mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-12-27 00:28:10 +00:00
1354 lines
42 KiB
C
1354 lines
42 KiB
C
/*
|
|
* This file is part of the Trezor project, https://trezor.io/
|
|
*
|
|
* Copyright (C) 2014 Pavol Rusnak <stick@satoshilabs.com>
|
|
*
|
|
* This library is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this library. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "transaction.h"
|
|
#include <string.h>
|
|
#include "address.h"
|
|
#include "base58.h"
|
|
#include "coins.h"
|
|
#include "crypto.h"
|
|
#include "debug.h"
|
|
#include "ecdsa.h"
|
|
#include "layout2.h"
|
|
#include "memzero.h"
|
|
#include "messages.pb.h"
|
|
#include "protect.h"
|
|
#include "ripemd160.h"
|
|
#include "secp256k1.h"
|
|
#include "segwit_addr.h"
|
|
#include "util.h"
|
|
#include "zkp_bip340.h"
|
|
#ifdef USE_SECP256K1_ZKP_ECDSA
|
|
#include "zkp_ecdsa.h"
|
|
#endif
|
|
|
|
#if !BITCOIN_ONLY
|
|
#include "cash_addr.h"
|
|
#endif
|
|
|
|
#define SEGWIT_VERSION_0 0
|
|
#define SEGWIT_VERSION_1 1
|
|
|
|
#define CASHADDR_P2KH (0)
|
|
#define CASHADDR_P2SH (8)
|
|
#define CASHADDR_160 (0)
|
|
|
|
/* transaction input size (without script): 32 prevhash, 4 idx, 4 sequence */
|
|
#define TXSIZE_INPUT 40
|
|
/* transaction output size (without script): 8 amount */
|
|
#define TXSIZE_OUTPUT 8
|
|
/* size of a pubkey */
|
|
#define TXSIZE_PUBKEY 33
|
|
/* size of a DER signature (3 type bytes, 3 len bytes, 33 R, 32 S, 1 sighash */
|
|
#define TXSIZE_DER_SIGNATURE 72
|
|
/* size of a Schnorr signature (32 R, 32 S, no sighash) */
|
|
#define TXSIZE_SCHNORR_SIGNATURE 64
|
|
/* size of a multiscript without pubkey (1 M, 1 N, 1 checksig) */
|
|
#define TXSIZE_MULTISIGSCRIPT 3
|
|
/* size of a p2wpkh script (1 version, 1 push, 20 hash) */
|
|
#define TXSIZE_WITNESSPKHASH 22
|
|
/* size of a p2wsh script (1 version, 1 push, 32 hash) */
|
|
#define TXSIZE_WITNESSSCRIPT 34
|
|
/* size of a p2tr script (1 version, 1 push, 32 hash) */
|
|
#define TXSIZE_TAPROOT 34
|
|
/* size of a p2pkh script (dup, hash, push, 20 pubkeyhash, equal, checksig) */
|
|
#define TXSIZE_P2PKHASH 25
|
|
/* size of a p2sh script (hash, push, 20 scripthash, equal) */
|
|
#define TXSIZE_P2SCRIPT 23
|
|
/* size of a Decred witness (without script): 8 amount, 4 block height, 4 block
|
|
* index */
|
|
#define TXSIZE_DECRED_WITNESS 16
|
|
|
|
static const uint8_t segwit_header[2] = {0, 1};
|
|
|
|
static const uint8_t SLIP19_VERSION_MAGIC[] = {0x53, 0x4c, 0x00, 0x19};
|
|
|
|
static inline uint32_t op_push_size(uint32_t i) {
|
|
if (i < 0x4C) {
|
|
return 1;
|
|
}
|
|
if (i < 0x100) {
|
|
return 2;
|
|
}
|
|
if (i < 0x10000) {
|
|
return 3;
|
|
}
|
|
return 5;
|
|
}
|
|
|
|
uint32_t op_push(uint32_t i, uint8_t *out) {
|
|
if (i < 0x4C) {
|
|
out[0] = i & 0xFF;
|
|
return 1;
|
|
}
|
|
if (i < 0x100) {
|
|
out[0] = 0x4C;
|
|
out[1] = i & 0xFF;
|
|
return 2;
|
|
}
|
|
if (i < 0x10000) {
|
|
out[0] = 0x4D;
|
|
out[1] = i & 0xFF;
|
|
out[2] = (i >> 8) & 0xFF;
|
|
return 3;
|
|
}
|
|
out[0] = 0x4E;
|
|
out[1] = i & 0xFF;
|
|
out[2] = (i >> 8) & 0xFF;
|
|
out[3] = (i >> 16) & 0xFF;
|
|
out[4] = (i >> 24) & 0xFF;
|
|
return 5;
|
|
}
|
|
|
|
bool compute_address(const CoinInfo *coin, InputScriptType script_type,
|
|
const HDNode *node, bool has_multisig,
|
|
const MultisigRedeemScriptType *multisig,
|
|
char address[MAX_ADDR_SIZE]) {
|
|
uint8_t raw[MAX_ADDR_RAW_SIZE] = {0};
|
|
uint8_t digest[32] = {0};
|
|
size_t prelen = 0;
|
|
|
|
if (has_multisig) {
|
|
if (cryptoMultisigPubkeyIndex(coin, multisig, node->public_key) < 0) {
|
|
return 0;
|
|
}
|
|
if (compile_script_multisig_hash(coin, multisig, digest) == 0) {
|
|
return 0;
|
|
}
|
|
if (script_type == InputScriptType_SPENDWITNESS) {
|
|
// segwit p2wsh: script hash is single sha256
|
|
if (!coin->has_segwit || !coin->bech32_prefix) {
|
|
return 0;
|
|
}
|
|
if (!segwit_addr_encode(address, coin->bech32_prefix, SEGWIT_VERSION_0,
|
|
digest, 32)) {
|
|
return 0;
|
|
}
|
|
} else if (script_type == InputScriptType_SPENDP2SHWITNESS) {
|
|
// segwit p2wsh encapsuled in p2sh address
|
|
if (!coin->has_segwit) {
|
|
return 0;
|
|
}
|
|
raw[0] = 0; // push version
|
|
raw[1] = 32; // push 32 bytes
|
|
memcpy(raw + 2, digest, 32); // push hash
|
|
hasher_Raw(coin->curve->hasher_pubkey, raw, 34, digest);
|
|
prelen = address_prefix_bytes_len(coin->address_type_p2sh);
|
|
address_write_prefix_bytes(coin->address_type_p2sh, raw);
|
|
memcpy(raw + prelen, digest, 32);
|
|
if (!base58_encode_check(raw, prelen + 20, coin->curve->hasher_base58,
|
|
address, MAX_ADDR_SIZE)) {
|
|
return 0;
|
|
}
|
|
} else if (script_type == InputScriptType_SPENDADDRESS ||
|
|
script_type == InputScriptType_SPENDMULTISIG) {
|
|
#if !BITCOIN_ONLY
|
|
if (coin->cashaddr_prefix) {
|
|
raw[0] = CASHADDR_P2SH | CASHADDR_160;
|
|
ripemd160(digest, 32, raw + 1);
|
|
if (!cash_addr_encode(address, coin->cashaddr_prefix, raw, 21)) {
|
|
return 0;
|
|
}
|
|
} else
|
|
#endif
|
|
{
|
|
// non-segwit p2sh multisig
|
|
prelen = address_prefix_bytes_len(coin->address_type_p2sh);
|
|
address_write_prefix_bytes(coin->address_type_p2sh, raw);
|
|
ripemd160(digest, 32, raw + prelen);
|
|
