Merge branch 'rust-bip85'

Author: benma

src/keystore.c

@@ -488,22 +488,15 @@ bool keystore_is_locked(void)
     return !unlocked;
 }
 
-bool keystore_get_bip39_mnemonic(char* mnemonic_out, size_t mnemonic_out_size)
+bool keystore_bip39_mnemonic_from_seed(
+    const uint8_t* seed,
+    size_t seed_size,
+    char* mnemonic_out,
+    size_t mnemonic_out_size)
 {
-    if (keystore_is_locked()) {
-        return false;
-    }
     char* mnemonic = NULL;
-    { // block so that `seed` is zeroed as soon as possible
-        uint8_t seed[KEYSTORE_MAX_SEED_LENGTH] = {0};
-        UTIL_CLEANUP_32(seed);
-        size_t seed_length = 0;
-        if (!keystore_copy_seed(seed, &seed_length)) {
-            return false;
-        }
-        if (bip39_mnemonic_from_bytes(NULL, seed, seed_length, &mnemonic) != WALLY_OK) {
-            return false;
-        }
+    if (bip39_mnemonic_from_bytes(NULL, seed, seed_size, &mnemonic) != WALLY_OK) {
+        return false;
     }
     int snprintf_result = snprintf(mnemonic_out, mnemonic_out_size, "%s", mnemonic);
     util_cleanup_str(&mnemonic);
@@ -733,90 +726,6 @@ bool keystore_get_ed25519_seed(uint8_t* seed_out)
     return true;
 }
 
-static bool _bip85_entropy(const uint32_t* keypath, size_t keypath_len, uint8_t* out)
-{
-    struct ext_key xprv __attribute__((__cleanup__(keystore_zero_xkey))) = {0};
-    if (!_get_xprv_twice(keypath, keypath_len, &xprv)) {
-        return false;
-    }
-    const uint8_t* priv_key = xprv.priv_key + 1; // first byte is 0
-    const uint8_t key[] = "bip-entropy-from-k";
-    return wally_hmac_sha512(key, sizeof(key), priv_key, 32, out, 64) == WALLY_OK;
-}
-
-bool keystore_bip85_bip39(
-    uint32_t words,
-    uint32_t index,
-    char* mnemonic_out,
-    size_t mnemonic_out_size)
-{
-    size_t seed_size;
-    switch (words) {
-    case 12:
-        seed_size = 16;
-        break;
-    case 18:
-        seed_size = 24;
-        break;
-    case 24:
-        seed_size = 32;
-        break;
-    default:
-        return false;
-    }
-
-    if (index >= BIP32_INITIAL_HARDENED_CHILD) {
-        return false;
-    }
-
-    const uint32_t keypath[] = {
-        83696968 + BIP32_INITIAL_HARDENED_CHILD,
-        39 + BIP32_INITIAL_HARDENED_CHILD,
-        0 + BIP32_INITIAL_HARDENED_CHILD,
-        words + BIP32_INITIAL_HARDENED_CHILD,
-        index + BIP32_INITIAL_HARDENED_CHILD,
-    };
-
-    uint8_t entropy[64] = {0};
-    UTIL_CLEANUP_64(entropy);
-    if (!_bip85_entropy(keypath, sizeof(keypath) / sizeof(uint32_t), entropy)) {
-        return false;
-    }
-
-    char* mnemonic = NULL;
-    if (bip39_mnemonic_from_bytes(NULL, entropy, seed_size, &mnemonic) != WALLY_OK) {
-        return false;
-    }
-    int snprintf_result = snprintf(mnemonic_out, mnemonic_out_size, "%s", mnemonic);
-    util_cleanup_str(&mnemonic);
-    free(mnemonic);
-    return snprintf_result >= 0 && snprintf_result < (int)mnemonic_out_size;
-}
-
-bool keystore_bip85_ln(uint32_t index, uint8_t* entropy_out)
-{
-    if (index >= BIP32_INITIAL_HARDENED_CHILD) {
-        return false;
-    }
-
-    const uint32_t keypath[] = {
-        83696968 + BIP32_INITIAL_HARDENED_CHILD,
-        19534 + BIP32_INITIAL_HARDENED_CHILD,
-        0 + BIP32_INITIAL_HARDENED_CHILD,
-        12 + BIP32_INITIAL_HARDENED_CHILD,
-        index + BIP32_INITIAL_HARDENED_CHILD,
-    };
-
-    uint8_t entropy[64] = {0};
-    UTIL_CLEANUP_64(entropy);
-    if (!_bip85_entropy(keypath, sizeof(keypath) / sizeof(uint32_t), entropy)) {
-        return false;
-    }
-
-    memcpy(entropy_out, entropy, 16);
-    return true;
-}
-
 USE_RESULT bool keystore_encode_xpub_at_keypath(
     const uint32_t* keypath,
     size_t keypath_len,

src/keystore.h

@@ -116,13 +116,14 @@ void keystore_lock(void);
 USE_RESULT bool keystore_is_locked(void);
 
