From 3553086e84e1e5d8c0473ff68f4a8dcd90265918 Mon Sep 17 00:00:00 2001
From: Andrew Kozlik
Date: Sat, 5 Feb 2022 10:50:55 +0100
Subject: [PATCH] feat(legacy): Strict path validation for CoSi.
---
 legacy/firmware/fsm_msg_crypto.h | 26 ++++++++++++++++++++++++++
 legacy/firmware/layout2.c | 1 +
 2 files changed, 27 insertions(+)
diff --git a/legacy/firmware/fsm_msg_crypto.h b/legacy/firmware/fsm_msg_crypto.h
index cae8e2bea..bb6fe22e7 100644
--- a/legacy/firmware/fsm_msg_crypto.h
+++ b/legacy/firmware/fsm_msg_crypto.h
@@ -235,6 +235,22 @@ void fsm_msgGetECDHSessionKey(const GetECDHSessionKey *msg) {
   layoutHome();
 }
+static bool fsm_checkCosiPath(uint32_t address_n_count,
+                              const uint32_t *address_n) {
+  // The path should typically match "m / 10018' / [0-9]'", but we allow
+  // any path from the SLIP-18 domain "m / 10018' / *".
+  if (address_n_count >= 1 && address_n[0] == PATH_HARDENED + 10018) {
+    return true;
+  }
+
+  if (config_getSafetyCheckLevel() == SafetyCheckLevel_Strict) {
+    fsm_sendFailure(FailureType_Failure_DataError, _("Forbidden key path"));
+    return false;
+  }
+
+  return fsm_layoutPathWarning();
+}
+
 void fsm_msgCosiCommit(const CosiCommit *msg) {
   RESP_INIT(CosiCommitment);
@@ -242,6 +258,11 @@ void fsm_msgCosiCommit(const CosiCommit *msg) {
   CHECK_PARAM(msg->has_data, _("No data provided"));
+  if (!fsm_checkCosiPath(msg->address_n_count, msg->address_n)) {
+    layoutHome();
+    return;
+  }
+
   layoutCosiCommitSign(msg->address_n, msg->address_n_count, msg->data.bytes, msg->data.size, false);
   if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
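Review bot: fsm_checkCosiPath has no header comment stating its return contract, and its two rejection branches leave different work to the caller: in the Strict branch the DataError Failure is sent right here, while on the other branch any Failure (presumably an ActionCancelled from fsm_layoutPathWarning(), which is defined outside this hunk) is sent inside the helper, so a caller that also sent a Failure would answer twice. Suggest above the definition: `// Returns true if address_n is accepted for CoSi. On false a Failure has already been sent (here in Strict mode, by fsm_layoutPathWarning() otherwise); the caller only needs to return to the home screen.` It would also help to say in the existing comment that this check is intentionally looser than is_slip18() in layout2.c, which requires exactly `m / 10018' / [0-9]'`, so that neither check is later tightened or loosened without the other being considered.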
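Review bot: The four-line guard inserted before layoutCosiCommitSign is duplicated verbatim in fsm_msgCosiSign (the next hunk); since both handlers already use the CHECK_PARAM family of macros, a sibling such as `#define CHECK_COSI_PATH(msg) if (!fsm_checkCosiPath((msg)->address_n_count, (msg)->address_n)) { layoutHome(); return; }` would keep the two rejection paths from drifting apart. The guard trusts msg->address_n_count to be within the capacity of the msg->address_n array; fsm_checkCosiPath reads address_n[0] only after checking count >= 1, so the remaining bound has to come from the message decoder's maximum count for the field, which is not visible here and is worth confirming once. Placing the check before any screen is shown is the right order, since a Strict rejection then never prompts the user. fsm_msgCosiCommit's body continues outside the hunk.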
@@ -285,6 +306,11 @@ void fsm_msgCosiSign(const CosiSign *msg) {
   CHECK_PARAM(msg->has_global_pubkey && msg->global_pubkey.size == 32, _("Invalid global pubkey"));
+  if (!fsm_checkCosiPath(msg->address_n_count, msg->address_n)) {
+    layoutHome();
+    return;
+  }
+
   layoutCosiCommitSign(msg->address_n, msg->address_n_count, msg->data.bytes, msg->data.size, true);
   if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
diff --git a/legacy/firmware/layout2.c b/legacy/firmware/layout2.c
index adbd22d4f..3c75f9784 100644
--- a/legacy/firmware/layout2.c
+++ b/legacy/firmware/layout2.c
@@ -1178,6 +1178,7 @@ void layoutNEMLevy(const NEMMosaicDefinition *definition, uint8_t network) {
 static inline bool is_slip18(const uint32_t *address_n, size_t address_n_count) {
+  // m / 10018' / [0-9]'
   return address_n_count == 2 && address_n[0] == (PATH_HARDENED + 10018) && (address_n[1] & PATH_HARDENED) && (address_n[1] & PATH_UNHARDEN_MASK) <= 9;