/*
* boot() - Runs through application firmware checking, and then boots
*
* INPUT
* none
* OUTPUT
* true/false whether boot was successful
*
*/
static bool boot(void)
{
if(magic_ok())
{
layout_home();
if(signatures_ok() == 0) /* Signature check failed */
{
delay_ms(500);
if(!confirm_without_button_request("Unofficial Firmware",
"Do you want to continue booting?"))
{
layout_simple_message("Boot Aborted");
goto cancel_boot;
}
layout_home();
}
led_func(CLR_RED_LED);
cm_disable_interrupts();
set_vector_table_application();
application_jump();
}
else
{
layout_simple_message("Please Reinstall Firmware");
goto cancel_boot;
}
cancel_boot:
return(false);
}
/*
* run_passphrase_state() - Passphrase state machine
*
* INPUT
* - passphrase_state: current passphrase input state
* - passphrase_info: passphrase information
* OUTPUT
* none
*/
static void run_passphrase_state(PassphraseState *passphrase_state,
PassphraseInfo *passphrase_info)
{
switch(*passphrase_state)
{
/* Send passphrase request */
case PASSPHRASE_REQUEST:
send_passphrase_request();
*passphrase_state = PASSPHRASE_WAITING;
layout_simple_message("Waiting for Passphrase...");
break;
/* Wait for a passphrase */
case PASSPHRASE_WAITING:
wait_for_passphrase_ack(passphrase_info);
if(passphrase_info->passphrase_ack_msg != PASSPHRASE_ACK_WAITING)
{
*passphrase_state = PASSPHRASE_FINISHED;
}
break;
case PASSPHRASE_ACK:
case PASSPHRASE_FINISHED:
default:
break;
}
}
/*
* update_fw() - Firmware update mode
*
* INPUT
* none
* OUTPUT
* none
*
*/
static void update_fw(void)
{
led_func(CLR_GREEN_LED);
if(usb_flash_firmware())
{
layout_standard_notification("Firmware Update Complete",
"Please disconnect and reconnect.", NOTIFICATION_UNPLUG);
display_refresh();
}
else
{
layout_simple_message("Firmware Update Failure, Try Again");
}
}
void fsm_msgSignTx(SignTx *msg)
{
if (!storage_is_initialized())
{
fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized");
return;
}
if(msg->inputs_count < 1)
{
fsm_sendFailure(FailureType_Failure_Other,
"Transaction must have at least one input");
go_home();
return;
}
if(msg->outputs_count < 1)
{
fsm_sendFailure(FailureType_Failure_Other,
"Transaction must have at least one output");
go_home();
return;
}
if(!pin_protect("Enter Current PIN"))
{
go_home();
return;
}
const CoinType *coin = fsm_getCoin(msg->coin_name);
if(!coin) { return; }
/* master node */
const HDNode *node = fsm_getDerivedNode(0, 0);
if(!node) { return; }
layout_simple_message("Preparing Transaction...");
signing_init(msg->inputs_count, msg->outputs_count, coin, node);
}
void fsm_msgVerifyMessage(VerifyMessage *msg)
{
if(!msg->has_address)
{
fsm_sendFailure(FailureType_Failure_Other, "No address provided");
return;
}
if(!msg->has_message)
{
fsm_sendFailure(FailureType_Failure_Other, "No message provided");
return;
}
const CoinType *coin = fsm_getCoin(msg->coin_name);
if (!coin) return;
layout_simple_message("Verifying Message...");
uint8_t addr_raw[21];
