Cleanups, text changes

docs/limitations.md

@@ -48,7 +48,7 @@
 - bitcoin limits transactions to 100k, but there could be large input transactions
   inside the PSBT. Reduce this by using segwit signatures and provide only the
   individual UTXO ("out points").
-- every transaction needs to have at least one output (otherwise Invalid PSBT)
+- every transaction needs to have at least one output, or we reject it
 
 
 # P2SH / Multisig
@@ -72,6 +72,7 @@
 - derivation path for each cosigner must be known and consistent with PSBT
 - fixed: XFP values (fingerprints) for each of the co-signers must be unique (limitation removed)
 
+
 # SIGHASH types
 
 - all sighash flags are supported:
@@ -81,6 +82,8 @@
     - `ALL|ANYONECANPAY`
     - `NONE|ANYONECANPAY`
     - `SINGLE|ANYONECANPAY`
+- any value other than ALL will cause a warning to be shown to user
+- by default, we reject `NONE` and `NONE|ANYONECANPAY` but there is a setting to allow
 
 # U2F Protocol / Web Access to USB / WebUSB
 

docs/menu-tree.txt

@@ -271,6 +271,9 @@
       Set High-Water
       Wipe HSM Policy [IF HSM POLICY]
       Clear OV cache
+      Sighash Checks
+        Default: Block
+        Warn
       Testnet Mode
         Bitcoin
         Testnet3

releases/ChangeLog.md

@@ -1,13 +1,17 @@
 ## 5.1.2 - 2023-04-XX
 
-- Enhancement: Support all `SIGHASH` types (previous: only `SIGHASH_ALL` was supported).
-  This enables specialized Bitcoin transactions such as "SINGLE|ANYONECANPAY".
+- Enhancement: Support all `SIGHASH` types (previously only `SIGHASH_ALL` was supported).
+  This can enable specialized Bitcoin transactions involving multiple signers and even
+  limited changes to the transaction after signing. To enable the most dangerous SIGHASH
+  modes, you must change `Advanced -> Danger Zone -> Sighash Checks`. Warnings are shown
+  for any of the new SIGHASH modes regardless of this setting.
 - Enhancement: SeedXOR now supports 12 and 18 words mnemonics.
 - Enhancement: Signing memory, speed optimizations.
 - Enhancement: Docker repro build container improvements (non-privileged container)
 - Bugfix: After extended private key and TAPSIGNER backup import into blank wallet,
   users needed to manually reboot Coldcard.
 - Bugfix: Do not set SIGHASH type on foreign PSBT inputs
+- Bugfix: "Validating..." screen would be shown twice in some cases. Improves signing performance.
 
 
 ## 5.1.1 - 2023-02-27

shared/auth.py

@@ -987,8 +987,6 @@ async def sign_psbt_file(filename, force_vdisk=False):
     from ux import the_ux
     from sram2 import tmp_buf
 
-    #print("sign: %s" % filename)
-
     # copy file into our spiflash
     # - can't work in-place on the card because we want to support writing out to different card
     # - accepts hex or base64 encoding, but binary prefered

shared/flow.py

@@ -130,11 +130,6 @@ SettingsMenu = [
     MenuItem('Display Units', chooser=value_resolution_chooser),
     MenuItem('Max Network Fee', chooser=max_fee_chooser),
     MenuItem('Idle Timeout', chooser=idle_timeout_chooser),
-    ToggleMenuItem("Sighash Checks", "sighshchk", ["Default On", "Disabled"],
-                   story='''\
-DANGER! This disables COLDCARD sighash checks. \
-All funds can be stolen by specially crafted PSBT. \
-Keep enabled if you're not sure what you're doing.'''),
     ToggleMenuItem('Delete PSBTs', 'del', ['Default Keep', 'Delete PSBTs'],
         story='''\
 PSBT files (on SDCard) will be blanked & deleted after they are used. \
@@ -277,6 +272,12 @@ DangerZoneMenu = [
     MenuItem("Set High-Water", f=set_highwater),
     MenuItem('Wipe HSM Policy', f=wipe_hsm_policy, predicate=hsm_policy_available),
     MenuItem('Clear OV cache', f=wipe_ovc),
+    ToggleMenuItem("Sighash Checks", "sighshchk", ["Default: Block", "Warn"], invert=True,
+                   story='''\
+If you disable sighash flag restrictions, and ignore the \
+warnings, funds can be stolen by specially crafted PSBT or MitM.
+
+Keep blocked unless you intend to sign special transactions.'''),
     ToggleMenuItem('Testnet Mode', 'chain', ['Bitcoin', 'Testnet3', 'Regtest'],
         value_map=['BTC', 'XTN', 'XRT'],
         on_change=change_which_chain,

