diff --git a/main/CMakeLists.txt b/main/CMakeLists.txt index 4aff22f..839cd7e 100644 --- a/main/CMakeLists.txt +++ b/main/CMakeLists.txt @@ -5,6 +5,7 @@ set(SRCS "nostr_frost.c" "nostr_frost_sign.c" "nostr_frost_dkg_events.c" "nostr_frost_nip46.c" "frost_crypto_ops.c" "frost_coordinator.c" "frost_dkg.c" "psbt.c" "psbt_fraud.c" "policy.c" "error_context.c" "error_codes.c" "random_utils.c" "hw_entropy.c" "ux_manager.c" "ux_serial.c" "self_test.c" "anti_glitch.c" + "pin_prefix.c" ) set(REQUIRES diff --git a/main/bip39_wordlist.h b/main/bip39_wordlist.h new file mode 100644 index 0000000..8ef6a10 --- /dev/null +++ b/main/bip39_wordlist.h @@ -0,0 +1,266 @@ +// SPDX-FileCopyrightText: © 2026 PrivKey LLC +// SPDX-License-Identifier: AGPL-3.0-or-later + +#ifndef BIP39_WORDLIST_H +#define BIP39_WORDLIST_H + +static const char *const BIP39_WORDLIST[2048] = { + "abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract", + "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid", + "acoustic", "acquire", "across", "act", "action", "actor", "actress", "actual", + "adapt", "add", "addict", "address", "adjust", "admit", "adult", "advance", + "advice", "aerobic", "affair", "afford", "afraid", "again", "age", "agent", + "agree", "ahead", "aim", "air", "airport", "aisle", "alarm", "album", + "alcohol", "alert", "alien", "all", "alley", "allow", "almost", "alone", + "alpha", "already", "also", "alter", "always", "amateur", "amazing", "among", + "amount", "amused", "analyst", "anchor", "ancient", "anger", "angle", "angry", + "animal", "ankle", "announce", "annual", "another", "answer", "antenna", "antique", + "anxiety", "any", "apart", "apology", "appear", "apple", "approve", "april", + "arch", "arctic", "area", "arena", "argue", "arm", "armed", "armor", + "army", "around", "arrange", "arrest", "arrive", "arrow", "art", "artefact", + "artist", "artwork", "ask", "aspect", "assault", "asset", "assist", "assume", + "asthma", "athlete", "atom", "attack", "attend", "attitude", "attract", "auction", + "audit", "august", "aunt", "author", "auto", "autumn", "average", "avocado", + "avoid", "awake", "aware", "away", "awesome", "awful", "awkward", "axis", + "baby", "bachelor", "bacon", "badge", "bag", "balance", "balcony", "ball", + "bamboo", "banana", "banner", "bar", "barely", "bargain", "barrel", "base", + "basic", "basket", "battle", "beach", "bean", "beauty", "because", "become", + "beef", "before", "begin", "behave", "behind", "believe", "below", "belt", + "bench", "benefit", "best", "betray", "better", "between", "beyond", "bicycle", + "bid", "bike", "bind", "biology", "bird", "birth", "bitter", "black", + "blade", "blame", "blanket", "blast", "bleak", "bless", "blind", "blood", + "blossom", "blouse", "blue", "blur", "blush", "board", "boat", "body", + "boil", "bomb", "bone", "bonus", "book", "boost", "border", "boring", + "borrow", "boss", "bottom", "bounce", "box", "boy", "bracket", "brain", + "brand", "brass", "brave", "bread", "breeze", "brick", "bridge", "brief", + "bright", "bring", "brisk", "broccoli", "broken", "bronze", "broom", "brother", + "brown", "brush", "bubble", "buddy", "budget", "buffalo", "build", "bulb", + "bulk", "bullet", "bundle", "bunker", "burden", "burger", "burst", "bus", + "business", "busy", "butter", "buyer", "buzz", "cabbage", "cabin", "cable", + "cactus", "cage", "cake", "call", "calm", "camera", "camp", "can", + "canal", "cancel", "candy", "cannon", "canoe", "canvas", "canyon", "capable", + "capital", "captain", "car", "carbon", "card", "cargo", "carpet", "carry", + "cart", "case", "cash", "casino", "castle", "casual", "cat", "catalog", + "catch", "category", "cattle", "caught", "cause", "caution", "cave", "ceiling", + "celery", "cement", "census", "century", "cereal", "certain", "chair", "chalk", + "champion", "change", "chaos", "chapter", "charge", "chase", "chat", "cheap", + "check", "cheese", "chef", "cherry", "chest", "chicken", "chief", "child", + "chimney", "choice", "choose", "chronic", "chuckle", "chunk", "churn", "cigar", + "cinnamon", "circle", "citizen", "city", "civil", "claim", "clap", "clarify", + "claw", "clay", "clean", "clerk", "clever", "click", "client", "cliff", + "climb", "clinic", "clip", "clock", "clog", "close", "cloth", "cloud", + "clown", "club", "clump", "cluster", "clutch", "coach", "coast", "coconut", + "code", "coffee", "coil", "coin", "collect", "color", "column", "combine", + "come", "comfort", "comic", "common", "company", "concert", "conduct", "confirm", + "congress", "connect", "consider", "control", "convince", "cook", "cool", "copper", + "copy", "coral", "core", "corn", "correct", "cost", "cotton", "couch", + "country", "couple", "course", "cousin", "cover", "coyote", "crack", "cradle", + "craft", "cram", "crane", "crash", "crater", "crawl", "crazy", "cream", + "credit", "creek", "crew", "cricket", "crime", "crisp", "critic", "crop", + "cross", "crouch", "crowd", "crucial", "cruel", "cruise", "crumble", "crunch", + "crush", "cry", "crystal", "cube", "culture", "cup", "cupboard", "curious", + "current", "curtain", "curve", "cushion", "custom", "cute", "cycle", "dad", + "damage", "damp", "dance", "danger", "daring", "dash", "daughter", "dawn", + "day", "deal", "debate", "debris", "decade", "december", "decide", "decline", + "decorate", "decrease", "deer", "defense", "define", "defy", "degree", "delay", + "deliver", "demand", "demise", "denial", "dentist", "deny", "depart", "depend", + "deposit", "depth", "deputy", "derive", "describe", "desert", "design", "desk", + "despair", "destroy", "detail", "detect", "develop", "device", "devote", "diagram", + "dial", "diamond", "diary", "dice", "diesel", "diet", "differ", "digital", + "dignity", "dilemma", "dinner", "dinosaur", "direct", "dirt", "disagree", "discover", + "disease", "dish", "dismiss", "disorder", "display", "distance", "divert", "divide", + "divorce", "dizzy", "doctor", "document", "dog", "doll", "dolphin", "domain", + "donate", "donkey", "donor", "door", "dose", "double", "dove", "draft", + "dragon", "drama", "drastic", "draw", "dream", "dress", "drift", "drill", + "drink", "drip", "drive", "drop", "drum", "dry", "duck", "dumb", + "dune", "during", "dust", "dutch", "duty", "dwarf", "dynamic", "eager", + "eagle", "early", "earn", "earth", "easily", "east", "easy", "echo", + "ecology", "economy", "edge", "edit", "educate", "effort", "egg", "eight", + "either", "elbow", "elder", "electric", "elegant", "element", "elephant", "elevator", + "elite", "else", "embark", "embody", "embrace", "emerge", "emotion", "employ", + "empower", "empty", "enable", "enact", "end", "endless", "endorse", "enemy", + "energy", "enforce", "engage", "engine", "enhance", "enjoy", "enlist", "enough", + "enrich", "enroll", "ensure", "enter", "entire", "entry", "envelope", "episode", + "equal", "equip", "era", "erase", "erode", "erosion", "error", "erupt", + "escape", "essay", "essence", "estate", "eternal", "ethics", "evidence", "evil", + "evoke", "evolve", "exact", "example", "excess", "exchange", "excite", "exclude", + "excuse", "execute", "exercise", "exhaust", "exhibit", "exile", "exist", "exit", + "exotic", "expand", "expect", "expire", "explain", "expose", "express", "extend", + "extra", "eye", "eyebrow", "fabric", "face", "faculty", "fade", "faint", + "faith", "fall", "false", "fame", "family", "famous", "fan", "fancy", + "fantasy", "farm", "fashion", "fat", "fatal", "father", "fatigue", "fault", + "favorite", "feature", "february", "federal", "fee", "feed", "feel", "female", + "fence", "festival", "fetch", "fever", "few", "fiber", "fiction", "field", + "figure", "file", "film", "filter", "final", "find", "fine", "finger", + "finish", "fire", "firm", "first", "fiscal", "fish", "fit", "fitness", + "fix", "flag", "flame", "flash", "flat", "flavor", "flee", "flight", + "flip", "float", "flock", "floor", "flower", "fluid", "flush", "fly", + "foam", "focus", "fog", "foil", "fold", "follow", "food", "foot", + "force", "forest", "forget", "fork", "fortune", "forum", "forward", "fossil", + "foster", "found", "fox", "fragile", "frame", "frequent", "fresh", "friend", + "fringe", "frog", "front", "frost", "frown", "frozen", "fruit", "fuel", + "fun", "funny", "furnace", "fury", "future", "gadget", "gain", "galaxy", + "gallery", "game", "gap", "garage", "garbage", "garden", "garlic", "garment", + "gas", "gasp", "gate", "gather", "gauge", "gaze", "general", "genius", + "genre", "gentle", "genuine", "gesture", "ghost", "giant", "gift", "giggle", + "ginger", "giraffe", "girl", "give", "glad", "glance", "glare", "glass", + "glide", "glimpse", "globe", "gloom", "glory", "glove", "glow", "glue", + "goat", "goddess", "gold", "good", "goose", "gorilla", "gospel", "gossip", + "govern", "gown", "grab", "grace", "grain", "grant", "grape", "grass", + "gravity", "great", "green", "grid", "grief", "grit", "grocery", "group", + "grow", "grunt", "guard", "guess", "guide", "guilt", "guitar", "gun", + "gym", "habit", "hair", "half", "hammer", "hamster", "hand", "happy", + "harbor", "hard", "harsh", "harvest", "hat", "have", "hawk", "hazard", + "head", "health", "heart", "heavy", "hedgehog", "height", "hello", "helmet", + "help", "hen", "hero", "hidden", "high", "hill", "hint", "hip", + "hire", "history", "hobby", "hockey", "hold", "hole", "holiday", "hollow", + "home", "honey", "hood", "hope", "horn", "horror", "horse", "hospital", + "host", "hotel", "hour", "hover", "hub", "huge", "human", "humble", + "humor", "hundred", "hungry", "hunt", "hurdle", "hurry", "hurt", "husband", + "hybrid", "ice", "icon", "idea", "identify", "idle", "ignore", "ill", + "illegal", "illness", "image", "imitate", "immense", "immune", "impact", "impose", + "improve", "impulse", "inch", "include", "income", "increase", "index", "indicate", + "indoor", "industry", "infant", "inflict", "inform", "inhale", "inherit", "initial", + "inject", "injury", "inmate", "inner", "innocent", "input", "inquiry", "insane", + "insect", "inside", "inspire", "install", "intact", "interest", "into", "invest", + "invite", "involve", "iron", "island", "isolate", "issue", "item", "ivory", + "jacket", "jaguar", "jar", "jazz", "jealous", "jeans", "jelly", "jewel", + "job", "join", "joke", "journey", "joy", "judge", "juice", "jump", + "jungle", "junior", "junk", "just", "kangaroo", "keen", "keep", "ketchup", + "key", "kick", "kid", "kidney", "kind", "kingdom", "kiss", "kit", + "kitchen", "kite", "kitten", "kiwi", "knee", "knife", "knock", "know", + "lab", "label", "labor", "ladder", "lady", "lake", "lamp", "language", + "laptop", "large", "later", "latin", "laugh", "laundry", "lava", "law", + "lawn", "lawsuit", "layer", "lazy", "leader", "leaf", "learn", "leave", + "lecture", "left", "leg", "legal", "legend", "leisure", "lemon", "lend", + "length", "lens", "leopard", "lesson", "letter", "level", "liar", "liberty", + "library", "license", "life", "lift", "light", "like", "limb", "limit", + "link", "lion", "liquid", "list", "little", "live", "lizard", "load", + "loan", "lobster", "local", "lock", "logic", "lonely", "long", "loop", + "lottery", "loud", "lounge", "love", "loyal", "lucky", "luggage", "lumber", + "lunar", "lunch", "luxury", "lyrics", "machine", "mad", "magic", "magnet", + "maid", "mail", "main", "major", "make", "mammal", "man", "manage", + "mandate", "mango", "mansion", "manual", "maple", "marble", "march", "margin", + "marine", "market", "marriage", "mask", "mass", "master", "match", "material", + "math", "matrix", "matter", "maximum", "maze", "meadow", "mean", "measure", + "meat", "mechanic", "medal", "media", "melody", "melt", "member", "memory", + "mention", "menu", "mercy", "merge", "merit", "merry", "mesh", "message", + "metal", "method", "middle", "midnight", "milk", "million", "mimic", "mind", + "minimum", "minor", "minute", "miracle", "mirror", "misery", "miss", "mistake", + "mix", "mixed", "mixture", "mobile", "model", "modify", "mom", "moment", + "monitor", "monkey", "monster", "month", "moon", "moral", "more", "morning", + "mosquito", "mother", "motion", "motor", "mountain", "mouse", "move", "movie", + "much", "muffin", "mule", "multiply", "muscle", "museum", "mushroom", "music", + "must", "mutual", "myself", "mystery", "myth", "naive", "name", "napkin", + "narrow", "nasty", "nation", "nature", "near", "neck", "need", "negative", + "neglect", "neither", "nephew", "nerve", "nest", "net", "network", "neutral", + "never", "news", "next", "nice", "night", "noble", "noise", "nominee", + "noodle", "normal", "north", "nose", "notable", "note", "nothing", "notice", + "novel", "now", "nuclear", "number", "nurse", "nut", "oak", "obey", + "object", "oblige", "obscure", "observe", "obtain", "obvious", "occur", "ocean", + "october", "odor", "off", "offer", "office", "often", "oil", "okay", + "old", "olive", "olympic", "omit", "once", "one", "onion", "online", + "only", "open", "opera", "opinion", "oppose", "option", "orange", "orbit", + "orchard", "order", "ordinary", "organ", "orient", "original", "orphan", "ostrich", + "other", "outdoor", "outer", "output", "outside", "oval", "oven", "over", + "own", "owner", "oxygen", "oyster", "ozone", "pact", "paddle", "page", + "pair", "palace", "palm", "panda", "panel", "panic", "panther", "paper", + "parade", "parent", "park", "parrot", "party", "pass", "patch", "path", + "patient", "patrol", "pattern", "pause", "pave", "payment", "peace", "peanut", + "pear", "peasant", "pelican", "pen", "penalty", "pencil", "people", "pepper", + "perfect", "permit", "person", "pet", "phone", "photo", "phrase", "physical", + "piano", "picnic", "picture", "piece", "pig", "pigeon", "pill", "pilot", + "pink", "pioneer", "pipe", "pistol", "pitch", "pizza", "place", "planet", + "plastic", "plate", "play", "please", "pledge", "pluck", "plug", "plunge", + "poem", "poet", "point", "polar", "pole", "police", "pond", "pony", + "pool", "popular", "portion", "position", "possible", "post", "potato", "pottery", + "poverty", "powder", "power", "practice", "praise", "predict", "prefer", "prepare", + "present", "pretty", "prevent", "price", "pride", "primary", "print", "priority", + "prison", "private", "prize", "problem", "process", "produce", "profit", "program", + "project", "promote", "proof", "property", "prosper", "protect", "proud", "provide", + "public", "pudding", "pull", "pulp", "pulse", "pumpkin", "punch", "pupil", + "puppy", "purchase", "purity", "purpose", "purse", "push", "put", "puzzle", + "pyramid", "quality", "quantum", "quarter", "question", "quick", "quit", "quiz", + "quote", "rabbit", "raccoon", "race", "rack", "radar", "radio", "rail", + "rain", "raise", "rally", "ramp", "ranch", "random", "range", "rapid", + "rare", "rate", "rather", "raven", "raw", "razor", "ready", "real", + "reason", "rebel", "rebuild", "recall", "receive", "recipe", "record", "recycle", + "reduce", "reflect", "reform", "refuse", "region", "regret", "regular