mirror of
https://github.com/trezor/trezor-firmware.git
synced 2025-01-15 18:00:59 +00:00
1a62cc8a59
[no changelog]
511 lines
18 KiB
Python
511 lines
18 KiB
Python
# This file is part of the Trezor project.
|
|
#
|
|
# Copyright (C) 2012-2019 SatoshiLabs and contributors
|
|
#
|
|
# This library is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Lesser General Public License version 3
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Lesser General Public License for more details.
|
|
#
|
|
# You should have received a copy of the License along with this library.
|
|
# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
|
|
|
|
import pytest
|
|
|
|
from trezorlib import btc, messages, models
|
|
from trezorlib.debuglink import TrezorClientDebugLink as Client
|
|
from trezorlib.exceptions import TrezorFailure
|
|
from trezorlib.tools import parse_path
|
|
|
|
from ...common import MNEMONIC12, is_core
|
|
from ...input_flows import InputFlowConfirmAllWarnings
|
|
from ...tx_cache import TxCache
|
|
from .signtx import (
|
|
assert_tx_matches,
|
|
forge_prevtx,
|
|
request_finished,
|
|
request_input,
|
|
request_meta,
|
|
request_output,
|
|
)
|
|
|
|
B = messages.ButtonRequestType
|
|
TX_API = TxCache("Bitcoin")
|
|
TX_API_TESTNET = TxCache("Testnet")
|
|
|
|
TXHASH_c6091a = bytes.fromhex(
|
|
"c6091adf4c0c23982a35899a6e58ae11e703eacd7954f588ed4b9cdefc4dba52"
|
|
)
|
|
TXHASH_509e08 = bytes.fromhex(
|
|
"509e08424b047403b34dc83e9899e09185ea36791716e42c00a74e1f12bcb6ef"
|
|
)
|
|
TXHASH_6b07c1 = bytes.fromhex(
|
|
"6b07c1321b52d9c85743f9695e13eb431b41708cdf4e1585258d51208e5b93fc"
|
|
)
|
|
TXHASH_0d5b56 = bytes.fromhex(
|
|
"0d5b5648d47b5650edea1af3d47bbe5624213abb577cf1b1c96f98321f75cdbc"
|
|
)
|
|
|
|
pytestmark = pytest.mark.multisig
|
|
|
|
|
|
@pytest.mark.multisig
|
|
@pytest.mark.parametrize("chunkify", (True, False))
|
|
def test_2_of_3(client: Client, chunkify: bool):
|
|
# input tx: 6b07c1321b52d9c85743f9695e13eb431b41708cdf4e1585258d51208e5b93fc
|
|
|
|
nodes = [
|
|
btc.get_public_node(
|
|
client, parse_path(f"m/48h/1h/{index}h/0h"), coin_name="Testnet"
|
|
).node
|
|
for index in range(1, 4)
|
|
]
|
|
|
|
multisig = messages.MultisigRedeemScriptType(
|
|
nodes=nodes, address_n=[0, 0], signatures=[b"", b"", b""], m=2
|
|
)
|
|
# Let's go to sign with key 1
|
|
inp1 = messages.TxInputType(
|
|
address_n=parse_path("m/48h/1h/1h/0h/0/0"),
|
|
amount=1_496_278,
|
|
prev_hash=TXHASH_6b07c1,
|
|
prev_index=0,
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig,
|
|
)
|
|
|
|
out1 = messages.TxOutputType(
|
|
address="mnY26FLTzfC94mDoUcyDJh1GVE3LuAUMbs", # "44h/1h/0h/0/6"
|
|
amount=1_496_278 - 10_000,
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
|
)
|
|
|
|
# Expected responses are the same for both two signings
|
|
expected_responses = [
|
|
request_input(0),
|
|
request_output(0),
|
|
messages.ButtonRequest(code=B.ConfirmOutput),
|
|
(is_core(client), messages.ButtonRequest(code=B.ConfirmOutput)),
|
|
messages.ButtonRequest(code=B.SignTx),
|
|
request_input(0),
|
|
request_meta(TXHASH_6b07c1),
|
|
request_input(0, TXHASH_6b07c1),
|
|
request_output(0, TXHASH_6b07c1),
|
|
request_input(0),
|
|
request_output(0),
|
|
request_output(0),
|
|
request_finished(),
|
|
]
|
|
|
|
with client:
|
|
client.set_expected_responses(expected_responses)
|
|
|
|
# Now we have first signature
|
|
signatures1, _ = btc.sign_tx(
|
|
client,
|
|
"Testnet",
|
|
[inp1],
|
|
[out1],
|
|
prev_txes=TX_API_TESTNET,
|
|
chunkify=chunkify,
|
|
)
|
|
|
|
assert (
|
|
signatures1[0].hex()
|
|
