fix(legacy): fix v2 signature validation

1 year ago · daf566a260
parent 0c3b0371dd
commit daf566a260
3 changed files with 19 additions and 14 deletions
--- a/legacy/bootloader/bootloader.c
+++ b/legacy/bootloader/bootloader.c
@ -64,7 +64,6 @@ void show_unplug(const char *line1, const char *line2) {
               "You may now", "unplug your Trezor.", NULL);
 }

-#if !BOOTLOADER_QA
 static void show_unofficial_warning(const uint8_t *hash) {
 // On production bootloader, show warning and wait for user
 // to accept or reject it
@ -94,7 +93,6 @@ static void show_unofficial_warning(const uint8_t *hash) {
  delay(100000000);
 #endif
 }
-#endif

 static void __attribute__((noreturn)) load_app(int signed_firmware) {
  // zero out SRAM
@ -161,11 +159,7 @@ int main(void) {
    uint8_t fingerprint[32] = {0};
    int signed_firmware = signatures_match(hdr, fingerprint);
    if (SIG_OK != signed_firmware) {
-#if BOOTLOADER_QA
-      show_halt("Unsigned firmware", "Won't run on QA device");
-#else
      show_unofficial_warning(fingerprint);
-#endif
    }
 #if !PRODUCTION && !BOOTLOADER_QA && !DEBUG_T1_SIGNATURES
    // try to avoid bricking board SWD debug by accident
--- a/legacy/bootloader/usb.c
+++ b/legacy/bootloader/usb.c
@ -412,12 +412,20 @@ static void rx_callback(usbd_device *dev, uint8_t ep) {

  if (flash_state == STATE_CHECK) {
    // use the firmware header from RAM
-    const image_header *hdr = (const image_header *)FW_HEADER;
+    image_header *hdr = (image_header *)FW_HEADER;

    bool hash_check_ok;
    // show fingerprint of unsigned firmware
    // allow only v3 signmessage/verifymessage signatures
    if (SIG_OK != signatures_ok(hdr, NULL, sectrue)) {
+      // clear invalid signatures
+      hdr->sigindex1 = 0;
+      hdr->sigindex2 = 0;
+      hdr->sigindex3 = 0;
+      memset(hdr->sig1, 0, sizeof(hdr->sig1));
+      memset(hdr->sig2, 0, sizeof(hdr->sig2));
+      memset(hdr->sig3, 0, sizeof(hdr->sig3));
+
      if (msg_id != 0x001B) {  // ButtonAck message (id 27)
        return;
      }
--- a/legacy/fw_signatures.c
+++ b/legacy/fw_signatures.c
@ -191,9 +191,10 @@ int signatures_ok(const image_header *hdr, uint8_t store_fingerprint[32],
    return SIG_FAIL;  // invalid index
  if (hdr->sigindex2 < 1 || hdr->sigindex2 > pubkeys)
    return SIG_FAIL;  // invalid index
-  if (use_verifymessage != sectrue &&
-      (hdr->sigindex3 < 1 || hdr->sigindex3 > pubkeys)) {
-    return SIG_FAIL;  // invalid index
+  if (use_verifymessage != sectrue) {
+    if (hdr->sigindex3 < 1 || hdr->sigindex3 > pubkeys) {
+      return SIG_FAIL;  // invalid index
+    }
  } else if (hdr->sigindex3 != 0) {
    return SIG_FAIL;
  }
@ -210,10 +211,12 @@ int signatures_ok(const image_header *hdr, uint8_t store_fingerprint[32],
                               hdr->sig2, hash)) {  // failure
    return SIG_FAIL;
  }
-  if (use_verifymessage != sectrue &&
-      (0 != ecdsa_verify_digest(&secp256k1, pubkey_ptr[hdr->sigindex3 - 1],
-                                hdr->sig3, hash))) {  // failure
-    return SIG_FAIL;
+  if (use_verifymessage != sectrue) {
+    if (0 != ecdsa_verify_digest(&secp256k1, pubkey_ptr[hdr->sigindex3 - 1],
+                                 hdr->sig3, hash))  // failure
+    {
+      return SIG_FAIL;
+    }
  } else {
    for (unsigned int i = 0; i < sizeof(hdr->sig3); i++) {
      if (hdr->sig3[i] != 0) {