diff --git a/firmware/signing.c b/firmware/signing.c index aee2faf3e4..045ed1255a 100644 --- a/firmware/signing.c +++ b/firmware/signing.c @@ -37,11 +37,12 @@ enum { STAGE_REQUEST_2_PREV_META, STAGE_REQUEST_2_PREV_INPUT, STAGE_REQUEST_2_PREV_OUTPUT, - STAGE_REQUEST_3_INPUT, STAGE_REQUEST_3_OUTPUT, - STAGE_REQUEST_4_OUTPUT + STAGE_REQUEST_4_INPUT, + STAGE_REQUEST_4_OUTPUT, + STAGE_REQUEST_5_OUTPUT } signing_stage; -static uint32_t idx1i, idx2i, idx2o, idx3i, idx3o, idx4o; +static uint32_t idx1, idx2; static TxRequest resp; static TxInputType input; static TxOutputBinType bin_output; @@ -55,57 +56,74 @@ static bool multisig_fp_set, multisig_fp_mismatch; static uint8_t multisig_fp[32]; /* + Workflow of streamed signing +The STAGE_ constants describe the signing_stage when request is sent. I - input O - output -foreach I: - Request I STAGE_REQUEST_1_INPUT +Phase1 - check inputs, previous transactions, and outputs + - ask for confirmations + - check fee +========================================================= +foreach I (idx1): + Request I STAGE_REQUEST_1_INPUT + Add I to TransactionChecksum Calculate amount of I: Request prevhash I, META STAGE_REQUEST_2_PREV_META - foreach prevhash I: STAGE_REQUEST_2_PREV_INPUT - Request prevhash I - foreach prevhash O: STAGE_REQUEST_2_PREV_OUTPUT - Request prevhash O - Store amount of I + foreach prevhash I (idx2): + Request prevhash I STAGE_REQUEST_2_PREV_INPUT + foreach prevhash O (idx2): + Request prevhash O STAGE_REQUEST_2_PREV_OUTPUT + Add amount of prevhash O (which is amount of I) Calculate hash of streamed tx, compare to prevhash I +foreach O (idx1): + Request O STAGE_REQUEST_3_OUTPUT + Add O to TransactionChecksum + Display output + Ask for confirmation - foreach I: STAGE_REQUEST_3_INPUT - Request I - If I == I-to-be-signed: +Check tx fee +Ask for confirmation + +Phase2: sign inputs, check that nothing changed +=============================================== + +foreach I (idx1): // input to sign + foreach I (idx2): + Request I STAGE_REQUEST_4_INPUT + If idx1 == idx2 + Remember key for signing Fill scriptsig Add I to StreamTransactionSign - foreach O: - Request O STAGE_REQUEST_3_OUTPUT - If I=0: - Display output - Ask for confirmation + Add I to TransactionChecksum + foreach O (idx2): + Request O STAGE_REQUEST_4_OUTPUT Add O to StreamTransactionSign + Add O to TransactionChecksum - If I=0: - Check tx fee - Calculate txhash - else: - Compare current hash with txhash - If different: - Failure - + Compare TransactionChecksum with checksum computed in Phase 1 + If different: + Failure Sign StreamTransactionSign Return signed chunk - */ +foreach O (idx1): + Request O STAGE_REQUEST_5_OUTPUT + Rewrite change address + Return O +*/ void send_req_1_input(void) { layoutProgress("Signing transaction", 1000 * progress / progress_total); - idx2i = idx2o = idx3i = idx3o = 0; signing_stage = STAGE_REQUEST_1_INPUT; resp.has_request_type = true; resp.request_type = RequestType_TXINPUT; resp.has_details = true; resp.details.has_request_index = true; - resp.details.request_index = idx1i; + resp.details.request_index = idx1; msg_write(MessageType_MessageType_TxRequest, &resp); } @@ -130,7 +148,7 @@ void send_req_2_prev_input(void) resp.request_type = RequestType_TXINPUT; resp.has_details = true; resp.details.has_request_index = true; - resp.details.request_index = idx2i; + resp.details.request_index = idx2; resp.details.has_tx_hash = true; resp.details.tx_hash.size = input.prev_hash.size; memcpy(resp.details.tx_hash.bytes, input.prev_hash.bytes, resp.details.tx_hash.size); @@ -145,25 +163,13 @@ void