parent
5137f4ec00
commit
4f32cb5083
@ -0,0 +1,65 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include "common.h"
|
||||
#include "rng.h"
|
||||
#include "layout.h"
|
||||
#include "firmware/usb.h"
|
||||
|
||||
void shutdown(void);
|
||||
|
||||
void __attribute__((noreturn)) __fatal_error(const char *expr, const char *msg, const char *file, int line_num, const char *func) {
|
||||
char line[4][128] = {{0}};
|
||||
int i = 0;
|
||||
if (expr != NULL) {
|
||||
snprintf(line[i], sizeof(line[0]), "Expr: %s", expr);
|
||||
i++;
|
||||
}
|
||||
if (msg != NULL) {
|
||||
snprintf(line[i], sizeof(line[0]), "Msg: %s", msg);
|
||||
i++;
|
||||
}
|
||||
if (file != NULL) {
|
||||
snprintf(line[i], sizeof(line[0]), "File: %s:%d", file, line_num);
|
||||
i++;
|
||||
}
|
||||
if (func != NULL) {
|
||||
snprintf(line[i], sizeof(line[0]), "Func: %s", func);
|
||||
i++;
|
||||
}
|
||||
error_shutdown("FATAL ERROR:", NULL, line[0], line[1], line[2], line[3]);
|
||||
}
|
||||
|
||||
void __attribute__((noreturn)) error_shutdown(const char *line1, const char *line2, const char *line3, const char *line4, const char *line5, const char *line6) {
|
||||
layoutDialog(&bmp_icon_error, NULL, NULL, NULL, line1, line2, line3, line4, line5, line6);
|
||||
shutdown();
|
||||
for (;;);
|
||||
}
|
||||
|
||||
#ifndef NDEBUG
|
||||
void __assert_func(const char *file, int line, const char *func, const char *expr) {
|
||||
__fatal_error(expr, "assert failed", file, line, func);
|
||||
}
|
||||
#endif
|
||||
|
||||
void hal_delay(uint32_t ms)
|
||||
{
|
||||
usbSleep(ms);
|
||||
}
|
@ -0,0 +1,43 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef __TREZORHAL_COMMON_H__
|
||||
#define __TREZORHAL_COMMON_H__
|
||||
|
||||
#include <stdint.h>
|
||||
#include "secbool.h"
|
||||
|
||||
#define XSTR(s) STR(s)
|
||||
#define STR(s) #s
|
||||
|
||||
#ifndef MIN
|
||||
#define MIN(a, b) (((a) < (b)) ? (a) : (b))
|
||||
#endif
|
||||
#ifndef MAX
|
||||
#define MAX(a, b) (((a) > (b)) ? (a) : (b))
|
||||
#endif
|
||||
|
||||
void __attribute__((noreturn)) __fatal_error(const char *expr, const char *msg, const char *file, int line, const char *func);
|
||||
void __attribute__((noreturn)) error_shutdown(const char *line1, const char *line2, const char *line3, const char *line4, const char *line5, const char *line6);
|
||||
|
||||
#define ensure(expr, msg) (((expr) == sectrue) ? (void)0 : __fatal_error(#expr, msg, __FILE__, __LINE__, __func__))
|
||||
|
||||
void hal_delay(uint32_t ms);
|
||||
|
||||
#endif
|
@ -0,0 +1,854 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (C) 2014 Pavol Rusnak <stick@satoshilabs.com>
|
||||
*
|
||||
* This library is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with this library. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <stdint.h>
|
||||
#include <libopencm3/stm32/flash.h>
|
||||
|
||||
#include "messages.pb.h"
|
||||
|
||||
#include "trezor.h"
|
||||
#include "sha2.h"
|
||||
#include "aes/aes.h"
|
||||
#include "pbkdf2.h"
|
||||
#include "hmac.h"
|
||||
#include "bip32.h"
|
||||
#include "bip39.h"
|
||||
#include "curves.h"
|
||||
#include "util.h"
|
||||
#include "memory.h"
|
||||
#include "rng.h"
|
||||
#include "config.h"
|
||||
#include "debug.h"
|
||||
#include "protect.h"
|
||||
#include "layout2.h"
|
||||
#include "usb.h"
|
||||
#include "gettext.h"
|
||||
#include "u2f.h"
|
||||
#include "memzero.h"
|
||||
#include "supervise.h"
|
||||
#include "storage.h"
|
||||
|
||||
/* Magic constant to check validity of storage block for storage versions 1 to 10. */
|
||||
static const uint32_t CONFIG_MAGIC_V10 = 0x726f7473; // 'stor' as uint32_t
|
||||
|
||||
#define APP 0x0100
|
||||
#define FLAG_PUBLIC 0x8000
|
||||
|
||||
static const uint16_t KEY_UUID = 0 | APP | FLAG_PUBLIC; // bytes(12)
|
||||
static const uint16_t KEY_VERSION = 1 | APP; // uint32
|
||||
static const uint16_t KEY_NODE = 2 | APP; // node
|
||||
static const uint16_t KEY_MNEMONIC = 3 | APP; // string(241)
|
||||
static const uint16_t KEY_PASSPHRASE_PROTECTION = 4 | APP; // bool
|
||||
static const uint16_t KEY_LANGUAGE = 5 | APP | FLAG_PUBLIC; // string(17)
|
||||
static const uint16_t KEY_LABEL = 6 | APP | FLAG_PUBLIC; // string(33)
|
||||
static const uint16_t KEY_IMPORTED = 7 | APP; // bool
|
||||
static const uint16_t KEY_HOMESCREEN = 8 | APP | FLAG_PUBLIC; // bytes(1024)
|
||||
static const uint16_t KEY_U2F_COUNTER = 9 | APP | FLAG_PUBLIC; // uint32
|
||||
static const uint16_t KEY_NEEDS_BACKUP = 10 | APP; // bool
|
||||
static const uint16_t KEY_FLAGS = 11 | APP; // uint32
|
||||
static const uint16_t KEY_U2F_ROOT = 12 | APP; // node
|
||||
static const uint16_t KEY_UNFINISHED_BACKUP = 13 | APP; // bool
|
||||
static const uint16_t KEY_AUTO_LOCK_DELAY_MS = 14 | APP; // uint32
|
||||
static const uint16_t KEY_NO_BACKUP = 15 | APP; // bool
|
||||
|
||||
// The PIN value corresponding to an empty PIN.
|
||||
static const uint32_t PIN_EMPTY = 1;
|
||||
|
||||
static uint32_t config_uuid[UUID_SIZE / sizeof(uint32_t)];
|
||||
_Static_assert(sizeof(config_uuid) == UUID_SIZE, "config_uuid has wrong size");
|
||||
|
||||
char config_uuid_str[2*UUID_SIZE + 1];
|
||||
|
||||
/*
|
||||
Old storage layout:
|
||||
|
||||
offset | type/length | description
|
||||
--------+--------------+-------------------------------
|
||||
0x0000 | 4 bytes | magic = 'stor'
|
||||
0x0004 | 12 bytes | uuid
|
||||
0x0010 | ? bytes | Storage structure
|
||||
--------+--------------+-------------------------------
|
||||
0x4000 | 4 kbytes | area for pin failures
|
||||
0x5000 | 256 bytes | area for u2f counter updates
|
||||
0x5100 | 11.75 kbytes | reserved
|
||||
|
||||
The area for pin failures looks like this:
|
||||
0 ... 0 pinfail 0xffffffff .. 0xffffffff
|
||||
The pinfail is a binary number of the form 1...10...0,
|
||||
the number of zeros is the number of pin failures.
|
||||
This layout is used because we can only clear bits without
|
||||
erasing the flash.
|
||||
|
||||
The area for u2f counter updates is just a sequence of zero-bits
|
||||
followed by a sequence of one-bits. The bits in a byte are numbered
|
||||
from LSB to MSB. The number of zero bits is the offset that should
|
||||
be added to the storage u2f_counter to get the real counter value.
|
||||
|
||||
*/
|
||||
|
||||
/* Current u2f offset, i.e. u2f counter is
|
||||
* storage.u2f_counter + config_u2f_offset.
|
||||
* This corresponds to the number of cleared bits in the U2FAREA.
