Merge remote-tracking branch 'benma/bip39_12'

benma · benma · commit 8e006872e812 · 2021-05-13T16:06:50.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - Attempt to fix flaky SD behavior
 - Add securechip_model to DeviceInfo: ATECCC608A or ATECC608B.
 - Added reboot purpose for clearer UX: "Proceed to upgrade?" vs. "Go to startup settings?"
+- Allow creation of 128 bit seeds (12 BIP39 recovery words)
 
 ## 9.5.0 [released 2021-03-10]
 - RestoreFrommnemonic: ported to Rust. Will now return UserAbortError on user abort instead of GenericError.
diff --git a/py/bitbox02/bitbox02/bitbox02/bitbox02.py b/py/bitbox02/bitbox02/bitbox02/bitbox02.py
@@ -157,14 +157,18 @@ def set_device_name(self, device_name: str) -> None:
         request.device_name.name = device_name
         self._msg_query(request, expected_response="success")
 
-    def set_password(self) -> bool:
+    def set_password(self, entropy_size: int = 32) -> bool:
         """
         Returns True if the user entered the password correctly (passwords match).
-        Returns False otherwise.
+        Returns False otherwise. Entropy size determines the seed size in bytes; must be 16 or 32.
         """
+        assert entropy_size in (16, 32)
+        if entropy_size == 16:
+            self._require_atleast(semver.VersionInfo(9, 6, 0))
+
         # pylint: disable=no-member
         request = hww.Request()
-        request.set_password.entropy = os.urandom(32)
+        request.set_password.entropy = os.urandom(entropy_size)
         try:
             self._msg_query(request, expected_response="success")
         except Bitbox02Exception as err:
diff --git a/src/keystore.c b/src/keystore.c
@@ -257,8 +257,14 @@ bool keystore_encrypt_and_store_seed(
     return true;
 }
 
-bool keystore_create_and_store_seed(const char* password, const uint8_t* host_entropy)
+bool keystore_create_and_store_seed(
+    const char* password,
+    const uint8_t* host_entropy,
+    size_t host_entropy_size)
 {
+    if (host_entropy_size != 16 && host_entropy_size != 32) {
+        return false;
+    }
     if (KEYSTORE_MAX_SEED_LENGTH != RANDOM_NUM_SIZE) {
         Abort("keystore create: size mismatch");
     }
@@ -267,7 +273,7 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en
     random_32_bytes(seed);
 
     // Mix in Host entropy.
-    for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {
+    for (size_t i = 0; i < host_entropy_size; i++) {
         seed[i] ^= host_entropy[i];
     }
 
@@ -282,10 +288,10 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en
         return false;
     }
 
-    for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {
+    for (size_t i = 0; i < host_entropy_size; i++) {
         seed[i] ^= password_salted_hashed[i];
     }
-    return keystore_encrypt_and_store_seed(seed, KEYSTORE_MAX_SEED_LENGTH, password);
+    return keystore_encrypt_and_store_seed(seed, host_entropy_size, password);
 }
 
 static void _free_string(char** str)
diff --git a/src/keystore.h b/src/keystore.h
@@ -68,11 +68,16 @@ USE_RESULT bool keystore_encrypt_and_store_seed(
     const char* password);
 
 /**
-   Generates 32 bytes of entropy, mixes it with host_entropy, and stores it encrypted with the
-   password.
-   @param[in] host_entropy 32 bytes of entropy to be mixed in.
+   Generates the seed, mixes it with host_entropy, and stores it encrypted with the
+   password. The size of the host entropy determines the size of the seed. Can be either 16 or 32
+   bytes, resulting in 12 or 24 BIP39 recovery words.
+   @param[in] host_entropy bytes of entropy to be mixed in.
+   @param[in] host_entropy_size must be 16 or 32.
 */
-USE_RESULT bool keystore_create_and_store_seed(const char* password, const uint8_t* host_entropy);
+USE_RESULT bool keystore_create_and_store_seed(
+    const char* password,
+    const uint8_t* host_entropy,
+    size_t host_entropy_size);
 