== "304402206c99b48a12f340599076b93efdc2578b0cdeaedf9092aed628788f4ffc579a50022031b16212dd1f0f62f01bb5862b6d128276c7a5430746aa27a04ae0c8acbcb3b1"
|
|
)
|
|
|
|
# ---------------------------------------
|
|
# Let's do second signature using 3rd key
|
|
|
|
multisig = messages.MultisigRedeemScriptType(
|
|
nodes=nodes,
|
|
address_n=[0, 0],
|
|
signatures=[
|
|
signatures1[0],
|
|
b"",
|
|
b"",
|
|
], # Fill signature from previous signing process
|
|
m=2,
|
|
)
|
|
|
|
# Let's do a second signature with key 3
|
|
inp3 = messages.TxInputType(
|
|
address_n=parse_path("m/48h/1h/3h/0h/0/0"),
|
|
amount=1_496_278,
|
|
prev_hash=TXHASH_6b07c1,
|
|
prev_index=0,
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig,
|
|
)
|
|
|
|
with client:
|
|
client.set_expected_responses(expected_responses)
|
|
signatures2, serialized_tx = btc.sign_tx(
|
|
client, "Testnet", [inp3], [out1], prev_txes=TX_API_TESTNET
|
|
)
|
|
|
|
assert (
|
|
signatures2[0].hex()
|
|
== "304502210089153ad97c0d69656cd9bd9eb2056552acaec91365dd7ab31250f3f707123baa02200f884de63041d73bd20fbe8804c6036968d8149b7f46963a82b561cd8211ab08"
|
|
)
|
|
|
|
assert_tx_matches(
|
|
serialized_tx,
|
|
hash_link="https://tbtc1.trezor.io/api/tx/4123415574c16899b4bb5b691f9b65643dbe566a9b68e4e2e7a8b29c79c83f2b",
|
|
tx_hex="0100000001fc935b8e20518d2585154edf8c70411b43eb135e69f94357c8d9521b32c1076b00000000fdfd000047304402206c99b48a12f340599076b93efdc2578b0cdeaedf9092aed628788f4ffc579a50022031b16212dd1f0f62f01bb5862b6d128276c7a5430746aa27a04ae0c8acbcb3b10148304502210089153ad97c0d69656cd9bd9eb2056552acaec91365dd7ab31250f3f707123baa02200f884de63041d73bd20fbe8804c6036968d8149b7f46963a82b561cd8211ab08014c69522103725d6c5253f2040a9a73af24bcc196bf302d6cc94374dd7197b138e10912670121038924e94fff15302a3fb45ad4fc0ed17178800f0f1c2bdacb1017f4db951aa9f12102aae8affd0eb8e1181d665daef4de1828f23053c548ec9bafc3a787f558aa014153aeffffffff01c6ad1600000000001976a9144cfc772f24b600762f905a1ee799ce0e9c26831f88ac00000000",
|
|
)
|
|
|
|
|
|
@pytest.mark.multisig
|
|
@pytest.mark.models(skip="legacy", reason="Sortedmulti is not supported")
|
|
def test_pubkeys_order(client: Client):
|
|
node_internal = btc.get_public_node(
|
|
client, parse_path("m/45h/0"), coin_name="Bitcoin"
|
|
).node
|
|
node_external = btc.get_public_node(
|
|
client, parse_path("m/45h/1"), coin_name="Bitcoin"
|
|
).node
|
|
|
|
# A dummy signature is used to ensure that the signatures are serialized in the correct order
|
|
dummy_signature = bytes(71)
|
|
|
|
multisig_unsorted_1 = messages.MultisigRedeemScriptType(
|
|
nodes=[node_internal, node_external],
|
|
address_n=[0, 0],
|
|
signatures=[b"", dummy_signature],
|
|
m=1,
|
|
pubkeys_order=messages.MultisigPubkeysOrder.PRESERVED,
|
|
)
|
|
|
|
multisig_unsorted_2 = messages.MultisigRedeemScriptType(
|
|
nodes=[node_external, node_internal],
|
|
address_n=[0, 0],
|
|
signatures=[dummy_signature, b""],
|
|
m=1,
|
|
pubkeys_order=messages.MultisigPubkeysOrder.PRESERVED,
|
|
)
|
|
|
|
multisig_sorted_1 = messages.MultisigRedeemScriptType(
|
|
nodes=[node_internal, node_external],
|
|
address_n=[0, 0],
|
|
signatures=[b"", dummy_signature],
|
|
m=1,
|
|
pubkeys_order=messages.MultisigPubkeysOrder.LEXICOGRAPHIC,
|
|
)
|
|
|
|
multisig_sorted_2 = messages.MultisigRedeemScriptType(
|
|
nodes=[node_external, node_internal],
|
|
address_n=[0, 0],
|
|
signatures=[b"", dummy_signature],
|
|
m=1,
|
|
pubkeys_order=messages.MultisigPubkeysOrder.LEXICOGRAPHIC,
|
|
)
|
|
|
|
address_unsorted_1 = btc.get_address(
|
|
client, "Bitcoin", parse_path("m/45h/0/0/0"), multisig=multisig_unsorted_1
|
|
)
|
|
address_unsorted_2 = btc.get_address(