if (!base58_encode_check(raw, prelen + 20, coin->curve->hasher_base58,
|
|
address, MAX_ADDR_SIZE)) {
|
|
return 0;
|
|
}
|
|
}
|
|
} else {
|
|
// unsupported script type
|
|
return 0;
|
|
}
|
|
} else if (script_type == InputScriptType_SPENDWITNESS) {
|
|
// segwit p2wpkh: pubkey hash is ripemd160 of sha256
|
|
if (!coin->has_segwit || !coin->bech32_prefix) {
|
|
return 0;
|
|
}
|
|
ecdsa_get_pubkeyhash(node->public_key, coin->curve->hasher_pubkey, digest);
|
|
if (!segwit_addr_encode(address, coin->bech32_prefix, SEGWIT_VERSION_0,
|
|
digest, 20)) {
|
|
return 0;
|
|
}
|
|
} else if (script_type == InputScriptType_SPENDTAPROOT) {
|
|
// taproot
|
|
if (!coin->has_taproot || !coin->has_segwit || !coin->bech32_prefix) {
|
|
return 0;
|
|
}
|
|
uint8_t tweaked_pubkey[32];
|
|
zkp_bip340_tweak_public_key(node->public_key + 1, NULL, tweaked_pubkey);
|
|
if (!segwit_addr_encode(address, coin->bech32_prefix, SEGWIT_VERSION_1,
|
|
tweaked_pubkey, 32)) {
|
|
return 0;
|
|
}
|
|
} else if (script_type == InputScriptType_SPENDP2SHWITNESS) {
|
|
// segwit p2wpkh embedded in p2sh
|
|
if (!coin->has_segwit) {
|
|
return 0;
|
|
}
|
|
ecdsa_get_address_segwit_p2sh(
|
|
node->public_key, coin->address_type_p2sh, coin->curve->hasher_pubkey,
|
|
coin->curve->hasher_base58, address, MAX_ADDR_SIZE);
|
|
} else if (script_type == InputScriptType_SPENDADDRESS) {
|
|
#if !BITCOIN_ONLY
|
|
if (coin->cashaddr_prefix) {
|
|
ecdsa_get_address_raw(node->public_key, CASHADDR_P2KH | CASHADDR_160,
|
|
coin->curve->hasher_pubkey, raw);
|
|
if (!cash_addr_encode(address, coin->cashaddr_prefix, raw, 21)) {
|
|
return 0;
|
|
}
|
|
} else
|
|
#endif
|
|
{
|
|
ecdsa_get_address(node->public_key, coin->address_type,
|
|
coin->curve->hasher_pubkey, coin->curve->hasher_base58,
|
|
address, MAX_ADDR_SIZE);
|
|
}
|
|
} else {
|
|
// unsupported script type
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
int address_to_script_pubkey(const CoinInfo *coin, const char *address,
|
|
uint8_t *script_pubkey, pb_size_t *size) {
|
|
uint8_t addr_raw[MAX_ADDR_RAW_SIZE] = {0};
|
|
size_t addr_raw_len = base58_decode_check(address, coin->curve->hasher_base58,
|
|
addr_raw, MAX_ADDR_RAW_SIZE);
|
|
|
|
// P2PKH
|
|
size_t prefix_len = address_prefix_bytes_len(coin->address_type);
|
|
if (addr_raw_len == 20 + prefix_len &&
|
|
address_check_prefix(addr_raw, coin->address_type)) {
|
|
script_pubkey[0] = 0x76; // OP_DUP
|
|
script_pubkey[1] = 0xA9; // OP_HASH_160
|
|
script_pubkey[2] = 0x14; // pushing 20 bytes
|
|
memcpy(script_pubkey + 3, addr_raw + prefix_len, 20);
|
|
script_pubkey[23] = 0x88; // OP_EQUALVERIFY
|
|
script_pubkey[24] = 0xAC; // OP_CHECKSIG
|
|
*size = 25;
|
|
return 1;
|
|
}
|
|
|
|
// P2SH
|
|
prefix_len = address_prefix_bytes_len(coin->address_type_p2sh);
|
|
if (addr_raw_len == 20 + prefix_len &&
|
|
address_check_prefix(addr_raw, coin->address_type_p2sh)) {
|
|
script_pubkey[0] = 0xA9; // OP_HASH_160
|
|
script_pubkey[1] = 0x14; // pushing 20 bytes
|
|
memcpy(script_pubkey + 2, addr_raw + prefix_len, 20);
|
|
script_pubkey[22] = 0x87; // OP_EQUAL
|
|
*size = 23;
|
|
return 1;
|
|
}
|
|
|
|
#if !BITCOIN_ONLY
|
|
if (coin->cashaddr_prefix &&
|
|
cash_addr_decode(addr_raw, &addr_raw_len, coin->cashaddr_prefix,
|
|
address)) {
|
|
if (addr_raw_len == 21 && addr_raw[0] == (CASHADDR_P2KH | CASHADDR_160)) {
|
|
script_pubkey[0] = 0x76; // OP_DUP
|
|
script_pubkey[1] = 0xA9; // OP_HASH_160
|
|
script_pubkey[2] = 0x14; // pushing 20 bytes
|
|
memcpy(script_pubkey + 3, addr_raw + 1, 20);
|
|
script_pubkey[23] = 0x88; // OP_EQUALVERIFY
|
|
script_pubkey[24] = 0xAC; // OP_CHECKSIG
|
|
*size = 25;
|
|
return 1;
|
|
} else if (addr_raw_len == 21 &&
|
|
addr_raw[0] == (CASHADDR_P2SH | CASHADDR_160)) {
|
|
script_pubkey[0] = 0xA9; // OP_HASH_160
|
|
script_pubkey[1] = 0x14; // pushing 20 bytes
|
|
memcpy(script_pubkey + 2, addr_raw + 1, 20);
|
|
script_pubkey[22] = 0x87; // OP_EQUAL
|
|
*size = 23;
|
|
return 1;
|
|
} else {
|
|
return 0;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
// SegWit
|
|
if (coin->bech32_prefix) {
|
|
int witver = 0;
|
|
if (!segwit_addr_decode(&witver, addr_raw, &addr_raw_len,
|
|
coin->bech32_prefix, address)) {
|
|
return 0;
|
|
}
|
|
// check that the witness version is recognized
|
|
if (witver != 0 && witver != 1) {
|
|
return 0;
|
|
}
|
|
// check that P2TR address encodes a valid BIP340 public key
|
|
if (witver == 1) {
|
|
if (addr_raw_len != 32 || zkp_bip340_verify_publickey(addr_raw) != 0) {
|
|
return 0;
|
|
}
|
|
}
|
|
// push 1 byte version id (opcode OP_0 = 0, OP_i = 80+i)
|
|
// push addr_raw (segwit_addr_decode makes sure addr_raw_len is at most 40)
|
|
script_pubkey[0] = witver == 0 ? 0 : 80 + witver;
|
|
script_pubkey[1] = addr_raw_len;
|
|
memcpy(script_pubkey + 2, addr_raw, addr_raw_len);
|
|
*size = addr_raw_len + 2;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void op_return_to_script_pubkey(const uint8_t *op_return_data,
|
|
size_t op_return_size, uint8_t *script_pubkey,
|
|
pb_size_t *script_pubkey_size) {
|
|
uint32_t r = 0;
|
|
script_pubkey[0] = 0x6A;
|
|
r++; // OP_RETURN
|
|
r += op_push(op_return_size, script_pubkey + r);
|
|
