From 29d6004efc420a04e86e36dc30d4683445868e77 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Tue, 7 Mar 2017 16:16:59 +1030 Subject: [PATCH] bitcoin/script: update scripts to the lightningnetwork/lightning-rfc#123 version aka "BOLT 3: Use revocation key hash rather than revocation key", which builds on top of lightningnetwork/lightning-rfc#105 "BOLT 2,3,5: Make htlc outputs of the commitment tx spendable with revocation key". This affects callers, since they now need to hand us the revocation pubkey, but commit_tx has that already anyway. Signed-off-by: Rusty Russell --- bitcoin/script.c | 93 +++++++++++++++++++++++---------- bitcoin/script.h | 6 ++- lightningd/commit_tx.c | 25 +++++---- lightningd/htlc_tx.c | 8 +-- lightningd/htlc_tx.h | 4 +- lightningd/opening/opening.c | 4 +- lightningd/test/run-commit_tx.c | 10 ++-- 7 files changed, 100 insertions(+), 50 deletions(-) diff --git a/bitcoin/script.c b/bitcoin/script.c index f00ac32af..b324fb34a 100644 --- a/bitcoin/script.c +++ b/bitcoin/script.c @@ -705,29 +705,45 @@ u8 **bitcoin_to_local_spend_revocation(const tal_t *ctx, /* BOLT #3: * - * This output sends funds to a HTLC-timeout transaction after the - * HTLC timeout, or to the remote peer on successful payment preimage. - * The output is a P2WSH, with a witness script: + * #### Offered HTLC Outputs * - * OP_SWAP - * OP_SIZE 32 OP_EQUAL - * OP_NOTIF - * # To me via HTLC-timeout transaction (timelocked). - * OP_DROP 2 OP_SWAP 2 OP_CHECKMULTISIG - * OP_ELSE - * # To you with preimage. - * OP_HASH160 OP_EQUALVERIFY - * OP_CHECKSIG - * OP_ENDIF + * This output sends funds to a HTLC-timeout transaction after the HTLC + * timeout, or to the remote peer using the payment preimage or the revocation + * key. The output is a P2WSH, with a witness script: + * + * # To you with revocation key + * OP_DUP OP_HASH160 OP_EQUAL + * OP_IF + * OP_CHECKSIG + * OP_ELSE + * OP_SWAP OP_SIZE 32 OP_EQUAL + * OP_NOTIF + * # To me via HTLC-timeout transaction (timelocked). + * OP_DROP 2 OP_SWAP 2 OP_CHECKMULTISIG + * OP_ELSE + * # To you with preimage. + * OP_HASH160 OP_EQUALVERIFY + * OP_CHECKSIG + * OP_ENDIF + * OP_ENDIF */ u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx, const struct pubkey *localkey, const struct pubkey *remotekey, - const struct sha256 *payment_hash) + const struct sha256 *payment_hash, + const struct pubkey *revocationkey) { u8 *script = tal_arr(ctx, u8, 0); struct ripemd160 ripemd; + add_op(&script, OP_DUP); + add_op(&script, OP_HASH160); + hash160_key(&ripemd, revocationkey); + add_push_bytes(&script, &ripemd, sizeof(ripemd)); + add_op(&script, OP_EQUAL); + add_op(&script, OP_IF); + add_op(&script, OP_CHECKSIG); + add_op(&script, OP_ELSE); add_push_key(&script, remotekey); add_op(&script, OP_SWAP); add_op(&script, OP_SIZE); @@ -747,37 +763,55 @@ u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx, add_op(&script, OP_EQUALVERIFY); add_op(&script, OP_CHECKSIG); add_op(&script, OP_ENDIF); + add_op(&script, OP_ENDIF); return script; } /* BOLT #3: * - * This output sends funds to the remote peer after the HTLC timeout, - * or to an HTLC-success transaction with a successful payment - * preimage. The output is a P2WSH, with a