mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-21 05:48:23 +00:00
Commit Graph

56 Commits

Author SHA1 Message Date
Jochen Hoenicke
c61ab76ad7 Reworked bn_format.
- Fix off-by-one in buffer size.
- Don't return uninitialized stack if number too large.
2018-04-05 09:24:41 +02:00
Jochen Hoenicke
2350bb015c Fix another undefined shift.
Note that `(1 << j)` is undefined for j == 31, so `(1u << j)` should be
used.
2018-04-05 09:24:41 +02:00
Jochen Hoenicke
009850f6c9 Fixed undefined behavior
This fixes a shift by 32 and shifts on signed integer that overflow.
2018-03-27 15:04:55 +02:00
Pavol Rusnak
bb4c3d0525 introduce and use memzero instead of explicit_bzero 2018-01-18 15:18:09 +01:00
Pavol Rusnak
b7f73ee3ff use explicit_bzero 2018-01-16 19:41:27 +01:00
Saleem Rashid
85cb0b4f2c bignum: Fix bn_digitcount
bn_digitcount used to use bn_bitcount. This would give the maximum
digits, which would often be higher than the actual number. This would
result in leading zeroes in bn_format.
2017-07-27 21:20:43 +02:00
Saleem Rashid
43ea1392f2 bignum: rename bn_maxdigitcount to bn_digitcount
This reverts commit 5dbdf18b6c.
2017-07-27 21:20:43 +02:00
Pavol Rusnak
5dbdf18b6c bignum: rename bn_digitcount to bn_maxdigitcount (can return value one higher than the real result) 2017-07-27 19:21:56 +02:00
Saleem Rashid
88527dde7a bignum: Add exponent and trailing to bn_format 2017-07-27 17:55:33 +02:00
Pavol Rusnak
af01ef71fc bignum: add bn_format 2017-05-17 17:49:35 +02:00
Pavol Rusnak
459f4a5e7a add setbit, clearbit, testbit and xor to bignum 2016-10-31 17:26:24 +01:00
Alex Beregszaszi
7e7e462be7 bignum: introduce bn_one 2016-08-27 13:15:20 +01:00
Alex Beregszaszi
7956c2f2f1 bignum: implement bitcount 2016-08-26 12:31:51 +01:00
Alex Beregszaszi
29e82018cd bignum: rename bn_load_uint* to bn_read_uint* 2016-08-26 12:14:01 +01:00
Alex Beregszaszi
97454d9cbc bignum: use the compiler's built in memory copy for bn_copy 2016-08-26 12:12:54 +01:00
Alex Beregszaszi
d061139da9 bignum: introduce load uint32/uint64 2016-08-26 12:12:54 +01:00
Alex Beregszaszi
dd25a2ee5a bignum: introduce copy 2016-08-26 01:08:55 +01:00
Alex Beregszaszi
62a0db8c4e bignum: introduce read/write_le 2016-08-25 23:18:24 +01:00
Pavol Rusnak
d61a151900 add bn_divmod1000 including unit test 2016-06-28 20:05:01 +02:00
Jochen Hoenicke
533c3beb63 Fixed uncompress_coords for NIST curve
The bn_sqrti was broken.  It didn't handle primes where all bits are set
in the lowest limb.
2016-04-20 15:09:11 +02:00
Roman Zeyde
437f8b3856 bignum: constant time implementation for bn_mod() 2015-08-31 20:55:02 +03:00
Jochen Hoenicke
472b90d8ed Added myself to copyright lines. 2015-08-19 21:45:21 +02:00
Jochen Hoenicke
f93b003cbc Extended comments, new function bn_add, a bug fix.
Describe normalized, partly reduced and reduced numbers.
Comment which function expects which kind of input.
Removed unused bn_bitlen.
Add bn_add that does not reduce.
Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal.
Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.
2015-08-06 19:09:23 +02:00
Jochen Hoenicke
f2081d88d8 New jacobian_add that handles doubling.
Fix bug where jacobian_add is called with two identical points.
2015-08-05 21:23:04 +02:00
Jochen Hoenicke
6ba4d288b0 Cleaned up bignum code
1. Fixed bn_multiply_step to handle small primes.
2. Removed many calls to bn_mod to prevent side-channel leakage.
2015-08-05 19:36:30 +02:00
Roman Zeyde
793234a0ec bignum: use constant time comparisons 2015-08-03 10:57:09 +03:00
Roman Zeyde
ea16aa0b86 Remove unnecessary #include "secp256k1.h" 2015-07-07 10:39:12 +03:00
Roman Zeyde
587d6a65ea Update documentation regarding ECDSA curves support 2015-07-07 10:38:16 +03:00
Roman Zeyde
7c58fc11a4 Add support for NIST256P1 elliptic curve
This enables SSH ECDSA public key authentication.
2015-06-26 10:33:14 +03:00
Pavol Rusnak
21d0bb437a cleanup coding style 2015-04-13 18:19:33 +02:00
netanelkl
3fd32df8ed More of the same. 2015-04-09 15:05:28 -04:00
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practice it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd Added modulus to bn_subtractmod 2015-03-17 19:17:56 +01:00
Jochen Hoenicke
62b95ee414 Optimized conversion functions.
Also added a few more comments
2015-03-17 19:17:56 +01:00
Jochen Hoenicke
7d4cf5cedd Optimized the bn_inverse method.
The new method needs about 30 % less time for prime256k1 and is about
twice as fast for other moduli.  The base algorithm is the same.
The code is also a bit smaller and doesn't need the 8 kb precomputed
table.

