api/firmware: make sure a series of request doesn't get interrupted

benma · benma · commit 89d6c998a60c · 2025-05-02T13:23:24.000+02:00
Some API calls, like BTCSign, or BluetoothUpgrade, require a series of
request&lt;&gt;response pairs. If the device gets an unexpected message, it
fails.

However, this is not concurrency safe - if another goroutine sends
something in the middle of it, the API call in progress and the
interrupting call both fail.

To solve this, we introduce `apiLock` that ensures a series of queries
does not get interrupted.

Most API functions only use a single query, so we acquire this lock by
default in `.query()`.

We add a `nonAtomicQuery()` variant with a `atomicQueries()` helper
function to enable making a series of calls.
diff --git a/api/firmware/bluetooth.go b/api/firmware/bluetooth.go
@@ -19,12 +19,12 @@ import (
 	"github.com/BitBoxSwiss/bitbox02-api-go/util/errp"
 )
 
-// queryBluetooth is like query, but nested one level deeper for Bluetooth.
-func (device *Device) queryBluetooth(request *messages.BluetoothRequest) (*messages.BluetoothResponse, error) {
+// nonAtomicQueryBluetooth is like query, but nested one level deeper for Bluetooth.
+func (device *Device) nonAtomicQueryBluetooth(request *messages.BluetoothRequest) (*messages.BluetoothResponse, error) {
 	if !device.SupportsBluetooth() {
 		return nil, errp.New("this device does not support Bluetooth")
 	}
-	response, err := device.query(&messages.Request{
+	response, err := device.nonAtomicQuery(&messages.Request{
 		Request: &messages.Request_Bluetooth{
 			Bluetooth: request,
 		},
@@ -41,44 +41,42 @@ func (device *Device) queryBluetooth(request *messages.BluetoothRequest) (*messa
 
 // BluetoothUpgrade attempts an upgrade of the Bluetooth firmware.
 func (device *Device) BluetoothUpgrade(firmware []byte) error {
-	// Send initial upgrade request
-	initReq := &messages.BluetoothUpgradeInitRequest{
-		FirmwareLength: uint32(len(firmware)),
-	}
-	req := &messages.BluetoothRequest{
-		Request: &messages.BluetoothRequest_UpgradeInit{
-			UpgradeInit: initReq,
-		},
-	}
-
-	currentResponse, err := device.queryBluetooth(req)
-	if err != nil {
-		return err
-	}
+	return device.atomicQueries(func() error {
+		currentResponse, err := device.nonAtomicQueryBluetooth(&messages.BluetoothRequest{
+			Request: &messages.BluetoothRequest_UpgradeInit{
+				UpgradeInit: &messages.BluetoothUpgradeInitRequest{
+					FirmwareLength: uint32(len(firmware)),
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
 
-	for {
-		switch resp := currentResponse.Response.(type) {
-		case *messages.BluetoothResponse_RequestChunk:
-			chunkReq := resp.RequestChunk
-			chunkData := firmware[chunkReq.Offset : chunkReq.Offset+chunkReq.Length]
+		for {
+			switch resp := currentResponse.Response.(type) {
+			case *messages.BluetoothResponse_RequestChunk:
+				chunkReq := resp.RequestChunk
+				chunkData := firmware[chunkReq.Offset : chunkReq.Offset+chunkReq.Length]
 
-			currentResponse, err = device.queryBluetooth(&messages.BluetoothRequest{
-				Request: &messages.BluetoothRequest_Chunk{
-					Chunk: &messages.BluetoothChunkRequest{
-						Data: chunkData,
+				currentResponse, err = device.nonAtomicQueryBluetooth(&messages.BluetoothRequest{
+					Request: &messages.BluetoothRequest_Chunk{
+						Chunk: &messages.BluetoothChunkRequest{
+							Data: chunkData,
+						},
 					},
-				},
-			})
-			if err != nil {
-				return err
-			}
+				})
+				if err != nil {
+					return err
+				}
 
-		case *messages.BluetoothResponse_Success:
-			// Upgrade complete
-			return nil
+			case *messages.BluetoothResponse_Success:
+				// Upgrade complete
+				return nil
 