witness script: + * #### Received HTLC Outputs * - * OP_SWAP - * OP_SIZE 32 OP_EQUAL - * OP_IF - * # To me via HTLC-success transaction. - * OP_HASH160 OP_EQUALVERIFY - * 2 OP_SWAP 2 OP_CHECKMULTISIG - * OP_ELSE - * # To you after timeout. - * OP_DROP OP_CHECKLOCKTIMEVERIFY OP_DROP - * OP_CHECKSIG - * OP_ENDIF + * This output sends funds to the remote peer after the HTLC timeout or using + * the revocation key, or to an HTLC-success transaction with a successful + * payment preimage. The output is a P2WSH, with a witness script: + * + * # To you with revocation key + * OP_DUP OP_HASH160 OP_EQUAL + * OP_IF + * OP_CHECKSIG + * OP_ELSE + * OP_SWAP + * OP_SIZE 32 OP_EQUAL + * OP_IF + * # To me via HTLC-success transaction. + * OP_HASH160 OP_EQUALVERIFY + * 2 OP_SWAP 2 OP_CHECKMULTISIG + * OP_ELSE + * # To you after timeout. + * OP_DROP OP_CHECKLOCKTIMEVERIFY OP_DROP + * OP_CHECKSIG + * OP_ENDIF + * OP_ENDIF */ u8 *bitcoin_wscript_htlc_receive(const tal_t *ctx, const struct abs_locktime *htlc_abstimeout, const struct pubkey *localkey, const struct pubkey *remotekey, - const struct sha256 *payment_hash) + const struct sha256 *payment_hash, + const struct pubkey *revocationkey) { u8 *script = tal_arr(ctx, u8, 0); struct ripemd160 ripemd; + add_op(&script, OP_DUP); + add_op(&script, OP_HASH160); + hash160_key(&ripemd, revocationkey); + add_push_bytes(&script, &ripemd, sizeof(ripemd)); + add_op(&script, OP_EQUAL); + add_op(&script, OP_IF); + add_op(&script, OP_CHECKSIG); + add_op(&script, OP_ELSE); add_push_key(&script, remotekey); add_op(&script, OP_SWAP); add_op(&script, OP_SIZE); @@ -800,6 +834,7 @@ u8 *bitcoin_wscript_htlc_receive(const tal_t *ctx, add_op(&script, OP_DROP); add_op(&script, OP_CHECKSIG); add_op(&script, OP_ENDIF); + add_op(&script, OP_ENDIF); return script; } diff --git a/bitcoin/script.h b/bitcoin/script.h index dbb21a303..f29cde442 100644 --- a/bitcoin/script.h +++ b/bitcoin/script.h @@ -123,7 +123,8 @@ u8 **bitcoin_to_local_spend_revocation(const tal_t *ctx, u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx, const struct pubkey *localkey, const struct pubkey *remotekey, - const struct sha256 *payment_hash); + const struct sha256 *payment_hash, + const struct pubkey *revocationkey); u8 **bitcoin_htlc_offer_spend_timeout(const tal_t *ctx, const secp256k1_ecdsa_signature *localsig, const secp256k1_ecdsa_signature *remotesig, @@ -132,7 +133,8 @@ u8 *bitcoin_wscript_htlc_receive(const tal_t *ctx, const struct abs_locktime *htlc_abstimeout, const struct pubkey *localkey, const struct pubkey *remotekey, - const struct sha256 *payment_hash); + const struct sha256 *payment_hash, + const struct pubkey *revocationkey); u8 **bitcoin_htlc_receive_spend_preimage(const tal_t *ctx, const secp256k1_ecdsa_signature *localsig, const secp256k1_ecdsa_signature *remotesig, diff --git a/lightningd/commit_tx.c b/lightningd/commit_tx.c index 5cf5dde2c..d2353c80e 100644 --- a/lightningd/commit_tx.c +++ b/lightningd/commit_tx.c @@ -55,10 +55,10 @@ u64 htlc_timeout_fee(u64 feerate_per_kw) * * The fee for an HTLC-timeout transaction MUST BE calculated to match: * - * 1. Multiply `feerate-per-kw` by 635 and divide by 1000 (rounding + * 1. Multiply `feerate-per-kw` by 