Fixes after Ledger Review - Sign message update #106
Conversation
…gn message & sign trx
mradian1
changed the title
src/sign_msg.c
Outdated
| msg_context.message_received_length += data_length; | ||
|
|
||
| if (msg_context.message_received_length > MAX_DISPLAY_MESSAGE_SIZE) { | ||
| memcpy(msg_context.message + MAX_DISPLAY_MESSAGE_SIZE - 3, "...", 3); |
There was a problem hiding this comment.
Is it the case to make some kind of validation here?
There was a problem hiding this comment.
An option would be to handle / replace non-printable characters (an idea).
src/sign_msg.c
Outdated
| msg_context.message_received_length += data_length; | ||
|
|
||
| if (msg_context.message_received_length > MAX_DISPLAY_MESSAGE_SIZE) { | ||
| memcpy(msg_context.message + MAX_DISPLAY_MESSAGE_SIZE - 3, "...", 3); |
There was a problem hiding this comment.
An option would be to handle / replace non-printable characters (an idea).
src/sign_msg.c
Outdated
| start_review, | ||
| nbgl_reject_message_choice); | ||
| make_content_list(); | ||
| nbgl_useCaseReview(TYPE_MESSAGE, |
There was a problem hiding this comment.
I assume this is the new, recommended way, without nbgl_useCaseReviewStart, correct?
There was a problem hiding this comment.
Yes, this is a newer function, that generates similar result for both blind signing (nbgl_useCaseReviewBlindSigning) and regular flows. The same used in signing transactions. They stated in the review that this is the required form and asked for us to change the code accordingly
|
|
||
| content_pairs_list[step].item = "Hash"; | ||
| content_pairs_list[step++].value = msg_context.strhash; | ||
| content_pairs_list[step].item = "Message"; |
| content.nbMaxLinesForValue = 2; | ||
| content.token = 0; | ||
| content.smallCaseForValue = false; | ||
| content.wrapping = true; |
src/sign_msg.c
Outdated
| msg_context.message_received_length += data_length; | ||
|
|
||
| if (msg_context.message_received_length > MAX_DISPLAY_MESSAGE_SIZE) { | ||
| memcpy(msg_context.message + MAX_DISPLAY_MESSAGE_SIZE - 3, "...", 3); |
There was a problem hiding this comment.
In parse_tx.c, we use e.g.:
int ellipsisLen = strlen(ellipsis);
Maybe have a similar approach (named variable or so)?
| rapdu = backend.exchange(CLA, Ins.SIGN_MSG, P1.FIRST, 0, payload) | ||
| assert rapdu.status == Error.MESSAGE_TOO_LONG | ||
|
|
||
| def test_blind_sign_msg_confirmed(self, backend, navigator, test_name): |
There was a problem hiding this comment.
Maybe we should say "message" instead of "transaction" for this flow?
There was a problem hiding this comment.
An observation - ü is skipped / lost (utf-8 "magic" / not 1-byte-to-1-char equivalence).
There was a problem hiding this comment.
it was skipped before the length fix, now it is replace with '??'
src/sign_msg.c
Outdated
| &C_icon_multiversx_logo_64x64, | ||
| "Review message to\nsign on " APPNAME "\nnetwork", | ||
| "", | ||
| "Accept risk and sign transaction?", |
There was a problem hiding this comment.
"message" instead of "transaction"?
src/sign_msg.c
Outdated
|
|
||
| #endif | ||
|
|
||
| static bool verify_message(char *decoded, size_t len) { |
There was a problem hiding this comment.
Seems fine for our purpose. The utf-8 encoded bytes used in the test trick this function a bit, since there isn't a 1-to-1 equivalence between the original characters and the input bytes (in the encoding).
There was a problem hiding this comment.
yes, I think so too, doing a proper utf8 decoding seems too much for our purposes, in my opinion
src/sign_msg.c
Outdated
|
|
||
| #endif | ||
|
|
||
| static bool verify_message(char *decoded, size_t len) { |
There was a problem hiding this comment.
The parameter name "decoded" - is it appropriate? Maybe simply "message"?
src/sign_msg.c
Outdated
| data_buffer, | ||
| length_to_copy); | ||
|
|
||
| bool result = verify_message(msg_context.message + msg_context.message_received_length, |
There was a problem hiding this comment.
The variable result can be renamed e.g. verification_result, or directly use found_non_printable_chars (just an opinion, can also stay as it is).
There was a problem hiding this comment.
I would also directly set it to found_non_printable_chars, then we can remove the check & assignment at 292-293
There was a problem hiding this comment.
This takes into account the fact that the body of the message may come in multiple bulks. Thus if in an earlier bulk non-printable chars were found whereas in later bulks all is clear, it wouldn't be correct to update found_non_printable_chars to false.
| static bool verify_message(char *decoded, size_t len) { | ||
| bool has_non_printable_chars = false; | ||
| for (size_t i = 0; i < len / 4 * 3; i++) { | ||
| for (size_t i = 0; i < len; i++) { |
There was a problem hiding this comment.
Oh, true, good catch!
src/sign_msg.c
Outdated
| data_buffer, | ||
| length_to_copy); | ||
|
|
||
| bool result = verify_message(msg_context.message + msg_context.message_received_length, |
There was a problem hiding this comment.
I would also directly set it to found_non_printable_chars, then we can remove the check & assignment at 292-293
src/sign_msg.c
Outdated
| } | ||
|
|
||
| static void process_message(uint8_t *message, size_t data_length) { | ||
| PRINTF(message, data_length); |
There was a problem hiding this comment.
Required or debugging artifact?
There was a problem hiding this comment.
it was for debugging purposes. removed
Checklist
develop