1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-28 09:08:07 +00:00
Commit Graph

10691 Commits

Author SHA1 Message Date
netanelkl
aeefea054a Added some private key nullification so that they won't be uncontrolled in the stack 2015-04-08 15:07:15 -04:00
slush0
4ffadc2216 trezorctl firmware_update: allow updating from URL, detects hex and converts to binary 2015-04-02 19:05:51 +02:00
Pavol Rusnak
0cc270e6df reorder Dockerfile 2015-04-02 17:47:28 +02:00
Pavol Rusnak
795f70075b make SignIdentity.challenge_hidden and SignIdentity.challenge_visual longer (256 bytes) 2015-04-02 17:20:39 +02:00
Pavol Rusnak
ba73f43f71 change "sign in" screen 2015-04-02 16:56:03 +02:00
Pavol Rusnak
00ccf6a8ce bump storage version 2015-04-01 19:43:36 +02:00
Pavol Rusnak
8b268692fe prepare 1.3.3 release 2015-04-01 17:17:37 +02:00
Pavol Rusnak
4cbf29505d don't clear PIN on Initialize 2015-03-31 16:31:29 +02:00
Pavol Rusnak
956546ae54 update trezor-crypto 2015-03-31 16:26:51 +02:00
Pavol Rusnak
b9d43f8aa8 Merge pull request #4 from runn1ng/patch-1
Adding hidraw for raw HID access
2015-03-30 21:34:35 +02:00
Karel Bílek
fb846f8144 Adding hidraw for raw HID access
This rule is for allowing Chrome's HID API to work with Trezor on Linux
2015-03-30 20:43:43 +02:00
Pavol Rusnak
a757693fe3 Merge pull request #26 from jhoenicke/bignum_improvements
Bignum improvements
2015-03-30 17:48:43 +02:00
Pavol Rusnak
196cabe012 import random_uniform and random_permute functions from TREZOR codebase 2015-03-30 17:45:34 +02:00
Pavol Rusnak
ad71a16e61 Merge pull request #28 from oleganza/master
Typo fix in RFC6979 implementation
2015-03-30 17:32:38 +02:00
Oleg Andreev
a5a4333a8e typo fix (no, this was not a bug) 2015-03-30 17:25:34 +02:00
Pavol Rusnak
aee35dc768 add pin_cached + passphrase_cached fields to Features message; add GetFeatures message 2015-03-30 15:47:03 +02:00
Pavol Rusnak
e96ec085d5 add pin_cached + passphrase_cached fields to Features message; add GetFeatures message 2015-03-30 15:38:11 +02:00
Pavol Rusnak
bda4267c38 clear session on Initialize message 2015-03-30 14:41:51 +02:00
Pavol Rusnak
7c6d2fe395 ask for PIN in GetAddress and GetPublicKey messages 2015-03-30 14:38:33 +02:00
Pavol Rusnak
f5fb0c364e Merge pull request #23 from ELM4Ever/master
Darkcoin to Dash re-branding
2015-03-29 22:53:27 +02:00
ELMr4Ever
e855946d1c Darkcoin to Dash re-branding 2015-03-28 21:12:01 -07:00
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
edf0fc4902 New fast variant of point_multiply.
Use a similar algorithm for `point_multiply` as for
`scalar_multiply` but with less precomputation.
Added double for points in Jacobian coordinates.
Simplified `point_jacobian_add` a little.
2015-03-21 21:10:08 +01:00
Pavol Rusnak
9761dd23e0 prepare 1.3.2 release 2015-03-21 10:44:30 +01:00
Pavol Rusnak
d4df66a8d0 Merge pull request #27 from jhoenicke/bip39fix
Off by one error in word length.
2015-03-21 10:33:06 +01:00
Jochen Hoenicke
1b42fde852 Off by one error in word length.
This could lead to a buffer overrun if the final 0 byte is
written to current_word[j] after the loop.