 /** Unlocks the keystore seed or checks the password:
  * If the keystore is locked, it decrypts and loads the seed, unlocking the keystore:
diff --git a/src/rust/bitbox02-rust/src/hww/api/set_password.rs b/src/rust/bitbox02-rust/src/hww/api/set_password.rs
@@ -16,23 +16,23 @@ use super::Error;
 use crate::pb;
 
 use crate::workflow::password;
-use core::convert::TryInto;
 use pb::response::Response;
 
 /// Handles the SetPassword api call. This has the user enter a password twice and creates the
 /// seed/keystore. After this call is finished, the keystore is fully unlocked.
 ///
-/// `entropy` must be exactly 32 bytes and provides additional entropy used when
-/// creating the seed.
+/// `entropy` must be exactly 16 or 32 bytes and provides additional entropy used when creating the
+/// seed. If 16 bytes are provided, the seed will also be 16 bytes long, corresponding to 12 BIP39
+/// recovery words. If 32 bytes are provided, the seed will also be 32 bytes long, corresponding to
+/// 24 BIP39 recovery words.
 pub async fn process(
     pb::SetPasswordRequest { entropy }: &pb::SetPasswordRequest,
 ) -> Result<Response, Error> {
-    let entropy32: [u8; 32] = match entropy.as_slice().try_into() {
-        Err(_) => return Err(Error::InvalidInput),
-        Ok(e) => e,
-    };
+    if entropy.len() != 16 && entropy.len() != 32 {
+        return Err(Error::InvalidInput);
+    }
     let password = password::enter_twice().await?;
-    if !bitbox02::keystore::create_and_store_seed(&password, &entropy32) {
+    if !bitbox02::keystore::create_and_store_seed(&password, &entropy) {
         return Err(Error::Generic);
     }
     if bitbox02::keystore::unlock(&password).is_err() {
diff --git a/src/rust/bitbox02/src/keystore.rs b/src/rust/bitbox02/src/keystore.rs
@@ -62,9 +62,13 @@ pub fn unlock_bip39(mnemonic_passphrase: &SafeInputString) -> Result<(), Error>
     }
 }
 
-pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8; 32]) -> bool {
+pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8]) -> bool {
     unsafe {
-        bitbox02_sys::keystore_create_and_store_seed(password.as_cstr(), host_entropy.as_ptr())
+        bitbox02_sys::keystore_create_and_store_seed(
+            password.as_cstr(),
+            host_entropy.as_ptr(),
+            host_entropy.len() as _,
+        )
     }
 }
 
diff --git a/test/device-test/src/test_backup.c b/test/device-test/src/test_backup.c
@@ -126,7 +126,8 @@ int main(void)
 
     screen_print_debug("Creating initial backup...", 1000);
 
-    if (!keystore_create_and_store_seed("device-test", "host-entropy")) {
+    uint8_t host_entropy[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+    if (!keystore_create_and_store_seed("device-test", host_entropy, sizeof(host_entropy))) {
         Abort("Failed to create keystore");
     }
     uint8_t remaining_attempts;
diff --git a/test/unit-test/CMakeLists.txt b/test/unit-test/CMakeLists.txt
@@ -221,7 +221,7 @@ set(TEST_LIST
    hww
    "-Wl,--wrap=random_32_bytes,--wrap=workflow_confirm_dismiss"
    keystore
-   "-Wl,--wrap=secp256k1_anti_klepto_sign,--wrap=memory_is_initialized,--wrap=memory_is_seeded,--wrap=memory_get_failed_unlock_attempts,--wrap=memory_reset_failed_unlock_attempts,--wrap=memory_increment_failed_unlock_attempts,--wrap=memory_set_encrypted_seed_and_hmac,--wrap=memory_get_encrypted_seed_and_hmac,--wrap=reset_reset,--wrap=salt_hash_data,--wrap=cipher_aes_hmac_encrypt"
+   "-Wl,--wrap=secp256k1_anti_klepto_sign,--wrap=memory_is_initialized,--wrap=memory_is_seeded,--wrap=memory_get_failed_unlock_attempts,--wrap=memory_reset_failed_unlock_attempts,--wrap=memory_increment_failed_unlock_attempts,--wrap=memory_set_encrypted_seed_and_hmac,--wrap=memory_get_encrypted_seed_and_hmac,--wrap=reset_reset,--wrap=salt_hash_data,--wrap=cipher_aes_hmac_encrypt,--wrap=random_32_bytes"
    keystore_antiklepto
    "-Wl,--wrap=keystore_secp256k1_nonce_commit,--wrap=keystore_secp256k1_sign"
    keystore_functional
diff --git a/test/unit-test/test_keystore.c b/test/unit-test/test_keystore.c
@@ -17,8 +17,10 @@
 #include <stddef.h>
 #include <cmocka.h>
 