|
||||
*/
|
||||
static bool sessionSeedCached, sessionSeedUsesPassphrase;
|
||||
|
||||
static uint8_t CONFIDENTIAL sessionSeed[64];
|
||||
|
||||
static bool sessionPassphraseCached = false;
|
||||
static char CONFIDENTIAL sessionPassphrase[51];
|
||||
|
||||
static const uint32_t CONFIG_VERSION = 10;
|
||||
|
||||
static const uint8_t FALSE_BYTE = '\x00';
|
||||
static const uint8_t TRUE_BYTE = '\x01';
|
||||
|
||||
static uint32_t pin_to_int(const char *pin)
|
||||
{
|
||||
uint32_t val = 1;
|
||||
size_t i = 0;
|
||||
for (i = 0; i < MAX_PIN_LEN && pin[i] != '\0'; ++i) {
|
||||
if (pin[i] < '0' || pin[i] > '9') {
|
||||
return 0;
|
||||
}
|
||||
val = 10*val + pin[i] - '0';
|
||||
}
|
||||
|
||||
if (pin[i] != '\0') {
|
||||
return 0;
|
||||
}
|
||||
|
||||
return val;
|
||||
}
|
||||
|
||||
static bool config_set_bool(uint16_t key, bool value)
|
||||
{
|
||||
if (value) {
|
||||
return (sectrue == storage_set(key, &TRUE_BYTE, sizeof(TRUE_BYTE)));
|
||||
} else {
|
||||
return (sectrue == storage_set(key, &FALSE_BYTE, sizeof(FALSE_BYTE)));
|
||||
}
|
||||
}
|
||||
|
||||
static bool config_get_bool(uint16_t key)
|
||||
{
|
||||
uint8_t value = 0;
|
||||
uint16_t len = 0;
|
||||
secbool ret = storage_get(key, &value, sizeof(value), &len);
|
||||
return (sectrue == ret && len == 1 && value == TRUE_BYTE);
|
||||
}
|
||||
|
||||
static bool config_has_key(uint16_t key)
|
||||
{
|
||||
uint16_t len = 0;
|
||||
return sectrue == storage_get(key, NULL, 0, &len);
|
||||
}
|
||||
|
||||
static bool config_get_string(uint16_t key, char *dest, uint16_t dest_size) {
|
||||
dest[0] = '\0';
|
||||
uint16_t len = 0;
|
||||
if (sectrue != storage_get(key, dest, dest_size - 1, &len)) {
|
||||
return false;
|
||||
}
|
||||
dest[len] = '\0';
|
||||
return true;
|
||||
}
|
||||
|
||||
static uint32_t config_get_uint32(uint16_t key) {
|
||||
uint32_t value = 0;
|
||||
uint16_t len = 0;
|
||||
if (sectrue != storage_get(key, &value, sizeof(value), &len) || len != sizeof(value)) {
|
||||
return 0;
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
void config_show_error(void)
|
||||
{
|
||||
layoutDialog(&bmp_icon_error, NULL, NULL, NULL, _("Storage failure"), _("detected."), NULL, _("Please unplug"), _("the device."), NULL);
|
||||
shutdown();
|
||||
}
|
||||
|
||||
static bool config_upgrade_v10(void)
|
||||
{
|
||||
#define OLD_STORAGE_SIZE(last_member) (((offsetof(Storage, last_member) + pb_membersize(Storage, last_member)) + 3) & ~3)
|
||||
|
||||
if (memcmp(FLASH_PTR(FLASH_STORAGE_START), &CONFIG_MAGIC_V10, sizeof(CONFIG_MAGIC_V10)) != 0) {
|
||||
// wrong magic
|
||||
return false;
|
||||
}
|
||||
|
||||
Storage config __attribute__((aligned(4)));
|
||||
_Static_assert((sizeof(config) & 3) == 0, "storage unaligned");
|
||||
|
||||
memcpy(config_uuid, FLASH_PTR(FLASH_STORAGE_START + sizeof(CONFIG_MAGIC_V10)), sizeof(config_uuid));
|
||||
memcpy(&config, FLASH_PTR(FLASH_STORAGE_START + sizeof(CONFIG_MAGIC_V10) + sizeof(config_uuid)), sizeof(config));
|
||||
|
||||
// version 1: since 1.0.0
|
||||
// version 2: since 1.2.1
|
||||
// version 3: since 1.3.1
|
||||
// version 4: since 1.3.2
|
||||
// version 5: since 1.3.3
|
||||
// version 6: since 1.3.6
|
||||
// version 7: since 1.5.1
|
||||
// version 8: since 1.5.2
|
||||
// version 9: since 1.6.1
|
||||
// version 10: since 1.7.2
|
||||
if (config.version > CONFIG_VERSION) {
|
||||
// downgrade -> clear storage
|
||||
config_wipe();
|
||||
return false;
|
||||
}
|
||||
|
||||
size_t old_config_size = 0;
|
||||
if (config.version == 0) {
|
||||
} else if (config.version <= 2) {
|
||||
old_config_size = OLD_STORAGE_SIZE(imported);
|
||||
} else if (config.version <= 5) {
|
||||
// added homescreen
|
||||
old_config_size = OLD_STORAGE_SIZE(homescreen);
|
||||
} else if (config.version <= 7) {
|
||||
// added u2fcounter
|
||||
old_config_size = OLD_STORAGE_SIZE(u2f_counter);
|
||||
} else if (config.version <= 8) {
|
||||
// added flags and needsBackup
|
||||
old_config_size = OLD_STORAGE_SIZE(flags);
|
||||
} else if (config.version <= 9) {
|
||||
// added u2froot, unfinished_backup and auto_lock_delay_ms
|
||||
old_config_size = OLD_STORAGE_SIZE(auto_lock_delay_ms);
|
||||
} else if (config.version <= 10) {
|
||||
// added no_backup
|
||||
old_config_size = OLD_STORAGE_SIZE(no_backup);
|
||||
}
|
||||
|
||||
// Erase newly added fields.
|
||||
if (old_config_size != sizeof(Storage)) {
|
||||
memzero(&config + old_config_size, sizeof(Storage) - old_config_size);
|
||||
}
|
||||
|
||||
const uint32_t FLASH_STORAGE_PINAREA = FLASH_META_START + 0x4000;
|
||||
uint32_t pin_wait = 0;
|
||||
if (config.version <= 5) {
|
||||
// Get PIN failure counter from version 5 format.
|
||||
uint32_t pinctr = config.has_pin_failed_attempts ? config.pin_failed_attempts : 0;
|
||||
if (pinctr > 31) {
|
||||
pinctr = 31;
|
||||
}
|
||||
|
||||
pin_wait = (1 << pinctr) - 1;
|
||||
} else {
|
||||
// Get PIN failure counter from version 10 format.
|
||||
uint32_t flash_pinfails = FLASH_STORAGE_PINAREA;
|
||||
while (*(const uint32_t*)FLASH_PTR(flash_pinfails) == 0) {
|
||||
flash_pinfails += sizeof(uint32_t);
|
||||
}
|
||||
pin_wait = ~*(const uint32_t*)FLASH_PTR(flash_pinfails);
|
||||
}
|
||||
|
||||
uint32_t u2f_offset = 0;
|
||||
if (config.has_u2f_counter) {
|
||||
const uint32_t FLASH_STORAGE_U2FAREA = FLASH_STORAGE_PINAREA + 0x1000;
|
||||
const uint32_t *u2fptr = (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA);
|
||||
while (*u2fptr == 0) {
|
||||
u2fptr++;
|
||||
}
|
||||
u2f_offset = 32 * (u2fptr - (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA));
|
||||
uint32_t u2fword = *u2fptr;
|
||||
while ((u2fword & 1) == 0) {
|
||||
u2f_offset++;
|
||||
u2fword >>= 1;
|
||||
}
|
||||
}
|
||||
|
||||
// TODO Add salt.
|
||||
storage_init(NULL, (const uint8_t*)"", 0);
|
||||
storage_unlock(PIN_EMPTY);
|
||||
if (config.has_pin) {
|
||||
storage_change_pin(PIN_EMPTY, pin_to_int(config.pin));
|
||||
}
|
||||
while (pin_wait != 0) {
|
||||
storage_pin_fails_increase();
|
||||
pin_wait >>= 1;
|
||||
}
|
||||
|
||||
storage_set(KEY_UUID, config_uuid, sizeof(config_uuid));
|
||||
storage_set(KEY_VERSION, &CONFIG_VERSION, sizeof(CONFIG_VERSION));
|
||||
if (config.has_node) {
|
||||
storage_set(KEY_NODE, &config.node, sizeof(config.node));
|
||||
}
|
||||
if (config.has_mnemonic) {
|
||||
config_setMnemonic(config.mnemonic);
|
||||
}
|
||||
if (config.has_passphrase_protection) {
|
||||
config_setPassphraseProtection(config.passphrase_protection);
|
||||
}
|
||||
if (config.has_language) {
|
||||
config_setLanguage(config.language);
|
||||
}
|
||||
if (config.has_label) {
|
||||
config_setLabel(config.label);
|
||||
}
|
||||
if (config.has_imported) {
|
||||
config_setImported(config.imported);
|
||||
}
|
||||
if (config.has_homescreen) {
|
||||
config_setHomescreen(config.homescreen.bytes, config.homescreen.size);
|
||||
}
|
||||
if (config.has_u2f_counter) {
|
||||
config_setU2FCounter(config.u2f_counter + u2f_offset);
|
||||
}
|
||||
if (config.has_needs_backup) {
|
||||
config_setNeedsBackup(config.needs_backup);
|
||||
}
|
||||
if (config.has_flags) {
|
||||
config_applyFlags(config.flags);
|
||||
}
|
||||
if (config.has_unfinished_backup) {
|
||||
config_setUnfinishedBackup(config.unfinished_backup);
|
||||
}
|
||||
if (config.has_auto_lock_delay_ms) {
|
||||
config_setAutoLockDelayMs(config.auto_lock_delay_ms);
|
||||
}
|
||||
if (config.has_no_backup && config.no_backup) {
|
||||
config_setNoBackup();
|
||||
}
|
||||
memzero(&config, sizeof(config));
|
||||
|
||||
session_clear(true);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
void config_init(void)
|
||||
{
|
||||
config_upgrade_v10();
|
||||
|
||||
// TODO Add salt.
|
||||
storage_init(&protectPinUiCallback, (const uint8_t*)"", 0);
|
||||
|
||||
uint16_t len = 0;
|
||||
if (sectrue == storage_get(KEY_UUID, config_uuid, sizeof(config_uuid), &len) && len == sizeof(config_uuid)) {
|
||||
data2hex(config_uuid, sizeof(config_uuid), config_uuid_str);
|
||||
} else {
|
||||
config_wipe();
|
||||
}
|
||||
}
|
||||
|
||||
void session_clear(bool lock)
|
||||
{
|
||||
sessionSeedCached = false;
|
||||
memzero(&sessionSeed, sizeof(sessionSeed));
|
||||
sessionPassphraseCached = false;
|
||||
memzero(&sessionPassphrase, sizeof(sessionPassphrase));
|
||||
if (lock) {
|
||||
storage_lock();
|
||||
}
|
||||
}
|
||||
|
||||
static void get_u2froot_callback(uint32_t iter, uint32_t total)
|
||||
{
|
||||
layoutProgress(_("Updating"), 1000 * iter / total);
|
||||
}
|
||||
|
||||
static void config_compute_u2froot(const char* mnemonic, StorageHDNode *u2froot) {
|
||||
static CONFIDENTIAL HDNode node;
|
||||
char oldTiny = usbTiny(1);
|
||||
mnemonic_to_seed(mnemonic, "", sessionSeed, get_u2froot_callback); // BIP-0039
|
||||
usbTiny(oldTiny);
|
||||
hdnode_from_seed(sessionSeed, 64, NIST256P1_NAME, &node);
|
||||
hdnode_private_ckd(&node, U2F_KEY_PATH);
|
||||
u2froot->depth = node.depth;
|
||||
u2froot->child_num = U2F_KEY_PATH;
|
||||
u2froot->chain_code.size = sizeof(node.chain_code);
|
||||
memcpy(u2froot->chain_code.bytes, node.chain_code, sizeof(node.chain_code));
|
||||
u2froot->has_private_key = true;
|
||||
u2froot->private_key.size = sizeof(node.private_key);
|
||||
memcpy(u2froot->private_key.bytes, node.private_key, sizeof(node.private_key));
|
||||
memzero(&node, sizeof(node));
|
||||
session_clear(false); // invalidate seed cache
|
||||
}
|
||||
|
||||
static void config_setNode(const HDNodeType *node) {
|
||||
StorageHDNode storageHDNode;
|
||||
memzero(&storageHDNode, sizeof(storageHDNode));
|
||||
|
||||
storageHDNode.depth = node->depth;
|
||||
storageHDNode.fingerprint = node->fingerprint;
|
||||
storageHDNode.child_num = node->child_num;
|
||||
storageHDNode.chain_code.size = 32;
|
||||
memcpy(storageHDNode.chain_code.bytes, node->chain_code.bytes, 32);
|
||||
|
||||
if (node->has_private_key) {
|
||||
storageHDNode.has_private_key = true;
|
||||
storageHDNode.private_key.size = 32;
|
||||
memcpy(storageHDNode.private_key.bytes, node->private_key.bytes, 32);
|
||||
}
|
||||
storage_set(KEY_NODE, &storageHDNode, sizeof(storageHDNode));
|
||||
}
|
||||
|
||||
#if DEBUG_LINK
|
||||
void config_dumpNode(HDNodeType *node)
|
||||
{
|
||||
memzero(node, sizeof(HDNodeType));
|
||||
|
||||
StorageHDNode storageNode;
|
||||
uint16_t len = 0;
|
||||
if (sectrue != storage_get(KEY_NODE, &storageNode, sizeof(storageNode), &len) || len != sizeof(StorageHDNode)) {
|
||||
return;
|
||||
}
|
||||
|
||||
node->depth = storageNode.depth;
|
||||
node->fingerprint = storageNode.fingerprint;
|
||||
node->child_num = storageNode.child_num;
|
||||
|
||||
node->chain_code.size = 32;
|
||||
memcpy(node->chain_code.bytes, storageNode.chain_code.bytes, 32);
|
||||
|
||||
if (storageNode.has_private_key) {
|
||||
node->has_private_key = true;
|
||||
node->private_key.size = 32;
|
||||
memcpy(node->private_key.bytes, storageNode.private_key.bytes, 32);
|
||||
}
|
||||
|
||||
memzero(&storageNode, sizeof(storageNode));
|
||||
}
|
||||
#endif
|
||||
|
||||
void config_loadDevice(const LoadDevice *msg)
|
||||
{
|
||||
session_clear(true);
|
||||
// TODO We can't set anything with the storage locked. Shouldn't we wipe?
