From 125ab8471c00a76a79a83f541e8f7f85ea54c96f Mon Sep 17 00:00:00 2001
From: Pavol Rusnak <stick@gk2.sk>
Date: Fri, 15 Dec 2017 19:22:59 +0100
Subject: [PATCH] trezorhal: store image fingerprint in the image_header
 structure

---
 embed/trezorhal/image.c | 5 ++---
 embed/trezorhal/image.h | 1 +
 tools/binctl            | 4 +++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/embed/trezorhal/image.c b/embed/trezorhal/image.c
index c689bda7..6ea1083f 100644
--- a/embed/trezorhal/image.c
+++ b/embed/trezorhal/image.c
@@ -59,19 +59,18 @@ secbool load_image_header(const uint8_t * const data, const uint32_t magic, cons
 
     // check header signature
 
-    uint8_t hash[BLAKE2S_DIGEST_LENGTH];
     BLAKE2S_CTX ctx;
     blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
     blake2s_Update(&ctx, data, IMAGE_HEADER_SIZE - IMAGE_SIG_SIZE);
     for (int i = 0; i < IMAGE_SIG_SIZE; i++) {
         blake2s_Update(&ctx, (const uint8_t *)"\x00", 1);
     }
-    blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
+    blake2s_Final(&ctx, hdr->fingerprint, BLAKE2S_DIGEST_LENGTH);
 
     ed25519_public_key pub;
     if (sectrue != compute_pubkey(key_m, key_n, keys, hdr->sigmask, pub)) return secfalse;
 
-    return sectrue * (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr->sig));
+    return sectrue * (0 == ed25519_sign_open(hdr->fingerprint, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr->sig));
 }
 
 secbool load_vendor_header(const uint8_t * const data, uint8_t key_m, uint8_t key_n, const uint8_t * const *keys, vendor_header * const vhdr)
diff --git a/embed/trezorhal/image.h b/embed/trezorhal/image.h
index a87e7c34..30ed15d5 100644
--- a/embed/trezorhal/image.h
+++ b/embed/trezorhal/image.h
@@ -31,6 +31,7 @@ typedef struct {
     // uint8_t reserved[415];
     uint8_t sigmask;
     uint8_t sig[64];
+    uint8_t fingerprint[32];
 } image_header;
 
 #define MAX_VENDOR_PUBLIC_KEYS 8
diff --git a/tools/binctl b/tools/binctl
index 6a56a3cf..49ddff47 100755
--- a/tools/binctl
+++ b/tools/binctl
@@ -54,7 +54,9 @@ class BinImage(object):
         assert self.reserved2 == 415 * b'\x00'
         self.code = data[self.hdrlen:]
         assert len(self.code) == self.codelen
-        self.fingerprint = pyblake2.blake2s(data[:IMAGE_HEADER_SIZE - 65]).hexdigest()
+        h = pyblake2.blake2s(data[:IMAGE_HEADER_SIZE - 65])
+        h.update(b'\x00' * 65)
+        self.fingerprint = h.hexdigest()
 
     def print(self):
         if self.magic == b'TRZF':