wip

Author: benma

src/rust/Cargo.lock

@@ -28,6 +28,7 @@ doctest = false
 
 [dependencies]
 bitbox02 = {path = "../bitbox02"}
+bitbox-aes = { path = "../bitbox-aes", features = ["use-wally-sha512"] }
 util = { path = "../util" }
 erc20_params = { path = "../erc20_params", optional = true }
 binascii = { version = "0.1.4", default-features = false, features = ["encode"] }

src/rust/bitbox02-rust/Cargo.toml

@@ -66,7 +66,7 @@ pub async fn from_file(
     }
 
     let password = password::enter_twice(hal).await?;
-    if let Err(err) = bitbox02::keystore::encrypt_and_store_seed(data.get_seed(), &password) {
+    if let Err(err) = crate::keystore::encrypt_and_store_seed(data.get_seed(), &password) {
         hal.ui()
             .status(&format!("Could not\nrestore backup\n{:?}", err), false)
             .await;
@@ -145,7 +145,7 @@ pub async fn from_mnemonic(
         }
     };
 
-    if let Err(err) = bitbox02::keystore::encrypt_and_store_seed(&seed, &password) {
+    if let Err(err) = crate::keystore::encrypt_and_store_seed(&seed, &password) {
         hal.ui()
             .status(&format!("Could not\nrestore backup\n{:?}", err), false)
             .await;

src/rust/bitbox02-rust/src/hww/api/restore.rs

@@ -18,7 +18,60 @@ pub mod ed25519;
 use alloc::vec::Vec;
 
 use crate::bip32;
-use bitbox02::keystore;
+use bitbox02::{keystore, memory, securechip};
+
+#[derive(Debug)]
+pub enum Error {
+    AlreadyInitialized,
+    Memory,
+    SeedSize,
+    SecureChip,
+    IncorrectPassword,
+}
+
+fn validate_seed_length(len: usize) -> Result<(), Error> {
+    match len {
+        16 | 24 | 32 => Ok(()),
+        _ => Err(Error::SeedSize),
+    }
+}
+
+fn get_and_decrypt_seed(password: &str) -> Result<zeroize::Zeroizing<Vec<u8>>, Error> {
+    let encrypted_seed_and_hmac =
+        memory::get_encrypted_seed_and_hmac().map_err(|_| Error::Memory)?;
+
+    // TODO check actual SC result
+    let secret: zeroize::Zeroizing<Vec<u8>> =
+        securechip::stretch_password(password).map_err(|_| Error::SecureChip)?;
+    let seed = bitbox_aes::decrypt_with_hmac(&secret, &encrypted_seed_and_hmac)
+        .map_err(|_| Error::IncorrectPassword)?;
+    validate_seed_length(seed.len())?;
+    Ok(seed)
+}
+
+pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error> {
+    if memory::is_initialized() {
+        return Err(Error::AlreadyInitialized);
+    }
+    keystore::lock();
+    validate_seed_length(seed.len())?;
+    securechip::init_new_password(password).map_err(|_| Error::SecureChip)?;
+    let secret: zeroize::Zeroizing<Vec<u8>> =
+        securechip::stretch_password(password).map_err(|_| Error::SecureChip)?;
+    // TODO: set IV randomly using random_32_bytes().
+    let iv = &[0u8; 16];
+    let encrypted_seed: Vec<u8> =
+        bitbox_aes::encrypt_with_hmac(iv, secret.as_slice().try_into().unwrap(), seed);
+    memory::set_encrypted_seed_and_hmac(&encrypted_seed).map_err(|_| Error::Memory)?;
+
+    // Verify seed.
+    if get_and_decrypt_seed(password)?.as_slice() != seed {
+        // TODO: reset hww
+        return Err(Error::Memory);
+    }
+
+    Ok(())
+}
 
 /// Derives an xpub from the keystore seed at the given keypath.
 pub fn get_xpub(keypath: &[u32]) -> Result<bip32::Xpub, ()> {

src/rust/bitbox02-rust/src/keystore.rs

@@ -65,7 +65,6 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_copy_seed",
     "keystore_create_and_store_seed",
     "keystore_encode_xpub_at_keypath",
-    "keystore_encrypt_and_store_seed",
     "keystore_get_bip39_mnemonic",
     "keystore_get_bip39_word",
     "keystore_get_ed25519_seed",
@@ -99,6 +98,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "memory_set_initialized",
     "memory_set_mnemonic_passphrase_enabled",
     "memory_set_seed_birthdate",
+    "memory_set_encrypted_seed_and_hmac",
+    "memory_get_encrypted_seed_and_hmac",
     "memory_setup",
     "menu_create",
     "mock_memory_factoryreset",
@@ -127,6 +128,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "securechip_model",
     "securechip_monotonic_increments_remaining",
     "securechip_u2f_counter_set",
+    "securechip_init_new_password",
+    "securechip_stretch_password",
     "smarteeprom_bb02_config",
     "status_create",
     "trinary_choice_create",
@@ -139,6 +142,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "wally_free_string",
     "wally_get_secp_context",
     "wally_sha512",
+    "cipher_aes_hmac_encrypt",
 ];
 