|
||||
|
||||
config_set_bool(KEY_IMPORTED, true);
|
||||
config_setPassphraseProtection(msg->has_passphrase_protection && msg->passphrase_protection);
|
||||
|
||||
if (msg->has_pin) {
|
||||
config_changePin("", msg->pin);
|
||||
}
|
||||
|
||||
if (msg->has_node) {
|
||||
storage_delete(KEY_MNEMONIC);
|
||||
config_setNode(&(msg->node));
|
||||
} else if (msg->has_mnemonic) {
|
||||
storage_delete(KEY_NODE);
|
||||
config_setMnemonic(msg->mnemonic);
|
||||
}
|
||||
|
||||
if (msg->has_language) {
|
||||
config_setLanguage(msg->language);
|
||||
}
|
||||
|
||||
config_setLabel(msg->has_label ? msg->label : "");
|
||||
|
||||
if (msg->has_u2f_counter) {
|
||||
config_setU2FCounter(msg->u2f_counter);
|
||||
}
|
||||
}
|
||||
|
||||
void config_setLabel(const char *label)
|
||||
{
|
||||
if (label == NULL || label[0] == '\0') {
|
||||
storage_delete(KEY_LABEL);
|
||||
} else {
|
||||
storage_set(KEY_LABEL, label, strnlen(label, MAX_LABEL_LEN));
|
||||
}
|
||||
}
|
||||
|
||||
void config_setLanguage(const char *lang)
|
||||
{
|
||||
if (lang == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Sanity check.
|
||||
if (strcmp(lang, "english") != 0) {
|
||||
return;
|
||||
}
|
||||
storage_set(KEY_LABEL, lang, strnlen(lang, MAX_LANGUAGE_LEN));
|
||||
}
|
||||
|
||||
void config_setPassphraseProtection(bool passphrase_protection)
|
||||
{
|
||||
sessionSeedCached = false;
|
||||
sessionPassphraseCached = false;
|
||||
config_set_bool(KEY_PASSPHRASE_PROTECTION, passphrase_protection);
|
||||
}
|
||||
|
||||
bool config_hasPassphraseProtection(void)
|
||||
{
|
||||
return config_get_bool(KEY_PASSPHRASE_PROTECTION);
|
||||
}
|
||||
|
||||
void config_setHomescreen(const uint8_t *data, uint32_t size)
|
||||
{
|
||||
if (data != NULL && size == HOMESCREEN_SIZE) {
|
||||
storage_set(KEY_HOMESCREEN, data, size);
|
||||
} else {
|
||||
storage_delete(KEY_HOMESCREEN);
|
||||
}
|
||||
}
|
||||
|
||||
static void get_root_node_callback(uint32_t iter, uint32_t total)
|
||||
{
|
||||
usbSleep(1);
|
||||
layoutProgress(_("Waking up"), 1000 * iter / total);
|
||||
}
|
||||
|
||||
const uint8_t *config_getSeed(bool usePassphrase)
|
||||
{
|
||||
// root node is properly cached
|
||||
if (usePassphrase == sessionSeedUsesPassphrase
|
||||
&& sessionSeedCached) {
|
||||
return sessionSeed;
|
||||
}
|
||||
|
||||
// if storage has mnemonic, convert it to node and use it
|
||||
char mnemonic[MAX_MNEMONIC_LEN + 1];
|
||||
if (config_getMnemonic(mnemonic, sizeof(mnemonic))) {
|
||||
if (usePassphrase && !protectPassphrase()) {
|
||||
memzero(mnemonic, sizeof(mnemonic));
|
||||
return NULL;
|
||||
}
|
||||
// if storage was not imported (i.e. it was properly generated or recovered)
|
||||
if (!config_get_bool(KEY_IMPORTED)) {
|
||||
// test whether mnemonic is a valid BIP-0039 mnemonic
|
||||
if (!mnemonic_check(mnemonic)) {
|
||||
// and if not then halt the device
|
||||
config_show_error();
|
||||
}
|
||||
}
|
||||
char oldTiny = usbTiny(1);
|
||||
mnemonic_to_seed(mnemonic, usePassphrase ? sessionPassphrase : "", sessionSeed, get_root_node_callback); // BIP-0039
|
||||
memzero(mnemonic, sizeof(mnemonic));
|
||||
usbTiny(oldTiny);
|
||||
sessionSeedCached = true;
|
||||
sessionSeedUsesPassphrase = usePassphrase;
|
||||
return sessionSeed;
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static bool config_loadNode(const StorageHDNode *node, const char *curve, HDNode *out) {
|
||||
return hdnode_from_xprv(node->depth, node->child_num, node->chain_code.bytes, node->private_key.bytes, curve, out);
|
||||
}
|
||||
|
||||
bool config_getU2FRoot(HDNode *node)
|
||||
{
|
||||
StorageHDNode u2fNode;
|
||||
uint16_t len = 0;
|
||||
if (sectrue != storage_get(KEY_U2F_ROOT, &u2fNode, sizeof(u2fNode), &len) || len != sizeof(StorageHDNode)) {
|
||||
memzero(&u2fNode, sizeof(u2fNode));
|
||||
return false;
|
||||
}
|
||||
bool ret = config_loadNode(&u2fNode, NIST256P1_NAME, node);
|
||||
memzero(&u2fNode, sizeof(u2fNode));
|
||||
return ret;
|
||||
}
|
||||
|
||||
bool config_getRootNode(HDNode *node, const char *curve, bool usePassphrase)
|
||||
{
|
||||
// if storage has node, decrypt and use it
|
||||
StorageHDNode storageHDNode;
|
||||
uint16_t len = 0;
|
||||
if (strcmp(curve, SECP256K1_NAME) == 0 && sectrue == storage_get(KEY_NODE, &storageHDNode, sizeof(storageHDNode), &len) && len == sizeof(StorageHDNode)) {
|
||||
if (!protectPassphrase()) {
|
||||
memzero(&storageHDNode, sizeof(storageHDNode));
|
||||
return false;
|
||||
}
|
||||
if (!config_loadNode(&storageHDNode, curve, node)) {
|
||||
memzero(&storageHDNode, sizeof(storageHDNode));
|
||||
return false;
|
||||
}
|
||||
if (config_hasPassphraseProtection() && sessionPassphraseCached && sessionPassphrase[0] != '\0') {
|
||||
// decrypt hd node
|
||||
uint8_t secret[64];
|
||||
PBKDF2_HMAC_SHA512_CTX pctx;
|
||||
char oldTiny = usbTiny(1);
|
||||
pbkdf2_hmac_sha512_Init(&pctx, (const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), (const uint8_t *)"TREZORHD", 8, 1);
|
||||
get_root_node_callback(0, BIP39_PBKDF2_ROUNDS);
|
||||
for (int i = 0; i < 8; i++) {
|
||||
pbkdf2_hmac_sha512_Update(&pctx, BIP39_PBKDF2_ROUNDS / 8);
|
||||
get_root_node_callback((i + 1) * BIP39_PBKDF2_ROUNDS / 8, BIP39_PBKDF2_ROUNDS);
|
||||
}
|
||||
pbkdf2_hmac_sha512_Final(&pctx, secret);
|
||||
usbTiny(oldTiny);
|
||||
aes_decrypt_ctx ctx;
|
||||
aes_decrypt_key256(secret, &ctx);
|
||||
aes_cbc_decrypt(node->chain_code, node->chain_code, 32, secret + 32, &ctx);
|
||||
aes_cbc_decrypt(node->private_key, node->private_key, 32, secret + 32, &ctx);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
memzero(&storageHDNode, sizeof(storageHDNode));
|
||||
|
||||
const uint8_t *seed = config_getSeed(usePassphrase);
|
||||
if (seed == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return hdnode_from_seed(seed, 64, curve, node);
|
||||
}
|
||||
|
||||
bool config_getLabel(char *dest, uint16_t dest_size)
|
||||
{
|
||||
return config_get_string(KEY_LABEL, dest, dest_size);
|
||||
}
|
||||
|
||||
bool config_getLanguage(char *dest, uint16_t dest_size)
|
||||
{
|
||||
return config_get_string(KEY_LANGUAGE, dest, dest_size);
|
||||
}
|
||||
|
||||
bool config_getHomescreen(uint8_t *dest, uint16_t dest_size)
|
||||
{
|
||||
uint16_t len = 0;
|
||||
secbool ret = storage_get(KEY_HOMESCREEN, dest, dest_size, &len);
|
||||
if (sectrue != ret || len != HOMESCREEN_SIZE) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
void config_setMnemonic(const char *mnemonic)
|
||||
{
|
||||
if (mnemonic == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (sectrue != storage_set(KEY_MNEMONIC, mnemonic, strnlen(mnemonic, MAX_MNEMONIC_LEN))) {
|
||||
return;
|
||||
}
|
||||
|
||||
StorageHDNode u2fNode;
|
||||
memzero(&u2fNode, sizeof(u2fNode));
|
||||
config_compute_u2froot(mnemonic, &u2fNode);
|
||||
storage_set(KEY_U2F_ROOT, &u2fNode, sizeof(u2fNode));
|
||||
memzero(&u2fNode, sizeof(u2fNode));
|
||||
}
|
||||
|
||||
bool config_hasNode(void)
|
||||
{
|
||||
return config_has_key(KEY_NODE);
|
||||
}
|
||||
|
||||
bool config_hasMnemonic(void)
|
||||
{
|
||||
return config_has_key(KEY_MNEMONIC);
|
||||
}
|
||||
|
||||
bool config_getMnemonic(char *dest, uint16_t dest_size)
|
||||
{
|
||||
return config_get_string(KEY_MNEMONIC, dest, dest_size);
|
||||
}
|
||||
|
||||
/* Check whether mnemonic matches storage. The mnemonic must be
|
||||
* a null-terminated string.
