From aa16e91ac108dccfb7745e11afa94e3efacefe94 Mon Sep 17 00:00:00 2001
From: Martin Milata
Date: Mon, 10 Mar 2025 14:56:14 +0100
Subject: [PATCH] fixup! refactor(legacy): check size of integers when hashing
---
 crypto/hasher.h | 10 ++++++-
 crypto/sha2.h | 10 ++++++-
 legacy/firmware/crypto.c | 4 +--
 legacy/firmware/reset.c | 2 +-
 legacy/firmware/signing.c | 50 ++++++++++++++++-------------------
 legacy/firmware/transaction.c | 8 +++---
 6 files changed, 48 insertions(+), 36 deletions(-)
diff --git a/crypto/hasher.h b/crypto/hasher.h
index 283dc3548f..b70f630653 100644
--- a/crypto/hasher.h
+++ b/crypto/hasher.h
@@ -84,8 +84,16 @@ void hasher_Raw(HasherType type, const uint8_t *data, size_t length,
 // expected size.
 #define HASHER_UPDATE_INT(ctx, val, expected_type) \
 do { \
- hasher_Update(ctx, (const uint8_t *)&(val), sizeof(val)); \
+ hasher_Update((ctx), (const uint8_t *)&(val), sizeof(val)); \
 _Static_assert(sizeof(val) == sizeof(expected_type), "invalid int size"); \
 } while (0)
+// Byte array version of the macro above.
+#define HASHER_UPDATE_BYTES(ctx, val, expected_size) \
+ do { \
+ hasher_Update((ctx), (val), sizeof(val)); \
+ _Static_assert(sizeof(val) == expected_size, "invalid value size"); \
+ _Static_assert(sizeof((val)[0]) == 1, "not a byte array"); \
+ } while (0)
+
 #endif
diff --git a/crypto/sha2.h b/crypto/sha2.h
index 3a2940990d..ee98302b39 100644
--- a/crypto/sha2.h
+++ b/crypto/sha2.h
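Review bot: `HASHER_UPDATE_BYTES` in crypto/hasher.h still accepts a pointer, because `sizeof((val)[0]) == 1` holds for a `uint8_t *` just as it does for an array; the only thing rejecting a decayed array is `sizeof(val) == expected_size`, and that passes whenever the expected size happens to equal the pointer width, at which point the size guarantee is vacuous. An explicit array check closes the gap, for example on GCC/Clang `_Static_assert(!__builtin_types_compatible_p(__typeof__(val), __typeof__(&(val)[0])), "not an array");`. `expected_size` should also be parenthesised in the comparison, `sizeof(val) == (expected_size)`. The same applies to `SHA256_UPDATE_BYTES` in crypto/sha2.h.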
@@ -86,10 +86,18 @@ char* sha256_Data(const uint8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]);
 // expected size.
 #define SHA256_UPDATE_INT(ctx, val, expected_type) \
 do { \
- sha256_Update(ctx, (const uint8_t *)&(val), sizeof(val)); \
+ sha256_Update((ctx), (const uint8_t *)&(val), sizeof(val)); \
 _Static_assert(sizeof(val) == sizeof(expected_type), "invalid int size"); \
 } while (0)
+// Byte array version of the macro above.
+#define SHA256_UPDATE_BYTES(ctx, val, expected_size) \
+ do { \
+ sha256_Update((ctx), (val), sizeof(val)); \
+ _Static_assert(sizeof(val) == expected_size, "invalid value size"); \
+ _Static_assert(sizeof((val)[0]) == 1, "not a byte array"); \
+ } while (0)
+
 void sha384_Raw(const uint8_t*, size_t, uint8_t[SHA384_DIGEST_LENGTH]);
 void sha512_Transform(const uint64_t* state_in, const uint64_t* data, uint64_t* state_out);
diff --git a/legacy/firmware/crypto.c b/legacy/firmware/crypto.c
index 245768eb59..19b5a9fdbf 100644
--- a/legacy/firmware/crypto.c
+++ b/legacy/firmware/crypto.c
@@ -477,8 +477,8 @@ int cryptoMultisigFingerprint(const MultisigRedeemScriptType *multisig,
 SHA256_UPDATE_INT(&ctx, pubnodes[i]->depth, uint32_t);
 SHA256_UPDATE_INT(&ctx, pubnodes[i]->fingerprint, uint32_t);
 SHA256_UPDATE_INT(&ctx, pubnodes[i]->child_num, uint32_t);
- sha256_Update(&ctx, pubnodes[i]->chain_code.bytes, 32);
- sha256_Update(&ctx, pubnodes[i]->public_key.bytes, 33);
+ SHA256_UPDATE_BYTES(&ctx, pubnodes[i]->chain_code.bytes, 32);
+ SHA256_UPDATE_BYTES(&ctx, pubnodes[i]->public_key.bytes, 33);
 }
 SHA256_UPDATE_INT(&ctx, n, uint32_t);
 sha256_Final(&ctx, hash);
diff --git a/legacy/firmware/reset.c b/legacy/firmware/reset.c
index cefffb075c..928465f53a 100644
--- a/legacy/firmware/reset.c
+++ b/legacy/firmware/reset.c
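Review bot: In `cryptoMultisigFingerprint`, `SHA256_UPDATE_BYTES(&ctx, pubnodes[i]->public_key.bytes, 33);` asserts the capacity of the `.bytes` array at compile time, not how much of it was filled. If `chain_code` and `public_key` are length-carrying fields like `input->script_sig` in transaction.c, which has a `.size` member, a node with a shorter `size` would still contribute all 32 or 33 bytes to the fingerprint. Whether `size` is compared with 32 and 33 before this loop is not visible in the hunk, so either confirm that check or record it next to the calls, e.g. `// .size == 33 is enforced before hashing; see <validation site>`. The same question applies to `input->prev_hash.bytes` and `input->orig_hash.bytes` in `tx_input_check_hash`. The loop and the function body start outside the hunk.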
@@ -84,7 +84,7 @@ void reset_entropy(const uint8_t *ext_entropy, uint32_t len) {
 SHA256_CTX ctx = {0};
 sha256_Init(&ctx);
- sha256_Update(&ctx, int_entropy, 32);
+ SHA256_UPDATE_BYTES(&ctx, int_entropy, 32);
 sha256_Update(&ctx, ext_entropy, len);
 sha256_Final(&ctx, int_entropy);
 const char *mnemonic = mnemonic_from_data(int_entropy, strength / 8);
diff --git a/legacy/firmware/signing.c b/legacy/firmware/signing.c
index 400c51c808..9646a827ed 100644
--- a/legacy/firmware/signing.c
+++ b/legacy/firmware/signing.c
@@ -2668,9 +2668,9 @@ static void signing_hash_bip143(const TxInfo *tx_info,
 // nVersion
 HASHER_UPDATE_INT(&hasher_preimage, tx_info->version, uint32_t);
 // hashPrevouts
- hasher_Update(&hasher_preimage, tx_info->hash_prevouts143, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_prevouts143, 32);
 // hashSequence
- hasher_Update(&hasher_preimage, tx_info->hash_sequence143, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_sequence143, 32);
 // outpoint
 tx_prevout_hash(&hasher_preimage, txinput);
 // scriptCode
@@ -2681,7 +2681,7 @@ static void signing_hash_bip143(const TxInfo *tx_info,
 // nSequence
 tx_sequence_hash(&hasher_preimage, txinput);
 // hashOutputs
- hasher_Update(&hasher_preimage, tx_info->hash_outputs143, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_outputs143, 32);
 // nLockTime
 HASHER_UPDATE_INT(&hasher_preimage, tx_info->lock_time, uint32_t);
 // nHashType
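Review bot: The expected size is a bare `32` at every converted call in `signing_hash_bip143`, and again in the bip341, zip243, zip244 and decred hunks of signing.c, so the assertion states that the field is 32 bytes but not which digest length it is meant to match. A named constant makes that intent checkable at the call site, e.g. `HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_prevouts143, HASHER_DIGEST_LENGTH);`, assuming the digest-length constant from crypto/hasher.h is in scope here. The function body starts and ends outside both bip143 hunks.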
@@ -2704,15 +2704,15 @@ static void signing_hash_bip341(const TxInfo *tx_info, uint32_t i,
 // nLockTime
 HASHER_UPDATE_INT(&sigmsg_hasher, tx_info->lock_time, uint32_t);
 // sha_prevouts
- hasher_Update(&sigmsg_hasher, tx_info->hash_prevouts, 32);
+ HASHER_UPDATE_BYTES(&sigmsg_hasher, tx_info->hash_prevouts, 32);
 // sha_amounts
- hasher_Update(&sigmsg_hasher, tx_info->hash_amounts, 32);
+ HASHER_UPDATE_BYTES(&sigmsg_hasher, tx_info->hash_amounts, 32);
 // sha_scriptpubkeys
- hasher_Update(&sigmsg_hasher, tx_info->hash_scriptpubkeys, 32);
+ HASHER_UPDATE_BYTES(&sigmsg_hasher, tx_info->hash_scriptpubkeys, 32);
 // sha_sequences
- hasher_Update(&sigmsg_hasher, tx_info->hash_sequences, 32);
+ HASHER_UPDATE_BYTES(&sigmsg_hasher, tx_info->hash_sequences, 32);
 // sha_outputs
- hasher_Update(&sigmsg_hasher, tx_info->hash_outputs, 32);
+ HASHER_UPDATE_BYTES(&sigmsg_hasher, tx_info->hash_outputs, 32);
 // spend_type 0 (no tapscript message extension, no annex)
 hasher_Update(&sigmsg_hasher, &zero, 1);
 // input_index
@@ -2739,11 +2739,11 @@ static void signing_hash_zip243(const TxInfo *tx_info,
 // 2. nVersionGroupId
 HASHER_UPDATE_INT(&hasher_preimage, tx_info->version_group_id, uint32_t);
 // 3. hashPrevouts
- hasher_Update(&hasher_preimage, tx_info->hash_prevouts, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_prevouts, 32);
 // 4. hashSequence
- hasher_Update(&hasher_preimage, tx_info->hash_sequences, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_sequences, 32);
 // 5. hashOutputs
- hasher_Update(&hasher_preimage, tx_info->hash_outputs, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, tx_info->hash_outputs, 32);
 // 6. hashJoinSplits
 hasher_Update(&hasher_preimage, null_bytes, 32);
 // 7. hashShieldedSpends
@@ -2800,20 +2800,17 @@ static void signing_hash_zip244(const TxInfo *tx_info,
 // S.2a: hash_type (1 byte)
 hasher_Update(&hasher, (const uint8_t *)&hash_type, 1);
 // S.2b: prevouts_sig_digest (32-byte hash)
- hasher_Update(&hasher, tx_info->hash_prevouts,
- sizeof(tx_info->hash_prevouts));
+ HASHER_UPDATE_BYTES(&hasher, tx_info->hash_prevouts, 32);
 // S.2c: amounts_sig_digest (32-byte hash)
- hasher_Update(&hasher, tx_info->hash_amounts, sizeof(tx_info->hash_amounts));
+ HASHER_UPDATE_BYTES(&hasher, tx_info->hash_amounts, 32);
 // S.2d: scriptpubkeys_sig_digest (32-byte hash)
- hasher_Update(&hasher, tx_info->hash_scriptpubkeys,
- sizeof(tx_info->hash_scriptpubkeys));
+ HASHER_UPDATE_BYTES(&hasher, tx_info->hash_scriptpubkeys, 32);
 // S.2e: sequence_sig_digest (32-byte hash)
- hasher_Update(&hasher, tx_info->hash_sequences,
- sizeof(tx_info->hash_sequences));
+ HASHER_UPDATE_BYTES(&hasher, tx_info->hash_sequences, 32);
 // S.2f: outputs_sig_digest (32-byte hash)
- hasher_Update(&hasher, tx_info->hash_outputs, sizeof(tx_info->hash_outputs));
+ HASHER_UPDATE_BYTES(&hasher, tx_info->hash_outputs, 32);
 // S.2g: txin_sig_digest (32-byte hash)
- hasher_Update(&hasher, txin_sig_digest, sizeof(txin_sig_digest));
+ HASHER_UPDATE_BYTES(&hasher, txin_sig_digest, 32);
 hasher_Final(&hasher, transparent_sig_digest);
 // `S.3: sapling_digest` field. Empty Sapling bundle.
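Review bot: The S.2a line in `signing_hash_zip244` still hashes `hash_type` through a pointer cast with a hard-coded length, `hasher_Update(&hasher, (const uint8_t *)&hash_type, 1);`, which is the unchecked pattern the rest of this hunk removes. The declaration of `hash_type` is outside the hunk; if it is wider than one byte, only the first byte in memory is fed to the hasher and the signature digest then depends on byte order. If it is a one-byte type, `HASHER_UPDATE_INT(&hasher, hash_type, uint8_t);` would have the compiler confirm that; if it is wider, copy it into a `uint8_t` local first and hash that.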
@@ -2834,14 +2831,13 @@ static void signing_hash_zip244(const TxInfo *tx_info,
 hasher_InitParam(&hasher, HASHER_BLAKE2B_PERSONAL, personal, sizeof(personal));
 // S.1: header_digest (32-byte hash output)
- hasher_Update(&hasher, tx_info->hash_header, sizeof(tx_info->hash_header));
+ HASHER_UPDATE_BYTES(&hasher, tx_info->hash_header, 32);
 // S.2: transparent_sig_digest (32-byte hash output)
- hasher_Update(&hasher, transparent_sig_digest,
- sizeof(transparent_sig_digest));
+ HASHER_UPDATE_BYTES(&hasher, transparent_sig_digest, 32);
 // S.3: sapling_digest (32-byte hash output)
- hasher_Update(&hasher, sapling_digest, sizeof(sapling_digest));
+ HASHER_UPDATE_BYTES(&hasher, sapling_digest, 32);
 // S.4: orchard_digest (32-byte hash output)
- hasher_Update(&hasher, orchard_digest, sizeof(orchard_digest));
+ HASHER_UPDATE_BYTES(&hasher, orchard_digest, 32);
 hasher_Final(&hasher, hash);
 }
 #endif
@@ -3130,12 +3126,12 @@ static void phase1_request_orig_output(void) {
 #if !BITCOIN_ONLY
 static void signing_hash_decred(const TxInputType *txinput,
- const uint8_t *hash_witness, uint8_t *hash) {
+ const uint8_t hash_witness[32], uint8_t *hash) {
 uint32_t hash_type = signing_hash_type(txinput);
 Hasher hasher_preimage = {0};
 hasher_Init(&hasher_preimage, coin->curve->hasher_sign);
 HASHER_UPDATE_INT(&hasher_preimage, hash_type, uint32_t);
- hasher_Update(&hasher_preimage, decred_hash_prefix, 32);
+ HASHER_UPDATE_BYTES(&hasher_preimage, decred_hash_prefix, 32);
 hasher_Update(&hasher_preimage, hash_witness, 32);
 hasher_Final(&hasher_preimage, hash);
 }
diff --git a/legacy/firmware/transaction.c b/legacy/firmware/transaction.c
index ab4fdeabc0..9b7bd4317d 100644
--- a/legacy/firmware/transaction.c
+++ b/legacy/firmware/transaction.c
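Review bot: The new parameter `const uint8_t hash_witness[32]` in `signing_hash_decred` is adjusted to a plain pointer, so the `[32]` is not enforced on callers and `sizeof(hash_witness)` inside the function is the pointer size; that is why the last update has to stay `hasher_Update(&hasher_preimage, hash_witness, 32);`. Declaring it as `const uint8_t hash_witness[static 32]` gives the compiler a stated minimum length to diagnose against where it can see the argument. A one-line comment on the raw call, `// pointer parameter: HASHER_UPDATE_BYTES needs a real array`, would keep a later cleanup from converting it and tripping over the size assertion.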
@@ -548,7 +548,7 @@ bool tx_input_check_hash(Hasher *hasher, const TxInputType *input) {
 for (int i = 0; i < input->address_n_count; ++i) {
 HASHER_UPDATE_INT(hasher, input->address_n[i], uint32_t);
 }
- hasher_Update(hasher, input->prev_hash.bytes, sizeof(input->prev_hash.bytes));
+ HASHER_UPDATE_BYTES(hasher, input->prev_hash.bytes, 32);
 HASHER_UPDATE_INT(hasher, input->prev_index, uint32_t);
 tx_script_hash(hasher, input->script_sig.size, input->script_sig.bytes);
 HASHER_UPDATE_INT(hasher, input->sequence, uint32_t);
@@ -561,11 +561,11 @@ bool tx_input_check_hash(Hasher *hasher, const TxInputType *input) {
 return false;
 }
 }
- hasher_Update(hasher, multisig_fp, sizeof(multisig_fp));
+ HASHER_UPDATE_BYTES(hasher, multisig_fp, 32);
 HASHER_UPDATE_INT(hasher, input->amount, uint64_t);
 tx_script_hash(hasher, input->witness.size, input->witness.bytes);
 HASHER_UPDATE_INT(hasher, input->has_orig_hash, uint8_t);
- hasher_Update(hasher, input->orig_hash.bytes, sizeof(input->orig_hash.bytes));
+ HASHER_UPDATE_BYTES(hasher, input->orig_hash.bytes, 32);
 HASHER_UPDATE_INT(hasher, input->orig_index, uint32_t);
 tx_script_hash(hasher, input->script_pubkey.size, input->script_pubkey.bytes);
 return true;
@@ -670,7 +670,7 @@ uint32_t tx_serialize_header_hash(TxStruct *tx) {
 }
 #endif
 if (tx->is_segwit) {
- hasher_Update(&(tx->hasher), segwit_header, 2);
+ HASHER_UPDATE_BYTES(&(tx->hasher), segwit_header, 2);
 r += 2;
 }
 }
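Review bot: In the segwit branch of `tx_serialize_header_hash`, the size of `segwit_header` is now asserted for the hash input, but `r += 2;` on the next line still carries its own literal, so the count added to `r` and the bytes actually hashed can drift apart if the header ever changes. `r += sizeof(segwit_header);` ties the two together and costs nothing, since the macro already proves `segwit_header` is a real array. The function body starts before the hunk and continues after it.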