trezor-firmware

Commit Graph

Author	SHA1	Message	Date
Roman Zeyde	587d6a65ea	Update documentation regarding ECDSA curves support	9 years ago
Pavol Rusnak	f2ef64228a	Merge pull request #37 from jdb6167/master Fixed issues with Python files	9 years ago
Josh Billings	cb0b5169c5	whitespace	9 years ago
Josh Billings	d2120d6da1	two bugfixes: 1. nist256p1.c was not included in setup.py, causing import errors when using TrezorCrypto.so in Python. 2. if you attempted a hardened derivation in python using the compiled TrezorCrypto module, an IntegerOverflowError would occur because Python ints are always signed. one-line fix by changing int to unsigned int in the pyx file	9 years ago
Pavol Rusnak	71c24673ce	Merge branch 'ssh-agent' of git://github.com/romanz/trezor-crypto into romanz-ssh-agent Conflicts: ecdsa.c	9 years ago
Pavol Rusnak	36caf5b33a	Merge pull request #35 from romanz/master ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	36847ac0d7	ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	7c58fc11a4	Add support for NIST256P1 elliptic curve This enables SSH ECDSA public key authentication.	9 years ago
Pavol Rusnak	0983c6c456	Merge pull request #34 from JohnDvorak/patch-1 Change return value of ecdsa_sign_digest	9 years ago
John Dvorak	85cebfe968	Change return value of ecdsa_sign_digest Error codes were not being propagated, always returned as 0.	9 years ago
Pavol Rusnak	c58d4e03c5	add proof of concept bip39 bruteforce benchmark	9 years ago
Pavol Rusnak	00954da5fe	fix /dev/urandom problem	10 years ago
Pavol Rusnak	ffedf8a4d0	suppress warning when debug is disabled	10 years ago
Pavol Rusnak	21d0bb437a	cleanup coding style	10 years ago
Pavol Rusnak	6ec585fcee	Merge pull request #29 from netanelkl/master Code Security change	10 years ago
Pavol Rusnak	f1b8f55d92	use curly braces in if block	10 years ago
Pavol Rusnak	99f01a9391	Merge pull request #30 from jhoenicke/master Added more tests for new multiplications	10 years ago
Jochen Hoenicke	c90f79bce2	Added new tests for point multiplication	10 years ago
Jochen Hoenicke	e432d772c7	Program to precompute the table for scalar_mult This program pre-computes the table and prints then in the form that can be included in secp256k1.c	10 years ago
netanelkl	3fd32df8ed	More of the same.	10 years ago
netanelkl	70dc71c87e	Some more stack memory wipe before leaving functions. Note that I preferred to change the multiple returns to multiple checks of a boolean to concentrate the erase into the last part of the functions.	10 years ago
netanelkl	aeefea054a	Added some private key nullification so that they won't be uncontrolled in the stack	10 years ago
Pavol Rusnak	a757693fe3	Merge pull request #26 from jhoenicke/bignum_improvements Bignum improvements	10 years ago
Pavol Rusnak	196cabe012	import random_uniform and random_permute functions from TREZOR codebase	10 years ago
Pavol Rusnak	ad71a16e61	Merge pull request #28 from oleganza/master Typo fix in RFC6979 implementation	10 years ago
Oleg Andreev	a5a4333a8e	typo fix (no, this was not a bug)	10 years ago
Jochen Hoenicke	56f5777b68	Refactored code for point doubling. New function `bn_mult_3_2` that multiplies by 3/2. This function is used in point_double and point_jacobian_double. Cleaned up point_add and point_double, more comments.	10 years ago
Jochen Hoenicke	edf0fc4902	New fast variant of point_multiply. Use a similar algorithm for `point_multiply` as for `scalar_multiply` but with less precomputation. Added double for points in Jacobian coordinates. Simplified `point_jacobian_add` a little.	10 years ago
Pavol Rusnak	d4df66a8d0	Merge pull request #27 from jhoenicke/bip39fix Off by one error in word length.	10 years ago
Jochen Hoenicke	1b42fde852	Off by one error in word length. This could lead to a buffer overrun if the final 0 byte is written to current_word[j] after the loop. Also document the limit of passphrase in mnemonic_to_seed.	10 years ago
Jochen Hoenicke	1700caf2ad	scalar_mult based on Jacobian representation This version of scalar_mult should be faster and much better against side-channel attacks. Except bn_inverse and bn_mod all functions are constant time. bn_inverse is only used in the last step and its input is randomized. The function bn_mod is only taking extra time in 2^32/2^256 cases, so in practise it should not occur at all. The input to bn_mod is also depending on the random value. There is secret dependent array access in scalar_multiply, so cache may be an issue.	10 years ago
