Merge pull request #1449 from BitBoxSwiss/master

Merge master into staging/ble

Author: NickeZ

.containerversion

@@ -1 +1 @@
-46
+47

.gitmodules

@@ -1,9 +1,6 @@
 [submodule "external/cryptoauthlib"]
 	path = external/cryptoauthlib
 	url = https://github.com/BitBoxSwiss/cryptoauthlib.git
-[submodule "external/ctaes"]
-	path = external/ctaes
-	url = https://github.com/BitBoxSwiss/ctaes.git
 [submodule "external/libwally-core"]
 	path = external/libwally-core
 	url = https://github.com/BitBoxSwiss/libwally-core.git

CHANGELOG.md

@@ -10,6 +10,7 @@ customers cannot upgrade their bootloader, its changes are recorded separately.
 - Ethereum: add confirmation screen for known networks, change base unit to ETH for Arbitrum and Optimism
 - Ethereum: add Base and Gnosis Chain to known networks
 - Bitcoin: enable message signing on testnet and regtest
+- Enable Litecoin in the simulator
 
 ### 9.22.0
 - Update manufacturer HID descriptor to bitbox.swiss

CMakeLists.txt

@@ -337,10 +337,6 @@ if(NOT CMAKE_BUILD_TYPE STREQUAL "DEBUG")
   endif()
 endif()
 
-# Disallow duplicate definitions, which is the default since GCC
-# 10. It was not default in gcc-arm-none-eabi-8-2018-q4.
-string(APPEND CMAKE_C_FLAGS " -fno-common")
-
 # For `struct timespec` and `strdup`
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
 

Dockerfile

@@ -34,18 +34,16 @@ RUN echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-18 main" >> /etc/a
 
 # Install gcc8-arm-none-eabi
 RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
-      GNU_TOOLCHAIN=https://developer.arm.com/-/media/Files/downloads/gnu/13.3.rel1/binrel/arm-gnu-toolchain-13.3.rel1-aarch64-arm-none-eabi.tar.xz \
-      GNU_TOOLCHAIN_HASH=c8824bffd057afce2259f7618254e840715f33523a3d4e4294f471208f976764 \
-      GNU_TOOLCHAIN_FORMAT=xz; \
+      GNU_TOOLCHAIN=https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-aarch64-arm-none-eabi.tar.xz \
+      GNU_TOOLCHAIN_HASH=87330bab085dd8749d4ed0ad633674b9dc48b237b61069e3b481abd364d0a684; \
     else \
-      GNU_TOOLCHAIN=https://developer.arm.com/-/media/Files/downloads/gnu-rm/8-2018q4/gcc-arm-none-eabi-8-2018-q4-major-linux.tar.bz2 \
-      GNU_TOOLCHAIN_HASH=fb31fbdfe08406ece43eef5df623c0b2deb8b53e405e2c878300f7a1f303ee52 \
-      GNU_TOOLCHAIN_FORMAT=bz2; \
+      GNU_TOOLCHAIN=https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-arm-none-eabi.tar.xz \
+      GNU_TOOLCHAIN_HASH=62a63b981fe391a9cbad7ef51b17e49aeaa3e7b0d029b36ca1e9c3b2a9b78823; \
     fi; \
-    wget -O gcc.tar.${GNU_TOOLCHAIN_FORMAT} ${GNU_TOOLCHAIN} &&\
-    echo "$GNU_TOOLCHAIN_HASH gcc.tar.${GNU_TOOLCHAIN_FORMAT}" | sha256sum -c &&\
-    tar -xvf gcc.tar.${GNU_TOOLCHAIN_FORMAT} -C /usr/local --strip-components=1 &&\
-    rm -f gcc.tar.${GNU_TOOLCHAIN_FORMAT}
+    curl -sSL -o gcc.tar.xz ${GNU_TOOLCHAIN} && \
+    echo "$GNU_TOOLCHAIN_HASH gcc.tar.xz" | sha256sum -c && \
+    tar -xvf gcc.tar.xz -C /usr/local --strip-components=1 && \
+    rm -f gcc.tar.xz
 