-		default:
-			return errp.New("unexpected response type during bluetooth upgrade")
+			default:
+				return errp.New("unexpected response type during bluetooth upgrade")
+			}
 		}
-	}
+	})
 }
diff --git a/api/firmware/btc.go b/api/firmware/btc.go
@@ -30,9 +30,9 @@ import (
 
 const multisigNameMaxLen = 30
 
-// queryBTC is like query, but nested one level deeper.
-func (device *Device) queryBTC(request *messages.BTCRequest) (*messages.BTCResponse, error) {
-	response, err := device.query(&messages.Request{
+// nonAtomicQueryBTC is like nonAtomicQuery, but nested one level deeper.
+func (device *Device) nonAtomicQueryBTC(request *messages.BTCRequest) (*messages.BTCResponse, error) {
+	response, err := device.nonAtomicQuery(&messages.Request{
 		Request: &messages.Request_Btc{
 			Btc: request,
 		},
@@ -47,6 +47,13 @@ func (device *Device) queryBTC(request *messages.BTCRequest) (*messages.BTCRespo
 	return btcResponse.Btc, nil
 }
 
+// queryBTC is like query, but nested one level deeper.
+func (device *Device) queryBTC(request *messages.BTCRequest) (*messages.BTCResponse, error) {
+	return atomicQueriesValue(device, func() (*messages.BTCResponse, error) {
+		return device.nonAtomicQueryBTC(request)
+	})
+}
+
 // NewBTCScriptConfigSimple is a helper to construct the correct script config for simple script
 // types.
 func NewBTCScriptConfigSimple(typ messages.BTCScriptConfig_SimpleType) *messages.BTCScriptConfig {
@@ -172,9 +179,9 @@ func (device *Device) BTCAddress(
 	return pubResponse.Pub.Pub, nil
 }
 
-func (device *Device) queryBtcSign(request proto.Message) (
+func (device *Device) nonAtomicQueryBtcSign(request proto.Message) (
 	*messages.BTCSignNextResponse, error) {
-	response, err := device.query(request)
+	response, err := device.nonAtomicQuery(request)
 	if err != nil {
 		return nil, err
 	}
@@ -185,9 +192,9 @@ func (device *Device) queryBtcSign(request proto.Message) (
 	return next.BtcSignNext, nil
 }
 
-func (device *Device) nestedQueryBtcSign(request *messages.BTCRequest) (
+func (device *Device) nonAtomicNestedQueryBtcSign(request *messages.BTCRequest) (
 	*messages.BTCSignNextResponse, error) {
-	response, err := device.queryBTC(request)
+	response, err := device.nonAtomicQueryBTC(request)
 	if err != nil {
 		return nil, err
 	}
@@ -286,9 +293,7 @@ type BTCSignResult struct {
 	GeneratedOutputs map[int][]byte
 }
 
-// BTCSign signs a bitcoin or bitcoin-like transaction. The previous transactions of the inputs
-// need to be provided if `BTCSignNeedsPrevTxs()` returns true.
-func (device *Device) BTCSign(
+func (device *Device) nonAtomicBTCSign(
 	coin messages.BTCCoin,
 	scriptConfigs []*messages.BTCScriptConfigWithKeypath,
 	outputScriptConfigs []*messages.BTCScriptConfigWithKeypath,
@@ -323,7 +328,7 @@ func (device *Device) BTCSign(
 	}
 
