trezor-firmware

Commit Graph

Author	SHA1	Message	Date
Pavol Rusnak	430a5087c8	introduce MAX_ADDR_RAW_SIZE and MAX_WIF_RAW_SIZE macros	8 years ago
Pavol Rusnak	d10ec230c0	add support for multibyte address versions	8 years ago
Jochen Hoenicke	157caf3763	ecdsa: fix out-of-bounds read in point_multiply (#71 ) Fixes #70.	8 years ago
Jochen Hoenicke	133c068f37	Reworked rfc6979 signing. (#72 ) This adds an is_canonic parameter to all sign functions. This is a callback that determines if a signature corresponds to some coin specific rules. It is used, e. g., by ethereum (where the recovery byte must be 0 or 1, and not 2 or 3) and or steem signatures (which require both r and s to be between 2^248 and 2^255). This also separates the initialization and the step function of the random number generator, making it easy to restart the signature process with the next random number.	8 years ago
Jochen Hoenicke	f4ed55377d	Moved get_ethereum_address from ecdsa to bip32 The new name of the function is `hdnode_get_ethereum_address` and it gets a hdnode as input as opposed to a public key. This also avoids first computing the compressed public key and then uncompressing it. Test cases were adapted to work with new function. The test-vectors are the same as for bip32 and independently checked with an adhoc python implementation.	8 years ago
Alex Beregszaszi	4e7da75c6e	Rewrite ecdsa_uncompress_pubkey() using ecdsa_read_pubkey()	8 years ago
Alex Beregszaszi	1b8e3d557f	Implement ecdsa_get_ethereum_pubkeyhash()	8 years ago
Alex Beregszaszi	7d68a6ee17	Add ecdsa_uncompress_pubkey() Code based on @Arachnid's PR, but has more strict checks	8 years ago
Pavol Rusnak	110965f31d	further optimize emscripten	8 years ago
Jochen Hoenicke	7b07dff25c	Added Unit test, fixed one corner case.	8 years ago
Jochen Hoenicke	409783ba64	New function ecdsa_verify_recover Moved the code from Trezor firmware to here for recovering the public key when verifying a bitcoin message. Fixed the signing and verification for the unlikely case the r value overflows.	8 years ago
Jochen Hoenicke	698f40f385	BIP-32 without gaps, prepare non-ecdsa curves * Split ecdsa_curve into curve_info and ecdsa_curve to support bip32 on curves that don't have a ecdsa_curve. * Don't fail in key derivation but retry with a new hash. * Adapted test case accordingly	8 years ago
Jochen Hoenicke	533c3beb63	Fixed uncompress_coords for NIST curve The bn_sqrti was broken. It didn't handle primes where all bits are set in the lowest limb.	8 years ago
Jochen Hoenicke	0bc1b70c4a	Use different seed modifier for different curves	8 years ago
Jochen Hoenicke	472b90d8ed	Added myself to copyright lines.	9 years ago
Jochen Hoenicke	774ac9cb22	Simplified test for doubling in point_jacobian_add	9 years ago
Jochen Hoenicke	f93b003cbc	Extended comments, new function bn_add, a bug fix. Describe normalized, partly reduced and reduced numbers. Comment which function expects which kind of input. Removed unused bn_bitlen. Add bn_add that does not reduce. Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal. Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.	9 years ago
Jochen Hoenicke	f2081d88d8	New jacobian_add that handles doubling. Fix bug where jacobian_add is called with two identical points.	9 years ago
Jochen Hoenicke	60e36dac3b	Fixed conditional_negate for larger numbers Without the bn_mod the numbers get larger (but still < 2*prime), so conditional_negate should handle this.	9 years ago
Jochen Hoenicke	6ba4d288b0	Cleaned up bignum code 1. Fixed bn_multiply_step to handle small primes. 2. Removed many calls to bn_mod to prevent side-channel leakage.	9 years ago
Pavol Rusnak	d659fd49a5	return back normalization of signatures	9 years ago
Pavol Rusnak	71c24673ce	Merge branch 'ssh-agent' of git://github.com/romanz/trezor-crypto into romanz-ssh-agent Conflicts: ecdsa.c	9 years ago
Pavol Rusnak	36caf5b33a	Merge pull request #35 from romanz/master ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	36847ac0d7	ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	7c58fc11a4	Add support for NIST256P1 elliptic curve This enables SSH ECDSA public key authentication.	9 years ago
John Dvorak	85cebfe968	Change return value of ecdsa_sign_digest Error codes were not being propagated, always returned as 0.	9 years ago
Pavol Rusnak	21d0bb437a	cleanup coding style	9 years ago