 # Tools for building
 RUN apt-get update && apt-get install -y \

external/CMakeLists.txt

@@ -273,11 +273,6 @@ set_property(TARGET fatfs PROPERTY INTERFACE_LINK_LIBRARIES "")
 target_include_directories(fatfs SYSTEM PUBLIC fatfs/source)
 target_compile_options(fatfs PRIVATE -Wno-switch-default)
 
-add_library(ctaes
-  ctaes/ctaes.c
-)
-target_include_directories(ctaes SYSTEM PUBLIC ctaes)
-
 add_library(rtt
   SEGGER_RTT_V796b/RTT/SEGGER_RTT.c
 )

external/ctaes

@@ -533,7 +533,6 @@ if(CMAKE_CROSSCOMPILING)
         embedded-swd
         cryptoauthlib
         fatfs
-        ctaes
         c
         samd51a-ds
         asf4-drivers-min

src/CMakeLists.txt

@@ -13,154 +13,34 @@
 // limitations under the License.
 
 #include "cipher.h"
-#include <ctaes.h>
-
-#include <stdlib.h>
-#include <string.h>
 
 #include <random.h>
-#include <util.h>
-#include <wally_crypto.h>
+#include <rust/rust.h>
 
 #ifdef TESTING
 #include <mock_cipher.h>
 #endif
 
-#define N_BLOCK (16U)
-// Used to sanity-check input to avoid large stack allocations
-#define CIPHER_MAX_ALLOC (200U)
-
-static bool _derive_hmac_keys(
-    const uint8_t* secret,
-    uint8_t* encryption_key_out,
-    uint8_t* authentication_key_out)
-{
-    uint8_t hash[64];
-    UTIL_CLEANUP_64(hash);
-    if (wally_sha512(secret, 32, hash, sizeof(hash)) != WALLY_OK) {
-        return false;
-    }
-    memcpy(encryption_key_out, hash, 32);
-    memcpy(authentication_key_out, hash + 32, 32);
-    return true;
-}
-
-// out_len must be at least in_len + N_BLOCK + N_BLOCK
-// necessary in_len/out_len range checks are done in cipher_aes_hmac_encrypt().
-static bool _aes_encrypt(
-    const uint8_t* in,
+bool cipher_aes_hmac_encrypt(
+    const unsigned char* in,
     size_t in_len,
     uint8_t* out,
     size_t* out_len,
-    const uint8_t* key)
+    const uint8_t* secret)
 {
-    if (in_len > CIPHER_MAX_ALLOC) {
-        return false;
-    }
-    size_t padlen = N_BLOCK - in_len % N_BLOCK;
-    size_t inpadlen = in_len + padlen;
-    uint8_t inpad[inpadlen];
-    *out_len = inpadlen + N_BLOCK;
-
-    // PKCS7 padding
-    memcpy(inpad, in, in_len);
-    for (size_t i = 0; i < padlen; i++) {
-        inpad[in_len + i] = padlen;
-    }
-
     uint8_t iv[32] = {0}; // only 16 bytes needed for IV.
 #ifdef TESTING
     cipher_mock_iv(iv);
 #else
     random_32_bytes(iv);
 #endif
-    memcpy(out, iv, N_BLOCK);
-
-    AES256_CBC_ctx ctx = {0};
-    AES256_CBC_init(&ctx, key, iv);
-    AES256_CBC_encrypt(&ctx, inpadlen / N_BLOCK, out + N_BLOCK, inpad);
-    *out_len = inpadlen + N_BLOCK;
-
-    util_zero(inpad, inpadlen);
-    util_zero(&ctx, sizeof(ctx));
-    return true;
-}
-
-bool cipher_aes_hmac_encrypt(
-    const unsigned char* in,
-    size_t in_len,
-    uint8_t* out,
-    size_t* out_len,
-    const uint8_t* secret)
-{
-    // in_len + iv + pad + hmac
-    if (*out_len != in_len + N_BLOCK + N_BLOCK + 32) {
-        return false;
-    }
-    uint8_t encryption_key[32];
-    UTIL_CLEANUP_32(encryption_key);
-    uint8_t authentication_key[32];
-    UTIL_CLEANUP_32(authentication_key);
-    if (!_derive_hmac_keys(secret, encryption_key, authentication_key)) {
-        return false;
-    }
-
-    size_t encrypt_len = in_len + 32;
-    if (!_aes_encrypt(in, in_len, out, &encrypt_len, encryption_key)) {
-        return false;
-    }
-
-    *out_len = encrypt_len + 32;
-
-    return wally_hmac_sha256(
-               authentication_key,
-               sizeof(authentication_key),
-               out,
-               encrypt_len,
-               out + encrypt_len,
-               32) == WALLY_OK;
-}
-
-// necessary in_len/out_len range checks are done in cipher_aes_hmac_decrypt().
-static bool _aes_decrypt(
-    const uint8_t* in,
-    size_t in_len,
-    uint8_t* out,
-    size_t* out_len,
-    const uint8_t* key)
-{
-    if (in_len > CIPHER_MAX_ALLOC) {
-        return false;
-    }
-    uint8_t dec_pad[in_len - N_BLOCK];
-    const uint8_t* iv = in; // first 16 bytes
-
-    AES256_CBC_ctx ctx = {0};
-    AES256_CBC_init(&ctx, key, iv);
-    AES256_CBC_decrypt(&ctx, in_len / N_BLOCK - 1, dec_pad, in + N_BLOCK);
-
-    // Strip PKCS7 padding
-    uint8_t padlen = dec_pad[in_len - N_BLOCK - 1];
-    if (padlen > N_BLOCK) {
-        goto error;
-    }
-    if (in_len < N_BLOCK + padlen) {
-        goto error;
-    }
-    for (size_t i = 0; i < padlen; i++) {
-        if (dec_pad[in_len - N_BLOCK - 1 - i] != padlen) {
-            goto error;
-        }
-    }
-    memcpy(out, dec_pad, in_len - N_BLOCK - padlen);
-    *out_len = in_len - N_BLOCK - padlen;
-    util_zero(dec_pad, sizeof(dec_pad));
-    util_zero(&ctx, sizeof(ctx));
+    rust_cipher_encrypt(
+        rust_util_bytes(iv, 16),
+        rust_util_bytes(secret, 32),
+        rust_util_bytes(in, in_len),
+        rust_util_bytes_mut(out, *out_len),
+        out_len);
     return true;
-error:
-    util_zero(dec_pad, sizeof(dec_pad));
-    util_zero(&ctx, sizeof(ctx));
-    return false;
 }
 
