core-lightning/signature.c

#include "signature.h"
#include "shadouble.h"
#include "bitcoin_tx.h"
#include <openssl/bn.h>
#include <openssl/obj_mac.h>
#include <assert.h>
#include <ccan/cast/cast.h>

struct signature *sign_hash(const tal_t *ctx, EC_KEY *private_key,
			    const struct sha256_double *h)
{
	ECDSA_SIG *sig;
	int len;
	struct signature *s;
	
	sig = ECDSA_do_sign(h->sha.u.u8, sizeof(*h), private_key);
	if (!sig)
		return NULL;

	/* See https://github.com/sipa/bitcoin/commit/a81cd9680.
	 * There can only be one signature with an even S, so make sure we
	 * get that one. */
	if (BN_is_odd(sig->s)) {
		const EC_GROUP *group;
		BIGNUM order;

		BN_init(&order);
		group = EC_KEY_get0_group(private_key);
		EC_GROUP_get_order(group, &order, NULL);
		BN_sub(sig->s, &order, sig->s);
		BN_free(&order);

		assert(!BN_is_odd(sig->s));
        }

	s = talz(ctx, struct signature);

	/* Pack r and s into signature, 32 bytes each. */
	len = BN_num_bytes(sig->r);
	assert(len <= sizeof(s->r));
	BN_bn2bin(sig->r, s->r + sizeof(s->r) - len);
	len = BN_num_bytes(sig->s);
	assert(len <= sizeof(s->s));
	BN_bn2bin(sig->s, s->s + sizeof(s->s) - len);

	ECDSA_SIG_free(sig);
	return s;
}

struct signature *sign_tx_input(const tal_t *ctx, struct bitcoin_tx *tx,
				unsigned int in,
				const u8 *subscript, size_t subscript_len,
				EC_KEY *privkey)
{
	struct sha256_double hash;
	struct sha256_ctx shactx;

	/* Transaction gets signed as if the output subscript is the
	 * only input script. */
	tx->input[in].script_length = subscript_len;
	tx->input[in].script = cast_const(u8 *, subscript);

	sha256_init(&shactx);
	sha256_tx(&shactx, tx);
	sha256_le32(&shactx, SIGHASH_ALL);
	sha256_double_done(&shactx, &hash);

	/* Reset it for next time. */
	tx->input[in].script_length = 0;
	tx->input[in].script = NULL;

	return sign_hash(ctx, privkey, &hash);
}

Signature *signature_to_proto(const tal_t *ctx, const struct signature *sig)
{
	Signature *pb = tal(ctx, Signature);
	signature__init(pb);

	assert((sig->s[31] & 1) == 0);

	/* Kill me now... */
	memcpy(&pb->r1, sig->r, 8);
	memcpy(&pb->r2, sig->r + 8, 8);
	memcpy(&pb->r3, sig->r + 16, 8);
	memcpy(&pb->r4, sig->r + 24, 8);
	memcpy(&pb->s1, sig->s, 8);
	memcpy(&pb->s2, sig->s + 8, 8);
	memcpy(&pb->s3, sig->s + 16, 8);
	memcpy(&pb->s4, sig->s + 24, 8);

	return pb;
}

bool proto_to_signature(const Signature *pb, struct signature *sig)
{
	/* Kill me again. */
	memcpy(sig->r, &pb->r1, 8);
	memcpy(sig->r + 8, &pb->r2, 8);
	memcpy(sig->r + 16, &pb->r3, 8);
	memcpy(sig->r + 24, &pb->r4, 8);
	memcpy(sig->s, &pb->s1, 8);
	memcpy(sig->s + 8, &pb->s2, 8);
	memcpy(sig->s + 16, &pb->s3, 8);
	memcpy(sig->s + 24, &pb->s4, 8);

	/* S must be even */
	return (sig->s[31] & 1) == 0;
}
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00			`#include "signature.h"`
			`#include "shadouble.h"`
open-commit-sig: create signature for commit tx. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-30 12:41:10 +02:00			`#include "bitcoin_tx.h"`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00			`#include <openssl/bn.h>`
			`#include <openssl/obj_mac.h>`
			`#include <assert.h>`
open-commit-sig: create signature for commit tx. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-30 12:41:10 +02:00			`#include <ccan/cast/cast.h>`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00
Use raw 64-byte signatures in protocol. DER encoding introduces problems for non-canonical encodings; we should do that only at the lightning<->bitcoin interface. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 04:26:09 +02:00			`struct signature sign_hash(const tal_t ctx, EC_KEY *private_key,`
			`const struct sha256_double *h)`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00			`{`
			`ECDSA_SIG *sig;`
			`int len;`
Use raw 64-byte signatures in protocol. DER encoding introduces problems for non-canonical encodings; we should do that only at the lightning<->bitcoin interface. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 04:26:09 +02:00			`struct signature *s;`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00
			`sig = ECDSA_do_sign(h->sha.u.u8, sizeof(*h), private_key);`
			`if (!sig)`
			`return NULL;`

