Most time in signing transaction on the Trezor side is spent
in layoutProgress. This patch reduces the calls to this functions.
We also compute the progress differently, reserving 50 % for downloading
input transactions and 50 % for the signing process. This gives a
smoother experience if the input transactions are large.
This diff contains three changes.
1. Make timing isPinCorrect independent of storage.pin, to avoid timing attacks
2. Only update failed PIN counter if the user entered a PIN.
Of course, the fail counter is still incremented, before the PIN is checked.
3. Don't cache the PIN, but just the fact that the PIN was entered. The
cache should be in sync with storage.pin in any case.
This makes the pointers to the words constant. It moves 8kb from ram
to flash. It changes the return type of mnemonic_wordlist() to reflect
this change. Everyone calling it should also change the type to
`const char * const *`.
The trezor-crypto has some assertions, which are enabled unless
compiled with -DNDEBUG. This does not make much sense for the Trezor
as could not write the assertion errors to stderr anyway.
This simple patch removes the dependency to assert, printf, etc. It
saves about 11kb flash and 2.2kb ram.
The standard says:
step h:
Set T to the empty sequence.
while tlen < qlen
V = HMAC_K(V)
T = T || V
k = bits2int(T)
in this case (HMAC-SHA256, qlen=256bit) this simplifies to
V = HMAC_K(V)
T = V
k = bits2int(T)
and T can be omitted.
The old code (wrong) did:
T = HMAC_K(V)
k = bits2int(T)
Note that V will only be used again if the first k is out of range.
Thus, the old code produced the right result with a very high probability.