 	signatures := make([][]byte, len(tx.Inputs))
-	next, err := device.queryBtcSign(&messages.Request{
+	next, err := device.nonAtomicQueryBtcSign(&messages.Request{
 		Request: &messages.Request_BtcSignInit{
 			BtcSignInit: &messages.BTCSignInitRequest{
 				Coin:                         coin,
@@ -363,7 +368,7 @@ func (device *Device) BTCSign(
 					Commitment: antikleptoHostCommit(hostNonce),
 				}
 			}
-			next, err = device.queryBtcSign(&messages.Request{
+			next, err = device.nonAtomicQueryBtcSign(&messages.Request{
 				Request: &messages.Request_BtcSignInput{
 					BtcSignInput: input,
 				}})
@@ -376,7 +381,7 @@ func (device *Device) BTCSign(
 					return nil, errp.New("unexpected response; expected signer nonce commitment")
 				}
 				signerCommitment := next.AntiKleptoSignerCommitment.Commitment
-				next, err = device.nestedQueryBtcSign(
+				next, err = device.nonAtomicNestedQueryBtcSign(
 					&messages.BTCRequest{
 						Request: &messages.BTCRequest_AntikleptoSignature{
 							AntikleptoSignature: &messages.AntiKleptoSignatureRequest{
@@ -408,7 +413,7 @@ func (device *Device) BTCSign(
 			}
 		case messages.BTCSignNextResponse_PREVTX_INIT:
 			prevtx := tx.Inputs[next.Index].PrevTx
-			next, err = device.nestedQueryBtcSign(
+			next, err = device.nonAtomicNestedQueryBtcSign(
 				&messages.BTCRequest{
 					Request: &messages.BTCRequest_PrevtxInit{
 						PrevtxInit: &messages.BTCPrevTxInitRequest{
@@ -424,7 +429,7 @@ func (device *Device) BTCSign(
 			}
 		case messages.BTCSignNextResponse_PREVTX_INPUT:
 			prevtxInput := tx.Inputs[next.Index].PrevTx.Inputs[next.PrevIndex]
-			next, err = device.nestedQueryBtcSign(
+			next, err = device.nonAtomicNestedQueryBtcSign(
 				&messages.BTCRequest{
 					Request: &messages.BTCRequest_PrevtxInput{
 						PrevtxInput: prevtxInput,
@@ -435,7 +440,7 @@ func (device *Device) BTCSign(
 			}
 		case messages.BTCSignNextResponse_PREVTX_OUTPUT:
 			prevtxOutput := tx.Inputs[next.Index].PrevTx.Outputs[next.PrevIndex]
-			next, err = device.nestedQueryBtcSign(
+			next, err = device.nonAtomicNestedQueryBtcSign(
 				&messages.BTCRequest{
 					Request: &messages.BTCRequest_PrevtxOutput{
 						PrevtxOutput: prevtxOutput,
@@ -446,7 +451,7 @@ func (device *Device) BTCSign(
 			}
 		case messages.BTCSignNextResponse_OUTPUT:
 			outputIndex := next.Index
-			next, err = device.queryBtcSign(&messages.Request{
+			next, err = device.nonAtomicQueryBtcSign(&messages.Request{
 				Request: &messages.Request_BtcSignOutput{
 					BtcSignOutput: tx.Outputs[outputIndex],
 				}})
@@ -471,7 +476,7 @@ func (device *Device) BTCSign(
 				return nil, errp.New("payment request index out of bounds")
 			}
 			paymentRequest := tx.PaymentRequests[paymentRequestIndex]
-			next, err = device.nestedQueryBtcSign(
+			next, err = device.nonAtomicNestedQueryBtcSign(
 				&messages.BTCRequest{
 					Request: &messages.BTCRequest_PaymentRequest{
 						PaymentRequest: paymentRequest,
@@ -490,6 +495,26 @@ func (device *Device) BTCSign(
 	}
 }
 
+// BTCSign signs a bitcoin or bitcoin-like transaction. The previous transactions of the inputs
+// need to be provided if `BTCSignNeedsPrevTxs()` returns true.
+func (device *Device) BTCSign(
+	coin messages.BTCCoin,
+	scriptConfigs []*messages.BTCScriptConfigWithKeypath,
+	outputScriptConfigs []*messages.BTCScriptConfigWithKeypath,
+	tx *BTCTx,
+	formatUnit messages.BTCSignInitRequest_FormatUnit,
+) (*BTCSignResult, error) {
+	return atomicQueriesValue(device, func() (*BTCSignResult, error) {
+		return device.nonAtomicBTCSign(
+			coin,
+			scriptConfigs,
+			outputScriptConfigs,
+			tx,
+			formatUnit,
+		)
+	})
+}
+
 // BTCIsScriptConfigRegistered returns true if the script config / account is already registered.
 func (device *Device) BTCIsScriptConfigRegistered(
 	coin messages.BTCCoin,
@@ -562,9 +587,7 @@ type BTCSignMessageResult struct {
 	ElectrumSig65 []byte
 }
 
