From 18983dcf376661564dac2bc6b5b8d1355f191ef3 Mon Sep 17 00:00:00 2001 From: Z4karia Date: Fri, 17 May 2024 11:49:53 +0200 Subject: [PATCH 1/5] audit fix --- app/src/chain_config.c | 2 +- app/src/crypto.c | 2 +- app/src/crypto.h | 1 + app/src/json/json_parser.c | 6 +++++- app/src/secret.c | 1 - app/src/tx_validate.c | 4 ++++ 6 files changed, 12 insertions(+), 4 deletions(-) diff --git a/app/src/chain_config.c b/app/src/chain_config.c index 34b6d0f..10783a2 100644 --- a/app/src/chain_config.c +++ b/app/src/chain_config.c @@ -17,7 +17,7 @@ #include address_encoding_e checkChainConfig(uint32_t path) { - // Always allowed for 118 (default Cosmos) + // Always allowed for 931 (default THORChain) if (path == HDPATH_1_DEFAULT) { return BECH32_COSMOS; } diff --git a/app/src/crypto.c b/app/src/crypto.c index edf4080..bc55bd0 100644 --- a/app/src/crypto.c +++ b/app/src/crypto.c @@ -199,7 +199,7 @@ zxerr_t crypto_fillAddress(uint8_t *buffer, uint16_t buffer_len, uint16_t *addrR return zxerr_unknown; } CHECK_CX_OK(cx_hash_no_throw((cx_hash_t *)&ctx, CX_LAST, uncompressedPubkey+1, sizeof(uncompressedPubkey)-1, hashed1_pk, sizeof(hashed1_pk))); - CHECK_ZXERR(bech32EncodeFromBytes(addr, buffer_len - PK_LEN_SECP256K1, bech32_hrp, hashed1_pk + 12, sizeof(hashed1_pk) - 12, 1, BECH32_ENCODING_BECH32)); + CHECK_ZXERR(bech32EncodeFromBytes(addr, buffer_len - PK_LEN_SECP256K1, bech32_hrp, hashed1_pk + ETH_ADDRESS_OFFSET, sizeof(hashed1_pk) - ETH_ADDRESS_OFFSET, 1, BECH32_ENCODING_BECH32)); break; } diff --git a/app/src/crypto.h b/app/src/crypto.h index 7b21629..a9d1a0c 100644 --- a/app/src/crypto.h +++ b/app/src/crypto.h @@ -27,6 +27,7 @@ extern "C" { #include "zxerror.h" #define MAX_BECH32_HRP_LEN 83u +#define ETH_ADDRESS_OFFSET 12u extern uint32_t hdPath[HDPATH_LEN_DEFAULT]; extern char bech32_hrp[MAX_BECH32_HRP_LEN + 1]; diff --git a/app/src/json/json_parser.c b/app/src/json/json_parser.c index e7adf3f..65ce9a7 100644 --- a/app/src/json/json_parser.c +++ b/app/src/json/json_parser.c @@ -22,6 +22,10 @@ #define EQUALS(_P, _Q, _LEN) (MEMCMP( (const void*) PIC(_P), (const void*) PIC(_Q), (_LEN))==0) parser_error_t json_parse(parsed_json_t *parsed_json, const char *buffer, uint16_t bufferLen) { + if (parsed_json == NULL) { + return parser_init_context_empty; + } + jsmn_parser parser; jsmn_init(&parser); @@ -78,7 +82,7 @@ parser_error_t array_get_element_count(const parsed_json_t *json, uint16_t array_token_index, uint16_t *number_elements) { *number_elements = 0; - if (array_token_index < 0 || array_token_index > json->numberOfTokens) { + if (array_token_index > json->numberOfTokens) { return parser_no_data; } diff --git a/app/src/secret.c b/app/src/secret.c index 155acb9..0e46315 100644 --- a/app/src/secret.c +++ b/app/src/secret.c @@ -29,7 +29,6 @@ void secret_accept() { #endif } -//static char *secret_message = ""; zxerr_t secret_getNumItems(uint8_t *num_items) { *num_items = 0; diff --git a/app/src/tx_validate.c b/app/src/tx_validate.c index b395670..2eed930 100644 --- a/app/src/tx_validate.c +++ b/app/src/tx_validate.c @@ -38,6 +38,10 @@ int8_t is_space(char c) { } int8_t contains_whitespace(parsed_json_t *json) { + if (json == NULL){ + return 1; + } + int start = 0; const int last_element_index = json->tokens[0].end; From 6cdf65cfca29aa99c8b5990001c489ac0de10d7d Mon Sep 17 00:00:00 2001 From: Z4karia Date: Fri, 17 May 2024 13:19:35 +0200 Subject: [PATCH 2/5] chore: Update README.md with instructions for app loading --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 579646f..bb670d2 100644 --- a/README.md +++ b/README.md @@ -154,6 +154,10 @@ Many of our integration tests expect the device to be configured with a known te ### Loading into your development device +To easily setup a development environment for compilation and loading on a physical device, you can use the [VSCode integration](https://marketplace.visualstudio.com/items?itemName=LedgerHQ.ledger-dev-tools) whether