memcpy(script_pubkey + r, op_return_data, op_return_size);
|
|
r += op_return_size;
|
|
*script_pubkey_size = r;
|
|
}
|
|
|
|
bool get_script_pubkey(const CoinInfo *coin, HDNode *node, bool has_multisig,
|
|
const MultisigRedeemScriptType *multisig,
|
|
InputScriptType script_type, uint8_t *script_pubkey,
|
|
pb_size_t *script_pubkey_size) {
|
|
char address[MAX_ADDR_SIZE] = {0};
|
|
bool res = true;
|
|
res = res && (hdnode_fill_public_key(node) == 0);
|
|
res = res && compute_address(coin, script_type, node, has_multisig, multisig,
|
|
address);
|
|
res = res && address_to_script_pubkey(coin, address, script_pubkey,
|
|
script_pubkey_size);
|
|
return res;
|
|
}
|
|
|
|
uint32_t compile_script_sig(uint32_t address_type, const uint8_t *pubkeyhash,
|
|
uint8_t *out) {
|
|
if (coinByAddressType(address_type)) { // valid coin type
|
|
out[0] = 0x76; // OP_DUP
|
|
out[1] = 0xA9; // OP_HASH_160
|
|
out[2] = 0x14; // pushing 20 bytes
|
|
memcpy(out + 3, pubkeyhash, 20);
|
|
out[23] = 0x88; // OP_EQUALVERIFY
|
|
out[24] = 0xAC; // OP_CHECKSIG
|
|
return 25;
|
|
} else {
|
|
return 0; // unsupported
|
|
}
|
|
}
|
|
|
|
// if out == NULL just compute the length
|
|
uint32_t compile_script_multisig(const CoinInfo *coin,
|
|
const MultisigRedeemScriptType *multisig,
|
|
uint8_t *out) {
|
|
const uint32_t m = multisig->m;
|
|
const uint32_t n = cryptoMultisigPubkeyCount(multisig);
|
|
if (m < 1 || m > 15) return 0;
|
|
if (n < 1 || n > 15) return 0;
|
|
uint32_t r = 0;
|
|
if (out) {
|
|
out[r] = 0x50 + m;
|
|
r++;
|
|
for (uint32_t i = 0; i < n; i++) {
|
|
out[r] = 33;
|
|
r++; // OP_PUSH 33
|
|
const HDNode *pubnode = cryptoMultisigPubkey(coin, multisig, i);
|
|
if (!pubnode) return 0;
|
|
memcpy(out + r, pubnode->public_key, 33);
|
|
r += 33;
|
|
}
|
|
out[r] = 0x50 + n;
|
|
r++;
|
|
out[r] = 0xAE;
|
|
r++; // OP_CHECKMULTISIG
|
|
} else {
|
|
r = 1 + 34 * n + 2;
|
|
}
|
|
return r;
|
|
}
|
|
|
|
uint32_t compile_script_multisig_hash(const CoinInfo *coin,
|
|
const MultisigRedeemScriptType *multisig,
|
|
uint8_t *hash) {
|
|
const uint32_t m = multisig->m;
|
|
const uint32_t n = cryptoMultisigPubkeyCount(multisig);
|
|
if (m < 1 || m > 15) return 0;
|
|
if (n < 1 || n > 15) return 0;
|
|
|
|
Hasher hasher = {0};
|
|
hasher_Init(&hasher, coin->curve->hasher_script);
|
|
|
|
uint8_t d[2] = {0};
|
|
d[0] = 0x50 + m;
|
|
hasher_Update(&hasher, d, 1);
|
|
for (uint32_t i = 0; i < n; i++) {
|
|
d[0] = 33;
|
|
hasher_Update(&hasher, d, 1); // OP_PUSH 33
|
|
const HDNode *pubnode = cryptoMultisigPubkey(coin, multisig, i);
|
|
if (!pubnode) return 0;
|
|
hasher_Update(&hasher, pubnode->public_key, 33);
|
|
}
|
|
d[0] = 0x50 + n;
|
|
d[1] = 0xAE;
|
|
hasher_Update(&hasher, d, 2);
|
|
|
|
hasher_Final(&hasher, hash);
|
|
|
|
return 1;
|
|
}
|
|
|
|
uint32_t serialize_script_sig(const uint8_t *signature, uint32_t signature_len,
|
|
const uint8_t *pubkey, uint32_t pubkey_len,
|
|
uint8_t sighash, uint8_t *out) {
|
|
uint32_t r = 0;
|
|
r += op_push(signature_len + 1, out + r);
|
|
memcpy(out + r, signature, signature_len);
|
|
r += signature_len;
|
|
out[r] = sighash;
|
|
r++;
|
|
r += op_push(pubkey_len, out + r);
|
|
memcpy(out + r, pubkey, pubkey_len);
|
|
r += pubkey_len;
|
|
return r;
|
|
}
|
|
|
|
uint32_t serialize_script_multisig(const CoinInfo *coin,
|
|
const MultisigRedeemScriptType *multisig,
|
|
uint8_t sighash, uint8_t *out) {
|
|
uint32_t r = 0;
|
|
#if !BITCOIN_ONLY
|
|
if (!coin->decred) {
|
|
// Decred fixed the off-by-one bug
|
|
#endif
|
|
out[r] = 0x00;
|
|
r++;
|
|
#if !BITCOIN_ONLY
|
|
}
|
|
#endif
|
|
for (uint32_t i = 0; i < multisig->signatures_count; i++) {
|
|
if (multisig->signatures[i].size == 0) {
|
|
continue;
|
|
}
|
|
r += op_push(multisig->signatures[i].size + 1, out + r);
|
|
memcpy(out + r, multisig->signatures[i].bytes,
|
|
multisig->signatures[i].size);
|
|
r += multisig->signatures[i].size;
|
|
out[r] = sighash;
|
|
r++;
|
|
}
|
|
uint32_t script_len = compile_script_multisig(coin, multisig, 0);
|
|
if (script_len == 0) {
|
|
return 0;
|
|
}
|
|
r += op_push(script_len, out + r);
|
|
r += compile_script_multisig(coin, multisig, out + r);
|
|
return r;
|
|
}
|
|
|
|
uint32_t serialize_p2wpkh_witness(const uint8_t *signature,
|
|
uint32_t signature_len,
|
|
const uint8_t *public_key,
|
|
uint32_t public_key_len, uint8_t sighash,
|
|
uint8_t *out) {
|
|
uint32_t r = 0;
|
|
|
|
// 2 stack items
|
|
r += ser_length(2, out + r);
|
|
|
|
// length-prefixed signature with sighash type
|
|
r += ser_length(signature_len + 1, out + r);
|
|
memcpy(out + r, signature, signature_len);
|
|
r += signature_len;
|
|
out[r] = sighash;
|
|
r += 1;
|
|
|
|
// length-prefixed public key
|
|
r += tx_serialize_script(public_key_len, public_key, out + r);
|
|
return r;
|
|
}
|
|
|
|
uint32_t serialize_p2tr_witness(const uint8_t *signature,
|
|
uint32_t signature_len, uint8_t sighash,
|
|
uint8_t *out) {
|
|
uint32_t r = 0;
|
|
|
|
// 1 stack item
|
|
r += ser_length(1, out + r);
|
|
|
|
// length-prefixed signature with optional sighash type
|
|
uint32_t sighash_len = sighash ? 1 : 0;
|
|
r += ser_length(signature_len + sighash_len, out + r);
|
|
memcpy(out + r, signature, signature_len);
|
|