", "reject", + "relax", "release", "relief", "rely", "remain", "remember", "remind", "remove", + "render", "renew", "rent", "reopen", "repair", "repeat", "replace", "report", + "require", "rescue", "resemble", "resist", "resource", "response", "result", "retire", + "retreat", "return", "reunion", "reveal", "review", "reward", "rhythm", "rib", + "ribbon", "rice", "rich", "ride", "ridge", "rifle", "right", "rigid", + "ring", "riot", "ripple", "risk", "ritual", "rival", "river", "road", + "roast", "robot", "robust", "rocket", "romance", "roof", "rookie", "room", + "rose", "rotate", "rough", "round", "route", "royal", "rubber", "rude", + "rug", "rule", "run", "runway", "rural", "sad", "saddle", "sadness", + "safe", "sail", "salad", "salmon", "salon", "salt", "salute", "same", + "sample", "sand", "satisfy", "satoshi", "sauce", "sausage", "save", "say", + "scale", "scan", "scare", "scatter", "scene", "scheme", "school", "science", + "scissors", "scorpion", "scout", "scrap", "screen", "script", "scrub", "sea", + "search", "season", "seat", "second", "secret", "section", "security", "seed", + "seek", "segment", "select", "sell", "seminar", "senior", "sense", "sentence", + "series", "service", "session", "settle", "setup", "seven", "shadow", "shaft", + "shallow", "share", "shed", "shell", "sheriff", "shield", "shift", "shine", + "ship", "shiver", "shock", "shoe", "shoot", "shop", "short", "shoulder", + "shove", "shrimp", "shrug", "shuffle", "shy", "sibling", "sick", "side", + "siege", "sight", "sign", "silent", "silk", "silly", "silver", "similar", + "simple", "since", "sing", "siren", "sister", "situate", "six", "size", + "skate", "sketch", "ski", "skill", "skin", "skirt", "skull", "slab", + "slam", "sleep", "slender", "slice", "slide", "slight", "slim", "slogan", + "slot", "slow", "slush", "small", "smart", "smile", "smoke", "smooth", + "snack", "snake", "snap", "sniff", "snow", "soap", "soccer", "social", + "sock", "soda", "soft", "solar", "soldier", "solid", "solution", "solve", + "someone", "song", "soon", "sorry", "sort", "soul", "sound", "soup", + "source", "south", "space", "spare", "spatial", "spawn", "speak", "special", + "speed", "spell", "spend", "sphere", "spice", "spider", "spike", "spin", + "spirit", "split", "spoil", "sponsor", "spoon", "sport", "spot", "spray", + "spread", "spring", "spy", "square", "squeeze", "squirrel", "stable", "stadium", + "staff", "stage", "stairs", "stamp", "stand", "start", "state", "stay", + "steak", "steel", "stem", "step", "stereo", "stick", "still", "sting", + "stock", "stomach", "stone", "stool", "story", "stove", "strategy", "street", + "strike", "strong", "struggle", "student", "stuff", "stumble", "style", "subject", + "submit", "subway", "success", "such", "sudden", "suffer", "sugar", "suggest", + "suit", "summer", "sun", "sunny", "sunset", "super", "supply", "supreme", + "sure", "surface", "surge", "surprise", "surround", "survey", "suspect", "sustain", + "swallow", "swamp", "swap", "swarm", "swear", "sweet", "swift", "swim", + "swing", "switch", "sword", "symbol", "symptom", "syrup", "system", "table", + "tackle", "tag", "tail", "talent", "talk", "tank", "tape", "target", + "task", "taste", "tattoo", "taxi", "teach", "team", "tell", "ten", + "tenant", "tennis", "tent", "term", "test", "text", "thank", "that", + "theme", "then", "theory", "there", "they", "thing", "this", "thought", + "three", "thrive", "throw", "thumb", "thunder", "ticket", "tide", "tiger", + "tilt", "timber", "time", "tiny", "tip", "tired", "tissue", "title", + "toast", "tobacco", "today", "toddler", "toe", "together", "toilet", "token", + "tomato", "tomorrow", "tone", "tongue", "tonight", "tool", "tooth", "top", + "topic", "topple", "torch", "tornado", "tortoise", "toss", "total", "tourist", + "toward", "tower", "town", "toy", "track", "trade", "traffic", "tragic", + "train", "transfer", "trap", "trash", "travel", "tray", "treat", "tree", + "trend", "trial", "tribe", "trick", "trigger", "trim", "trip", "trophy", + "trouble", "truck", "true", "truly", "trumpet", "trust", "truth", "try", + "tube", "tuition", "tumble", "tuna", "tunnel", "turkey", "turn", "turtle", + "twelve", "twenty", "twice", "twin", "twist", "two", "type", "typical", + "ugly", "umbrella", "unable", "unaware", "uncle", "uncover", "under", "undo", + "unfair", "unfold", "unhappy", "uniform", "unique", "unit", "universe", "unknown", + "unlock", "until", "unusual", "unveil", "update", "upgrade", "uphold", "upon", + "upper", "upset", "urban", "urge", "usage", "use", "used", "useful", + "useless", "usual", "utility", "vacant", "vacuum", "vague", "valid", "valley", + "valve", "van", "vanish", "vapor", "various", "vast", "vault", "vehicle", + "velvet", "vendor", "venture", "venue", "verb", "verify", "version", "very", + "vessel", "veteran", "viable", "vibrant", "vicious", "victory", "video", "view", + "village", "vintage", "violin", "virtual", "virus", "visa", "visit", "visual", + "vital