keystore: allow creation of 16 byte seeds

benma · benma · commit b8b6d06520d5 · 2021-05-04T17:49:25.000+02:00
Corresponds to 12 recovery words / 128 bits.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - Attempt to fix flaky SD behavior
 - Add securechip_model to DeviceInfo: ATECCC608A or ATECC608B.
 - Added reboot purpose for clearer UX: "Proceed to upgrade?" vs. "Go to startup settings?"
+- Allow creation of 128 bit seeds (12 BIP39 recovery words)
 
 ## 9.5.0 [released 2021-03-10]
 - RestoreFrommnemonic: ported to Rust. Will now return UserAbortError on user abort instead of GenericError.
diff --git a/py/bitbox02/bitbox02/bitbox02/bitbox02.py b/py/bitbox02/bitbox02/bitbox02/bitbox02.py
@@ -157,14 +157,18 @@ def set_device_name(self, device_name: str) -> None:
         request.device_name.name = device_name
         self._msg_query(request, expected_response="success")
 
-    def set_password(self) -> bool:
+    def set_password(self, entropy_size: int = 32) -> bool:
         """
         Returns True if the user entered the password correctly (passwords match).
-        Returns False otherwise.
+        Returns False otherwise. Entropy size determines the seed size in bytes; must be 16 or 32.
         """
+        assert entropy_size in (16, 32)
+        if entropy_size == 16:
+            self._require_atleast(semver.VersionInfo(9, 6, 0))
+
         # pylint: disable=no-member
         request = hww.Request()
-        request.set_password.entropy = os.urandom(32)
+        request.set_password.entropy = os.urandom(entropy_size)
         try:
             self._msg_query(request, expected_response="success")
         except Bitbox02Exception as err:
diff --git a/src/keystore.c b/src/keystore.c
@@ -257,8 +257,14 @@ bool keystore_encrypt_and_store_seed(
     return true;
 }
 
-bool keystore_create_and_store_seed(const char* password, const uint8_t* host_entropy)
+bool keystore_create_and_store_seed(
+    const char* password,
+    const uint8_t* host_entropy,
+    size_t host_entropy_size)
 {
+    if (host_entropy_size != 16 && host_entropy_size != 32) {
+        return false;
+    }
     if (KEYSTORE_MAX_SEED_LENGTH != RANDOM_NUM_SIZE) {
         Abort("keystore create: size mismatch");
     }
@@ -267,7 +273,7 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en
     random_32_bytes(seed);
 
     // Mix in Host entropy.
-    for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {
+    for (size_t i = 0; i < host_entropy_size; i++) {
         seed[i] ^= host_entropy[i];
     }
 
@@ -282,10 +288,10 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en
         return false;
     }
 
-    for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {
+    for (size_t i = 0; i < host_entropy_size; i++) {
         seed[i] ^= password_salted_hashed[i];
     }
-    return keystore_encrypt_and_store_seed(seed, KEYSTORE_MAX_SEED_LENGTH, password);
+    return keystore_encrypt_and_store_seed(seed, host_entropy_size, password);
 }
 
 static void _free_string(char** str)
diff --git a/src/keystore.h b/src/keystore.h
@@ -68,11 +68,16 @@ USE_RESULT bool keystore_encrypt_and_store_seed(
     const char* password);
 
 /**
-   Generates 32 bytes of entropy, mixes it with host_entropy, and stores it encrypted with the
-   password.
-   @param[in] host_entropy 32 bytes of entropy to be mixed in.
+   Generates the seed, mixes it with host_entropy, and stores it encrypted with the
+   password. The size of the host entropy determines the size of the seed. Can be either 16 or 32
+   bytes, resulting in 12 or 24 BIP39 recovery words.
+   @param[in] host_entropy bytes of entropy to be mixed in.
+   @param[in] host_entropy_size must be 16 or 32.
 */
-USE_RESULT bool keystore_create_and_store_seed(const char* password, const uint8_t* host_entropy);
+USE_RESULT bool keystore_create_and_store_seed(
+    const char* password,
+    const uint8_t* host_entropy,
+    size_t host_entropy_size);
 
 /** Unlocks the keystore seed or checks the password:
  * If the keystore is locked, it decrypts and loads the seed, unlocking the keystore:
diff --git a/src/rust/bitbox02-rust/src/hww/api/set_password.rs b/src/rust/bitbox02-rust/src/hww/api/set_password.rs
@@ -16,23 +16,23 @@ use super::Error;
 use crate::pb;
 
 use crate::workflow::password;
-use core::convert::TryInto;
 use pb::response::Response;
 
