trezor-firmware

Commit Graph

Author	SHA1	Message	Date
Pavol Rusnak	21d0bb437a	cleanup coding style	10 years ago
Pavol Rusnak	6ec585fcee	Merge pull request #29 from netanelkl/master Code Security change	10 years ago
Pavol Rusnak	f1b8f55d92	use curly braces in if block	10 years ago
Pavol Rusnak	99f01a9391	Merge pull request #30 from jhoenicke/master Added more tests for new multiplications	10 years ago
Jochen Hoenicke	c90f79bce2	Added new tests for point multiplication	10 years ago
Jochen Hoenicke	e432d772c7	Program to precompute the table for scalar_mult This program pre-computes the table and prints then in the form that can be included in secp256k1.c	10 years ago
netanelkl	3fd32df8ed	More of the same.	10 years ago
netanelkl	70dc71c87e	Some more stack memory wipe before leaving functions. Note that I preferred to change the multiple returns to multiple checks of a boolean to concentrate the erase into the last part of the functions.	10 years ago
netanelkl	aeefea054a	Added some private key nullification so that they won't be uncontrolled in the stack	10 years ago
Pavol Rusnak	a757693fe3	Merge pull request #26 from jhoenicke/bignum_improvements Bignum improvements	10 years ago
Pavol Rusnak	196cabe012	import random_uniform and random_permute functions from TREZOR codebase	10 years ago
Pavol Rusnak	ad71a16e61	Merge pull request #28 from oleganza/master Typo fix in RFC6979 implementation	10 years ago
Oleg Andreev	a5a4333a8e	typo fix (no, this was not a bug)	10 years ago
Jochen Hoenicke	56f5777b68	Refactored code for point doubling. New function `bn_mult_3_2` that multiplies by 3/2. This function is used in point_double and point_jacobian_double. Cleaned up point_add and point_double, more comments.	10 years ago
Jochen Hoenicke	edf0fc4902	New fast variant of point_multiply. Use a similar algorithm for `point_multiply` as for `scalar_multiply` but with less precomputation. Added double for points in Jacobian coordinates. Simplified `point_jacobian_add` a little.	10 years ago
Pavol Rusnak	d4df66a8d0	Merge pull request #27 from jhoenicke/bip39fix Off by one error in word length.	10 years ago
Jochen Hoenicke	1b42fde852	Off by one error in word length. This could lead to a buffer overrun if the final 0 byte is written to current_word[j] after the loop. Also document the limit of passphrase in mnemonic_to_seed.	10 years ago
Jochen Hoenicke	1700caf2ad	scalar_mult based on Jacobian representation This version of scalar_mult should be faster and much better against side-channel attacks. Except bn_inverse and bn_mod all functions are constant time. bn_inverse is only used in the last step and its input is randomized. The function bn_mod is only taking extra time in 2^32/2^256 cases, so in practise it should not occur at all. The input to bn_mod is also depending on the random value. There is secret dependent array access in scalar_multiply, so cache may be an issue.	10 years ago
Jochen Hoenicke	2c38929d03	Make scalar_multiply timing attack safe. This should make side-channel attacks much more difficult. However, 1. Timing of bn_inverse, which is used in point_add depends on input. 2. Timing of reading secp256k1_cp may depend on input due to cache. 3. The conditions in point_add are not timing attack safe. However point_add is always a straight addition, never double or some other special case. In the long run, I would like to use a specialized point_add using Jacobian representation plus a randomization when converting the first point to Jacobian representation. The Jacobian representation would also make the procedure a bit faster.	10 years ago
Jochen Hoenicke	ec057a5102	"More" constant time point multiplication About the same speed, about the same precomputation table requirements. Simpler code.	10 years ago
Jochen Hoenicke	eb6e74f361	Improve speed of scalar_multiply. We also allow for substracting values to be able to do 3 bits at a time.	10 years ago
Jochen Hoenicke	d4788bddfd	Added modulus to bn_subtractmod	10 years ago
Jochen Hoenicke	62b95ee414	Optimized conversion functions. Also added a few more comments	10 years ago
