1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-07-04 13:52:35 +00:00

chore(legacy): Create TxInfo struct in Bitcoin signing.

This commit is contained in:
Andrew Kozlik 2020-11-27 12:33:12 +01:00 committed by Andrew Kozlik
parent a2e35fabce
commit 4ad1fbc133

View File

@ -30,8 +30,6 @@
#include "secp256k1.h" #include "secp256k1.h"
#include "transaction.h" #include "transaction.h"
static uint32_t inputs_count;
static uint32_t outputs_count;
static uint32_t change_count; static uint32_t change_count;
static const CoinInfo *coin; static const CoinInfo *coin;
static CONFIDENTIAL HDNode root; static CONFIDENTIAL HDNode root;
@ -62,32 +60,45 @@ static TxRequest resp;
static TxInputType input; static TxInputType input;
static TxOutputBinType bin_output; static TxOutputBinType bin_output;
static TxStruct to, tp, ti; static TxStruct to, tp, ti;
static Hasher hasher_prevouts, hasher_sequence, hasher_outputs, hasher_check; static Hasher hasher_check;
static uint8_t CONFIDENTIAL privkey[32]; static uint8_t CONFIDENTIAL privkey[32];
static uint8_t pubkey[33], sig[64]; static uint8_t pubkey[33], sig[64];
static uint8_t hash_prevouts[32], hash_sequence[32], hash_outputs[32];
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
static uint8_t decred_hash_prefix[32]; static uint8_t decred_hash_prefix[32];
#endif #endif
static uint8_t hash_inputs_check[32]; static uint8_t hash_inputs_check[32];
static uint64_t total_in, total_out, change_out; static uint64_t total_in, total_out, change_out;
static uint32_t version = 1;
static uint32_t lock_time = 0;
static uint32_t expiry = 0;
static uint32_t version_group_id = 0;
static uint32_t timestamp = 0;
static uint32_t min_sequence = 0;
#if !BITCOIN_ONLY
static uint32_t branch_id = 0;
#endif
static uint32_t next_nonsegwit_input; static uint32_t next_nonsegwit_input;
static uint32_t progress, progress_step, progress_meta_step; static uint32_t progress, progress_step, progress_meta_step;
static bool multisig_fp_set, multisig_fp_mismatch;
static uint8_t multisig_fp[32];
static uint32_t in_address_n[8];
static size_t in_address_n_count;
static uint32_t tx_weight; static uint32_t tx_weight;
typedef struct {
uint32_t inputs_count;
uint32_t outputs_count;
uint32_t min_sequence;
bool multisig_fp_set;
bool multisig_fp_mismatch;
uint8_t multisig_fp[32];
uint32_t in_address_n[8];
size_t in_address_n_count;
uint32_t version;
uint32_t lock_time;
uint32_t expiry;
uint32_t version_group_id;
uint32_t timestamp;
#if !BITCOIN_ONLY
uint32_t branch_id;
#endif
Hasher hasher_prevouts;
Hasher hasher_sequence;
Hasher hasher_outputs;
uint8_t hash_prevouts[32];
uint8_t hash_sequence[32];
uint8_t hash_outputs[32];
} TxInfo;
static TxInfo info;
/* A marker for in_address_n_count to indicate a mismatch in bip32 paths in /* A marker for in_address_n_count to indicate a mismatch in bip32 paths in
input */ input */
#define BIP32_NOCHANGEALLOWED 1 #define BIP32_NOCHANGEALLOWED 1
@ -405,16 +416,11 @@ void send_req_finished(void) {
} }
void phase1_request_next_input(void) { void phase1_request_next_input(void) {
if (idx1 < inputs_count - 1) { if (idx1 < info.inputs_count - 1) {
idx1++; idx1++;
send_req_1_input(); send_req_1_input();
} else { } else {
// compute segwit hashPrevouts & hashSequence
hasher_Final(&hasher_prevouts, hash_prevouts);
hasher_Final(&hasher_sequence, hash_sequence);
hasher_Final(&hasher_check, hash_inputs_check); hasher_Final(&hasher_check, hash_inputs_check);
// init hashOutputs
hasher_Reset(&hasher_outputs);
idx1 = 0; idx1 = 0;
send_req_2_output(); send_req_2_output();
} }
@ -429,39 +435,40 @@ void phase2_request_next_input(void) {
} }
} }
void extract_input_bip32_path(const TxInputType *tinput) { void extract_input_bip32_path(TxInfo *tx_info, const TxInputType *tinput) {
if (in_address_n_count == BIP32_NOCHANGEALLOWED) { if (tx_info->in_address_n_count == BIP32_NOCHANGEALLOWED) {
return; return;
} }
size_t count = tinput->address_n_count; size_t count = tinput->address_n_count;
if (count < BIP32_WALLET_DEPTH) { if (count < BIP32_WALLET_DEPTH) {
// no change address allowed // no change address allowed
in_address_n_count = BIP32_NOCHANGEALLOWED; tx_info->in_address_n_count = BIP32_NOCHANGEALLOWED;
return; return;
} }
if (in_address_n_count == 0) { if (tx_info->in_address_n_count == 0) {
// initialize in_address_n on first input seen // initialize in_address_n on first input seen
in_address_n_count = count; tx_info->in_address_n_count = count;
// store the bip32 path up to the account // store the bip32 path up to the account
memcpy(in_address_n, tinput->address_n, memcpy(tx_info->in_address_n, tinput->address_n,
(count - BIP32_WALLET_DEPTH) * sizeof(uint32_t)); (count - BIP32_WALLET_DEPTH) * sizeof(uint32_t));
return; return;
} }
// check that all addresses use a path of same length // check that all addresses use a path of same length
if (in_address_n_count != count) { if (tx_info->in_address_n_count != count) {
in_address_n_count = BIP32_NOCHANGEALLOWED; tx_info->in_address_n_count = BIP32_NOCHANGEALLOWED;
return; return;
} }
// check that the bip32 path up to the account matches // check that the bip32 path up to the account matches
if (memcmp(in_address_n, tinput->address_n, if (memcmp(tx_info->in_address_n, tinput->address_n,
(count - BIP32_WALLET_DEPTH) * sizeof(uint32_t)) != 0) { (count - BIP32_WALLET_DEPTH) * sizeof(uint32_t)) != 0) {
// mismatch -> no change address allowed // mismatch -> no change address allowed
in_address_n_count = BIP32_NOCHANGEALLOWED; tx_info->in_address_n_count = BIP32_NOCHANGEALLOWED;
return; return;
} }
} }
bool check_change_bip32_path(const TxOutputType *toutput) { bool check_change_bip32_path(const TxInfo *tx_info,
const TxOutputType *toutput) {
size_t count = toutput->address_n_count; size_t count = toutput->address_n_count;
// Check that the change path has the same bip32 path length, // Check that the change path has the same bip32 path length,
@ -469,29 +476,29 @@ bool check_change_bip32_path(const TxOutputType *toutput) {
// (chain id and address) are as expected. // (chain id and address) are as expected.
