1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-01-01 11:01:00 +00:00
Commit Graph

311 Commits

Author SHA1 Message Date
Pavol Rusnak
c58d4e03c5 add proof of concept bip39 bruteforce benchmark 2015-05-11 14:24:45 +02:00
Pavol Rusnak
00954da5fe fix /dev/urandom problem 2015-05-04 19:53:06 +02:00
Pavol Rusnak
ffedf8a4d0 suppress warning when debug is disabled 2015-05-04 19:40:15 +02:00
Pavol Rusnak
21d0bb437a cleanup coding style 2015-04-13 18:19:33 +02:00
Pavol Rusnak
6ec585fcee Merge pull request #29 from netanelkl/master
Code Security change
2015-04-13 17:56:32 +02:00
Pavol Rusnak
f1b8f55d92 use curly braces in if block 2015-04-11 20:01:45 +02:00
Pavol Rusnak
99f01a9391 Merge pull request #30 from jhoenicke/master
Added more tests for new multiplications
2015-04-11 19:59:31 +02:00
Jochen Hoenicke
c90f79bce2 Added new tests for point multiplication 2015-04-11 13:12:03 +02:00
Jochen Hoenicke
e432d772c7 Program to precompute the table for scalar_mult
This program pre-computes the table and prints then in the form
that can be included in secp256k1.c
2015-04-11 13:12:03 +02:00
netanelkl
3fd32df8ed More of the same. 2015-04-09 15:05:28 -04:00
netanelkl
70dc71c87e Some more stack memory wipe before leaving functions.
Note that I preferred to change the multiple returns to multiple checks
of a boolean to concentrate the erase into the last part of the
functions.
2015-04-09 14:17:47 -04:00
netanelkl
aeefea054a Added some private key nullification so that they won't be uncontrolled in the stack 2015-04-08 15:07:15 -04:00
Pavol Rusnak
a757693fe3 Merge pull request #26 from jhoenicke/bignum_improvements
Bignum improvements
2015-03-30 17:48:43 +02:00
Pavol Rusnak
196cabe012 import random_uniform and random_permute functions from TREZOR codebase 2015-03-30 17:45:34 +02:00
Pavol Rusnak
ad71a16e61 Merge pull request #28 from oleganza/master
Typo fix in RFC6979 implementation
2015-03-30 17:32:38 +02:00
Oleg Andreev
a5a4333a8e typo fix (no, this was not a bug) 2015-03-30 17:25:34 +02:00
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
edf0fc4902 New fast variant of point_multiply.
Use a similar algorithm for `point_multiply` as for
`scalar_multiply` but with less precomputation.
Added double for points in Jacobian coordinates.
Simplified `point_jacobian_add` a little.
2015-03-21 21:10:08 +01:00
Pavol Rusnak
d4df66a8d0 Merge pull request #27 from jhoenicke/bip39fix
Off by one error in word length.
2015-03-21 10:33:06 +01:00
Jochen Hoenicke
1b42fde852 Off by one error in word length.
This could lead to a buffer overrun if the final 0 byte is
written to current_word[j] after the loop.

Also document the limit of passphrase in mnemonic_to_seed.
2015-03-20 21:46:32 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practise it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
2c38929d03 Make scalar_multiply timing attack safe.
This should make side-channel attacks much more difficult. However,

1. Timing of bn_inverse, which is used in point_add depends on input.
2. Timing of reading secp256k1_cp may depend on input due to cache.
3. The conditions in point_add are not timing attack safe.
   However point_add is always a straight addition, never double or some
   other special case.

In the long run, I would like to use a specialized point_add using Jacobian
representation plus a randomization when converting the first point to
Jacobian representation.  The Jacobian representation would also make
the procedure a bit faster.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
ec057a5102 "More" constant time point multiplication
About the same speed, about the same precomputation table requirements.
Simpler code.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
eb6e74f361 Improve speed of scalar_multiply.
We also allow for substracting values to be able to do 3 bits at a time.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd Added modulus to bn_subtractmod 2015-03-17 19:17:56 +01:00
Jochen Hoenicke
62b95ee414 Optimized conversion functions.
Also added a few more comments
2015-03-17 19:17:56 +01:00
Jochen Hoenicke
7d4cf5cedd Optimized the bn_inverse method.
The new method needs about 30 % less time for prime256k1 and is about
twice as fast for other moduli.  The base algorithm is the same.
The code is also a bit smaller and doesn't need the 8 kb precomputed
table.

