fix(hive): enforce SLIP-48 path in SignTx + specific memo-length error#305
Merged
Conversation
- HiveSignTx now rejects address_n outside m/48'/13'/role'/account'/0' (account_create/update already enforced this; the transfer handler was the gap — a compromised host could request a Hive signature with a key from another coin's derivation tree) - memo >440 bytes fails up front with a specific message instead of surfacing as a generic 'Hive signing failed' from the serializer guard - HIVE_MAX_MEMO_LEN moves to hive.h so the fsm handler shares the limit - hive.h documents that 13' is the de-facto Ledger-compatible network index, not the slip-0048.md registry value (0xbee); hive.c documents that hived post-HF28 only enforces BIP-0062 low-S, so the strict legacy canonical predicate is belt-and-suspenders - pin python-keepkey 560b897 -> 02fa3ea: negative tests for all three path rejections + memo limit + 440 boundary Emulator-verified on develop (rc9 base): 191/191 firmware-unit, 10/10 test_msg_hive.py over UDP emulator.
hive_slip48_path_ok now takes the required role: transfers demand active' (post-HF28 hived rejects higher-role substitution, and the cold owner key must never sign a spend), account_create/account_update demand owner' (the sponsor attestation recovers to the device owner key, and update replaces the owner authority itself). Pin python-keepkey 02fa3ea -> 35555d7: transfer rejects owner/memo/ posting/unassigned roles; account ops reject an active-role path. Emulator-verified: 191/191 firmware-unit, 11/11 test_msg_hive.py.
This was referenced Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the two remaining hive-audit firmware findings (F3/F4) against rc9 (develop
9ce5a013).F3 — path enforcement gap in HiveSignTx
HiveSignAccountCreate/HiveSignAccountUpdatealready validate the SLIP-0048 path shape; the transfer handler did not — it derived from any host-suppliedaddress_n. A compromised host could request a Hive signature with a key from another coin's derivation tree.fsm_msgHiveSignTxnow enforcesm/48'/13'/role'/account'/0'(all hardened, role ∈ {owner, active, memo, posting}) via the samehive_slip48_path_okhelper, hoisted above all three handlers.F4 — memo-length silent failure
Memo >440 bytes previously died in the serializer bounds guard and surfaced as a generic "Hive signing failed". The handler now pre-checks and returns "Hive memo too long (max 440 bytes)".
HIVE_MAX_MEMO_LENmoves tohive.hso handler and serializer share one limit; the serializer guard stays as backstop.Documentation corrections (audit F1/F2 fallout)
hive.h: 13' is the de-facto Ledger-compatible network index (LedgerHQ/app-hive, hive-ledger-cli), not the slip-0048.md registry value (0xbee = 3054', which no wallet ships). Deliberate choice for seed-level ecosystem compatibility.hive.c: hived post-HF28 enforces only BIP-0062 low-S (fcis_canonical→is_bip_0062_canonical; openhive-network/hivefull_transaction.cpp); the strict legacy Graphene predicate we pass toecdsa_sign_digestis belt-and-suspenders, kept.python-keepkey pin bump (560b897 → 02fa3ea)
New negative coverage on
BitHighlander/python-keepkeybranchfix/hive-sign-hardening-tests:config.py:KK_FORCE_UDP=1local-only escape hatch (skip HID/WebUSB autodetect when a real device is plugged in; not for CI)Verification (local, macOS ARM64 emulator)
firmware-unit: 191/191 passtest_msg_hive.pyover UDP emulator: 10/10 pass (5 pre-existing + 5 new)No wire-format or signature-byte changes — safe for the 7.15.0 line; the F6 attestation fixture can be captured on any hive-bearing rc.