// Note: count >= BIP32_WALLET_DEPTH and count == in_address_n_count // Note: count >= BIP32_WALLET_DEPTH and count == in_address_n_count
// imply that in_address_n_count != BIP32_NOCHANGEALLOWED // imply that in_address_n_count != BIP32_NOCHANGEALLOWED
return (count >= BIP32_WALLET_DEPTH && count == in_address_n_count && return (count >= BIP32_WALLET_DEPTH && count == tx_info->in_address_n_count &&
0 == memcmp(in_address_n, toutput->address_n, 0 == memcmp(tx_info->in_address_n, toutput->address_n,
(count - BIP32_WALLET_DEPTH) * sizeof(uint32_t)) && (count - BIP32_WALLET_DEPTH) * sizeof(uint32_t)) &&
toutput->address_n[count - 2] <= BIP32_CHANGE_CHAIN && toutput->address_n[count - 2] <= BIP32_CHANGE_CHAIN &&
toutput->address_n[count - 1] <= BIP32_MAX_LAST_ELEMENT); toutput->address_n[count - 1] <= BIP32_MAX_LAST_ELEMENT);
} }
bool compile_input_script_sig(TxInputType *tinput) { bool compile_input_script_sig(TxInputType *tinput) {
if (!multisig_fp_mismatch) { if (!info.multisig_fp_mismatch) {
// check that this is still multisig // check that this is still multisig
uint8_t h[32] = {0}; uint8_t h[32] = {0};
if (!tinput->has_multisig || if (!tinput->has_multisig ||
cryptoMultisigFingerprint(&(tinput->multisig), h) == 0 || cryptoMultisigFingerprint(&(tinput->multisig), h) == 0 ||
memcmp(multisig_fp, h, 32) != 0) { memcmp(info.multisig_fp, h, 32) != 0) {
// Transaction has changed during signing // Transaction has changed during signing
return false; return false;
} }
} }
if (in_address_n_count != BIP32_NOCHANGEALLOWED) { if (info.in_address_n_count != BIP32_NOCHANGEALLOWED) {
// check that input address didn't change // check that input address didn't change
size_t count = tinput->address_n_count; size_t count = tinput->address_n_count;
if (count < 2 || count != in_address_n_count || if (count < 2 || count != info.in_address_n_count ||
0 != memcmp(in_address_n, tinput->address_n, 0 != memcmp(info.in_address_n, tinput->address_n,
(count - 2) * sizeof(uint32_t))) { (count - 2) * sizeof(uint32_t))) {
return false; return false;
} }
@ -519,68 +526,151 @@ bool compile_input_script_sig(TxInputType *tinput) {
return tinput->script_sig.size > 0; return tinput->script_sig.size > 0;
} }
void signing_init(const SignTx *msg, const CoinInfo *_coin, static bool tx_info_init(TxInfo *tx_info, uint32_t inputs_count,
const HDNode *_root) { uint32_t outputs_count, uint32_t version,
inputs_count = msg->inputs_count; uint32_t lock_time, bool has_expiry, uint32_t expiry,
outputs_count = msg->outputs_count; bool has_branch_id, uint32_t branch_id,
coin = _coin; bool has_version_group_id, uint32_t version_group_id,
memcpy(&root, _root, sizeof(HDNode)); bool has_timestamp, uint32_t timestamp) {
version = msg->version;
lock_time = msg->lock_time;
min_sequence = SEQUENCE_FINAL;
if (!coin->overwintered) { if (!coin->overwintered) {
if (msg->has_version_group_id) { if (has_version_group_id) {
fsm_sendFailure(FailureType_Failure_DataError, fsm_sendFailure(FailureType_Failure_DataError,
_("Version group ID not enabled on this coin.")); _("Version group ID not enabled on this coin."));
signing_abort(); signing_abort();
return; return false;
} }
if (msg->has_branch_id) { if (has_branch_id) {
fsm_sendFailure(FailureType_Failure_DataError, fsm_sendFailure(FailureType_Failure_DataError,
_("Branch ID not enabled on this coin.")); _("Branch ID not enabled on this coin."));
signing_abort(); signing_abort();
return; return false;
} }
} }
#if !BITCOIN_ONLY if (!coin->timestamp && has_timestamp) {
expiry = (coin->decred || coin->overwintered) ? msg->expiry : 0; fsm_sendFailure(FailureType_Failure_DataError,
timestamp = coin->timestamp ? msg->timestamp : 0; _("Timestamp not enabled on this coin."));
signing_abort();
return false;
}
if (!coin->decred && !coin->overwintered && has_expiry) {
fsm_sendFailure(FailureType_Failure_DataError,
_("Expiry not enabled on this coin."));
signing_abort();
return false;
}
if (inputs_count + outputs_count < inputs_count) {
// Avoid division by zero in progress computations.
