/* * boot() - Runs through application firmware checking, and then boots * * INPUT * none * OUTPUT * true/false whether boot was successful * */ static bool boot(void) { if(magic_ok()) { layout_home(); if(signatures_ok() == 0) /* Signature check failed */ { delay_ms(500); if(!confirm_without_button_request("Unofficial Firmware", "Do you want to continue booting?")) { layout_simple_message("Boot Aborted"); goto cancel_boot; } layout_home(); } led_func(CLR_RED_LED); cm_disable_interrupts(); set_vector_table_application(); application_jump(); } else { layout_simple_message("Please Reinstall Firmware"); goto cancel_boot; } cancel_boot: return(false); }
/* * run_passphrase_state() - Passphrase state machine * * INPUT * - passphrase_state: current passphrase input state * - passphrase_info: passphrase information * OUTPUT * none */ static void run_passphrase_state(PassphraseState *passphrase_state, PassphraseInfo *passphrase_info) { switch(*passphrase_state) { /* Send passphrase request */ case PASSPHRASE_REQUEST: send_passphrase_request(); *passphrase_state = PASSPHRASE_WAITING; layout_simple_message("Waiting for Passphrase..."); break; /* Wait for a passphrase */ case PASSPHRASE_WAITING: wait_for_passphrase_ack(passphrase_info); if(passphrase_info->passphrase_ack_msg != PASSPHRASE_ACK_WAITING) { *passphrase_state = PASSPHRASE_FINISHED; } break; case PASSPHRASE_ACK: case PASSPHRASE_FINISHED: default: break; } }
/* * update_fw() - Firmware update mode * * INPUT * none * OUTPUT * none * */ static void update_fw(void) { led_func(CLR_GREEN_LED); if(usb_flash_firmware()) { layout_standard_notification("Firmware Update Complete", "Please disconnect and reconnect.", NOTIFICATION_UNPLUG); display_refresh(); } else { layout_simple_message("Firmware Update Failure, Try Again"); } }
void fsm_msgSignTx(SignTx *msg) { if (!storage_is_initialized()) { fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized"); return; } if(msg->inputs_count < 1) { fsm_sendFailure(FailureType_Failure_Other, "Transaction must have at least one input"); go_home(); return; } if(msg->outputs_count < 1) { fsm_sendFailure(FailureType_Failure_Other, "Transaction must have at least one output"); go_home(); return; } if(!pin_protect("Enter Current PIN")) { go_home(); return; } const CoinType *coin = fsm_getCoin(msg->coin_name); if(!coin) { return; } /* master node */ const HDNode *node = fsm_getDerivedNode(0, 0); if(!node) { return; } layout_simple_message("Preparing Transaction..."); signing_init(msg->inputs_count, msg->outputs_count, coin, node); }
void fsm_msgVerifyMessage(VerifyMessage *msg) { if(!msg->has_address) { fsm_sendFailure(FailureType_Failure_Other, "No address provided"); return; } if(!msg->has_message) { fsm_sendFailure(FailureType_Failure_Other, "No message provided"); return; } const CoinType *coin = fsm_getCoin(msg->coin_name); if (!coin) return; layout_simple_message("Verifying Message..."); uint8_t addr_raw[21]; if(!ecdsa_address_decode(msg->address, addr_raw)) { fsm_sendFailure(FailureType_Failure_InvalidSignature, "Invalid address"); } if(msg->signature.size == 65 && cryptoMessageVerify(coin, msg->message.bytes, msg->message.size, addr_raw, msg->signature.bytes) == 0) { if(review(ButtonRequestType_ButtonRequest_Other, "Message Verified", (char *)msg->message.bytes)) { fsm_sendSuccess("Message verified"); } } else { fsm_sendFailure(FailureType_Failure_InvalidSignature, "Invalid signature"); } go_home(); }