+#include <cipher/cipher.h>
 #include <keystore.h>
 #include <memory/bitbox02_smarteeprom.h>
+#include <memory/memory.h>
 #include <memory/smarteeprom.h>
 #include <secp256k1_ecdsa_s2c.h>
 #include <secp256k1_recovery.h>
@@ -29,6 +31,8 @@
 #include <stdio.h>
 #include <string.h>
 
+#define PASSWORD ("password")
+
 static uint8_t _mock_seed[32] = {
     0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
     0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
@@ -46,6 +50,8 @@ static uint8_t _mock_bip39_seed[64] = {
     0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
 };
 
+const uint8_t _aes_iv[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+
 static const uint32_t _keypath[] = {
     44 + BIP32_INITIAL_HARDENED_CHILD,
     0 + BIP32_INITIAL_HARDENED_CHILD,
@@ -89,6 +95,13 @@ static uint8_t _kdf_out_3[32] = {
     0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
 };
 
+// Fixture: hmac.new(_password_salted_hashed_stretch_out, _kdf_out_3,
+// hashlib.sha256).hexdigest()
+static uint8_t _expected_secret[32] = {
+    0x39, 0xa7, 0x4f, 0x75, 0xb6, 0x9d, 0x6c, 0x84, 0x5e, 0x18, 0x91, 0x5b, 0xae, 0x29, 0xd1, 0x06,
+    0x12, 0x12, 0x40, 0x37, 0x7a, 0x79, 0x97, 0x55, 0xd7, 0xcc, 0xe9, 0x26, 0x1e, 0x16, 0x91, 0x71,
+};
+
 int __real_secp256k1_anti_klepto_sign(
     const secp256k1_context* ctx,
     secp256k1_ecdsa_signature* sig,
@@ -124,6 +137,8 @@ bool __wrap_salt_hash_data(
     const char* purpose,
     uint8_t* hash_out)
 {
+    check_expected(data);
+    check_expected(data_len);
     check_expected(purpose);
     memcpy(hash_out, (const void*)mock(), 32);
     return true;
@@ -163,6 +178,11 @@ void __wrap_reset_reset(void)
     _reset_reset_called = true;
 }
 
+void __wrap_random_32_bytes(uint8_t* buf)
+{
+    memcpy(buf, (const void*)mock(), 32);
+}
+
 static bool _pubkeys_equal(
     const secp256k1_context* ctx,
     const secp256k1_pubkey* pubkey1,
@@ -296,6 +316,8 @@ static void _test_keystore_secp256k1_sign(void** state)
 
 static void _expect_stretch(bool valid)
 {
+    expect_memory(__wrap_salt_hash_data, data, PASSWORD, strlen(PASSWORD));
+    expect_value(__wrap_salt_hash_data, data_len, strlen(PASSWORD));
     expect_string(__wrap_salt_hash_data, purpose, "keystore_seed_access_in");
     will_return(__wrap_salt_hash_data, _password_salted_hashed_stretch_in);
 
@@ -314,6 +336,8 @@ static void _expect_stretch(bool valid)
     expect_memory(securechip_kdf, msg, _kdf_out_2, 32);
     will_return(securechip_kdf, _kdf_out_3);
 
+    expect_memory(__wrap_salt_hash_data, data, PASSWORD, strlen(PASSWORD));
+    expect_value(__wrap_salt_hash_data, data_len, strlen(PASSWORD));
     expect_string(__wrap_salt_hash_data, purpose, "keystore_seed_access_out");
     will_return(
         __wrap_salt_hash_data,
@@ -327,18 +351,11 @@ static void _expect_encrypt_and_store_seed(void)
     _expect_stretch(true); // first stretch to encrypt
     _expect_stretch(true); // second stretch to verify
 
