trezor-firmware

Commit Graph

Author	SHA1	Message	Date
Saleem Rashid	c70e440128	hasher: Replace hasher_Double with HASHER_*D This allows us to finely control when to use a single hash or a double hash in various places. For example, Bitcoin signatures use double SHA256, but Decred signatures use a single BLAKE256. However, both use double hashes for Base58.	6 years ago
Pavol Rusnak	bb4c3d0525	introduce and use memzero instead of explicit_bzero	7 years ago
Pavol Rusnak	b7f73ee3ff	use explicit_bzero	7 years ago
Saleem Rashid	b41a51805f	Use hasher_Raw instead of sha256_Raw	7 years ago
Jochen Hoenicke	9dfc6a4477	introduce confidential macro, mark confidential items	7 years ago
Pavol Rusnak	af06a997cb	refactor ecdsa_get_address_segwit_p2sh{,_raw}	7 years ago
Pavol Rusnak	c950342063	refactor hdnode_public_ckd_address_optimized	7 years ago
Pavol Rusnak	a820a5601b	split rfc6979 from ecdsa into separate module	7 years ago
Pavol Rusnak	a8aacac6be	ecdsa: rand -> rnd	7 years ago
Jochen Hoenicke	d3d88591d0	Added co-signing for ed25519.	7 years ago
Jochen Hoenicke	9443aefa9a	Multi-byte prefix cleanup use the functions from address.c in ecdsa.c to avoid duplicated code.	8 years ago
Jochen Hoenicke	949220ac0b	Protect signing against side-channel attack (#81 ) Signing uses the bn_inverse function that is prone to side-channel attacks. We randomize its argument by multiplying it with a random non-zero number. At the end we multiply again by the same number to cancel it out. Changed get_k_random to take the prime range as a second argument and to return a non-zero number. This function was previously only used for (non-rfc6979) signing and is now used for side-channel protection.	8 years ago
Pavol Rusnak	cf21bb2fbf	refactor ECDH multiplication into ecdh_multiply function	8 years ago
Pavol Rusnak	ad73c0d4e7	fix ecdsa_address_decode	8 years ago
Pavol Rusnak	8764e26368	ecdsa_address_decode now needs version	8 years ago
Pavol Rusnak	430a5087c8	introduce MAX_ADDR_RAW_SIZE and MAX_WIF_RAW_SIZE macros	8 years ago
Pavol Rusnak	d10ec230c0	add support for multibyte address versions	8 years ago
Jochen Hoenicke	157caf3763	ecdsa: fix out-of-bounds read in point_multiply (#71 ) Fixes #70.	8 years ago
Jochen Hoenicke	133c068f37	Reworked rfc6979 signing. (#72 ) This adds an is_canonic parameter to all sign functions. This is a callback that determines if a signature corresponds to some coin specific rules. It is used, e. g., by ethereum (where the recovery byte must be 0 or 1, and not 2 or 3) and or steem signatures (which require both r and s to be between 2^248 and 2^255). This also separates the initialization and the step function of the random number generator, making it easy to restart the signature process with the next random number.	8 years ago
Jochen Hoenicke	f4ed55377d	Moved get_ethereum_address from ecdsa to bip32 The new name of the function is `hdnode_get_ethereum_address` and it gets a hdnode as input as opposed to a public key. This also avoids first computing the compressed public key and then uncompressing it. Test cases were adapted to work with new function. The test-vectors are the same as for bip32 and independently checked with an adhoc python implementation.	8 years ago
Alex Beregszaszi	4e7da75c6e	Rewrite ecdsa_uncompress_pubkey() using ecdsa_read_pubkey()	8 years ago
Alex Beregszaszi	1b8e3d557f	Implement ecdsa_get_ethereum_pubkeyhash()	8 years ago
Alex Beregszaszi	7d68a6ee17	Add ecdsa_uncompress_pubkey() Code based on @Arachnid's PR, but has more strict checks	8 years ago
Pavol Rusnak	110965f31d	further optimize emscripten	8 years ago
Jochen Hoenicke	7b07dff25c	Added Unit test, fixed one corner case.	8 years ago
Jochen Hoenicke	409783ba64	New function ecdsa_verify_recover Moved the code from Trezor firmware to here for recovering the public key when verifying a bitcoin message. Fixed the signing and verification for the unlikely case the r value overflows.	8 years ago
Jochen Hoenicke	698f40f385	BIP-32 without gaps, prepare non-ecdsa curves * Split ecdsa_curve into curve_info and ecdsa_curve to support bip32 on curves that don't have a ecdsa_curve. * Don't fail in key derivation but retry with a new hash. * Adapted test case accordingly	8 years ago