r += signature_len;
|
|
if (sighash) {
|
|
out[r] = sighash;
|
|
r += 1;
|
|
}
|
|
|
|
return r;
|
|
}
|
|
|
|
bool tx_sign_ecdsa(const ecdsa_curve *curve, const uint8_t *private_key,
|
|
const uint8_t *hash, uint8_t *out, pb_size_t *size) {
|
|
int ret = 0;
|
|
uint8_t signature[64] = {0};
|
|
#ifdef USE_SECP256K1_ZKP_ECDSA
|
|
if (curve == &secp256k1) {
|
|
ret =
|
|
zkp_ecdsa_sign_digest(curve, private_key, hash, signature, NULL, NULL);
|
|
} else
|
|
#endif
|
|
{
|
|
ret = ecdsa_sign_digest(curve, private_key, hash, signature, NULL, NULL);
|
|
}
|
|
if (ret != 0) {
|
|
return false;
|
|
}
|
|
|
|
*size = ecdsa_sig_to_der(signature, out);
|
|
return true;
|
|
}
|
|
|
|
bool tx_sign_bip340(const uint8_t *private_key, const uint8_t *hash,
|
|
uint8_t *out, pb_size_t *size) {
|
|
static CONFIDENTIAL uint8_t output_private_key[32] = {0};
|
|
bool ret = (zkp_bip340_tweak_private_key(private_key, NULL,
|
|
output_private_key) == 0);
|
|
ret =
|
|
ret && (zkp_bip340_sign_digest(output_private_key, hash, out, NULL) == 0);
|
|
*size = ret ? 64 : 0;
|
|
memzero(output_private_key, sizeof(output_private_key));
|
|
return ret;
|
|
}
|
|
|
|
// tx methods
|
|
bool tx_input_check_hash(Hasher *hasher, const TxInputType *input) {
|
|
hasher_Update(hasher, (const uint8_t *)&input->address_n_count,
|
|
sizeof(input->address_n_count));
|
|
for (int i = 0; i < input->address_n_count; ++i)
|
|
hasher_Update(hasher, (const uint8_t *)&input->address_n[i],
|
|
sizeof(input->address_n[0]));
|
|
hasher_Update(hasher, input->prev_hash.bytes, sizeof(input->prev_hash.bytes));
|
|
hasher_Update(hasher, (const uint8_t *)&input->prev_index,
|
|
sizeof(input->prev_index));
|
|
tx_script_hash(hasher, input->script_sig.size, input->script_sig.bytes);
|
|
hasher_Update(hasher, (const uint8_t *)&input->sequence,
|
|
sizeof(input->sequence));
|
|
hasher_Update(hasher, (const uint8_t *)&input->script_type,
|
|
sizeof(input->script_type));
|
|
uint8_t multisig_fp[32] = {0};
|
|
if (input->has_multisig) {
|
|
if (cryptoMultisigFingerprint(&input->multisig, multisig_fp) == 0) {
|
|
// Invalid multisig parameters.
|
|
return false;
|
|
}
|
|
}
|
|
hasher_Update(hasher, multisig_fp, sizeof(multisig_fp));
|
|
hasher_Update(hasher, (const uint8_t *)&input->amount, sizeof(input->amount));
|
|
tx_script_hash(hasher, input->witness.size, input->witness.bytes);
|
|
hasher_Update(hasher, (const uint8_t *)&input->has_orig_hash,
|
|
sizeof(input->has_orig_hash));
|
|
hasher_Update(hasher, input->orig_hash.bytes, sizeof(input->orig_hash.bytes));
|
|
hasher_Update(hasher, (const uint8_t *)&input->orig_index,
|
|
sizeof(input->orig_index));
|
|
tx_script_hash(hasher, input->script_pubkey.size, input->script_pubkey.bytes);
|
|
return true;
|
|
}
|
|
|
|
uint32_t tx_prevout_hash(Hasher *hasher, const TxInputType *input) {
|
|
for (int i = 0; i < 32; i++) {
|
|
hasher_Update(hasher, &(input->prev_hash.bytes[31 - i]), 1);
|
|
}
|
|
hasher_Update(hasher, (const uint8_t *)&input->prev_index, 4);
|
|
return 36;
|
|
}
|
|
|
|
uint32_t tx_amount_hash(Hasher *hasher, const TxInputType *input) {
|
|
hasher_Update(hasher, (const uint8_t *)&input->amount, 8);
|
|
return 8;
|
|
}
|
|
|
|
uint32_t tx_script_hash(Hasher *hasher, uint32_t size, const uint8_t *data) {
|
|
int r = ser_length_hash(hasher, size);
|
|
hasher_Update(hasher, data, size);
|
|
return r + size;
|
|
}
|
|
|
|
uint32_t tx_sequence_hash(Hasher *hasher, const TxInputType *input) {
|
|
hasher_Update(hasher, (const uint8_t *)&input->sequence, 4);
|
|
return 4;
|
|
}
|
|
|
|
uint32_t tx_output_hash(Hasher *hasher, const TxOutputBinType *output,
|
|
bool decred) {
|
|
uint32_t r = 0;
|
|
hasher_Update(hasher, (const uint8_t *)&output->amount, 8);
|
|
r += 8;
|
|
if (decred) {
|
|
uint16_t script_version = output->decred_script_version & 0xFFFF;
|
|
hasher_Update(hasher, (const uint8_t *)&script_version, 2);
|
|
r += 2;
|
|
}
|
|
r += tx_script_hash(hasher, output->script_pubkey.size,
|
|
output->script_pubkey.bytes);
|
|
return r;
|
|
}
|
|
|
|
uint32_t tx_serialize_script(uint32_t size, const uint8_t *data, uint8_t *out) {
|
|
int r = ser_length(size, out);
|
|
memcpy(out + r, data, size);
|
|
return r + size;
|
|
}
|
|
|
|
uint32_t tx_serialize_header(TxStruct *tx, uint8_t *out) {
|
|
int r = 0;
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_zcashlike && tx->version >= 3) {
|
|
uint32_t ver = tx->version | TX_OVERWINTERED;
|
|
memcpy(out + r, &ver, 4);
|
|
r += 4;
|
|
memcpy(out + r, &(tx->version_group_id), 4);
|
|
r += 4;
|
|
if (tx->version == 5) {
|
|
memcpy(out + r, &(tx->branch_id), 4);
|
|
r += 4;
|
|
memcpy(out + r, &(tx->lock_time), 4);
|
|
r += 4;
|
|
memcpy(out + r, &(tx->expiry), 4);
|
|
r += 4;
|
|
}
|
|
} else
|
|
#endif
|
|
{
|
|
memcpy(out + r, &(tx->version), 4);
|
|
r += 4;
|
|
#if !BITCOIN_ONLY
|
|
if (tx->timestamp) {
|
|
memcpy(out + r, &(tx->timestamp), 4);
|
|
r += 4;
|
|
}
|
|
#endif
|
|
if (tx->is_segwit) {
|
|
memcpy(out + r, segwit_header, 2);
|
|
r += 2;
|
|
}
|
|
}
|
|
return r + ser_length(tx->inputs_len, out + r);
|
|
}
|
|
|
|
uint32_t tx_serialize_header_hash(TxStruct *tx) {
|
|
int r = 4;