fsm_sendFailure(FailureType_Failure_DataError, _("Value overflow"));
signing_abort();
return false;
}
tx_info->inputs_count = inputs_count;
tx_info->outputs_count = outputs_count;
tx_info->min_sequence = SEQUENCE_FINAL;
tx_info->multisig_fp_set = false;
tx_info->multisig_fp_mismatch = false;
tx_info->in_address_n_count = 0;
tx_info->version = version;
tx_info->lock_time = lock_time;
#if BITCOIN_ONLY
(void)expiry;
(void)version_group_id;
(void)timestamp;
(void)branch_id;
tx_info->expiry = 0;
tx_info->version_group_id = 0;
tx_info->timestamp = 0;
#else
tx_info->expiry = (coin->decred || coin->overwintered) ? expiry : 0;
if (coin->timestamp) {
if (!has_timestamp || !timestamp) {
fsm_sendFailure(FailureType_Failure_DataError,
_("Timestamp must be set."));
signing_abort();
return false;
}
tx_info->timestamp = timestamp;
} else {
tx_info->timestamp = 0;
}
if (coin->overwintered) { if (coin->overwintered) {
if (!msg->has_version_group_id) { if (!has_version_group_id) {
fsm_sendFailure(FailureType_Failure_DataError, fsm_sendFailure(FailureType_Failure_DataError,
_("Version group ID must be set.")); _("Version group ID must be set."));
signing_abort(); signing_abort();
return; return false;
} }
if (!msg->has_branch_id) {
if (!has_branch_id) {
fsm_sendFailure(FailureType_Failure_DataError, fsm_sendFailure(FailureType_Failure_DataError,
_("Branch ID must be set.")); _("Branch ID must be set."));
signing_abort(); signing_abort();
return; return false;
} }
if (version != 4) {
if (tx_info->version != 4) {
fsm_sendFailure(FailureType_Failure_DataError, fsm_sendFailure(FailureType_Failure_DataError,
_("Unsupported transaction version.")); _("Unsupported transaction version."));
signing_abort(); signing_abort();
return; return false;
} }
version_group_id = msg->version_group_id;
branch_id = msg->branch_id; tx_info->version_group_id = version_group_id;
tx_info->branch_id = branch_id;
} else { } else {
version_group_id = 0; tx_info->version_group_id = 0;
branch_id = 0; tx_info->branch_id = 0;
} }
#endif #endif
#if !BITCOIN_ONLY
if (coin->overwintered) {
// ZIP-243
hasher_InitParam(&tx_info->hasher_prevouts, HASHER_BLAKE2B_PERSONAL,
"ZcashPrevoutHash", 16);
hasher_InitParam(&tx_info->hasher_sequence, HASHER_BLAKE2B_PERSONAL,
"ZcashSequencHash", 16);
hasher_InitParam(&tx_info->hasher_outputs, HASHER_BLAKE2B_PERSONAL,
"ZcashOutputsHash", 16);
} else
#endif
{
// BIP-143
hasher_Init(&tx_info->hasher_prevouts, coin->curve->hasher_sign);
hasher_Init(&tx_info->hasher_sequence, coin->curve->hasher_sign);
hasher_Init(&tx_info->hasher_outputs, coin->curve->hasher_sign);
}
return true;
}
void signing_init(const SignTx *msg, const CoinInfo *_coin,
const HDNode *_root) {
coin = _coin;
memcpy(&root, _root, sizeof(HDNode));
if (!tx_info_init(&info, msg->inputs_count, msg->outputs_count, msg->version,
msg->lock_time, msg->has_expiry, msg->expiry,
msg->has_branch_id, msg->branch_id,
msg->has_version_group_id, msg->version_group_id,
msg->has_timestamp, msg->timestamp)) {
return;
}
uint32_t size = TXSIZE_HEADER + TXSIZE_FOOTER + uint32_t size = TXSIZE_HEADER + TXSIZE_FOOTER +
ser_length_size(inputs_count) + ser_length_size(info.inputs_count) +
ser_length_size(outputs_count); ser_length_size(info.outputs_count);
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
if (coin->decred) { if (coin->decred) {
size += 4; // Decred expiry size += 4; // Decred expiry
size += ser_length_size(inputs_count); // Witness inputs count size += ser_length_size(info.inputs_count); // Witness inputs count
} }
#endif #endif
@ -599,48 +689,28 @@ void signing_init(const SignTx *msg, const CoinInfo *_coin,
progress = 0; progress = 0;
// we step by 500/inputs_count per input in phase1 and phase2 // we step by 500/inputs_count per input in phase1 and phase2
// this means 50 % per phase. // this means 50 % per phase.
