2020-08-04 18:02:57 +00:00
|
|
|
# This file is part of the Trezor project.
|
|
|
|
#
|
|
|
|
# Copyright (C) 2012-2019 SatoshiLabs and contributors
|
|
|
|
#
|
|
|
|
# This library is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU Lesser General Public License version 3
|
|
|
|
# as published by the Free Software Foundation.
|
|
|
|
#
|
|
|
|
# This library is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU Lesser General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the License along with this library.
|
|
|
|
# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
|
|
|
|
|
|
|
|
import pytest
|
|
|
|
|
2021-11-10 21:28:11 +00:00
|
|
|
from trezorlib import btc, device, messages
|
2022-01-31 12:25:30 +00:00
|
|
|
from trezorlib.debuglink import TrezorClientDebugLink as Client
|
2020-08-04 18:02:57 +00:00
|
|
|
from trezorlib.exceptions import TrezorFailure
|
2021-12-08 13:53:56 +00:00
|
|
|
from trezorlib.tools import H_, parse_path
|
2020-08-04 18:02:57 +00:00
|
|
|
|
2022-01-24 20:23:58 +00:00
|
|
|
from .signtx import (
|
|
|
|
forge_prevtx,
|
|
|
|
request_finished,
|
|
|
|
request_input,
|
|
|
|
request_meta,
|
|
|
|
request_output,
|
|
|
|
)
|
2020-08-04 18:02:57 +00:00
|
|
|
|
2021-12-08 13:53:56 +00:00
|
|
|
B = messages.ButtonRequestType
|
2020-08-04 18:02:57 +00:00
|
|
|
|
2022-01-24 20:23:58 +00:00
|
|
|
# address at seed "all all all..." path m/44h/0h/0h/0/0
|
|
|
|
INPUT_ADDRESS = "1JAd7XCBzGudGpJQSDSfpmJhiygtLQWaGL"
|
|
|
|
PREV_HASH, PREV_TX = forge_prevtx([(INPUT_ADDRESS, 390_000)])
|
|
|
|
PREV_TXES = {PREV_HASH: PREV_TX}
|
2021-11-10 21:19:53 +00:00
|
|
|
|
2021-11-29 11:00:01 +00:00
|
|
|
|
2021-11-10 21:19:53 +00:00
|
|
|
# Litecoin does not have strong replay protection using SIGHASH_FORKID,
|
|
|
|
# spending from Bitcoin path should fail.
|
2021-12-08 13:53:56 +00:00
|
|
|
@pytest.mark.altcoin
|
2022-01-31 12:25:30 +00:00
|
|
|
def test_invalid_path_fail(client: Client):
|
2021-11-10 21:28:11 +00:00
|
|
|
inp1 = messages.TxInputType(
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/44h/0h/0h/0/0"),
|
|
|
|
amount=390_000,
|
2022-01-24 20:23:58 +00:00
|
|
|
prev_hash=PREV_HASH,
|
2021-11-10 21:19:53 +00:00
|
|
|
prev_index=0,
|
|
|
|
)
|
|
|
|
|
|
|
|
# address is converted from 1MJ2tj2ThBE62zXbBYA5ZaN3fdve5CPAz1 by changing the version
|
2021-11-10 21:28:11 +00:00
|
|
|
out1 = messages.TxOutputType(
|
2021-11-10 21:19:53 +00:00
|
|
|
address="LfWz9wLHmqU9HoDkMg9NqbRosrHvEixeVZ",
|
2022-01-31 12:25:30 +00:00
|
|
|
amount=390_000 - 10_000,
|
2021-11-10 21:28:11 +00:00
|
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
2021-11-10 21:19:53 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
with pytest.raises(TrezorFailure) as exc:
|
2022-01-24 20:23:58 +00:00
|
|
|
btc.sign_tx(client, "Litecoin", [inp1], [out1], prev_txes=PREV_TXES)
|
2021-05-21 18:05:19 +00:00
|
|
|
|
2021-11-10 21:28:11 +00:00
|
|
|
assert exc.value.code == messages.FailureType.DataError
|
2021-11-10 21:19:53 +00:00
|
|
|
assert exc.value.message.endswith("Forbidden key path")