 const RUSTIFIED_ENUMS: &[&str] = &[

src/rust/bitbox02-sys/build.rs

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #include <bip32.h>
+#include <cipher/cipher.h>
 #include <keystore.h>
 #include <memory/bitbox02_smarteeprom.h>
 #include <memory/memory.h>

src/rust/bitbox02-sys/wrapper.h

@@ -0,0 +1,35 @@
+// Copyright 2020 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use alloc::vec::Vec;
+
+pub fn aes_hmac_encrypt(input: &[u8], key: &[u8]) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
+    let mut output = zeroize::Zeroizing::new(vec![0u8; input.len() + 64]);
+    let mut output_size: usize = output.len();
+    match unsafe {
+        bitbox02_sys::cipher_aes_hmac_encrypt(
+            input.as_ptr(),
+            input.len() as _,
+            output.as_mut_ptr(),
+            &mut output_size,
+            key.as_ptr(),
+        )
+    } {
+        true => {
+            output.truncate(output_size);
+            Ok(output)
+        }
+        false => Err(()),
+    }
+}

src/rust/bitbox02/src/cipher.rs

@@ -293,19 +293,6 @@ pub fn bip39_mnemonic_to_seed(mnemonic: &str) -> Result<zeroize::Zeroizing<Vec<u
     }
 }
 
-pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error> {
-    match unsafe {
-        bitbox02_sys::keystore_encrypt_and_store_seed(
-            seed.as_ptr(),
-            seed.len(),
-            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
-        )
-    } {
-        keystore_error_t::KEYSTORE_OK => Ok(()),
-        err => Err(err.into()),
-    }
-}
-
 pub fn get_ed25519_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     let mut seed = zeroize::Zeroizing::new([0u8; 96].to_vec());
     match unsafe { bitbox02_sys::keystore_get_ed25519_seed(seed.as_mut_ptr()) } {

src/rust/bitbox02/src/keystore.rs

@@ -34,6 +34,7 @@ use alloc::string::String;
 pub mod testing;
 
 pub mod bip32;
+pub mod cipher;
 pub mod keystore;
 pub mod memory;
 pub mod random;

src/rust/bitbox02/src/lib.rs

@@ -15,6 +15,7 @@
 
 extern crate alloc;
 use alloc::string::String;
+use alloc::vec::Vec;
 
 // deduct one for the null terminator.
 pub const DEVICE_NAME_MAX_LEN: usize = bitbox02_sys::MEMORY_DEVICE_NAME_MAX_LEN as usize - 1;
@@ -160,13 +161,57 @@ pub fn multisig_get_by_hash(hash: &[u8]) -> Option<String> {
     }
 }
 
+pub fn set_encrypted_seed_and_hmac(encrypted_seed_and_hmac: &[u8]) -> Result<(), ()> {
+    match unsafe {
+        bitbox02_sys::memory_set_encrypted_seed_and_hmac(
+            encrypted_seed_and_hmac.as_ptr(),
+            encrypted_seed_and_hmac.len().try_into().unwrap(),
+        )
+    } {
+        true => Ok(()),
+        false => Err(()),
+    }
+}
+
+pub fn get_encrypted_seed_and_hmac() -> Result<Vec<u8>, ()> {
+    let mut out = vec![0u8; 96];
+    let mut out_size = 0u8;
+    match unsafe {
+        bitbox02_sys::memory_get_encrypted_seed_and_hmac(out.as_mut_ptr(), &mut out_size)
+    } {
+        true => {
+            out.truncate(out_size as usize);
+            Ok(out)
+        }
+        false => Err(()),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::testing::mock_memory;
 
     #[test]
     fn test_get_attestation_bootloader_hash() {
+        mock_memory();
+
         let expected: [u8; 32] = *b"\x71\x3d\xf0\xd5\x8c\x71\x7d\x40\x31\x78\x7c\xdc\x8f\xa3\x5b\x90\x25\x82\xbe\x6a\xb6\xa2\x2e\x09\xde\x44\x77\xd3\x0e\x22\x30\xfc";
         assert_eq!(get_attestation_bootloader_hash(), expected);
     }
+
+    #[test]
+    fn test_encrypted_seed_and_hmac_roundtrip() {
+        for len in 0..=96 {
+            mock_memory();
+            let value: Vec<u8> = (0..len as u8).collect();
+            assert!(set_encrypted_seed_and_hmac(&value).is_ok());
+            assert_eq!(get_encrypted_seed_and_hmac().unwrap(), value);
+        }
+        {
+            mock_memory();
+            let value: Vec<u8> = (0..97 as u8).collect();
+            assert!(set_encrypted_seed_and_hmac(&value).is_err());
+        }
+    }
 }