From 426eae4dfcb853041419030bbb104cc2bbf6629f Mon Sep 17 00:00:00 2001
From: Andrew Kozlik <andrew.kozlik@gmail.com>
Date: Mon, 25 Jul 2022 19:13:24 +0200
Subject: [PATCH] fix(core): Ensure correct order when verifying external
 inputs in Bitcoin signing.

---
 core/.changelog.d/2415.fixed             |  1 +
 core/src/apps/bitcoin/sign_tx/bitcoin.py | 16 ++++++++--------
 2 files changed, 9 insertions(+), 8 deletions(-)
 create mode 100644 core/.changelog.d/2415.fixed

diff --git a/core/.changelog.d/2415.fixed b/core/.changelog.d/2415.fixed
new file mode 100644
index 000000000..a724ef5c1
--- /dev/null
+++ b/core/.changelog.d/2415.fixed
@@ -0,0 +1 @@
+Ensure correct order when verifying external inputs in Bitcoin signing.
diff --git a/core/src/apps/bitcoin/sign_tx/bitcoin.py b/core/src/apps/bitcoin/sign_tx/bitcoin.py
index 2acdefefc..805e98466 100644
--- a/core/src/apps/bitcoin/sign_tx/bitcoin.py
+++ b/core/src/apps/bitcoin/sign_tx/bitcoin.py
@@ -203,15 +203,15 @@ class Bitcoin:
             # the amounts and scriptPubKeys, because if an invalid value is provided then all
             # issued signatures will be invalid.
             expected_digest = self.h_external_inputs
-            for i in self.external:
+            for i in range(self.tx_info.tx.inputs_count):
                 progress.advance()
-                txi = await helpers.request_tx_input(self.tx_req, i, self.coin)
-                writers.write_tx_input_check(h_check, txi)
-                if not input_is_external_unverified(txi):
-                    assert txi.script_pubkey is not None  # checked in sanitize_tx_input
-                    await self.verify_external_input(i, txi, txi.script_pubkey)
-
-            progress.advance(self.tx_info.tx.inputs_count - len(self.external))
+                if i in self.external:
+                    txi = await helpers.request_tx_input(self.tx_req, i, self.coin)
+                    writers.write_tx_input_check(h_check, txi)
+                    if not input_is_external_unverified(txi):
+                        # txi.script_pubkey checked in sanitize_tx_input
+                        assert txi.script_pubkey is not None
+                        await self.verify_external_input(i, txi, txi.script_pubkey)
         else:
             # There are internal non-Taproot inputs. We need to verify all inputs, because we can't
             # trust any amounts or scriptPubKeys. If we did, then an attacker who provides invalid