Inner transaction signature is now over transaction header.

Zondax · Oct 24, 2023 · 117f548 · 117f548
1 parent 41976da
commit 117f548
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 63 deletions.
diff --git a/app/Makefile b/app/Makefile
@@ -55,7 +55,7 @@ endif
 
 APP_LOAD_PARAMS =  --curve ed25519 $(COMMON_LOAD_PARAMS) --path $(APPPATH)
 
-NANOS_STACK_SIZE := 2650
+NANOS_STACK_SIZE := 2640
 include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.devices
 
 $(info TARGET_NAME  = [$(TARGET_NAME)])

diff --git a/app/src/crypto.c b/app/src/crypto.c
@@ -154,7 +154,21 @@ zxerr_t crypto_fillAddress(signing_key_type_e addressKind, uint8_t *buffer, uint
 }
 
 
-static zxerr_t crypto_hashHeader(const header_t *header, uint8_t *output, uint32_t outputLen) {
+static zxerr_t crypto_hashFeeHeader(const header_t *header, uint8_t *output, uint32_t outputLen) {
+    if (header == NULL || output == NULL || outputLen < CX_SHA256_SIZE) {
+         return zxerr_invalid_crypto_settings;
+    }
+    cx_sha256_t sha256 = {0};
+    cx_sha256_init(&sha256);
+    const uint8_t discriminant = 0x07;
+    cx_sha256_update(&sha256, &discriminant, sizeof(discriminant));
+    cx_sha256_update(&sha256, header->ext_bytes.ptr, header->ext_bytes.len);
+    cx_sha256_final(&sha256, output);
+    return zxerr_ok;
+}
+
+
+static zxerr_t crypto_hashRawHeader(const header_t *header, uint8_t *output, uint32_t outputLen) {
     if (header == NULL || output == NULL || outputLen < CX_SHA256_SIZE) {
          return zxerr_invalid_crypto_settings;
     }
@@ -163,6 +177,8 @@ static zxerr_t crypto_hashHeader(const header_t *header, uint8_t *output, uint32
     const uint8_t discriminant = 0x07;
     cx_sha256_update(&sha256, &discriminant, sizeof(discriminant));
     cx_sha256_update(&sha256, header->bytes.ptr, header->bytes.len);
+    const uint8_t header_discriminant = 0x00;
+    cx_sha256_update(&sha256, &header_discriminant, sizeof(header_discriminant));
     cx_sha256_final(&sha256, output);
     return zxerr_ok;
 }
@@ -261,16 +277,11 @@ zxerr_t crypto_sign(const parser_tx_t *txObj, uint8_t *output, uint16_t outputLe
         .hashesLen = 0
     };
 
-    const section_t *data = &txObj->transaction.sections.data;
-    const section_t *code = &txObj->transaction.sections.code;
-    uint8_t *codeHash = section_hashes.hashes.ptr;
-    uint8_t *dataHash = section_hashes.hashes.ptr + HASH_LEN;
-    section_hashes.indices.ptr[0] = code->idx;
-    section_hashes.indices.ptr[1] = data->idx;
-    // Concatenate the code and data section hashes
-    CHECK_ZXERR(crypto_hashCodeSection(code, codeHash, HASH_LEN))
-    CHECK_ZXERR(crypto_hashDataSection(data, dataHash, HASH_LEN))
-    section_hashes.hashesLen = 2;
+    uint8_t *rawHeaderHash = section_hashes.hashes.ptr;
+    section_hashes.indices.ptr[0] = 255;
+    // Concatenate the raw header hash
+    CHECK_ZXERR(crypto_hashRawHeader(&txObj->transaction.header, rawHeaderHash, HASH_LEN))
+    section_hashes.hashesLen = 1;
 
     CHECK_ZXERR(crypto_addTxnHashes(txObj, &section_hashes))
 
@@ -299,6 +310,8 @@ zxerr_t crypto_sign(const parser_tx_t *txObj, uint8_t *output, uint16_t outputLe
     uint8_t *raw = salt_buffer + SALT_LEN;
     MEMCPY(raw, indexed_signatures_buffer+1, SIG_LEN_25519_PLUS_TAG);
     uint8_t raw_indices_len = section_hashes.hashesLen;
+    uint8_t raw_indices_buffer[MAX_SIGNATURE_HASHES] = {0};
+    MEMCPY(raw_indices_buffer, section_hashes.indices.ptr, section_hashes.hashesLen);
 
     // ----------------------------------------------------------------------
     // Start generating wrapper signature
@@ -316,13 +329,24 @@ zxerr_t crypto_sign(const parser_tx_t *txObj, uint8_t *output, uint16_t outputLe
     signature_section.hashes.hashesLen++;
 
