wip

Author: benma

src/rust/bitbox02-rust/src/hww/api/restore.rs

@@ -66,7 +66,7 @@ pub async fn from_file(
     }
 
     let password = password::enter_twice(hal).await?;
-    if let Err(err) = bitbox02::keystore::encrypt_and_store_seed(data.get_seed(), &password) {
+    if let Err(err) = crate::keystore::encrypt_and_store_seed(data.get_seed(), &password) {
         hal.ui()
             .status(&format!("Could not\nrestore backup\n{:?}", err), false)
             .await;
@@ -145,7 +145,7 @@ pub async fn from_mnemonic(
         }
     };
 
-    if let Err(err) = bitbox02::keystore::encrypt_and_store_seed(&seed, &password) {
+    if let Err(err) = crate::keystore::encrypt_and_store_seed(&seed, &password) {
         hal.ui()
             .status(&format!("Could not\nrestore backup\n{:?}", err), false)
             .await;

src/rust/bitbox02-rust/src/keystore.rs

@@ -18,7 +18,39 @@ pub mod ed25519;
 use alloc::vec::Vec;
 
 use crate::bip32;
-use bitbox02::keystore;
+use bitbox02::{cipher, keystore, memory, securechip};
+
+#[derive(Debug)]
+pub enum Error {
+    AlreadyInitialized,
+    Memory,
+    SeedSize,
+    SecureChip,
+    Encrypt,
+}
+
+fn validate_seed_length(len: usize) -> Result<(), Error> {
+    match len {
+        16 | 24 | 32 => Ok(()),
+        _ => Err(Error::SeedSize),
+    }
+}
+
+pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error> {
+    if memory::is_initialized() {
+        return Err(Error::AlreadyInitialized);
+    }
+    keystore::lock();
+    validate_seed_length(seed.len())?;
+    securechip::init_new_password(password).map_err(|_| Error::SecureChip)?;
+    let secret: zeroize::Zeroizing<Vec<u8>> =
+        securechip::stretch_password(password).map_err(|_| Error::SecureChip)?;
+    let encrypted_seed: Vec<u8> =
+        cipher::aes_hmac_encrypt(seed, secret.as_slice()).map_err(|_| Error::Encrypt)?;
+    memory::set_encrypted_seed_and_hmac(&encrypted_seed).map_err(|_| Error::Memory)?;
+    // TODO: verify seed
+    Ok(())
+}
 
 /// Derives an xpub from the keystore seed at the given keypath.
 pub fn get_xpub(keypath: &[u32]) -> Result<bip32::Xpub, ()> {

src/rust/bitbox02-sys/build.rs

@@ -65,7 +65,6 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_copy_seed",
     "keystore_create_and_store_seed",
     "keystore_encode_xpub_at_keypath",
-    "keystore_encrypt_and_store_seed",
     "keystore_get_bip39_mnemonic",
     "keystore_get_bip39_word",
     "keystore_get_ed25519_seed",
@@ -99,6 +98,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "memory_set_initialized",
     "memory_set_mnemonic_passphrase_enabled",
     "memory_set_seed_birthdate",
+    "memory_set_encrypted_seed_and_hmac",
     "memory_setup",
     "menu_create",
     "mock_memory_factoryreset",
@@ -127,6 +127,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "securechip_model",
     "securechip_monotonic_increments_remaining",
     "securechip_u2f_counter_set",
+    "securechip_init_new_password",
+    "securechip_stretch_password",
     "smarteeprom_bb02_config",
     "status_create",
     "trinary_choice_create",
@@ -139,6 +141,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "wally_free_string",
     "wally_get_secp_context",
     "wally_sha512",
+    "cipher_aes_hmac_encrypt",
 ];
 
 const RUSTIFIED_ENUMS: &[&str] = &[

src/rust/bitbox02-sys/wrapper.h

@@ -22,6 +22,7 @@
 #include <reset.h>
 #include <screen.h>
 #include <sd.h>
+#include <cipher/cipher.h>
 #include <secp256k1_ecdsa_adaptor.h>
 #include <secp256k1_ecdsa_s2c.h>
 #include <securechip/securechip.h>

