signing: Add Decred support

firmware/signing.c

@@ -45,7 +45,8 @@ enum {
 	STAGE_REQUEST_4_OUTPUT,
 	STAGE_REQUEST_SEGWIT_INPUT,
 	STAGE_REQUEST_5_OUTPUT,
-	STAGE_REQUEST_SEGWIT_WITNESS
+	STAGE_REQUEST_SEGWIT_WITNESS,
+	STAGE_REQUEST_DECRED_WITNESS
 } signing_stage;
 static uint32_t idx1, idx2;
 static uint32_t signatures;
@@ -57,6 +58,7 @@ static Hasher hashers[3];
 static uint8_t CONFIDENTIAL privkey[32];
 static uint8_t pubkey[33], sig[64];
 static uint8_t hash_prevouts[32], hash_sequence[32],hash_outputs[32];
+static uint8_t hash_prefix[32];
 static uint8_t hash_check[32];
 static uint64_t to_spend, authorized_amount, spending, change_spend;
 static uint32_t version = 1;
@@ -92,6 +94,12 @@ enum {
 	SIGHASH_FORKID = 0x40,
 };
 
+enum {
+	DECRED_SERIALIZE_FULL = 0,
+	DECRED_SERIALIZE_NO_WITNESS = 1,
+	DECRED_SERIALIZE_WITNESS_SIGNING = 3,
+};
+
 
 /* progress_step/meta_step are fixed point numbers, giving the
  * progress per input in permille with these many additional bits.
@@ -298,6 +306,17 @@ void send_req_segwit_witness(void)
 	msg_write(MessageType_MessageType_TxRequest, &resp);
 }
 
+void send_req_decred_witness(void)
+{
+	signing_stage = STAGE_REQUEST_DECRED_WITNESS;
+	resp.has_request_type = true;
+	resp.request_type = RequestType_TXINPUT;
+	resp.has_details = true;
+	resp.details.has_request_index = true;
+	resp.details.request_index = idx1;
+	msg_write(MessageType_MessageType_TxRequest, &resp);
+}
+
 void send_req_5_output(void)
 {
 	signing_stage = STAGE_REQUEST_5_OUTPUT;
@@ -464,6 +483,18 @@ void signing_init(const SignTx *msg, const CoinInfo *_coin, const HDNode *_root)
 	next_nonsegwit_input = 0xffffffff;
 
 	tx_init(&to, inputs_count, outputs_count, version, lock_time, 0, coin->curve->hasher_type);
+
+	if (coin->decred) {
+		to.version |= (DECRED_SERIALIZE_FULL << 16);
+		to.is_decred = true;
+		to.decred_expiry = msg->decred_expiry;
+
+		tx_init(&ti, inputs_count, outputs_count, version, lock_time, 0, coin->curve->hasher_type);
+		ti.version |= (DECRED_SERIALIZE_NO_WITNESS << 16);
+		ti.is_decred = true;
+		ti.decred_expiry = msg->decred_expiry;
+	}
+
 	// segwit hashes for hashPrevouts and hashSequence
 	hasher_Init(&hashers[0], coin->curve->hasher_type);
 	hasher_Init(&hashers[1], coin->curve->hasher_type);
@@ -503,6 +534,15 @@ static bool signing_check_input(TxInputType *txinput) {
 	// compute segwit hashPrevouts & hashSequence
 	tx_prevout_hash(&hashers[0], txinput);
 	tx_sequence_hash(&hashers[1], txinput);
+	if (coin->decred) {
+		// serialize Decred prefix in Phase 1
+		resp.has_serialized = true;
+		resp.serialized.has_serialized_tx = true;
+		resp.serialized.serialized_tx.size = tx_serialize_input(&to, txinput, resp.serialized.serialized_tx.bytes);
+
+		// compute Decred hashPrefix
+		tx_serialize_input_hash(&ti, txinput);
+	}
 	// hash prevout and script type to check it later (relevant for fee computation)
 	tx_prevout_hash(&hashers[2], txinput);
 	hasher_Update(&hashers[2], (const uint8_t *) &txinput->script_type, sizeof(&txinput->script_type));
@@ -589,8 +629,17 @@ static bool signing_check_output(TxOutputType *txoutput) {
 		signing_abort();
 		return false;
 	}
+	if (coin->decred) {
+		// serialize Decred prefix in Phase 1
+		resp.has_serialized = true;
+		resp.serialized.has_serialized_tx = true;
+		resp.serialized.serialized_tx.size = tx_serialize_output(&to, &bin_output, resp.serialized.serialized_tx.bytes);
+
+		// compute Decred hashPrefix
+		tx_serialize_output_hash(&ti, &bin_output);
+	}
 	//  compute segwit hashOuts
-	tx_output_hash(&hashers[0], &bin_output);
+	tx_output_hash(&hashers[0], &bin_output, coin->decred);
 	return true;
 }
 
