bitcoin/signature: BIP143 signature support.

We hand in the witness_script: if non-NULL, we use BIP143-style
signature hash creation.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

bitcoin/signature.c

@@ -91,6 +91,7 @@ void sign_hash(secp256k1_context *secpctx,
 static void sha256_tx_one_input(struct bitcoin_tx *tx,
 				size_t input_num,
 				const u8 *script, size_t script_len,
+				const u8 *witness_script,
 				struct sha256_double *hash)
 {
 	size_t i;
@@ -104,7 +105,7 @@ static void sha256_tx_one_input(struct bitcoin_tx *tx,
 	tx->input[input_num].script_length = script_len;
 	tx->input[input_num].script = cast_const(u8 *, script);
 
-	sha256_tx_for_sig(hash, tx, input_num, SIGHASH_ALL);
+	sha256_tx_for_sig(hash, tx, input_num, SIGHASH_ALL, witness_script);
 
 	/* Reset it for next time. */
 	tx->input[input_num].script_length = 0;
@@ -116,12 +117,14 @@ void sign_tx_input(secp256k1_context *secpctx,
 		   struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript, size_t subscript_len,
+		   const u8 *witness_script,
 		   const struct privkey *privkey, const struct pubkey *key,
 		   struct signature *sig)
 {
 	struct sha256_double hash;
 
-	sha256_tx_one_input(tx, in, subscript, subscript_len, &hash);
+	sha256_tx_one_input(tx, in, subscript, subscript_len, witness_script,
+			    &hash);
 	dump_tx("Signing", tx, in, subscript, subscript_len, key, &hash);
 	sign_hash(secpctx, privkey, &hash, sig);
 }
@@ -142,6 +145,7 @@ bool check_signed_hash(secp256k1_context *secpctx,
 bool check_tx_sig(secp256k1_context *secpctx,
 		  struct bitcoin_tx *tx, size_t input_num,
 		  const u8 *redeemscript, size_t redeemscript_len,
+		  const u8 *witness_script,
 		  const struct pubkey *key,
 		  const struct bitcoin_signature *sig)
 {
@@ -151,7 +155,7 @@ bool check_tx_sig(secp256k1_context *secpctx,
 	assert(input_num < tx->input_count);
 
 	sha256_tx_one_input(tx, input_num, redeemscript, redeemscript_len,
-			    &hash);
+			    witness_script, &hash);
 
 	/* We only use SIGHASH_ALL for the moment. */
 	if (sig->stype != SIGHASH_ALL)
@@ -167,6 +171,7 @@ bool check_tx_sig(secp256k1_context *secpctx,
 bool check_2of2_sig(secp256k1_context *secpctx,
 		    struct bitcoin_tx *tx, size_t input_num,
 		    const u8 *redeemscript, size_t redeemscript_len,
+		    const u8 *witness,
 		    const struct pubkey *key1, const struct pubkey *key2,
 		    const struct bitcoin_signature *sig1,
 		    const struct bitcoin_signature *sig2)
@@ -175,7 +180,7 @@ bool check_2of2_sig(secp256k1_context *secpctx,
 	assert(input_num < tx->input_count);
 
 	sha256_tx_one_input(tx, input_num, redeemscript, redeemscript_len,
-			    &hash);
+			    witness, &hash);
 
 	/* We only use SIGHASH_ALL for the moment. */
 	if (sig1->stype != SIGHASH_ALL || sig2->stype != SIGHASH_ALL)

bitcoin/signature.h

@@ -39,6 +39,7 @@ void sign_tx_input(secp256k1_context *secpctx,
 		   struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript, size_t subscript_len,
+		   const u8 *witness,
 		   const struct privkey *privkey, const struct pubkey *pubkey,
 		   struct signature *sig);
 
@@ -46,12 +47,14 @@ void sign_tx_input(secp256k1_context *secpctx,
 bool check_tx_sig(secp256k1_context *secpctx,
 		  struct bitcoin_tx *tx, size_t input_num,
 		  const u8 *redeemscript, size_t redeemscript_len,
+		  const u8 *witness,
 		  const struct pubkey *key,
 		  const struct bitcoin_signature *sig);
 
 bool check_2of2_sig(secp256k1_context *secpctx,
 		    struct bitcoin_tx *tx, size_t input_num,
 		    const u8 *redeemscript, size_t redeemscript_len,
+		    const u8 *witness,
 		    const struct pubkey *key1, const struct pubkey *key2,
 		    const struct bitcoin_signature *sig1,
 		    const struct bitcoin_signature *sig2);

bitcoin/tx.c

@@ -171,8 +171,104 @@ static void add_sha(const void *data, size_t len, void *shactx_)
 	sha256_update(ctx, memcheck(data, len), len);
 }
 