Important canges:
1. even/odd distinction so that we need to test only one of the numbers
   for being even.  This also leads to less duplicated code.
2. Allow for shifting by 32 bits at a time in the even test.
3. Pack u,s and v,r into the same array, which saves a bit of stack memory.
4. Don't divide by two after subtraction; this simplifies code.
5. Abort as soon as u,v are equal, instead of subtracting them.
6. Use s instead of r after the loop; no negation needed.
7. New code that divides by 2^k fast without any precomputed values.
2015-03-17 19:17:47 +01:00
Pavol Rusnak
e37ba822e6 bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Pavol Rusnak
cb9ccc5cf4 remove all references to USE_PUBKEY_VALIDATE 2015-03-12 15:53:41 +01:00
Pavol Rusnak
dc31cc50d2 Merge pull request #25 from jhoenicke/comments
Added comments to the tricky algorithms.
2015-03-12 15:49:16 +01:00
Pavol Rusnak
38cfebdbfe Merge pull request #24 from jhoenicke/master
Always check for validity in ecdsa_read_pubkey.
2015-03-12 15:49:05 +01:00
Pavol Rusnak
98c4c788ce Merge pull request #18 from mackler/remove-sha384-initial-H
Remove unused static variable `sha384_initial_hash_value`.
2015-03-12 15:04:30 +01:00
Jochen Hoenicke
7e98c02afd Added comments to the tricky algorithms.
Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod doesn't work for
an arbitrary modulus.  The modulus must be close to 2^256.
2015-03-09 12:06:46 +01:00
Jochen Hoenicke
e2dd0b8e8d Always check for validity in ecdsa_read_pubkey.
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in a ECDH
context (e.g. cryptoMessageEn/Decrypt).

Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.

To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
2015-03-08 21:09:21 +01:00
Pavol Rusnak
92ab7504b2 add one more bip32_cache test 2015-03-04 15:43:14 +01:00
Pavol Rusnak
d814f58a3b Merge pull request #22 from jhoenicke/master
Make word list const
2015-02-14 12:38:36 +01:00
Jochen Hoenicke
7e7b40b434 Make word list const
This makes the pointers to the words constant.  It moves 8kb from ram
to flash.  It changes the return type of mnemonic_wordlist() to reflect
this change.  Everyone calling it should also change the type to
`const char * const *`.
2015-02-14 12:00:44 +01:00
Pavol Rusnak
f4fe7c9aa5 Merge pull request #21 from jhoenicke/master
Fix RFC6979 generation of k.
2015-02-11 16:42:32 +01:00
Jochen Hoenicke
ed9d8c1ebb Fix RFC6979 generation of k.
The standard says:
step h:
  Set T to the empty sequence.
  while tlen < qlen
    V = HMAC_K(V)
    T = T || V
  k = bits2int(T)

in this case (HMAC-SHA256, qlen=256bit) this simplifies to
  V = HMAC_K(V)
  T = V
  k = bits2int(T)
and T can be omitted.

The old code (wrong) did:
  T = HMAC_K(V)
  k = bits2int(T)
Note that V will only be used again if the first k is out of range.
Thus, the old code produced the right result with a very high probability.
2015-01-30 22:34:37 +01:00
Pavol Rusnak
54aa5a4482 Merge pull request #20 from mackler/stddef-rand
Add `stdlib.h` to header.  Needed for `size_t`.
2015-01-28 09:47:21 +01:00
Adam Mackler
82ea549661 Add stdlib.h to header. Needed for size_t. 2015-01-27 21:44:48 -05:00
Adam Mackler
cb6f976b0d Remove unused static variable sha384_initial_hash_value. 2015-01-27 19:22:42 -05:00
Pavol Rusnak
aa1833ba3f add stdlib to header 2015-01-26 19:12:22 +01:00
Pavol Rusnak
f4e6010e18 implement BIP32 cache 2015-01-26 19:10:19 +01:00
Pavol Rusnak
40b023b1f4 Merge pull request #17 from dllaurence/embedded_header
Remove now-redundant embedded header
2015-01-26 00:29:30 +01:00
Dustin Laurence
1c672dca2b Remove now-redundant embedded header 2015-01-25 08:49:52 -08:00
Pavol Rusnak
5ce27a1e1a Merge pull request #16 from dllaurence/prototypes
Prototypes
2015-01-24 20:33:23 +01:00
Dustin Laurence
a16992a893 Add stdbool.h 2015-01-23 12:12:40 -08:00
Dustin Laurence
8ce1f34233 Add prototypes for private functions 2015-01-23 12:12:40 -08:00
Pavol Rusnak
d57d030362 Merge pull request #15 from dllaurence/finalize_rand
Finalize all open file descriptors
2015-01-23 19:11:19 +01:00