/SConscript.unix b/core/SConscript.unix index dab42df2716..5a54b67376a 100644 --- a/core/SConscript.unix +++ b/core/SConscript.unix @@ -120,12 +120,6 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]: 'USE_SECP256K1_ZKP', 'USE_SECP256K1_ZKP_ECDSA', ('SECP256K1_CONTEXT_SIZE', '208'), - 'USE_NUM_NONE', - 'USE_FIELD_INV_BUILTIN', - 'USE_SCALAR_INV_BUILTIN', - 'USE_FIELD_10X26', - 'USE_SCALAR_8X32', - 'USE_ECMULT_STATIC_PRECOMPUTATION', 'USE_EXTERNAL_DEFAULT_CALLBACKS', ('ECMULT_GEN_PREC_BITS', '4'), ('ECMULT_WINDOW_SIZE', '8'), @@ -136,6 +130,8 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]: ] SOURCE_MOD_SECP256K1_ZKP = [ 'vendor/secp256k1-zkp/src/secp256k1.c', + 'vendor/secp256k1-zkp/src/precomputed_ecmult.c', + 'vendor/secp256k1-zkp/src/precomputed_ecmult_gen.c', ] SOURCE_MOD += [ 'vendor/trezor-crypto/zkp_context.c', 
@@ -640,29 +636,6 @@ if FROZEN: env.Depends(source_mpyc, qstr_generated) -# -# static secp256-zkp ecmult context -# -if FEATURE_FLAGS["SECP256K1_ZKP"]: - host_env = Environment(ENV=os.environ) - host_env.Replace( - CC=os.getenv('CC_FOR_BUILD') or 'cc', - COPT='-O2', - CPPPATH='vendor/secp256k1-zkp', - CPPDEFINES=[ - ('ECMULT_GEN_PREC_BITS', '4'), - ] - ) - gen_context = host_env.Program( - target='vendor/secp256k1-zkp/gen_context', - source='vendor/secp256k1-zkp/src/gen_context.c', - ) - secp256k1_zkp_ecmult_static_context = host_env.Command( - target='vendor/secp256k1-zkp/src/ecmult_static_context.h', - source='vendor/secp256k1-zkp/gen_context', - action='cd ${SOURCE.dir}; ./gen_context', - ) - # # Rust library # @@ -726,8 +699,6 @@ if FROZEN: obj_program.extend(env.Object(source=source_mpyc)) env.Depends(obj_program, qstr_generated) -if FEATURE_FLAGS["SECP256K1_ZKP"]: - env.Depends(obj_program, secp256k1_zkp_ecmult_static_context) program = env.Command( target='trezor-emu-core', diff --git a/core/embed/firmware/memory_T.ld b/core/embed/firmware/memory_T.ld index 1d4ae13627a..4adb2524643 100644 --- a/core/embed/firmware/memory_T.ld +++ b/core/embed/firmware/memory_T.ld @@ -45,6 +45,8 @@ SECTIONS { .flash2 : ALIGN(512) { build/firmware/frozen_mpy.o(.rodata*); build/firmware/vendor/secp256k1-zkp/src/secp256k1.o(.rodata*); + build/firmware/vendor/secp256k1-zkp/src/precomputed_ecmult.o(.rodata*); + build/firmware/vendor/secp256k1-zkp/src/precomputed_ecmult_gen.o(.rodata*); . = ALIGN(512); } >FLASH2 AT>FLASH2 diff --git a/core/embed/rust/build.rs b/core/embed/rust/build.rs index fe75fab62dd..9c2c3add103 100644 --- a/core/embed/rust/build.rs +++ b/core/embed/rust/build.rs 
@@ -201,9 +201,8 @@ fn link_core_objects() { let crate_path = env::var("CARGO_MANIFEST_DIR").unwrap(); let build_path = format!("{}/../../build/unix", crate_path); - // List of object filenames to ignore in the `embed` and `vendor` directory + // List of object filenames to ignore in the `embed` directory let embed_blocklist = [OsStr::new("main_main.o")]; - let vendor_blocklist = [OsStr::new("gen_context.o")]; // Collect all objects that the `core` library uses, and link it in. We have to // make sure to avoid the object with the `_main` symbol, so we don't get any @@ -220,13 +219,8 @@ fn link_core_objects() { for obj in glob::glob(&format!("{}/vendor/**/*.o", build_path)).unwrap() { let obj = obj.unwrap(); - if vendor_blocklist.contains(&obj.file_name().unwrap()) { - // Ignore. - } else { - cc.object(obj); - } + cc.object(obj); } - // Compile all the objects into a static library and link it in automatically. cc.compile("core_lib"); diff --git a/crypto/Makefile b/crypto/Makefile index 1a9d7ececd5..afb1c2054af 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -63,12 +63,6 @@ CFLAGS += $(OPTFLAGS) \ -Werror ZKP_CFLAGS = \ - -DUSE_NUM_NONE \ - -DUSE_FIELD_INV_BUILTIN \ - -DUSE_SCALAR_INV_BUILTIN \ - -DUSE_FIELD_10X26 \ - -DUSE_SCALAR_8X32 \ - -DUSE_ECMULT_STATIC_PRECOMPUTATION \ -DECMULT_GEN_PREC_BITS=4 \ -DECMULT_WINDOW_SIZE=8 \ -DENABLE_MODULE_GENERATOR \ @@ -139,6 +133,8 @@ SRCS += cardano.c OBJS = $(SRCS:.c=.o) OBJS += secp256k1-zkp.o +OBJS += precomputed_ecmult.o +OBJS += precomputed_ecmult_gen.o TESTLIBS = $(shell pkg-config --libs check) -lpthread -lm TESTSSLLIBS = $(shell pkg-config --libs openssl) 
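Review bot: With `vendor_blocklist` removed, the `cc.object(obj)` loop now links every `*.o` found under `build/unix/vendor/**`, including objects left behind by an earlier build such as a stale `gen_context.o` (which carried its own `main`), so the first incremental build after this update may pick up an object the new SConscript never produced until the build directory is cleaned. If the glob is meant to be unconditional, it is worth stating that assumption in the comment above the loop, e.g. `// Assumes build/unix/vendor contains only objects emitted by the current SConscript.`, or keeping a one-entry blocklist for that name. link_core_objects continues outside the hunk.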
@@ -164,8 +160,8 @@ tests/test_speed: tests/test_speed.o $(OBJS) tests/test_openssl: tests/test_openssl.o $(OBJS) $(CC) $(CFLAGS) tests/test_openssl.o $(OBJS) $(TESTSSLLIBS) -o tests/test_openssl -tests/libtrezor-crypto.so: $(SRCS) secp256k1-zkp.o - $(CC) $(CFLAGS) -DAES_128 -DAES_192 -fPIC -shared $(SRCS) secp256k1-zkp.o -o tests/libtrezor-crypto.so +tests/libtrezor-crypto.so: $(SRCS) secp256k1-zkp.o precomputed_ecmult.o precomputed_ecmult_gen.o + $(CC) $(CFLAGS) -DAES_128 -DAES_192 -fPIC -shared $(SRCS) secp256k1-zkp.o precomputed_ecmult.o precomputed_ecmult_gen.o -o tests/libtrezor-crypto.so tools: tools/xpubaddrgen tools/mktable tools/bip39bruteforce @@ -181,11 +177,13 @@ tools/bip39bruteforce: tools/bip39bruteforce.o $(OBJS) fuzzer: fuzzer/fuzzer.o $(OBJS) $(CC) $(CFLAGS) fuzzer/fuzzer.o $(OBJS) -o fuzzer/fuzzer -$(ZKP_PATH)/src/ecmult_static_context.h: $(ZKP_PATH)/src/gen_context.c - $(CC) $(ZKP_CFLAGS) $(ZKP_PATH)/src/gen_context.c -o $(ZKP_PATH)/gen_context - cd $(ZKP_PATH) && ./gen_context +precomputed_ecmult.o: + $(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -fPIC -c $(ZKP_PATH)/src/precomputed_ecmult.c -o precomputed_ecmult.o -secp256k1-zkp.o: $(ZKP_PATH)/src/ecmult_static_context.h +precomputed_ecmult_gen.o: + $(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -fPIC -c $(ZKP_PATH)/src/precomputed_ecmult_gen.c -o precomputed_ecmult_gen.o + +secp256k1-zkp.o: $(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -fPIC -I$(ZKP_PATH) -I$(ZKP_PATH)/src -c $(ZKP_PATH)/src/secp256k1.c -o secp256k1-zkp.o clean: 
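Review bot: The new `precomputed_ecmult.o:` and `precomputed_ecmult_gen.o:` rules, and the rewritten `secp256k1-zkp.o:` rule, list no prerequisites at all, so once the objects exist make never rebuilds them when the submodule sources or `ZKP_CFLAGS` change — after the next submodule bump a stale object compiled for a different context layout would be linked silently. Give each rule its source as a prerequisite, e.g. `precomputed_ecmult.o: $(ZKP_PATH)/src/precomputed_ecmult.c`, `precomputed_ecmult_gen.o: $(ZKP_PATH)/src/precomputed_ecmult_gen.c` and `secp256k1-zkp.o: $(ZKP_PATH)/src/secp256k1.c`. The same prerequisite-less rules are introduced in the legacy/Makefile.include hunk.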
@@ -193,9 +191,7 @@ clean: rm -f tests/*.o tests/test_check tests/test_speed tests/test_openssl tests/libtrezor-crypto.so tests/aestst rm -f tools/*.o tools/xpubaddrgen tools/mktable tools/bip39bruteforce rm -f fuzzer/*.o fuzzer/fuzzer - rm -f secp256k1-zkp.o - rm -f $(ZKP_PATH)/gen_context - rm -f $(ZKP_PATH)/src/ecmult_static_context.h + rm -f secp256k1-zkp.o precomputed_ecmult.o precomputed_ecmult_gen.o clean-fuzzer: clean rm -f crash-* fuzz-*.log slow-unit-* timeout-* diff --git a/crypto/zkp_bip340.c b/crypto/zkp_bip340.c index bce183853c8..8f588f8f7d1 100644 --- a/crypto/zkp_bip340.c +++ b/crypto/zkp_bip340.c @@ -140,8 +140,8 @@ int zkp_bip340_sign_digest(const uint8_t *private_key_bytes, if (!auxiliary_data) { auxiliary_data = zero; } - if (secp256k1_schnorrsig_sign(context_writable, signature_bytes, digest, - &keypair, auxiliary_data) != 1) { + if (secp256k1_schnorrsig_sign32(context_writable, signature_bytes, digest, + &keypair, auxiliary_data) != 1) { result = -1; } } diff --git a/legacy/Makefile.include b/legacy/Makefile.include index 1d6f220f3c3..196ec176294 100644 --- a/legacy/Makefile.include +++ b/legacy/Makefile.include 
@@ -203,12 +203,15 @@ $(NAME).elf: $(OBJS) $(LDSCRIPT) $(LIBDEPS) @printf " LD $@\n" $(Q)$(LD) -o $(NAME).elf $(OBJS) $(LDLIBS) $(LDFLAGS) -$(ZKP_PATH)/src/ecmult_static_context.h: $(ZKP_PATH)/src/gen_context.c - @printf " GEN $@\n" - $(Q)$(CC_FOR_BUILD) $(ZKP_CFLAGS) $(ZKP_PATH)/src/gen_context.c -o $(ZKP_PATH)/gen_context - $(Q)cd $(ZKP_PATH) && ./gen_context +precomputed_ecmult.o: + @printf " CC $@\n" + $(Q)$(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -c $(ZKP_PATH)/src/precomputed_ecmult.c -o precomputed_ecmult.o + +precomputed_ecmult_gen.o: + @printf " CC $@\n" + $(Q)$(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -c $(ZKP_PATH)/src/precomputed_ecmult_gen.c -o precomputed_ecmult_gen.o -secp256k1-zkp.o: $(ZKP_PATH)/src/ecmult_static_context.h +secp256k1-zkp.o: @printf " CC $@\n" $(Q)$(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -I$(ZKP_PATH) -I$(ZKP_PATH)/src -c $(ZKP_PATH)/src/secp256k1.c -o secp256k1-zkp.o diff --git a/legacy/firmware/.changelog.d/2261.changed b/legacy/firmware/.changelog.d/2261.changed new file mode 100644 index 00000000000..48b6f4ae26a --- /dev/null +++ b/legacy/firmware/.changelog.d/2261.changed @@ -0,0 +1 @@ +Updated secp256k1-zkp. diff --git a/legacy/firmware/Makefile b/legacy/firmware/Makefile index d51f8292109..17d70d18532 100644 --- a/legacy/firmware/Makefile +++ b/legacy/firmware/Makefile @@ -16,13 +16,7 @@ OBJS += field_10x26_arm.o endif ZKP_CFLAGS = \ -DUSE_ASM_ARM \ - -DUSE_NUM_NONE \ - -DUSE_FIELD_INV_BUILTIN \ - -DUSE_SCALAR_INV_BUILTIN \ -DUSE_EXTERNAL_ASM \ - -DUSE_FIELD_10X26 \ - -DUSE_SCALAR_8X32 \ - -DUSE_ECMULT_STATIC_PRECOMPUTATION \ -DUSE_EXTERNAL_DEFAULT_CALLBACKS \ -DECMULT_GEN_PREC_BITS=4 \ -DECMULT_WINDOW_SIZE=8 \ @@ -32,6 +26,8 @@ ZKP_CFLAGS = \ -DENABLE_MODULE_EXTRAKEYS OBJS += secp256k1-zkp.o +OBJS += precomputed_ecmult.o +OBJS += precomputed_ecmult_gen.o OBJS += ../vendor/trezor-crypto/zkp_bip340.o OBJS += ../vendor/trezor-crypto/zkp_context.o OBJS += ../vendor/trezor-crypto/zkp_ecdsa.o 
diff --git a/vendor/secp256k1-zkp b/vendor/secp256k1-zkp index 6b8733577e4..7a30cb0c9d9 160000 --- a/vendor/secp256k1-zkp +++ b/vendor/secp256k1-zkp @@ -1 +1 @@ -Subproject commit 6b8733577e4a8e1a4f77aaa48691f188b0c42f5c +Subproject commit 7a30cb0c9d99ab195c461a6fb4e654cd4ef19a8d From 101fe315abf2faf0601b0957428d99b54d862421 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?= Date: Wed, 26 Jan 2022 18:49:24 +0100 Subject: [PATCH 2/4] refactor(crypto,legacy): extend parameters of init_rfc6979 by curve --- crypto/ecdsa.c | 2 +- crypto/rfc6979.c | 2 +- crypto/rfc6979.h | 2 +- crypto/tests/test_check.c | 4 ++-- legacy/firmware/fsm_msg_crypto.h | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c index 1f6f378ee89..f9ff33faf3a 100644 --- a/crypto/ecdsa.c +++ b/crypto/ecdsa.c @@ -687,7 +687,7 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, #if USE_RFC6979 rfc6979_state rng = {0}; - init_rfc6979(priv_key, digest, &rng); + init_rfc6979(priv_key, digest, curve, &rng); #endif bn_read_be(digest, &z); diff --git a/crypto/rfc6979.c b/crypto/rfc6979.c index bb405126490..634da05692a 100644 --- a/crypto/rfc6979.c +++ b/crypto/rfc6979.c @@ -27,7 +27,7 @@ #include "memzero.h" void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, - rfc6979_state *state) { + const ecdsa_curve *curve, rfc6979_state *state) { hmac_drbg_init(state, priv_key, 32, hash, 32); } diff --git a/crypto/rfc6979.h b/crypto/rfc6979.h index 3e409535093..de253f45352 100644 --- a/crypto/rfc6979.h +++ b/crypto/rfc6979.h @@ -33,7 +33,7 @@ typedef HMAC_DRBG_CTX rfc6979_state; void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, - rfc6979_state *rng); + const ecdsa_curve *curve, rfc6979_state *rng); void generate_rfc6979(uint8_t rnd[32], rfc6979_state *rng); void generate_k_rfc6979(bignum256 *k, rfc6979_state *rng); 
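Review bot: The `init_rfc6979` prototype in rfc6979.h now names `ecdsa_curve`, but nothing in this patch makes that type visible to rfc6979.h or rfc6979.c — their includes are still `bignum.h`, `hmac_drbg.h` and `memzero.h` — so this commit appears not to compile on its own (the `#include "ecdsa.h"` only arrives in the third patch of the series); unless `ecdsa_curve` is forward-declared in one of those headers, the include belongs here so the series stays bisectable. Since `curve` is accepted but unused in this patch, a `(void)curve;` in rfc6979.c would also keep the `-Werror` build green if the warning set includes unused parameters.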
diff --git a/crypto/tests/test_check.c b/crypto/tests/test_check.c index 4e74923c26a..d411054d202 100644 --- a/crypto/tests/test_check.c +++ b/crypto/tests/test_check.c @@ -3757,7 +3757,7 @@ END_TEST #define test_deterministic(KEY, MSG, K) \ do { \ sha256_Raw((uint8_t *)MSG, strlen(MSG), buf); \ - init_rfc6979(fromhex(KEY), buf, &rng); \ + init_rfc6979(fromhex(KEY), buf, NULL, &rng); \ generate_k_rfc6979(&k, &rng); \ bn_write_be(&k, buf); \ ck_assert_mem_eq(buf, fromhex(K), 32); \ @@ -6790,7 +6790,7 @@ START_TEST(test_ed25519_cosi) { "26c76712d89d906e6672dafa614c42e5cb1caac8c6568e4d2493087db51f0d36"), fromhex( "26659c1cf7321c178c07437150639ff0c5b7679c7ea195253ed9abda2e081a37"), - &rng); + NULL, &rng); for (int N = 1; N < 11; N++) { ed25519_public_key pk; diff --git a/legacy/firmware/fsm_msg_crypto.h b/legacy/firmware/fsm_msg_crypto.h index da9e76cd4c7..5e2b8df9e77 100644 --- a/legacy/firmware/fsm_msg_crypto.h +++ b/legacy/firmware/fsm_msg_crypto.h @@ -259,7 +259,7 @@ void fsm_msgCosiCommit(const CosiCommit *msg) { uint8_t nonce[32]; sha256_Raw(msg->data.bytes, msg->data.size, nonce); rfc6979_state rng; - init_rfc6979(node->private_key, nonce, &rng); + init_rfc6979(node->private_key, nonce, NULL, &rng); generate_rfc6979(nonce, &rng); resp->has_commitment = true; @@ -302,7 +302,7 @@ void fsm_msgCosiSign(const CosiSign *msg) { uint8_t nonce[32]; sha256_Raw(msg->data.bytes, msg->data.size, nonce); rfc6979_state rng; - init_rfc6979(node->private_key, nonce, &rng); + init_rfc6979(node->private_key, nonce, NULL, &rng); generate_rfc6979(nonce, &rng); resp->signature.size = 32; From 58e9af355bbfc10de51da888f0f2d14adf899c1f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?= Date: Wed, 26 Jan 2022 17:53:04 +0100 Subject: [PATCH 3/4] fix(crypto): reduce digest in RFC6979 to match specification --- crypto/rfc6979.c | 20 +++++++++++++-- crypto/rfc6979.h | 1 + crypto/tests/test_check.c | 52 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 71 insertions(+), 2 deletions(-) diff --git a/crypto/rfc6979.c b/crypto/rfc6979.c index 634da05692a..96f4dfcbf6d 100644 --- a/crypto/rfc6979.c +++ b/crypto/rfc6979.c @@ -21,14 +21,30 @@ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR * OTHER DEALINGS IN THE SOFTWARE. */ +#include -#include "rfc6979.h" #include "hmac_drbg.h" #include "memzero.h" +#include "rfc6979.h" void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, const ecdsa_curve *curve, rfc6979_state *state) { - hmac_drbg_init(state, priv_key, 32, hash, 32); + if (curve) { + bignum256 hash_bn = {0}; + bn_read_be(hash, &hash_bn); + + // Make sure hash is partly reduced modulo order + assert(bn_bitcount(&curve->order) >= 256); + bn_mod(&hash_bn, &curve->order); + + uint8_t hash_reduced[32] = {0}; + bn_write_be(&hash_bn, hash_reduced); + memzero(&hash_bn, sizeof(hash_bn)); + hmac_drbg_init(state, priv_key, 32, hash_reduced, 32); + memzero(hash_reduced, sizeof(hash_reduced)); + } else { + hmac_drbg_init(state, priv_key, 32, hash, 32); + } } // generate next number from deterministic random number generator diff --git a/crypto/rfc6979.h b/crypto/rfc6979.h index de253f45352..e4cb9ff049f 100644 --- a/crypto/rfc6979.h +++ b/crypto/rfc6979.h @@ -27,6 +27,7 @@ #include #include "bignum.h" +#include "ecdsa.h" #include "hmac_drbg.h" // rfc6979 pseudo random number generator state diff --git a/crypto/tests/test_check.c b/crypto/tests/test_check.c index d411054d202..bf2670bdfbd 100644 --- a/crypto/tests/test_check.c +++ b/crypto/tests/test_check.c 
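Review bot: `assert(bn_bitcount(&curve->order) >= 256)` is the only guard in front of the `bn_mod` reduction, and `assert` compiles to nothing under `NDEBUG`, so a curve with a shorter order would take this path unchecked in a release build: the result would no longer be the RFC 6979 bits2octets value (which truncates to qlen bits rather than reducing a 256-bit integer), and — if `bn_mod` requires its input to be below twice the modulus, as I believe it does — its precondition would no longer hold. Both curves in this tree appear to be 256-bit, so a comment stating the invariant, e.g. `// Only 256-bit orders are supported: the 32-byte hash is already qlen bits, so bits2octets is a plain reduction modulo the order`, or a check that survives `NDEBUG` would make the assumption explicit. The `else` branch also deserves a line on the function, e.g. `// curve == NULL: the hash is fed to the DRBG unreduced (non-ECDSA callers)`, since that is the only way callers learn which of the two streams they get.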
@@ -3802,6 +3802,54 @@ START_TEST(test_rfc6979) { } END_TEST +static void test_ecdsa_sign_digest_deterministic_helper( + int (*ecdsa_sign_digest_fn)(const ecdsa_curve *, const uint8_t *, + const uint8_t *, uint8_t *, uint8_t *, + int (*)(uint8_t by, uint8_t sig[64]))) { + static struct { + const char *priv_key; + const char *digest; + const char *sig; + } tests[] = { + {"312155017c70a204106e034520e0cdf17b3e54516e2ece38e38e38e38e38e38e", + "ffffffffffffffffffffffffffffffff20202020202020202020202020202020", + "e3d70248ea2fc771fc8d5e62d76b9cfd5402c96990333549eaadce1ae9f737eb" + "5cfbdc7d1e0ec18cc9b57bbb18f0a57dc929ec3c4dfac9073c581705015f6a8a"}, + {"312155017c70a204106e034520e0cdf17b3e54516e2ece38e38e38e38e38e38e", + "2020202020202020202020202020202020202020202020202020202020202020", + "40666188895430715552a7e4c6b53851f37a93030fb94e043850921242db78e8" + "75aa2ac9fd7e5a19402973e60e64382cdc29a09ebf6cb37e92f23be5b9251aee"}, + }; + + const ecdsa_curve *curve = &secp256k1; + uint8_t priv_key[32] = {0}; + uint8_t digest[32] = {0}; + uint8_t expected_sig[64] = {0}; + uint8_t computed_sig[64] = {0}; + int res = 0; + + for (size_t i = 0; i < sizeof(tests) / sizeof(*tests); i++) { + memcpy(priv_key, fromhex(tests[i].priv_key), 32); + memcpy(digest, fromhex(tests[i].digest), 32); + memcpy(expected_sig, fromhex(tests[i].sig), 64); + + res = + ecdsa_sign_digest_fn(curve, priv_key, digest, computed_sig, NULL, NULL); + ck_assert_int_eq(res, 0); + ck_assert_mem_eq(expected_sig, computed_sig, 64); + } +} + +START_TEST(test_ecdsa_sign_digest_deterministic) { + test_ecdsa_sign_digest_deterministic_helper(ecdsa_sign_digest); +} +END_TEST + +START_TEST(test_zkp_ecdsa_sign_digest_deterministic) { + test_ecdsa_sign_digest_deterministic_helper(zkp_ecdsa_sign_digest); +} +END_TEST + // test vectors from // http://www.inconteam.com/software-development/41-encryption/55-aes-test-vectors START_TEST(test_aes) { 
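Review bot: The two vectors in `tests[]` carry no provenance comment, so a reader cannot tell whether they came from an independent RFC 6979 implementation or were produced by this code after the fix; for a nonce-derivation change that silently alters signatures, a comment naming the reference used is what lets the test catch a spec mismatch rather than only a future regression. It would also help to state what each vector exercises: the first digest appears to exceed the secp256k1 group order and so takes the reduction path, while the second does not, e.g. `// digest > order: exercises the bits2octets reduction` / `// digest < order: reduction is a no-op`.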
@@ -9461,6 +9509,10 @@ Suite *test_suite(void) { tcase_add_test(tc, test_zkp_ecdsa_get_public_key65); tcase_add_test(tc, test_zkp_ecdsa_recover_pub_from_sig); tcase_add_test(tc, test_zkp_ecdsa_verify_digest); +#if USE_RFC6979 + tcase_add_test(tc, test_ecdsa_sign_digest_deterministic); + tcase_add_test(tc, test_zkp_ecdsa_sign_digest_deterministic); +#endif suite_add_tcase(s, tc); tc = tcase_create("rfc6979"); From 1624d7c5e26878088465a82885194bd356a151fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?= Date: Mon, 9 May 2022 16:08:33 +0200 Subject: [PATCH 4/4] refactor(crypto): remove code that is duplicated in secp256k1-zkp submodule --- crypto/zkp_bip340.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/crypto/zkp_bip340.c b/crypto/zkp_bip340.c index 8f588f8f7d1..fd87086a268 100644 --- a/crypto/zkp_bip340.c +++ b/crypto/zkp_bip340.c @@ -136,10 +136,6 @@ int zkp_bip340_sign_digest(const uint8_t *private_key_bytes, } if (result == 0) { - uint8_t zero[32] = {0}; - if (!auxiliary_data) { - auxiliary_data = zero; - } if (secp256k1_schnorrsig_sign32(context_writable, signature_bytes, digest, &keypair, auxiliary_data) != 1) { result = -1;
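Review bot: Removing the local `zero[32]` fallback lets a NULL `auxiliary_data` reach `secp256k1_schnorrsig_sign32` directly, which is only correct if the pinned submodule revision treats a NULL `aux_rand32` as 32 zero bytes — the commit message says the code is duplicated upstream, but that should be confirmed against the pinned commit, since a dereference here would crash on the signing path. If that is the contract relied on, say so at the call, e.g. `// NULL auxiliary_data is accepted by sign32 and treated as 32 zero bytes`, and note on zkp_bip340_sign_digest that callers passing NULL get fully deterministic signatures, which BIP 340 describes as forgoing the fault and side-channel hardening that fresh auxiliary randomness provides. zkp_bip340_sign_digest starts outside the hunk.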