go-ethereum/accounts
James Prestwich 1e3177de22
accounts/usbwallet: mitigate ledger app chunking issue (#26773)
This PR mitigates an issue with Ledger's on-device RLP deserialization, see
https://github.com/LedgerHQ/app-ethereum/issues/409

Ledger's RLP deserialization code does not validate the length of the RLP list received,
and it may prematurely enter the signing flow when an APDU chunk boundary falls immediately
before the EIP-155 chain_id when deserializing a transaction. Since the chain_id is
uninitialized, it is 0 during this signing flow. This may cause the user to accidentally
sign the transaction with chain_id = 0. That signature would be returned from the device 1
packet earlier than expected by the communication loop. The device blocks the
second-to-last packet waiting for the signer flow, and then errors on the successive
packet (which contains the chain_id, zeroed r, and zeroed s).

Since the signature's early arrival causes successive errors during the communication
process, geth does not parse the improper signature produced by the device, and therefore
no improperly-signed transaction can be created. User funds are not at risk.

We mitigate by selecting the highest chunk size that leaves at least 4 bytes in the
final chunk.
2023-03-07 15:20:04 +01:00
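
The chunk-size selection described in the commit message above, as an added Go example that is not the go-ethereum code: it picks the largest chunk size whose final chunk holds at least 4 bytes. The 255-byte APDU data limit, the function names and the sample payload lengths are assumptions of this example.

```go
package main

import "fmt"

// Assumptions (not from the page): one APDU data field carries at most 255
// bytes, and the payload is an opaque byte string of known length.
const (
	maxAPDUData   = 255
	minFinalChunk = 4 // from the commit message: at least 4 bytes in the final chunk
)

// finalChunkLen returns the size of the last chunk when payloadLen bytes
// (payloadLen > 0) are sent in chunks of size chunk.
func finalChunkLen(payloadLen, chunk int) int {
	if rem := payloadLen % chunk; rem != 0 {
		return rem
	}
	return chunk // payload divides evenly, so the last chunk is a full one
}

// pickChunkSize returns the largest chunk size <= maxAPDUData whose final
// chunk holds at least minFinalChunk bytes, or 0 if no such size exists.
func pickChunkSize(payloadLen int) int {
	if payloadLen <= maxAPDUData {
		return maxAPDUData // fits in a single packet: no chunk boundary at all
	}
	for chunk := maxAPDUData; chunk >= minFinalChunk; chunk-- {
		if finalChunkLen(payloadLen, chunk) >= minFinalChunk {
			return chunk
		}
	}
	return 0
}

func main() {
	// Constructed payload lengths; 256, 258 and 513 would leave 1 or 3 bytes
	// in the final chunk at the maximum chunk size.
	for _, n := range []int{120, 256, 258, 510, 513} {
		c := pickChunkSize(n)
		fmt.Printf("payload=%d chunk=%d final=%d\n", n, c, finalChunkLen(n, c))
	}
}
```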
..
abi all: change chain head markers from block to header (#26777) 2023-03-02 08:29:15 +02:00
external all: more linters (#24783) 2022-06-13 16:24:45 +02:00
keystore all: remove deprecated uses of math.rand (#26710) 2023-02-16 14:36:58 -05:00
scwallet accounts/scwallet: fix keycard data signing error (#25331) 2022-10-27 10:06:28 +02:00
usbwallet accounts/usbwallet: mitigate ledger app chunking issue (#26773) 2023-03-07 15:20:04 +01:00
accounts.go build: upgrade to go 1.19 (#25726) 2022-09-10 13:25:40 +02:00
accounts_test.go all: update author list and licenses 2019-07-22 12:17:27 +03:00
errors.go accounts: fix typo in comments (#24805) 2022-05-03 08:49:41 +02:00
hd.go build: upgrade to go 1.19 (#25726) 2022-09-10 13:25:40 +02:00
hd_test.go accounts, signer: fix Ledger Live account derivation path (clef) (#21757) 2020-11-29 13:43:15 +01:00
manager.go all: fix spelling mistakes (#25961) 2022-10-11 09:37:00 +02:00
sort.go accounts, console: frendly card errors, support pin unblock 2019-04-08 13:19:37 +02:00
url.go build: upgrade to go 1.19 (#25726) 2022-09-10 13:25:40 +02:00
url_test.go accounts: increase parseURL test coverage (#25033) 2022-06-07 12:46:27 +02:00