1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-01 20:08:26 +00:00
Commit Graph

116 Commits

Author SHA1 Message Date
Saleem Rashid
c70e440128 hasher: Replace hasher_Double with HASHER_*D
This allows us to finely control when to use a single hash or a double hash in
various places. For example, Bitcoin signatures use double SHA256, but Decred
signatures use a single BLAKE256. However, both use double hashes for Base58.
2018-04-03 18:28:06 +02:00
Pavol Rusnak
bb4c3d0525
introduce and use memzero instead of explicit_bzero 2018-01-18 15:18:09 +01:00
Pavol Rusnak
b7f73ee3ff
use explicit_bzero 2018-01-16 19:41:27 +01:00
Saleem Rashid
b41a51805f Use hasher_Raw instead of sha256_Raw 2017-12-10 20:07:13 +01:00
Jochen Hoenicke
9dfc6a4477
introduce confidential macro, mark confidential items 2017-08-16 13:38:49 +02:00
Pavol Rusnak
af06a997cb
refactor ecdsa_get_address_segwit_p2sh{,_raw} 2017-07-25 17:59:26 +02:00
Pavol Rusnak
c950342063
refactor hdnode_public_ckd_address_optimized 2017-07-24 22:57:20 +02:00
Pavol Rusnak
a820a5601b
split rfc6979 from ecdsa into separate module 2017-04-03 20:58:53 +02:00
Pavol Rusnak
a8aacac6be
ecdsa: rand -> rnd 2017-04-02 02:52:50 +02:00
Jochen Hoenicke
d3d88591d0 Added co-signing for ed25519. 2017-04-02 01:18:03 +02:00
Jochen Hoenicke
9443aefa9a
Multi-byte prefix cleanup
use the functions from address.c in ecdsa.c to avoid duplicated code.
2017-01-04 15:16:55 +01:00
Jochen Hoenicke
949220ac0b
Protect signing against side-channel attack (#81)
Signing uses the bn_inverse function that is prone to side-channel
attacks.  We randomize its argument by multiplying it with a random
non-zero number.  At the end we multiply again by the same number to
cancel it out.

Changed get_k_random to take the prime range as a second argument and
to return a non-zero number.  This function was previously only used
for (non-rfc6979) signing and is now used for side-channel protection.
2016-11-06 15:20:07 +01:00
Pavol Rusnak
cf21bb2fbf
refactor ECDH multiplication into ecdh_multiply function 2016-10-21 18:19:01 +02:00
Pavol Rusnak
ad73c0d4e7
fix ecdsa_address_decode 2016-10-09 23:42:21 +02:00
Pavol Rusnak
8764e26368
ecdsa_address_decode now needs version 2016-10-08 18:13:23 +02:00
Pavol Rusnak
430a5087c8
introduce MAX_ADDR_RAW_SIZE and MAX_WIF_RAW_SIZE macros 2016-10-08 18:01:44 +02:00
Pavol Rusnak
d10ec230c0
add support for multibyte address versions 2016-10-08 17:56:12 +02:00
Jochen Hoenicke
157caf3763 ecdsa: fix out-of-bounds read in point_multiply (#71)
Fixes #70.
2016-10-06 16:54:25 +02:00
Jochen Hoenicke
133c068f37 Reworked rfc6979 signing. (#72)
This adds an is_canonic parameter to all sign functions.  This is a
callback that determines if a signature corresponds to some coin
specific rules.  It is used, e. g., by ethereum (where the recovery
byte must be 0 or 1, and not 2 or 3) and or steem signatures (which
require both r and s to be between 2^248 and 2^255).

This also separates the initialization and the step function of the
random number generator, making it easy to restart the signature
process with the next random number.
2016-10-06 16:54:07 +02:00
Jochen Hoenicke
f4ed55377d Moved get_ethereum_address from ecdsa to bip32
The new name of the function is `hdnode_get_ethereum_address`
and it gets a hdnode as input as opposed to a public key.  This
also avoids first computing the compressed public key and then
uncompressing it.