Jochen Hoenicke	7d4cf5cedd	Optimized the bn_inverse method. The new method needs about 30 % less time for prime256k1 and is about twice as fast for other moduli. The base algorithm is the same. The code is also a bit smaller and doesn't need the 8 kb precomputed table. Important canges: 1. even/odd distinction so that we need to test only one of the numbers for being even. This also leads to less duplicated code. 2. Allow for shifting by 32 bits at a time in the even test. 3. Pack u,s and v,r into the same array, which saves a bit of stack memory. 4. Don't divide by two after subtraction; this simplifies code. 5. Abort as soon as u,v are equal, instead of subtracting them. 6. Use s instead of r after the loop; no negation needed. 7. New code that divides by 2^k fast without any precomputed values.	10 years ago
Pavol Rusnak	e37ba822e6	bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract remove dead code	10 years ago
Pavol Rusnak	cb9ccc5cf4	remove all references to USE_PUBKEY_VALIDATE	10 years ago
Pavol Rusnak	dc31cc50d2	Merge pull request #25 from jhoenicke/comments Added comments to the tricky algorithms.	10 years ago
Pavol Rusnak	38cfebdbfe	Merge pull request #24 from jhoenicke/master Always check for validity in ecdsa_read_pubkey.	10 years ago
Pavol Rusnak	98c4c788ce	Merge pull request #18 from mackler/remove-sha384-initial-H Remove unused static variable `sha384_initial_hash_value`.	10 years ago
Jochen Hoenicke	7e98c02afd	Added comments to the tricky algorithms. Added invariants for bn_multiply and bn_inverse. Explain that bn_multiply and bn_fast_mod doesn't work for an arbitrary modulus. The modulus must be close to 2^256.	10 years ago
Jochen Hoenicke	e2dd0b8e8d	Always check for validity in ecdsa_read_pubkey. An invalid point may crash the implementation or, worse, reveal information about the private key if used in a ECDH context (e.g. cryptoMessageEn/Decrypt). Therefore, check all user supplied points even if USE_PUBKEY_VALIDATE is not set. To improve speed, we don't check if the point lies in the main group, since the secp256k1 curve does not have any other subgroup.	10 years ago
Pavol Rusnak	92ab7504b2	add one more bip32_cache test	10 years ago
Pavol Rusnak	d814f58a3b	Merge pull request #22 from jhoenicke/master Make word list const	10 years ago
Jochen Hoenicke	7e7b40b434	Make word list const This makes the pointers to the words constant. It moves 8kb from ram to flash. It changes the return type of mnemonic_wordlist() to reflect this change. Everyone calling it should also change the type to `const char * const *`.	10 years ago
Pavol Rusnak	f4fe7c9aa5	Merge pull request #21 from jhoenicke/master Fix RFC6979 generation of k.	10 years ago
Jochen Hoenicke	ed9d8c1ebb	Fix RFC6979 generation of k. The standard says: step h: Set T to the empty sequence. while tlen < qlen V = HMAC_K(V) T = T \|\| V k = bits2int(T) in this case (HMAC-SHA256, qlen=256bit) this simplifies to V = HMAC_K(V) T = V k = bits2int(T) and T can be omitted. The old code (wrong) did: T = HMAC_K(V) k = bits2int(T) Note that V will only be used again if the first k is out of range. Thus, the old code produced the right result with a very high probability.	10 years ago
Pavol Rusnak	54aa5a4482	Merge pull request #20 from mackler/stddef-rand Add `stdlib.h` to header. Needed for `size_t`.	10 years ago
Adam Mackler	82ea549661	Add `stdlib.h` to header. Needed for `size_t`.	10 years ago
Adam Mackler	cb6f976b0d	Remove unused static variable sha384_initial_hash_value.	10 years ago
Pavol Rusnak	aa1833ba3f	add stdlib to header	10 years ago
Pavol Rusnak	f4e6010e18	implement BIP32 cache	10 years ago
Pavol Rusnak	40b023b1f4	Merge pull request #17 from dllaurence/embedded_header Remove now-redundant embedded header	10 years ago
Dustin Laurence	1c672dca2b	Remove now-redundant embedded header	10 years ago
Pavol Rusnak	5ce27a1e1a	Merge pull request #16 from dllaurence/prototypes Prototypes	10 years ago
Dustin Laurence	a16992a893	Add stdbool.h	10 years ago
Dustin Laurence	8ce1f34233	Add prototypes for private functions	10 years ago
Pavol Rusnak	d57d030362	Merge pull request #15 from dllaurence/finalize_rand Finalize all open file descriptors	10 years ago
Dustin Laurence	ce67a85d39	Add finalize_rand() to prove we have no leaks	10 years ago
Dustin Laurence	661751ab4b	Add finalize_rand()	10 years ago
Pavol Rusnak	fb747384a0	prepare cython-TrezorCrypto for pip release	10 years ago

... 4 5 6 7 8 ...

458 Commits (dc1939bae917f5673a67b0347971eb054f9145bd) All Branches Search

458 Commits (dc1939bae917f5673a67b0347971eb054f9145bd)

All Branches