1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-29 09:38:08 +00:00
Commit Graph

9070 Commits

Author SHA1 Message Date
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
edf0fc4902 New fast variant of point_multiply.
Use a similar algorithm for `point_multiply` as for
`scalar_multiply` but with less precomputation.
Added double for points in Jacobian coordinates.
Simplified `point_jacobian_add` a little.
2015-03-21 21:10:08 +01:00
Pavol Rusnak
9761dd23e0 prepare 1.3.2 release 2015-03-21 10:44:30 +01:00
Pavol Rusnak
d4df66a8d0 Merge pull request #27 from jhoenicke/bip39fix
Off by one error in word length.
2015-03-21 10:33:06 +01:00
Jochen Hoenicke
1b42fde852 Off by one error in word length.
This could lead to a buffer overrun if the final 0 byte is
written to current_word[j] after the loop.

Also document the limit of passphrase in mnemonic_to_seed.
2015-03-20 21:46:32 +01:00
Pavol Rusnak
40e174ac87 bump storage version 2015-03-18 13:34:09 +01:00
Pavol Rusnak
137ae02853 fix typo 2015-03-18 10:49:52 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practise it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
2c38929d03 Make scalar_multiply timing attack safe.
This should make side-channel attacks much more difficult. However,

1. Timing of bn_inverse, which is used in point_add depends on input.
2. Timing of reading secp256k1_cp may depend on input due to cache.
3. The conditions in point_add are not timing attack safe.
   However point_add is always a straight addition, never double or some
   other special case.

In the long run, I would like to use a specialized point_add using Jacobian
representation plus a randomization when converting the first point to
Jacobian representation.  The Jacobian representation would also make
the procedure a bit faster.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
ec057a5102 "More" constant time point multiplication
About the same speed, about the same precomputation table requirements.
Simpler code.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
eb6e74f361 Improve speed of scalar_multiply.
We also allow for substracting values to be able to do 3 bits at a time.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd Added modulus to bn_subtractmod 2015-03-17 19:17:56 +01:00
Jochen Hoenicke
62b95ee414 Optimized conversion functions.
Also added a few more comments
2015-03-17 19:17:56 +01:00
Jochen Hoenicke
7d4cf5cedd Optimized the bn_inverse method.
The new method needs about 30 % less time for prime256k1 and is about
twice as fast for other moduli.  The base algorithm is the same.
The code is also a bit smaller and doesn't need the 8 kb precomputed
table.

Important canges:
1. even/odd distinction so that we need to test only one of the numbers
   for being even.  This also leads to less duplicated code.
2. Allow for shifting by 32 bits at a time in the even test.
3. Pack u,s and v,r into the same array, which saves a bit of stack memory.
4. Don't divide by two after subtraction; this simplifies code.
5. Abort as soon as u,v are equal, instead of subtracting them.
6. Use s instead of r after the loop; no negation needed.
7. New code that divides by 2^k fast without any precomputed values.
2015-03-17 19:17:47 +01:00
Pavol Rusnak
c47065fb11 Merge branch 'master' of github.com:trezor/python-trezor 2015-03-17 15:12:03 +01:00
Pavol Rusnak
95817eb5d3 adapt to SLIP-0013 2015-03-17 15:11:28 +01:00
Pavol Rusnak
f344ec9c9b actually is SLIP-0013 2015-03-17 15:02:07 +01:00
Pavol Rusnak
c286cd75f3 bn_substract_noprime -> bn_subtract 2015-03-17 14:23:58 +01:00
Pavol Rusnak
e37ba822e6 bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Pavol Rusnak
fb2a085fff update trezor-crypto 2015-03-12 16:14:11 +01:00
Pavol Rusnak
cb9ccc5cf4 remove all references to USE_PUBKEY_VALIDATE 2015-03-12 15:53:41 +01:00
Pavol Rusnak
dc31cc50d2 Merge pull request #25 from jhoenicke/comments
Added comments to the tricky algorithms.
2015-03-12 15:49:16 +01:00
Pavol Rusnak
38cfebdbfe Merge pull request #24 from jhoenicke/master
Always check for validity in ecdsa_read_pubkey.
2015-03-12 15:49:05 +01:00
Pavol Rusnak
1441dffe0e cmdtr -> trezorctl 2015-03-12 15:21:22 +01:00
Pavol Rusnak
98c4c788ce Merge pull request #18 from mackler/remove-sha384-initial-H
Remove unused static variable `sha384_initial_hash_value`.
2015-03-12 15:04:30 +01:00
Pavol Rusnak
ddef895647 Merge pull request #30 from ywecur/patch-1
Add ’git‘ to list of programs to install under Debian-Ubuntu
2015-03-09 14:25:04 +01:00
ywecur
33a913d951 Add ’git‘ to list of programs to install under Debian-Ubuntu 2015-03-09 13:12:11 +01:00
Jochen Hoenicke
7e98c02afd Added comments to the tricky algorithms.
Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod doesn't work for
an arbitrary modulus.  The modulus must be close to 2^256.
2015-03-09 12:06:46 +01:00
Jochen Hoenicke
e2dd0b8e8d Always check for validity in ecdsa_read_pubkey.
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in a ECDH
context (e.g. cryptoMessageEn/Decrypt).

Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.

To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
2015-03-08 21:09:21 +01:00
Pavol Rusnak
66cf46d7c5 Merge pull request #29 from jhoenicke/master
Verify the localback.net certificate
2015-03-05 11:36:52 +01:00
Jochen Hoenicke
6f59de799a Verify the localback.net certificate 2015-03-05 11:15:53 +01:00
Pavol Rusnak
690702063c Merge pull request #28 from jhoenicke/master
Use right URL for bridge and keep-alive connection
2015-03-05 11:08:13 +01:00
Jochen Hoenicke
9107aab76a Use right URL for bridge and keep-alive connection
The bridge is using https with a certificate signed for localback.net.

Use a session object (self.conn) to keep connection alive and
prevent costly ssl handshakes for every call.
2015-03-05 11:00:18 +01:00
Pavol Rusnak
2451936f0e add posibility to override tag to be built in firmware-docker-build, make master as default 2015-03-04 18:12:33 +01:00
Pavol Rusnak
92ab7504b2 add one more bip32_cache test 2015-03-04 15:43:14 +01:00
Pavol Rusnak
e523d34596 Merge pull request #27 from nelisky/insight_tx-fixes
Insight tx fixes
2015-03-04 02:59:37 +01:00
nelisky
f3b7629a4f Prevent floating point issues when pushing output amount 2015-03-03 23:37:32 +00:00
nelisky
e4429242aa Allow insight_tx to be passed a dict object instead of an url 2015-03-03 23:36:51 +00:00
Pavol Rusnak
0ee02eb09a revert non-swiping dialogs 2015-03-03 18:35:04 +01:00
Pavol Rusnak
24660f3e2c fix port in signidentity dialog 2015-03-03 17:42:25 +01:00
Pavol Rusnak
65d734df58 add Darkcoin 2015-03-03 02:09:15 +01:00
Pavol Rusnak
d1c62659f7 make signidentity dialog nicer 2015-03-02 21:33:06 +01:00
Pavol Rusnak
1272046375 login -> sign in 2015-03-02 19:58:33 +01:00
Pavol Rusnak
6eb2933bfe rework signer to consume secexp format as well 2015-03-02 19:16:45 +01:00
Pavol Rusnak
6dd6deb2ad fix tabs/spaces 2015-03-02 19:08:46 +01:00
Pavol Rusnak
d3ccdb56bd Merge pull request #3 from Flavien/master
Add Coinprism to the URL whitelist
2015-03-02 19:07:20 +01:00
Flavien Charlon
19a807edda Add Coinprism to the URL whitelist 2015-03-02 17:48:30 +00:00
Pavol Rusnak
f74d31788c old PIN -> current PIN 2015-02-28 14:06:23 +01:00
Pavol Rusnak
402886e00d Merge pull request #16 from jhoenicke/master
PIN handling - constant time.
2015-02-26 11:38:53 +01:00
Pavol Rusnak
82308d8a38 make wording more verbose (in SignIdentity) 2015-02-25 20:26:21 +01:00