|
|
client, "Bitcoin", parse_path("m/45h/0/0/0"), multisig=multisig_unsorted_2
|
|
)
|
|
|
|
pubkey_internal = btc.get_public_node(
|
|
client, parse_path("m/45h/0/0/0"), coin_name="Bitcoin"
|
|
).node.public_key
|
|
pubkey_external = btc.get_public_node(
|
|
client, parse_path("m/45h/1/0/0"), coin_name="Bitcoin"
|
|
).node.public_key
|
|
|
|
# This assertion implies that script pubkey of multisig_sorted_1, multisig_sorted_2 and multisig_unsorted_1 are the same
|
|
assert pubkey_internal < pubkey_external
|
|
|
|
prev_hash, prev_tx = forge_prevtx(
|
|
[(address_unsorted_1, 1_000_000), (address_unsorted_2, 1_000_000)]
|
|
)
|
|
|
|
input_unsorted_1 = messages.TxInputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000,
|
|
prev_hash=prev_hash,
|
|
prev_index=0, # multisig_unsorted_1
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig_unsorted_1,
|
|
)
|
|
|
|
input_unsorted_2 = messages.TxInputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000,
|
|
prev_hash=prev_hash,
|
|
prev_index=1, # multisig_unsorted_2
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig_unsorted_2,
|
|
)
|
|
|
|
input_sorted_1 = messages.TxInputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000,
|
|
prev_hash=prev_hash,
|
|
prev_index=0, # multisig_unsorted_1
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig_sorted_1,
|
|
)
|
|
|
|
input_sorted_2 = messages.TxInputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000,
|
|
prev_hash=prev_hash,
|
|
prev_index=0, # multisig_unsorted_1
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig_sorted_2,
|
|
)
|
|
|
|
output_unsorted_1 = messages.TxOutputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000 - 10_000,
|
|
script_type=messages.OutputScriptType.PAYTOMULTISIG,
|
|
multisig=multisig_unsorted_1,
|
|
)
|
|
|
|
output_unsorted_2 = messages.TxOutputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000 - 10_000,
|
|
script_type=messages.OutputScriptType.PAYTOMULTISIG,
|
|
multisig=multisig_unsorted_2,
|
|
)
|
|
|
|
output_sorted_1 = messages.TxOutputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000 - 10_000,
|
|
script_type=messages.OutputScriptType.PAYTOMULTISIG,
|
|
multisig=multisig_sorted_1,
|
|
)
|
|
|
|
output_sorted_2 = messages.TxOutputType(
|
|
address_n=parse_path("m/45h/0/0/0"),
|
|
amount=1_000_000 - 10_000,
|
|
script_type=messages.OutputScriptType.PAYTOMULTISIG,
|
|
multisig=multisig_sorted_2,
|
|
)
|
|
|
|
tx_unsorted_1 = "0100000001637ffac0d4fbd8a6c02b114e36b079615ec3e4bdf09b769c7bf8b5fd6f8e781700000000db00483045022100f062d71445509d84a5769f219f4f0158dc7ff4351d671e6fa6bfdb171435064802206e1104f1d14f010bcc166cca6a9bd24b4a497475f8e23167858b4a3e92ac6a6701480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014751210262e9ac5bea4c84c7dea650424ed768cf123af9e447eef3c63d37c41d1f825e49210369b79f2094a6eb89e7aff0e012a5699f7272968a341e48e99e64a54312f2932b52aeffffffff01301b0f000000000017a91440bfd8ae9d806d5bd7cf475ce6a80535836285148700000000"
|
|
|
|
tx_unsorted_2 = "0100000001637ffac0d4fbd8a6c02b114e36b079615ec3e4bdf09b769c7bf8b5fd6f8e781701000000da004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000147304402204914036468434698e2d87985007a66691f170195e4a16507bbb86b4c00da5fde02200a788312d447b3796ee5288ce9e9c0247896debfa473339302bc928da6dd78cb014751210369b79f2094a6eb89e7aff0e012a5699f7272968a341e48e99e64a54312f2932b210262e9ac5bea4c84c7dea650424ed768cf123af9e447eef3c63d37c41d1f825e4952aeffffffff01301b0f000000000017a914320ad0ff0f1b605ab1fa8e29b70d22827cf45a9f8700000000"
|
|
|
|
_, tx = btc.sign_tx(
|
|
client,
|
|
"Bitcoin",
|
