bitcoin/script: update scripts to the lightningnetwork/lightning-rfc#123 version

aka "BOLT 3: Use revocation key hash rather than revocation key",
which builds on top of lightningnetwork/lightning-rfc#105 "BOLT 2,3,5:
Make htlc outputs of the commitment tx spendable with revocation key".

This affects callers, since they now need to hand us the revocation
pubkey, but commit_tx has that already anyway.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

bitcoin/script.c

@@ -705,12 +705,18 @@ u8 **bitcoin_to_local_spend_revocation(const tal_t *ctx,
 
 /* BOLT #3:
  *
- * This output sends funds to a HTLC-timeout transaction after the
+ * #### Offered HTLC Outputs
- * HTLC timeout, or to the remote peer on successful payment preimage.
- * The output is a P2WSH, with a witness script:
  *
- *    <remotekey> OP_SWAP
+ * This output sends funds to a HTLC-timeout transaction after the HTLC
- *        OP_SIZE 32 OP_EQUAL
+ * timeout, or to the remote peer using the payment preimage or the revocation
+ * key.  The output is a P2WSH, with a witness script:
+ *
+ *     # To you with revocation key
+ *     OP_DUP OP_HASH160 <revocationkey-hash> OP_EQUAL
+ *     OP_IF
+ *         OP_CHECKSIG
+ *     OP_ELSE
+ *         <remotekey> OP_SWAP OP_SIZE 32 OP_EQUAL
  *         OP_NOTIF
  *             # To me via HTLC-timeout transaction (timelocked).
  *             OP_DROP 2 OP_SWAP <localkey> 2 OP_CHECKMULTISIG
@@ -719,15 +725,25 @@ u8 **bitcoin_to_local_spend_revocation(const tal_t *ctx,
  *             OP_HASH160 <ripemd-of-payment-hash> OP_EQUALVERIFY
  *             OP_CHECKSIG
  *         OP_ENDIF
+ *     OP_ENDIF
  */
 u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx,
 			       const struct pubkey *localkey,
 			       const struct pubkey *remotekey,
-			       const struct sha256 *payment_hash)
+			       const struct sha256 *payment_hash,
+			       const struct pubkey *revocationkey)
 {
 	u8 *script = tal_arr(ctx, u8, 0);
 	struct ripemd160 ripemd;
 
+	add_op(&script, OP_DUP);
+	add_op(&script, OP_HASH160);
+	hash160_key(&ripemd, revocationkey);
+	add_push_bytes(&script, &ripemd, sizeof(ripemd));
+	add_op(&script, OP_EQUAL);
+	add_op(&script, OP_IF);
+	add_op(&script, OP_CHECKSIG);
+	add_op(&script, OP_ELSE);
 	add_push_key(&script, remotekey);
 	add_op(&script, OP_SWAP);
 	add_op(&script, OP_SIZE);
@@ -747,16 +763,24 @@ u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx,
 	add_op(&script, OP_EQUALVERIFY);
 	add_op(&script, OP_CHECKSIG);
 	add_op(&script, OP_ENDIF);
+	add_op(&script, OP_ENDIF);
 
 	return script;
 }
 
 /* BOLT #3:
  *
- * This output sends funds to the remote peer after the HTLC timeout,
+ * #### Received HTLC Outputs
- * or to an HTLC-success transaction with a successful payment
- * preimage. The output is a P2WSH, with a witness script:
  *
+ * This output sends funds to the remote peer after the HTLC timeout or using
+ * the revocation key, or to an HTLC-success transaction with a successful
+ * payment preimage. The output is a P2WSH, with a witness script:
+ *
+ *     # To you with revocation key
+ *     OP_DUP OP_HASH160 <revocationkey-hash> OP_EQUAL
+ *     OP_IF
+ *         OP_CHECKSIG
+ *     OP_ELSE
  *         <remotekey> OP_SWAP
  *             OP_SIZE 32 OP_EQUAL
  *         OP_IF
@@ -768,16 +792,26 @@ u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx,
  *             OP_DROP <locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP
  *             OP_CHECKSIG
  *         OP_ENDIF
+ *     OP_ENDIF
  */
 u8 *bitcoin_wscript_htlc_receive(const tal_t *ctx,
 				 const struct abs_locktime *htlc_abstimeout,
 				 const struct pubkey *localkey,
 				 const struct pubkey *remotekey,
-				 const struct sha256 *payment_hash)
+				 const struct sha256 *payment_hash,
+				 const struct pubkey *revocationkey)
 {
 	u8 *script = tal_arr(ctx, u8, 0);
 	struct ripemd160 ripemd;
 