@@ -635,6 +684,10 @@ static void phase1_request_next_output(void) {
 		idx1++;
 		send_req_3_output();
 	} else {
+		if (coin->decred) {
+			// compute Decred hashPrefix
+			tx_hash_final(&ti, hash_prefix, false);
+		}
 		hasher_Double(&hashers[0], hash_outputs);
 		if (!signing_check_fee()) {
 			return;
@@ -643,7 +696,12 @@ static void phase1_request_next_output(void) {
 		progress_meta_step = progress_step / (inputs_count + outputs_count);
 		layoutProgress(_("Signing transaction"), progress);
 		idx1 = 0;
-		phase2_request_next_input();
+		if (coin->decred) {
+			// Decred prefix serialized in Phase 1, skip Phase 2
+			send_req_decred_witness();
+		} else {
+			phase2_request_next_input();
+		}
 	}
 }
 
@@ -663,6 +721,15 @@ static void signing_hash_bip143(const TxInputType *txinput, uint8_t *hash) {
 	hasher_Double(&hashers[0], hash);
 }
 
+static void signing_hash_decred(const uint8_t *hash_witness, uint8_t *hash) {
+	uint32_t hash_type = signing_hash_type();
+	hasher_Reset(&hashers[0]);
+	hasher_Update(&hashers[0], (const uint8_t*) &hash_type, 4);
+	hasher_Update(&hashers[0], hash_prefix, 32);
+	hasher_Update(&hashers[0], hash_witness, 32);
+	hasher_Final(&hashers[0], hash);
+}
+
 static bool signing_sign_hash(TxInputType *txinput, const uint8_t* private_key, const uint8_t *public_key, const uint8_t *hash) {
 	resp.serialized.has_signature_index = true;
 	resp.serialized.signature_index = idx1;
@@ -785,6 +852,17 @@ static bool signing_sign_segwit_input(TxInputType *txinput) {
 	return true;
 }
 
+static bool signing_sign_decred_input(TxInputType *txinput) {
+	uint8_t hash[32], hash_witness[32];
+	tx_hash_final(&ti, hash_witness, false);
+	signing_hash_decred(hash_witness, hash);
+	resp.has_serialized = true;
+	if (!signing_sign_hash(txinput, node.private_key, node.public_key, hash))
+		return false;
+	resp.serialized.serialized_tx.size = tx_serialize_decred_witness(&to, txinput, resp.serialized.serialized_tx.bytes);
+	return true;
+}
+
 #define ENABLE_SEGWIT_NONSEGWIT_MIXING  1
 