|
||||
*/
|
||||
bool config_containsMnemonic(const char *mnemonic)
|
||||
{
|
||||
uint16_t len = 0;
|
||||
uint8_t stored_mnemonic[MAX_MNEMONIC_LEN + 1];
|
||||
if (sectrue != storage_get(KEY_MNEMONIC, stored_mnemonic, MAX_MNEMONIC_LEN, &len)) {
|
||||
return false;
|
||||
}
|
||||
stored_mnemonic[len] = '\0';
|
||||
|
||||
/* The execution time of the following code only depends on the
|
||||
* (public) input. This avoids timing attacks.
|
||||
*/
|
||||
char diff = 0;
|
||||
uint32_t i = 0;
|
||||
for (; mnemonic[i]; i++) {
|
||||
diff |= (stored_mnemonic[i] - mnemonic[i]);
|
||||
}
|
||||
diff |= stored_mnemonic[i];
|
||||
memzero(stored_mnemonic, sizeof(stored_mnemonic));
|
||||
return diff == 0;
|
||||
}
|
||||
|
||||
/* Check whether pin matches storage. The pin must be
|
||||
* a null-terminated string with at most 9 characters.
|
||||
*/
|
||||
bool config_containsPin(const char *pin)
|
||||
{
|
||||
return sectrue == storage_unlock(pin_to_int(pin));
|
||||
}
|
||||
|
||||
bool config_hasPin(void)
|
||||
{
|
||||
return storage_has_pin();
|
||||
}
|
||||
|
||||
bool config_changePin(const char *old_pin, const char *new_pin)
|
||||
{
|
||||
uint32_t new_pin_int = pin_to_int(new_pin);
|
||||
if (new_pin_int == 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (sectrue == storage_change_pin(pin_to_int(old_pin), new_pin_int)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
void session_cachePassphrase(const char *passphrase)
|
||||
{
|
||||
strlcpy(sessionPassphrase, passphrase, sizeof(sessionPassphrase));
|
||||
sessionPassphraseCached = true;
|
||||
}
|
||||
|
||||
bool session_isPassphraseCached(void)
|
||||
{
|
||||
return sessionPassphraseCached;
|
||||
}
|
||||
|
||||
bool session_getState(const uint8_t *salt, uint8_t *state, const char *passphrase)
|
||||
{
|
||||
if (!passphrase && !sessionPassphraseCached) {
|
||||
return false;
|
||||
} else {
|
||||
passphrase = sessionPassphrase;
|
||||
}
|
||||
if (!salt) {
|
||||
// if salt is not provided fill the first half of the state with random data
|
||||
random_buffer(state, 32);
|
||||
} else {
|
||||
// if salt is provided fill the first half of the state with salt
|
||||
memcpy(state, salt, 32);
|
||||
}
|
||||
// state[0:32] = salt
|
||||
// state[32:64] = HMAC(passphrase, salt || device_id)
|
||||
HMAC_SHA256_CTX ctx;
|
||||
hmac_sha256_Init(&ctx, (const uint8_t *)passphrase, strlen(passphrase));
|
||||
hmac_sha256_Update(&ctx, state, 32);
|
||||
hmac_sha256_Update(&ctx, (const uint8_t *)config_uuid, sizeof(config_uuid));
|
||||
hmac_sha256_Final(&ctx, state + 32);
|
||||
|
||||
memzero(&ctx, sizeof(ctx));
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool session_isPinCached(void)
|
||||
{
|
||||
return storage_is_unlocked();
|
||||
}
|
||||
|
||||
bool config_isInitialized(void)
|
||||
{
|
||||
return config_has_key(KEY_NODE) || config_has_key(KEY_MNEMONIC);
|
||||
}
|
||||
|
||||
bool config_isImported(void)
|
||||
{
|
||||
return config_get_bool(KEY_IMPORTED);
|
||||
}
|
||||
|
||||
void config_setImported(bool imported)
|
||||
{
|
||||
config_set_bool(KEY_IMPORTED, imported);
|
||||
}
|
||||
|
||||
bool config_needsBackup(void)
|
||||
{
|
||||
return config_get_bool(KEY_NEEDS_BACKUP);
|
||||
}
|
||||
|
||||
void config_setNeedsBackup(bool needs_backup)
|
||||
{
|
||||
config_set_bool(KEY_NEEDS_BACKUP, needs_backup);
|
||||
}
|
||||
|
||||
bool config_unfinishedBackup(void)
|
||||
{
|
||||
return config_get_bool(KEY_UNFINISHED_BACKUP);
|
||||
}
|
||||
|
||||
void config_setUnfinishedBackup(bool unfinished_backup)
|
||||
{
|
||||
config_set_bool(KEY_UNFINISHED_BACKUP, unfinished_backup);
|
||||
}
|
||||
|
||||
bool config_noBackup(void)
|
||||
{
|
||||
return config_get_bool(KEY_NO_BACKUP);
|
||||
}
|
||||
|
||||
void config_setNoBackup(void)
|
||||
{
|
||||
config_set_bool(KEY_NO_BACKUP, true);
|
||||
}
|
||||
|
||||
void config_applyFlags(uint32_t flags)
|
||||
{
|
||||
uint32_t old_flags = config_get_uint32(KEY_FLAGS);
|
||||
flags |= old_flags;
|
||||
if (flags == old_flags) {
|
||||
return; // no new flags
|
||||
}
|
||||
storage_set(KEY_FLAGS, &flags, sizeof(flags));
|
||||
}
|
||||
|
||||
uint32_t config_getFlags(void)
|
||||
{
|
||||
return config_get_uint32(KEY_FLAGS);
|
||||
}
|
||||
|
||||
uint32_t config_nextU2FCounter(void)
|
||||
{
|
||||
// TODO Implement efficient version.
|
||||
uint32_t counter = 0;
|
||||
uint16_t len = 0;
|
||||
storage_get(KEY_U2F_COUNTER, &counter, sizeof(counter), &len);
|
||||
counter++;
|
||||
storage_set(KEY_U2F_COUNTER, &counter, sizeof(counter));
|
||||
return counter;
|
||||
}
|
||||
|
||||
void config_setU2FCounter(uint32_t u2fcounter)
|
||||
{
|
||||
storage_set(KEY_U2F_COUNTER, &u2fcounter, sizeof(u2fcounter));
|
||||
}
|
||||
|
||||
uint32_t config_getAutoLockDelayMs()
|
||||
{
|
||||
const uint32_t default_delay_ms = 10 * 60 * 1000U; // 10 minutes
|
||||
uint32_t delay_ms = config_get_uint32(KEY_AUTO_LOCK_DELAY_MS);
|
||||
return (delay_ms != 0) ? delay_ms : default_delay_ms;
|
||||
}
|
||||
|
||||
void config_setAutoLockDelayMs(uint32_t auto_lock_delay_ms)
|
||||
{
|
||||
const uint32_t min_delay_ms = 10 * 1000U; // 10 seconds
|
||||
auto_lock_delay_ms = MAX(auto_lock_delay_ms, min_delay_ms);
|
||||
storage_set(KEY_AUTO_LOCK_DELAY_MS, &auto_lock_delay_ms, sizeof(auto_lock_delay_ms));
|
||||
}
|
||||
|
||||
void config_wipe(void)
|
||||
{
|
||||
storage_wipe();
|
||||
storage_unlock(PIN_EMPTY);
|
||||
random_buffer((uint8_t *)config_uuid, sizeof(config_uuid));
|
||||
data2hex(config_uuid, sizeof(config_uuid), config_uuid_str);
|
||||
storage_set(KEY_UUID, config_uuid, sizeof(config_uuid));
|
||||
storage_set(KEY_VERSION, &CONFIG_VERSION, sizeof(CONFIG_VERSION));
|
||||
session_clear(true);
|
||||
}
|
@ -1,936 +0,0 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (C) 2014 Pavol Rusnak <stick@satoshilabs.com>
|
||||
*
|
||||
* This library is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with this library. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <stdint.h>
|
||||
|
||||
#include <libopencm3/stm32/flash.h>
|
||||
|
||||
#include "messages.pb.h"
|
||||
|
||||
#include "trezor.h"
|
||||
#include "sha2.h"
|
||||
#include "aes/aes.h"
|
||||
#include "pbkdf2.h"
|
||||
#include "hmac.h"
|
||||
#include "bip32.h"
|
||||
#include "bip39.h"
|
||||
#include "curves.h"
|
||||
#include "util.h"
|
||||
#include "memory.h"
|
||||
#include "rng.h"
|
||||
#include "storage.h"
|
||||
#include "debug.h"
|
||||
#include "protect.h"
|
||||
#include "layout2.h"
|
||||
#include "usb.h"
|
||||
#include "gettext.h"
|
||||
#include "u2f.h"
|
||||
#include "memzero.h"
|
||||
#include "supervise.h"
|
||||
|
||||
/* magic constant to check validity of storage block */
|
||||
static const uint32_t storage_magic = 0x726f7473; // 'stor' as uint32_t
|
||||
|
||||
static uint32_t storage_uuid[12 / sizeof(uint32_t)];
|
||||
_Static_assert(sizeof(storage_uuid) == 12, "storage_uuid has wrong size");
|
||||
|
||||
Storage CONFIDENTIAL storageUpdate __attribute__((aligned(4)));
|
||||
_Static_assert((sizeof(storageUpdate) & 3) == 0, "storage unaligned");
|
||||
|
||||
#define FLASH_STORAGE (FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid))
|
||||
#define storageRom ((const Storage *) FLASH_PTR(FLASH_STORAGE))
|
||||
|
||||
char storage_uuid_str[25];
|
||||
|
||||
/*
|
||||
storage layout:
|
||||
|
||||
offset | type/length | description
|
||||
--------+--------------+-------------------------------
|
||||
0x0000 | 4 bytes | magic = 'stor'
|
||||
0x0004 | 12 bytes | uuid
|
||||
0x0010 | ? bytes | Storage structure
|
||||
--------+--------------+-------------------------------
|
||||
0x4000 | 4 kbytes | area for pin failures
|
||||
0x5000 | 256 bytes | area for u2f counter updates
|
||||
0x5100 | 11.75 kbytes | reserved
|
||||
|
||||
The area for pin failures looks like this:
|
||||
0 ... 0 pinfail 0xffffffff .. 0xffffffff
|
||||
The pinfail is a binary number of the form 1...10...0,
|
||||
the number of zeros is the number of pin failures.
|
||||
This layout is used because we can only clear bits without
|
||||
erasing the flash.
|
||||
|
||||
The area for u2f counter updates is just a sequence of zero-bits
|
||||
followed by a sequence of one-bits. The bits in a byte are numbered
|
||||
from LSB to MSB. The number of zero bits is the offset that should
|
||||
be added to the storage u2f_counter to get the real counter value.
