bitcoin/signature: implement SIGHASH_SINGLE|SIGHASH_ANYONECANPAY for segwit.

option_simplified_commitment wants this for HTLC txs.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

bitcoin/signature.c

@@ -88,19 +88,19 @@ void sign_hash(const struct privkey *privkey,
 	assert(ok);
 }
 
-/* Only does SIGHASH_ALL */
 static void sha256_tx_one_input(const struct bitcoin_tx *tx,
 				size_t input_num,
 				const u8 *script,
 				const u8 *witness_script,
+				enum sighash_type sighash_type,
 				struct sha256_double *hash)
 {
 	assert(input_num < tal_count(tx->input));
 
-	sha256_tx_for_sig(hash, tx, input_num, script, witness_script);
+	sha256_tx_for_sig(hash, tx, input_num, script, witness_script,
+			  sighash_type);
 }
 
-/* Only does SIGHASH_ALL */
 void sign_tx_input(const struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript,
@@ -113,7 +113,8 @@ void sign_tx_input(const struct bitcoin_tx *tx,
 
 	assert(sighash_type_valid(sighash_type));
 	sig->sighash_type = sighash_type;
-	sha256_tx_one_input(tx, in, subscript, witness_script, &hash);
+	sha256_tx_one_input(tx, in, subscript, witness_script,
+			    sighash_type, &hash);
 	dump_tx("Signing", tx, in, subscript, key, &hash);
 	sign_hash(privkey, &hash, &sig->s);
 }
@@ -139,10 +140,17 @@ bool check_tx_sig(const struct bitcoin_tx *tx, size_t input_num,
 	struct sha256_double hash;
 	bool ret;
 
-	assert(sig->sighash_type == SIGHASH_ALL);
+	/* We only support a limited subset of sighash types. */
+	if (sig->sighash_type != SIGHASH_ALL) {
+		if (!witness_script)
+			return false;
+		if (sig->sighash_type != (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY))
+			return false;
+	}
 	assert(input_num < tal_count(tx->input));
 
-	sha256_tx_one_input(tx, input_num, redeemscript, witness_script, &hash);
+	sha256_tx_one_input(tx, input_num, redeemscript, witness_script,
+			    sig->sighash_type, &hash);
 
 	ret = check_signed_hash(&hash, &sig->s, key);
 	if (!ret)

bitcoin/signature.h

@@ -18,10 +18,23 @@ enum sighash_type {
     SIGHASH_ANYONECANPAY = 0x80
 };
 
+#define SIGHASH_MASK 0x7F
+
+static inline bool sighash_single(enum sighash_type sighash_type)
+{
+	return (sighash_type & SIGHASH_MASK) == SIGHASH_SINGLE;
+}
+
+static inline bool sighash_anyonecanpay(enum sighash_type sighash_type)
+{
+	return (sighash_type & SIGHASH_ANYONECANPAY) == SIGHASH_ANYONECANPAY;
+}
+
 /* We only support a limited range of sighash_type */
 static inline bool sighash_type_valid(const enum sighash_type sighash_type)
 {
-	return sighash_type == SIGHASH_ALL;
+	return sighash_type == SIGHASH_ALL
+		|| sighash_type == (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY);
 }
 
 /**

bitcoin/tx.c

@@ -13,6 +13,8 @@
 
 #define SEGREGATED_WITNESS_FLAG 0x1
 
+static struct sha256_double all_zeroes;
+
 static void push_tx_input(const struct bitcoin_tx_input *input,
 			  const u8 *input_script,
 			  void (*push)(const void *, size_t, void *), void *pushp)
@@ -81,11 +83,15 @@ static void push_witnesses(const struct bitcoin_tx *tx,
 
 /* For signing, we ignore input scripts on other inputs, and pretend
  * the current input has a certain script: this is indicated by a
- * non-NULL override_script, and setting override_script_index to the
+ * non-NULL override_script.
- * input number to replace. */
+ *
+ * For this (and other signing weirdness like SIGHASH_SINGLE), we
+ * also need the current input being signed; that's in input_num.
+ * We also need sighash_type.
+ */
 static void push_tx(const struct bitcoin_tx *tx,
 		    const u8 *override_script,
-		    size_t override_script_index,
+		    size_t input_num,
 		    void (*push)(const void *, size_t, void *), void *pushp,
 		    bool bip144)
 {
@@ -112,7 +118,7 @@ static void push_tx(const struct bitcoin_tx *tx,
 	for (i = 0; i < tal_count(tx->input); i++) {
 		const u8 *input_script = tx->input[i].script;
 		if (override_script) {
-			if (override_script_index == i)
+			if (input_num == i)
 				input_script = override_script;
 			else
 				input_script = NULL;
@@ -136,14 +142,21 @@ static void push_sha(const void *data, size_t len, void *shactx_)
 	sha256_update(ctx, memcheck(data, len), len);
 }
 
-static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx)
+static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx,
+			  enum sighash_type sighash_type)
 {
 	struct sha256_ctx ctx;
 	size_t i;
 
 	/* BIP143: If the ANYONECANPAY flag is not set, hashPrevouts is the
 	 * double SHA256 of the serialization of all input
-	 * outpoints */
+	 * outpoints; Otherwise, hashPrevouts is a uint256 of 0x0000......0000.
+	 */
+	if (sighash_anyonecanpay(sighash_type)) {
+		*h = all_zeroes;
+		return;
+	}
+
 	sha256_init(&ctx);
 	for (i = 0; i < tal_count(tx->input); i++) {
 		push_sha(&tx->input[i].txid, sizeof(tx->input[i].txid), &ctx);
@@ -152,14 +165,21 @@ static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx)
 	sha256_double_done(&ctx, h);
 }
 