progress_step = (500 << PROGRESS_PRECISION) / inputs_count; progress_step = (500 << PROGRESS_PRECISION) / info.inputs_count;
in_address_n_count = 0;
multisig_fp_set = false;
multisig_fp_mismatch = false;
next_nonsegwit_input = 0xffffffff; next_nonsegwit_input = 0xffffffff;
tx_init(&to, inputs_count, outputs_count, version, lock_time, expiry, 0, tx_init(&to, info.inputs_count, info.outputs_count, info.version,
coin->curve->hasher_sign, coin->overwintered, version_group_id, info.lock_time, info.expiry, 0, coin->curve->hasher_sign,
timestamp); coin->overwintered, info.version_group_id, info.timestamp);
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
if (coin->decred) { if (coin->decred) {
to.version |= (DECRED_SERIALIZE_FULL << 16); to.version |= (DECRED_SERIALIZE_FULL << 16);
to.is_decred = true; to.is_decred = true;
tx_init(&ti, inputs_count, outputs_count, version, lock_time, expiry, 0, tx_init(&ti, info.inputs_count, info.outputs_count, info.version,
coin->curve->hasher_sign, coin->overwintered, version_group_id, info.lock_time, info.expiry, 0, coin->curve->hasher_sign,
timestamp); coin->overwintered, info.version_group_id, info.timestamp);
ti.version |= (DECRED_SERIALIZE_NO_WITNESS << 16); ti.version |= (DECRED_SERIALIZE_NO_WITNESS << 16);
ti.is_decred = true; ti.is_decred = true;
} }
#endif #endif
// segwit hashes for hashPrevouts and hashSequence hasher_Init(&hasher_check, coin->curve->hasher_sign);
#if !BITCOIN_ONLY
if (coin->overwintered) {
hasher_InitParam(&hasher_prevouts, HASHER_BLAKE2B_PERSONAL,
"ZcashPrevoutHash", 16);
hasher_InitParam(&hasher_sequence, HASHER_BLAKE2B_PERSONAL,
"ZcashSequencHash", 16);
hasher_InitParam(&hasher_outputs, HASHER_BLAKE2B_PERSONAL,
"ZcashOutputsHash", 16);
hasher_Init(&hasher_check, coin->curve->hasher_sign);
} else
#endif
{
hasher_Init(&hasher_prevouts, coin->curve->hasher_sign);
hasher_Init(&hasher_sequence, coin->curve->hasher_sign);
hasher_Init(&hasher_outputs, coin->curve->hasher_sign);
hasher_Init(&hasher_check, coin->curve->hasher_sign);
}
layoutProgressSwipe(_("Signing transaction"), 0); layoutProgressSwipe(_("Signing transaction"), 0);
@ -790,11 +860,11 @@ static bool signing_validate_bin_output(TxOutputBinType *tx_bin_output) {
return true; return true;
} }
static bool signing_check_input(const TxInputType *txinput) { static bool tx_info_add_input(TxInfo *tx_info, const TxInputType *txinput) {
/* compute multisig fingerprint */ // Compute multisig fingerprint for change-output detection. In order for an
/* (if all input share the same fingerprint, outputs having the same // output to be considered a change-output, it must have the same fingerprint
* fingerprint will be considered as change outputs) */ // as all inputs.
if (txinput->has_multisig && !multisig_fp_mismatch) { if (txinput->has_multisig && !tx_info->multisig_fp_mismatch) {
uint8_t h[32] = {0}; uint8_t h[32] = {0};
if (cryptoMultisigFingerprint(&txinput->multisig, h) == 0) { if (cryptoMultisigFingerprint(&txinput->multisig, h) == 0) {
fsm_sendFailure(FailureType_Failure_ProcessError, fsm_sendFailure(FailureType_Failure_ProcessError,
@ -802,28 +872,52 @@ static bool signing_check_input(const TxInputType *txinput) {
signing_abort(); signing_abort();
return false; return false;
} }
if (multisig_fp_set) { if (tx_info->multisig_fp_set) {
if (memcmp(multisig_fp, h, 32) != 0) { if (memcmp(tx_info->multisig_fp, h, 32) != 0) {
multisig_fp_mismatch = true; tx_info->multisig_fp_mismatch = true;
} }
} else { } else {
memcpy(multisig_fp, h, 32); memcpy(tx_info->multisig_fp, h, 32);
multisig_fp_set = true; tx_info->multisig_fp_set = true;
} }
} else { // single signature } else { // single signature
multisig_fp_mismatch = true; tx_info->multisig_fp_mismatch = true;
} }
// remember the input bip32 path // Remember the input's BIP-32 path. Change-outputs must use the same path
// change addresses must use the same bip32 path as all inputs // as all inputs.
extract_input_bip32_path(txinput); extract_input_bip32_path(tx_info, txinput);
// remember the minimum nSequence value // Remember the minimum nSequence value.
if (txinput->sequence < min_sequence) min_sequence = txinput->sequence; if (txinput->sequence < tx_info->min_sequence) {
tx_info->min_sequence = txinput->sequence;
}
// compute segwit hashPrevouts & hashSequence // Add input to BIP-143 hashPrevouts and hashSequence.
tx_prevout_hash(&hasher_prevouts, txinput); tx_prevout_hash(&tx_info->hasher_prevouts, txinput);
tx_sequence_hash(&hasher_sequence, txinput); tx_sequence_hash(&tx_info->hasher_sequence, txinput);
return true;
}
static bool tx_info_add_output(TxInfo *tx_info,
const TxOutputBinType *tx_bin_output) {
// Add output to BIP-143 hashOutputs.
tx_output_hash(&tx_info->hasher_outputs, tx_bin_output, coin->decred);
return true;
}
static void tx_info_finish(TxInfo *tx_info) {
hasher_Final(&tx_info->hasher_prevouts, tx_info->hash_prevouts);
hasher_Final(&tx_info->hasher_sequence, tx_info->hash_sequence);
hasher_Final(&tx_info->hasher_outputs, tx_info->hash_outputs);
}
static bool signing_check_input(const TxInputType *txinput) {
// Add input to BIP143 computation.
