Merge pull request #89 from cosmos/evm-path-support

Evm path support

.github/workflows/check_version.yml

@@ -25,6 +25,8 @@ jobs:
     container:
       image: zondax/ledger-app-builder:latest
       options: --user ${{ needs.configure.outputs.uid_gid }}
+    env:
+      SDK_VARNAME: NANOSP_SDK
     outputs:
       version: ${{ steps.store-version.outputs.version }}
     steps:

.github/workflows/codeql.yml

@@ -0,0 +1,37 @@
+name: "CodeQL"
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request:
+    branches:
+      - main
+      - develop
+
+jobs:
+  analyse:
+    name: Analyse
+    strategy:
+      matrix:
+        sdk: ["$NANOS_SDK", "$NANOX_SDK", "$NANOSP_SDK"]
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest
+
+    steps:
+      - name: Clone
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: cpp
+          queries: security-and-quality
+
+      - name: Build
+        run: |
+          make -j BOLOS_SDK=${{ matrix.sdk }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/guidelines_enforcer.yml

@@ -0,0 +1,26 @@
+name: Ensure compliance with Ledger guidelines
+
+# This workflow is mandatory in all applications
+# It calls a reusable workflow guidelines_enforcer developed by Ledger's internal developer team.
+# The successful completion of the reusable workflow is a mandatory step for an app to be available on the Ledger
+# application store.
+#
+# More information on the guidelines can be found in the repository:
+# LedgerHQ/ledger-app-workflows/
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - main
+      - develop
+  pull_request:
+
+jobs:
+  guidelines_enforcer:
+    name: Call Ledger guidelines_enforcer
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1
+    with:
+      relative_app_directory: app
+      run_for_devices: '["nanos", "nanosp", "nanox"]'

.github/workflows/main.yml

@@ -74,18 +74,23 @@ jobs:
         with:
           submodules: true
       - run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev
-      - name: Install rust
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
       - name: Install node
         uses: actions/setup-node@v3
       - name: Install yarn
         run: |
           npm install -g yarn
-      - name: Build and run zemu tests
-        run: |
-          make test_all
+      - name: Build Ledger app
+        run: make
+      - name: Build/Install build js deps
+        run: make zemu_install
+      - name: Run zemu tests
+        run: "cd tests_zemu; yarn test"
+      - name: Upload Snapshots (only failure)
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: snapshots-tmp
+          path: tests_zemu/snapshots-tmp/
 
   build_package_nanos:
     needs: [configure, build, build_ledger, test_zemu]
@@ -94,8 +99,8 @@ jobs:
     container:
       image: zondax/ledger-app-builder:latest
       options: --user ${{ needs.configure.outputs.uid_gid }}
-    env:
-      BOLOS_SDK: /opt/nanos-secure-sdk
+      env:
+        BOLOS_SDK: /opt/nanos-secure-sdk
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.gitignore

@@ -91,6 +91,8 @@ app/src/glyphs.h
 /build
 .vscode/dryrun.log
 .vscode/targets.log
+app/build/*
+.DS_Store
 
 fuzz-*.log
 /fuzz/corpora

app/Makefile

@@ -40,14 +40,13 @@ $(info COIN  = [$(COIN)])
 ifeq ($(COIN),ATOM)
 # Main app configuration
 APPNAME = "Cosmos"
-APPPATH = "44'/118'"
+APPPATH = "44'/118'" --path "44'/60'"
 else
 define error_message
 
 
 COIN value not supported: [$(COIN)]
 
-
 endef
 $(error "$(error_message)")
 endif
@@ -65,35 +64,18 @@ $(error ICONNAME is not set)
 endif
 