if(!ecdsa_address_decode(msg->address, addr_raw))
{
fsm_sendFailure(FailureType_Failure_InvalidSignature, "Invalid address");
}
if(msg->signature.size == 65 &&
cryptoMessageVerify(coin, msg->message.bytes, msg->message.size, addr_raw,
msg->signature.bytes) == 0)
{
if(review(ButtonRequestType_ButtonRequest_Other, "Message Verified",
(char *)msg->message.bytes))
{
fsm_sendSuccess("Message verified");
}
}
else
{
fsm_sendFailure(FailureType_Failure_InvalidSignature, "Invalid signature");
}
go_home();
}
void signing_txack(TransactionType *tx)
{
if (!signing) {
fsm_sendFailure(FailureType_Failure_UnexpectedMessage, "Not in Signing mode");
go_home();
return;
}
int co;
memset(&resp, 0, sizeof(TxRequest));
switch (signing_stage) {
case STAGE_REQUEST_1_INPUT:
/* compute multisig fingerprint */
/* (if all input share the same fingerprint, outputs having the same fingerprint will be considered as change outputs) */
if (tx->inputs[0].script_type == InputScriptType_SPENDMULTISIG) {
if (tx->inputs[0].has_multisig && !multisig_fp_mismatch) {
if (multisig_fp_set) {
uint8_t h[32];
if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), h) == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint");
signing_abort();
return;
}
if (memcmp(multisig_fp, h, 32) != 0) {
multisig_fp_mismatch = true;
}
} else {
if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), multisig_fp) == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint");
signing_abort();
return;
}
multisig_fp_set = true;
}
}
} else { // InputScriptType_SPENDADDRESS
multisig_fp_mismatch = true;
}
sha256_Update(&tc, (const uint8_t *)tx->inputs, sizeof(TxInputType));
memcpy(&input, tx->inputs, sizeof(TxInputType));
send_req_2_prev_meta();
return;
case STAGE_REQUEST_2_PREV_META:
tx_init(&tp, tx->inputs_cnt, tx->outputs_cnt, tx->version, tx->lock_time, false);
idx2 = 0;
send_req_2_prev_input();
return;
case STAGE_REQUEST_2_PREV_INPUT:
if (!tx_serialize_input_hash(&tp, tx->inputs)) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize input");
signing_abort();
return;
}
if (idx2 < tp.inputs_len - 1) {
idx2++;
send_req_2_prev_input();
} else {
idx2 = 0;
send_req_2_prev_output();
}
return;
case STAGE_REQUEST_2_PREV_OUTPUT:
if (!tx_serialize_output_hash(&tp, tx->bin_outputs)) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize output");
signing_abort();
return;
}
if (idx2 == input.prev_index) {
to_spend += tx->bin_outputs[0].amount;
}
if (idx2 < tp.outputs_len - 1) {
/* Check prevtx of next input */
idx2++;
send_req_2_prev_output();
} else {
/* Check next output */
tx_hash_final(&tp, hash, true);
if (memcmp(hash, input.prev_hash.bytes, 32) != 0) {
fsm_sendFailure(FailureType_Failure_Other, "Encountered invalid prevhash");
signing_abort();
return;
}
if (idx1 < inputs_count - 1) {
idx1++;
send_req_1_input();
} else {
idx1 = 0;
send_req_3_output();
}
}
return;
case STAGE_REQUEST_3_OUTPUT:
{
/* Downloaded output idx1 the first time.
* Add it to transaction check
* Ask for permission.