", "vivid", "vocal", "voice", "void", "volcano", "volume", "vote", + "voyage", "wage", "wagon", "wait", "walk", "wall", "walnut", "want", + "warfare", "warm", "warrior", "wash", "wasp", "waste", "water", "wave", + "way", "wealth", "weapon", "wear", "weasel", "weather", "web", "wedding", + "weekend", "weird", "welcome", "west", "wet", "whale", "what", "wheat", + "wheel", "when", "where", "whip", "whisper", "wide", "width", "wife", + "wild", "will", "win", "window", "wine", "wing", "wink", "winner", + "winter", "wire", "wisdom", "wise", "wish", "witness", "wolf", "woman", + "wonder", "wood", "wool", "word", "work", "world", "worry", "worth", + "wrap", "wreck", "wrestle", "wrist", "write", "wrong", "yard", "year", + "yellow", "you", "young", "youth", "zebra", "zero", "zone", "zoo", +}; + +#endif diff --git a/main/pin_prefix.c b/main/pin_prefix.c new file mode 100644 index 0000000..d2269b4 --- /dev/null +++ b/main/pin_prefix.c @@ -0,0 +1,106 @@ +// SPDX-FileCopyrightText: © 2026 PrivKey LLC +// SPDX-License-Identifier: AGPL-3.0-or-later + +#include "pin_prefix.h" +#include "bip39_wordlist.h" +#include "crypto_asm.h" +#include +#include +#include + +_Static_assert(sizeof(BIP39_WORDLIST) / sizeof(BIP39_WORDLIST[0]) == BIP39_WORD_COUNT, + "BIP39_WORDLIST size mismatch"); + +#define HMAC_OUTPUT_SIZE 32 +#define ANTI_PHISHING_CONTEXT "anti-phishing" +#define CONTEXT_LEN 13 +#define SECRET_LEN_MAX 1024 + +int pin_prefix_derive_words(const pin_prefix_t *prefix, const uint8_t *device_secret, + size_t secret_len, uint16_t *word1_index, uint16_t *word2_index) { + if (!prefix || !device_secret || !word1_index || !word2_index) + return -1; + if (prefix->len < PIN_PREFIX_MIN_LEN || prefix->len > PIN_PREFIX_MAX_LEN) + return -1; + if (secret_len == 0 || secret_len > SECRET_LEN_MAX) + return -1; + + uint8_t input[CONTEXT_LEN + PIN_PREFIX_MAX_LEN]; + memcpy(input, ANTI_PHISHING_CONTEXT, CONTEXT_LEN); + memcpy(input + CONTEXT_LEN, prefix->digits, prefix->len); + size_t input_len = CONTEXT_LEN + prefix->len; + + uint8_t hmac_out[HMAC_OUTPUT_SIZE]; + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); + if (!md_info) { + secure_memzero(input, sizeof(input)); + secure_memzero(hmac_out, sizeof(hmac_out)); + return -1; + } + int ret = mbedtls_md_hmac(md_info, device_secret, secret_len, input, input_len, hmac_out); + + secure_memzero(input, sizeof(input)); + + if (ret != 0) { + secure_memzero(hmac_out, sizeof(hmac_out)); + return -1; + } + + *word1_index = ((uint16_t)hmac_out[0] << 3 | hmac_out[1] >> 5) & 0x7FF; + *word2_index = ((uint16_t)(hmac_out[1] & 0x1F) << 6 | hmac_out[2] >> 2) & 0x7FF; + + secure_memzero(hmac_out, sizeof(hmac_out)); + return 0; +} + +const char *bip39_get_word(uint16_t index) { + if (index >= BIP39_WORD_COUNT) { + return NULL; + } + return BIP39_WORDLIST[index]; +} + +int pin_prefix_get_words(const pin_prefix_t *prefix, const uint8_t *device_secret, + size_t secret_len, char *word1, size_t word1_size, char *word2, + size_t word2_size) { + if (!word1 || !word2 || word1_size == 0 || word2_size == 0) + return -1; + + uint16_t idx1, idx2; + if (pin_prefix_derive_words(prefix, device_secret, secret_len, &idx1, &idx2) != 0) { + return -1; + } + + const char *w1 = bip39_get_word(idx1); + const char *w2 = bip39_get_word(idx2); + if (!w1 || !w2) { + return -1; + } + + size_t len1 = strlen(w1); + size_t len2 = strlen(w2); + if (len1 >= word1_size || len2 >= word2_size) { + return -1; + } + + memcpy(word1, w1, len1 + 1); + memcpy(word2, w2, len2 + 1); + return 0; +} + +int pin_prefix_set_digit(pin_prefix_t *prefix, uint8_t digit) { + if (!prefix || digit > 9 || prefix->len >= PIN_PREFIX_MAX_LEN) + return -1; + prefix->digits[prefix->len++] = digit; + return 0; +} + +void pin_prefix_clear(pin_prefix_t *prefix) { + if (prefix) { + secure_memzero(prefix, sizeof(*prefix)); + } +} + +bool pin_prefix_is_ready(const pin_prefix_t *prefix) { + return prefix && prefix->len >= PIN_PREFIX_MIN_LEN; +} diff --git a/main/pin_prefix.h b/main/pin_prefix.h new file mode 100644 index 0000000..399878e --- /dev/null +++ b/main/pin_prefix.h @@ -0,0 +1,37 @@ +// SPDX-FileCopyrightText: © 2026 PrivKey LLC +// SPDX-License-Identifier: AGPL-3.0-or-later + +#ifndef PIN_PREFIX_H +#define PIN_PREFIX_H + +#include +#include +#include + +#define PIN_PREFIX_MAX_LEN 4 +#define PIN_PREFIX_MIN_LEN 2 +#define PIN_PREFIX_WORD_COUNT 2 +#define BIP39_WORD_COUNT 2048 +#define BIP39_MAX_WORD_LEN 8 + +typedef struct { + uint8_t digits[PIN_PREFIX_MAX_LEN]; + uint8_t len; +} pin_prefix_t; + +int pin_prefix_derive_words(const pin_prefix_t *prefix, const uint8_t *device_secret, + size_t secret_len, uint16_t *word1_index, uint16_t *word2_index); + +const char *bip39_get_word(uint16_t index); + +int pin_prefix_get_words(const pin_prefix_t *prefix, const uint8_t *device_secret, + size_t secret_len, char *word1, size_t word1_size, char *word2, + size_t word2_size); + +int pin_prefix_set_digit(pin_prefix_t *prefix, uint8_t