Jochen Hoenicke	2c38929d03	Make scalar_multiply timing attack safe. This should make side-channel attacks much more difficult. However, 1. Timing of bn_inverse, which is used in point_add depends on input. 2. Timing of reading secp256k1_cp may depend on input due to cache. 3. The conditions in point_add are not timing attack safe. However point_add is always a straight addition, never double or some other special case. In the long run, I would like to use a specialized point_add using Jacobian representation plus a randomization when converting the first point to Jacobian representation. The Jacobian representation would also make the procedure a bit faster.	10 years ago
Jochen Hoenicke	ec057a5102	"More" constant time point multiplication About the same speed, about the same precomputation table requirements. Simpler code.	10 years ago
Jochen Hoenicke	eb6e74f361	Improve speed of scalar_multiply. We also allow for substracting values to be able to do 3 bits at a time.	10 years ago
Jochen Hoenicke	d4788bddfd	Added modulus to bn_subtractmod	10 years ago
Jochen Hoenicke	62b95ee414	Optimized conversion functions. Also added a few more comments	10 years ago
Jochen Hoenicke	7d4cf5cedd	Optimized the bn_inverse method. The new method needs about 30 % less time for prime256k1 and is about twice as fast for other moduli. The base algorithm is the same. The code is also a bit smaller and doesn't need the 8 kb precomputed table. Important canges: 1. even/odd distinction so that we need to test only one of the numbers for being even. This also leads to less duplicated code. 2. Allow for shifting by 32 bits at a time in the even test. 3. Pack u,s and v,r into the same array, which saves a bit of stack memory. 4. Don't divide by two after subtraction; this simplifies code. 5. Abort as soon as u,v are equal, instead of subtracting them. 6. Use s instead of r after the loop; no negation needed. 7. New code that divides by 2^k fast without any precomputed values.	10 years ago
Pavol Rusnak	e37ba822e6	bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract remove dead code	10 years ago
Pavol Rusnak	cb9ccc5cf4	remove all references to USE_PUBKEY_VALIDATE	10 years ago
Pavol Rusnak	dc31cc50d2	Merge pull request #25 from jhoenicke/comments Added comments to the tricky algorithms.	10 years ago
Pavol Rusnak	38cfebdbfe	Merge pull request #24 from jhoenicke/master Always check for validity in ecdsa_read_pubkey.	10 years ago
Pavol Rusnak	98c4c788ce	Merge pull request #18 from mackler/remove-sha384-initial-H Remove unused static variable `sha384_initial_hash_value`.	10 years ago
Jochen Hoenicke	7e98c02afd	Added comments to the tricky algorithms. Added invariants for bn_multiply and bn_inverse. Explain that bn_multiply and bn_fast_mod doesn't work for an arbitrary modulus. The modulus must be close to 2^256.	10 years ago
Jochen Hoenicke	e2dd0b8e8d	Always check for validity in ecdsa_read_pubkey. An invalid point may crash the implementation or, worse, reveal information about the private key if used in a ECDH context (e.g. cryptoMessageEn/Decrypt). Therefore, check all user supplied points even if USE_PUBKEY_VALIDATE is not set. To improve speed, we don't check if the point lies in the main group, since the secp256k1 curve does not have any other subgroup.	10 years ago
Pavol Rusnak	92ab7504b2	add one more bip32_cache test	10 years ago
Pavol Rusnak	d814f58a3b	Merge pull request #22 from jhoenicke/master Make word list const	10 years ago
Jochen Hoenicke	7e7b40b434	Make word list const This makes the pointers to the words constant. It moves 8kb from ram to flash. It changes the return type of mnemonic_wordlist() to reflect this change. Everyone calling it should also change the type to `const char * const *`.	10 years ago
Pavol Rusnak	f4fe7c9aa5	Merge pull request #21 from jhoenicke/master Fix RFC6979 generation of k.	10 years ago
Jochen Hoenicke	ed9d8c1ebb	Fix RFC6979 generation of k. The standard says: step h: Set T to the empty sequence. while tlen < qlen V = HMAC_K(V) T = T \|\| V k = bits2int(T) in this case (HMAC-SHA256, qlen=256bit) this simplifies to V = HMAC_K(V) T = V k = bits2int(T) and T can be omitted. The old code (wrong) did: T = HMAC_K(V) k = bits2int(T) Note that V will only be used again if the first k is out of range. Thus, the old code produced the right result with a very high probability.	10 years ago
Pavol Rusnak	54aa5a4482	Merge pull request #20 from mackler/stddef-rand Add `stdlib.h` to header. Needed for `size_t`.	10 years ago

1 2 3 4 5 ...

271 Commits (86d6a0b782cc0d61eb37ead53e5aa37f8de7aa0e) All Branches Search

271 Commits (86d6a0b782cc0d61eb37ead53e5aa37f8de7aa0e)

All Branches