*/
bool is_change = false;
if (tx->outputs[0].script_type == OutputScriptType_PAYTOMULTISIG &&
tx->outputs[0].has_multisig &&
multisig_fp_set && !multisig_fp_mismatch) {
uint8_t h[32];
if (cryptoMultisigFingerprint(&(tx->outputs[0].multisig), h) == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint");
signing_abort();
return;
}
if (memcmp(multisig_fp, h, 32) == 0) {
is_change = true;
}
} else {
if(tx->outputs[0].has_address_type) {
if(check_valid_output_address(tx->outputs) == false) {
fsm_sendFailure(FailureType_Failure_Other, "Invalid output address type");
signing_abort();
return;
}
if(tx->outputs[0].script_type == OutputScriptType_PAYTOADDRESS &&
tx->outputs[0].address_n_count > 0 &&
tx->outputs[0].address_type == OutputAddressType_CHANGE) {
is_change = true;
}
}
else if(tx->outputs[0].script_type == OutputScriptType_PAYTOADDRESS &&
tx->outputs[0].address_n_count > 0) {
is_change = true;
}
}
if (is_change) {
if (change_spend == 0) { // not set
change_spend = tx->outputs[0].amount;
} else {
fsm_sendFailure(FailureType_Failure_Other, "Only one change output allowed");
signing_abort();
return;
}
}
spending += tx->outputs[0].amount;
co = compile_output(coin, root, tx->outputs, &bin_output, !is_change);
if (co < 0) {
fsm_sendFailure(FailureType_Failure_Other, "Signing cancelled by user");
signing_abort();
return;
} else if (co == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output");
signing_abort();
return;
}
sha256_Update(&tc, (const uint8_t *)&bin_output, sizeof(TxOutputBinType));
if (idx1 < outputs_count - 1) {
idx1++;
send_req_3_output();
} else {
sha256_Final(hash_check, &tc);
// check fees
if (spending > to_spend) {
fsm_sendFailure(FailureType_Failure_NotEnoughFunds, "Not enough funds");
signing_abort();
return;
}
uint64_t fee = to_spend - spending;
uint32_t tx_est_size = transactionEstimateSizeKb(inputs_count, outputs_count);
char total_amount_str[32];
char fee_str[32];
coin_amnt_to_str(coin, fee, fee_str, sizeof(fee_str));
if(fee > (uint64_t)tx_est_size * coin->maxfee_kb) {
if (!confirm(ButtonRequestType_ButtonRequest_FeeOverThreshold,
"Confirm Fee", "%s", fee_str)) {
fsm_sendFailure(FailureType_Failure_ActionCancelled, "Fee over threshold. Signing cancelled.");
signing_abort();
return;
}
}
// last confirmation
coin_amnt_to_str(coin, to_spend - change_spend, total_amount_str, sizeof(total_amount_str));
if(!confirm_transaction(total_amount_str, fee_str))
{
fsm_sendFailure(FailureType_Failure_ActionCancelled, "Signing cancelled by user");
signing_abort();
return;
}
// Everything was checked, now phase 2 begins and the transaction is signed.
layout_simple_message("Signing Transaction...");
idx1 = 0;
idx2 = 0;
send_req_4_input();
}
return;
}
case STAGE_REQUEST_4_INPUT:
if (idx2 == 0) {
tx_init(&ti, inputs_count, outputs_count, version, lock_time, true);
sha256_Init(&tc);
sha256_Update(&tc, (const uint8_t *)&inputs_count, sizeof(inputs_count));
sha256_Update(&tc, (const uint8_t *)&outputs_count, sizeof(outputs_count));
sha256_Update(&tc, (const uint8_t *)&version, sizeof(version));
sha256_Update(&tc, (const uint8_t *)&lock_time, sizeof(lock_time));
memset(privkey, 0, 32);
memset(pubkey, 0, 33);
}
sha256_Update(&tc, (const uint8_t *)tx->inputs, sizeof(TxInputType));
if (idx2 == idx1) {
memcpy(&input, tx->inputs, sizeof(TxInputType));
memcpy(&node, root, sizeof(HDNode));
if (hdnode_private_ckd_cached(&node, tx->inputs[0].address_n, tx->inputs[0].address_n_count) == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to derive private key");
