Merge branch 'sha512'

Author: benma

.ci/ci

@@ -63,6 +63,14 @@ if arm-none-eabi-nm build/bin/firmware.elf | grep -q "strftime"; then
     echo "strftime adds significant binary bloat. Use custom formatting like in `format_dateimte()`."
     exit 1
 fi
+if arm-none-eabi-nm build/bin/firmware.elf | grep -q "sha26sha512"; then
+    # sha26sha512 is a mangled Rust symbol standing for `sha2::sha512`.
+    # One can use rustfilt to see the demangled symbols:
+    # cargo install rustfilt; arm-none-eabi-nm build/bin/firmware.elf | rustfilt
+    echo "sha2::Sha512 adds significant binary bloat."
+    echo "Only use it if there is no other sha512 impl available that is smaller."
+    exit 1
+fi
 
 (cd tools/atecc608; go test ./...)
 

src/CMakeLists.txt

@@ -416,6 +416,7 @@ add_custom_target(rust-bindgen
     --allowlist-function secp256k1_ecdsa_anti_exfil_host_commit
     --allowlist-function wally_get_secp_context
     --allowlist-function wally_hash160
+    --allowlist-function wally_sha512
     --allowlist-function printf
     ${CMAKE_CURRENT_SOURCE_DIR}/rust/bitbox02-sys/wrapper.h --
     -DPB_NO_PACKED_STRUCTS=1 -DPB_FIELD_16BIT=1 -fshort-enums ${RUST_BINDGEN_FLAGS} ${RUST_INCLUDES}

src/rust/.cargo/config.toml

@@ -3,7 +3,7 @@ replace-with = "vendored-sources"
 
 [source."git+https://github.com/digitalbitbox/rust-bip32-ed25519?tag=v0.1.2"]
 git = "https://github.com/digitalbitbox/rust-bip32-ed25519"
-tag = "v0.1.2"
+tag = "v0.2.0"
 replace-with = "vendored-sources"
 
 [source.vendored-sources]

src/rust/Cargo.lock

@@ -40,12 +40,12 @@ zeroize = { workspace = true }
 num-bigint = { workspace = true, optional = true }
 num-traits = { version = "0.2", default-features = false }
 # If you change this, also change src/rust/.cargo/config.toml.
-bip32-ed25519 = { git = "https://github.com/digitalbitbox/rust-bip32-ed25519", tag = "v0.1.2", optional = true }
+bip32-ed25519 = { git = "https://github.com/digitalbitbox/rust-bip32-ed25519", tag = "v0.2.0", optional = true }
 bech32 = { version = "0.11.0", default-features = false, features = ["alloc"], optional = true }
 blake2 = { version = "0.10.6", default-features = false, features = ["size_opt"], optional = true }
 minicbor = { version = "0.24.0", default-features = false, features = ["alloc"], optional = true }
 crc = { version = "3.0.1", optional = true }
-ed25519-dalek = { version = "2.0.0", default-features = false, features = ["hazmat"], optional = true }
+ed25519-dalek = { version = "2.1.1", default-features = false, features = ["hazmat", "digest"], optional = true }
 lazy_static = { workspace = true, optional = true }
 hmac = { version = "0.12.1", default-features = false, features = ["reset"] }
 

src/rust/bitbox02-rust/Cargo.toml

@@ -1,4 +1,4 @@
-// Copyright 2021 Shift Crypto AG
+// Copyright 2021, 2024 Shift Crypto AG
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,22 +15,61 @@
 use alloc::vec::Vec;
 