-    // Fixture: hmac.new(_password_salted_hashed_stretch_out, _kdf_out_3,
-    // hashlib.sha256).hexdigest()
-    static uint8_t expected_secret[32] = {
-        0x39, 0xa7, 0x4f, 0x75, 0xb6, 0x9d, 0x6c, 0x84, 0x5e, 0x18, 0x91,
-        0x5b, 0xae, 0x29, 0xd1, 0x06, 0x12, 0x12, 0x40, 0x37, 0x7a, 0x79,
-        0x97, 0x55, 0xd7, 0xcc, 0xe9, 0x26, 0x1e, 0x16, 0x91, 0x71,
-    };
-    expect_memory(__wrap_cipher_aes_hmac_encrypt, secret, expected_secret, 32);
+    expect_memory(__wrap_cipher_aes_hmac_encrypt, secret, _expected_secret, 32);
+    // For the AES IV:
+    will_return(__wrap_random_32_bytes, _aes_iv);
 }
 
-#define PASSWORD ("password")
-
 static void _test_keystore_encrypt_and_store_seed(void** state)
 {
     _expect_encrypt_and_store_seed();
@@ -532,6 +549,53 @@ static void _test_keystore_encode_xpub(void** state)
         "mzoD84tXp15pviBjgS4df");
 }
 
+static void _test_keystore_create_and_store_seed(void** state)
+{
+    const uint8_t seed_random[32] =
+        "\x98\xef\xa1\xb6\x0a\x83\x39\x16\x61\xa2\x4d\xc7\x4a\x80\x4f\x34\x36\xe8\x33\xe0\xaa\xbe"
+        "\x75\xe9\x71\x1e\x5d\xef\x3a\x8f\x9f\x7c";
+    const uint8_t host_entropy[32] =
+        "\x25\x56\x9b\x9a\x11\xf9\xdb\x65\x60\x45\x9e\x8e\x48\xb4\x72\x7a\x4c\x93\x53\x00\x14\x3d"
+        "\x97\x89\x89\xed\x55\xdb\x1d\x1b\x9c\xbe";
+    const uint8_t password_salted_hashed[32] =
+        "\xad\xee\x84\x29\xf5\xb6\x70\xa9\xd7\x34\x17\x1b\x70\x87\xf3\x8f\x86\x6a\x7e\x26\x5f\x9d"
+        "\x7d\x06\xf0\x0e\x6f\xa4\x17\x54\xac\x77";
+    // expected_seed = seed_random ^ host_entropy ^ password_salted_hashed
+    const uint8_t expected_seed[32] =
+        "\x10\x57\xbe\x05\xee\xcc\x92\xda\xd6\xd3\xc4\x52\x72\xb3\xce\xc1\xfc\x11\x1e\xc6\xe1\x1e"
+        "\x9f\x66\x08\xfd\x67\x90\x30\xc0\xaf\xb5";
+
+    // Invalid seed lengths.
+    assert_false(keystore_create_and_store_seed(PASSWORD, host_entropy, 8));
+    assert_false(keystore_create_and_store_seed(PASSWORD, host_entropy, 24));
+    assert_false(keystore_create_and_store_seed(PASSWORD, host_entropy, 40));
+
+    size_t test_sizes[2] = {16, 32};
+    for (size_t i = 0; i < sizeof(test_sizes) / sizeof(test_sizes[0]); i++) {
+        size_t seed_len = test_sizes[i];
+        // Seed random is xored with host entropy and the salted/hashed user password.
+        will_return(__wrap_random_32_bytes, seed_random);
+        expect_memory(__wrap_salt_hash_data, data, PASSWORD, strlen(PASSWORD));
+        expect_value(__wrap_salt_hash_data, data_len, strlen(PASSWORD));
+        expect_string(__wrap_salt_hash_data, purpose, "keystore_seed_generation");
+        will_return(__wrap_salt_hash_data, password_salted_hashed);
+        _expect_encrypt_and_store_seed();
+        assert_true(keystore_create_and_store_seed(PASSWORD, host_entropy, seed_len));
+
+        // Decrypt and check seed.
+        uint8_t encrypted_seed_and_hmac[96] = {0};
+        uint8_t len = 0;
+        assert_true(memory_get_encrypted_seed_and_hmac(encrypted_seed_and_hmac, &len));
+        size_t decrypted_len = len - 48;
+        uint8_t out[decrypted_len];
+        assert_true(cipher_aes_hmac_decrypt(
+            encrypted_seed_and_hmac, len, out, &decrypted_len, _expected_secret));
+        assert_true(decrypted_len == seed_len);
+
+        assert_memory_equal(expected_seed, out, seed_len);
+    }
+}
+
 int main(void)
 {
     const struct CMUnitTest tests[] = {
@@ -545,6 +609,7 @@ int main(void)
         cmocka_unit_test(_test_keystore_lock),
         cmocka_unit_test(_test_keystore_get_bip39_mnemonic),
         cmocka_unit_test(_test_keystore_encode_xpub),
+        cmocka_unit_test(_test_keystore_create_and_store_seed),
     };
     return cmocka_run_group_tests(tests, NULL, NULL);
 }