signing_abort();
return;
}
if (tx->inputs[0].script_type == InputScriptType_SPENDMULTISIG) {
if (!tx->inputs[0].has_multisig) {
fsm_sendFailure(FailureType_Failure_Other, "Multisig info not provided");
signing_abort();
return;
}
tx->inputs[0].script_sig.size = compile_script_multisig(&(tx->inputs[0].multisig), tx->inputs[0].script_sig.bytes);
} else { // SPENDADDRESS
ecdsa_get_pubkeyhash(node.public_key, hash);
tx->inputs[0].script_sig.size = compile_script_sig(coin->address_type, hash, tx->inputs[0].script_sig.bytes);
}
if (tx->inputs[0].script_sig.size == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to compile input");
signing_abort();
return;
}
memcpy(privkey, node.private_key, 32);
memcpy(pubkey, node.public_key, 33);
} else {
tx->inputs[0].script_sig.size = 0;
}
if (!tx_serialize_input_hash(&ti, tx->inputs)) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize input");
signing_abort();
return;
}
if (idx2 < inputs_count - 1) {
idx2++;
send_req_4_input();
} else {
idx2 = 0;
send_req_4_output();
}
return;
case STAGE_REQUEST_4_OUTPUT:
co = compile_output(coin, root, tx->outputs, &bin_output, false);
if (co < 0) {
fsm_sendFailure(FailureType_Failure_Other, "Signing cancelled by user");
signing_abort();
return;
} else if (co == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output");
signing_abort();
return;
}
sha256_Update(&tc, (const uint8_t *)&bin_output, sizeof(TxOutputBinType));
if (!tx_serialize_output_hash(&ti, &bin_output)) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize output");
signing_abort();
return;
}
if (idx2 < outputs_count - 1) {
idx2++;
send_req_4_output();
} else {
sha256_Final(hash, &tc);
if (memcmp(hash, hash_check, 32) != 0) {
fsm_sendFailure(FailureType_Failure_Other, "Transaction has changed during signing");
signing_abort();
return;
}
tx_hash_final(&ti, hash, false);
resp.has_serialized = true;
resp.serialized.has_signature_index = true;
resp.serialized.signature_index = idx1;
resp.serialized.has_signature = true;
resp.serialized.has_serialized_tx = true;
ecdsa_sign_digest(&secp256k1, privkey, hash, sig, 0);
resp.serialized.signature.size = ecdsa_sig_to_der(sig, resp.serialized.signature.bytes);
if (input.script_type == InputScriptType_SPENDMULTISIG) {
if (!input.has_multisig) {
fsm_sendFailure(FailureType_Failure_Other, "Multisig info not provided");
signing_abort();
return;
}
// fill in the signature
int pubkey_idx = cryptoMultisigPubkeyIndex(&(input.multisig), pubkey);
if (pubkey_idx < 0) {
fsm_sendFailure(FailureType_Failure_Other, "Pubkey not found in multisig script");
signing_abort();
return;
}
memcpy(input.multisig.signatures[pubkey_idx].bytes, resp.serialized.signature.bytes, resp.serialized.signature.size);
input.multisig.signatures[pubkey_idx].size = resp.serialized.signature.size;
input.script_sig.size = serialize_script_multisig(&(input.multisig), input.script_sig.bytes);
if (input.script_sig.size == 0) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize multisig script");
signing_abort();
return;
}
} else { // SPENDADDRESS
input.script_sig.size = serialize_script_sig(resp.serialized.signature.bytes, resp.serialized.signature.size, pubkey, 33, input.script_sig.bytes);
}
resp.serialized.serialized_tx.size = tx_serialize_input(&to, &input, resp.serialized.serialized_tx.bytes);
if (idx1 < inputs_count - 1) {
idx1++;
idx2 = 0;
send_req_4_input();
} else {
idx1 = 0;
send_req_5_output();
}
}
return;
case STAGE_REQUEST_5_OUTPUT:
if (compile_output(coin, root, tx->outputs, &bin_output,false) <= 0) {
fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output");
signing_abort();
return;
}
resp.has_serialized = true;
resp.serialized.has_serialized_tx = true;
resp.serialized.serialized_tx.size = tx_serialize_output(&to, &bin_output, resp.serialized.serialized_tx.bytes);
if (idx1 < outputs_count - 1) {
idx1++;
send_req_5_output();
} else {
send_req_finished();
signing_abort();
}
return;
}
fsm_sendFailure(FailureType_Failure_Other, "Signing error");
signing_abort();
}
void fsm_msgDecryptMessage(DecryptMessage *msg)
{
if (!storage_is_initialized())
{
fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized");
return;
}
if(!msg->has_nonce)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "No nonce provided");
return;
}
if(!msg->has_message)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "No message provided");
return;
}
if(!msg->has_hmac)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "No message hmac provided");
return;
}
curve_point nonce_pubkey;
if(msg->nonce.size != 33 ||
ecdsa_read_pubkey(&secp256k1, msg->nonce.bytes, &nonce_pubkey) == 0)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "Invalid nonce provided");
return;
}
if(!pin_protect_cached())
{
go_home();
return;
}
const HDNode *node = fsm_getDerivedNode(msg->address_n, msg->address_n_count);
if(!node) { return; }
layout_simple_message("Decrypting Message...");
RESP_INIT(DecryptedMessage);
bool display_only = false;
bool signing = false;
uint8_t address_raw[21];
if(cryptoMessageDecrypt(&nonce_pubkey, msg->message.bytes, msg->message.size,
msg->hmac.bytes, msg->hmac.size, node->private_key, resp->message.bytes,
&(resp->message.size), &display_only, &signing, address_raw) != 0)
{
fsm_sendFailure(FailureType_Failure_ActionCancelled,
"Error decrypting message");
go_home();
return;
}
if(signing)
{
base58_encode_check(address_raw, 21, resp->address, sizeof(resp->address));
}
if(!confirm_decrypt_msg((char *)resp->message.bytes,
signing ? resp->address : 0))
{
fsm_sendFailure(FailureType_Failure_ActionCancelled,
"Decrypt message cancelled");
go_home();
return;
}
if(display_only)
{
resp->has_address = false;
resp->has_message = false;
memset(resp->address, 0, sizeof(resp->address));
memset(&(resp->message), 0, sizeof(resp->message));
}
else
{
resp->has_address = signing;
resp->has_message = true;
}
msg_write(MessageType_MessageType_DecryptedMessage, resp);
go_home();
}
void fsm_msgEncryptMessage(EncryptMessage *msg)
{
if (!storage_is_initialized())
{
fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized");
return;
}
if(!msg->has_pubkey)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "No public key provided");
return;
}
if(!msg->has_message)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "No message provided");
return;
}
curve_point pubkey;
if(msg->pubkey.size != 33 ||
ecdsa_read_pubkey(&secp256k1, msg->pubkey.bytes, &pubkey) == 0)
{
fsm_sendFailure(FailureType_Failure_SyntaxError, "Invalid public key provided");
return;
}
bool display_only = msg->has_display_only && msg->display_only;
bool signing = msg->address_n_count > 0;
RESP_INIT(EncryptedMessage);
const CoinType *coin = 0;
const HDNode *node = 0;
uint8_t address_raw[21];
if(signing)
{
coin = coinByName(msg->coin_name);
if(!coin)
{
fsm_sendFailure(FailureType_Failure_Other, "Invalid coin name");
return;
}
if(!pin_protect_cached())
{
go_home();
return;
}
node = fsm_getDerivedNode(msg->address_n, msg->address_n_count);
if(!node) { return; }
uint8_t public_key[33];
ecdsa_get_public_key33(&secp256k1, node->private_key, public_key);