 void signing_txack(TransactionType *tx)
@@ -842,6 +920,11 @@ void signing_txack(TransactionType *tx)
 				}
 			} else if  (tx->inputs[0].script_type == InputScriptType_SPENDWITNESS
 						|| tx->inputs[0].script_type == InputScriptType_SPENDP2SHWITNESS) {
+				if (coin->decred) {
+					fsm_sendFailure(FailureType_Failure_DataError, _("Decred does not support Segwit"));
+					signing_abort();
+					return;
+				}
 				if (!coin->has_segwit) {
 					fsm_sendFailure(FailureType_Failure_DataError, _("Segwit not enabled on this coin"));
 					signing_abort();
@@ -883,6 +966,11 @@ void signing_txack(TransactionType *tx)
 			return;
 		case STAGE_REQUEST_2_PREV_META:
 			tx_init(&tp, tx->inputs_cnt, tx->outputs_cnt, tx->version, tx->lock_time, tx->extra_data_len, coin->curve->hasher_type);
+			if (coin->decred) {
+				tp.version |= (DECRED_SERIALIZE_NO_WITNESS << 16);
+				tp.is_decred = true;
+				tp.decred_expiry = tx->decred_expiry;
+			}
 			progress_meta_step = progress_step / (tp.inputs_len + tp.outputs_len);
 			idx2 = 0;
 			if (tp.inputs_len > 0) {
@@ -1008,7 +1096,7 @@ void signing_txack(TransactionType *tx)
 				return;
 			}
 			//  check hashOutputs
-			tx_output_hash(&hashers[0], &bin_output);
+			tx_output_hash(&hashers[0], &bin_output, coin->decred);
 			if (!tx_serialize_output_hash(&ti, &bin_output)) {
 				fsm_sendFailure(FailureType_Failure_ProcessError, _("Failed to serialize output"));
 				signing_abort();
@@ -1146,6 +1234,56 @@ void signing_txack(TransactionType *tx)
 				signing_abort();
 			}
 			return;
+
+		case STAGE_REQUEST_DECRED_WITNESS:
+			progress = 500 + ((signatures * progress_step + idx2 * progress_meta_step) >> PROGRESS_PRECISION);
+			if (idx1 == 0) {
+				// witness
+				tx_init(&to, inputs_count, outputs_count, version, lock_time, 0, coin->curve->hasher_type);
+				to.is_decred = true;
+			}
+
+			// witness hash
+			tx_init(&ti, inputs_count, outputs_count, version, lock_time, 0, coin->curve->hasher_type);
+			ti.version |= (DECRED_SERIALIZE_WITNESS_SIGNING << 16);
+			ti.is_decred = true;
+			if (!compile_input_script_sig(&tx->inputs[0])) {
+				fsm_sendFailure(FailureType_Failure_ProcessError, _("Failed to compile input"));
+				signing_abort();
+				return;
+			}
+
+			for (idx2 = 0; idx2 < inputs_count; idx2++) {
+				uint32_t r;
+				if (idx2 == idx1) {
+					r = tx_serialize_decred_witness_hash(&ti, &tx->inputs[0]);
+				} else {
+					r = tx_serialize_decred_witness_hash(&ti, NULL);
+				}
+
+				if (!r) {
+					fsm_sendFailure(FailureType_Failure_ProcessError, _("Failed to serialize input"));
+					signing_abort();
+					return;
+				}
+			}
+
+			if (!signing_sign_decred_input(&tx->inputs[0])) {
+				return;
+			}
+			// since this took a longer time, update progress
+			signatures++;
+			progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION);
+			layoutProgress(_("Signing transaction"), progress);
+			update_ctr = 0;
+			if (idx1 < inputs_count - 1) {
+				idx1++;
+				send_req_decred_witness();
+			} else {
+				send_req_finished();
+				signing_abort();
+			}
+			return;
 	}
 	
 	fsm_sendFailure(FailureType_Failure_ProcessError, _("Signing error"));

firmware/transaction.c

@@ -173,6 +173,7 @@ int compile_output(const CoinInfo *coin, const HDNode *root, TxOutputType *in, T
 {
 	memset(out, 0, sizeof(TxOutputBinType));
 	out->amount = in->amount;
+	out->decred_script_version = in->decred_script_version;
 	uint8_t addr_raw[MAX_ADDR_RAW_SIZE];
 	size_t addr_raw_len;
 
@@ -399,10 +400,14 @@ uint32_t tx_sequence_hash(Hasher *hasher, const TxInputType *input)
 	return 4;
 }
 