void signing_txack(TransactionType *tx) { if (!signing) { fsm_sendFailure(FailureType_Failure_UnexpectedMessage, "Not in Signing mode"); go_home(); return; } int co; memset(&resp, 0, sizeof(TxRequest)); switch (signing_stage) { case STAGE_REQUEST_1_INPUT: /* compute multisig fingerprint */ /* (if all input share the same fingerprint, outputs having the same fingerprint will be considered as change outputs) */ if (tx->inputs[0].script_type == InputScriptType_SPENDMULTISIG) { if (tx->inputs[0].has_multisig && !multisig_fp_mismatch) { if (multisig_fp_set) { uint8_t h[32]; if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), h) == 0) { fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); signing_abort(); return; } if (memcmp(multisig_fp, h, 32) != 0) { multisig_fp_mismatch = true; } } else { if (cryptoMultisigFingerprint(&(tx->inputs[0].multisig), multisig_fp) == 0) { fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); signing_abort(); return; } multisig_fp_set = true; } } } else { // InputScriptType_SPENDADDRESS multisig_fp_mismatch = true; } sha256_Update(&tc, (const uint8_t *)tx->inputs, sizeof(TxInputType)); memcpy(&input, tx->inputs, sizeof(TxInputType)); send_req_2_prev_meta(); return; case STAGE_REQUEST_2_PREV_META: tx_init(&tp, tx->inputs_cnt, tx->outputs_cnt, tx->version, tx->lock_time, false); idx2 = 0; send_req_2_prev_input(); return; case STAGE_REQUEST_2_PREV_INPUT: if (!tx_serialize_input_hash(&tp, tx->inputs)) { fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize input"); signing_abort(); return; } if (idx2 < tp.inputs_len - 1) { idx2++; send_req_2_prev_input(); } else { idx2 = 0; send_req_2_prev_output(); } return; case STAGE_REQUEST_2_PREV_OUTPUT: if (!tx_serialize_output_hash(&tp, tx->bin_outputs)) { fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize output"); signing_abort(); return; } if (idx2 == input.prev_index) { to_spend += tx->bin_outputs[0].amount; } if (idx2 < tp.outputs_len - 1) { /* Check prevtx of next input */ idx2++; send_req_2_prev_output(); } else { /* Check next output */ tx_hash_final(&tp, hash, true); if (memcmp(hash, input.prev_hash.bytes, 32) != 0) { fsm_sendFailure(FailureType_Failure_Other, "Encountered invalid prevhash"); signing_abort(); return; } if (idx1 < inputs_count - 1) { idx1++; send_req_1_input(); } else { idx1 = 0; send_req_3_output(); } } return; case STAGE_REQUEST_3_OUTPUT: { /* Downloaded output idx1 the first time. * Add it to transaction check * Ask for permission. */ bool is_change = false; if (tx->outputs[0].script_type == OutputScriptType_PAYTOMULTISIG && tx->outputs[0].has_multisig && multisig_fp_set && !multisig_fp_mismatch) { uint8_t h[32]; if (cryptoMultisigFingerprint(&(tx->outputs[0].multisig), h) == 0) { fsm_sendFailure(FailureType_Failure_Other, "Error computing multisig fingeprint"); signing_abort(); return; } if (memcmp(multisig_fp, h, 32) == 0) { is_change = true; } } else { if(tx->outputs[0].has_address_type) { if(check_valid_output_address(tx->outputs) == false) { fsm_sendFailure(FailureType_Failure_Other, "Invalid output address type"); signing_abort(); return; } if(tx->outputs[0].script_type == OutputScriptType_PAYTOADDRESS && tx->outputs[0].address_n_count > 0 && tx->outputs[0].address_type == OutputAddressType_CHANGE) { is_change = true; } } else if(tx->outputs[0].script_type == OutputScriptType_PAYTOADDRESS && tx->outputs[0].address_n_count > 0) { is_change = true; } } if (is_change) { if (change_spend == 0) { // not set change_spend = tx->outputs[0].amount; } else { fsm_sendFailure(FailureType_Failure_Other, "Only one change output allowed"); signing_abort(); return; } } spending += tx->outputs[0].amount; co = compile_output(coin, root, tx->outputs, &bin_output, !is_change); if (co < 0) { fsm_sendFailure(FailureType_Failure_Other, "Signing cancelled by user"); signing_abort(); return; } else if (co == 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output"); signing_abort(); return; } sha256_Update(&tc, (const uint8_t *)&bin_output, sizeof(TxOutputBinType)); if (idx1 < outputs_count - 1) { idx1++; send_req_3_output(); } else { sha256_Final(hash_check, &tc); // check fees if (spending > to_spend) { fsm_sendFailure(FailureType_Failure_NotEnoughFunds, "Not enough funds"); signing_abort(); return; } uint64_t fee = to_spend - spending; uint32_t tx_est_size = transactionEstimateSizeKb(inputs_count, outputs_count); char total_amount_str[32]; char fee_str[32]; coin_amnt_to_str(coin, fee, fee_str, sizeof(fee_str)); if(fee > (uint64_t)tx_est_size * coin->maxfee_kb) { if (!confirm(ButtonRequestType_ButtonRequest_FeeOverThreshold, "Confirm Fee", "%s", fee_str)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Fee over threshold. Signing cancelled."); signing_abort(); return; } } // last confirmation coin_amnt_to_str(coin, to_spend - change_spend, total_amount_str, sizeof(total_amount_str)); if(!confirm_transaction(total_amount_str, fee_str)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Signing cancelled by user"); signing_abort(); return; } // Everything was checked, now phase 2 begins and the transaction is signed. layout_simple_message("Signing Transaction..."); idx1 = 0; idx2 = 0; send_req_4_input(); } return; } case STAGE_REQUEST_4_INPUT: if (idx2 == 0) { tx_init(&ti, inputs_count, outputs_count, version, lock_time, true); sha256_Init(&tc); sha256_Update(&tc, (const uint8_t *)&inputs_count, sizeof(inputs_count)); sha256_Update(&tc, (const uint8_t *)&outputs_count, sizeof(outputs_count)); sha256_Update(&tc, (const uint8_t *)&version, sizeof(version)); sha256_Update(&tc, (const uint8_t *)&lock_time, sizeof(lock_time)); memset(privkey, 0, 32); memset(pubkey, 0, 33); } sha256_Update(&tc, (const uint8_t *)tx->inputs, sizeof(TxInputType)); if (idx2 == idx1) { memcpy(&input, tx->inputs, sizeof(TxInputType)); memcpy(&node, root, sizeof(HDNode)); if (hdnode_private_ckd_cached(&node, tx->inputs[0].address_n, tx->inputs[0].address_n_count) == 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to derive private key"); signing_abort(); return; } if (tx->inputs[0].script_type == InputScriptType_SPENDMULTISIG) { if (!tx->inputs[0].has_multisig) { fsm_sendFailure(FailureType_Failure_Other, "Multisig info not provided"); signing_abort(); return; } tx->inputs[0].script_sig.size = compile_script_multisig(&(tx->inputs[0].multisig), tx->inputs[0].script_sig.bytes); } else { // SPENDADDRESS ecdsa_get_pubkeyhash(node.public_key, hash); tx->inputs[0].script_sig.size = compile_script_sig(coin->address_type, hash, tx->inputs[0].script_sig.bytes); } if (tx->inputs[0].script_sig.size == 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to compile input"); signing_abort(); return; } memcpy(privkey, node.private_key, 32); memcpy(pubkey, node.public_key, 33); } else { tx->inputs[0].script_sig.size = 0; } if (!tx_serialize_input_hash(&ti, tx->inputs)) { fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize input"); signing_abort(); return; } if (idx2 < inputs_count - 1) { idx2++; send_req_4_input(); } else { idx2 = 0; send_req_4_output(); } return; case STAGE_REQUEST_4_OUTPUT: co = compile_output(coin, root, tx->outputs, &bin_output, false); if (co < 0) { fsm_sendFailure(FailureType_Failure_Other, "Signing cancelled by user"); signing_abort(); return; } else if (co == 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output"); signing_abort(); return; } sha256_Update(&tc, (const uint8_t *)&bin_output, sizeof(TxOutputBinType)); if (!tx_serialize_output_hash(&ti, &bin_output)) { fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize output"); signing_abort(); return; } if (idx2 < outputs_count - 1) { idx2++; send_req_4_output(); } else { sha256_Final(hash, &tc); if (memcmp(hash, hash_check, 32) != 0) { fsm_sendFailure(FailureType_Failure_Other, "Transaction has changed during signing"); signing_abort(); return; } tx_hash_final(&ti, hash, false); resp.has_serialized = true; resp.serialized.has_signature_index = true; resp.serialized.signature_index = idx1; resp.serialized.has_signature = true; resp.serialized.has_serialized_tx = true; ecdsa_sign_digest(&secp256k1, privkey, hash, sig, 0); resp.serialized.signature.size = ecdsa_sig_to_der(sig, resp.serialized.signature.bytes); if (input.script_type == InputScriptType_SPENDMULTISIG) { if (!input.has_multisig) { fsm_sendFailure(FailureType_Failure_Other, "Multisig info not provided"); signing_abort(); return; } // fill in the signature int pubkey_idx = cryptoMultisigPubkeyIndex(&(input.multisig), pubkey); if (pubkey_idx < 0) { fsm_sendFailure(FailureType_Failure_Other, "Pubkey not found