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_zcashlike && tx->version >= 3) {
|
|
uint32_t ver = tx->version | TX_OVERWINTERED;
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&ver, 4);
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->version_group_id), 4);
|
|
r += 4;
|
|
} else
|
|
#endif
|
|
{
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->version), 4);
|
|
#if !BITCOIN_ONLY
|
|
if (tx->timestamp) {
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->timestamp), 4);
|
|
}
|
|
#endif
|
|
if (tx->is_segwit) {
|
|
hasher_Update(&(tx->hasher), segwit_header, 2);
|
|
r += 2;
|
|
}
|
|
}
|
|
return r + ser_length_hash(&(tx->hasher), tx->inputs_len);
|
|
}
|
|
|
|
uint32_t tx_serialize_input(TxStruct *tx, const TxInputType *input,
|
|
uint8_t *out) {
|
|
if (tx->have_inputs >= tx->inputs_len) {
|
|
// already got all inputs
|
|
return 0;
|
|
}
|
|
uint32_t r = 0;
|
|
if (tx->have_inputs == 0) {
|
|
r += tx_serialize_header(tx, out + r);
|
|
}
|
|
for (int i = 0; i < 32; i++) {
|
|
*(out + r + i) = input->prev_hash.bytes[31 - i];
|
|
}
|
|
r += 32;
|
|
memcpy(out + r, &input->prev_index, 4);
|
|
r += 4;
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_decred) {
|
|
uint8_t tree = input->decred_tree & 0xFF;
|
|
out[r++] = tree;
|
|
} else
|
|
#endif
|
|
{
|
|
r += tx_serialize_script(input->script_sig.size, input->script_sig.bytes,
|
|
out + r);
|
|
}
|
|
memcpy(out + r, &input->sequence, 4);
|
|
r += 4;
|
|
|
|
tx->have_inputs++;
|
|
tx->size += r;
|
|
|
|
return r;
|
|
}
|
|
|
|
uint32_t tx_serialize_input_hash(TxStruct *tx, const TxInputType *input) {
|
|
if (tx->have_inputs >= tx->inputs_len) {
|
|
// already got all inputs
|
|
return 0;
|
|
}
|
|
uint32_t r = 0;
|
|
if (tx->have_inputs == 0) {
|
|
r += tx_serialize_header_hash(tx);
|
|
}
|
|
r += tx_prevout_hash(&(tx->hasher), input);
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_decred) {
|
|
uint8_t tree = input->decred_tree & 0xFF;
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tree), 1);
|
|
r++;
|
|
} else
|
|
#endif
|
|
{
|
|
r += tx_script_hash(&(tx->hasher), input->script_sig.size,
|
|
input->script_sig.bytes);
|
|
}
|
|
r += tx_sequence_hash(&(tx->hasher), input);
|
|
|
|
tx->have_inputs++;
|
|
tx->size += r;
|
|
|
|
return r;
|
|
}
|
|
|
|
#if !BITCOIN_ONLY
|
|
uint32_t tx_serialize_decred_witness(TxStruct *tx, const TxInputType *input,
|
|
uint8_t *out) {
|
|
static const uint64_t amount = 0;
|
|
static const uint32_t block_height = 0x00000000;
|
|
static const uint32_t block_index = 0xFFFFFFFF;
|
|
|
|
if (tx->have_inputs >= tx->inputs_len) {
|
|
// already got all inputs
|
|
return 0;
|
|
}
|
|
uint32_t r = 0;
|
|
if (tx->have_inputs == 0) {
|
|
r += ser_length(tx->inputs_len, out + r);
|
|
}
|
|
if (input->has_amount) {
|
|
memcpy(out + r, &input->amount, 8);
|
|
} else {
|
|
memcpy(out + r, &amount, 8);
|
|
}
|
|
r += 8;
|
|
memcpy(out + r, &block_height, 4);
|
|
r += 4;
|
|
memcpy(out + r, &block_index, 4);
|
|
r += 4;
|
|
r += tx_serialize_script(input->script_sig.size, input->script_sig.bytes,
|
|
out + r);
|
|
|
|
tx->have_inputs++;
|
|
tx->size += r;
|
|
|
|
return r;
|
|
}
|
|
|
|
uint32_t tx_serialize_decred_witness_hash(TxStruct *tx,
|
|
const TxInputType *input) {
|
|
if (tx->have_inputs >= tx->inputs_len) {
|
|
// already got all inputs
|
|
return 0;
|
|
}
|
|
uint32_t r = 0;
|
|
if (tx->have_inputs == 0) {
|
|
r += tx_serialize_header_hash(tx);
|
|
}
|
|
if (input == NULL) {
|
|
r += ser_length_hash(&(tx->hasher), 0);
|
|
} else {
|
|
r += tx_script_hash(&(tx->hasher), input->script_sig.size,
|
|
input->script_sig.bytes);
|
|
}
|
|
|
|
tx->have_inputs++;
|
|
tx->size += r;
|
|
|
|
return r;
|
|
}
|
|
#endif
|
|
|
|
uint32_t tx_serialize_middle(TxStruct *tx, uint8_t *out) {
|
|
return ser_length(tx->outputs_len, out);
|
|
}
|
|
|
|
uint32_t tx_serialize_middle_hash(TxStruct *tx) {
|
|
return ser_length_hash(&(tx->hasher), tx->outputs_len);
|
|
}
|
|
|
|
uint32_t tx_serialize_footer(TxStruct *tx, uint8_t *out) {
|
|
uint32_t r = 0;
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_zcashlike) {
|
|
if (tx->version == 4) {
|
|
memcpy(out, &(tx->lock_time), 4);
|
|
r += 4;
|
|
memcpy(out + r, &(tx->expiry), 4);
|
|
r += 4;
|
|
memzero(out + r, 8); // valueBalance
|
|
r += 8;
|
|
out[r] = 0x00; // nShieldedSpend
|
|
r += 1;
|
|
out[r] = 0x00; // nShieldedOutput
|
|
r += 1;
|
|
out[r] = 0x00; // nJoinSplit
|
|
r += 1;
|
|
} else if (tx->version == 5) {
|
|
out[r] = 0x00; // nSpendsSapling
|
|
r += 1;
|
|
out[r] = 0x00; // nOutputsSapling
|
|
r += 1;
|
|
out[r] = 0x00; // nActionsOrchard
|
|
r += 1;
|
|
}
|
|
} else if (tx->is_decred) {
|
|
memcpy(out, &(tx->lock_time), 4);
|
|
r += 4;
|
|
memcpy(out + r, &(tx->expiry), 4);
|
|
r += 4;
|
|
} else
|
|
#endif
|
|
{
|
|
memcpy(out, &(tx->lock_time), 4);
|
|
r += 4;
|
|
}
|
|
return r;
|
|
}
|
|
|
|
uint32_t tx_serialize_footer_hash(TxStruct *tx) {
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->lock_time), 4);
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_zcashlike && tx->version >= 3) {
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->expiry), 4);
|
|
return 8;
|
|
}
|
|
if (tx->is_decred) {
|
|