Jochen Hoenicke	533c3beb63	Fixed uncompress_coords for NIST curve The bn_sqrti was broken. It didn't handle primes where all bits are set in the lowest limb.	8 years ago
Jochen Hoenicke	0bc1b70c4a	Use different seed modifier for different curves	8 years ago
Jochen Hoenicke	472b90d8ed	Added myself to copyright lines.	9 years ago
Jochen Hoenicke	774ac9cb22	Simplified test for doubling in point_jacobian_add	9 years ago
Jochen Hoenicke	f93b003cbc	Extended comments, new function bn_add, a bug fix. Describe normalized, partly reduced and reduced numbers. Comment which function expects which kind of input. Removed unused bn_bitlen. Add bn_add that does not reduce. Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal. Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.	9 years ago
Jochen Hoenicke	f2081d88d8	New jacobian_add that handles doubling. Fix bug where jacobian_add is called with two identical points.	9 years ago
Jochen Hoenicke	60e36dac3b	Fixed conditional_negate for larger numbers Without the bn_mod the numbers get larger (but still < 2*prime), so conditional_negate should handle this.	9 years ago
Jochen Hoenicke	6ba4d288b0	Cleaned up bignum code 1. Fixed bn_multiply_step to handle small primes. 2. Removed many calls to bn_mod to prevent side-channel leakage.	9 years ago
Pavol Rusnak	d659fd49a5	return back normalization of signatures	9 years ago
Pavol Rusnak	71c24673ce	Merge branch 'ssh-agent' of git://github.com/romanz/trezor-crypto into romanz-ssh-agent Conflicts: ecdsa.c	9 years ago
Pavol Rusnak	36caf5b33a	Merge pull request #35 from romanz/master ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	36847ac0d7	ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	7c58fc11a4	Add support for NIST256P1 elliptic curve This enables SSH ECDSA public key authentication.	9 years ago
John Dvorak	85cebfe968	Change return value of ecdsa_sign_digest Error codes were not being propagated, always returned as 0.	9 years ago
Pavol Rusnak	21d0bb437a	cleanup coding style	9 years ago
netanelkl	3fd32df8ed	More of the same.	10 years ago
Pavol Rusnak	a757693fe3	Merge pull request #26 from jhoenicke/bignum_improvements Bignum improvements	10 years ago
Oleg Andreev	a5a4333a8e	typo fix (no, this was not a bug)	10 years ago
Jochen Hoenicke	56f5777b68	Refactored code for point doubling. New function `bn_mult_3_2` that multiplies by 3/2. This function is used in point_double and point_jacobian_double. Cleaned up point_add and point_double, more comments.	10 years ago
Jochen Hoenicke	edf0fc4902	New fast variant of point_multiply. Use a similar algorithm for `point_multiply` as for `scalar_multiply` but with less precomputation. Added double for points in Jacobian coordinates. Simplified `point_jacobian_add` a little.	10 years ago
Jochen Hoenicke	1700caf2ad	scalar_mult based on Jacobian representation This version of scalar_mult should be faster and much better against side-channel attacks. Except bn_inverse and bn_mod all functions are constant time. bn_inverse is only used in the last step and its input is randomized. The function bn_mod is only taking extra time in 2^32/2^256 cases, so in practise it should not occur at all. The input to bn_mod is also depending on the random value. There is secret dependent array access in scalar_multiply, so cache may be an issue.	10 years ago
Jochen Hoenicke	2c38929d03	Make scalar_multiply timing attack safe. This should make side-channel attacks much more difficult. However, 1. Timing of bn_inverse, which is used in point_add depends on input. 2. Timing of reading secp256k1_cp may depend on input due to cache. 3. The conditions in point_add are not timing attack safe. However point_add is always a straight addition, never double or some other special case. In the long run, I would like to use a specialized point_add using Jacobian representation plus a randomization when converting the first point to Jacobian representation. The Jacobian representation would also make the procedure a bit faster.	10 years ago
Jochen Hoenicke	ec057a5102	"More" constant time point multiplication About the same speed, about the same precomputation table requirements. Simpler code.	10 years ago

1 2 3

116 Commits (0b0f01fb59290fd6c2790fef0578d3257b64ea9d)