663 and divide by 1000 (rounding * down). */ - return feerate_per_kw * 635 / 1000; + return feerate_per_kw * 663 / 1000; } u64 htlc_success_fee(u64 feerate_per_kw) @@ -67,10 +67,10 @@ u64 htlc_success_fee(u64 feerate_per_kw) * * The fee for an HTLC-success transaction MUST BE calculated to match: * - * 1. Multiply `feerate-per-kw` by 673 and divide by 1000 (rounding + * 1. Multiply `feerate-per-kw` by 703 and divide by 1000 (rounding * down). */ - return feerate_per_kw * 673 / 1000; + return feerate_per_kw * 703 / 1000; } static bool trim(const struct htlc *htlc, @@ -147,11 +147,13 @@ u64 commit_tx_base_fee(u64 feerate_per_kw, size_t num_untrimmed_htlcs) static void add_offered_htlc_out(struct bitcoin_tx *tx, size_t n, const struct htlc *htlc, const struct pubkey *selfkey, - const struct pubkey *otherkey) + const struct pubkey *otherkey, + const struct pubkey *revocationkey) { u8 *wscript = bitcoin_wscript_htlc_offer(tx, selfkey, otherkey, - &htlc->rhash); + &htlc->rhash, + revocationkey); tx->output[n].amount = htlc->msatoshi / 1000; tx->output[n].script = scriptpubkey_p2wsh(tx, wscript); SUPERVERBOSE("# HTLC %"PRIu64" offered amount %"PRIu64" wscript %s\n", @@ -162,12 +164,13 @@ static void add_offered_htlc_out(struct bitcoin_tx *tx, size_t n, static void add_received_htlc_out(struct bitcoin_tx *tx, size_t n, const struct htlc *htlc, const struct pubkey *selfkey, - const struct pubkey *otherkey) + const struct pubkey *otherkey, + const struct pubkey *revocationkey) { u8 *wscript = bitcoin_wscript_htlc_receive(tx, &htlc->expiry, selfkey, otherkey, - &htlc->rhash); + &htlc->rhash, revocationkey); tx->output[n].amount = htlc->msatoshi / 1000; tx->output[n].script = scriptpubkey_p2wsh(tx->output, wscript); SUPERVERBOSE("# HTLC %"PRIu64" received amount %"PRIu64" wscript %s\n", @@ -250,7 +253,8 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx, continue; if (trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side)) continue; - add_offered_htlc_out(tx, n, htlcs[i], selfkey, otherkey); + add_offered_htlc_out(tx, n, htlcs[i], selfkey, otherkey, + revocation_pubkey); if (htlcmap) (*htlcmap)[n++] = htlcs[i]; } @@ -265,7 +269,8 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx, continue; if (trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side)) continue; - add_received_htlc_out(tx, n, htlcs[i],selfkey, otherkey); + add_received_htlc_out(tx, n, htlcs[i],selfkey, otherkey, + revocation_pubkey); if (htlcmap) (*htlcmap)[n++] = htlcs[i]; } diff --git a/lightningd/htlc_tx.c b/lightningd/htlc_tx.c index 7d3700eee..e87b353b5 100644 --- a/lightningd/htlc_tx.c +++ b/lightningd/htlc_tx.c @@ -95,7 +95,8 @@ void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success, const struct pubkey *remotekey, const secp256k1_ecdsa_signature *localsig, const secp256k1_ecdsa_signature *remotesig, - const struct preimage *payment_preimage) + const struct preimage *payment_preimage, + const struct pubkey *revocationkey) { struct sha256 hash; u8 *wscript; @@ -104,7 +105,7 @@ void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success, wscript = bitcoin_wscript_htlc_receive(htlc_success, htlc_abstimeout, localkey, remotekey, - &hash); + &hash, revocationkey); htlc_success->input[0].witness = bitcoin_htlc_receive_spend_preimage(htlc_success->input, @@ -137,12 +138,13 @@ void htlc_timeout_tx_add_witness(struct bitcoin_tx *htlc_timeout, const struct pubkey *localkey, const struct pubkey *remotekey, const struct sha256 *payment_hash, + const struct pubkey *revocationkey, const secp256k1_ecdsa_signature *localsig, const secp256k1_ecdsa_signature *remotesig) { u8 *wscript = bitcoin_wscript_htlc_offer(htlc_timeout, localkey, remotekey, - payment_hash); + payment_hash, revocationkey); htlc_timeout->input[0].witness = bitcoin_htlc_offer_spend_timeout(htlc_timeout->input, diff --git a/lightningd/htlc_tx.h b/lightningd/htlc_tx.h index 82b42a2bd..d99c91668 100644 --- a/lightningd/htlc_tx.h +++ b/lightningd/htlc_tx.h @@ -25,7 +25,8 @@ void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success, const struct pubkey *remotekey, const secp256k1_ecdsa_signature *localsig, const secp256k1_ecdsa_signature *remotesig, - const struct preimage *payment_preimage); + const struct preimage *payment_preimage, + const struct pubkey *revocationkey); /* Create HTLC-timeout tx to spend an offered HTLC commitment tx * output; doesn't fill in input witness. */ @@ -43,6 +44,7 @@ void htlc_timeout_tx_add_witness(struct bitcoin_tx *htlc_timeout, const struct pubkey *localkey, const struct pubkey *remotekey, const struct sha256 *payment_hash, + const struct pubkey *revocationkey, const secp256k1_ecdsa_signature *localsig, const secp256k1_ecdsa_signature *remotesig); diff --git a/lightningd/opening/opening.c b/lightningd/opening/opening.c index 021ba153f..770c1908f 100644 --- a/lightningd/opening/opening.c +++ b/lightningd/opening/opening.c @@ -136,9 +136,9 @@ static void check_config_bounds(struct state *state, /* BOLT #2: * * It MUST fail the channel if `max-accepted-htlcs` is greater - * than 511. + * than 483. */ - if (remoteconf->max_accepted_htlcs > 511) + if (remoteconf->max_accepted_htlcs > 483) peer_failed(PEER_FD, &state->cs, NULL, WIRE_OPENING_PEER_BAD_CONFIG, "max_accepted_htlcs %u too large", diff --git a/lightningd/test/run-commit_tx.c b/lightningd/test/run-commit_tx.c index d31f51b55..9f742ea32 100644 --- a/lightningd/test/run-commit_tx.c +++ b/lightningd/test/run-commit_tx.c @@ -227,7 +227,8 @@ static void report_htlcs(const struct bitcoin_tx *tx, wscript[i] = bitcoin_wscript_htlc_offer(tmpctx, localkey, remotekey, - &htlc->rhash); + &htlc->rhash, + local_revocation_key); } else { htlc_tx[i] = htlc_success_tx(htlc_tx, &txid, i, htlc, to_self_delay, @@ -238,7 +239,8 @@ static void report_htlcs(const struct bitcoin_tx *tx, &htlc->expiry, localkey, remotekey, - &htlc->rhash); + &htlc->rhash, + local_revocation_key); } sign_tx_input(htlc_tx[i], 0, NULL, @@ -271,13 +273,15 @@ static void report_htlcs(const struct bitcoin_tx *tx, htlc_timeout_tx_add_witness(htlc_tx[i], localkey, remotekey, &htlc->rhash, + local_revocation_key, &localsig, &remotesig[i]); } else { htlc_success_tx_add_witness(htlc_tx[i], &htlc->expiry, localkey, remotekey, &localsig, &remotesig[i], - htlc->r); + htlc->r, + local_revocation_key); } printf("output htlc_%s_tx %"PRIu64": %s\n", htlc_owner(htlc) == LOCAL ? "timeout" : "success",