if (!tx_info_add_input(&info, txinput)) {
return false;
}
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
if (coin->decred) { if (coin->decred) {
@ -853,7 +947,7 @@ static bool signing_check_prevtx_hash(void) {
return false; return false;
} }
if (idx1 < inputs_count - 1) { if (idx1 < info.inputs_count - 1) {
idx1++; idx1++;
send_req_3_input(); send_req_3_input();
} else { } else {
@ -866,7 +960,8 @@ static bool signing_check_prevtx_hash(void) {
} }
// Everything was checked, now phase 2 begins and the transaction is signed. // Everything was checked, now phase 2 begins and the transaction is signed.
progress_meta_step = progress_step / (inputs_count + outputs_count); progress_meta_step =
progress_step / (info.inputs_count + info.outputs_count);
layoutProgress(_("Signing transaction"), progress); layoutProgress(_("Signing transaction"), progress);
idx1 = 0; idx1 = 0;
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
@ -883,32 +978,38 @@ static bool signing_check_prevtx_hash(void) {
return true; return true;
} }
static bool is_change_output(const TxInfo *tx_info,
const TxOutputType *txoutput) {
if (!is_change_output_script_type(txoutput)) {
return false;
}
if (txoutput->address_n_count == 0) {
return false;
}
/*
* For multisig check that all inputs are multisig
*/
if (txoutput->has_multisig) {
uint8_t h[32] = {0};
if (!tx_info->multisig_fp_set || tx_info->multisig_fp_mismatch ||
!cryptoMultisigFingerprint(&(txoutput->multisig), h) ||
memcmp(tx_info->multisig_fp, h, 32) != 0) {
return false;
}
}
return check_change_bip32_path(tx_info, txoutput);
}
static bool signing_check_output(TxOutputType *txoutput) { static bool signing_check_output(TxOutputType *txoutput) {
// Phase1: Check outputs // Phase1: Check outputs
// add it to hash_outputs // add it to hash_outputs
// ask user for permission // ask user for permission
// check for change address // check for change address
bool is_change = false; bool is_change = is_change_output(&info, txoutput);
if (txoutput->address_n_count > 0) {
/*
* For multisig check that all inputs are multisig
*/
if (txoutput->has_multisig) {
uint8_t h[32] = {0};
if (multisig_fp_set && !multisig_fp_mismatch &&
cryptoMultisigFingerprint(&(txoutput->multisig), h) &&
memcmp(multisig_fp, h, 32) == 0) {
is_change = check_change_bip32_path(txoutput);
}
} else {
is_change = check_change_bip32_path(txoutput);
}
}
if (!is_change_output_script_type(txoutput)) {
is_change = false;
}
if (is_change) { if (is_change) {
if (!add_amount(&change_out, txoutput->amount)) { if (!add_amount(&change_out, txoutput->amount)) {
@ -953,9 +1054,8 @@ static bool signing_check_output(TxOutputType *txoutput) {
tx_serialize_output_hash(&ti, &bin_output); tx_serialize_output_hash(&ti, &bin_output);
} }
#endif #endif
// compute segwit hashOuts // Add output to BIP143 computation.
tx_output_hash(&hasher_outputs, &bin_output, coin->decred); return tx_info_add_output(&info, &bin_output);
return true;
} }
static bool signing_confirm_tx(void) { static bool signing_confirm_tx(void) {
@ -996,9 +1096,9 @@ static bool signing_confirm_tx(void) {
} }
} }
if (lock_time != 0) { if (info.lock_time != 0) {
bool lock_time_disabled = (min_sequence == SEQUENCE_FINAL); bool lock_time_disabled = (info.min_sequence == SEQUENCE_FINAL);
layoutConfirmNondefaultLockTime(lock_time, lock_time_disabled); layoutConfirmNondefaultLockTime(info.lock_time, lock_time_disabled);
if (!protectButton(ButtonRequestType_ButtonRequest_SignTx, false)) { if (!protectButton(ButtonRequestType_ButtonRequest_SignTx, false)) {
fsm_sendFailure(FailureType_Failure_ActionCancelled, NULL); fsm_sendFailure(FailureType_Failure_ActionCancelled, NULL);
signing_abort(); signing_abort();
@ -1027,7 +1127,7 @@ static uint32_t signing_hash_type(void) {
} }
static void phase1_request_next_output(void) { static void phase1_request_next_output(void) {
if (idx1 < outputs_count - 1) { if (idx1 < info.outputs_count - 1) {
idx1++; idx1++;
send_req_2_output(); send_req_2_output();
} else { } else {
@ -1037,7 +1137,8 @@ static void phase1_request_next_output(void) {
tx_hash_final(&ti, decred_hash_prefix, false); tx_hash_final(&ti, decred_hash_prefix, false);
} }
#endif #endif
hasher_Final(&hasher_outputs, hash_outputs); // Compute BIP143 hashPrevouts, hashSequence and hashOutputs.