Also document the limit of passphrase in mnemonic_to_seed.
2015-03-20 21:46:32 +01:00
Pavol Rusnak
40e174ac87 bump storage version 2015-03-18 13:34:09 +01:00
Pavol Rusnak
137ae02853 fix typo 2015-03-18 10:49:52 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practise it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
2c38929d03 Make scalar_multiply timing attack safe.
This should make side-channel attacks much more difficult. However,

1. Timing of bn_inverse, which is used in point_add depends on input.
2. Timing of reading secp256k1_cp may depend on input due to cache.
3. The conditions in point_add are not timing attack safe.
   However point_add is always a straight addition, never double or some
   other special case.

In the long run, I would like to use a specialized point_add using Jacobian
representation plus a randomization when converting the first point to
Jacobian representation.  The Jacobian representation would also make
the procedure a bit faster.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
ec057a5102 "More" constant time point multiplication
About the same speed, about the same precomputation table requirements.
Simpler code.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
eb6e74f361 Improve speed of scalar_multiply.
We also allow for substracting values to be able to do 3 bits at a time.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd Added modulus to bn_subtractmod 2015-03-17 19:17:56 +01:00
Jochen Hoenicke
62b95ee414 Optimized conversion functions.
Also added a few more comments
2015-03-17 19:17:56 +01:00
Jochen Hoenicke
7d4cf5cedd Optimized the bn_inverse method.
The new method needs about 30 % less time for prime256k1 and is about
twice as fast for other moduli.  The base algorithm is the same.
The code is also a bit smaller and doesn't need the 8 kb precomputed
table.

Important canges:
1. even/odd distinction so that we need to test only one of the numbers
   for being even.  This also leads to less duplicated code.
2. Allow for shifting by 32 bits at a time in the even test.
3. Pack u,s and v,r into the same array, which saves a bit of stack memory.
4. Don't divide by two after subtraction; this simplifies code.
5. Abort as soon as u,v are equal, instead of subtracting them.
6. Use s instead of r after the loop; no negation needed.
7. New code that divides by 2^k fast without any precomputed values.
2015-03-17 19:17:47 +01:00
Pavol Rusnak
c47065fb11 Merge branch 'master' of github.com:trezor/python-trezor 2015-03-17 15:12:03 +01:00
Pavol Rusnak
95817eb5d3 adapt to SLIP-0013 2015-03-17 15:11:28 +01:00
Pavol Rusnak
f344ec9c9b actually is SLIP-0013 2015-03-17 15:02:07 +01:00
Pavol Rusnak
c286cd75f3 bn_substract_noprime -> bn_subtract 2015-03-17 14:23:58 +01:00
Pavol Rusnak
e37ba822e6 bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Pavol Rusnak
fb2a085fff update trezor-crypto 2015-03-12 16:14:11 +01:00
Pavol Rusnak
cb9ccc5cf4 remove all references to USE_PUBKEY_VALIDATE 2015-03-12 15:53:41 +01:00
Pavol Rusnak
dc31cc50d2 Merge pull request #25 from jhoenicke/comments
Added comments to the tricky algorithms.
2015-03-12 15:49:16 +01:00
Pavol Rusnak
38cfebdbfe Merge pull request #24 from jhoenicke/master
Always check for validity in ecdsa_read_pubkey.
2015-03-12 15:49:05 +01:00
Pavol Rusnak
1441dffe0e cmdtr -> trezorctl 2015-03-12 15:21:22 +01:00
Pavol Rusnak
98c4c788ce Merge pull request #18 from mackler/remove-sha384-initial-H
Remove unused static variable `sha384_initial_hash_value`.
2015-03-12 15:04:30 +01:00
Pavol Rusnak
ddef895647 Merge pull request #30 from ywecur/patch-1
Add ’git‘ to list of programs to install under Debian-Ubuntu
2015-03-09 14:25:04 +01:00
ywecur
33a913d951 Add ’git‘ to list of programs to install under Debian-Ubuntu 2015-03-09 13:12:11 +01:00
Jochen Hoenicke
7e98c02afd Added comments to the tricky algorithms.
Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod doesn't work for
an arbitrary modulus.  The modulus must be close to 2^256.
2015-03-09 12:06:46 +01:00
Jochen Hoenicke
e2dd0b8e8d Always check for validity in ecdsa_read_pubkey.
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in a ECDH
context (e.g. cryptoMessageEn/Decrypt).

Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.

To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
2015-03-08 21:09:21 +01:00