some more error mgmt
sgliner-ledger committed Nov 13, 2023
1 parent b0c6256 commit cc1f1ff
Showing 10 changed files with 694 additions and 281 deletions.
82 changes: 41 additions & 41 deletions src/monero_api.h
Expand Up @@ -142,14 +142,14 @@ extern const unsigned char C_FAKE_SEC_SPEND_KEY[32];
int is_fake_view_key(unsigned char *s);
int is_fake_spend_key(unsigned char *s);

void monero_ge_fromfe_frombytes(unsigned char *ge, unsigned char *bytes, size_t ge_len,
size_t bytes_len);
int monero_ge_fromfe_frombytes(unsigned char *ge, unsigned char *bytes, size_t ge_len,
size_t bytes_len);
void monero_sc_add(unsigned char *r, unsigned char *s1, unsigned char *s2);
void monero_hash_to_scalar(unsigned char *scalar, unsigned char *raw, size_t scalar_len,
unsigned int len);
void monero_hash_to_ec(unsigned char *ec, unsigned char *ec_pub, size_t ec_len);
void monero_generate_keypair(unsigned char *ec_pub, unsigned char *ec_priv, size_t ec_pub_len,
size_t ec_priv_len);
int monero_hash_to_scalar(unsigned char *scalar, unsigned char *raw, size_t scalar_len,
unsigned int len);
int monero_hash_to_ec(unsigned char *ec, unsigned char *ec_pub, size_t ec_len);
int monero_generate_keypair(unsigned char *ec_pub, unsigned char *ec_priv, size_t ec_pub_len,
size_t ec_priv_len);
/*
* compute s = 8 * (k*P)
*
Expand Down Expand Up @@ -182,22 +182,22 @@ int monero_derive_secret_key(unsigned char *x, unsigned char *drv_data, unsigned
int monero_derive_public_key(unsigned char *x, unsigned char *drv_data, unsigned int out_idx,
unsigned char *ec_pub, size_t x_len, size_t drv_data_len,
size_t ec_pub_len);
void monero_secret_key_to_public_key(unsigned char *ec_pub, unsigned char *ec_priv,
size_t ec_pub_len, size_t ec_priv_len);
void monero_generate_key_image(unsigned char *img, unsigned char *P, unsigned char *x,
size_t img_len, size_t x_len);
int monero_secret_key_to_public_key(unsigned char *ec_pub, unsigned char *ec_priv,
size_t ec_pub_len, size_t ec_priv_len);
int monero_generate_key_image(unsigned char *img, unsigned char *P, unsigned char *x,
size_t img_len, size_t x_len);
int monero_derive_view_tag(unsigned char *view_tag, const unsigned char drv_data[static 32],
unsigned int out_idx);

void monero_derive_subaddress_public_key(unsigned char *x, unsigned char *pub,
unsigned char *drv_data, unsigned int index, size_t x_len,
size_t pub_len, size_t drv_data_len);
void monero_get_subaddress_spend_public_key(unsigned char *x, unsigned char *index, size_t x_len,
size_t index_len);
void monero_get_subaddress(unsigned char *C, unsigned char *D, unsigned char *index, size_t C_len,
size_t D_len, size_t index_len);
void monero_get_subaddress_secret_key(unsigned char *sub_s, unsigned char *s, unsigned char *index,
size_t sub_s_len, size_t s_len, size_t index_len);
int monero_derive_subaddress_public_key(unsigned char *x, unsigned char *pub,
unsigned char *drv_data, unsigned int index, size_t x_len,
size_t pub_len, size_t drv_data_len);
int monero_get_subaddress_spend_public_key(unsigned char *x, unsigned char *index, size_t x_len,
size_t index_len);
int monero_get_subaddress(unsigned char *C, unsigned char *D, unsigned char *index, size_t C_len,
size_t D_len, size_t index_len);
int monero_get_subaddress_secret_key(unsigned char *sub_s, unsigned char *s, unsigned char *index,
size_t sub_s_len, size_t s_len, size_t index_len);

void monero_clear_words(void);
/* ----------------------------------------------------------------------- */
Expand Down Expand Up @@ -295,28 +295,28 @@ int monero_derivation_to_scalar(unsigned char *scalar, unsigned char *drv_data,
/*
* W = k.P
*/
void monero_ecmul_k(unsigned char *W, unsigned char *P, unsigned char *scalar32, size_t W_len,
size_t P_len, size_t scalar32_len);
int monero_ecmul_k(unsigned char *W, unsigned char *P, unsigned char *scalar32, size_t W_len,
size_t P_len, size_t scalar32_len);
/*
* W = 8k.P
*/
void monero_ecmul_8k(unsigned char *W, unsigned char *P, unsigned char *scalar32, size_t W_len,
size_t P_len, size_t scalar32_len);
int monero_ecmul_8k(unsigned char *W, unsigned char *P, unsigned char *scalar32, size_t W_len,
size_t P_len, size_t scalar32_len);

/*
* W = 8.P
*/
void monero_ecmul_8(unsigned char *W, unsigned char *P, size_t W_len, size_t P_len);
int monero_ecmul_8(unsigned char *W, unsigned char *P, size_t W_len, size_t P_len);

/*
* W = k.G
*/
void monero_ecmul_G(unsigned char *W, unsigned char *scalar32, size_t W_len, size_t scalar32_len);
int monero_ecmul_G(unsigned char *W, unsigned char *scalar32, size_t W_len, size_t scalar32_len);

/*
* W = k.H
*/
void monero_ecmul_H(unsigned char *W, unsigned char *scalar32, size_t W_len, size_t scalar32_len);
int monero_ecmul_H(unsigned char *W, unsigned char *scalar32, size_t W_len, size_t scalar32_len);

/**
* keccak("amount"|sk)
Expand All @@ -326,38 +326,38 @@ void monero_ecdhHash(unsigned char *x, unsigned char *k, size_t k_len);
/**
* keccak("commitment_mask"|sk) %order
*/
void monero_genCommitmentMask(unsigned char *c, unsigned char *sk, size_t c_len, size_t sk_len);
int monero_genCommitmentMask(unsigned char *c, unsigned char *sk, size_t c_len, size_t sk_len);

/*
* W = P+Q
*/
void monero_ecadd(unsigned char *W, unsigned char *P, unsigned char *Q, size_t W_len, size_t P_len,
size_t Q_len);
int monero_ecadd(unsigned char *W, unsigned char *P, unsigned char *Q, size_t W_len, size_t P_len,
size_t Q_len);
/*
* W = P-Q
*/
void monero_ecsub(unsigned char *W, unsigned char *P, unsigned char *Q, size_t W_len, size_t P_len,
size_t Q_len);
int monero_ecsub(unsigned char *W, unsigned char *P, unsigned char *Q, size_t W_len, size_t P_len,
size_t Q_len);

/* r = (a+b) %order */
void monero_addm(unsigned char *r, unsigned char *a, unsigned char *b, size_t r_len, size_t a_len,
size_t b_len);
int monero_addm(unsigned char *r, unsigned char *a, unsigned char *b, size_t r_len, size_t a_len,
size_t b_len);

/* r = (a-b) %order */
void monero_subm(unsigned char *r, unsigned char *a, unsigned char *b, size_t r_len, size_t a_len,
size_t b_len);
int monero_subm(unsigned char *r, unsigned char *a, unsigned char *b, size_t r_len, size_t a_len,
size_t b_len);

/* r = (a*b) %order */
void monero_multm(unsigned char *r, unsigned char *a, unsigned char *b, size_t r_len, size_t a_len,
size_t b_len);
int monero_multm(unsigned char *r, unsigned char *a, unsigned char *b, size_t r_len, size_t a_len,
size_t b_len);

/* r = (a*8) %order */
void monero_multm_8(unsigned char *r, unsigned char *a, size_t r_len, size_t a_len);
int monero_multm_8(unsigned char *r, unsigned char *a, size_t r_len, size_t a_len);

/* */
void monero_reduce(unsigned char *r, unsigned char *a, size_t r_len, size_t a_len);
int monero_reduce(unsigned char *r, unsigned char *a, size_t r_len, size_t a_len);

void monero_rng_mod_order(unsigned char *r, size_t r_len);
int monero_rng_mod_order(unsigned char *r, size_t r_len);
/* ----------------------------------------------------------------------- */
/* --- IO ---- */
/* ----------------------------------------------------------------------- */
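Review bot: The header now declares most of these primitives as returning `int`, but nowhere in the changed hunks does it say what that value means, and the only comment slot that could carry it, the empty `/* */` above `monero_reduce`, is left blank. From the callers in this commit (`if (err) return err;` next to `return SW_OK;`) the value appears to be a status code with 0 meaning success, but that is inferred; a short contract comment near the first changed prototype would pin it, e.g. `/* Functions returning int yield 0 on success, otherwise an error status the caller must propagate. */`. `monero_ecdhHash` (visible as context at the top of the last hunk) and `monero_sc_add` keep `void` while their neighbours became `int`; if they genuinely cannot fail, a comment saying so would stop them reading as an oversight in the same sweep. The header also does not state that output buffers are unspecified on a non-zero return, which matters for callers that might otherwise emit them.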
65 changes: 53 additions & 12 deletions src/monero_blind.c
Expand Up @@ -48,11 +48,26 @@ int monero_apdu_blind() {
}
} else {
// blind mask
monero_hash_to_scalar(AKout, AKout, sizeof(AKout), sizeof(AKout));
monero_addm(k, k, AKout, sizeof(k), sizeof(k), sizeof(AKout));
err = monero_hash_to_scalar(AKout, AKout, sizeof(AKout), sizeof(AKout));
if (err) {
return err;
}

err = monero_addm(k, k, AKout, sizeof(k), sizeof(k), sizeof(AKout));
if (err) {
return err;
}

// blind value
monero_hash_to_scalar(AKout, AKout, sizeof(AKout), sizeof(AKout));
monero_addm(v, v, AKout, sizeof(v), sizeof(v), sizeof(AKout));
err = monero_hash_to_scalar(AKout, AKout, sizeof(AKout), sizeof(AKout));
if (err) {
return err;
}

err = monero_addm(v, v, AKout, sizeof(v), sizeof(v), sizeof(AKout));
if (err) {
return err;
}
}
// ret all
monero_io_insert(v, 32);
Expand All @@ -66,19 +81,39 @@ int monero_apdu_blind() {
/* ----------------------------------------------------------------------- */
int monero_unblind(unsigned char *v, unsigned char *k, unsigned char *AKout,
unsigned int short_amount, size_t v_len, size_t k_len, size_t AKout_len) {
int error;
if (short_amount == 2) {
monero_genCommitmentMask(k, AKout, k_len, AKout_len);
error = monero_genCommitmentMask(k, AKout, k_len, AKout_len);
if (error) {
return error;
}

monero_ecdhHash(AKout, AKout, AKout_len);
for (int i = 0; i < 8; i++) {
v[i] = v[i] ^ AKout[i];
}
} else {
// unblind mask
monero_hash_to_scalar(AKout, AKout, AKout_len, AKout_len);
monero_subm(k, k, AKout, k_len, k_len, AKout_len);
error = monero_hash_to_scalar(AKout, AKout, AKout_len, AKout_len);
if (error) {
return error;
}

error = monero_subm(k, k, AKout, k_len, k_len, AKout_len);
if (error) {
return error;
}

// unblind value
monero_hash_to_scalar(AKout, AKout, AKout_len, AKout_len);
monero_subm(v, v, AKout, v_len, v_len, AKout_len);
error = monero_hash_to_scalar(AKout, AKout, AKout_len, AKout_len);
if (error) {
return error;
}

error = monero_subm(v, v, AKout, v_len, v_len, AKout_len);
if (error) {
return error;
}
}
return 0;
}
Expand All @@ -101,8 +136,11 @@ int monero_apdu_unblind() {

monero_io_discard(1);

monero_unblind(v, k, AKout, G_monero_vstate.options & 0x03, sizeof(v), sizeof(k),
sizeof(AKout));
err = monero_unblind(v, k, AKout, G_monero_vstate.options & 0x03, sizeof(v), sizeof(k),
sizeof(AKout));
if (err) {
return err;
}

// ret all
monero_io_insert(v, 32);
Expand All @@ -125,7 +163,10 @@ int monero_apdu_gen_commitment_mask() {
}

monero_io_discard(1);
monero_genCommitmentMask(k, AKout, sizeof(k), sizeof(AKout));
err = monero_genCommitmentMask(k, AKout, sizeof(k), sizeof(AKout));
if (err) {
return err;
}

// ret all
monero_io_insert(k, 32);
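Review bot: `monero_unblind` can return after `monero_subm(k, …)` has already rewritten `k` but before `v` is unblinded, so on a non-zero return the output buffers are half-transformed and nothing in the function says so. The contract should state it above the definition, e.g. `/* Returns 0 on success. On error, v, k and AKout are left partially transformed and must not be emitted. */`; the caller in `monero_apdu_unblind` already behaves correctly by returning before `monero_io_insert`. In the `short_amount == 2` branch `monero_ecdhHash` stays unchecked while every sibling call now is; if it cannot fail (the header keeps it `void`), a one-line comment saying so avoids it looking like a missed check. Naming also differs between this function (`error`) and the APDU handlers (`err`) — pick one. `monero_apdu_blind`, `monero_apdu_unblind` and `monero_apdu_gen_commitment_mask` all start outside their hunks.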
96 changes: 78 additions & 18 deletions src/monero_clsag.c
Expand Up @@ -62,20 +62,38 @@ int monero_apdu_clsag_prepare() {
monero_io_discard(1);

// a
monero_rng_mod_order(a, sizeof(a));
err = monero_rng_mod_order(a, sizeof(a));
if (err) {
return err;
}

monero_io_insert_encrypt(a, 32, TYPE_ALPHA);
// a.G
monero_ecmul_G(W, a, sizeof(W), sizeof(a));
err = monero_ecmul_G(W, a, sizeof(W), sizeof(a));
if (err) {
return err;
}

monero_io_insert(W, 32);
// a.H
monero_ecmul_k(W, H, a, sizeof(W), sizeof(H), sizeof(a));
err = monero_ecmul_k(W, H, a, sizeof(W), sizeof(H), sizeof(a));
if (err) {
return err;
}

monero_io_insert(W, 32);
// I = p.H
monero_ecmul_k(W, H, p, sizeof(W), sizeof(H), sizeof(p));
err = monero_ecmul_k(W, H, p, sizeof(W), sizeof(H), sizeof(p));
if (err) {
return err;
}
monero_io_insert(W, 32);

// D = z.H
monero_ecmul_k(W, H, z, sizeof(W), sizeof(H), sizeof(z));
err = monero_ecmul_k(W, H, z, sizeof(W), sizeof(H), sizeof(z));
if (err) {
return err;
}
monero_io_insert(W, 32);

return SW_OK;
Expand Down Expand Up @@ -107,7 +125,10 @@ int monero_apdu_clsag_hash() {
monero_keccak_update_H(msg, 32);
if ((G_monero_vstate.options & 0x80) == 0) {
monero_keccak_final_H(c);
monero_reduce(c, c, sizeof(c), sizeof(c));
int err = monero_reduce(c, c, sizeof(c), sizeof(c));
if (err) {
return err;
}
monero_io_insert(c, 32);
memcpy(G_monero_vstate.c, c, 32);
}
Expand Down Expand Up @@ -172,13 +193,36 @@ int monero_apdu_clsag_sign() {
monero_check_scalar_not_null(p);
monero_check_scalar_not_null(z);

monero_reduce(a, a, sizeof(a), sizeof(a));
monero_reduce(p, p, sizeof(p), sizeof(p));
monero_reduce(z, z, sizeof(z), sizeof(z));
monero_reduce(mu_P, mu_P, sizeof(mu_P), sizeof(mu_P));
monero_reduce(mu_C, mu_C, sizeof(mu_C), sizeof(mu_C));
monero_reduce(G_monero_vstate.c, G_monero_vstate.c, sizeof(G_monero_vstate.c),
sizeof(G_monero_vstate.c));
err = monero_reduce(a, a, sizeof(a), sizeof(a));
if (err) {
return err;
}

err = monero_reduce(p, p, sizeof(p), sizeof(p));
if (err) {
return err;
}

err = monero_reduce(z, z, sizeof(z), sizeof(z));
if (err) {
return err;
}

err = monero_reduce(mu_P, mu_P, sizeof(mu_P), sizeof(mu_P));
if (err) {
return err;
}

err = monero_reduce(mu_C, mu_C, sizeof(mu_C), sizeof(mu_C));
if (err) {
return err;
}

err = monero_reduce(G_monero_vstate.c, G_monero_vstate.c, sizeof(G_monero_vstate.c),
sizeof(G_monero_vstate.c));
if (err) {
return err;
}

// s0_p_mu_P = mu_P*p
// s0_add_z_mu_C = mu_C*z + s0_p_mu_P
Expand All @@ -187,15 +231,31 @@ int monero_apdu_clsag_sign() {
// = a - c*(mu_C*z + mu_P*p)

// s = p*mu_P
monero_multm(s, p, mu_P, sizeof(s), sizeof(p), sizeof(mu_P));
err = monero_multm(s, p, mu_P, sizeof(s), sizeof(p), sizeof(mu_P));
if (err) {
return err;
}
// mu_P = mu_C*z
monero_multm(mu_P, mu_C, z, sizeof(mu_P), sizeof(mu_C), sizeof(z));
err = monero_multm(mu_P, mu_C, z, sizeof(mu_P), sizeof(mu_C), sizeof(z));
if (err) {
return err;
}
// s = p*mu_P + mu_C*z
monero_addm(s, s, mu_P, sizeof(s), sizeof(s), sizeof(mu_P));
err = monero_addm(s, s, mu_P, sizeof(s), sizeof(s), sizeof(mu_P));
if (err) {
return err;
}
// mu_P = c * (p*mu_P + mu_C*z)
monero_multm(mu_P, G_monero_vstate.c, s, sizeof(mu_P), sizeof(G_monero_vstate.c), sizeof(s));
err = monero_multm(mu_P, G_monero_vstate.c, s, sizeof(mu_P), sizeof(G_monero_vstate.c),
sizeof(s));
if (err) {
return err;
}
// s = a - c*(p*mu_P + mu_C*z)
monero_subm(s, a, mu_P, sizeof(s), sizeof(a), sizeof(mu_P));
err = monero_subm(s, a, mu_P, sizeof(s), sizeof(a), sizeof(mu_P));
if (err) {
return err;
}

monero_io_insert(s, 32);

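Review bot: In `monero_apdu_clsag_prepare` the early returns after `monero_io_insert_encrypt(a, 32, TYPE_ALPHA)` and the first `monero_io_insert(W, 32)` leave a partially built response in the IO buffer, and whether the APDU dispatcher discards it on a non-zero return is not visible in this hunk — worth confirming, and worth a comment at the first early return such as `// partial IO buffer is dropped by the dispatcher on error (verify)`. In `monero_apdu_clsag_sign` the six consecutive `monero_reduce` checks are identical; the brace style is consistent with the rest of the file, which is good, but a small `static` helper taking the scalar pointer and length, or a loop over the six buffers, would cut the hunk to a third without changing behaviour — a style point, not a defect. `monero_check_scalar_not_null(p)` and `(z)` immediately above the new checks are still called without testing a result; if they became `int`-returning in this sweep (their prototypes are not in the header excerpt) they should be checked the same way. The enclosing functions in all three hunks start outside the hunk.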