hasher_Update(&(tx->hasher), (const uint8_t *)&(tx->expiry), 4);
|
|
return 8;
|
|
}
|
|
#endif
|
|
return 4;
|
|
}
|
|
|
|
uint32_t tx_serialize_output(TxStruct *tx, const TxOutputBinType *output,
|
|
uint8_t *out) {
|
|
if (tx->have_inputs < tx->inputs_len) {
|
|
// not all inputs provided
|
|
return 0;
|
|
}
|
|
if (tx->have_outputs >= tx->outputs_len) {
|
|
// already got all outputs
|
|
return 0;
|
|
}
|
|
uint32_t r = 0;
|
|
if (tx->have_outputs == 0) {
|
|
r += tx_serialize_middle(tx, out + r);
|
|
}
|
|
memcpy(out + r, &output->amount, 8);
|
|
r += 8;
|
|
#if !BITCOIN_ONLY
|
|
if (tx->is_decred) {
|
|
uint16_t script_version = output->decred_script_version & 0xFFFF;
|
|
memcpy(out + r, &script_version, 2);
|
|
r += 2;
|
|
}
|
|
#endif
|
|
r += tx_serialize_script(output->script_pubkey.size,
|
|
output->script_pubkey.bytes, out + r);
|
|
tx->have_outputs++;
|
|
if (tx->have_outputs == tx->outputs_len && !tx->is_segwit) {
|
|
r += tx_serialize_footer(tx, out + r);
|
|
}
|
|
tx->size += r;
|
|
return r;
|
|
}
|
|
|
|
uint32_t tx_serialize_output_hash(TxStruct *tx, const TxOutputBinType *output) {
|
|
if (tx->have_inputs < tx->inputs_len) {
|
|
// not all inputs provided
|
|
return 0;
|
|
}
|
|
if (tx->have_outputs >= tx->outputs_len) {
|
|
// already got all outputs
|
|
return 0;
|
|
}
|
|
uint32_t r = 0;
|
|
if (tx->have_outputs == 0) {
|
|
r += tx_serialize_middle_hash(tx);
|
|
}
|
|
r += tx_output_hash(&(tx->hasher), output, tx->is_decred);
|
|
tx->have_outputs++;
|
|
if (tx->have_outputs == tx->outputs_len && !tx->is_segwit) {
|
|
r += tx_serialize_footer_hash(tx);
|
|
}
|
|
tx->size += r;
|
|
return r;
|
|
}
|
|
|
|
#if !BITCOIN_ONLY
|
|
uint32_t tx_serialize_extra_data_hash(TxStruct *tx, const uint8_t *data,
|
|
uint32_t datalen) {
|
|
if (tx->have_inputs < tx->inputs_len) {
|
|
// not all inputs provided
|
|
return 0;
|
|
}
|
|
if (tx->have_outputs < tx->outputs_len) {
|
|
// not all inputs provided
|
|
return 0;
|
|
}
|
|
if (tx->extra_data_received + datalen > tx->extra_data_len) {
|
|
// we are receiving too much data
|
|
return 0;
|
|
}
|
|
hasher_Update(&(tx->hasher), data, datalen);
|
|
tx->extra_data_received += datalen;
|
|
tx->size += datalen;
|
|
return datalen;
|
|
}
|
|
#endif
|
|
|
|
void tx_init(TxStruct *tx, uint32_t inputs_len, uint32_t outputs_len,
|
|
uint32_t version, uint32_t lock_time, uint32_t expiry,
|
|
uint32_t branch_id, uint32_t extra_data_len,
|
|
HasherType hasher_sign, bool is_zcashlike,
|
|
uint32_t version_group_id, uint32_t timestamp) {
|
|
tx->inputs_len = inputs_len;
|
|
tx->outputs_len = outputs_len;
|
|
tx->version = version;
|
|
tx->lock_time = lock_time;
|
|
tx->expiry = expiry;
|
|
tx->branch_id = branch_id;
|
|
tx->have_inputs = 0;
|
|
tx->have_outputs = 0;
|
|
tx->extra_data_len = extra_data_len;
|
|
tx->extra_data_received = 0;
|
|
tx->size = 0;
|
|
tx->is_segwit = false;
|
|
tx->is_decred = false;
|
|
tx->is_zcashlike = is_zcashlike;
|
|
tx->version_group_id = version_group_id;
|
|
tx->timestamp = timestamp;
|
|
hasher_Init(&(tx->hasher), hasher_sign);
|
|
}
|
|
|
|
void tx_hash_final(TxStruct *t, uint8_t *hash, bool reverse) {
|
|
hasher_Final(&(t->hasher), hash);
|
|
if (!reverse) return;
|
|
for (uint8_t i = 0; i < 16; i++) {
|
|
uint8_t k = hash[31 - i];
|
|
hash[31 - i] = hash[i];
|
|
hash[i] = k;
|
|
}
|
|
}
|
|
|
|
static uint32_t tx_input_script_size(const TxInputType *txinput,
|
|
InputScriptType script_type) {
|
|
uint32_t input_script_size = 0;
|
|
if (txinput->has_multisig) {
|
|
uint32_t multisig_script_size =
|
|
TXSIZE_MULTISIGSCRIPT +
|
|
cryptoMultisigPubkeyCount(&(txinput->multisig)) * (1 + TXSIZE_PUBKEY);
|
|
if (script_type == InputScriptType_SPENDWITNESS ||
|
|
script_type == InputScriptType_SPENDP2SHWITNESS) {
|
|
multisig_script_size += ser_length_size(multisig_script_size);
|
|
} else {
|
|
multisig_script_size += op_push_size(multisig_script_size);
|
|
}
|
|
input_script_size = 1 // the OP_FALSE bug in multisig
|
|
+ txinput->multisig.m * (1 + TXSIZE_DER_SIGNATURE) +
|
|
multisig_script_size;
|
|
} else if (script_type == InputScriptType_SPENDTAPROOT) {
|
|
input_script_size = 1 + TXSIZE_SCHNORR_SIGNATURE;
|
|
} else {
|
|
input_script_size = (1 + TXSIZE_DER_SIGNATURE + 1 + TXSIZE_PUBKEY);
|
|
}
|
|
|
|
return input_script_size;
|
|
}
|
|
|
|
uint32_t tx_input_weight(const CoinInfo *coin, const TxInputType *txinput) {
|
|
#if !BITCOIN_ONLY
|
|
if (coin->decred) {
|
|
return 4 * (TXSIZE_INPUT + 1); // Decred tree
|
|
}
|
|
#else
|
|
(void)coin;
|
|
#endif
|
|
|
|
InputScriptType script_type = txinput->script_type;
|
|
if (script_type == InputScriptType_EXTERNAL) {
|
|
// Guess the script type from the scriptPubKey.
|
|
switch (txinput->script_pubkey.bytes[0]) {
|
|
case 0x76: // OP_DUP (P2PKH)
|
|
script_type = InputScriptType_SPENDADDRESS;
|
|
break;
|
|
case 0xA9: // OP_HASH_160 (P2SH, probably nested P2WPKH)
|
|
script_type = InputScriptType_SPENDP2SHWITNESS;
|
|
break;
|
|
case 0x00: // SegWit v0 (probably P2WPKH)
|
|
script_type = InputScriptType_SPENDWITNESS;
|
|
break;
|
|
case 0x51: // SegWit v1 (P2TR)
|
|
script_type = InputScriptType_SPENDTAPROOT;
|
|
break;
|
|
default: // Unknown script type.