 include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.platform
-LDFLAGS += -z muldefs
-CFLAGS += -Wvla
-
 DEFINES += HAVE_HASH HAVE_BLAKE2 HAVE_SHA256 HAVE_SHA512
-
-APP_SOURCE_PATH += $(MY_DIR)/src
-APP_SOURCE_PATH += $(MY_DIR)/glyphs
-APP_SOURCE_PATH += $(MY_DIR)/../deps/ledger-zxlib/include
-APP_SOURCE_PATH += $(MY_DIR)/../deps/ledger-zxlib/src
-APP_SOURCE_PATH += $(MY_DIR)/../deps/ledger-zxlib/app/common
-APP_SOURCE_PATH += $(MY_DIR)/../deps/ledger-zxlib/app/ui
-APP_SOURCE_PATH += $(MY_DIR)/../deps/jsmn/src
-
-# NanoX SDK does not allow += in APP_SOURCE_PATH or INCLUDES_PATH
 CFLAGS += -I$(MY_DIR)/../deps/tinycbor/src
 APP_SOURCE_PATH += $(MY_DIR)/../deps/tinycbor-ledger
+APP_SOURCE_PATH += $(MY_DIR)/../deps/jsmn/src
 
 .PHONY: rust
 rust:
 	@echo "No rust code"
-#	cd rust && CARGO_HOME="$(CURDIR)/rust/.cargo" cargo build --target thumbv6m-none-eabi --release
-
-# Before linking, we need to be sure rust lib is there
-bin/app.elf: rust
 
 .PHONY: rust_clean
 rust_clean:
 	@echo "No rust code"
-#	cd rust && CARGO_HOME="$(CURDIR)/rust/.cargo" cargo clean
 
 clean: rust_clean
 

app/Makefile.version

@@ -3,4 +3,4 @@ APPVERSION_M=2
 # This is the `spec_version` field of `Runtime`
 APPVERSION_N=35
 # This is the patch version of this release
-APPVERSION_P=5
+APPVERSION_P=6

app/src/addr.c

@@ -25,7 +25,7 @@
 zxerr_t addr_getNumItems(uint8_t *num_items) {
     zemu_log_stack("addr_getNumItems");
     *num_items = 1;
-    if (app_mode_expert()) {
+    if (app_mode_expert() || isEthPath) {
         zemu_log("num_items 2\n");
         *num_items = 2;
     } else {
@@ -47,7 +47,7 @@ zxerr_t addr_getItem(int8_t displayIdx,
             ZEMU_LOGF(200, "[addr_getItem] pageCount %d\n", *pageCount)
             return zxerr_ok;
         case 1: {
-            if (!app_mode_expert()) {
+            if (!app_mode_expert() && !isEthPath) {
                 return zxerr_no_data;
             }
 

app/src/apdu_handler.c

@@ -33,6 +33,91 @@
 #include "app_mode.h"
 