netanelkl	3fd32df8ed	More of the same.	9 years ago
Pavol Rusnak	a757693fe3	Merge pull request #26 from jhoenicke/bignum_improvements Bignum improvements	9 years ago
Oleg Andreev	a5a4333a8e	typo fix (no, this was not a bug)	9 years ago
Jochen Hoenicke	56f5777b68	Refactored code for point doubling. New function `bn_mult_3_2` that multiplies by 3/2. This function is used in point_double and point_jacobian_double. Cleaned up point_add and point_double, more comments.	9 years ago
Jochen Hoenicke	edf0fc4902	New fast variant of point_multiply. Use a similar algorithm for `point_multiply` as for `scalar_multiply` but with less precomputation. Added double for points in Jacobian coordinates. Simplified `point_jacobian_add` a little.	9 years ago
Jochen Hoenicke	1700caf2ad	scalar_mult based on Jacobian representation This version of scalar_mult should be faster and much better against side-channel attacks. Except bn_inverse and bn_mod all functions are constant time. bn_inverse is only used in the last step and its input is randomized. The function bn_mod is only taking extra time in 2^32/2^256 cases, so in practise it should not occur at all. The input to bn_mod is also depending on the random value. There is secret dependent array access in scalar_multiply, so cache may be an issue.	9 years ago
Jochen Hoenicke	2c38929d03	Make scalar_multiply timing attack safe. This should make side-channel attacks much more difficult. However, 1. Timing of bn_inverse, which is used in point_add depends on input. 2. Timing of reading secp256k1_cp may depend on input due to cache. 3. The conditions in point_add are not timing attack safe. However point_add is always a straight addition, never double or some other special case. In the long run, I would like to use a specialized point_add using Jacobian representation plus a randomization when converting the first point to Jacobian representation. The Jacobian representation would also make the procedure a bit faster.	9 years ago
Jochen Hoenicke	ec057a5102	"More" constant time point multiplication About the same speed, about the same precomputation table requirements. Simpler code.	9 years ago
Jochen Hoenicke	eb6e74f361	Improve speed of scalar_multiply. We also allow for substracting values to be able to do 3 bits at a time.	9 years ago
Jochen Hoenicke	d4788bddfd	Added modulus to bn_subtractmod	9 years ago
Pavol Rusnak	e37ba822e6	bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract remove dead code	9 years ago
Jochen Hoenicke	e2dd0b8e8d	Always check for validity in ecdsa_read_pubkey. An invalid point may crash the implementation or, worse, reveal information about the private key if used in a ECDH context (e.g. cryptoMessageEn/Decrypt). Therefore, check all user supplied points even if USE_PUBKEY_VALIDATE is not set. To improve speed, we don't check if the point lies in the main group, since the secp256k1 curve does not have any other subgroup.	9 years ago
Jochen Hoenicke	ed9d8c1ebb	Fix RFC6979 generation of k. The standard says: step h: Set T to the empty sequence. while tlen < qlen V = HMAC_K(V) T = T \|\| V k = bits2int(T) in this case (HMAC-SHA256, qlen=256bit) this simplifies to V = HMAC_K(V) T = V k = bits2int(T) and T can be omitted. The old code (wrong) did: T = HMAC_K(V) k = bits2int(T) Note that V will only be used again if the first k is out of range. Thus, the old code produced the right result with a very high probability.	10 years ago
Pavol Rusnak	795579cbac	invert pby when normalizing S during signing	10 years ago
Pavol Rusnak	89a7d7797b	replace base58 implementation	10 years ago
Pavol Rusnak	b4cdba8489	export pby from ecdsa_sign functions	10 years ago
Pavol Rusnak	9469a64a0a	use bn_is_zero and bn_is_equal where possible	10 years ago
Pavol Rusnak	df3606dd5e	introduce ecdsa_get_address_raw	10 years ago
Pavol Rusnak	0fe1857513	normalize y^2 in pubkey validation fix last commit	10 years ago
Pavol Rusnak	b9d5896174	make pubkey validation optional, extract options to separate header	10 years ago
Ondrej Mikle	b34516bc49	Removed unnessary point copy.	10 years ago
Ondrej Mikle	03fee34550	Validating of public key curve point.	10 years ago
Ondrej Mikle	7fd81a1e0c	Removed superfluous bn_mod, it's done now in point_add and point_double.	10 years ago

1 2 3

101 Commits (430a5087c8b71791d10d24e0141185a627c88748)