src/rust/bitbox02/src/cipher.rs

@@ -0,0 +1,35 @@
+// Copyright 2020 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use alloc::vec::Vec;
+
+pub fn aes_hmac_encrypt(input: &[u8], key: &[u8]) -> Result<Vec<u8>, ()> {
+    let mut output = vec![0u8; input.len() + 64];
+    let mut output_size: usize = output.len();
+    match unsafe {
+        bitbox02_sys::cipher_aes_hmac_encrypt(
+            input.as_ptr(),
+            input.len() as _,
+            output.as_mut_ptr(),
+            &mut output_size,
+            key.as_ptr(),
+        )
+    } {
+        true => {
+            output.truncate(output_size);
+            Ok(output)
+        }
+        false => Err(()),
+    }
+}

src/rust/bitbox02/src/keystore.rs

@@ -293,19 +293,6 @@ pub fn bip39_mnemonic_to_seed(mnemonic: &str) -> Result<zeroize::Zeroizing<Vec<u
     }
 }
 
-pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error> {
-    match unsafe {
-        bitbox02_sys::keystore_encrypt_and_store_seed(
-            seed.as_ptr(),
-            seed.len(),
-            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
-        )
-    } {
-        keystore_error_t::KEYSTORE_OK => Ok(()),
-        err => Err(err.into()),
-    }
-}
-
 pub fn get_ed25519_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     let mut seed = zeroize::Zeroizing::new([0u8; 96].to_vec());
     match unsafe { bitbox02_sys::keystore_get_ed25519_seed(seed.as_mut_ptr()) } {

src/rust/bitbox02/src/lib.rs

@@ -34,6 +34,7 @@ use alloc::string::String;
 pub mod testing;
 
 pub mod bip32;
+pub mod cipher;
 pub mod keystore;
 pub mod memory;
 pub mod random;

src/rust/bitbox02/src/memory.rs

@@ -160,6 +160,18 @@ pub fn multisig_get_by_hash(hash: &[u8]) -> Option<String> {
     }
 }
 
+pub fn set_encrypted_seed_and_hmac(encrypted_seed_and_hmac: &[u8]) -> Result<(), ()> {
+    match unsafe {
+        bitbox02_sys::memory_set_encrypted_seed_and_hmac(
+            encrypted_seed_and_hmac.as_ptr(),
+            encrypted_seed_and_hmac.len().try_into().unwrap(),
+        )
+    } {
+        true => Ok(()),
+        false => Err(()),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

src/rust/bitbox02/src/securechip.rs

@@ -14,6 +14,8 @@
 
 pub use bitbox02_sys::securechip_model_t as Model;
 
+use alloc::vec::Vec;
+
 pub fn attestation_sign(challenge: &[u8; 32], signature: &mut [u8; 64]) -> Result<(), ()> {
     match unsafe {
         bitbox02_sys::securechip_attestation_sign(challenge.as_ptr(), signature.as_mut_ptr())
@@ -46,6 +48,28 @@ pub fn u2f_counter_set(_counter: u32) -> Result<(), ()> {
     Ok(())
 }
 
+pub fn init_new_password(password: &str) -> Result<(), ()> {
+    match unsafe {
+        bitbox02_sys::securechip_init_new_password(crate::util::str_to_cstr_vec(password)?.as_ptr())
+    } {
+        0 => Ok(()),
+        _ => Err(()),
+    }
+}
+
+pub fn stretch_password(password: &str) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
+    let mut out = zeroize::Zeroizing::new(vec![0u8; 32]);
+    match unsafe {
+        bitbox02_sys::securechip_stretch_password(
+            crate::util::str_to_cstr_vec(password)?.as_ptr(),
+            out.as_mut_ptr(),
+        )
+    } {
+        0 => Ok(out),
+        _ => Err(()),
+    }
+}
+
 pub fn model() -> Result<Model, ()> {
     let mut ver = core::mem::MaybeUninit::uninit();
     match unsafe { bitbox02_sys::securechip_model(ver.as_mut_ptr()) } {

src/rust/bitbox02/src/util.rs

@@ -44,7 +44,7 @@ pub fn truncate_str(s: &str, len: usize) -> &str {
 }
 
 /// Converts a Rust string to a null terminated C string by appending a null
-/// terminator.  Returns `Err(())` if the input already contians a null byte.
+/// terminator.  Returns `Err(())` if the input already contains a null byte.
 pub fn str_to_cstr_vec(input: &str) -> Result<Vec<u8>, ()> {
     Ok(alloc::ffi::CString::new(input)
         .or(Err(()))?