Original file line number	Diff line number	Diff line change
`@@ -257,8 +257,14 @@ bool keystore_encrypt_and_store_seed(`
`257`	`257`	`return true;`
`258`	`258`	`}`
`259`	`259`
`260`		`-bool keystore_create_and_store_seed(const char* password, const uint8_t* host_entropy)`
	`260`	`+bool keystore_create_and_store_seed(`
	`261`	`+ const char* password,`
	`262`	`+ const uint8_t* host_entropy,`
	`263`	`+ size_t host_entropy_size)`
`261`	`264`	`{`
	`265`	`+ if (host_entropy_size != 16 && host_entropy_size != 32) {`
	`266`	`+ return false;`
	`267`	`+ }`
`262`	`268`	`if (KEYSTORE_MAX_SEED_LENGTH != RANDOM_NUM_SIZE) {`
`263`	`269`	`Abort("keystore create: size mismatch");`
`264`	`270`	`}`
`@@ -267,7 +273,7 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en`
`267`	`273`	`random_32_bytes(seed);`
`268`	`274`
`269`	`275`	`// Mix in Host entropy.`
`270`		`- for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {`
	`276`	`+ for (size_t i = 0; i < host_entropy_size; i++) {`
`271`	`277`	`seed[i] ^= host_entropy[i];`
`272`	`278`	`}`
`273`	`279`
`@@ -282,10 +288,10 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en`
`282`	`288`	`return false;`
`283`	`289`	`}`
`284`	`290`
`285`		`- for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {`
	`291`	`+ for (size_t i = 0; i < host_entropy_size; i++) {`
`286`	`292`	`seed[i] ^= password_salted_hashed[i];`
`287`	`293`	`}`
`288`		`- return keystore_encrypt_and_store_seed(seed, KEYSTORE_MAX_SEED_LENGTH, password);`
	`294`	`+ return keystore_encrypt_and_store_seed(seed, host_entropy_size, password);`
`289`	`295`	`}`
`290`	`296`
`291`	`297`	`static void _free_string(char** str)`
Original file line number	Diff line number	Diff line change
`@@ -62,9 +62,13 @@ pub fn unlock_bip39(mnemonic_passphrase: &SafeInputString) -> Result<(), Error>`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
`65`		`-pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8; 32]) -> bool {`
	`65`	`+pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8]) -> bool {`
`66`	`66`	`unsafe {`
`67`		`- bitbox02_sys::keystore_create_and_store_seed(password.as_cstr(), host_entropy.as_ptr())`
	`67`	`+ bitbox02_sys::keystore_create_and_store_seed(`
	`68`	`+ password.as_cstr(),`
	`69`	`+ host_entropy.as_ptr(),`
	`70`	`+ host_entropy.len() as _,`
	`71`	`+ )`
`68`	`72`	`}`
`69`	`73`	`}`
`70`	`74`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,8 @@ int main(void)`
`126`	`126`
`127`	`127`	`screen_print_debug("Creating initial backup...", 1000);`
`128`	`128`
`129`		`- if (!keystore_create_and_store_seed("device-test", "host-entropy")) {`
	`129`	`+ uint8_t host_entropy[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";`
	`130`	`+ if (!keystore_create_and_store_seed("device-test", host_entropy, sizeof(host_entropy))) {`
`130`	`131`	`Abort("Failed to create keystore");`
`131`	`132`	`}`
`132`	`133`	`uint8_t remaining_attempts;`