     /// Hash the header section
-    uint8_t *header_hash = section_hashes.hashes.ptr + (section_hashes.hashesLen * HASH_LEN);
-    CHECK_ZXERR(crypto_hashHeader(&txObj->transaction.header, header_hash, HASH_LEN))
-    section_hashes.indices.ptr[section_hashes.hashesLen] = 0;
-    section_hashes.hashesLen++;
-    signature_section.hashes.hashesLen++;
+    uint8_t *header_hash = section_hashes.hashes.ptr;
+    CHECK_ZXERR(crypto_hashFeeHeader(&txObj->transaction.header, header_hash, HASH_LEN))
+    section_hashes.indices.ptr[0] = 0;
 
-    /// Hash the eligible signature sections
+    // Hash the code and data sections
+    const section_t *data = &txObj->transaction.sections.data;
+    const section_t *code = &txObj->transaction.sections.code;
+    uint8_t *codeHash = section_hashes.hashes.ptr + (section_hashes.hashesLen * HASH_LEN);
+    uint8_t *dataHash = codeHash + HASH_LEN;
+    section_hashes.indices.ptr[section_hashes.hashesLen] = code->idx;
+    section_hashes.indices.ptr[section_hashes.hashesLen+1] = data->idx;
+    // Concatenate the code and data section hashes
+    CHECK_ZXERR(crypto_hashCodeSection(code, codeHash, HASH_LEN))
+    CHECK_ZXERR(crypto_hashDataSection(data, dataHash, HASH_LEN))
+    section_hashes.hashesLen += 2;
+    signature_section.hashes.hashesLen += 2;
+
+    // Hash the eligible signature sections
     for (unsigned int i = 0; i < txObj->transaction.sections.signaturesLen; i++) {
       const signature_section_t *prev_sig = &txObj->transaction.sections.signatures[i];
       unsigned int j;
@@ -360,7 +384,9 @@ zxerr_t crypto_sign(const parser_tx_t *txObj, uint8_t *output, uint16_t outputLe
 
     uint8_t *indices = wrapper + SIG_LEN_25519_PLUS_TAG;
     indices[0] = raw_indices_len;
-    indices[1] = section_hashes.hashesLen;
-    MEMCPY(indices + 2, section_hashes.indices.ptr, section_hashes.hashesLen);
+    MEMCPY(indices + 1, raw_indices_buffer, raw_indices_len);
+    indices += 1 + raw_indices_len;
+    indices[0] = section_hashes.hashesLen;
+    MEMCPY(indices + 1, section_hashes.indices.ptr, section_hashes.hashesLen);
     return zxerr_ok;
 }
diff --git a/app/src/parser_impl_txn.c b/app/src/parser_impl_txn.c
@@ -830,6 +830,7 @@ parser_error_t readHeader(parser_context_t *ctx, parser_tx_t *v) {
         return parser_unexpected_value;
     }
     v->transaction.header.bytes.ptr = ctx->buffer + ctx->offset;
+    v->transaction.header.ext_bytes.ptr = ctx->buffer + ctx->offset;
     const uint16_t tmpOffset = ctx->offset;
 
     // Read length of chain_id
@@ -859,6 +860,8 @@ parser_error_t readHeader(parser_context_t *ctx, parser_tx_t *v) {
     v->transaction.header.dataHash.len = HASH_LEN;
     CHECK_ERROR(readBytes(ctx, &v->transaction.header.dataHash.ptr, v->transaction.header.dataHash.len))
 
+    v->transaction.header.bytes.len = ctx->offset - tmpOffset;
+
     CHECK_ERROR(checkTag(ctx, 0x01))
     // Fee.amount
     CHECK_ERROR(readUint256(ctx, &v->transaction.header.fees.amount))
@@ -894,7 +897,7 @@ parser_error_t readHeader(parser_context_t *ctx, parser_tx_t *v) {
         ctx->offset += num_pow_solution * 17;
     }
 
-    v->transaction.header.bytes.len = ctx->offset - tmpOffset;
+    v->transaction.header.ext_bytes.len = ctx->offset - tmpOffset;
 
     return parser_ok;
 }

diff --git a/app/src/parser_txdef.h b/app/src/parser_txdef.h
@@ -130,6 +130,7 @@ typedef struct {
 #endif
 
 typedef struct {
+    bytes_t ext_bytes;
     bytes_t bytes;
     fees_t fees;
     bytes_t pubkey;

diff --git a/js/src/processResponses.ts b/js/src/processResponses.ts
@@ -39,11 +39,13 @@ export function getSignatureResponse(response: Buffer): ISignature {
   offset += SIG_LEN_PLUS_TAG;
   const raw_indices_len = response[offset];
   offset += 1;
+  const raw_indices = Buffer.from(response.subarray(offset, offset + raw_indices_len))
+  offset += raw_indices_len;
+
   const wrapper_indices_len = response[offset];
-
   offset += 1;
-  const raw_indices = Buffer.from(response.subarray(offset, offset + raw_indices_len))
   const wrapper_indices = Buffer.from(response.subarray(offset, offset + wrapper_indices_len))
+  offset += wrapper_indices_len;
 
   return {
     pubkey,