|
|
break;
|
|
}
|
|
}
|
|
|
|
uint32_t input_script_size = tx_input_script_size(txinput, script_type);
|
|
uint32_t weight = 4 * TXSIZE_INPUT;
|
|
if (script_type == InputScriptType_SPENDADDRESS ||
|
|
script_type == InputScriptType_SPENDMULTISIG) {
|
|
input_script_size += ser_length_size(input_script_size);
|
|
weight += 4 * input_script_size;
|
|
} else if (script_type == InputScriptType_SPENDWITNESS ||
|
|
script_type == InputScriptType_SPENDTAPROOT ||
|
|
script_type == InputScriptType_SPENDP2SHWITNESS) {
|
|
if (script_type == InputScriptType_SPENDP2SHWITNESS) {
|
|
weight += 4 * (2 + (txinput->has_multisig ? TXSIZE_WITNESSSCRIPT
|
|
: TXSIZE_WITNESSPKHASH));
|
|
} else {
|
|
weight += 4; // empty input script
|
|
}
|
|
weight += input_script_size; // discounted witness
|
|
}
|
|
|
|
return weight;
|
|
}
|
|
|
|
uint32_t tx_output_weight(const CoinInfo *coin, const TxOutputType *txoutput) {
|
|
uint32_t output_script_size = 0;
|
|
if (txoutput->script_type == OutputScriptType_PAYTOOPRETURN) {
|
|
output_script_size = 1 + op_push_size(txoutput->op_return_data.size) +
|
|
txoutput->op_return_data.size;
|
|
} else if (txoutput->address_n_count > 0) {
|
|
if (txoutput->script_type == OutputScriptType_PAYTOWITNESS) {
|
|
output_script_size =
|
|
txoutput->has_multisig ? TXSIZE_WITNESSSCRIPT : TXSIZE_WITNESSPKHASH;
|
|
} else if (txoutput->script_type == OutputScriptType_PAYTOTAPROOT) {
|
|
output_script_size = TXSIZE_TAPROOT;
|
|
} else if (txoutput->script_type == OutputScriptType_PAYTOP2SHWITNESS) {
|
|
output_script_size = TXSIZE_P2SCRIPT;
|
|
} else {
|
|
output_script_size =
|
|
txoutput->has_multisig ? TXSIZE_P2SCRIPT : TXSIZE_P2PKHASH;
|
|
}
|
|
} else {
|
|
uint8_t addr_raw[MAX_ADDR_RAW_SIZE] = {0};
|
|
int witver = 0;
|
|
size_t addr_raw_len = 0;
|
|
#if !BITCOIN_ONLY
|
|
if (coin->cashaddr_prefix &&
|
|
cash_addr_decode(addr_raw, &addr_raw_len, coin->cashaddr_prefix,
|
|
txoutput->address)) {
|
|
if (addr_raw_len == 21 && addr_raw[0] == (CASHADDR_P2KH | CASHADDR_160)) {
|
|
output_script_size = TXSIZE_P2PKHASH;
|
|
} else if (addr_raw_len == 21 &&
|
|
addr_raw[0] == (CASHADDR_P2SH | CASHADDR_160)) {
|
|
output_script_size = TXSIZE_P2SCRIPT;
|
|
}
|
|
} else
|
|
#endif
|
|
{
|
|
if (coin->bech32_prefix &&
|
|
segwit_addr_decode(&witver, addr_raw, &addr_raw_len,
|
|
coin->bech32_prefix, txoutput->address)) {
|
|
output_script_size = 2 + addr_raw_len;
|
|
} else {
|
|
addr_raw_len =
|
|
base58_decode_check(txoutput->address, coin->curve->hasher_base58,
|
|
addr_raw, MAX_ADDR_RAW_SIZE);
|
|
if (address_check_prefix(addr_raw, coin->address_type)) {
|
|
output_script_size = TXSIZE_P2PKHASH;
|
|
} else if (address_check_prefix(addr_raw, coin->address_type_p2sh)) {
|
|
output_script_size = TXSIZE_P2SCRIPT;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
output_script_size += ser_length_size(output_script_size);
|
|
|
|
uint32_t size = TXSIZE_OUTPUT;
|
|
#if !BITCOIN_ONLY
|
|
if (coin->decred) {
|
|
size += 2; // Decred script version
|
|
}
|
|
#endif
|
|
|
|
return 4 * (size + output_script_size);
|
|
}
|
|
|
|
#if !BITCOIN_ONLY
|
|
uint32_t tx_decred_witness_weight(const TxInputType *txinput) {
|
|
uint32_t input_script_size =
|
|
tx_input_script_size(txinput, txinput->script_type);
|
|
if (txinput->script_type == InputScriptType_SPENDMULTISIG) {
|
|
// Decred fixed the the OP_FALSE bug in multisig.
|
|
input_script_size -= 1; // Subtract one OP_FALSE byte.
|
|
}
|
|
uint32_t size = TXSIZE_DECRED_WITNESS + ser_length_size(input_script_size) +
|
|
input_script_size;
|
|
|
|
return 4 * size;
|
|
}
|
|
#endif
|
|
|
|
bool get_ownership_proof(const CoinInfo *coin, InputScriptType script_type,
|
|
const HDNode *node, uint8_t flags,
|
|
const uint8_t ownership_id[OWNERSHIP_ID_SIZE],
|
|
const uint8_t *script_pubkey,
|
|
size_t script_pubkey_size,
|
|
const uint8_t *commitment_data,
|
|
size_t commitment_data_size, OwnershipProof *out) {
|
|
size_t r = 0;
|
|
|
|
// Write versionMagic (4 bytes).
|
|
memcpy(out->ownership_proof.bytes + r, SLIP19_VERSION_MAGIC,
|
|
sizeof(SLIP19_VERSION_MAGIC));
|
|
r += sizeof(SLIP19_VERSION_MAGIC);
|
|
|
|
// Write flags (1 byte).
|
|
out->ownership_proof.bytes[r] = flags;
|
|
r += 1;
|
|
|
|
// Write number of ownership IDs (1 byte).
|
|
r += ser_length(1, out->ownership_proof.bytes + r);
|
|
|
|
// Write ownership ID (32 bytes).
|
|
memcpy(out->ownership_proof.bytes + r, ownership_id, OWNERSHIP_ID_SIZE);
|
|
r += OWNERSHIP_ID_SIZE;
|
|
|
|
// Compute sighash = SHA-256(proofBody || proofFooter).
|
|
Hasher hasher = {0};
|
|
uint8_t sighash[SHA256_DIGEST_LENGTH] = {0};
|
|
hasher_InitParam(&hasher, HASHER_SHA2, NULL, 0);
|
|
hasher_Update(&hasher, out->ownership_proof.bytes, r);
|
|
tx_script_hash(&hasher, script_pubkey_size, script_pubkey);
|
|
tx_script_hash(&hasher, commitment_data_size, commitment_data);
|
|
hasher_Final(&hasher, sighash);
|
|
|
|
// Write proofSignature.
|
|
if (script_type == InputScriptType_SPENDWITNESS) {
|
|
if (!tx_sign_ecdsa(coin->curve->params, node->private_key, sighash,
|
|
out->signature.bytes, &out->signature.size)) {
|
|
return false;
|
|
}
|
|
// Write length-prefixed empty scriptSig (1 byte).