|
[input_unsorted_1],
|
|
[output_unsorted_1],
|
|
prev_txes={prev_hash: prev_tx},
|
|
)
|
|
assert tx.hex() == tx_unsorted_1
|
|
|
|
_, tx = btc.sign_tx(
|
|
client,
|
|
"Bitcoin",
|
|
[input_unsorted_2],
|
|
[output_unsorted_2],
|
|
prev_txes={prev_hash: prev_tx},
|
|
)
|
|
assert tx.hex() == tx_unsorted_2
|
|
|
|
_, tx = btc.sign_tx(
|
|
client,
|
|
"Bitcoin",
|
|
[input_sorted_1],
|
|
[output_sorted_1],
|
|
prev_txes={prev_hash: prev_tx},
|
|
)
|
|
assert tx.hex() == tx_unsorted_1
|
|
|
|
_, tx = btc.sign_tx(
|
|
client,
|
|
"Bitcoin",
|
|
[input_sorted_2],
|
|
[output_sorted_2],
|
|
prev_txes={prev_hash: prev_tx},
|
|
)
|
|
assert tx.hex() == tx_unsorted_1
|
|
|
|
|
|
@pytest.mark.multisig
|
|
def test_15_of_15(client: Client):
|
|
# input tx: 0d5b5648d47b5650edea1af3d47bbe5624213abb577cf1b1c96f98321f75cdbc
|
|
|
|
node = btc.get_public_node(
|
|
client, parse_path("m/48h/1h/1h/0h"), coin_name="Testnet"
|
|
).node
|
|
pubs = [messages.HDNodePathType(node=node, address_n=[0, x]) for x in range(15)]
|
|
|
|
signatures = [b""] * 15
|
|
|
|
out1 = messages.TxOutputType(
|
|
address="mnY26FLTzfC94mDoUcyDJh1GVE3LuAUMbs", # "44h/1h/0h/0/6"
|
|
amount=1_476_278 - 10_000,
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
|
)
|
|
|
|
for x in range(15):
|
|
multisig = messages.MultisigRedeemScriptType(
|
|
pubkeys=pubs, signatures=signatures, m=15
|
|
)
|
|
|
|
inp1 = messages.TxInputType(
|
|
address_n=parse_path(f"m/48h/1h/1h/0h/0/{x}"),
|
|
amount=1_476_278,
|
|
prev_hash=TXHASH_0d5b56,
|
|
prev_index=0,
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig,
|
|
)
|
|
|
|
with client:
|
|
sig, serialized_tx = btc.sign_tx(
|
|
client, "Testnet", [inp1], [out1], prev_txes=TX_API_TESTNET
|
|
)
|
|
signatures[x] = sig[0]
|
|
|
|
assert_tx_matches(
|
|
serialized_tx,
|
|
hash_link="https://tbtc1.trezor.io/api/tx/b41284067577e1266ad3632f7caffead5d58277cc35f42642455bfd2a3fa0325",
|
|
)
|
|
|
|
|
|
@pytest.mark.multisig
|
|
@pytest.mark.setup_client(mnemonic=MNEMONIC12)
|
|
def test_missing_pubkey(client: Client):
|
|
node = btc.get_public_node(
|
|
client, parse_path("m/48h/0h/1h/0h/0"), coin_name="Bitcoin"
|
|
).node
|
|
|
|
multisig = messages.MultisigRedeemScriptType(
|
|
pubkeys=[
|
|
messages.HDNodePathType(node=node, address_n=[1]),
|
|
messages.HDNodePathType(node=node, address_n=[2]),
|
|
messages.HDNodePathType(node=node, address_n=[3]),
|
|
],
|
|
signatures=[b"", b"", b""],
|
|
m=2,
|
|
)
|
|
|
|
# Let's go to sign with key 10, which is NOT in pubkeys
|
|
inp1 = messages.TxInputType(
|
|
address_n=parse_path("m/48h/0h/1h/0h/0/10"),
|
|
amount=100_000,
|
|
prev_hash=TXHASH_c6091a,
|
|
prev_index=1,
|
|
script_type=messages.InputScriptType.SPENDMULTISIG,
|
|
multisig=multisig,
|
|
)
|
|
|
|
out1 = messages.TxOutputType(
|
|
address="12iyMbUb4R2K3gre4dHSrbu5azG5KaqVss",
|
|
amount=100_000,
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
|
)
|
|
|
|
with pytest.raises(TrezorFailure) as exc:
|
|
btc.sign_tx(client, "Bitcoin", [inp1], [out1], prev_txes=TX_API)
|
|
|
|
if client.model is models.T1B1:
|
|
assert exc.value.message.endswith("Failed to derive scriptPubKey")
|
|
else:
|
|
assert exc.value.message.endswith("Pubkey not found in multisig script")
|
|
|
|
|
|
@pytest.mark.multisig
|
|
def test_attack_change_input(client: Client):
|
|
"""
|
|
In Phases 1 and 2 the attacker replaces a non-multisig input
|
|
`input_real` with a multisig input `input_fake`, which allows the
|
|
attacker to provide a 1-of-2 multisig change address. When `input_real`
|
|
is provided in the signing phase, an error must occur.