 #include "parser_impl.h"
+#include "view_internal.h"
+
+bool isEthPath = false;
+
+static const char *msg_error1 = "Expert Mode";
+static const char *msg_error2 = "Required";
+
+__Z_INLINE void handle_getversion(__Z_UNUSED volatile uint32_t *flags, volatile uint32_t *tx, __Z_UNUSED uint32_t rx) {
+#ifdef DEBUG
+    G_io_apdu_buffer[0] = 0xFF;
+#else
+    G_io_apdu_buffer[0] = 0;
+#endif
+    G_io_apdu_buffer[1] = LEDGER_MAJOR_VERSION;
+    G_io_apdu_buffer[2] = LEDGER_MINOR_VERSION;
+    G_io_apdu_buffer[3] = LEDGER_PATCH_VERSION;
+    G_io_apdu_buffer[4] = !IS_UX_ALLOWED;
+
+    G_io_apdu_buffer[5] = (TARGET_ID >> 24) & 0xFF;
+    G_io_apdu_buffer[6] = (TARGET_ID >> 16) & 0xFF;
+    G_io_apdu_buffer[7] = (TARGET_ID >> 8) & 0xFF;
+    G_io_apdu_buffer[8] = (TARGET_ID >> 0) & 0xFF;
+
+    *tx += 9;
+    THROW(APDU_CODE_OK);
+}
+
+static void extractHDPath(uint32_t rx, uint32_t offset) {
+    if ((rx - offset) < sizeof(uint32_t) * HDPATH_LEN_DEFAULT) {
+        THROW(APDU_CODE_WRONG_LENGTH);
+    }
+
+    MEMCPY(hdPath, G_io_apdu_buffer + offset, sizeof(uint32_t) * HDPATH_LEN_DEFAULT);
+
+    // Check values
+    if (hdPath[0] != HDPATH_0_DEFAULT ||
+        ((hdPath[1] != HDPATH_1_DEFAULT) && (hdPath[1] != HDPATH_ETH_1_DEFAULT)) ||
+        hdPath[3] != HDPATH_3_DEFAULT) {
+        THROW(APDU_CODE_DATA_INVALID);
+    }
+
+    // Set EthPath flag
+    isEthPath = (hdPath[1] == HDPATH_ETH_1_DEFAULT) ? true : false;
+
+    // Limit values unless the app is running in expert mode
+    if (!app_mode_expert()) {
+        for(int i=2; i < HDPATH_LEN_DEFAULT; i++) {
+            // hardened or unhardened values should be below 20
+            if ( (hdPath[i] & 0x7FFFFFFF) > 100) THROW(APDU_CODE_CONDITIONS_NOT_SATISFIED);
+        }
+    }
+}
+
+static bool process_chunk(volatile uint32_t *tx, uint32_t rx) {
+    UNUSED(tx);
+
+    const uint8_t payloadType = G_io_apdu_buffer[OFFSET_PAYLOAD_TYPE];
+
+    if (rx < OFFSET_DATA) {
+        THROW(APDU_CODE_WRONG_LENGTH);
+    }
+
+    uint32_t added;
+    switch (payloadType) {
+        case P1_INIT:
+            tx_initialize();
+            tx_reset();
+            extractHDPath(rx, OFFSET_DATA);
+            return false;
+        case P1_ADD:
+            added = tx_append(&(G_io_apdu_buffer[OFFSET_DATA]), rx - OFFSET_DATA);
+            if (added != rx - OFFSET_DATA) {
+                THROW(APDU_CODE_OUTPUT_BUFFER_TOO_SMALL);
+            }
+            return false;
+        case P1_LAST:
+            added = tx_append(&(G_io_apdu_buffer[OFFSET_DATA]), rx - OFFSET_DATA);
+            if (added != rx - OFFSET_DATA) {
+                THROW(APDU_CODE_OUTPUT_BUFFER_TOO_SMALL);
+            }
+            return true;
+    }
+
+    THROW(APDU_CODE_INVALIDP1P2);
+}
 
 __Z_INLINE void handleGetAddrSecp256K1(volatile uint32_t *flags, volatile uint32_t *tx, uint32_t rx) {
     uint8_t len = extractHRP(rx, OFFSET_DATA);
@@ -73,6 +158,11 @@ __Z_INLINE void handleSign(volatile uint32_t *flags, volatile uint32_t *tx, uint
     }
     parser_tx_obj.tx_json.own_addr = (const char *) (G_io_apdu_buffer + VIEW_ADDRESS_OFFSET_SECP256K1);
 
+    if (isEthPath && !app_mode_expert()) {
+        *flags |= IO_ASYNCH_REPLY;
+        view_custom_error_show(PIC(msg_error1),PIC(msg_error2));
+        THROW(APDU_CODE_DATA_INVALID);
+    }
     const char *error_msg = tx_parse(sign_type);
 
     if (error_msg != NULL) {

app/src/coin.h

@@ -14,7 +14,7 @@
 *  limitations under the License.
 ********************************************************************************/
 #pragma once
-
+#include "stdbool.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -25,11 +25,13 @@ extern "C" {
 
 #define HDPATH_0_DEFAULT     (0x80000000u | 0x2cu)
 #define HDPATH_1_DEFAULT     (0x80000000u | 0x76u)
+#define HDPATH_ETH_1_DEFAULT (0x80000000u | 0x3cu)
 #define HDPATH_2_DEFAULT     (0x80000000u | 0u)
 #define HDPATH_3_DEFAULT     (0u)
 
 #define PK_LEN_SECP256K1     33u
 
+extern bool isEthPath;
 typedef enum {
     addr_secp256k1 = 0,
 } address_kind_e;
@@ -70,6 +72,10 @@ typedef enum {
 #define MENU_MAIN_APP_LINE2_SECRET         "?"
 #define COIN_SECRET_REQUIRED_CLICKS         0
 
+#define INS_GET_VERSION                 0x00
+#define INS_SIGN_SECP256K1              0x02
+#define INS_GET_ADDR_SECP256K1          0x04
+
 #ifdef __cplusplus
 }
 #endif