shared/psbt.py

@@ -1216,31 +1216,39 @@ class psbtObject(psbtProxy):
             self.warnings.append(('Big Fee', 'Network fee is more than '
                                     '5%% of total value (%.1f%%).' % per_fee))
 
-        self.consolidation_tx = self.num_change_outputs == self.num_outputs
+        self.consolidation_tx = (self.num_change_outputs == self.num_outputs)
+
         # Enforce policy related to change outputs
         self.consider_dangerous_change(self.my_xfp)
 
     def consider_dangerous_sighash(self):
+        # Check sighash flags are legal, useful, and safe. Warn about
+        # some risks if user has enabled special sighash values.
+
         sh_unusual = False
         none_sh = False
+
         for input in self.inputs:
             # only if it is our input - one that will be eventually sign
             if input.num_our_keys:
                 if input.sighash is not None:
-                    # our inputs MUST have SIGHASH that we are able to sign
+                    # All inputs MUST have SIGHASH that we are able to sign.
                     if input.sighash not in ALL_SIGHASH_FLAGS:
-                        raise FatalPSBTIssue("Unsupported sighash flag %x" % input.sighash)
+                        raise FatalPSBTIssue("Unsupported sighash flag 0x%x" % input.sighash)
+
                     if input.sighash != SIGHASH_ALL:
                         sh_unusual = True
+
                     if input.sighash in (SIGHASH_NONE, SIGHASH_NONE|SIGHASH_ANYONECANPAY):
                         none_sh = True
 
         if sh_unusual and not settings.get("sighshchk"):
             if self.consolidation_tx:
-                # not all inputs are sighash ALL in consolidation tx
+                # all inputs must be sighash ALL in consolidation tx
                 raise FatalPSBTIssue("Only sighash ALL is allowed for consolidation tx")
+
             if none_sh:
-                # sighash NONE or NONE|ANYONECANPAY used
+                # sighash NONE or NONE|ANYONECANPAY is proposed: block
                 raise FatalPSBTIssue("Sighash NONE is not allowed as funds could be going anywhere")
 
         if none_sh:
@@ -1747,6 +1755,7 @@ class psbtObject(psbtProxy):
             # input side
             hashPrevouts = sha256()
             hashSequence = sha256()
+
             if not (sighash_type & SIGHASH_ANYONECANPAY):
                 for in_idx, txi in self.input_iter():
                     hashPrevouts.update(txi.prevout.serialize())
@@ -1764,10 +1773,14 @@ class psbtObject(psbtProxy):
                     hashOutputs.update(txo.serialize())
 
                 hashOutputs = ngu.hash.sha256s(hashOutputs.digest())
+
             elif out_sighash_type == SIGHASH_SINGLE:
-                # even though below case is consensus valid, we restrict it
-                # if users do not want to sign any outputs, NONE sighash flag should be used instead
-                assert replace_idx < self.num_outputs, "SINGLE corresponding output (%d) missing" % replace_idx
+                # Even though below case is consensus valid, we block it.
+                # If users do not want to sign any outputs, NONE sighash flag
+                # should be used instead.
+                assert replace_idx < self.num_outputs, \
+                            "SINGLE corresponding output (%d) missing" % replace_idx
+
                 for out_idx, txo in self.output_iter():
                     if out_idx == replace_idx:
                         hashOutputs = ngu.hash.sha256d(txo.serialize())
@@ -1782,10 +1795,6 @@ class psbtObject(psbtProxy):
 
             gc.collect()
 
-            #print('hPrev: %s' % str(b2a_hex(self.hashPrevouts), 'ascii'))
-            #print('hSeq : %s' % str(b2a_hex(self.hashSequence), 'ascii'))
-            #print('hOuts: %s' % str(b2a_hex(self.hashOutputs), 'ascii'))
-
         rv = sha256()
 
         # version number