|
|
|
|
|
|
|
|
|
|
|
|
# Litecoin does not have strong replay protection using SIGHASH_FORKID, but
|
|
|
|
# spending from Bitcoin path should pass with safety checks set to prompt.
|
2021-12-08 13:53:56 +00:00
|
|
|
@pytest.mark.altcoin
|
2022-01-31 12:25:30 +00:00
|
|
|
def test_invalid_path_prompt(client: Client):
|
2021-11-10 21:28:11 +00:00
|
|
|
inp1 = messages.TxInputType(
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/44h/0h/0h/0/0"),
|
|
|
|
amount=390_000,
|
2022-01-24 20:23:58 +00:00
|
|
|
prev_hash=PREV_HASH,
|
2021-11-10 21:19:53 +00:00
|
|
|
prev_index=0,
|
|
|
|
)
|
|
|
|
|
|
|
|
# address is converted from 1MJ2tj2ThBE62zXbBYA5ZaN3fdve5CPAz1 by changing the version
|
2021-11-10 21:28:11 +00:00
|
|
|
out1 = messages.TxOutputType(
|
2021-11-10 21:19:53 +00:00
|
|
|
address="LfWz9wLHmqU9HoDkMg9NqbRosrHvEixeVZ",
|
2022-01-31 12:25:30 +00:00
|
|
|
amount=390_000 - 10_000,
|
2021-11-10 21:28:11 +00:00
|
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
2021-11-10 21:19:53 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
device.apply_settings(
|
2021-11-10 21:28:11 +00:00
|
|
|
client, safety_checks=messages.SafetyCheckLevel.PromptTemporarily
|
2021-11-10 21:19:53 +00:00
|
|
|
)
|
|
|
|
|
2022-01-24 20:23:58 +00:00
|
|
|
btc.sign_tx(client, "Litecoin", [inp1], [out1], prev_txes=PREV_TXES)
|
2021-11-10 21:19:53 +00:00
|
|
|
|
|
|
|
|
|
|
|
# Bcash does have strong replay protection using SIGHASH_FORKID,
|
|
|
|
# spending from Bitcoin path should work.
|
2021-12-08 13:53:56 +00:00
|
|
|
@pytest.mark.altcoin
|
2022-01-31 12:25:30 +00:00
|
|
|
def test_invalid_path_pass_forkid(client: Client):
|
2021-11-10 21:28:11 +00:00
|
|
|
inp1 = messages.TxInputType(
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/44h/0h/0h/0/0"),
|
|
|
|
amount=390_000,
|
2022-01-24 20:23:58 +00:00
|
|
|
prev_hash=PREV_HASH,
|
2021-11-10 21:19:53 +00:00
|
|
|
prev_index=0,
|
|
|
|
)
|
|
|
|
|
|
|
|
# address is converted from 1MJ2tj2ThBE62zXbBYA5ZaN3fdve5CPAz1 to cashaddr format
|
2021-11-10 21:28:11 +00:00
|
|
|
out1 = messages.TxOutputType(
|
2021-11-10 21:19:53 +00:00
|
|
|
address="bitcoincash:qr0fk25d5zygyn50u5w7h6jkvctas52n0qxff9ja6r",
|
2022-01-31 12:25:30 +00:00
|
|
|
amount=390_000 - 10_000,
|
2021-11-10 21:28:11 +00:00
|
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
2021-11-10 21:19:53 +00:00
|
|
|
)
|
|
|
|
|
2022-01-24 20:23:58 +00:00
|
|
|
btc.sign_tx(client, "Bcash", [inp1], [out1], prev_txes=PREV_TXES)
|
2021-12-08 13:53:56 +00:00
|
|
|
|
|
|
|
|
2022-01-31 12:25:30 +00:00
|
|
|
def test_attack_path_segwit(client: Client):
