Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod doesn't work for
an arbitrary modulus. The modulus must be close to 2^256.
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in a ECDH
context (e.g. cryptoMessageEn/Decrypt).
Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.
To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
The bridge is using https with a certificate signed for localback.net.
Use a session object (self.conn) to keep connection alive and
prevent costly ssl handshakes for every call.
Most time in signing transaction on the Trezor side is spent
in layoutProgress. This patch reduces the calls to this functions.
We also compute the progress differently, reserving 50 % for downloading
input transactions and 50 % for the signing process. This gives a
smoother experience if the input transactions are large.
This diff contains three changes.
1. Make timing isPinCorrect independent of storage.pin, to avoid timing attacks
2. Only update failed PIN counter if the user entered a PIN.
Of course, the fail counter is still incremented, before the PIN is checked.
3. Don't cache the PIN, but just the fact that the PIN was entered. The
cache should be in sync with storage.pin in any case.
This makes the pointers to the words constant. It moves 8kb from ram
to flash. It changes the return type of mnemonic_wordlist() to reflect
this change. Everyone calling it should also change the type to
`const char * const *`.
The trezor-crypto has some assertions, which are enabled unless
compiled with -DNDEBUG. This does not make much sense for the Trezor
as could not write the assertion errors to stderr anyway.
This simple patch removes the dependency to assert, printf, etc. It
saves about 11kb flash and 2.2kb ram.