-// BTCSignMessage signs a Bitcoin message. The 64 byte raw signature, the recoverable ID and the 65
-// byte signature in Electrum format are returned.
-func (device *Device) BTCSignMessage(
+func (device *Device) nonAtomicBTCSignMessage(
 	coin messages.BTCCoin,
 	scriptConfig *messages.BTCScriptConfigWithKeypath,
 	message []byte,
@@ -601,7 +624,7 @@ func (device *Device) BTCSignMessage(
 			},
 		},
 	}
-	response, err := device.queryBTC(request)
+	response, err := device.nonAtomicQueryBTC(request)
 	if err != nil {
 		return nil, err
 	}
@@ -612,7 +635,7 @@ func (device *Device) BTCSignMessage(
 		if !ok {
 			return nil, errp.New("unexpected response")
 		}
-		response, err := device.queryBTC(&messages.BTCRequest{
+		response, err := device.nonAtomicQueryBTC(&messages.BTCRequest{
 			Request: &messages.BTCRequest_AntikleptoSignature{
 				AntikleptoSignature: &messages.AntiKleptoSignatureRequest{
 					HostNonce: hostNonce,
@@ -654,3 +677,14 @@ func (device *Device) BTCSignMessage(
 		ElectrumSig65: electrumSig65,
 	}, nil
 }
+
+// BTCSignMessage signs a Bitcoin message.
+func (device *Device) BTCSignMessage(
+	coin messages.BTCCoin,
+	scriptConfig *messages.BTCScriptConfigWithKeypath,
+	message []byte,
+) (*BTCSignMessageResult, error) {
+	return atomicQueriesValue(device, func() (*BTCSignMessageResult, error) {
+		return device.nonAtomicBTCSignMessage(coin, scriptConfig, message)
+	})
+}
diff --git a/api/firmware/device.go b/api/firmware/device.go
@@ -94,7 +94,14 @@ type Device struct {
 	// nonces must match the incrementing of the device nonces, so the decryption works. Avoid the
 	// situation where we Encrypt() locally twice, and send the queries out of order, which will
 	// result in a failed decryption on the device.
+	//
+	// Also, every request is followed by a response, so this lock ensures the responses is matched
+	// to the request.
 	queryLock sync.Mutex
+	// While `queryLock` ensures that the response matches the request, `apiLock` ensures that a
+	// series of request<>response pairs does not get interrupted. Some API calls require a series
+	// of calls, like signing a BTC transactions.
+	apiLock sync.Mutex
 
 	status Status
 
diff --git a/api/firmware/query.go b/api/firmware/query.go
@@ -27,7 +27,7 @@ import (
 )
 
 const (
-	// sinve v7.0.0, requets and responses are framed with hww* codes.
+	// sinve v7.0.0, requests and responses are framed with hww* codes.
 
 	// hwwReq* are HWW-level framing opcodes of requests.
 
@@ -130,7 +130,12 @@ func (device *Device) rawQuery(msg []byte) ([]byte, error) {
 	return device.communication.Query(msg)
 }
 
-func (device *Device) query(request proto.Message) (*messages.Response, error) {
+// Sends one request and returns the matching response.
+// This acquires the queryLock, so other queries can't interrupt and need to wait.
+// This *does not* acquire the apiLock.
+// Use this if you need to perform a series of requests that should not get interrupted.
+// Only use this inside `atomicQueries()`.
+func (device *Device) nonAtomicQuery(request proto.Message) (*messages.Response, error) {
 	device.queryLock.Lock()
 	defer device.queryLock.Unlock()
 	if device.sendCipher == nil || !device.channelHashDeviceVerified || !device.channelHashAppVerified {
@@ -180,3 +185,33 @@ func (device *Device) query(request proto.Message) (*messages.Response, error) {
 
 	return response, nil
 }
+
+// Sends one request and returns the matching response.
+// This acquires the queryLock, so other queries can't interrupt and need to wait.
+// This also acquires the apiLock, so series of request<>responses that should not be interrupted
+// don't get interrupted. Use `nonAtomicQuery()` if you need a series of request<>response pairs
+// that should not be interrupted.
+func (device *Device) query(request proto.Message) (*messages.Response, error) {
+	device.apiLock.Lock()
+	defer device.apiLock.Unlock()
+	return device.nonAtomicQuery(request)
+}
+
+// atomicQueries runs a series of device queries while holding the `apiLock` mutex, to ensure the
+// series of quries does not get interrupted.
+//
+// Important: only use `nonAtomicQuery` inside the callback (`query()` also acquires `apiLock` which
+// would lead to a deadlock).
+func (device *Device) atomicQueries(run func() error) error {
+	device.apiLock.Lock()
+	defer device.apiLock.Unlock()
+	return run()
+}
+
+// atomicQueriesValue is like `atomicQueries`, but allows returning a result value for convenience.
+// It is a function and not a method because Go does not support generic methods.
+func atomicQueriesValue[R any](device *Device, run func() (R, error)) (R, error) {
+	device.apiLock.Lock()
+	defer device.apiLock.Unlock()
+	return run()
+}