+	add_op(&script, OP_DUP);
+	add_op(&script, OP_HASH160);
+	hash160_key(&ripemd, revocationkey);
+	add_push_bytes(&script, &ripemd, sizeof(ripemd));
+	add_op(&script, OP_EQUAL);
+	add_op(&script, OP_IF);
+	add_op(&script, OP_CHECKSIG);
+	add_op(&script, OP_ELSE);
 	add_push_key(&script, remotekey);
 	add_op(&script, OP_SWAP);
 	add_op(&script, OP_SIZE);
@@ -800,6 +834,7 @@ u8 *bitcoin_wscript_htlc_receive(const tal_t *ctx,
 	add_op(&script, OP_DROP);
 	add_op(&script, OP_CHECKSIG);
 	add_op(&script, OP_ENDIF);
+	add_op(&script, OP_ENDIF);
 
 	return script;
 }

bitcoin/script.h

@@ -123,7 +123,8 @@ u8 **bitcoin_to_local_spend_revocation(const tal_t *ctx,
 u8 *bitcoin_wscript_htlc_offer(const tal_t *ctx,
 			       const struct pubkey *localkey,
 			       const struct pubkey *remotekey,
-			       const struct sha256 *payment_hash);
+			       const struct sha256 *payment_hash,
+			       const struct pubkey *revocationkey);
 u8 **bitcoin_htlc_offer_spend_timeout(const tal_t *ctx,
 				      const secp256k1_ecdsa_signature *localsig,
 				      const secp256k1_ecdsa_signature *remotesig,
@@ -132,7 +133,8 @@ u8 *bitcoin_wscript_htlc_receive(const tal_t *ctx,
 				 const struct abs_locktime *htlc_abstimeout,
 				 const struct pubkey *localkey,
 				 const struct pubkey *remotekey,
-				 const struct sha256 *payment_hash);
+				 const struct sha256 *payment_hash,
+				 const struct pubkey *revocationkey);
 u8 **bitcoin_htlc_receive_spend_preimage(const tal_t *ctx,
 				const secp256k1_ecdsa_signature *localsig,
 				const secp256k1_ecdsa_signature *remotesig,

lightningd/commit_tx.c

@@ -55,10 +55,10 @@ u64 htlc_timeout_fee(u64 feerate_per_kw)
 	 *
 	 * The fee for an HTLC-timeout transaction MUST BE calculated to match:
 	 *
-	 * 1. Multiply `feerate-per-kw` by 635 and divide by 1000 (rounding
+	 * 1. Multiply `feerate-per-kw` by 663 and divide by 1000 (rounding
 	 *    down).
 	 */
-	return feerate_per_kw * 635 / 1000;
+	return feerate_per_kw * 663 / 1000;
 }
 
 u64 htlc_success_fee(u64 feerate_per_kw)
@@ -67,10 +67,10 @@ u64 htlc_success_fee(u64 feerate_per_kw)
 	 *
 	 * The fee for an HTLC-success transaction MUST BE calculated to match:
 	 *
-	 * 1. Multiply `feerate-per-kw` by 673 and divide by 1000 (rounding
+	 * 1. Multiply `feerate-per-kw` by 703 and divide by 1000 (rounding
 	 *    down).
 	 */
-	return feerate_per_kw * 673 / 1000;
+	return feerate_per_kw * 703 / 1000;
 }
 
 static bool trim(const struct htlc *htlc,
@@ -147,11 +147,13 @@ u64 commit_tx_base_fee(u64 feerate_per_kw, size_t num_untrimmed_htlcs)
 static void add_offered_htlc_out(struct bitcoin_tx *tx, size_t n,
 				 const struct htlc *htlc,
 				 const struct pubkey *selfkey,
-				 const struct pubkey *otherkey)
+				 const struct pubkey *otherkey,
+				 const struct pubkey *revocationkey)
 {
 	u8 *wscript = bitcoin_wscript_htlc_offer(tx,
 						 selfkey, otherkey,
-						 &htlc->rhash);
+						 &htlc->rhash,
+						 revocationkey);
 	tx->output[n].amount = htlc->msatoshi / 1000;
 	tx->output[n].script = scriptpubkey_p2wsh(tx, wscript);
 	SUPERVERBOSE("# HTLC %"PRIu64" offered amount %"PRIu64" wscript %s\n",
@@ -162,12 +164,13 @@ static void add_offered_htlc_out(struct bitcoin_tx *tx, size_t n,
 static void add_received_htlc_out(struct bitcoin_tx *tx, size_t n,
 				  const struct htlc *htlc,
 				  const struct pubkey *selfkey,
-				  const struct pubkey *otherkey)
+				  const struct pubkey *otherkey,
+				  const struct pubkey *revocationkey)
 {
 	u8 *wscript = bitcoin_wscript_htlc_receive(tx,
 						   &htlc->expiry,
 						   selfkey, otherkey,
-						   &htlc->rhash);
+						   &htlc->rhash, revocationkey);
 	tx->output[n].amount = htlc->msatoshi / 1000;
 	tx->output[n].script = scriptpubkey_p2wsh(tx->output, wscript);
 	SUPERVERBOSE("# HTLC %"PRIu64" received amount %"PRIu64" wscript %s\n",
@@ -250,7 +253,8 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx,
 			continue;
 		if (trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side))
 			continue;
-		add_offered_htlc_out(tx, n, htlcs[i], selfkey, otherkey);
+		add_offered_htlc_out(tx, n, htlcs[i], selfkey, otherkey,
+				     revocation_pubkey);
 		if (htlcmap)
 			(*htlcmap)[n++] = htlcs[i];
 	}
@@ -265,7 +269,8 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx,
 			continue;
 		if (trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side))
 			continue;
-		add_received_htlc_out(tx, n, htlcs[i],selfkey, otherkey);
+		add_received_htlc_out(tx, n, htlcs[i],selfkey, otherkey,
+				      revocation_pubkey);
 		if (htlcmap)
 			(*htlcmap)[n++] = htlcs[i];
 	}