|
||||
|
||||
*/
|
||||
|
||||
#define FLASH_STORAGE_PINAREA (FLASH_META_START + 0x4000)
|
||||
#define FLASH_STORAGE_PINAREA_LEN (0x1000)
|
||||
#define FLASH_STORAGE_U2FAREA (FLASH_STORAGE_PINAREA + FLASH_STORAGE_PINAREA_LEN)
|
||||
#define FLASH_STORAGE_U2FAREA_LEN (0x100)
|
||||
#define FLASH_STORAGE_REALLEN (sizeof(storage_magic) + sizeof(storage_uuid) + sizeof(Storage))
|
||||
|
||||
#if !EMULATOR
|
||||
// TODO: Fix this for emulator
|
||||
_Static_assert(FLASH_STORAGE_START + FLASH_STORAGE_REALLEN <= FLASH_STORAGE_PINAREA, "Storage struct is too large for TREZOR flash");
|
||||
#endif
|
||||
|
||||
/* Current u2f offset, i.e. u2f counter is
|
||||
* storage.u2f_counter + storage_u2f_offset.
|
||||
* This corresponds to the number of cleared bits in the U2FAREA.
|
||||
*/
|
||||
static uint32_t storage_u2f_offset;
|
||||
|
||||
static bool sessionSeedCached, sessionSeedUsesPassphrase;
|
||||
|
||||
static uint8_t CONFIDENTIAL sessionSeed[64];
|
||||
|
||||
static bool sessionPinCached = false;
|
||||
|
||||
static bool sessionPassphraseCached = false;
|
||||
static char CONFIDENTIAL sessionPassphrase[51];
|
||||
|
||||
#define STORAGE_VERSION 10
|
||||
|
||||
void storage_show_error(void)
|
||||
{
|
||||
layoutDialog(&bmp_icon_error, NULL, NULL, NULL, _("Storage failure"), _("detected."), NULL, _("Please unplug"), _("the device."), NULL);
|
||||
shutdown();
|
||||
}
|
||||
|
||||
void storage_check_flash_errors(uint32_t status)
|
||||
{
|
||||
// flash operation failed
|
||||
if (status & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
|
||||
storage_show_error();
|
||||
}
|
||||
}
|
||||
|
||||
bool storage_from_flash(void)
|
||||
{
|
||||
storage_clear_update();
|
||||
if (memcmp(FLASH_PTR(FLASH_STORAGE_START), &storage_magic, sizeof(storage_magic)) != 0) {
|
||||
// wrong magic
|
||||
return false;
|
||||
}
|
||||
|
||||
const uint32_t version = storageRom->version;
|
||||
// version 1: since 1.0.0
|
||||
// version 2: since 1.2.1
|
||||
// version 3: since 1.3.1
|
||||
// version 4: since 1.3.2
|
||||
// version 5: since 1.3.3
|
||||
// version 6: since 1.3.6
|
||||
// version 7: since 1.5.1
|
||||
// version 8: since 1.5.2
|
||||
// version 9: since 1.6.1
|
||||
// version 10: since 1.7.2
|
||||
if (version > STORAGE_VERSION) {
|
||||
// downgrade -> clear storage
|
||||
return false;
|
||||
}
|
||||
|
||||
// load uuid
|
||||
memcpy(storage_uuid, FLASH_PTR(FLASH_STORAGE_START + sizeof(storage_magic)), sizeof(storage_uuid));
|
||||
data2hex(storage_uuid, sizeof(storage_uuid), storage_uuid_str);
|
||||
|
||||
#define OLD_STORAGE_SIZE(last_member) (((offsetof(Storage, last_member) + pb_membersize(Storage, last_member)) + 3) & ~3)
|
||||
|
||||
// copy storage
|
||||
size_t old_storage_size = 0;
|
||||
|
||||
if (version == 0) {
|
||||
} else if (version <= 2) {
|
||||
old_storage_size = OLD_STORAGE_SIZE(imported);
|
||||
} else if (version <= 5) {
|
||||
// added homescreen
|
||||
old_storage_size = OLD_STORAGE_SIZE(homescreen);
|
||||
} else if (version <= 7) {
|
||||
// added u2fcounter
|
||||
old_storage_size = OLD_STORAGE_SIZE(u2f_counter);
|
||||
} else if (version <= 8) {
|
||||
// added flags and needsBackup
|
||||
old_storage_size = OLD_STORAGE_SIZE(flags);
|
||||
} else if (version <= 9) {
|
||||
// added u2froot, unfinished_backup and auto_lock_delay_ms
|
||||
old_storage_size = OLD_STORAGE_SIZE(auto_lock_delay_ms);
|
||||
} else if (version <= 10) {
|
||||
// added no_backup
|
||||
old_storage_size = OLD_STORAGE_SIZE(no_backup);
|
||||
}
|
||||
|
||||
// erase newly added fields
|
||||
if (old_storage_size != sizeof(Storage)) {
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
for (uint32_t offset = old_storage_size; offset < sizeof(Storage); offset += sizeof(uint32_t)) {
|
||||
flash_write32(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
|
||||
}
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
|
||||
if (version <= 5) {
|
||||
// convert PIN failure counter from version 5 format
|
||||
uint32_t pinctr = storageRom->has_pin_failed_attempts ? storageRom->pin_failed_attempts : 0;
|
||||
if (pinctr > 31) {
|
||||
pinctr = 31;
|
||||
}
|
||||
svc_flash_unlock();
|
||||
// erase extra storage sector
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
|
||||
// storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
|
||||
// are erased by storage_update below
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
const uint32_t *u2fptr = (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA);
|
||||
while (*u2fptr == 0) {
|
||||
u2fptr++;
|
||||
}
|
||||
storage_u2f_offset = 32 * (u2fptr - (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA));
|
||||
uint32_t u2fword = *u2fptr;
|
||||
while ((u2fword & 1) == 0) {
|
||||
storage_u2f_offset++;
|
||||
u2fword >>= 1;
|
||||
}
|
||||
// force recomputing u2f root for storage version < 9.
|
||||
// this is done by re-setting the mnemonic, which triggers the computation
|
||||
if (version < 9) {
|
||||
storageUpdate.has_mnemonic = storageRom->has_mnemonic;
|
||||
strlcpy(storageUpdate.mnemonic, storageRom->mnemonic, sizeof(storageUpdate.mnemonic));
|
||||
}
|
||||
// update storage version on flash
|
||||
if (version != STORAGE_VERSION) {
|
||||
storage_update();
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
void storage_init(void)
|
||||
{
|
||||
if (!storage_from_flash()) {
|
||||
storage_wipe();
|
||||
}
|
||||
}
|
||||
|
||||
void storage_generate_uuid(void)
|
||||
{
|
||||
// set random uuid
|
||||
random_buffer((uint8_t *)storage_uuid, sizeof(storage_uuid));
|
||||
data2hex(storage_uuid, sizeof(storage_uuid), storage_uuid_str);
|
||||
}
|
||||
|
||||
void session_clear(bool clear_pin)
|
||||
{
|
||||
sessionSeedCached = false;
|
||||
memzero(&sessionSeed, sizeof(sessionSeed));
|
||||
sessionPassphraseCached = false;
|
||||
memzero(&sessionPassphrase, sizeof(sessionPassphrase));
|
||||
if (clear_pin) {
|
||||
session_uncachePin();
|
||||
}
|
||||
}
|
||||
|
||||
static uint32_t storage_flash_words(uint32_t addr, const uint32_t *src, int nwords) {
|
||||
for (int i = 0; i < nwords; i++) {
|
||||
flash_write32(addr, *src++);
|
||||
addr += sizeof(uint32_t);
|
||||
}
|
||||
return addr;
|
||||
}
|
||||
|
||||
static void get_u2froot_callback(uint32_t iter, uint32_t total)
|
||||
{
|
||||
layoutProgress(_("Updating"), 1000 * iter / total);
|
||||
}
|
||||
|
||||
static void storage_compute_u2froot(const char* mnemonic, StorageHDNode *u2froot) {
|
||||
static CONFIDENTIAL HDNode node;
|
||||
char oldTiny = usbTiny(1);
|
||||
mnemonic_to_seed(mnemonic, "", sessionSeed, get_u2froot_callback); // BIP-0039
|
||||
usbTiny(oldTiny);
|
||||
hdnode_from_seed(sessionSeed, 64, NIST256P1_NAME, &node);
|
||||
hdnode_private_ckd(&node, U2F_KEY_PATH);
|
||||
u2froot->depth = node.depth;
|
||||
u2froot->child_num = U2F_KEY_PATH;
|
||||
u2froot->chain_code.size = sizeof(node.chain_code);
|
||||
memcpy(u2froot->chain_code.bytes, node.chain_code, sizeof(node.chain_code));
|
||||
u2froot->has_private_key = true;
|
||||
u2froot->private_key.size = sizeof(node.private_key);
|
||||
memcpy(u2froot->private_key.bytes, node.private_key, sizeof(node.private_key));
|
||||
memzero(&node, sizeof(node));
|
||||
session_clear(false); // invalidate seed cache
|
||||
}
|
||||
|
||||
// if storage is filled in - update fields that has has_field set to true
|
||||
// if storage is NULL - do not backup original content - essentialy a wipe
|
||||
static void storage_commit_locked(bool update)
|
||||
{
|
||||
if (update) {
|
||||
if (storageUpdate.has_passphrase_protection) {
|
||||
sessionSeedCached = false;
|
||||
sessionPassphraseCached = false;
|
||||
}
|
||||
|
||||
storageUpdate.version = STORAGE_VERSION;
|
||||
if (!storageUpdate.has_node && !storageUpdate.has_mnemonic) {
|
||||
storageUpdate.has_node = storageRom->has_node;
|
||||
memcpy(&storageUpdate.node, &storageRom->node, sizeof(StorageHDNode));
|
||||
storageUpdate.has_mnemonic = storageRom->has_mnemonic;
|
||||
strlcpy(storageUpdate.mnemonic, storageRom->mnemonic, sizeof(storageUpdate.mnemonic));
|
||||
storageUpdate.has_u2froot = storageRom->has_u2froot;
|
||||
memcpy(&storageUpdate.u2froot, &storageRom->u2froot, sizeof(StorageHDNode));
|
||||
} else if (storageUpdate.has_mnemonic) {
|
||||
storageUpdate.has_u2froot = true;
|
||||
storage_compute_u2froot(storageUpdate.mnemonic, &storageUpdate.u2froot);
|
||||
}
|
||||
if (!storageUpdate.has_passphrase_protection) {
|
||||
storageUpdate.has_passphrase_protection = storageRom->has_passphrase_protection;
|
||||
storageUpdate.passphrase_protection = storageRom->passphrase_protection;
|