tx_info_finish(&info);
if (!signing_confirm_tx()) { if (!signing_confirm_tx()) {
return; return;
} }
@ -1046,68 +1147,90 @@ static void phase1_request_next_output(void) {
} }
} }
static void signing_hash_bip143(const TxInputType *txinput, uint8_t *hash) { static void signing_hash_bip143(const TxInfo *tx_info,
const TxInputType *txinput, uint8_t *hash) {
uint32_t hash_type = signing_hash_type(); uint32_t hash_type = signing_hash_type();
Hasher hasher_preimage = {0}; Hasher hasher_preimage = {0};
hasher_Init(&hasher_preimage, coin->curve->hasher_sign); hasher_Init(&hasher_preimage, coin->curve->hasher_sign);
hasher_Update(&hasher_preimage, (const uint8_t *)&version, 4); // nVersion
hasher_Update(&hasher_preimage, hash_prevouts, 32); // hashPrevouts // nVersion
hasher_Update(&hasher_preimage, hash_sequence, 32); // hashSequence hasher_Update(&hasher_preimage, (const uint8_t *)&tx_info->version, 4);
tx_prevout_hash(&hasher_preimage, txinput); // outpoint // hashPrevouts
hasher_Update(&hasher_preimage, tx_info->hash_prevouts, 32);
// hashSequence
hasher_Update(&hasher_preimage, tx_info->hash_sequence, 32);
// outpoint
tx_prevout_hash(&hasher_preimage, txinput);
// scriptCode
tx_script_hash(&hasher_preimage, txinput->script_sig.size, tx_script_hash(&hasher_preimage, txinput->script_sig.size,
txinput->script_sig.bytes); // scriptCode txinput->script_sig.bytes);
hasher_Update(&hasher_preimage, (const uint8_t *)&txinput->amount, // amount
8); // amount hasher_Update(&hasher_preimage, (const uint8_t *)&txinput->amount, 8);
tx_sequence_hash(&hasher_preimage, txinput); // nSequence // nSequence
hasher_Update(&hasher_preimage, hash_outputs, 32); // hashOutputs tx_sequence_hash(&hasher_preimage, txinput);
hasher_Update(&hasher_preimage, (const uint8_t *)&lock_time, 4); // nLockTime // hashOutputs
hasher_Update(&hasher_preimage, (const uint8_t *)&hash_type, 4); // nHashType hasher_Update(&hasher_preimage, tx_info->hash_outputs, 32);
// nLockTime
hasher_Update(&hasher_preimage, (const uint8_t *)&tx_info->lock_time, 4);
// nHashType
hasher_Update(&hasher_preimage, (const uint8_t *)&hash_type, 4);
hasher_Final(&hasher_preimage, hash); hasher_Final(&hasher_preimage, hash);
} }
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
static void signing_hash_zip243(const TxInfo *tx_info,
static void signing_hash_zip243(const TxInputType *txinput, uint8_t *hash) { const TxInputType *txinput, uint8_t *hash) {
uint32_t hash_type = signing_hash_type(); uint32_t hash_type = signing_hash_type();
uint8_t personal[16] = {0}; uint8_t personal[16] = {0};
memcpy(personal, "ZcashSigHash", 12); memcpy(personal, "ZcashSigHash", 12);
memcpy(personal + 12, &branch_id, 4); memcpy(personal + 12, &tx_info->branch_id, 4);
Hasher hasher_preimage = {0}; Hasher hasher_preimage = {0};
hasher_InitParam(&hasher_preimage, HASHER_BLAKE2B_PERSONAL, personal, hasher_InitParam(&hasher_preimage, HASHER_BLAKE2B_PERSONAL, personal,
sizeof(personal)); sizeof(personal));
uint32_t ver = version | TX_OVERWINTERED; // 1. nVersion | fOverwintered
// 1. nVersion | fOverwintered
uint32_t ver = tx_info->version | TX_OVERWINTERED;
hasher_Update(&hasher_preimage, (const uint8_t *)&ver, 4); hasher_Update(&hasher_preimage, (const uint8_t *)&ver, 4);
hasher_Update(&hasher_preimage, (const uint8_t *)&version_group_id, // 2. nVersionGroupId
4); // 2. nVersionGroupId hasher_Update(&hasher_preimage, (const uint8_t *)&tx_info->version_group_id,
hasher_Update(&hasher_preimage, hash_prevouts, 32); // 3. hashPrevouts 4);
hasher_Update(&hasher_preimage, hash_sequence, 32); // 4. hashSequence // 3. hashPrevouts
hasher_Update(&hasher_preimage, hash_outputs, 32); // 5. hashOutputs hasher_Update(&hasher_preimage, tx_info->hash_prevouts, 32);
// 6. hashJoinSplits // 4. hashSequence
hasher_Update(&hasher_preimage, tx_info->hash_sequence, 32);
// 5. hashOutputs
hasher_Update(&hasher_preimage, tx_info->hash_outputs, 32);
// 6. hashJoinSplits
hasher_Update(&hasher_preimage, (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32); hasher_Update(&hasher_preimage, (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32);
// 7. hashShieldedSpends // 7. hashShieldedSpends
hasher_Update(&hasher_preimage, (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32); hasher_Update(&hasher_preimage, (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32);
// 8. hashShieldedOutputs // 8. hashShieldedOutputs
hasher_Update(&hasher_preimage, (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32); hasher_Update(&hasher_preimage, (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 32);
hasher_Update(&hasher_preimage, (const uint8_t *)&lock_time, // 9. nLockTime
4); // 9. nLockTime hasher_Update(&hasher_preimage, (const uint8_t *)&tx_info->lock_time, 4);
hasher_Update(&hasher_preimage, (const uint8_t *)&expiry, // 10. expiryHeight
4); // 10. expiryHeight hasher_Update(&hasher_preimage, (const uint8_t *)&tx_info->expiry, 4);
// 11. valueBalance
hasher_Update(&hasher_preimage, hasher_Update(&hasher_preimage,