 use bip32_ed25519::{Xprv, Xpub, ED25519_EXPANDED_SECRET_KEY_SIZE};
-use sha2::Sha512;
+
+/// Implements the digest traits for Sha512 backing it with the wally_sha512 C function. This is
+/// done to avoid using a second sha512 implementation like `sha2::Sha512`, which bloats the binary
+/// by an additional ~12.7kB (at the time of writing).
+///
+/// This implementation accumulates the data to be hashed in heap, it does **not** hash in a
+/// streaming fashion, even when using `update()`. This is okay for the use within this module, as
+/// bip32_ed25519 and sign_raw() do not hash a lot of data.
+#[derive(Default, Clone)]
+pub struct Sha512(Vec<u8>);
+
+impl digest::HashMarker for Sha512 {}
+
+impl digest::OutputSizeUser for Sha512 {
+    type OutputSize = digest::typenum::U64;
+}
+
+impl digest::FixedOutput for Sha512 {
+    fn finalize_into(self, out: &mut digest::Output<Self>) {
+        // use digest::Digest;
+        // out.copy_from_slice(&sha2::Sha512::digest(&self.0));
+        out.copy_from_slice(&bitbox02::sha512(&self.0));
+    }
+}
+
+impl digest::Update for Sha512 {
+    fn update(&mut self, data: &[u8]) {
+        self.0.extend(data);
+    }
+}
+
+impl digest::Reset for Sha512 {
+    fn reset(&mut self) {
+        self.0 = vec![];
+    }
+}
+
+impl digest::core_api::BlockSizeUser for Sha512 {
+    type BlockSize = digest::typenum::U128;
+}
 
 fn get_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     bitbox02::keystore::get_ed25519_seed()
 }
 
-fn get_xprv(keypath: &[u32]) -> Result<Xprv, ()> {
+fn get_xprv(keypath: &[u32]) -> Result<Xprv<Sha512>, ()> {
     let root = get_seed()?;
-    Ok(Xprv::from_normalize(
+    Ok(Xprv::<Sha512>::from_normalize(
         &root[..ED25519_EXPANDED_SECRET_KEY_SIZE],
         &root[ED25519_EXPANDED_SECRET_KEY_SIZE..],
     )
     .derive_path(keypath))
 }
 
-pub fn get_xpub(keypath: &[u32]) -> Result<Xpub, ()> {
+pub fn get_xpub(keypath: &[u32]) -> Result<Xpub<Sha512>, ()> {
     Ok(get_xprv(keypath)?.public())
 }
 
@@ -57,6 +96,24 @@ mod tests {
 
     use bip32_ed25519::HARDENED_OFFSET;
     use bitbox02::testing::{mock_unlocked, mock_unlocked_using_mnemonic};
+    use digest::Digest;
+
+    #[test]
+    fn test_sha512() {
+        assert_eq!(Sha512::digest(b"foobar"), sha2::Sha512::digest(b"foobar"));
+
+        let mut hasher: Sha512 = Default::default();
+        hasher.update(b"foo");
+        hasher.update(b"bar");
+        assert_eq!(hasher.finalize(), sha2::Sha512::digest(b"foobar"));
+
+        hasher = Default::default();
+        hasher.update(b"foo");
+        hasher.update(b"bar");
+        hasher.reset();
+        hasher.update(b"baz");
+        assert_eq!(hasher.finalize(), sha2::Sha512::digest(b"baz"));
+    }
 
     #[test]
     fn test_get_seed() {

src/rust/bitbox02-rust/src/keystore/ed25519.rs

@@ -255,6 +255,19 @@ pub fn println_stdout(msg: &str) {
     }
 }
 
+pub fn sha512(msg: &[u8]) -> [u8; 64] {
+    let mut result = [0u8; 64];
+    unsafe {
+        bitbox02_sys::wally_sha512(
+            msg.as_ptr(),
+            msg.len() as _,
+            result.as_mut_ptr(),
+            result.len() as _,
+        );
+    }
+    result
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