-uint32_t tx_output_hash(Hasher *hasher, const TxOutputBinType *output)
+uint32_t tx_output_hash(Hasher *hasher, const TxOutputBinType *output, bool decred)
 {
 	uint32_t r = 0;
 	hasher_Update(hasher, (const uint8_t *)&output->amount, 8); r += 8;
+	if (decred) {
+		uint16_t script_version = output->decred_script_version & 0xFFFF;
+		hasher_Update(hasher, (const uint8_t *)&script_version, 2); r += 2;
+	}
 	r += tx_script_hash(hasher, output->script_pubkey.size, output->script_pubkey.bytes);
 	return r;
 }
@@ -451,7 +456,12 @@ uint32_t tx_serialize_input(TxStruct *tx, const TxInputType *input, uint8_t *out
 	}
 	r += 32;
 	memcpy(out + r, &input->prev_index, 4); r += 4;
-	r += tx_serialize_script(input->script_sig.size, input->script_sig.bytes, out + r);
+	if (tx->is_decred) {
+		uint8_t tree = input->decred_tree & 0xFF;
+		out[r++] = tree;
+	} else {
+		r += tx_serialize_script(input->script_sig.size, input->script_sig.bytes, out + r);
+	}
 	memcpy(out + r, &input->sequence, 4); r += 4;
 
 	tx->have_inputs++;
@@ -471,7 +481,12 @@ uint32_t tx_serialize_input_hash(TxStruct *tx, const TxInputType *input)
 		r += tx_serialize_header_hash(tx);
 	}
 	r += tx_prevout_hash(&(tx->hasher), input);
-	r += tx_script_hash(&(tx->hasher), input->script_sig.size, input->script_sig.bytes);
+	if (tx->is_decred) {
+		uint8_t tree = input->decred_tree & 0xFF;
+		hasher_Update(&(tx->hasher), (const uint8_t *)&(tree), 1); r++;
+	} else {
+		r += tx_script_hash(&(tx->hasher), input->script_sig.size, input->script_sig.bytes);
+	}
 	r += tx_sequence_hash(&(tx->hasher), input);
 
 	tx->have_inputs++;
@@ -480,6 +495,53 @@ uint32_t tx_serialize_input_hash(TxStruct *tx, const TxInputType *input)
 	return r;
 }
 
+uint32_t tx_serialize_decred_witness(TxStruct *tx, const TxInputType *input, uint8_t *out)
+{
+	static const uint64_t amount = 0;
+	static const uint32_t block_height = 0x00000000;
+	static const uint32_t block_index = 0xFFFFFFFF;
+
+	if (tx->have_inputs >= tx->inputs_len) {
+		// already got all inputs
+		return 0;
+	}
+	uint32_t r = 0;
+	if (tx->have_inputs == 0) {
+		r += ser_length(tx->inputs_len, out + r);
+	}
+	memcpy(out + r, &amount, 8); r += 8;
+	memcpy(out + r, &block_height, 4); r += 4;
+	memcpy(out + r, &block_index, 4); r += 4;
+	r += tx_serialize_script(input->script_sig.size, input->script_sig.bytes, out + r);
+
+	tx->have_inputs++;
+	tx->size += r;
+
+	return r;
+}
+
+uint32_t tx_serialize_decred_witness_hash(TxStruct *tx, const TxInputType *input)
+{
+	if (tx->have_inputs >= tx->inputs_len) {
+		// already got all inputs
+		return 0;
+	}
+	uint32_t r = 0;
+	if (tx->have_inputs == 0) {
+		r += tx_serialize_header_hash(tx);
+	}
+	if (input == NULL) {
+		r += ser_length_hash(&(tx->hasher), 0);
+	} else {
+		r += tx_script_hash(&(tx->hasher), input->script_sig.size, input->script_sig.bytes);
+	}
+
+	tx->have_inputs++;
+	tx->size += r;
+
+	return r;
+}
+
 uint32_t tx_serialize_middle(TxStruct *tx, uint8_t *out)
 {
 	return ser_length(tx->outputs_len, out);
@@ -493,12 +555,20 @@ uint32_t tx_serialize_middle_hash(TxStruct *tx)
 uint32_t tx_serialize_footer(TxStruct *tx, uint8_t *out)
 {
 	memcpy(out, &(tx->lock_time), 4);
+	if (tx->is_decred) {
+		memcpy(out + 4, &(tx->decred_expiry), 4);
+		return 8;
+	}
 	return 4;
 }
 
 uint32_t tx_serialize_footer_hash(TxStruct *tx)
 {
 	hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->lock_time), 4);
+	if (tx->is_decred) {
+		hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->decred_expiry), 4);
+		return 8;
+	}
 	return 4;
 }
 