			`/* See https://github.com/sipa/bitcoin/commit/a81cd9680.`
			`* There can only be one signature with an even S, so make sure we`
			`* get that one. */`
			`if (BN_is_odd(sig->s)) {`
			`const EC_GROUP *group;`
			`BIGNUM order;`

			`BN_init(&order);`
			`group = EC_KEY_get0_group(private_key);`
			`EC_GROUP_get_order(group, &order, NULL);`
			`BN_sub(sig->s, &order, sig->s);`
			`BN_free(&order);`

			`assert(!BN_is_odd(sig->s));`
			`}`

Use raw 64-byte signatures in protocol. DER encoding introduces problems for non-canonical encodings; we should do that only at the lightning<->bitcoin interface. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 04:26:09 +02:00			`s = talz(ctx, struct signature);`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00
Use raw 64-byte signatures in protocol. DER encoding introduces problems for non-canonical encodings; we should do that only at the lightning<->bitcoin interface. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 04:26:09 +02:00			`/* Pack r and s into signature, 32 bytes each. */`
			`len = BN_num_bytes(sig->r);`
			`assert(len <= sizeof(s->r));`
			`BN_bn2bin(sig->r, s->r + sizeof(s->r) - len);`
			`len = BN_num_bytes(sig->s);`
			`assert(len <= sizeof(s->s));`
			`BN_bn2bin(sig->s, s->s + sizeof(s->s) - len);`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00
Use raw 64-byte signatures in protocol. DER encoding introduces problems for non-canonical encodings; we should do that only at the lightning<->bitcoin interface. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 04:26:09 +02:00			`ECDSA_SIG_free(sig);`
			`return s;`
open-anchor-sig, many fixes for open-channel. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-28 23:38:27 +02:00			`}`
open-commit-sig: create signature for commit tx. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-30 12:41:10 +02:00
Use raw 64-byte signatures in protocol. DER encoding introduces problems for non-canonical encodings; we should do that only at the lightning<->bitcoin interface. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 04:26:09 +02:00			`struct signature sign_tx_input(const tal_t ctx, struct bitcoin_tx *tx,`
			`unsigned int in,`
			`const u8 *subscript, size_t subscript_len,`
			`EC_KEY *privkey)`
open-commit-sig: create signature for commit tx. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-05-30 12:41:10 +02:00			`{`
			`struct sha256_double hash;`
			`struct sha256_ctx shactx;`

			`/* Transaction gets signed as if the output subscript is the`
			`* only input script. */`
			`tx->input[in].script_length = subscript_len;`
			`tx->input[in].script = cast_const(u8 *, subscript);`

			`sha256_init(&shactx);`
			`sha256_tx(&shactx, tx);`
			`sha256_le32(&shactx, SIGHASH_ALL);`
			`sha256_double_done(&shactx, &hash);`

			`/* Reset it for next time. */`
			`tx->input[in].script_length = 0;`
			`tx->input[in].script = NULL;`

			`return sign_hash(ctx, privkey, &hash);`
			`}`
Move signature <-> proto conversions to signature.c, check lower bit. Make sure signature can be used by bitcoin. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2015-06-01 06:54:18 +02:00
			`Signature signature_to_proto(const tal_t ctx, const struct signature *sig)`
			`{`
			`Signature *pb = tal(ctx, Signature);`
			`signature__init(pb);`

			`assert((sig->s[31] & 1) == 0);`

			`/* Kill me now... */`
			`memcpy(&pb->r1, sig->r, 8);`
			`memcpy(&pb->r2, sig->r + 8, 8);`
			`memcpy(&pb->r3, sig->r + 16, 8);`
			`memcpy(&pb->r4, sig->r + 24, 8);`
			`memcpy(&pb->s1, sig->s, 8);`
			`memcpy(&pb->s2, sig->s + 8, 8);`
			`memcpy(&pb->s3, sig->s + 16, 8);`
			`memcpy(&pb->s4, sig->s + 24, 8);`

			`return pb;`
			`}`

			`bool proto_to_signature(const Signature pb, struct signature sig)`
			`{`
			`/* Kill me again. */`
			`memcpy(sig->r, &pb->r1, 8);`
			`memcpy(sig->r + 8, &pb->r2, 8);`
			`memcpy(sig->r + 16, &pb->r3, 8);`
			`memcpy(sig->r + 24, &pb->r4, 8);`
			`memcpy(sig->s, &pb->s1, 8);`
			`memcpy(sig->s + 8, &pb->s2, 8);`
			`memcpy(sig->s + 16, &pb->s3, 8);`
			`memcpy(sig->s + 24, &pb->s4, 8);`

			`/* S must be even */`
			`return (sig->s[31] & 1) == 0;`
			`}`