in multisig script"); signing_abort(); return; } memcpy(input.multisig.signatures[pubkey_idx].bytes, resp.serialized.signature.bytes, resp.serialized.signature.size); input.multisig.signatures[pubkey_idx].size = resp.serialized.signature.size; input.script_sig.size = serialize_script_multisig(&(input.multisig), input.script_sig.bytes); if (input.script_sig.size == 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to serialize multisig script"); signing_abort(); return; } } else { // SPENDADDRESS input.script_sig.size = serialize_script_sig(resp.serialized.signature.bytes, resp.serialized.signature.size, pubkey, 33, input.script_sig.bytes); } resp.serialized.serialized_tx.size = tx_serialize_input(&to, &input, resp.serialized.serialized_tx.bytes); if (idx1 < inputs_count - 1) { idx1++; idx2 = 0; send_req_4_input(); } else { idx1 = 0; send_req_5_output(); } } return; case STAGE_REQUEST_5_OUTPUT: if (compile_output(coin, root, tx->outputs, &bin_output,false) <= 0) { fsm_sendFailure(FailureType_Failure_Other, "Failed to compile output"); signing_abort(); return; } resp.has_serialized = true; resp.serialized.has_serialized_tx = true; resp.serialized.serialized_tx.size = tx_serialize_output(&to, &bin_output, resp.serialized.serialized_tx.bytes); if (idx1 < outputs_count - 1) { idx1++; send_req_5_output(); } else { send_req_finished(); signing_abort(); } return; } fsm_sendFailure(FailureType_Failure_Other, "Signing error"); signing_abort(); }
void fsm_msgDecryptMessage(DecryptMessage *msg) { if (!storage_is_initialized()) { fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized"); return; } if(!msg->has_nonce) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No nonce provided"); return; } if(!msg->has_message) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No message provided"); return; } if(!msg->has_hmac) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No message hmac provided"); return; } curve_point nonce_pubkey; if(msg->nonce.size != 33 || ecdsa_read_pubkey(&secp256k1, msg->nonce.bytes, &nonce_pubkey) == 0) { fsm_sendFailure(FailureType_Failure_SyntaxError, "Invalid nonce provided"); return; } if(!pin_protect_cached()) { go_home(); return; } const HDNode *node = fsm_getDerivedNode(msg->address_n, msg->address_n_count); if(!node) { return; } layout_simple_message("Decrypting Message..."); RESP_INIT(DecryptedMessage); bool display_only = false; bool signing = false; uint8_t address_raw[21]; if(cryptoMessageDecrypt(&nonce_pubkey, msg->message.bytes, msg->message.size, msg->hmac.bytes, msg->hmac.size, node->private_key, resp->message.bytes, &(resp->message.size), &display_only, &signing, address_raw) != 0) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Error decrypting message"); go_home(); return; } if(signing) { base58_encode_check(address_raw, 21, resp->address, sizeof(resp->address)); } if(!confirm_decrypt_msg((char *)resp->message.bytes, signing ? resp->address : 0)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Decrypt message cancelled"); go_home(); return; } if(display_only) { resp->has_address = false; resp->has_message = false; memset(resp->address, 0, sizeof(resp->address)); memset(&(resp->message), 0, sizeof(resp->message)); } else { resp->has_address = signing; resp->has_message = true; } msg_write(MessageType_MessageType_DecryptedMessage, resp); go_home(); }
void fsm_msgEncryptMessage(EncryptMessage *msg) { if (!storage_is_initialized()) { fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized"); return; } if(!msg->has_pubkey) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No public key provided"); return; } if(!msg->has_message) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No message provided"); return; } curve_point pubkey; if(msg->pubkey.size != 33 || ecdsa_read_pubkey(&secp256k1, msg->pubkey.bytes, &pubkey) == 0) { fsm_sendFailure(FailureType_Failure_SyntaxError, "Invalid public key provided"); return; } bool display_only = msg->has_display_only && msg->display_only; bool