Important changes:
1. even/odd distinction so that we need to test only one of the numbers
   for being even.  This also leads to less duplicated code.
2. Allow for shifting by 32 bits at a time in the even test.
3. Pack u,s and v,r into the same array, which saves a bit of stack memory.
4. Don't divide by two after subtraction; this simplifies code.
5. Abort as soon as u,v are equal, instead of subtracting them.
6. Use s instead of r after the loop; no negation needed.
7. New code that divides by 2^k fast without any precomputed values.
2015-03-17 19:17:47 +01:00
Pavol Rusnak
e37ba822e6 bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Jochen Hoenicke
7e98c02afd Added comments to the tricky algorithms.
Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod don't work for
an arbitrary modulus.  The modulus must be close to 2^256.
2015-03-09 12:06:46 +01:00
Pavol Rusnak
03a8925e0f rename BN_PRINT define to USE_BN_PRINT 2014-07-07 21:24:10 +02:00
Pavol Rusnak
019d779a94 Revert "Revert "add more precomputation to ecdsa signing""
This reverts commit 3747ba4323.
2014-07-03 10:09:45 +02:00
Pavol Rusnak
3747ba4323 Revert "add more precomputation to ecdsa signing"
This reverts commit 06dd166a82.
2014-07-03 01:18:00 +02:00
Pavol Rusnak
612f5ab050 fix copyright headers 2014-05-22 20:54:58 +02:00
Pavol Rusnak
06dd166a82 add more precomputation to ecdsa signing 2014-05-15 17:11:26 +02:00
Jan Pochyla
67eb76fd1b llu -> ull for MSVC compatibility 2014-02-15 15:57:41 +01:00
Pavol Rusnak
2e4ec7fe0a introduce ecdsa_address_to_hash160 2014-01-30 20:34:05 +01:00
Pavol Rusnak
8423c7abfd add check that pub.y != res.y 2014-01-04 17:39:37 +01:00
Pavol Rusnak
9205c0d952 use canonical signatures (if S > Order/2: S = Order - S) 2013-10-08 14:06:48 +02:00
Pavol Rusnak
678e5b1af2 use #if instead of #ifdef for conditional macros 2013-10-03 17:32:27 +02:00
Pavol Rusnak
f4f246f3d7 optimize computations 2013-09-27 15:42:52 +02:00
Pavol Rusnak
7ed18947ba simplify divmod58 2013-09-25 12:39:23 +02:00