(const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00", (const uint8_t *)"\x00\x00\x00\x00\x00\x00\x00\x00", 8);
8); // 11. valueBalance // 12. nHashType
hasher_Update(&hasher_preimage, (const uint8_t *)&hash_type, hasher_Update(&hasher_preimage, (const uint8_t *)&hash_type, 4);
4); // 12. nHashType // 13a. outpoint
tx_prevout_hash(&hasher_preimage, txinput);
tx_prevout_hash(&hasher_preimage, txinput); // 13a. outpoint // 13b. scriptCode
tx_script_hash(&hasher_preimage, txinput->script_sig.size, tx_script_hash(&hasher_preimage, txinput->script_sig.size,
txinput->script_sig.bytes); // 13b. scriptCode txinput->script_sig.bytes);
hasher_Update(&hasher_preimage, (const uint8_t *)&txinput->amount, // 13c. value
8); // 13c. value hasher_Update(&hasher_preimage, (const uint8_t *)&txinput->amount, 8);
tx_sequence_hash(&hasher_preimage, txinput); // 13d. nSequence // 13d. nSequence
tx_sequence_hash(&hasher_preimage, txinput);
hasher_Final(&hasher_preimage, hash); hasher_Final(&hasher_preimage, hash);
} }
#endif
#if !BITCOIN_ONLY
static void signing_hash_decred(const uint8_t *hash_witness, uint8_t *hash) { static void signing_hash_decred(const uint8_t *hash_witness, uint8_t *hash) {
uint32_t hash_type = signing_hash_type(); uint32_t hash_type = signing_hash_type();
Hasher hasher_preimage = {0}; Hasher hasher_preimage = {0};
@ -1117,7 +1240,6 @@ static void signing_hash_decred(const uint8_t *hash_witness, uint8_t *hash) {
hasher_Update(&hasher_preimage, hash_witness, 32); hasher_Update(&hasher_preimage, hash_witness, 32);
hasher_Final(&hasher_preimage, hash); hasher_Final(&hasher_preimage, hash);
} }
#endif #endif
static bool signing_sign_hash(TxInputType *txinput, const uint8_t *private_key, static bool signing_sign_hash(TxInputType *txinput, const uint8_t *private_key,
@ -1169,7 +1291,7 @@ static bool signing_sign_hash(TxInputType *txinput, const uint8_t *private_key,
static bool signing_sign_input(void) { static bool signing_sign_input(void) {
uint8_t hash[32] = {0}; uint8_t hash[32] = {0};
hasher_Final(&hasher_check, hash); hasher_Final(&hasher_check, hash);
if (memcmp(hash, hash_outputs, 32) != 0) { if (memcmp(hash, info.hash_outputs, 32) != 0) {
fsm_sendFailure(FailureType_Failure_DataError, fsm_sendFailure(FailureType_Failure_DataError,
_("Transaction has changed during signing")); _("Transaction has changed during signing"));
signing_abort(); signing_abort();
@ -1204,7 +1326,7 @@ static bool signing_sign_segwit_input(TxInputType *txinput) {
return false; return false;
} }
signing_hash_bip143(txinput, hash); signing_hash_bip143(&info, txinput, hash);
resp.has_serialized = true; resp.has_serialized = true;
if (!signing_sign_hash(txinput, node.private_key, node.public_key, hash)) if (!signing_sign_hash(txinput, node.private_key, node.public_key, hash))
@ -1255,7 +1377,7 @@ static bool signing_sign_segwit_input(TxInputType *txinput) {
resp.serialized.serialized_tx.size = 1; resp.serialized.serialized_tx.size = 1;
} }
// if last witness add tx footer // if last witness add tx footer
if (idx1 == inputs_count - 1) { if (idx1 == info.inputs_count - 1) {
uint32_t r = resp.serialized.serialized_tx.size; uint32_t r = resp.serialized.serialized_tx.size;
r += tx_serialize_footer(&to, resp.serialized.serialized_tx.bytes + r); r += tx_serialize_footer(&to, resp.serialized.serialized_tx.bytes + r);
resp.serialized.serialized_tx.size = r; resp.serialized.serialized_tx.size = r;
@ -1572,9 +1694,9 @@ void signing_txack(TransactionType *tx) {
500 + ((signatures * progress_step + idx2 * progress_meta_step) >> 500 + ((signatures * progress_step + idx2 * progress_meta_step) >>
PROGRESS_PRECISION); PROGRESS_PRECISION);
if (idx2 == 0) { if (idx2 == 0) {
tx_init(&ti, inputs_count, outputs_count, version, lock_time, expiry, 0, tx_init(&ti, info.inputs_count, info.outputs_count, info.version,
coin->curve->hasher_sign, coin->overwintered, version_group_id, info.lock_time, info.expiry, 0, coin->curve->hasher_sign,
timestamp); coin->overwintered, info.version_group_id, info.timestamp);
hasher_Reset(&hasher_check); hasher_Reset(&hasher_check);
} }
// check inputs are the same as those in phase 1 // check inputs are the same as those in phase 1
@ -1603,7 +1725,7 @@ void signing_txack(TransactionType *tx) {
signing_abort(); signing_abort();
return; return;
} }
if (idx2 < inputs_count - 1) { if (idx2 < info.inputs_count - 1) {
idx2++; idx2++;
send_req_4_input(); send_req_4_input();
} else { } else {
@ -1625,7 +1747,7 @@ void signing_txack(TransactionType *tx) {
return; return;
} }
progress = 500 + ((signatures * progress_step + progress = 500 + ((signatures * progress_step +
(inputs_count + idx2) * progress_meta_step) >> (info.inputs_count + idx2) * progress_meta_step) >>
PROGRESS_PRECISION); PROGRESS_PRECISION);
if (compile_output(coin, &root, tx->outputs, &bin_output, false) <= 0) { if (compile_output(coin, &root, tx->outputs, &bin_output, false) <= 0) {
fsm_sendFailure(FailureType_Failure_ProcessError, fsm_sendFailure(FailureType_Failure_ProcessError,
@ -1641,7 +1763,7 @@ void signing_txack(TransactionType *tx) {
signing_abort(); signing_abort();