||||
}
|
||||
if (!storageUpdate.has_pin) {
|
||||
storageUpdate.has_pin = storageRom->has_pin;
|
||||
strlcpy(storageUpdate.pin, storageRom->pin, sizeof(storageUpdate.pin));
|
||||
} else if (!storageUpdate.pin[0]) {
|
||||
storageUpdate.has_pin = false;
|
||||
}
|
||||
if (!storageUpdate.has_language) {
|
||||
storageUpdate.has_language = storageRom->has_language;
|
||||
strlcpy(storageUpdate.language, storageRom->language, sizeof(storageUpdate.language));
|
||||
}
|
||||
if (!storageUpdate.has_label) {
|
||||
storageUpdate.has_label = storageRom->has_label;
|
||||
strlcpy(storageUpdate.label, storageRom->label, sizeof(storageUpdate.label));
|
||||
} else if (!storageUpdate.label[0]) {
|
||||
storageUpdate.has_label = false;
|
||||
}
|
||||
if (!storageUpdate.has_imported) {
|
||||
storageUpdate.has_imported = storageRom->has_imported;
|
||||
storageUpdate.imported = storageRom->imported;
|
||||
}
|
||||
if (!storageUpdate.has_homescreen) {
|
||||
storageUpdate.has_homescreen = storageRom->has_homescreen;
|
||||
memcpy(&storageUpdate.homescreen, &storageRom->homescreen, sizeof(storageUpdate.homescreen));
|
||||
} else if (storageUpdate.homescreen.size == 0) {
|
||||
storageUpdate.has_homescreen = false;
|
||||
}
|
||||
if (!storageUpdate.has_u2f_counter) {
|
||||
storageUpdate.has_u2f_counter = storageRom->has_u2f_counter;
|
||||
storageUpdate.u2f_counter = storageRom->u2f_counter;
|
||||
}
|
||||
if (!storageUpdate.has_needs_backup) {
|
||||
storageUpdate.has_needs_backup = storageRom->has_needs_backup;
|
||||
storageUpdate.needs_backup = storageRom->needs_backup;
|
||||
}
|
||||
if (!storageUpdate.has_unfinished_backup) {
|
||||
storageUpdate.has_unfinished_backup = storageRom->has_unfinished_backup;
|
||||
storageUpdate.unfinished_backup = storageRom->unfinished_backup;
|
||||
}
|
||||
if (!storageUpdate.has_no_backup) {
|
||||
storageUpdate.has_no_backup = storageRom->has_no_backup;
|
||||
storageUpdate.no_backup = storageRom->no_backup;
|
||||
}
|
||||
if (!storageUpdate.has_flags) {
|
||||
storageUpdate.has_flags = storageRom->has_flags;
|
||||
storageUpdate.flags = storageRom->flags;
|
||||
}
|
||||
}
|
||||
|
||||
// backup meta
|
||||
uint32_t meta_backup[FLASH_META_DESC_LEN / sizeof(uint32_t)];
|
||||
memcpy(meta_backup, FLASH_PTR(FLASH_META_START), FLASH_META_DESC_LEN);
|
||||
|
||||
// erase storage
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_FIRST);
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
|
||||
// copy meta back
|
||||
uint32_t flash = FLASH_META_START;
|
||||
flash = storage_flash_words(flash, meta_backup, FLASH_META_DESC_LEN / sizeof(uint32_t));
|
||||
|
||||
// copy storage
|
||||
flash = storage_flash_words(flash, &storage_magic, sizeof(storage_magic) / sizeof(uint32_t));
|
||||
flash = storage_flash_words(flash, storage_uuid, sizeof(storage_uuid) / sizeof(uint32_t));
|
||||
|
||||
if (update) {
|
||||
flash = storage_flash_words(flash, (const uint32_t *)&storageUpdate, sizeof(storageUpdate) / sizeof(uint32_t));
|
||||
}
|
||||
storage_clear_update();
|
||||
|
||||
// fill remainder with zero for future extensions
|
||||
while (flash < FLASH_STORAGE_PINAREA) {
|
||||
flash_write32(flash, 0);
|
||||
flash += sizeof(uint32_t);
|
||||
}
|
||||
}
|
||||
|
||||
void storage_clear_update(void)
|
||||
{
|
||||
memzero(&storageUpdate, sizeof(storageUpdate));
|
||||
}
|
||||
|
||||
void storage_update(void)
|
||||
{
|
||||
svc_flash_unlock();
|
||||
storage_commit_locked(true);
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
|
||||
static void storage_setNode(const HDNodeType *node) {
|
||||
storageUpdate.node.depth = node->depth;
|
||||
storageUpdate.node.fingerprint = node->fingerprint;
|
||||
storageUpdate.node.child_num = node->child_num;
|
||||
|
||||
storageUpdate.node.chain_code.size = 32;
|
||||
memcpy(storageUpdate.node.chain_code.bytes, node->chain_code.bytes, 32);
|
||||
|
||||
if (node->has_private_key) {
|
||||
storageUpdate.node.has_private_key = true;
|
||||
storageUpdate.node.private_key.size = 32;
|
||||
memcpy(storageUpdate.node.private_key.bytes, node->private_key.bytes, 32);
|
||||
}
|
||||
}
|
||||
|
||||
#if DEBUG_LINK
|
||||
void storage_dumpNode(HDNodeType *node) {
|
||||
node->depth = storageRom->node.depth;
|
||||
node->fingerprint = storageRom->node.fingerprint;
|
||||
node->child_num = storageRom->node.child_num;
|
||||
|
||||
node->chain_code.size = 32;
|
||||
memcpy(node->chain_code.bytes, storageRom->node.chain_code.bytes, 32);
|
||||
|
||||
if (storageRom->node.has_private_key) {
|
||||
node->has_private_key = true;
|
||||
node->private_key.size = 32;
|
||||
memcpy(node->private_key.bytes, storageRom->node.private_key.bytes, 32);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
void storage_loadDevice(const LoadDevice *msg)
|
||||
{
|
||||
session_clear(true);
|
||||
|
||||
storageUpdate.has_imported = true;
|
||||
storageUpdate.imported = true;
|
||||
|
||||
storage_setPin(msg->has_pin ? msg->pin : "");
|
||||
storage_setPassphraseProtection(msg->has_passphrase_protection && msg->passphrase_protection);
|
||||
|
||||
if (msg->has_node) {
|
||||
storageUpdate.has_node = true;
|
||||
storageUpdate.has_mnemonic = false;
|
||||
storage_setNode(&(msg->node));
|
||||
sessionSeedCached = false;
|
||||
memzero(&sessionSeed, sizeof(sessionSeed));
|
||||
} else if (msg->has_mnemonic) {
|
||||
storageUpdate.has_mnemonic = true;
|
||||
storageUpdate.has_node = false;
|
||||
strlcpy(storageUpdate.mnemonic, msg->mnemonic, sizeof(storageUpdate.mnemonic));
|
||||
sessionSeedCached = false;
|
||||
memzero(&sessionSeed, sizeof(sessionSeed));
|
||||
}
|
||||
|
||||
if (msg->has_language) {
|
||||
storageUpdate.has_language = true;
|
||||
strlcpy(storageUpdate.language, msg->language, sizeof(storageUpdate.language));
|
||||
}
|
||||
|
||||
storage_setLabel(msg->has_label ? msg->label : "");
|
||||
|
||||
if (msg->has_u2f_counter) {
|
||||
storageUpdate.has_u2f_counter = true;
|
||||
storageUpdate.u2f_counter = msg->u2f_counter - storage_u2f_offset;
|
||||
}
|
||||
|
||||
storage_update();
|
||||
}
|
||||
|
||||
void storage_setLabel(const char *label)
|
||||
{
|
||||
storageUpdate.has_label = true;
|
||||
if (!label) return;
|
||||
strlcpy(storageUpdate.label, label, sizeof(storageUpdate.label));
|
||||
}
|
||||
|
||||
void storage_setLanguage(const char *lang)
|
||||
{
|
||||
if (!lang) return;
|
||||
// sanity check
|
||||
if (strcmp(lang, "english") == 0) {
|
||||
storageUpdate.has_language = true;
|
||||
strlcpy(storageUpdate.language, lang, sizeof(storageUpdate.language));
|
||||
}
|
||||
}
|
||||
|
||||
void storage_setPassphraseProtection(bool passphrase_protection)
|
||||
{
|
||||
sessionSeedCached = false;
|
||||
sessionPassphraseCached = false;
|
||||
|
||||
storageUpdate.has_passphrase_protection = true;
|
||||
storageUpdate.passphrase_protection = passphrase_protection;
|
||||
}
|
||||
|
||||
bool storage_hasPassphraseProtection(void)
|
||||
{
|
||||
return storageRom->has_passphrase_protection && storageRom->passphrase_protection;
|
||||
}
|
||||
|
||||
void storage_setHomescreen(const uint8_t *data, uint32_t size)
|
||||
{
|
||||
storageUpdate.has_homescreen = true;
|
||||
if (data && size == 1024) {
|
||||
memcpy(storageUpdate.homescreen.bytes, data, size);
|
||||
storageUpdate.homescreen.size = size;
|
||||
} else {
|
||||
memzero(storageUpdate.homescreen.bytes, sizeof(storageUpdate.homescreen.bytes));
|
||||
storageUpdate.homescreen.size = 0;
|
||||
}
|
||||
}
|
||||
|
||||
static void get_root_node_callback(uint32_t iter, uint32_t total)
|
||||
{
|
||||
usbSleep(1);
|
||||
layoutProgress(_("Waking up"), 1000 * iter / total);
|
||||
}
|
||||
|
||||
const uint8_t *storage_getSeed(bool usePassphrase)
|
||||
{
|
||||
// root node is properly cached
|
||||
if (usePassphrase == sessionSeedUsesPassphrase
|
||||
&& sessionSeedCached) {
|
||||
return sessionSeed;
|
||||
}
|
||||
|
||||
// if storage has mnemonic, convert it to node and use it
|
||||
if (storageRom->has_mnemonic) {
|
||||
if (usePassphrase && !protectPassphrase()) {
|
||||
return NULL;
|
||||
}
|
||||
// if storage was not imported (i.e. it was properly generated or recovered)
|
||||
if (!storageRom->has_imported || !storageRom->imported) {
|
||||
// test whether mnemonic is a valid BIP-0039 mnemonic
|
||||
if (!mnemonic_check(storageRom->mnemonic)) {
|
||||
// and if not then halt the device
|
||||
storage_show_error();
|
||||
}
|
||||
}
|
||||
char oldTiny = usbTiny(1);
|
||||
mnemonic_to_seed(storageRom->mnemonic, usePassphrase ? sessionPassphrase : "", sessionSeed, get_root_node_callback); // BIP-0039
|
||||
usbTiny(oldTiny);