-static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx)
+static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx,
+			  enum sighash_type sighash_type)
 {
 	struct sha256_ctx ctx;
 	size_t i;
 
-	/* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type
+	/* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type is
-	 * is set, hashSequence is the double SHA256 of the serialization
+	 * set, hashSequence is the double SHA256 of the serialization of
-	 * of nSequence of all inputs */
+	 * nSequence of all inputs; Otherwise, hashSequence is a uint256 of
+	 * 0x0000......0000. */
+	if (sighash_anyonecanpay(sighash_type) || sighash_single(sighash_type)) {
+		*h = all_zeroes;
+		return;
+	}
+
 	sha256_init(&ctx);
 	for (i = 0; i < tal_count(tx->input); i++)
 		push_le32(tx->input[i].sequence_number, push_sha, &ctx);
@@ -167,17 +187,23 @@ static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx)
 	sha256_double_done(&ctx, h);
 }
 
-/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the
+/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the double
- * double SHA256 of the serialization of all output value (8-byte
+ * SHA256 of the serialization of all output value (8-byte little endian) with
- * little endian) with scriptPubKey (varInt for the length +
+ * scriptPubKey (varInt for the length + script); If sighash type is SINGLE
- * script); */
+ * and the input index is smaller than the number of outputs, hashOutputs is
-static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx)
+ * the double SHA256 of the output amount with scriptPubKey of the same index
+ * as the input; */
+static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx,
+			 enum sighash_type sighash_type, unsigned int input_num)
 {
 	struct sha256_ctx ctx;
 	size_t i;
 
 	sha256_init(&ctx);
 	for (i = 0; i < tal_count(tx->output); i++) {
+		if (sighash_single(sighash_type) && i != input_num)
+			continue;
+
 		push_le64(tx->output[i].amount, push_sha, &ctx);
 		push_varint_blob(tx->output[i].script, push_sha, &ctx);
 	}
@@ -188,7 +214,8 @@ static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx)
 static void hash_for_segwit(struct sha256_ctx *ctx,
 			    const struct bitcoin_tx *tx,
 			    unsigned int input_num,
-			    const u8 *witness_script)
+			    const u8 *witness_script,
+			    enum sighash_type sighash_type)
 {
 	struct sha256_double h;
 
@@ -200,11 +227,11 @@ static void hash_for_segwit(struct sha256_ctx *ctx,
 	push_le32(tx->version, push_sha, ctx);
 
 	/*     2. hashPrevouts (32-byte hash) */
-	hash_prevouts(&h, tx);
+	hash_prevouts(&h, tx, sighash_type);
 	push_sha(&h, sizeof(h), ctx);
 
 	/*     3. hashSequence (32-byte hash) */
-	hash_sequence(&h, tx);
+	hash_sequence(&h, tx, sighash_type);
 	push_sha(&h, sizeof(h), ctx);
 
 	/*     4. outpoint (32-byte hash + 4-byte little endian)  */
@@ -222,7 +249,7 @@ static void hash_for_segwit(struct sha256_ctx *ctx,
 	push_le32(tx->input[input_num].sequence_number, push_sha, ctx);
 
 	/*     8. hashOutputs (32-byte hash) */
-	hash_outputs(&h, tx);
+	hash_outputs(&h, tx, sighash_type, input_num);
 	push_sha(&h, sizeof(h), ctx);
 
 	/*     9. nLocktime of the transaction (4-byte little endian) */
@@ -232,21 +259,28 @@ static void hash_for_segwit(struct sha256_ctx *ctx,
 void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
 		       unsigned int input_num,
 		       const u8 *script,
-		       const u8 *witness_script)
+		       const u8 *witness_script,
+		       enum sighash_type sighash_type)
 {
 	struct sha256_ctx ctx = SHA256_INIT;
 
 	assert(input_num < tal_count(tx->input));
 
 	if (witness_script) {
+		/* Only implemented and tested these two! */
+		assert(sighash_type == SIGHASH_ALL
+		       || sighash_type == (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY));
 		/* BIP143 hashing if OP_CHECKSIG is inside witness. */
-		hash_for_segwit(&ctx, tx, input_num, witness_script);
+		hash_for_segwit(&ctx, tx, input_num, witness_script,
+				sighash_type);
 	} else {
+		/* Never implemented anything else for old scheme. */
+		assert(sighash_type == SIGHASH_ALL);
 		/* Otherwise signature hashing never includes witness. */
 		push_tx(tx, script, input_num, push_sha, &ctx, false);
 	}
 
-	sha256_le32(&ctx, SIGHASH_ALL);
+	sha256_le32(&ctx, sighash_type);
 	sha256_double_done(&ctx, h);
 }
 

bitcoin/tx.h

@@ -43,11 +43,13 @@ struct bitcoin_tx_input {
 /* SHA256^2 the tx: simpler than sha256_tx */
 void bitcoin_txid(const struct bitcoin_tx *tx, struct bitcoin_txid *txid);
 
-/* Useful for signature code. */
+/* Useful for signature code.  Only supports SIGHASH_ALL and
+ * (for segwit) SIGHASH_SINGLE|SIGHASH_ANYONECANPAY. */
 void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
 		       unsigned int input_num,
 		       const u8 *script,
-		       const u8 *witness_script);
+		       const u8 *witness_script,
+		       enum sighash_type sighash_type);
 
 /* Linear bytes of tx. */
 u8 *linearize_tx(const tal_t *ctx, const struct bitcoin_tx *tx);