lightningd/htlc_tx.c

@@ -95,7 +95,8 @@ void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success,
 				 const struct pubkey *remotekey,
 				 const secp256k1_ecdsa_signature *localsig,
 				 const secp256k1_ecdsa_signature *remotesig,
-				 const struct preimage *payment_preimage)
+				 const struct preimage *payment_preimage,
+				 const struct pubkey *revocationkey)
 {
 	struct sha256 hash;
 	u8 *wscript;
@@ -104,7 +105,7 @@ void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success,
 	wscript = bitcoin_wscript_htlc_receive(htlc_success,
 					       htlc_abstimeout,
 					       localkey, remotekey,
-					       &hash);
+					       &hash, revocationkey);
 
 	htlc_success->input[0].witness
 		= bitcoin_htlc_receive_spend_preimage(htlc_success->input,
@@ -137,12 +138,13 @@ void htlc_timeout_tx_add_witness(struct bitcoin_tx *htlc_timeout,
 				 const struct pubkey *localkey,
 				 const struct pubkey *remotekey,
 				 const struct sha256 *payment_hash,
+				 const struct pubkey *revocationkey,
 				 const secp256k1_ecdsa_signature *localsig,
 				 const secp256k1_ecdsa_signature *remotesig)
 {
 	u8 *wscript = bitcoin_wscript_htlc_offer(htlc_timeout,
 						 localkey, remotekey,
-						 payment_hash);
+						 payment_hash, revocationkey);
 
 	htlc_timeout->input[0].witness
 		= bitcoin_htlc_offer_spend_timeout(htlc_timeout->input,

lightningd/htlc_tx.h

@@ -25,7 +25,8 @@ void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success,
 				 const struct pubkey *remotekey,
 				 const secp256k1_ecdsa_signature *localsig,
 				 const secp256k1_ecdsa_signature *remotesig,
-				 const struct preimage *payment_preimage);
+				 const struct preimage *payment_preimage,
+				 const struct pubkey *revocationkey);
 
 /* Create HTLC-timeout tx to spend an offered HTLC commitment tx
  * output; doesn't fill in input witness. */
@@ -43,6 +44,7 @@ void htlc_timeout_tx_add_witness(struct bitcoin_tx *htlc_timeout,
 				 const struct pubkey *localkey,
 				 const struct pubkey *remotekey,
 				 const struct sha256 *payment_hash,
+				 const struct pubkey *revocationkey,
 				 const secp256k1_ecdsa_signature *localsig,
 				 const secp256k1_ecdsa_signature *remotesig);
 

lightningd/opening/opening.c

@@ -136,9 +136,9 @@ static void check_config_bounds(struct state *state,
 	/* BOLT #2:
 	 *
 	 * It MUST fail the channel if `max-accepted-htlcs` is greater
-	 * than 511.
+	 * than 483.
 	 */
-	if (remoteconf->max_accepted_htlcs > 511)
+	if (remoteconf->max_accepted_htlcs > 483)
 		peer_failed(PEER_FD, &state->cs, NULL,
 			    WIRE_OPENING_PEER_BAD_CONFIG,
 			    "max_accepted_htlcs %u too large",

lightningd/test/run-commit_tx.c

@@ -227,7 +227,8 @@ static void report_htlcs(const struct bitcoin_tx *tx,
 			wscript[i] = bitcoin_wscript_htlc_offer(tmpctx,
 								localkey,
 								remotekey,
-								&htlc->rhash);
+								&htlc->rhash,
+								local_revocation_key);
 		} else {
 			htlc_tx[i] = htlc_success_tx(htlc_tx, &txid, i,
 						     htlc, to_self_delay,
@@ -238,7 +239,8 @@ static void report_htlcs(const struct bitcoin_tx *tx,
 								  &htlc->expiry,
 								  localkey,
 								  remotekey,
-								  &htlc->rhash);
+								  &htlc->rhash,
+								  local_revocation_key);
 		}
 		sign_tx_input(htlc_tx[i], 0,
 			      NULL,
@@ -271,13 +273,15 @@ static void report_htlcs(const struct bitcoin_tx *tx,
 			htlc_timeout_tx_add_witness(htlc_tx[i],
 						    localkey, remotekey,
 						    &htlc->rhash,
+						    local_revocation_key,
 						    &localsig, &remotesig[i]);
 		} else {
 			htlc_success_tx_add_witness(htlc_tx[i],
 						    &htlc->expiry,
 						    localkey, remotekey,
 						    &localsig, &remotesig[i],
-						    htlc->r);
+						    htlc->r,
+						    local_revocation_key);
 		}
 		printf("output htlc_%s_tx %"PRIu64": %s\n",
 		       htlc_owner(htlc) == LOCAL ? "timeout" : "success",