return; return;
} }
if (idx2 < outputs_count - 1) { if (idx2 < info.outputs_count - 1) {
idx2++; idx2++;
send_req_4_output(); send_req_4_output();
} else { } else {
@ -1653,7 +1775,7 @@ void signing_txack(TransactionType *tx) {
progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION); progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION);
layoutProgress(_("Signing transaction"), progress); layoutProgress(_("Signing transaction"), progress);
update_ctr = 0; update_ctr = 0;
if (idx1 < inputs_count - 1) { if (idx1 < info.inputs_count - 1) {
idx1++; idx1++;
phase2_request_next_input(); phase2_request_next_input();
} else { } else {
@ -1695,18 +1817,18 @@ void signing_txack(TransactionType *tx) {
uint8_t hash[32] = {0}; uint8_t hash[32] = {0};
#if !BITCOIN_ONLY #if !BITCOIN_ONLY
if (coin->overwintered) { if (coin->overwintered) {
if (version != 4) { if (info.version != 4) {
fsm_sendFailure( fsm_sendFailure(
FailureType_Failure_DataError, FailureType_Failure_DataError,
_("Unsupported version for overwintered transaction")); _("Unsupported version for overwintered transaction"));
signing_abort(); signing_abort();
return; return;
} }
signing_hash_zip243(&tx->inputs[0], hash); signing_hash_zip243(&info, &tx->inputs[0], hash);
} else } else
#endif #endif
{ {
signing_hash_bip143(&tx->inputs[0], hash); signing_hash_bip143(&info, &tx->inputs[0], hash);
} }
if (!signing_sign_hash(&tx->inputs[0], node.private_key, if (!signing_sign_hash(&tx->inputs[0], node.private_key,
node.public_key, hash)) node.public_key, hash))
@ -1756,7 +1878,7 @@ void signing_txack(TransactionType *tx) {
} }
resp.serialized.serialized_tx.size = tx_serialize_input( resp.serialized.serialized_tx.size = tx_serialize_input(
&to, &tx->inputs[0], resp.serialized.serialized_tx.bytes); &to, &tx->inputs[0], resp.serialized.serialized_tx.bytes);
if (idx1 < inputs_count - 1) { if (idx1 < info.inputs_count - 1) {
idx1++; idx1++;
phase2_request_next_input(); phase2_request_next_input();
} else { } else {
@ -1779,7 +1901,7 @@ void signing_txack(TransactionType *tx) {
resp.serialized.has_serialized_tx = true; resp.serialized.has_serialized_tx = true;
resp.serialized.serialized_tx.size = tx_serialize_output( resp.serialized.serialized_tx.size = tx_serialize_output(
&to, &bin_output, resp.serialized.serialized_tx.bytes); &to, &bin_output, resp.serialized.serialized_tx.bytes);
if (idx1 < outputs_count - 1) { if (idx1 < info.outputs_count - 1) {
idx1++; idx1++;
send_req_5_output(); send_req_5_output();
} else if (to.is_segwit) { } else if (to.is_segwit) {
@ -1802,7 +1924,7 @@ void signing_txack(TransactionType *tx) {
progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION); progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION);
layoutProgress(_("Signing transaction"), progress); layoutProgress(_("Signing transaction"), progress);
update_ctr = 0; update_ctr = 0;
if (idx1 < inputs_count - 1) { if (idx1 < info.inputs_count - 1) {
idx1++; idx1++;
send_req_segwit_witness(); send_req_segwit_witness();
} else { } else {
@ -1822,16 +1944,16 @@ void signing_txack(TransactionType *tx) {
PROGRESS_PRECISION); PROGRESS_PRECISION);
if (idx1 == 0) { if (idx1 == 0) {
// witness // witness
tx_init(&to, inputs_count, outputs_count, version, lock_time, expiry, 0, tx_init(&to, info.inputs_count, info.outputs_count, info.version,
coin->curve->hasher_sign, coin->overwintered, version_group_id, info.lock_time, info.expiry, 0, coin->curve->hasher_sign,
timestamp); coin->overwintered, info.version_group_id, info.timestamp);
to.is_decred = true; to.is_decred = true;
} }
// witness hash // witness hash
tx_init(&ti, inputs_count, outputs_count, version, lock_time, expiry, 0, tx_init(&ti, info.inputs_count, info.outputs_count, info.version,
coin->curve->hasher_sign, coin->overwintered, version_group_id, info.lock_time, info.expiry, 0, coin->curve->hasher_sign,
timestamp); coin->overwintered, info.version_group_id, info.timestamp);
ti.version |= (DECRED_SERIALIZE_WITNESS_SIGNING << 16); ti.version |= (DECRED_SERIALIZE_WITNESS_SIGNING << 16);
ti.is_decred = true; ti.is_decred = true;
if (!compile_input_script_sig(&tx->inputs[0])) { if (!compile_input_script_sig(&tx->inputs[0])) {
@ -1841,7 +1963,7 @@ void signing_txack(TransactionType *tx) {
return; return;
} }
for (idx2 = 0; idx2 < inputs_count; idx2++) { for (idx2 = 0; idx2 < info.inputs_count; idx2++) {
uint32_t r = 0; uint32_t r = 0;
if (idx2 == idx1) { if (idx2 == idx1) {
r = tx_serialize_decred_witness_hash(&ti, &tx->inputs[0]); r = tx_serialize_decred_witness_hash(&ti, &tx->inputs[0]);
@ -1865,7 +1987,7 @@ void signing_txack(TransactionType *tx) {
progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION); progress = 500 + ((signatures * progress_step) >> PROGRESS_PRECISION);
layoutProgress(_("Signing transaction"), progress); layoutProgress(_("Signing transaction"), progress);
update_ctr = 0; update_ctr = 0;
if (idx1 < inputs_count - 1) { if (idx1 < info.inputs_count - 1) {
idx1++; idx1++;
send_req_decred_witness(); send_req_decred_witness();
} else { } else {