signing = msg->address_n_count > 0; RESP_INIT(EncryptedMessage); const CoinType *coin = 0; const HDNode *node = 0; uint8_t address_raw[21]; if(signing) { coin = coinByName(msg->coin_name); if(!coin) { fsm_sendFailure(FailureType_Failure_Other, "Invalid coin name"); return; } if(!pin_protect_cached()) { go_home(); return; } node = fsm_getDerivedNode(msg->address_n, msg->address_n_count); if(!node) { return; } uint8_t public_key[33]; ecdsa_get_public_key33(&secp256k1, node->private_key, public_key); ecdsa_get_address_raw(public_key, coin->address_type, address_raw); } if(!confirm_encrypt_msg((char *)msg->message.bytes, signing)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Encrypt message cancelled"); go_home(); return; } layout_simple_message("Encrypting Message..."); if(cryptoMessageEncrypt(&pubkey, msg->message.bytes, msg->message.size, display_only, resp->nonce.bytes, &(resp->nonce.size), resp->message.bytes, &(resp->message.size), resp->hmac.bytes, &(resp->hmac.size), signing ? node->private_key : 0, signing ? address_raw : 0) != 0) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Error encrypting message"); go_home(); return; } resp->has_nonce = true; resp->has_message = true; resp->has_hmac = true; msg_write(MessageType_MessageType_EncryptedMessage, resp); go_home(); }
void fsm_msgSignIdentity(SignIdentity *msg) { RESP_INIT(SignedIdentity); if (!storage_is_initialized()) { fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized"); return; } if(!confirm_sign_identity(&(msg->identity), msg->has_challenge_visual ? msg->challenge_visual : 0)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "Sign identity cancelled"); go_home(); return; } if(!pin_protect_cached()) { go_home(); return; } uint8_t hash[32]; if(!msg->has_identity || cryptoIdentityFingerprint(&(msg->identity), hash) == 0) { fsm_sendFailure(FailureType_Failure_Other, "Invalid identity"); go_home(); return; } uint32_t address_n[5]; address_n[0] = 0x80000000 | 13; address_n[1] = 0x80000000 | hash[ 0] | (hash[ 1] << 8) | (hash[ 2] << 16) | (hash[ 3] << 24); address_n[2] = 0x80000000 | hash[ 4] | (hash[ 5] << 8) | (hash[ 6] << 16) | (hash[ 7] << 24); address_n[3] = 0x80000000 | hash[ 8] | (hash[ 9] << 8) | (hash[10] << 16) | (hash[11] << 24); address_n[4] = 0x80000000 | hash[12] | (hash[13] << 8) | (hash[14] << 16) | (hash[15] << 24); const HDNode *node = fsm_getDerivedNode(address_n, 5); if(!node) { return; } uint8_t public_key[33]; // copy public key to temporary buffer memcpy(public_key, node->public_key, sizeof(public_key)); if(msg->has_ecdsa_curve_name) { const ecdsa_curve *curve = get_curve_by_name(msg->ecdsa_curve_name); if(curve) { // correct public key (since fsm_getDerivedNode uses secp256k1 curve) ecdsa_get_public_key33(curve, node->private_key, public_key); } } bool sign_ssh = msg->identity.has_proto && (strcmp(msg->identity.proto, "ssh") == 0); int result = 0; layout_simple_message("Signing Identity..."); if(sign_ssh) // SSH does not sign visual challenge { result = sshMessageSign(msg->challenge_hidden.bytes, msg->challenge_hidden.size, node->private_key, resp->signature.bytes); } else { uint8_t digest[64]; sha256_Raw(msg->challenge_hidden.bytes, msg->challenge_hidden.size, digest); sha256_Raw((const uint8_t *)msg->challenge_visual, strlen(msg->challenge_visual), digest + 32); result = cryptoMessageSign(&(coins[0]), digest, 64, node->private_key, resp->signature.bytes); } if(result == 0) { if(sign_ssh) { resp->has_address = false; } else { resp->has_address = true; uint8_t addr_raw[21]; ecdsa_get_address_raw(node->public_key, 0x00, addr_raw); // hardcoded Bitcoin address type base58_encode_check(addr_raw, 21, resp->address, sizeof(resp->address)); } resp->has_public_key = true; resp->public_key.size = 33; memcpy(resp->public_key.bytes, public_key, 33); resp->has_signature = true; resp->signature.size = 65; msg_write(MessageType_MessageType_SignedIdentity, resp); } else { fsm_sendFailure(FailureType_Failure_Other, "Error signing identity"); } go_home(); }