|
||||
sessionSeedCached = true;
|
||||
sessionSeedUsesPassphrase = usePassphrase;
|
||||
return sessionSeed;
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static bool storage_loadNode(const StorageHDNode *node, const char *curve, HDNode *out) {
|
||||
return hdnode_from_xprv(node->depth, node->child_num, node->chain_code.bytes, node->private_key.bytes, curve, out);
|
||||
}
|
||||
|
||||
bool storage_getU2FRoot(HDNode *node)
|
||||
{
|
||||
return storageRom->has_u2froot && storage_loadNode(&storageRom->u2froot, NIST256P1_NAME, node);
|
||||
}
|
||||
|
||||
bool storage_getRootNode(HDNode *node, const char *curve, bool usePassphrase)
|
||||
{
|
||||
// if storage has node, decrypt and use it
|
||||
if (storageRom->has_node && strcmp(curve, SECP256K1_NAME) == 0) {
|
||||
if (!protectPassphrase()) {
|
||||
return false;
|
||||
}
|
||||
if (!storage_loadNode(&storageRom->node, curve, node)) {
|
||||
return false;
|
||||
}
|
||||
if (storageRom->has_passphrase_protection && storageRom->passphrase_protection && sessionPassphraseCached && strlen(sessionPassphrase) > 0) {
|
||||
// decrypt hd node
|
||||
uint8_t secret[64];
|
||||
PBKDF2_HMAC_SHA512_CTX pctx;
|
||||
char oldTiny = usbTiny(1);
|
||||
pbkdf2_hmac_sha512_Init(&pctx, (const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), (const uint8_t *)"TREZORHD", 8, 1);
|
||||
get_root_node_callback(0, BIP39_PBKDF2_ROUNDS);
|
||||
for (int i = 0; i < 8; i++) {
|
||||
pbkdf2_hmac_sha512_Update(&pctx, BIP39_PBKDF2_ROUNDS / 8);
|
||||
get_root_node_callback((i + 1) * BIP39_PBKDF2_ROUNDS / 8, BIP39_PBKDF2_ROUNDS);
|
||||
}
|
||||
pbkdf2_hmac_sha512_Final(&pctx, secret);
|
||||
usbTiny(oldTiny);
|
||||
aes_decrypt_ctx ctx;
|
||||
aes_decrypt_key256(secret, &ctx);
|
||||
aes_cbc_decrypt(node->chain_code, node->chain_code, 32, secret + 32, &ctx);
|
||||
aes_cbc_decrypt(node->private_key, node->private_key, 32, secret + 32, &ctx);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
const uint8_t *seed = storage_getSeed(usePassphrase);
|
||||
if (seed == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return hdnode_from_seed(seed, 64, curve, node);
|
||||
}
|
||||
|
||||
const char *storage_getLabel(void)
|
||||
{
|
||||
return storageRom->has_label ? storageRom->label : 0;
|
||||
}
|
||||
|
||||
const char *storage_getLanguage(void)
|
||||
{
|
||||
return storageRom->has_language ? storageRom->language : 0;
|
||||
}
|
||||
|
||||
const uint8_t *storage_getHomescreen(void)
|
||||
{
|
||||
return (storageRom->has_homescreen && storageRom->homescreen.size == 1024) ? storageRom->homescreen.bytes : 0;
|
||||
}
|
||||
|
||||
void storage_setMnemonic(const char *mnemonic)
|
||||
{
|
||||
storageUpdate.has_mnemonic = true;
|
||||
strlcpy(storageUpdate.mnemonic, mnemonic, sizeof(storageUpdate.mnemonic));
|
||||
}
|
||||
|
||||
bool storage_hasNode(void)
|
||||
{
|
||||
return storageRom->has_node;
|
||||
}
|
||||
|
||||
bool storage_hasMnemonic(void)
|
||||
{
|
||||
return storageRom->has_mnemonic;
|
||||
}
|
||||
|
||||
const char *storage_getMnemonic(void)
|
||||
{
|
||||
return storageUpdate.has_mnemonic ? storageUpdate.mnemonic
|
||||
: storageRom->has_mnemonic ? storageRom->mnemonic : 0;
|
||||
}
|
||||
|
||||
/* Check whether mnemonic matches storage. The mnemonic must be
|
||||
* a null-terminated string.
|
||||
*/
|
||||
bool storage_containsMnemonic(const char *mnemonic) {
|
||||
/* The execution time of the following code only depends on the
|
||||
* (public) input. This avoids timing attacks.
|
||||
*/
|
||||
char diff = 0;
|
||||
uint32_t i = 0;
|
||||
for (; mnemonic[i]; i++) {
|
||||
diff |= (storageRom->mnemonic[i] - mnemonic[i]);
|
||||
}
|
||||
diff |= storageRom->mnemonic[i];
|
||||
return diff == 0;
|
||||
}
|
||||
|
||||
/* Check whether pin matches storage. The pin must be
|
||||
* a null-terminated string with at most 9 characters.
|
||||
*/
|
||||
bool storage_containsPin(const char *pin)
|
||||
{
|
||||
/* The execution time of the following code only depends on the
|
||||
* (public) input. This avoids timing attacks.
|
||||
*/
|
||||
char diff = 0;
|
||||
uint32_t i = 0;
|
||||
while (pin[i]) {
|
||||
diff |= storageRom->pin[i] - pin[i];
|
||||
i++;
|
||||
}
|
||||
diff |= storageRom->pin[i];
|
||||
return diff == 0;
|
||||
}
|
||||
|
||||
bool storage_hasPin(void)
|
||||
{
|
||||
return storageRom->has_pin && storageRom->pin[0] != 0;
|
||||
}
|
||||
|
||||
void storage_setPin(const char *pin)
|
||||
{
|
||||
storageUpdate.has_pin = true;
|
||||
strlcpy(storageUpdate.pin, pin, sizeof(storageUpdate.pin));
|
||||
session_cachePin();
|
||||
}
|
||||
|
||||
const char *storage_getPin(void)
|
||||
{
|
||||
return storageRom->has_pin ? storageRom->pin : 0;
|
||||
}
|
||||
|
||||
void session_cachePassphrase(const char *passphrase)
|
||||
{
|
||||
strlcpy(sessionPassphrase, passphrase, sizeof(sessionPassphrase));
|
||||
sessionPassphraseCached = true;
|
||||
}
|
||||
|
||||
bool session_isPassphraseCached(void)
|
||||
{
|
||||
return sessionPassphraseCached;
|
||||
}
|
||||
|
||||
bool session_getState(const uint8_t *salt, uint8_t *state, const char *passphrase)
|
||||
{
|
||||
if (!passphrase && !sessionPassphraseCached) {
|
||||
return false;
|
||||
} else {
|
||||
passphrase = sessionPassphrase;
|
||||
}
|
||||
if (!salt) {
|
||||
// if salt is not provided fill the first half of the state with random data
|
||||
random_buffer(state, 32);
|
||||
} else {
|
||||
// if salt is provided fill the first half of the state with salt
|
||||
memcpy(state, salt, 32);
|
||||
}
|
||||
// state[0:32] = salt
|
||||
// state[32:64] = HMAC(passphrase, salt || device_id)
|
||||
HMAC_SHA256_CTX ctx;
|
||||
hmac_sha256_Init(&ctx, (const uint8_t *)passphrase, strlen(passphrase));
|
||||
hmac_sha256_Update(&ctx, state, 32);
|
||||
hmac_sha256_Update(&ctx, (const uint8_t *)storage_uuid, sizeof(storage_uuid));
|
||||
hmac_sha256_Final(&ctx, state + 32);
|
||||
|
||||
memzero(&ctx, sizeof(ctx));
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
void session_cachePin(void)
|
||||
{
|
||||
sessionPinCached = true;
|
||||
}
|
||||
|
||||
void session_uncachePin(void)
|
||||
{
|
||||
sessionPinCached = false;
|
||||
}
|
||||
|
||||
bool session_isPinCached(void)
|
||||
{
|
||||
return sessionPinCached;
|
||||
}
|
||||
|
||||
void storage_clearPinArea(void)
|
||||
{
|
||||
svc_flash_unlock();
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
storage_u2f_offset = 0;
|
||||
}
|
||||
|
||||
// called when u2f area or pin area overflows
|
||||
static void storage_area_recycle(uint32_t new_pinfails)
|
||||
{
|
||||
// first clear storage marker. In case of a failure below it is better
|
||||
// to clear the storage than to allow restarting with zero PIN failures
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(FLASH_STORAGE_START, 0);
|
||||
if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_START) != 0) {
|
||||
storage_show_error();
|
||||
}
|
||||
|
||||
// erase pinarea/u2f sector
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
|
||||
flash_write32(FLASH_STORAGE_PINAREA, new_pinfails);
|
||||
if (*(const volatile uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
|
||||
storage_show_error();
|
||||
}
|
||||
|
||||
// restore storage sector
|
||||
storageUpdate.has_u2f_counter = true;
|
||||
storageUpdate.u2f_counter += storage_u2f_offset;
|
||||
storage_u2f_offset = 0;
|
||||
storage_commit_locked(true);
|
||||
}
|
||||
|
||||
void storage_resetPinFails(uint32_t flash_pinfails)
|
||||
{
|
||||
svc_flash_unlock();
|
||||
if (flash_pinfails + sizeof(uint32_t)
|
||||
>= FLASH_STORAGE_PINAREA + FLASH_STORAGE_PINAREA_LEN) {
|
||||
// recycle extra storage sector
|
||||
storage_area_recycle(0xffffffff);
|
||||
} else {
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(flash_pinfails, 0);
|
||||
}
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
|
||||
bool storage_increasePinFails(uint32_t flash_pinfails)
|
||||
{
|
||||
uint32_t newctr = *(const uint32_t*)FLASH_PTR(flash_pinfails) << 1;
|
||||
// counter already at maximum, we do not increase it any more
|
||||
// return success so that a good pin is accepted
|
||||
if (!newctr)
|
||||
return true;
|
||||
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(flash_pinfails, newctr);
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
|
||||
return *(const uint32_t*)FLASH_PTR(flash_pinfails) == newctr;
|
||||
}
|
||||
|
||||
uint32_t storage_getPinWait(uint32_t flash_pinfails)
|
||||
{
|
||||
// The pin failure word is the inverted wait time in seconds.
|
||||
// It's inverted because flash allows changing 1 to 0 but not vice versa.