|
2021-12-08 13:53:56 +00:00
|
|
|
# Scenario: The attacker falsely claims that the transaction uses Testnet paths to
|
|
|
|
# avoid the path warning dialog, but in step6_sign_segwit_inputs() uses Bitcoin paths
|
|
|
|
# to get a valid signature.
|
|
|
|
|
2022-01-24 20:23:58 +00:00
|
|
|
# Generate keys
|
|
|
|
address_a = btc.get_address(
|
|
|
|
client,
|
|
|
|
"Testnet",
|
|
|
|
parse_path("m/84h/1h/0h/0/0"),
|
|
|
|
script_type=messages.InputScriptType.SPENDWITNESS,
|
|
|
|
)
|
|
|
|
address_b = btc.get_address(
|
|
|
|
client,
|
|
|
|
"Testnet",
|
|
|
|
parse_path("m/84h/1h/1h/0/1"),
|
|
|
|
script_type=messages.InputScriptType.SPENDWITNESS,
|
|
|
|
)
|
|
|
|
prev_hash, prev_tx = forge_prevtx(
|
|
|
|
[(address_a, 9_426), (address_b, 7_086)], network="testnet"
|
|
|
|
)
|
|
|
|
|
2021-12-08 13:53:56 +00:00
|
|
|
device.apply_settings(
|
|
|
|
client, safety_checks=messages.SafetyCheckLevel.PromptTemporarily
|
|
|
|
)
|
|
|
|
|
|
|
|
inp1 = messages.TxInputType(
|
2022-01-24 20:23:58 +00:00
|
|
|
# The actual input that the attacker wants to get signed.
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/84h/0h/0h/0/0"),
|
|
|
|
amount=9_426,
|
2022-01-24 20:23:58 +00:00
|
|
|
prev_hash=prev_hash,
|
2021-12-08 13:53:56 +00:00
|
|
|
prev_index=0,
|
|
|
|
script_type=messages.InputScriptType.SPENDWITNESS,
|
|
|
|
)
|
|
|
|
inp2 = messages.TxInputType(
|
2022-01-24 20:23:58 +00:00
|
|
|
# The actual input that the attacker wants to get signed.
|
2021-12-08 13:53:56 +00:00
|
|
|
# We need this one to be from a different account, so that the match checker
|
|
|
|
# allows the transaction to pass.
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/84h/0h/1h/0/1"),
|
|
|
|
amount=7_086,
|
2022-01-24 20:23:58 +00:00
|
|
|
prev_hash=prev_hash,
|
|
|
|
prev_index=1,
|
2021-12-08 13:53:56 +00:00
|
|
|
script_type=messages.InputScriptType.SPENDWITNESS,
|
|
|
|
)
|
|
|
|
|
|
|
|
out1 = messages.TxOutputType(
|
|
|
|
# Attacker's Mainnet address encoded as Testnet.
|
|
|
|
address="tb1q694ccp5qcc0udmfwgp692u2s2hjpq5h407urtu",
|
|
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
2022-01-31 12:25:30 +00:00
|
|
|
amount=9_426 + 7_086 - 500,
|
2021-12-08 13:53:56 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
attack_count = 6
|
|
|
|
|
|
|
|
def attack_processor(msg):
|
|
|
|
nonlocal attack_count
|
|
|
|
# Make the inputs look like they are coming from Testnet paths until we reach the
|
|
|
|
# signing phase.
|
|
|
|
if attack_count > 0 and msg.tx.inputs and msg.tx.inputs[0] in (inp1, inp2):
|
|
|
|
attack_count -= 1
|
|
|
|
msg.tx.inputs[0].address_n[1] = H_(1)
|
|
|
|
|
|
|
|
return msg
|
|
|
|
|
|
|
|
with client:
|
|
|
|
client.set_filter(messages.TxAck, attack_processor)