send_req_2_prev_output(void) resp.request_type = RequestType_TXOUTPUT; resp.has_details = true; resp.details.has_request_index = true; - resp.details.request_index = idx2o; + resp.details.request_index = idx2; resp.details.has_tx_hash = true; resp.details.tx_hash.size = input.prev_hash.size; memcpy(resp.details.tx_hash.bytes, input.prev_hash.bytes, resp.details.tx_hash.size); msg_write(MessageType_MessageType_TxRequest, &resp); } -void send_req_3_input(void) -{ - layoutProgress("Signing transaction", 1000 * progress / progress_total); - signing_stage = STAGE_REQUEST_3_INPUT; - resp.has_request_type = true; - resp.request_type = RequestType_TXINPUT; - resp.has_details = true; - resp.details.has_request_index = true; - resp.details.request_index = idx3i; - msg_write(MessageType_MessageType_TxRequest, &resp); -} - void send_req_3_output(void) { layoutProgress("Signing transaction", 1000 * progress / progress_total); @@ -172,7 +178,19 @@ void send_req_3_output(void) resp.request_type = RequestType_TXOUTPUT; resp.has_details = true; resp.details.has_request_index = true; - resp.details.request_index = idx3o; + resp.details.request_index = idx1; + msg_write(MessageType_MessageType_TxRequest, &resp); +} + +void send_req_4_input(void) +{ + layoutProgress("Signing transaction", 1000 * progress / progress_total); + signing_stage = STAGE_REQUEST_4_INPUT; + resp.has_request_type = true; + resp.request_type = RequestType_TXINPUT; + resp.has_details = true; + resp.details.has_request_index = true; + resp.details.request_index = idx2; msg_write(MessageType_MessageType_TxRequest, &resp); } @@ -184,7 +202,19 @@ void send_req_4_output(void) resp.request_type = RequestType_TXOUTPUT; resp.has_details = true; resp.details.has_request_index = true; - resp.details.request_index = idx4o; + resp.details.request_index = idx2; + msg_write(MessageType_MessageType_TxRequest, &resp); +} + +void send_req_5_output(void) +{ + layoutProgress("Signing transaction", 1000 * progress / progress_total); + signing_stage = STAGE_REQUEST_5_OUTPUT; + resp.has_request_type = true; + resp.request_type = RequestType_TXOUTPUT; + resp.has_details = true; + resp.details.has_request_index = true; + resp.details.request_index = idx1; msg_write(MessageType_MessageType_TxRequest, &resp); } @@ -203,7 +233,7 @@ void signing_init(uint32_t _inputs_count, uint32_t _outputs_count, const CoinTyp coin = _coin; root = _root; - idx1i = idx2i = idx2o = idx3i = idx3o = idx4o = 0; + idx1 = 0; to_spend = 0; spending = 0; change_spend = 0; @@ -218,6 +248,7 @@ void signing_init(uint32_t _inputs_count, uint32_t _outputs_count, const CoinTyp multisig_fp_mismatch = false; tx_init(&to, inputs_count, outputs_count, version, lock_time, false); + tx_init(&tc, inputs_count, outputs_count, version, lock_time, false); layoutProgressSwipe("Signing transaction", 0); @@ -240,11 +271,40 @@ void signing_txack(TransactionType *tx) switch (signing_stage) { case STAGE_REQUEST_1_INPUT: progress++; + /* compute multisig fingerprint */ + /* (if all input share the same fingerprint, outputs having the same fingerprint will be considered as change outputs) */ + if (tx->inputs[0].script_type == InputScriptType_SPENDMULTISIG && + tx->inputs[0].has_multisig && !multisig_fp_mismatch) { + if (multisig_fp_set) { + uint8_t h[32]; + if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), h) == 0) { + fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); + signing_abort(); + return; + } + if (memcmp(multisig_fp, h, 32) != 0) { + multisig_fp_mismatch = true; + } + } else { + if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), multisig_fp) == 0) { + fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); + signing_abort(); + return; + } + multisig_fp_set = true; + } + } + if (!tx_serialize_input_hash(&tc, tx->inputs)) { + fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize input"); + signing_abort(); + return; + } memcpy(&input, tx->inputs, sizeof(TxInputType)); send_req_2_prev_meta(); return; case STAGE_REQUEST_2_PREV_META: tx_init(&tp, tx->inputs_cnt, tx->outputs_cnt, tx->version, tx->lock_time, false); + idx2 = 0; send_req_2_prev_input(); return; case STAGE_REQUEST_2_PREV_INPUT: @@ -253,10 +313,11 @@ void signing_txack(TransactionType *tx) signing_abort(); return; } - if (idx2i < tp.inputs_len - 1) { - idx2i++; + if (idx2 < tp.inputs_len - 1) { + idx2++; send_req_2_prev_input(); } else { + idx2 = 0; send_req_2_prev_output(); } return; @@ -266,57 +327,136 @@ void signing_txack(TransactionType *tx) signing_abort(); return; } - if (idx2o == input.prev_index) { + if (idx2 == input.prev_index) { to_spend += tx->bin_outputs[0].amount; } - if (idx2o < tp.outputs_len - 1) { - idx2o++; + if (idx2 < tp.outputs_len - 1) { + /* Check prevtx of next input */ + idx2++; send_req_2_prev_output(); } else { + /* Check next output */ tx_hash_final(&tp, hash, true); if (memcmp(hash, input.prev_hash.bytes, 32) != 0) { fsm_sendFailure(FailureType_Failure_Other, "Encountered invalid prevhash"); signing_abort(); return; } - tx_init(&ti, inputs_count, outputs_count, version, lock_time, true); - tx_init(&tc, inputs_count, outputs_count, version, lock_time, true); - memset(privkey, 0, 32); - memset(pubkey, 0, 33); - send_req_3_input(); + if (idx1 < inputs_count - 1) { + idx1++; + send_req_1_input(); + } else { + idx1 = 0; + send_req_3_output(); + } } return; - case STAGE_REQUEST_3_INPUT: + case STAGE_REQUEST_3_OUTPUT: + { + /* Downloaded output idx1 the first time. + * Add it to transaction check + * Ask for permission. + */ + bool is_change = false; + if (tx->outputs[0].script_type == OutputScriptType_PAYTOMULTISIG && + tx->outputs[0].has_multisig && + multisig_fp_set && !multisig_fp_mismatch) { + uint8_t h[32]; + if (cryptoMultisigFingerprint(&(tx->outputs[0].multisig), h) == 0) { + fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); + signing_abort(); + return; + } + if (memcmp(multisig_fp, h, 32) == 0) { + is_change = true; + } + } else + if (tx->outputs[0].script_type == OutputScriptType_PAYTOADDRESS && + tx->outputs[0].address_n_count > 0) { + is_change = true; + } + + if (is_change) { + if (change_spend == 0) { // not set + change_spend = tx->outputs[0].amount; + } else { + fsm_sendFailure(FailureType_Failure_Other, "Only one change output allowed"); + signing_abort(); + return; + } + } + + spending += tx->outputs[0].amount; + co = compile_output(coin, root, tx->outputs, &bin_output, !is_change); + if (!is_change) { + layoutProgress("Signing transaction", 1000 * progress / progress_total); + } + if (co < 0) { + fsm_sendFailure(FailureType_Failure_Other, "Signing cancelled by user"); + signing_abort(); + return; + } else if (co == 0) { + fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output"); + signing_abort(); + return; + } + if (!tx_serialize_output_hash(&tc, &bin_output)) { + fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize output"); + signing_abort(); + return; + } + if (idx1 < outputs_count - 1) { + idx1++; + send_req_3_output(); + } else { + tx_hash_final(&tc, hash_check, false); + + // check fees + if (spending > to_spend) { + fsm_sendFailure(FailureType_Failure_NotEnoughFunds, "Not enough funds"); + layoutHome(); + return; + } + uint64_t fee = to_spend - spending; + uint32_t tx_est_size = transactionEstimateSizeKb(inputs_count, outputs_count); + if (fee > (uint64_t)tx_est_size * coin->maxfee_kb) { + layoutFeeOverThreshold(coin, fee, tx_est_size); + if (!protectButton(ButtonRequestType_ButtonRequest_FeeOverThreshold, false)) { + fsm_sendFailure(FailureType_Failure_ActionCancelled, "Fee over threshold. Signing cancelled."); + layoutHome(); + return; + } + } + // last confirmation + layoutConfirmTx(coin, to_spend - change_spend, fee); + if (!protectButton(ButtonRequestType_ButtonRequest_SignTx, false)) { + fsm_sendFailure(FailureType_Failure_ActionCancelled, "Signing cancelled by user"); + signing_abort(); + return; + } + + // Everything was checked, now phase 2 begins and the transaction is signed. + idx1 = 0; + idx2 = 0; + send_req_4_input(); + } + return; + } + case STAGE_REQUEST_4_INPUT: + if (idx2 == 0) { + tx_init(&ti, inputs_count, outputs_count, version, lock_time, true); + tx_init(&tc, inputs_count, outputs_count, version, lock_time, false); + memset(privkey, 0, 32); + memset(pubkey, 0, 33); + } progress++; if (!tx_serialize_input_hash(&tc, tx->inputs)) { fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize input"); signing_abort(); return; } - if (idx1i == 0) { - if (tx->inputs[0].script_type == InputScriptType_SPENDMULTISIG && - tx->inputs[0].has_multisig && !multisig_fp_mismatch) { - if (multisig_fp_set) { - uint8_t h[32]; - if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), h) == 0) { - fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); - signing_abort(); - return; - } - if (memcmp(multisig_fp, h, 32) != 0) { - multisig_fp_mismatch = true; - } - } else { - if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), multisig_fp) == 0) { - fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); - signing_abort(); - return; - } - multisig_fp_set = true; - } - } - } - if (idx3i == idx1i) { + if (idx2 == idx1) { + memcpy(&input, tx->inputs, sizeof(TxInputType)); memcpy(&node, root, sizeof(HDNode)); if (hdnode_private_ckd_cached(&node, tx->inputs[0].address_n, tx->inputs[0].address_n_count) == 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to derive private key"); @@ -349,51 +489,17 @@ void signing_txack(TransactionType *tx) signing_abort(); return; } - if (idx3i < inputs_count - 1) { - idx3i++; - send_req_3_input(); + if (idx2 < inputs_count - 1) { + idx2++; + send_req_4_input(); } else { - send_req_3_output(); + idx2 = 0; + send_req_4_output(); } return; - case STAGE_REQUEST_3_OUTPUT: + case STAGE_REQUEST_4_OUTPUT: progress++; - if (idx1i == 0) { - bool is_change = false; - if (tx->outputs[0].script_type == OutputScriptType_PAYTOMULTISIG && - tx->outputs[0].has_multisig && - multisig_fp_set && !multisig_fp_mismatch) { - uint8_t h[32]; - if (cryptoMultisigFingerprint(&(tx->outputs[0].multisig), h) == 0) { - fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); - signing_abort(); - return; - } - if (memcmp(multisig_fp, h, 32) == 0) { - is_change = true; - } - } else - if (tx->outputs[0].script_type == OutputScriptType_PAYTOADDRESS && - tx->outputs[0].address_n_count > 0) { - is_change = true; - } - if (is_change) { - if (change_spend == 0) { // not set - change_spend = tx->outputs[0].amount; - } else { - fsm_sendFailure(FailureType_Failure_Other, "Only one change output allowed"); - signing_abort(); - return; - } - } - spending += tx->outputs[0].amount; - co = compile_output(coin, root, tx->outputs, &bin_output, !is_change); - if (!is_change) { - layoutProgress("Signing transaction", 1000 * progress / progress_total); - } - } else { - co = compile_output(coin, root, tx->outputs, &bin_output, false); - } + co = compile_output(coin, root, tx->outputs, &bin_output, false); if (co < 0) { fsm_sendFailure(FailureType_Failure_Other, "Signing cancelled by user"); signing_abort(); @@ -413,24 +519,20 @@ void signing_txack(TransactionType *tx) signing_abort(); return; } - if (idx3o < outputs_count - 1) { - idx3o++; - send_req_3_output(); + if (idx2 < outputs_count - 1) { + idx2++; + send_req_4_output(); } else { - if (idx1i == 0) { - tx_hash_final(&tc, hash_check, false); - } else { - tx_hash_final(&tc, hash, false); - if (memcmp(hash, hash_check, 32) != 0) { - fsm_sendFailure(FailureType_Failure_Other, "Transaction has changed during signing"); - signing_abort(); - return; - } + tx_hash_final(&tc, hash, false); + if (memcmp(hash, hash_check, 32) != 0) { + fsm_sendFailure(FailureType_Failure_Other, "Transaction has changed during signing"); + signing_abort(); + return; } tx_hash_final(&ti, hash, false); resp.has_serialized = true; resp.serialized.has_signature_index = true; - resp.serialized.signature_index = idx1i; + resp.serialized.signature_index = idx1; resp.serialized.has_signature = true; resp.serialized.has_serialized_tx = true; ecdsa_sign_digest(privkey, hash, sig, 0); @@ -460,39 +562,19 @@ void signing_txack(TransactionType *tx) input.script_sig.size = serialize_script_sig(resp.serialized.signature.bytes, resp.serialized.signature.size, pubkey, 33, input.script_sig.bytes); } resp.serialized.serialized_tx.size = tx_serialize_input(&to, &input, resp.serialized.serialized_tx.bytes); - if (idx1i < inputs_count - 1) { - idx1i++; - send_req_1_input(); + if (idx1 < inputs_count - 1) { + idx1++; + idx2 = 0; + send_req_4_input(); } else { - if (spending > to_spend) { - fsm_sendFailure(FailureType_Failure_NotEnoughFunds, "Not enough funds"); - layoutHome(); - return; - } - uint64_t fee = to_spend - spending; - uint32_t tx_est_size = transactionEstimateSizeKb(inputs_count, outputs_count); - if (fee > (uint64_t)tx_est_size * coin->maxfee_kb) { - layoutFeeOverThreshold(coin, fee, tx_est_size); - if (!protectButton(ButtonRequestType_ButtonRequest_FeeOverThreshold, false)) { - fsm_sendFailure(FailureType_Failure_ActionCancelled, "Fee over threshold. Signing cancelled."); - layoutHome(); - return; - } - } - // last confirmation - layoutConfirmTx(coin, to_spend - change_spend, fee); - if (!protectButton(ButtonRequestType_ButtonRequest_SignTx, false)) { - fsm_sendFailure(FailureType_Failure_ActionCancelled, "Signing cancelled by user"); - signing_abort(); - return; - } - send_req_4_output(); + idx1 = 0; + send_req_5_output(); } } return; - case STAGE_REQUEST_4_OUTPUT: + case STAGE_REQUEST_5_OUTPUT: progress++; - if (compile_output(coin, root, tx->outputs, &bin_output, false) <= 0) { + if (compile_output(coin, root, tx->outputs, &bin_output,false) <= 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output"); signing_abort(); return; @@ -500,9 +582,9 @@ void signing_txack(TransactionType *tx) resp.has_serialized = true; resp.serialized.has_serialized_tx = true; resp.serialized.serialized_tx.size = tx_serialize_output(&to, &bin_output, resp.serialized.serialized_tx.bytes); - if (idx4o < outputs_count - 1) { - idx4o++; - send_req_4_output(); + if (idx1 < outputs_count - 1) { + idx1++; + send_req_5_output(); } else { send_req_finished(); signing_abort(); diff --git a/trezor-crypto b/trezor-crypto index 54aa5a4482..f4fe7c9aa5 160000 --- a/trezor-crypto +++ b/trezor-crypto @@ -1 +1 @@ -Subproject commit 54aa5a4482eaf6f11c0c6941be5e34aa3a5ff5e2 +Subproject commit f4fe7c9aa5e85ec3898ce07a5af5fc99bb8f5de4