you are on Linux, macOS or Windows. + +If you prefer using a terminal to perform the steps manually, you can do the following: + The Makefile will build the firmware in a docker container and leave the binary in the correct directory. - Build @@ -163,9 +167,10 @@ The Makefile will build the firmware in a docker container and leave the binary ``` - Upload to a device - The following command will upload the application to the ledger. _Warning: The application will be deleted before uploading._ + The following commands will upload the application to the ledger. _Warning: The application will be deleted before uploading._ ``` - make load # Builds and loads the app to the device + make shellS # Or shellS2, shellX + make load ``` ## APDU Specifications From 48b91c7d420509de5cb30c9329a04feddda3aedb Mon Sep 17 00:00:00 2001 From: Z4karia Date: Fri, 17 May 2024 13:20:08 +0200 Subject: [PATCH 3/5] chore: Update npm dependency for ThorchainApp in tests_zemu --- tests_zemu/package.json | 2 +- tests_zemu/tests/thor.test.ts | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests_zemu/package.json b/tests_zemu/package.json index bd8feec..4221e55 100644 --- a/tests_zemu/package.json +++ b/tests_zemu/package.json @@ -18,7 +18,7 @@ "test": "yarn clean && jest --maxConcurrency 2" }, "dependencies": { - "@zondax/ledger-cosmos-js": "^3.0.3", + "@blooo/ledger-thorchain-js": "^1.0.1", "@zondax/zemu": "^0.46.0" }, "devDependencies": { diff --git a/tests_zemu/tests/thor.test.ts b/tests_zemu/tests/thor.test.ts index 0425dd5..4263880 100644 --- a/tests_zemu/tests/thor.test.ts +++ b/tests_zemu/tests/thor.test.ts @@ -16,7 +16,7 @@ import Zemu, { ClickNavigation, TouchNavigation, IDeviceModel } from '@zondax/zemu' // @ts-ignore -import { CosmosApp } from '@zondax/ledger-cosmos-js' +import { ThorchainApp } from '@blooo/ledger-thorchain-js' import { defaultOptions, DEVICE_MODELS, @@ -37,7 +37,7 @@ async function signAndVerifyTransaction(m: IDeviceModel, test_name: String, tran const sim = new Zemu(m.path); try { await sim.start({ ...defaultOptions, model: m.name }); - const app = new CosmosApp(sim.getTransport()); + const app = new ThorchainApp(sim.getTransport()); const path = [44, 931, 0, 0, 0]; const tx = Buffer.from(JSON.stringify(transaction), "utf-8"); @@ -50,7 +50,7 @@ async function signAndVerifyTransaction(m: IDeviceModel, test_name: String, tran console.log(respPk); // do not wait here.. - const signatureRequest = app.sign(path, tx, hrp, AMINO_JSON_TX); + const signatureRequest = app.sign(path, tx, AMINO_JSON_TX); // Wait until we are not in the main menu await sim.waitUntilScreenIsNot(sim.getMainMenuSnapshot()); From d7498fae3cae3edb45149abcddc2204841764c15 Mon Sep 17 00:00:00 2001 From: Z4karia Date: Fri, 17 May 2024 13:26:32 +0200 Subject: [PATCH 4/5] chore: Remove debug flags in Makefile --- app/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/app/Makefile b/app/Makefile index 3a58b95..5d4ac98 100755 --- a/app/Makefile +++ b/app/Makefile @@ -66,7 +66,6 @@ endif include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.platform DEFINES += HAVE_HASH HAVE_BLAKE2 HAVE_SHA256 HAVE_SHA512 CFLAGS += -I$(MY_DIR)/../deps/tinycbor/src -CFLAGS += -g3 -ggdb3 -O3 APP_SOURCE_PATH += $(MY_DIR)/../deps/tinycbor-ledger APP_SOURCE_PATH += $(MY_DIR)/../deps/jsmn/src From cf0ab2de8189f9641fd955b9962a8c9b3930ff41 Mon Sep 17 00:00:00 2001 From: Z4karia Date: Fri, 17 May 2024 13:27:02 +0200 Subject: [PATCH 5/5] chore: Bump patch version --- app/Makefile.version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Makefile.version b/app/Makefile.version index 42b9d95..75c1711 100644 --- a/app/Makefile.version +++ b/app/Makefile.version @@ -3,4 +3,4 @@ APPVERSION_M=2 # This is the `spec_version` field of `Runtime` APPVERSION_N=3 # This is the patch version of this release -APPVERSION_P=0 +APPVERSION_P=1