digit); + +void pin_prefix_clear(pin_prefix_t *prefix); + +bool pin_prefix_is_ready(const pin_prefix_t *prefix); + +#endif diff --git a/test/native/CMakeLists.txt b/test/native/CMakeLists.txt index 09672e2..f205916 100644 --- a/test/native/CMakeLists.txt +++ b/test/native/CMakeLists.txt @@ -165,3 +165,15 @@ target_include_directories(test_anti_glitch PRIVATE ${MAIN_DIR} ) target_compile_definitions(test_anti_glitch PRIVATE NATIVE_TEST=1) + +add_executable(test_pin_prefix test_pin_prefix.c ${MAIN_DIR}/pin_prefix.c) +target_include_directories(test_pin_prefix PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR}/mocks + ${MAIN_DIR} +) +target_compile_definitions(test_pin_prefix PRIVATE NATIVE_TEST=1) +find_package(OpenSSL QUIET) +if(OpenSSL_FOUND) + target_compile_definitions(test_pin_prefix PRIVATE HAS_OPENSSL=1) + target_link_libraries(test_pin_prefix OpenSSL::Crypto) +endif() diff --git a/test/native/mocks/mbedtls/md.h b/test/native/mocks/mbedtls/md.h index d04e93b..d5c6e07 100644 --- a/test/native/mocks/mbedtls/md.h +++ b/test/native/mocks/mbedtls/md.h @@ -3,6 +3,9 @@ #include #include +#include + +#include "crypto_asm.h" typedef enum { MBEDTLS_MD_SHA256 = 6 } mbedtls_md_type_t; @@ -37,4 +40,148 @@ static inline int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_i return 0; } +#ifdef HAS_OPENSSL +#include +#include + +static inline int mbedtls_md_hmac(const mbedtls_md_info_t *md_info, const unsigned char *key, + size_t keylen, const unsigned char *input, size_t ilen, + unsigned char *output) { + (void)md_info; + unsigned int out_len = 32; + if (HMAC(EVP_sha256(), key, (int)keylen, input, ilen, output, &out_len) == NULL) { + return -1; + } + return 0; +} + +#else + +static inline uint32_t rotr32(uint32_t x, int n) { + return (x >> n) | (x << (32 - n)); +} + +static inline void sha256_transform(uint32_t state[8], const uint8_t block[64]) { + static const uint32_t k[64] = { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, + 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, + 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, + 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, + 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, + 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, + 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, + 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, + 0xc67178f2}; + uint32_t w[64]; + for (int i = 0; i < 16; i++) { + w[i] = ((uint32_t)block[i * 4] << 24) | ((uint32_t)block[i * 4 + 1] << 16) | + ((uint32_t)block[i * 4 + 2] << 8) | block[i * 4 + 3]; + } + for (int i = 16; i < 64; i++) { + uint32_t s0 = rotr32(w[i - 15], 7) ^ rotr32(w[i - 15], 18) ^ (w[i - 15] >> 3); + uint32_t s1 = rotr32(w[i - 2], 17) ^ rotr32(w[i - 2], 19) ^ (w[i - 2] >> 10); + w[i] = w[i - 16] + s0 + w[i - 7] + s1; + } + uint32_t a = state[0], b = state[1], c = state[2], d = state[3]; + uint32_t e = state[4], f = state[5], g = state[6], h = state[7]; + for (int i = 0; i < 64; i++) { + uint32_t S1 = rotr32(e, 6) ^ rotr32(e, 11) ^ rotr32(e, 25); + uint32_t ch = (e & f) ^ (~e & g); + uint32_t t1 = h + S1 + ch + k[i] + w[i]; + uint32_t S0 = rotr32(a, 2) ^ rotr32(a, 13) ^ rotr32(a, 22); + uint32_t maj = (a & b) ^ (a & c) ^ (b & c); + uint32_t t2 = S0 + maj; + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + } + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + state[5] += f; + state[6] += g; + state[7] += h; +} + +static inline void sha256(const uint8_t *data, size_t len, uint8_t out[32]) { + uint32_t state[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, + 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19}; + uint8_t block[64]; + size_t i; + for (i = 0; i + 64 <= len; i += 64) { + sha256_transform(state, data + i); + } + size_t rem = len - i; + memset(block, 0, 64); + memcpy(block, data + i, rem); + block[rem] = 0x80; + if (rem >= 56) { + sha256_transform(state, block); + memset(block, 0, 64); + } + uint64_t bits = (uint64_t)len * 8; + for (int j = 0; j < 8; j++) { + block[63 - j] = (uint8_t)(bits >> (j * 8)); + } + sha256_transform(state, block); + for (int j = 0; j < 8; j++) { + out[j * 4] = (uint8_t)(state[j] >> 24); + out[j * 4 + 1] = (uint8_t)(state[j] >> 16); + out[j * 4 + 2] = (uint8_t)(state[j] >> 8); + out[j * 4 + 3] = (uint8_t)state[j]; + } +} + +static inline int mbedtls_md_hmac(const mbedtls_md_info_t *md_info, const unsigned char *key, + size_t keylen, const unsigned char *input, size_t ilen, + unsigned char *output) { + (void)md_info; + uint8_t k_ipad[64], k_opad[64]; + uint8_t tk[32]; + if (keylen > 64) { + sha256(key, keylen, tk); + key = tk; + keylen = 32; + } + memset(k_ipad, 0x36, 64); + memset(k_opad, 0x5c, 64); + for (size_t i = 0; i < keylen; i++) { + k_ipad[i] ^= key[i]; + k_opad[i] ^= key[i]; + } + uint8_t inner[64 + 1024]; + if (ilen > 1024) { + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memset(tk, 0, sizeof(tk)); + return -1; + } + memcpy(inner, k_ipad, 