src/rust/bitbox02/src/lib.rs

@@ -1 +1 @@
-{"files":{".github/workflows/ci.yml":"c8a9063d44963604b66d58eada923660f915ba0491051d1ffc052de32635e3b3","Cargo.toml":"58d701ce118c3e26d7cf28327acf2511cbf2b45e5977f0453347f6cdf016bccc","LICENSE-APACHE":"c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4","LICENSE-MIT":"5530596cde343de2238ec3276d94599ff6e78b7b7a20f6143162b3eceb727f29","README.md":"99a18dfc2a588d8b8cb3c287dad52d2e76c2b2b3be0e7a95cce19f509e9d59d7","src/arbitrary.rs":"ecb52788eec1142459ab252c320a5f0e421eb63cf959260b16e689ccfc8f2590","src/bigint.rs":"756b33c8d971b282b43268671c08fb4d8af095a6ebb6e9dc0c750631650e4d14","src/lib.rs":"8a663d5860d5ce9e5f200b786b7b4aec938627b141cc73260322f1cd9a20fec0","tests/table_test.rs":"a2e40ed32e495dbed8fc93f402476624e4609b9e5ef47a34e8be8dd8ed90dc92","tests/testdata/gen_table.py":"2fd91055920d9ac4cfb6c004b96aca42aaf2e3cf074d0d49d48ada993abdaedf","tests/testdata/table.json":"9e37a43d759f793b091f87488ea4b6d733154a10d29554c5103e12d617ae70cd"},"package":null}
+{"files":{".github/workflows/ci.yml":"f465a052857e00c4a513784ae8527fca34a9a0b1075c7511bbf302b96d6e9e36","Cargo.toml":"4f133fb93e1cfba99cee3a46432e4927593e4a88d24594b4b62d15c5922c5a34","LICENSE-APACHE":"c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4","LICENSE-MIT":"5530596cde343de2238ec3276d94599ff6e78b7b7a20f6143162b3eceb727f29","README.md":"99a18dfc2a588d8b8cb3c287dad52d2e76c2b2b3be0e7a95cce19f509e9d59d7","src/arbitrary.rs":"ecb52788eec1142459ab252c320a5f0e421eb63cf959260b16e689ccfc8f2590","src/bigint.rs":"756b33c8d971b282b43268671c08fb4d8af095a6ebb6e9dc0c750631650e4d14","src/lib.rs":"93a19d865e85bde9646e42ef6c6b5106d6876c71fcffedad4b2c523deeb6f951","tests/table_test.rs":"7cba52f2578cfaf44f7d01a14ae1ce3b2b21857079722b7f04a507ca2884d878","tests/testdata/gen_table.py":"2fd91055920d9ac4cfb6c004b96aca42aaf2e3cf074d0d49d48ada993abdaedf","tests/testdata/table.json":"9e37a43d759f793b091f87488ea4b6d733154a10d29554c5103e12d617ae70cd"},"package":null}

src/rust/vendor/bip32-ed25519/.cargo-checksum.json

@@ -8,10 +8,10 @@ on: [push, pull_request]
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
@@ -35,10 +35,10 @@ jobs:
 
   test:
     name: Test Suite
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1

src/rust/vendor/bip32-ed25519/.github/workflows/ci.yml

@@ -12,7 +12,7 @@
 [package]
 edition = "2021"
 name = "bip32-ed25519"
-version = "0.1.2"
+version = "0.2.0"
 authors = ["Shift Crypto AG <support@shiftcrypto.ch>"]
 description = "BIP32-Ed25519"
 readme = "README.md"
@@ -27,15 +27,15 @@ license = "MIT OR Apache-2.0"
 version = "4"
 default-features = false
 
+[dependencies.digest]
+version = "0.10"
+default-features = false
+
 [dependencies.hmac]
 version = "0.12"
 features = ["reset"]
 default-features = false
 
-[dependencies.sha2]
-version = "0.10"
-default-features = false
-
 [dependencies.zeroize]
 version = "1"
 features = ["zeroize_derive"]
@@ -59,3 +59,7 @@ features = ["serde"]
 [dev-dependencies.serde]
 version = "1.0.104"
 features = ["derive"]
+
+[dev-dependencies.sha2]
+version = "0.10"
+default-features = false