|
||||
return ~*(const uint32_t*)FLASH_PTR(flash_pinfails);
|
||||
}
|
||||
|
||||
uint32_t storage_getPinFailsOffset(void)
|
||||
{
|
||||
uint32_t flash_pinfails = FLASH_STORAGE_PINAREA;
|
||||
while (*(const uint32_t*)FLASH_PTR(flash_pinfails) == 0)
|
||||
flash_pinfails += sizeof(uint32_t);
|
||||
return flash_pinfails;
|
||||
}
|
||||
|
||||
bool storage_isInitialized(void)
|
||||
{
|
||||
return storageRom->has_node || storageRom->has_mnemonic;
|
||||
}
|
||||
|
||||
bool storage_isImported(void)
|
||||
{
|
||||
return storageRom->has_imported && storageRom->imported;
|
||||
}
|
||||
|
||||
void storage_setImported(bool imported)
|
||||
{
|
||||
storageUpdate.has_imported = true;
|
||||
storageUpdate.imported = imported;
|
||||
}
|
||||
|
||||
bool storage_needsBackup(void)
|
||||
{
|
||||
return storageUpdate.has_needs_backup ? storageUpdate.needs_backup
|
||||
: storageRom->has_needs_backup && storageRom->needs_backup;
|
||||
}
|
||||
|
||||
void storage_setNeedsBackup(bool needs_backup)
|
||||
{
|
||||
storageUpdate.has_needs_backup = true;
|
||||
storageUpdate.needs_backup = needs_backup;
|
||||
}
|
||||
|
||||
bool storage_unfinishedBackup(void)
|
||||
{
|
||||
return storageUpdate.has_unfinished_backup ? storageUpdate.unfinished_backup
|
||||
: storageRom->has_unfinished_backup && storageRom->unfinished_backup;
|
||||
}
|
||||
|
||||
void storage_setUnfinishedBackup(bool unfinished_backup)
|
||||
{
|
||||
storageUpdate.has_unfinished_backup = true;
|
||||
storageUpdate.unfinished_backup = unfinished_backup;
|
||||
}
|
||||
|
||||
bool storage_noBackup(void)
|
||||
{
|
||||
return storageUpdate.has_no_backup ? storageUpdate.no_backup
|
||||
: storageRom->has_no_backup && storageRom->no_backup;
|
||||
}
|
||||
|
||||
void storage_setNoBackup(void)
|
||||
{
|
||||
storageUpdate.has_no_backup = true;
|
||||
storageUpdate.no_backup = true;
|
||||
}
|
||||
|
||||
void storage_applyFlags(uint32_t flags)
|
||||
{
|
||||
if ((storageRom->flags | flags) == storageRom->flags) {
|
||||
return; // no new flags
|
||||
}
|
||||
storageUpdate.has_flags = true;
|
||||
storageUpdate.flags |= flags;
|
||||
storage_update();
|
||||
}
|
||||
|
||||
uint32_t storage_getFlags(void)
|
||||
{
|
||||
return storageRom->has_flags ? storageRom->flags : 0;
|
||||
}
|
||||
|
||||
uint32_t storage_nextU2FCounter(void)
|
||||
{
|
||||
uint32_t flash_u2f_offset = FLASH_STORAGE_U2FAREA +
|
||||
sizeof(uint32_t) * (storage_u2f_offset / 32);
|
||||
uint32_t newval = 0xfffffffe << (storage_u2f_offset & 31);
|
||||
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(flash_u2f_offset, newval);
|
||||
storage_u2f_offset++;
|
||||
if (storage_u2f_offset >= 8 * FLASH_STORAGE_U2FAREA_LEN) {
|
||||
storage_area_recycle(*(const uint32_t*)
|
||||
FLASH_PTR(storage_getPinFailsOffset()));
|
||||
}
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
return storageRom->u2f_counter + storage_u2f_offset;
|
||||
}
|
||||
|
||||
void storage_setU2FCounter(uint32_t u2fcounter)
|
||||
{
|
||||
storageUpdate.has_u2f_counter = true;
|
||||
storageUpdate.u2f_counter = u2fcounter - storage_u2f_offset;
|
||||
}
|
||||
|
||||
uint32_t storage_getAutoLockDelayMs()
|
||||
{
|
||||
const uint32_t default_delay_ms = 10 * 60 * 1000U; // 10 minutes
|
||||
return storageRom->has_auto_lock_delay_ms ? storageRom->auto_lock_delay_ms : default_delay_ms;
|
||||
}
|
||||
|
||||
void storage_setAutoLockDelayMs(uint32_t auto_lock_delay_ms)
|
||||
{
|
||||
const uint32_t min_delay_ms = 10 * 1000U; // 10 seconds
|
||||
auto_lock_delay_ms = MAX(auto_lock_delay_ms, min_delay_ms);
|
||||
storageUpdate.has_auto_lock_delay_ms = true;
|
||||
storageUpdate.auto_lock_delay_ms = auto_lock_delay_ms;
|
||||
}
|
||||
|
||||
void storage_wipe(void)
|
||||
{
|
||||
session_clear(true);
|
||||
storage_generate_uuid();
|
||||
|
||||
svc_flash_unlock();
|
||||
storage_commit_locked(false);
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
|
||||
storage_clearPinArea();
|
||||
}
|
@ -0,0 +1,137 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <libopencm3/stm32/flash.h>
|
||||
|
||||
#include "common.h"
|
||||
#include "flash.h"
|
||||
#include "memory.h"
|
||||
#include "supervise.h"
|
||||
|
||||
static const uint32_t FLASH_SECTOR_TABLE[FLASH_SECTOR_COUNT + 1] = {
|
||||
[ 0] = 0x08000000, // - 0x08003FFF | 16 KiB
|
||||
[ 1] = 0x08004000, // - 0x08007FFF | 16 KiB
|
||||
[ 2] = 0x08008000, // - 0x0800BFFF | 16 KiB
|
||||
[ 3] = 0x0800C000, // - 0x0800FFFF | 16 KiB
|
||||
[ 4] = 0x08010000, // - 0x0801FFFF | 64 KiB
|
||||
[ 5] = 0x08020000, // - 0x0803FFFF | 128 KiB
|
||||
[ 6] = 0x08040000, // - 0x0805FFFF | 128 KiB
|
||||
[ 7] = 0x08060000, // - 0x0807FFFF | 128 KiB
|
||||
[ 8] = 0x08080000, // - 0x0809FFFF | 128 KiB
|
||||
[ 9] = 0x080A0000, // - 0x080BFFFF | 128 KiB
|
||||
[10] = 0x080C0000, // - 0x080DFFFF | 128 KiB
|
||||
[11] = 0x080E0000, // - 0x080FFFFF | 128 KiB
|
||||
[12] = 0x08100000, // last element - not a valid sector
|
||||
};
|
||||
|
||||
static secbool flash_check_success(uint32_t status)
|
||||
{
|
||||
return (status & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) ? secfalse : sectrue;
|
||||
}
|
||||
|
||||
void flash_init(void)
|
||||
{
|
||||
}
|
||||
|
||||
secbool flash_unlock_write(void)
|
||||
{
|
||||
svc_flash_unlock();
|
||||
return sectrue;
|
||||
}
|
||||
|
||||
secbool flash_lock_write(void)
|
||||
{
|
||||
return flash_check_success(svc_flash_lock());
|
||||
}
|
||||
|
||||
const void *flash_get_address(uint8_t sector, uint32_t offset, uint32_t size)
|
||||
{
|
||||
if (sector >= FLASH_SECTOR_COUNT) {
|
||||
return NULL;
|
||||
}
|
||||
const uint32_t addr = FLASH_SECTOR_TABLE[sector] + offset;
|
||||
const uint32_t next = FLASH_SECTOR_TABLE[sector + 1];
|
||||
if (addr + size > next) {
|
||||
return NULL;
|
||||
}
|
||||
return (const void *)addr;
|
||||
}
|
||||
|
||||
secbool flash_erase(uint8_t sector)
|
||||
{
|
||||
ensure(flash_unlock_write(), NULL);
|
||||
svc_flash_erase_sector(sector);
|
||||
ensure(flash_lock_write(), NULL);
|
||||
|
||||
// Check whether the sector was really deleted (contains only 0xFF).
|
||||
const uint32_t addr_start = FLASH_SECTOR_TABLE[sector], addr_end = FLASH_SECTOR_TABLE[sector + 1];
|
||||
for (uint32_t addr = addr_start; addr < addr_end; addr += 4) {
|
||||
if (*((const uint32_t *)addr) != 0xFFFFFFFF) {
|
||||
return secfalse;
|
||||
}
|
||||
}
|
||||
return sectrue;
|
||||
}
|
||||
|
||||
secbool flash_write_byte(uint8_t sector, uint32_t offset, uint8_t data)
|
||||
{
|
||||
uint32_t address = (uint32_t)flash_get_address(sector, offset, 1);
|
||||
if (address == 0) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
if ((*((uint8_t*)address) & data) != data) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X8);
|
||||
flash_write8(address, data);
|
||||
|
||||
if (*((uint8_t*)address) != data) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
return sectrue;
|
||||
}
|
||||
|
||||
secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
|
||||
{
|
||||
uint32_t address = (uint32_t)flash_get_address(sector, offset, 4);
|
||||
if (address == 0) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
if (offset % 4 != 0) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
if ((*((uint32_t*)address) & data) != data) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(address, data);
|
||||
|
||||
if (*((uint32_t*)address) != data) {
|
||||
return secfalse;
|
||||
}
|
||||
|
||||
return sectrue;
|
||||
}
|
@ -0,0 +1,47 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef TREZORHAL_FLASH_H
|
||||
#define TREZORHAL_FLASH_H
|
||||
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include "secbool.h"
|
||||
|
||||
#define FLASH_SECTOR_COUNT 24
|
||||
|
||||
// note: FLASH_SR_RDERR is STM32F42xxx and STM32F43xxx specific (STM32F427) (reference RM0090 section 3.7.5)
|
||||
#ifndef STM32F427xx
|
||||
#define FLASH_SR_RDERR 0
|
||||
#endif
|
||||
|
||||
#define FLASH_STATUS_ALL_FLAGS (FLASH_SR_RDERR | FLASH_SR_PGSERR | FLASH_SR_PGPERR | FLASH_SR_PGAERR | FLASH_SR_WRPERR | FLASH_SR_SOP | FLASH_SR_EOP)
|
||||
|
||||
void flash_init(void);
|
||||
|
||||
secbool __wur flash_unlock_write(void);
|
||||
secbool __wur flash_lock_write(void);
|
||||
|
||||
const void *flash_get_address(uint8_t sector, uint32_t offset, uint32_t size);
|
||||
|
||||
secbool __wur flash_erase(uint8_t sector);
|
||||
secbool __wur flash_write_byte(uint8_t sector, uint32_t offset, uint8_t data);
|
||||
secbool __wur flash_write_word(uint8_t sector, uint32_t offset, uint32_t data);
|
||||
|
||||
#endif // TREZORHAL_FLASH_H
|
@ -0,0 +1,39 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef __NORCOW_CONFIG_H__
|
||||
#define __NORCOW_CONFIG_H__
|
||||
|
||||
#include "flash.h"
|
||||
|
||||
#define NORCOW_SECTOR_COUNT 2
|
||||
#define NORCOW_SECTOR_SIZE (16*1024)
|
||||
#define NORCOW_SECTORS {2, 3}
|
||||
|
||||
/*
|
||||
* The length of the sector header in bytes. The header is preserved between sector erasures.
|
||||
*/
|
||||
#define NORCOW_HEADER_LEN (0x100)
|
||||
|
||||
/*
|
||||
* Current storage version.
|
||||
*/
|
||||
#define NORCOW_VERSION ((uint32_t)0x00000001)
|
||||
|
||||
#endif
|
@ -0,0 +1,33 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (c) SatoshiLabs
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef TREZORHAL_SECBOOL_H
|
||||
#define TREZORHAL_SECBOOL_H
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
typedef uint32_t secbool;
|
||||
#define sectrue 0xAAAAAAAAU
|
||||
#define secfalse 0x00000000U
|
||||
|
||||
#ifndef __wur
|
||||
#define __wur __attribute__ ((warn_unused_result))
|
||||
#endif
|
||||
|
||||
#endif
|
@ -0,0 +1 @@
|
||||
Subproject commit 840f7461ee6f0c5cb0db75c46018615dbd5b0256
|
Loading…
Reference in new issue