|
|
r += ser_length(0, out->ownership_proof.bytes + r);
|
|
|
|
// Write
|
|
// 1. number of stack items (1 byte)
|
|
// 2. signature + sighash type length (1 byte)
|
|
// 3. DER-encoded signature (max. 71 bytes)
|
|
// 4. sighash type (1 byte)
|
|
// 5. public key length (1 byte)
|
|
// 6. public key (33 bytes)
|
|
r += serialize_p2wpkh_witness(out->signature.bytes, out->signature.size,
|
|
node->public_key, 33, SIGHASH_ALL,
|
|
out->ownership_proof.bytes + r);
|
|
} else if (script_type == InputScriptType_SPENDTAPROOT) {
|
|
if (!tx_sign_bip340(node->private_key, sighash, out->signature.bytes,
|
|
&out->signature.size)) {
|
|
return false;
|
|
}
|
|
// Write length-prefixed empty scriptSig (1 byte).
|
|
r += ser_length(0, out->ownership_proof.bytes + r);
|
|
|
|
// Write
|
|
// 1. number of stack items (1 byte)
|
|
// 2. signature length (1 byte)
|
|
// 3. signature (64 bytes)
|
|
r += serialize_p2tr_witness(out->signature.bytes, out->signature.size, 0,
|
|
out->ownership_proof.bytes + r);
|
|
} else {
|
|
return false;
|
|
}
|
|
|
|
out->ownership_proof.size = r;
|
|
return true;
|
|
}
|
|
|
|
bool tx_input_verify_nonownership(
|
|
const CoinInfo *coin, const TxInputType *txinput,
|
|
const uint8_t ownership_id[OWNERSHIP_ID_SIZE]) {
|
|
size_t r = 0;
|
|
// Check versionMagic.
|
|
if (txinput->ownership_proof.size < r + sizeof(SLIP19_VERSION_MAGIC) ||
|
|
memcmp(txinput->ownership_proof.bytes + r, SLIP19_VERSION_MAGIC,
|
|
sizeof(SLIP19_VERSION_MAGIC)) != 0) {
|
|
return false;
|
|
}
|
|
r += sizeof(SLIP19_VERSION_MAGIC);
|
|
|
|
// Skip flags.
|
|
r += 1;
|
|
|
|
// Ensure that there is only one ownership ID.
|
|
if (txinput->ownership_proof.size < r + 1 ||
|
|
txinput->ownership_proof.bytes[r] != 1) {
|
|
return false;
|
|
}
|
|
r += 1;
|
|
|
|
// Ensure that the ownership ID is not ours.
|
|
if (txinput->ownership_proof.size < r + OWNERSHIP_ID_SIZE ||
|
|
memcmp(txinput->ownership_proof.bytes + r, ownership_id,
|
|
OWNERSHIP_ID_SIZE) == 0) {
|
|
return false;
|
|
}
|
|
r += OWNERSHIP_ID_SIZE;
|
|
|
|
// Compute the ownership proof digest.
|
|
Hasher hasher = {0};
|
|
hasher_InitParam(&hasher, HASHER_SHA2, NULL, 0);
|
|
hasher_Update(&hasher, txinput->ownership_proof.bytes, r);
|
|
tx_script_hash(&hasher, txinput->script_pubkey.size,
|
|
txinput->script_pubkey.bytes);
|
|
tx_script_hash(&hasher, txinput->commitment_data.size,
|
|
txinput->commitment_data.bytes);
|
|
uint8_t digest[SHA256_DIGEST_LENGTH] = {0};
|
|
hasher_Final(&hasher, digest);
|
|
|
|
// Ensure that there is no scriptSig, since we only support native SegWit
|
|
// ownership proofs.
|
|
if (txinput->ownership_proof.size < r + 1 ||
|
|
txinput->ownership_proof.bytes[r] != 0) {
|
|
return false;
|
|
}
|
|
r += 1;
|
|
|
|
if (txinput->script_pubkey.size == 22 &&
|
|
memcmp(txinput->script_pubkey.bytes, "\x00\x14", 2) == 0) {
|
|
// SegWit v0 (probably P2WPKH)
|
|
const uint8_t *pubkey_hash = txinput->script_pubkey.bytes + 2;
|
|
|
|
// Ensure that there are two stack items.
|
|
if (txinput->ownership_proof.size < r + 1 ||
|
|
txinput->ownership_proof.bytes[r] != 2) {
|
|
return false;
|
|
}
|
|
r += 1;
|
|
|
|
// Read the signature.
|
|
if (txinput->ownership_proof.size < r + 1) {
|
|
return false;
|
|
}
|
|
size_t signature_size = txinput->ownership_proof.bytes[r];
|
|
r += 1;
|
|
|
|
uint8_t signature[64] = {0};
|
|
if (txinput->ownership_proof.size < r + signature_size ||
|
|
ecdsa_sig_from_der(txinput->ownership_proof.bytes + r,
|
|
signature_size - 1, signature) != 0) {
|
|
return false;
|
|
}
|
|
r += signature_size;
|
|
|
|
// Read the public key.
|
|
if (txinput->ownership_proof.size < r + 34 ||
|
|
txinput->ownership_proof.bytes[r] != 33) {
|
|
return false;
|
|
}
|
|
const uint8_t *public_key = txinput->ownership_proof.bytes + r + 1;
|
|
r += 34;
|
|
|
|
// Check the public key matches the scriptPubKey.
|
|
uint8_t expected_pubkey_hash[20] = {0};
|
|
ecdsa_get_pubkeyhash(public_key, coin->curve->hasher_pubkey,
|
|
expected_pubkey_hash);
|
|
if (memcmp(pubkey_hash, expected_pubkey_hash,
|
|
sizeof(expected_pubkey_hash)) != 0) {
|
|
return false;
|
|
}
|
|
|
|
// Ensure that we have read the entire ownership proof.
|
|
if (r != txinput->ownership_proof.size) {
|
|
return false;
|
|
}
|
|
|
|
#ifdef USE_SECP256K1_ZKP_ECDSA
|
|
if (coin->curve->params == &secp256k1) {
|
|
if (zkp_ecdsa_verify_digest(coin->curve->params, public_key, signature,
|
|
digest) != 0) {
|
|
return false;
|
|
}
|
|
} else
|
|
#endif
|
|
{
|
|
if (ecdsa_verify_digest(coin->curve->params, public_key, signature,
|
|
digest) != 0) {
|
|
return false;
|
|
}
|
|
}
|
|
} else if (txinput->script_pubkey.size == 34 &&
|
|
memcmp(txinput->script_pubkey.bytes, "\x51\x20", 2) == 0) {
|
|
// SegWit v1 (P2TR)
|
|
const uint8_t *output_public_key = txinput->script_pubkey.bytes + 2;
|
|
|
|
// Ensure that there is one stack item consisting of 64 bytes.
|
|
if (txinput->ownership_proof.size < r + 2 ||
|
|
memcmp(txinput->ownership_proof.bytes + r, "\x01\x40", 2) != 0) {
|
|
return false;
|
|
}
|
|
r += 2;
|
|
|
|
// Read the signature.
|
|
const uint8_t *signature = txinput->ownership_proof.bytes + r;
|
|
r += 64;
|
|
|
|
// Ensure that we have read the entire ownership proof.
|
|
if (r != txinput->ownership_proof.size) {
|
|
return false;
|
|
}
|
|
|
|
if (zkp_bip340_verify_digest(output_public_key, signature, digest) != 0) {
|
|
return false;
|
|
}
|
|
} else {
|
|
// Unsupported script type.
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|