64); + memcpy(inner + 64, input, ilen); + uint8_t inner_hash[32]; + sha256(inner, 64 + ilen, inner_hash); + uint8_t outer[64 + 32]; + memcpy(outer, k_opad, 64); + memcpy(outer + 64, inner_hash, 32); + sha256(outer, 64 + 32, output); + + secure_memzero(k_ipad, sizeof(k_ipad)); + secure_memzero(k_opad, sizeof(k_opad)); + secure_memzero(tk, sizeof(tk)); + secure_memzero(inner, sizeof(inner)); + secure_memzero(inner_hash, sizeof(inner_hash)); + + return 0; +} + +#endif + #endif diff --git a/test/native/test_pin_prefix.c b/test/native/test_pin_prefix.c new file mode 100644 index 0000000..1744784 --- /dev/null +++ b/test/native/test_pin_prefix.c @@ -0,0 +1,383 @@ +// SPDX-FileCopyrightText: © 2026 PrivKey LLC +// SPDX-License-Identifier: AGPL-3.0-or-later + +#include +#include +#include + +#include "crypto_asm.h" +#include "pin_prefix.h" + +#define TEST(name) printf(" TEST: %s\n", name) +#define PASS() printf(" PASS\n") +#define FAIL(msg) \ + do { \ + printf(" FAIL: %s\n", msg); \ + return 1; \ + } while (0) + +static const uint8_t TEST_SECRET[32] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20}; + +static int test_derive_words_basic(void) { + TEST("derive words basic"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1, &word2) != 0) + FAIL("derive failed"); + + if (word1 >= BIP39_WORD_COUNT) + FAIL("word1 index out of range"); + if (word2 >= BIP39_WORD_COUNT) + FAIL("word2 index out of range"); + + PASS(); + return 0; +} + +static int test_derive_words_deterministic(void) { + TEST("derive words deterministic"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + uint16_t word1_a, word2_a, word1_b, word2_b; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1_a, &word2_a) != 0) + FAIL("first derive failed"); + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1_b, &word2_b) != 0) + FAIL("second derive failed"); + + if (word1_a != word1_b) + FAIL("word1 not deterministic"); + if (word2_a != word2_b) + FAIL("word2 not deterministic"); + + PASS(); + return 0; +} + +static int test_different_prefix_different_words(void) { + TEST("different prefix different words"); + + pin_prefix_t prefix1 = {.digits = {1, 2, 3, 4}, .len = 4}; + pin_prefix_t prefix2 = {.digits = {5, 6, 7, 8}, .len = 4}; + uint16_t word1_a, word2_a, word1_b, word2_b; + + if (pin_prefix_derive_words(&prefix1, TEST_SECRET, sizeof(TEST_SECRET), &word1_a, &word2_a) != + 0) + FAIL("first derive failed"); + if (pin_prefix_derive_words(&prefix2, TEST_SECRET, sizeof(TEST_SECRET), &word1_b, &word2_b) != + 0) + FAIL("second derive failed"); + + if (word1_a == word1_b && word2_a == word2_b) + FAIL("different prefixes should produce different words"); + + PASS(); + return 0; +} + +static int test_different_secret_different_words(void) { + TEST("different secret different words"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + uint8_t secret2[32]; + memcpy(secret2, TEST_SECRET, sizeof(secret2)); + secret2[0] ^= 0xFF; + + uint16_t word1_a, word2_a, word1_b, word2_b; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1_a, &word2_a) != 0) + FAIL("first derive failed"); + if (pin_prefix_derive_words(&prefix, secret2, sizeof(secret2), &word1_b, &word2_b) != 0) + FAIL("second derive failed"); + + if (word1_a == word1_b && word2_a == word2_b) + FAIL("different secrets should produce different words"); + + PASS(); + return 0; +} + +static int test_min_prefix_len(void) { + TEST("minimum prefix length"); + + pin_prefix_t prefix = {.digits = {1, 2}, .len = 2}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1, &word2) != 0) + FAIL("derive with 2 digits should work"); + + PASS(); + return 0; +} + +static int test_prefix_too_short(void) { + TEST("prefix too short"); + + pin_prefix_t prefix = {.digits = {1}, .len = 1}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1, &word2) == 0) + FAIL("should fail with 1 digit"); + + PASS(); + return 0; +} + +static int test_prefix_too_long(void) { + TEST("prefix too long"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 5}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1, &word2) == 0) + FAIL("should fail with 5 digits"); + + PASS(); + return 0; +} + +static int test_null_params(void) { + TEST("null parameters"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(NULL, TEST_SECRET, sizeof(TEST_SECRET), &word1, &word2) == 0) + FAIL("should fail with null prefix"); + if (pin_prefix_derive_words(&prefix, NULL, sizeof(TEST_SECRET), &word1, &word2) == 0) + FAIL("should fail with null secret"); + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), NULL, &word2) == 0) + FAIL("should fail with null word1"); + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1, NULL) == 0) + FAIL("should fail with null word2"); + + PASS(); + return 0; +} + +static int test_zero_secret_len(void) { + TEST("zero secret length"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, 0, &word1, &word2) == 0) + FAIL("should fail with zero secret length"); + + PASS(); + return 0; +} + +static