@@ -517,6 +587,10 @@ uint32_t tx_serialize_output(TxStruct *tx, const TxOutputBinType *output, uint8_
 		r += tx_serialize_middle(tx, out + r);
 	}
 	memcpy(out + r, &output->amount, 8); r += 8;
+	if (tx->is_decred) {
+		uint16_t script_version = output->decred_script_version & 0xFFFF;
+		memcpy(out + r, &script_version, 2); r += 2;
+	}
 	r += tx_serialize_script(output->script_pubkey.size, output->script_pubkey.bytes, out + r);
 	tx->have_outputs++;
 	if (tx->have_outputs == tx->outputs_len
@@ -541,7 +615,7 @@ uint32_t tx_serialize_output_hash(TxStruct *tx, const TxOutputBinType *output)
 	if (tx->have_outputs == 0) {
 		r += tx_serialize_middle_hash(tx);
 	}
-	r += tx_output_hash(&(tx->hasher), output);
+	r += tx_output_hash(&(tx->hasher), output, tx->is_decred);
 	tx->have_outputs++;
 	if (tx->have_outputs == tx->outputs_len
 		&& !tx->is_segwit) {
@@ -583,12 +657,18 @@ void tx_init(TxStruct *tx, uint32_t inputs_len, uint32_t outputs_len, uint32_t v
 	tx->extra_data_received = 0;
 	tx->size = 0;
 	tx->is_segwit = false;
+	tx->is_decred = false;
+	tx->decred_expiry = 0;
 	hasher_Init(&(tx->hasher), hasher_type);
 }
 
 void tx_hash_final(TxStruct *t, uint8_t *hash, bool reverse)
 {
-	hasher_Double(&(t->hasher), hash);
+	if (t->is_decred) {
+		hasher_Final(&(t->hasher), hash);
+	} else {
+		hasher_Double(&(t->hasher), hash);
+	}
 	if (!reverse) return;
 	for (uint8_t i = 0; i < 16; i++) {
 		uint8_t k = hash[31 - i];

firmware/transaction.h

@@ -34,7 +34,9 @@ typedef struct {
 
 	uint32_t version;
 	uint32_t lock_time;
+	uint32_t decred_expiry;
 	bool is_segwit;
+	bool is_decred;
 
 	uint32_t have_inputs;
 	uint32_t have_outputs;
@@ -58,18 +60,20 @@ int compile_output(const CoinInfo *coin, const HDNode *root, TxOutputType *in, T
 uint32_t tx_prevout_hash(Hasher *hasher, const TxInputType *input);
 uint32_t tx_script_hash(Hasher *hasher, uint32_t size, const uint8_t *data);
 uint32_t tx_sequence_hash(Hasher *hasher, const TxInputType *input);
-uint32_t tx_output_hash(Hasher *hasher, const TxOutputBinType *output);
+uint32_t tx_output_hash(Hasher *hasher, const TxOutputBinType *output, bool decred);
 uint32_t tx_serialize_script(uint32_t size, const uint8_t *data, uint8_t *out);
 
 uint32_t tx_serialize_footer(TxStruct *tx, uint8_t *out);
 uint32_t tx_serialize_input(TxStruct *tx, const TxInputType *input, uint8_t *out);
 uint32_t tx_serialize_output(TxStruct *tx, const TxOutputBinType *output, uint8_t *out);
+uint32_t tx_serialize_decred_witness(TxStruct *tx, const TxInputType *input, uint8_t *out);
 
 void tx_init(TxStruct *tx, uint32_t inputs_len, uint32_t outputs_len, uint32_t version, uint32_t lock_time, uint32_t extra_data_len, HasherType hasher_type);
 uint32_t tx_serialize_header_hash(TxStruct *tx);
 uint32_t tx_serialize_input_hash(TxStruct *tx, const TxInputType *input);
 uint32_t tx_serialize_output_hash(TxStruct *tx, const TxOutputBinType *output);
 uint32_t tx_serialize_extra_data_hash(TxStruct *tx, const uint8_t *data, uint32_t datalen);
+uint32_t tx_serialize_decred_witness_hash(TxStruct *tx, const TxInputType *input);
 void tx_hash_final(TxStruct *t, uint8_t *hash, bool reverse);
 
 uint32_t tx_input_weight(const TxInputType *txinput);