From 2289e9c43f42a25ea6409f7c1111ff3b3a1f4ca2 Mon Sep 17 00:00:00 2001 From: Jan Mazak Date: Tue, 28 Nov 2023 13:47:08 +0100 Subject: [PATCH] conway: fix security policies --- src/securityPolicy.c | 154 +++++++++++++++++++------------------------ src/securityPolicy.h | 3 + src/signTx.c | 17 ++++- src/signTx_ui.c | 3 - 4 files changed, 85 insertions(+), 92 deletions(-) diff --git a/src/securityPolicy.c b/src/securityPolicy.c index e5efa102..7abe6b95 100644 --- a/src/securityPolicy.c +++ b/src/securityPolicy.c @@ -1018,77 +1018,72 @@ security_policy_t policyForSignTxCertificate( DENY(); // should not be reached } -security_policy_t _policyForSignTxCertificateStakeCredential( - sign_tx_signingmode_t txSigningMode, - const ext_credential_t* stakeCredential +// applicable to credentials that are witnessed in this tx +static bool forbiddenCredential( + sign_tx_signingmode_t txSigningMode, + const ext_credential_t* credential ) { - switch (stakeCredential->type) { - case EXT_CREDENTIAL_KEY_PATH: - DENY_UNLESS(bip44_isOrdinaryStakingKeyPath(&stakeCredential->keyPath)); - DENY_IF(violatesSingleAccountOrStoreIt(&stakeCredential->keyPath)); - switch (txSigningMode) { - case SIGN_TX_SIGNINGMODE_ORDINARY_TX: - case SIGN_TX_SIGNINGMODE_PLUTUS_TX: - PROMPT(); - break; - - case SIGN_TX_SIGNINGMODE_MULTISIG_TX: - DENY(); - break; - + // certain combinations of tx signing mode and credential type are not allowed + // either because they don't make sense or are dangerous + switch (txSigningMode) { + case SIGN_TX_SIGNINGMODE_MULTISIG_TX: + switch (credential->type) { + case EXT_CREDENTIAL_KEY_PATH: + case EXT_CREDENTIAL_KEY_HASH: + // everything is expected to be governed by native scripts + return true; default: - // in POOL_REGISTRATION signing modes, this certificate should have already been - // reported as invalid (only pool registration certificate is allowed) - ASSERT(false); break; } break; - case EXT_CREDENTIAL_KEY_HASH: - switch (txSigningMode) { - case SIGN_TX_SIGNINGMODE_PLUTUS_TX: - PROMPT(); - break; - - case SIGN_TX_SIGNINGMODE_ORDINARY_TX: - case SIGN_TX_SIGNINGMODE_MULTISIG_TX: - DENY(); - break; + case SIGN_TX_SIGNINGMODE_PLUTUS_TX: + // everything allowed, txs are too complex for a HW wallet to understand + // and there might be third-party key hashes in the tx + break; + case SIGN_TX_SIGNINGMODE_ORDINARY_TX: + switch (credential->type) { + case EXT_CREDENTIAL_KEY_HASH: + case EXT_CREDENTIAL_SCRIPT_HASH: + // keys must be given by path, otherwise the user does not know + // if the hash corresponds to some of his keys, + // and might inadvertently sign several certificates with a single witness + return true; default: - // in POOL_REGISTRATION signing modes, this certificate should have already been - // reported as invalid (only pool registration certificate is allowed) - ASSERT(false); break; } break; - case EXT_CREDENTIAL_SCRIPT_HASH: - switch (txSigningMode) { - case SIGN_TX_SIGNINGMODE_MULTISIG_TX: - case SIGN_TX_SIGNINGMODE_PLUTUS_TX: - PROMPT(); - break; + default: + // this should not be called in POOL_REGISTRATION signing modes + ASSERT(false); + break; + } - case SIGN_TX_SIGNINGMODE_ORDINARY_TX: - DENY(); - break; + return false; +} - default: - // in POOL_REGISTRATION signing modes, this certificate should have already been - // reported as invalid (only pool registration certificate is allowed) - ASSERT(false); - break; - } +security_policy_t _policyForSignTxCertificateStakeCredential( + sign_tx_signingmode_t txSigningMode, + const ext_credential_t* stakeCredential +) +{ + DENY_IF(forbiddenCredential(txSigningMode, stakeCredential)); + + switch (stakeCredential->type) { + case EXT_CREDENTIAL_KEY_PATH: + DENY_UNLESS(bip44_isOrdinaryStakingKeyPath(&stakeCredential->keyPath)); + DENY_IF(violatesSingleAccountOrStoreIt(&stakeCredential->keyPath)); break; default: - ASSERT(false); + // the rest is OK, forbidden credentials have been dealt with above break; } - DENY(); // should not be reached + PROMPT(); } // for certificates concerning stake keys and stake delegation @@ -1128,27 +1123,22 @@ security_policy_t policyForSignTxCertificateVoteDelegation( } security_policy_t policyForSignTxCertificateCommitteeAuth( + sign_tx_signingmode_t txSigningMode, const ext_credential_t* coldCredential, const ext_credential_t* hotCredential ) { - switch (coldCredential->type) { - - case EXT_CREDENTIAL_KEY_HASH: - // the user would not know if it is his key or not - DENY(); - break; + DENY_IF(forbiddenCredential(txSigningMode, coldCredential)); + switch (coldCredential->type) { case EXT_CREDENTIAL_KEY_PATH: DENY_UNLESS(bip44_isCommitteeColdKeyPath(&coldCredential->keyPath)); - break; - - case EXT_CREDENTIAL_SCRIPT_HASH: - // allowed + DENY_IF(violatesSingleAccountOrStoreIt(&coldCredential->keyPath)); break; default: - ASSERT(false); + // the rest is OK, forbidden credentials have been dealt with above + break; } switch (hotCredential->type) { @@ -1170,52 +1160,42 @@ security_policy_t policyForSignTxCertificateCommitteeAuth( } security_policy_t policyForSignTxCertificateCommitteeResign( + sign_tx_signingmode_t txSigningMode, const ext_credential_t* coldCredential ) { - switch (coldCredential->type) { - - case EXT_CREDENTIAL_KEY_HASH: - // the user would not know if it is his key or not - DENY(); - break; + DENY_IF(forbiddenCredential(txSigningMode, coldCredential)); + switch (coldCredential->type) { case EXT_CREDENTIAL_KEY_PATH: DENY_UNLESS(bip44_isCommitteeColdKeyPath(&coldCredential->keyPath)); - break; - - case EXT_CREDENTIAL_SCRIPT_HASH: - // allowed + DENY_IF(violatesSingleAccountOrStoreIt(&coldCredential->keyPath)); break; default: - ASSERT(false); + // the rest is OK, forbidden credentials have been dealt with above + break; } PROMPT(); } security_policy_t policyForSignTxCertificateDRep( - const ext_credential_t* drepCredential + sign_tx_signingmode_t txSigningMode, + const ext_credential_t* dRepCredential ) { - switch (drepCredential->type) { - - case EXT_CREDENTIAL_KEY_HASH: - // the user would not know if it is his key or not - DENY(); - break; + DENY_IF(forbiddenCredential(txSigningMode, dRepCredential)); + switch (dRepCredential->type) { case EXT_CREDENTIAL_KEY_PATH: - DENY_UNLESS(bip44_isDRepKeyPath(&drepCredential->keyPath)); - break; - - case EXT_CREDENTIAL_SCRIPT_HASH: - // allowed + DENY_UNLESS(bip44_isDRepKeyPath(&dRepCredential->keyPath)); + DENY_IF(violatesSingleAccountOrStoreIt(&dRepCredential->keyPath)); break; default: - ASSERT(false); + // the rest is OK, forbidden credentials have been dealt with above + break; } PROMPT(); @@ -1534,7 +1514,6 @@ static inline security_policy_t _ordinaryWitnessPolicy(const bip44_path_t* path, case PATH_COMMITTEE_HOT_KEY: // these have to be shown because the tx might contain // an action proposal that cannot be fully shown on the device - // TODO what about violation of single account policy? DENY_IF(violatesSingleAccountOrStoreIt(path)); WARN_UNLESS(bip44_isPathReasonable(path)); SHOW(); @@ -1596,6 +1575,9 @@ static inline security_policy_t _plutusWitnessPolicy(const bip44_path_t* path, b case PATH_ORDINARY_STAKING_KEY: case PATH_MULTISIG_SPENDING_KEY: case PATH_MULTISIG_STAKING_KEY: + case PATH_DREP_KEY: + case PATH_COMMITTEE_COLD_KEY: + case PATH_COMMITTEE_HOT_KEY: WARN_UNLESS(bip44_isPathReasonable(path)); SHOW(); break; diff --git a/src/securityPolicy.h b/src/securityPolicy.h index c52a7053..a804fa0a 100644 --- a/src/securityPolicy.h +++ b/src/securityPolicy.h @@ -119,13 +119,16 @@ security_policy_t policyForSignTxCertificateVoteDelegation( const ext_drep_t* drep ); security_policy_t policyForSignTxCertificateCommitteeAuth( + sign_tx_signingmode_t txSigningMode, const ext_credential_t* coldCredential, const ext_credential_t* hotCredential ); security_policy_t policyForSignTxCertificateCommitteeResign( + sign_tx_signingmode_t txSigningMode, const ext_credential_t* coldCredential ); security_policy_t policyForSignTxCertificateDRep( + sign_tx_signingmode_t txSigningMode, const ext_credential_t* drepCredential ); #ifdef APP_FEATURE_POOL_RETIREMENT diff --git a/src/signTx.c b/src/signTx.c index 485a125f..f775555c 100644 --- a/src/signTx.c +++ b/src/signTx.c @@ -1112,7 +1112,7 @@ static void _setDRep( { switch (extDRep->type) { - case EXT_CREDENTIAL_KEY_PATH: + case EXT_DREP_KEY_PATH: drep->type = DREP_KEY_HASH; bip44_pathToKeyHash( &extDRep->keyPath, @@ -1120,18 +1120,26 @@ static void _setDRep( ); break; - case EXT_CREDENTIAL_KEY_HASH: + case EXT_DREP_KEY_HASH: drep->type = DREP_KEY_HASH; STATIC_ASSERT(SIZEOF(drep->keyHash) == SIZEOF(extDRep->keyHash), "bad script hash container size"); memmove(drep->keyHash, extDRep->keyHash, SIZEOF(extDRep->keyHash)); break; - case EXT_CREDENTIAL_SCRIPT_HASH: + case EXT_DREP_SCRIPT_HASH: drep->type = DREP_SCRIPT_HASH; STATIC_ASSERT(SIZEOF(drep->scriptHash) == SIZEOF(extDRep->scriptHash), "bad script hash container size"); memmove(drep->scriptHash, extDRep->scriptHash, SIZEOF(extDRep->scriptHash)); break; + case EXT_DREP_ALWAYS_ABSTAIN: + drep->type = DREP_ALWAYS_ABSTAIN; + break; + + case EXT_DREP_ALWAYS_NO_CONFIDENCE: + drep->type = DREP_ALWAYS_NO_CONFIDENCE; + break; + default: ASSERT(false); break; @@ -1348,6 +1356,7 @@ static void _handleCertificateVoteDeleg() static void _handleCertificateCommitteeAuth() { security_policy_t policy = policyForSignTxCertificateCommitteeAuth( + ctx->commonTxData.txSigningMode, &BODY_CTX->stageData.certificate.committeeColdCredential, &BODY_CTX->stageData.certificate.committeeHotCredential ); @@ -1371,6 +1380,7 @@ static void _handleCertificateCommitteeAuth() static void _handleCertificateCommitteeResign() { security_policy_t policy = policyForSignTxCertificateCommitteeResign( + ctx->commonTxData.txSigningMode, &BODY_CTX->stageData.certificate.committeeColdCredential ); TRACE("Policy: %d", (int) policy); @@ -1393,6 +1403,7 @@ static void _handleCertificateCommitteeResign() static void _handleCertificateDRep() { security_policy_t policy = policyForSignTxCertificateDRep( + ctx->commonTxData.txSigningMode, &BODY_CTX->stageData.certificate.drepCredential ); TRACE("Policy: %d", (int) policy); diff --git a/src/signTx_ui.c b/src/signTx_ui.c index 9bd1a23d..2ae6f2ab 100644 --- a/src/signTx_ui.c +++ b/src/signTx_ui.c @@ -680,7 +680,6 @@ void signTx_handleCertificateVoteDeleg_ui_runStep() set_light_confirmation(true); display_prompt("Delegate\nvote", "", this_fn, respond_with_user_reject); #endif // HAVE_BAGL - break; } UI_STEP(HANDLE_CERTIFICATE_VOTE_DELEG_STEP_DISPLAY_STAKE_CRED) { _displayCredential( @@ -811,7 +810,6 @@ void signTx_handleCertificateCommitteeResign_ui_runStep() set_light_confirmation(true); display_prompt("Resign from\ncommittee", "", this_fn, respond_with_user_reject); #endif // HAVE_BAGL - break; } UI_STEP(HANDLE_CERTIFICATE_COMM_RESIGN_STEP_DISPLAY_COLD_CRED) { _displayCredential( @@ -877,7 +875,6 @@ void signTx_handleCertificateCommitteeAuth_ui_runStep() set_light_confirmation(true); display_prompt("Authorize committee", "", this_fn, respond_with_user_reject); #endif // HAVE_BAGL - break; } UI_STEP(HANDLE_CERTIFICATE_COMM_AUTH_STEP_DISPLAY_COLD_CRED) { _displayCredential(