 /// Handles the SetPassword api call. This has the user enter a password twice and creates the
 /// seed/keystore. After this call is finished, the keystore is fully unlocked.
 ///
-/// `entropy` must be exactly 32 bytes and provides additional entropy used when
-/// creating the seed.
+/// `entropy` must be exactly 16 or 32 bytes and provides additional entropy used when creating the
+/// seed. If 16 bytes are provided, the seed will also be 16 bytes long, corresponding to 12 BIP39
+/// recovery words. If 32 bytes are provided, the seed will also be 32 bytes long, corresponding to
+/// 24 BIP39 recovery words.
 pub async fn process(
     pb::SetPasswordRequest { entropy }: &pb::SetPasswordRequest,
 ) -> Result<Response, Error> {
-    let entropy32: [u8; 32] = match entropy.as_slice().try_into() {
-        Err(_) => return Err(Error::InvalidInput),
-        Ok(e) => e,
-    };
+    if entropy.len() != 16 && entropy.len() != 32 {
+        return Err(Error::InvalidInput);
+    }
     let password = password::enter_twice().await?;
-    if !bitbox02::keystore::create_and_store_seed(&password, &entropy32) {
+    if !bitbox02::keystore::create_and_store_seed(&password, &entropy) {
         return Err(Error::Generic);
     }
     if bitbox02::keystore::unlock(&password).is_err() {
diff --git a/src/rust/bitbox02/src/keystore.rs b/src/rust/bitbox02/src/keystore.rs
@@ -62,9 +62,13 @@ pub fn unlock_bip39(mnemonic_passphrase: &SafeInputString) -> Result<(), Error>
     }
 }
 
-pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8; 32]) -> bool {
+pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8]) -> bool {
     unsafe {
-        bitbox02_sys::keystore_create_and_store_seed(password.as_cstr(), host_entropy.as_ptr())
+        bitbox02_sys::keystore_create_and_store_seed(
+            password.as_cstr(),
+            host_entropy.as_ptr(),
+            host_entropy.len() as _,
+        )
     }
 }
 
diff --git a/test/device-test/src/test_backup.c b/test/device-test/src/test_backup.c
@@ -126,7 +126,8 @@ int main(void)
 
     screen_print_debug("Creating initial backup...", 1000);
 
-    if (!keystore_create_and_store_seed("device-test", "host-entropy")) {
+    uint8_t host_entropy[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+    if (!keystore_create_and_store_seed("device-test", host_entropy, sizeof(host_entropy))) {
         Abort("Failed to create keystore");
     }
     uint8_t remaining_attempts;

Original file line number	Diff line number	Diff line change
`@@ -257,8 +257,14 @@ bool keystore_encrypt_and_store_seed(`
`257`	`257`	`return true;`
`258`	`258`	`}`
`259`	`259`
`260`		`-bool keystore_create_and_store_seed(const char* password, const uint8_t* host_entropy)`
	`260`	`+bool keystore_create_and_store_seed(`
	`261`	`+ const char* password,`
	`262`	`+ const uint8_t* host_entropy,`
	`263`	`+ size_t host_entropy_size)`
`261`	`264`	`{`
	`265`	`+ if (host_entropy_size != 16 && host_entropy_size != 32) {`
	`266`	`+ return false;`
	`267`	`+ }`
`262`	`268`	`if (KEYSTORE_MAX_SEED_LENGTH != RANDOM_NUM_SIZE) {`
`263`	`269`	`Abort("keystore create: size mismatch");`
`264`	`270`	`}`
`@@ -267,7 +273,7 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en`
`267`	`273`	`random_32_bytes(seed);`
`268`	`274`
`269`	`275`	`// Mix in Host entropy.`
`270`		`- for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {`
	`276`	`+ for (size_t i = 0; i < host_entropy_size; i++) {`
`271`	`277`	`seed[i] ^= host_entropy[i];`
`272`	`278`	`}`
`273`	`279`
`@@ -282,10 +288,10 @@ bool keystore_create_and_store_seed(const char* password, const uint8_t* host_en`
`282`	`288`	`return false;`
`283`	`289`	`}`
`284`	`290`
`285`		`- for (size_t i = 0; i < KEYSTORE_MAX_SEED_LENGTH; i++) {`
	`291`	`+ for (size_t i = 0; i < host_entropy_size; i++) {`
`286`	`292`	`seed[i] ^= password_salted_hashed[i];`
`287`	`293`	`}`
`288`		`- return keystore_encrypt_and_store_seed(seed, KEYSTORE_MAX_SEED_LENGTH, password);`
	`294`	`+ return keystore_encrypt_and_store_seed(seed, host_entropy_size, password);`
`289`	`295`	`}`
`290`	`296`
`291`	`297`	`static void _free_string(char** str)`
Original file line number	Diff line number	Diff line change
`@@ -62,9 +62,13 @@ pub fn unlock_bip39(mnemonic_passphrase: &SafeInputString) -> Result<(), Error>`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
`65`		`-pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8; 32]) -> bool {`
	`65`	`+pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8]) -> bool {`
`66`	`66`	`unsafe {`
`67`		`- bitbox02_sys::keystore_create_and_store_seed(password.as_cstr(), host_entropy.as_ptr())`
	`67`	`+ bitbox02_sys::keystore_create_and_store_seed(`
	`68`	`+ password.as_cstr(),`
	`69`	`+ host_entropy.as_ptr(),`
	`70`	`+ host_entropy.len() as _,`
	`71`	`+ )`
`68`	`72`	`}`
`69`	`73`	`}`
`70`	`74`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,8 @@ int main(void)`
`126`	`126`
`127`	`127`	`screen_print_debug("Creating initial backup...", 1000);`
`128`	`128`
`129`		`- if (!keystore_create_and_store_seed("device-test", "host-entropy")) {`
	`129`	`+ uint8_t host_entropy[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";`
	`130`	`+ if (!keystore_create_and_store_seed("device-test", host_entropy, sizeof(host_entropy))) {`
`130`	`131`	`Abort("Failed to create keystore");`
`131`	`132`	`}`
`132`	`133`	`uint8_t remaining_attempts;`