ecdsa_get_address_raw(public_key, coin->address_type, address_raw);
}
if(!confirm_encrypt_msg((char *)msg->message.bytes, signing))
{
fsm_sendFailure(FailureType_Failure_ActionCancelled,
"Encrypt message cancelled");
go_home();
return;
}
layout_simple_message("Encrypting Message...");
if(cryptoMessageEncrypt(&pubkey, msg->message.bytes, msg->message.size,
display_only,
resp->nonce.bytes, &(resp->nonce.size), resp->message.bytes,
&(resp->message.size),
resp->hmac.bytes, &(resp->hmac.size), signing ? node->private_key : 0,
signing ? address_raw : 0) != 0)
{
fsm_sendFailure(FailureType_Failure_ActionCancelled,
"Error encrypting message");
go_home();
return;
}
resp->has_nonce = true;
resp->has_message = true;
resp->has_hmac = true;
msg_write(MessageType_MessageType_EncryptedMessage, resp);
go_home();
}
void fsm_msgSignIdentity(SignIdentity *msg)
{
RESP_INIT(SignedIdentity);
if (!storage_is_initialized())
{
fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized");
return;
}
if(!confirm_sign_identity(&(msg->identity),
msg->has_challenge_visual ? msg->challenge_visual : 0))
{
fsm_sendFailure(FailureType_Failure_ActionCancelled, "Sign identity cancelled");
go_home();
return;
}
if(!pin_protect_cached())
{
go_home();
return;
}
uint8_t hash[32];
if(!msg->has_identity || cryptoIdentityFingerprint(&(msg->identity), hash) == 0)
{
fsm_sendFailure(FailureType_Failure_Other, "Invalid identity");
go_home();
return;
}
uint32_t address_n[5];
address_n[0] = 0x80000000 | 13;
address_n[1] = 0x80000000 | hash[ 0] | (hash[ 1] << 8) | (hash[ 2] << 16) |
(hash[ 3] << 24);
address_n[2] = 0x80000000 | hash[ 4] | (hash[ 5] << 8) | (hash[ 6] << 16) |
(hash[ 7] << 24);
address_n[3] = 0x80000000 | hash[ 8] | (hash[ 9] << 8) | (hash[10] << 16) |
(hash[11] << 24);
address_n[4] = 0x80000000 | hash[12] | (hash[13] << 8) | (hash[14] << 16) |
(hash[15] << 24);
const HDNode *node = fsm_getDerivedNode(address_n, 5);
if(!node) { return; }
uint8_t public_key[33]; // copy public key to temporary buffer
memcpy(public_key, node->public_key, sizeof(public_key));
if(msg->has_ecdsa_curve_name)
{
const ecdsa_curve *curve = get_curve_by_name(msg->ecdsa_curve_name);
if(curve)
{
// correct public key (since fsm_getDerivedNode uses secp256k1 curve)
ecdsa_get_public_key33(curve, node->private_key, public_key);
}
}
bool sign_ssh = msg->identity.has_proto && (strcmp(msg->identity.proto, "ssh") == 0);
int result = 0;
layout_simple_message("Signing Identity...");
if(sign_ssh) // SSH does not sign visual challenge
{
result = sshMessageSign(msg->challenge_hidden.bytes, msg->challenge_hidden.size,
node->private_key, resp->signature.bytes);
}
else
{
uint8_t digest[64];
sha256_Raw(msg->challenge_hidden.bytes, msg->challenge_hidden.size, digest);
sha256_Raw((const uint8_t *)msg->challenge_visual, strlen(msg->challenge_visual),
digest + 32);
result = cryptoMessageSign(&(coins[0]), digest, 64, node->private_key, resp->signature.bytes);
}
if(result == 0)
{
if(sign_ssh)
{
resp->has_address = false;
}
else
{
resp->has_address = true;
uint8_t addr_raw[21];
ecdsa_get_address_raw(node->public_key, 0x00, addr_raw); // hardcoded Bitcoin address type
base58_encode_check(addr_raw, 21, resp->address, sizeof(resp->address));
}
resp->has_public_key = true;
resp->public_key.size = 33;
memcpy(resp->public_key.bytes, public_key, 33);
resp->has_signature = true;
resp->signature.size = 65;
msg_write(MessageType_MessageType_SignedIdentity, resp);
}
else
{
fsm_sendFailure(FailureType_Failure_Other, "Error signing identity");
}
go_home();
}