 /**
- * @param[out] mnemonic_out resulting mnemonic
- * @param[in] mnemonic_out_size size of mnemonic_out. Should be at least 216 bytes (longest possible
- *            24 word phrase plus null terminator).
- * @return returns false if the keystore is not unlocked or the mnemonic does not fit.
- * The resulting string should be safely zeroed after use.
+ * Converts a 16/24/32 byte seed into a BIP-39 mnemonic string.
+ * Returns false if the seed size is invalid or the output string buffer is not large enough.
  */
-USE_RESULT bool keystore_get_bip39_mnemonic(char* mnemonic_out, size_t mnemonic_out_size);
+USE_RESULT bool keystore_bip39_mnemonic_from_seed(
+    const uint8_t* seed,
+    size_t seed_size,
+    char* mnemonic_out,
+    size_t mnemonic_out_size);
 
 /**
  * Turn a bip39 mnemonic into a seed. Make sure to use UTIL_CLEANUP_32 to destroy it.
@@ -230,31 +231,6 @@ USE_RESULT bool keystore_get_u2f_seed(uint8_t* seed_out);
  */
 USE_RESULT bool keystore_get_ed25519_seed(uint8_t* seed_out);
 
-/**
- * Computes a BIP39 mnemonic according to BIP-85:
- * https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki#bip39
- * @param[in] words must be 12, 18 or 24.
- * @param[in] index must be smaller than `BIP32_INITIAL_HARDENED_CHILD`.
- * @param[out] mnemonic_out resulting mnemonic
- * @param[in] mnemonic_out_size size of mnemonic_out. Should be at least 216 bytes (longest possible
- *            24 word phrase plus null terminator).
- */
-USE_RESULT bool keystore_bip85_bip39(
-    uint32_t words,
-    uint32_t index,
-    char* mnemonic_out,
-    size_t mnemonic_out_size);
-
-/**
- * Computes a 16 byte deterministic seed specifically for Lightning hot wallets according to BIP-85.
- * It is the same as BIP-85 with app number 39', but instead using app number 19534' (= 0x4c4e =
- * 'LN'). https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki#bip39
- * Restricted to 16 byte output entropy.
- * @param[in] index must be smaller than `BIP32_INITIAL_HARDENED_CHILD`.
- * @param[out] entropy_out resulting entropy, must be at least 16 bytes in size.
- */
-USE_RESULT bool keystore_bip85_ln(uint32_t index, uint8_t* entropy_out);
-
 /**
  * Encode an xpub at the given `keypath` as 78 bytes according to BIP32. The version bytes are
  * the ones corresponding to `xpub`, i.e. 0x0488B21E.

src/rust/bitbox02-rust/src/hash.rs

@@ -0,0 +1,56 @@
+// Copyright 2025 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use alloc::vec::Vec;
+
+/// Implements the digest traits for Sha512 backing it with the wally_sha512 C function. This is
+/// done to avoid using a second sha512 implementation like `sha2::Sha512`, which bloats the binary
+/// by an additional ~12.7kB (at the time of writing).
+///
+/// This implementation accumulates the data to be hashed in heap, it does **not** hash in a
+/// streaming fashion, even when using `update()`.
+#[derive(Default, Clone)]
+pub struct Sha512 {
+    message: Vec<u8>,
+}
+
+impl digest::HashMarker for Sha512 {}
+
+impl digest::OutputSizeUser for Sha512 {
+    type OutputSize = digest::typenum::U64;
+}
+
+impl digest::FixedOutput for Sha512 {
+    fn finalize_into(self, out: &mut digest::Output<Self>) {
+        // use digest::Digest;
+        // out.copy_from_slice(&sha2::Sha512::digest(&self.message));
+        out.copy_from_slice(&bitbox02::sha512(&self.message));
+    }
+}
+
+impl digest::Update for Sha512 {
+    fn update(&mut self, data: &[u8]) {
+        self.message.extend(data);
+    }
+}
+
+impl digest::Reset for Sha512 {
+    fn reset(&mut self) {
+        self.message.clear()
+    }
+}
+
+impl digest::core_api::BlockSizeUser for Sha512 {
+    type BlockSize = digest::typenum::U128;
+}

src/rust/bitbox02-rust/src/hww/api/bip85.rs

@@ -20,7 +20,7 @@ use pb::response::Response;
 use crate::hal::Ui;
 use crate::workflow::confirm;
 
-use bitbox02::keystore;
+use crate::keystore;
 
 use alloc::vec::Vec;
 
@@ -160,5 +160,7 @@ async fn process_ln(
         })
         .await?;
 
-    keystore::bip85_ln(account_number).map_err(|_| Error::Generic)
+    Ok(keystore::bip85_ln(account_number)
+        .map_err(|_| Error::Generic)?
+        .to_vec())
 }

src/rust/bitbox02-rust/src/hww/api/show_mnemonic.rs

@@ -22,7 +22,7 @@ use pb::response::Response;
 use crate::hal::Ui;
 use crate::workflow::{confirm, mnemonic, unlock};
 
-use bitbox02::keystore;
+use crate::keystore;
 
 /// Handle the ShowMnemonic API call. This shows the seed encoded as
 /// 12/18/24 BIP39 English words. Afterwards, for each word, the user