int test_secret_len_too_large(void) { + TEST("secret length too large"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, 1025, &word1, &word2) == 0) + FAIL("should fail with secret length > 1024"); + + PASS(); + return 0; +} + +static int test_bip39_get_word(void) { + TEST("bip39_get_word"); + + const char *first = bip39_get_word(0); + const char *last = bip39_get_word(2047); + + if (!first) + FAIL("first word is null"); + if (!last) + FAIL("last word is null"); + if (strcmp(first, "abandon") != 0) + FAIL("first word should be 'abandon'"); + if (strcmp(last, "zoo") != 0) + FAIL("last word should be 'zoo'"); + if (bip39_get_word(2048) != NULL) + FAIL("out of range should return null"); + + PASS(); + return 0; +} + +static int test_get_words(void) { + TEST("get_words convenience function"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + char word1[16], word2[16]; + + if (pin_prefix_get_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), word1, sizeof(word1), word2, + sizeof(word2)) != 0) + FAIL("get_words failed"); + + if (strlen(word1) == 0) + FAIL("word1 is empty"); + if (strlen(word2) == 0) + FAIL("word2 is empty"); + + PASS(); + return 0; +} + +static int test_get_words_buffer_too_small(void) { + TEST("get_words buffer too small"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + char word1[2], word2[16]; + + if (pin_prefix_get_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), word1, sizeof(word1), word2, + sizeof(word2)) == 0) + FAIL("should fail with small buffer"); + + PASS(); + return 0; +} + +static int test_set_digit(void) { + TEST("set_digit"); + + pin_prefix_t prefix; + pin_prefix_clear(&prefix); + + if (pin_prefix_set_digit(&prefix, 1) != 0) + FAIL("set first digit failed"); + if (pin_prefix_set_digit(&prefix, 2) != 0) + FAIL("set second digit failed"); + if (prefix.len != 2) + FAIL("length should be 2"); + if (prefix.digits[0] != 1 || prefix.digits[1] != 2) + FAIL("digits mismatch"); + + PASS(); + return 0; +} + +static int test_set_digit_overflow(void) { + TEST("set_digit overflow"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + + if (pin_prefix_set_digit(&prefix, 5) == 0) + FAIL("should fail when full"); + + PASS(); + return 0; +} + +static int test_set_digit_invalid(void) { + TEST("set_digit invalid digit"); + + pin_prefix_t prefix; + pin_prefix_clear(&prefix); + + if (pin_prefix_set_digit(&prefix, 10) == 0) + FAIL("should reject digit > 9"); + + PASS(); + return 0; +} + +static int test_is_ready(void) { + TEST("is_ready"); + + pin_prefix_t prefix; + pin_prefix_clear(&prefix); + + if (pin_prefix_is_ready(&prefix)) + FAIL("should not be ready with 0 digits"); + + pin_prefix_set_digit(&prefix, 1); + if (pin_prefix_is_ready(&prefix)) + FAIL("should not be ready with 1 digit"); + + pin_prefix_set_digit(&prefix, 2); + if (!pin_prefix_is_ready(&prefix)) + FAIL("should be ready with 2 digits"); + + PASS(); + return 0; +} + +static int test_clear(void) { + TEST("clear"); + + pin_prefix_t prefix = {.digits = {1, 2, 3, 4}, .len = 4}; + pin_prefix_clear(&prefix); + + if (prefix.len != 0) + FAIL("length should be 0"); + for (int i = 0; i < PIN_PREFIX_MAX_LEN; i++) { + if (prefix.digits[i] != 0) + FAIL("digits should be zeroed"); + } + + PASS(); + return 0; +} + +static int test_word_index_distribution(void) { + TEST("word index distribution"); + + int seen_different = 0; + uint16_t prev_word1 = 0, prev_word2 = 0; + + for (int i = 0; i < 10; i++) { + pin_prefix_t prefix = {.digits = {(uint8_t)i, (uint8_t)((i + 1) % 10)}, .len = 2}; + uint16_t word1, word2; + + if (pin_prefix_derive_words(&prefix, TEST_SECRET, sizeof(TEST_SECRET), &word1, &word2) != 0) + FAIL("derive failed"); + + if (i > 0 && (word1 != prev_word1 || word2 != prev_word2)) { + seen_different = 1; + } + prev_word1 = word1; + prev_word2 = word2; + } + + if (!seen_different) + FAIL("all prefixes produced same words"); + + PASS(); + return 0; +} + +int main(void) { + printf("\n=== PIN Prefix Anti-Phishing Tests ===\n\n"); + + int failures = 0; + failures += test_derive_words_basic(); + failures += test_derive_words_deterministic(); + failures += test_different_prefix_different_words(); + failures += test_different_secret_different_words(); + failures += test_min_prefix_len(); + failures += test_prefix_too_short(); + failures += test_prefix_too_long(); + failures += test_null_params(); + failures += test_zero_secret_len(); + failures += test_secret_len_too_large(); + failures += test_bip39_get_word(); + failures += test_get_words(); + failures += test_get_words_buffer_too_small(); + failures += test_set_digit(); + failures += test_set_digit_overflow(); + failures += test_set_digit_invalid(); + failures += test_is_ready(); + failures += test_clear(); + failures += test_word_index_distribution(); + + printf("\n"); + if (failures == 0) { + printf("=== All tests passed ===\n\n"); + return 0; + } else { + printf("=== %d test(s) failed ===\n\n", failures); + return 1; + } +}