|
|
|
|
client.set_expected_responses(
|
|
|
|
[
|
|
|
|
# Step: process inputs
|
|
|
|
request_input(0),
|
|
|
|
# Attacker bypasses warning about non-standard path.
|
|
|
|
request_input(1),
|
|
|
|
# Attacker bypasses warning about non-standard path.
|
|
|
|
# Step: approve outputs
|
|
|
|
request_output(0),
|
|
|
|
messages.ButtonRequest(code=B.ConfirmOutput),
|
|
|
|
messages.ButtonRequest(code=B.SignTx),
|
|
|
|
# Step: verify inputs
|
|
|
|
request_input(0),
|
2022-01-24 20:23:58 +00:00
|
|
|
request_meta(prev_hash),
|
|
|
|
request_input(0, prev_hash),
|
|
|
|
request_output(0, prev_hash),
|
|
|
|
request_output(1, prev_hash),
|
2021-12-08 13:53:56 +00:00
|
|
|
request_input(1),
|
2022-01-24 20:23:58 +00:00
|
|
|
request_meta(prev_hash),
|
|
|
|
request_input(0, prev_hash),
|
|
|
|
request_output(0, prev_hash),
|
|
|
|
request_output(1, prev_hash),
|
2021-12-08 13:53:56 +00:00
|
|
|
# Step: serialize inputs
|
|
|
|
request_input(0),
|
|
|
|
request_input(1),
|
|
|
|
# Step: serialize outputs
|
|
|
|
request_output(0),
|
|
|
|
# Step: sign segwit inputs
|
|
|
|
request_input(0),
|
|
|
|
# Trezor must warn about non-standard path before signing.
|
|
|
|
messages.ButtonRequest(code=B.UnknownDerivationPath),
|
|
|
|
request_input(1),
|
|
|
|
# Trezor must warn about non-standard path before signing.
|
|
|
|
messages.ButtonRequest(code=B.UnknownDerivationPath),
|
|
|
|
request_finished(),
|
|
|
|
]
|
|
|
|
)
|
|
|
|
|
2022-01-24 20:23:58 +00:00
|
|
|
btc.sign_tx(
|
|
|
|
client, "Testnet", [inp1, inp2], [out1], prev_txes={prev_hash: prev_tx}
|
|
|
|
)
|
2021-12-14 12:57:56 +00:00
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.skip_t1(reason="T1 only prevents using paths known to be altcoins")
|
2022-01-31 12:25:30 +00:00
|
|
|
def test_invalid_path_fail_asap(client: Client):
|
2021-12-14 12:57:56 +00:00
|
|
|
inp1 = messages.TxInputType(
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/0"),
|
2022-01-24 20:23:58 +00:00
|
|
|
amount=1_000_000,
|
|
|
|
prev_hash=b"\x42" * 32,
|
2021-12-14 12:57:56 +00:00
|
|
|
prev_index=0,
|
|
|
|
script_type=messages.InputScriptType.SPENDWITNESS,
|
2022-01-31 12:25:30 +00:00
|
|
|
sequence=4_294_967_293,
|
2021-12-14 12:57:56 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
out1 = messages.TxOutputType(
|
2022-01-31 12:25:30 +00:00
|
|
|
address_n=parse_path("m/84h/0h/0h/1/0"),
|
2022-01-24 20:23:58 +00:00
|
|
|
amount=1_000_000,
|
2021-12-14 12:57:56 +00:00
|
|
|
script_type=messages.OutputScriptType.PAYTOWITNESS,
|
|
|
|
)
|
|
|
|
|
|
|
|
with client:
|
|
|
|
client.set_expected_responses(
|
2022-01-24 20:23:58 +00:00
|
|
|
[
|
|
|
|
request_input(0),
|
|
|
|
messages.Failure(code=messages.FailureType.DataError),
|
|
|
|
]
|
2021-12-14 12:57:56 +00:00
|
|
|
)
|
|
|
|
try:
|
2022-01-24 20:23:58 +00:00
|
|
|
btc.sign_tx(client, "Testnet", [inp1], [out1])
|
2021-12-14 12:57:56 +00:00
|
|
|
except TrezorFailure:
|
|
|
|
pass
|