move all methods that are still relevant to TrezorClient (originally
BaseClient)
modify ProtocolMixin to be a compatibility shim
modify BaseClient to be a compatibility shim with a proxy to original
actual TrezorClient - this prevents early failures in Electrum for long
enough to show an error message
Only a limited number of messages should be dispatched to handlers
that can be inserted anywhere in the protocol flow. Having a fixed list
of interjecting handlers makes this clearer and prevents hard-to-find
bugs.
remove Trezor 2 support from HID transport, which never worked
use ProtocolV1 explicitly everywhere, as V2 doesn't exist in practice
move USB IDs and UDEV warning string to a common place
fix a bug where HID would return a list instead of bytes
This fixes the breakage introduced by transport reshuffles.
It's still not great and I'd love to see context manager based sessions.
But it's good enough for now.
This commit breaks session handling (which matters with Bridge) and
regresses Bridge to an older code state. Both of these issues will be
rectified in subsequent commits.
Explanation of this big API reshuffle follows:
* protocols are moved to trezorlib.transport, and to a single common file.
* there is a cleaner definition of Transport and Protocol API (see below)
* fully valid mypy type hinting
* session handle counters and open handle counters mostly went away. Transports
and Protocols are meant to be "raw" APIs; TrezorClient will implement
context-handler-based sessions, session tracking, etc.
I'm calling this a "reshuffle" because it involved very small number of
code changes. Most of it is moving things around where they sit better.
The API changes are as follows.
Transport is now a thing that can:
* open and close sessions
* read and write protobuf messages
* enumerate and find devices
Some transports (all except bridge) are technically bytes-based and need
a separate protocol implementation (because we have two existing protocols,
although only the first one is actually used). Hence a protocol superclass.
Protocol is a thing that *also* can:
* open and close sessions
* read and write protobuf messages
For that, it requires a `handle`.
Handle is a physical layer for a protocol. It can:
* open and close some sort of device connection
(this is distinct from session! Connection is a channel over which you can
send data. Session is a logical arrangement on top of that; you can have
multiple sessions on a single connection.)
* read and write 64-byte chunks of data
With that, we introduce ProtocolBasedTransport, which simply delegates
the appropriate Transport functionality to respective Protocol methods.
hid and webusb transports are ProtocolBasedTransport-s that provide separate
device handles. HidHandle and WebUsbHandle existed before, but the distinction
of functionality between a Transport and its Handle was unclear. Some methods
were moved and now the handles implement the Handle API, while the transports
provide the enumeration parts of the Transport API, as well as glue between
the respective Protocols and Handles.
udp transport is also a ProtocolBasedTransport, but it acts as its own handle.
(That might be changed. For now, I went with the pre-existing structure.)
In addition, session_begin/end is renamed to begin/end_session to keep
consistent verb_noun naming.
There is no good reason to do that and it hides situations when
the field mistakenly doesn't exist.
Added comment explains that missing "vendor" field might by caused
by trezor-common mismatch, which fixes#328
- drop set_tx_api method and its usage from trezorctl
- drop _prepare_sign_tx which is not used anymore
- adapt trezorctl to new signing API
- make trezorctl signing smarter, ahead of moving it elsewhere
this fixes a problem when checking signature (and therefore
reconstructing) of a vendor header that doesn't have a VendorTrust of
all zeroes, e.g., the vendor header for test builds
We can now locally verify firmware signatures and hashes. We also
recognize min_firmware_version, so this resolves#308
This also helps with #273, as trezorlib is now mostly usable for signing
firmware images.
from https://github.com/pyca/ed25519
This makes the calculations several orders of magnitude faster, which
allows us to run the CoSi test in Travis. It also doesn't stop firmware
update for several seconds while we validate the CoSi signatures.
It's still essentially the same insecure implementation, fallible to all
the same timing attacks, and it shouldn't be used for anything except
validating public signatures of public data. But now it also takes about
as much time as it should on modern hardware.
This allows us to return early from a `write`, which we need in cases
where we want to perform an operation inbetween `read` and `write` -
namely, callback for ButtonRequest should technically be invoked after
returning ButtonAck but before waiting for device's response.
Of course that doesn't really work. The callback will actually be
invoked _before_ ButtonAck, so there's still the condition that it must
return immediately or the device gets stuck with a black screen.
But doing this allows us to write code *as if* it worked, which lets the
other transports run free and wild, by which I mean, do the Right Thing
This also moves DebugLinkMixin to debuglink.py and converts the mixin to
a subclass of TrezorClient (which is finally becoming a
reasonable-looking class). This takes advantage of the new UI protocol
and is ready for further improvements, namely, queuing input for tests
that require swipes.
The ui.py module contains a Click-based implementation of the UI
protocol. Use of callback_* methods has been limited and will probably
be cleaned up further (The contract has changed so we'll try to make
third party code fail noisily. It is unclear whether a backwards
compatible approach will be possible).
Furthermore, device.recovery() now takes a callback as an argument. This
way we can get rid of WordRequest callbacks, which are only used in the
recovery flow.
This bug caused other tests (resetdevice_t2 in particular) to fail. This
is because the test made one more swipe than was supposed to. This led to
a failure in resetdevice tests, which do swipes as well and read data
returned, which did not fit due to the redundant swipe.