 bool cipher_aes_hmac_decrypt(
@@ -170,38 +50,9 @@ bool cipher_aes_hmac_decrypt(
     size_t* out_len,
     const uint8_t* key)
 {
-    // iv + pad + hmac
-    if (in_len < N_BLOCK + N_BLOCK + 32) {
-        return false;
-    }
-    // have space for at least in_len - iv - hmac
-    if (*out_len != in_len - N_BLOCK - 32) {
-        return false;
-    }
-
-    uint8_t encryption_key[32];
-    UTIL_CLEANUP_32(encryption_key);
-    uint8_t authentication_key[32];
-    UTIL_CLEANUP_32(authentication_key);
-
-    if (!_derive_hmac_keys(key, encryption_key, authentication_key)) {
-        return false;
-    }
-
-    uint8_t hmac[32];
-    UTIL_CLEANUP_32(hmac);
-    if (wally_hmac_sha256(
-            authentication_key,
-            sizeof(authentication_key),
-            in,
-            in_len - sizeof(hmac),
-            hmac,
-            sizeof(hmac)) != WALLY_OK) {
-        return false;
-    }
-
-    if (!MEMEQ(hmac, in + in_len - sizeof(hmac), sizeof(hmac))) {
-        return false;
-    }
-    return _aes_decrypt(in, in_len - sizeof(hmac), out, out_len, encryption_key);
+    return rust_cipher_decrypt(
+        rust_util_bytes(key, 32),
+        rust_util_bytes(in, in_len),
+        rust_util_bytes_mut(out, *out_len),
+        out_len);
 }