|
|
"""
|
|
address_n = parse_path("m/48h/1h/0h/1h/0/0") # 2NErUdruXmM8o8bQySrzB3WdBRcmc5br4E8
|
|
attacker_multisig_public_key = bytes.fromhex(
|
|
"03653a148b68584acb97947344a7d4fd6a6f8b8485cad12987ff8edac874268088"
|
|
)
|
|
|
|
input_real = messages.TxInputType(
|
|
address_n=address_n,
|
|
prev_hash=TXHASH_509e08,
|
|
prev_index=0,
|
|
script_type=messages.InputScriptType.SPENDP2SHWITNESS,
|
|
amount=61_093,
|
|
)
|
|
|
|
multisig_fake = messages.MultisigRedeemScriptType(
|
|
m=1,
|
|
nodes=[
|
|
btc.get_public_node(client, address_n, coin_name="Testnet").node,
|
|
messages.HDNodeType(
|
|
depth=0,
|
|
fingerprint=0,
|
|
child_num=0,
|
|
chain_code=bytes(32),
|
|
public_key=attacker_multisig_public_key,
|
|
),
|
|
],
|
|
address_n=[],
|
|
)
|
|
|
|
input_fake = messages.TxInputType(
|
|
address_n=address_n,
|
|
prev_hash=input_real.prev_hash,
|
|
prev_index=input_real.prev_index,
|
|
script_type=input_real.script_type,
|
|
multisig=multisig_fake,
|
|
amount=input_real.amount,
|
|
)
|
|
|
|
output_payee = messages.TxOutputType(
|
|
address="n2eMqTT929pb1RDNuqEnxdaLau1rxy3efi",
|
|
amount=10_000,
|
|
script_type=messages.OutputScriptType.PAYTOADDRESS,
|
|
)
|
|
|
|
output_change = messages.TxOutputType(
|
|
address_n=address_n,
|
|
amount=input_real.amount - output_payee.amount - 1_000,
|
|
script_type=messages.OutputScriptType.PAYTOP2SHWITNESS,
|
|
multisig=multisig_fake,
|
|
)
|
|
|
|
# Transaction can be signed without the attack processor
|
|
with client:
|
|
if is_core(client):
|
|
IF = InputFlowConfirmAllWarnings(client)
|
|
client.set_input_flow(IF.get())
|
|
btc.sign_tx(
|
|
client,
|
|
"Testnet",
|
|
[input_real],
|
|
[output_payee, output_change],
|
|
prev_txes=TX_API_TESTNET,
|
|
)
|
|
|
|
attack_count = 3
|
|
|
|
def attack_processor(msg):
|
|
nonlocal attack_count
|
|
# replace the first input_real with input_fake
|
|
if attack_count > 0 and msg.tx.inputs and msg.tx.inputs[0] == input_real:
|
|
msg.tx.inputs[0] = input_fake
|
|
attack_count -= 1
|
|
return msg
|
|
|
|
with client:
|
|
client.set_filter(messages.TxAck, attack_processor)
|
|
with pytest.raises(TrezorFailure):
|
|
btc.sign_tx(
|
|
client,
|
|
"Testnet",
|
|
[input_real],
|
|
[output_payee, output_change],
|
|
prev_txes=TX_API_TESTNET,
|
|
)
|