Test cases were adapted to work with new function.  The test-vectors
are the same as for bip32 and independently checked with an adhoc
python implementation.
2016-08-18 16:21:33 +02:00
Alex Beregszaszi
4e7da75c6e Rewrite ecdsa_uncompress_pubkey() using ecdsa_read_pubkey() 2016-05-23 19:10:06 +01:00
Alex Beregszaszi
1b8e3d557f Implement ecdsa_get_ethereum_pubkeyhash() 2016-05-23 19:10:06 +01:00
Alex Beregszaszi
7d68a6ee17 Add ecdsa_uncompress_pubkey()
Code based on @Arachnid's PR, but has more strict checks
2016-05-17 19:38:14 +01:00
Pavol Rusnak
110965f31d
further optimize emscripten 2016-05-12 19:29:24 +02:00
Jochen Hoenicke
7b07dff25c
Added Unit test, fixed one corner case. 2016-04-25 22:55:30 +02:00
Jochen Hoenicke
409783ba64
New function ecdsa_verify_recover
Moved the code from Trezor firmware to here for recovering the public key
when verifying a bitcoin message.  Fixed the signing and verification for
the unlikely case the r value overflows.
2016-04-25 18:02:24 +02:00
Jochen Hoenicke
698f40f385
BIP-32 without gaps, prepare non-ecdsa curves
* Split ecdsa_curve into curve_info and ecdsa_curve to support bip32 on
  curves that don't have a ecdsa_curve.
* Don't fail in key derivation but retry with a new hash.
* Adapted test case accordingly
2016-04-22 17:43:15 +02:00
Jochen Hoenicke
533c3beb63 Fixed uncompress_coords for NIST curve
The bn_sqrti was broken.  It didn't handle primes where all bits are set
in the lowest limb.
2016-04-20 15:09:11 +02:00
Jochen Hoenicke
0bc1b70c4a Use different seed modifier for different curves 2016-04-20 10:38:11 +02:00
Jochen Hoenicke
472b90d8ed Added myself to copyright lines. 2015-08-19 21:45:21 +02:00
Jochen Hoenicke
774ac9cb22 Simplified test for doubling in point_jacobian_add 2015-08-07 11:26:00 +02:00
Jochen Hoenicke
f93b003cbc Extended comments, new function bn_add, a bug fix.
Describe normalized, partly reduced and reduced numbers.
Comment which function expects which kind of input.
Removed unused bn_bitlen.
Add bn_add that does not reduce.
Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal.
Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.
2015-08-06 19:09:23 +02:00
Jochen Hoenicke
f2081d88d8 New jacobian_add that handles doubling.
Fix bug where jacobian_add is called with two identical points.
2015-08-05 21:23:04 +02:00
Jochen Hoenicke
60e36dac3b Fixed conditional_negate for larger numbers
Without the bn_mod the numbers get larger (but still < 2*prime), so
conditional_negate should handle this.
2015-08-05 19:36:30 +02:00
Jochen Hoenicke
6ba4d288b0 Cleaned up bignum code
1. Fixed bn_multiply_step to handle small primes.
2. Removed many calls to bn_mod to prevent side-channel leakage.
2015-08-05 19:36:30 +02:00
Pavol Rusnak
d659fd49a5 return back normalization of signatures 2015-08-03 21:47:06 +02:00
Pavol Rusnak
71c24673ce Merge branch 'ssh-agent' of git://github.com/romanz/trezor-crypto into romanz-ssh-agent
Conflicts:
	ecdsa.c
2015-06-28 21:22:50 +02:00
Pavol Rusnak
36caf5b33a Merge pull request #35 from romanz/master
ecdsa: generate_k_rfc6979() should cleanup its stack before exit
2015-06-28 21:01:57 +02:00
Roman Zeyde
36847ac0d7 ecdsa: generate_k_rfc6979() should cleanup its stack before exit 2015-06-27 10:08:18 +03:00
Roman Zeyde
7c58fc11a4 Add support for NIST256P1 elliptic curve
This enables SSH ECDSA public key authentication.
2015-06-26 10:33:14 +03:00
John Dvorak
85cebfe968 Change return value of ecdsa_sign_digest
Error codes were not being propagated, always returned as 0.
2015-06-18 09:55:12 -04:00
Pavol Rusnak
21d0bb437a cleanup coding style 2015-04-13 18:19:33 +02:00
netanelkl
3fd32df8ed More of the same. 2015-04-09 15:05:28 -04:00
Pavol Rusnak
a757693fe3 Merge pull request #26 from jhoenicke/bignum_improvements
Bignum improvements
2015-03-30 17:48:43 +02:00
Oleg Andreev
a5a4333a8e typo fix (no, this was not a bug) 2015-03-30 17:25:34 +02:00
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
edf0fc4902 New fast variant of point_multiply.
Use a similar algorithm for `point_multiply` as for
`scalar_multiply` but with less precomputation.
Added double for points in Jacobian coordinates.
Simplified `point_jacobian_add` a little.
2015-03-21 21:10:08 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practise it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
2c38929d03 Make scalar_multiply timing attack safe.
This should make side-channel attacks much more difficult. However,

1. Timing of bn_inverse, which is used in point_add depends on input.
2. Timing of reading secp256k1_cp may depend on input due to cache.
3. The conditions in point_add are not timing attack safe.
   However point_add is always a straight addition, never double or some
   other special case.

In the long run, I would like to use a specialized point_add using Jacobian
representation plus a randomization when converting the first point to
Jacobian representation.  The Jacobian representation would also make
the procedure a bit faster.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
ec057a5102 "More" constant time point multiplication
About the same speed, about the same precomputation table requirements.
Simpler code.
2015-03-17 19:18:34 +01:00