+static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx)
+{
+	struct sha256_ctx ctx;
+	size_t i;
+
+	/* BIP143: If the ANYONECANPAY flag is not set, hashPrevouts is the
+	 * double SHA256 of the serialization of all input
+	 * outpoints */
+	sha256_init(&ctx);
+	for (i = 0; i < tx->input_count; i++) {
+		add_sha(&tx->input[i].txid, sizeof(tx->input[i].txid), &ctx);
+		add_le32(tx->input[i].index, add_sha, &ctx);
+	}
+	sha256_double_done(&ctx, h);
+}
+	
+static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx)
+{
+	struct sha256_ctx ctx;
+	size_t i;
+
+	/* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type
+	 * is set, hashSequence is the double SHA256 of the serialization
+	 * of nSequence of all inputs */
+	sha256_init(&ctx);
+	for (i = 0; i < tx->input_count; i++)
+		add_le32(tx->input[i].sequence_number, add_sha, &ctx);
+
+	sha256_double_done(&ctx, h);
+}
+
+/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the
+ * double SHA256 of the serialization of all output value (8-byte
+ * little endian) with scriptPubKey (varInt for the length +
+ * script); */
+static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx)
+{
+	struct sha256_ctx ctx;
+	size_t i;
+
+	sha256_init(&ctx);
+	for (i = 0; i < tx->output_count; i++) {
+		add_le64(tx->output[i].amount, add_sha, &ctx);
+		add_varint_blob(tx->output[i].script,
+				tx->output[i].script_length,
+				add_sha, &ctx);
+	}
+	
+	sha256_double_done(&ctx, h);
+}
+
+static void hash_for_segwit(struct sha256_ctx *ctx,
+			    const struct bitcoin_tx *tx,
+			    unsigned int input_num,
+			    const u8 *witness_script)
+{
+	struct sha256_double h;
+
+	/* BIP143:
+	 *
+	 * Double SHA256 of the serialization of:
+	 *     1. nVersion of the transaction (4-byte little endian)
+	 */
+	add_le32(tx->version, add_sha, ctx);
+
+	/*     2. hashPrevouts (32-byte hash) */
+	hash_prevouts(&h, tx);
+	add_sha(&h, sizeof(h), ctx);
+
+	/*     3. hashSequence (32-byte hash) */
+	hash_sequence(&h, tx);
+	add_sha(&h, sizeof(h), ctx);
+
+	/*     4. outpoint (32-byte hash + 4-byte little endian)  */
+	add_sha(&tx->input[input_num].txid, sizeof(tx->input[input_num].txid),
+		ctx);
+	add_le32(tx->input[input_num].index, add_sha, ctx);
+
+	/*     5. scriptCode of the input (varInt for the length + script) */
+	add_varint_blob(witness_script, tal_count(witness_script), add_sha, ctx);
+
+	/*     6. value of the output spent by this input (8-byte little end) */
+	add_le64(*tx->input[input_num].amount, add_sha, ctx);
+
+	/*     7. nSequence of the input (4-byte little endian) */
+	add_le32(tx->input[input_num].sequence_number, add_sha, ctx);
+
+	/*     8. hashOutputs (32-byte hash) */
+	hash_outputs(&h, tx);
+	add_sha(&h, sizeof(h), ctx);
+
+	/*     9. nLocktime of the transaction (4-byte little endian) */
+	add_le32(tx->lock_time, add_sha, ctx);
+}
+
 void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
-		       unsigned int input_num, enum sighash_type stype)
+		       unsigned int input_num, enum sighash_type stype,
+		       const u8 *witness_script)
 {
 	size_t i;
 	struct sha256_ctx ctx = SHA256_INIT;
@@ -185,7 +281,14 @@ void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
 	for (i = 0; i < tx->input_count; i++)
 		if (i != input_num)
 			assert(tx->input[i].script_length == 0);
-	add_tx(tx, add_sha, &ctx, false);
+
+	if (witness_script) {
+		/* BIP143 hashing if OP_CHECKSIG is inside witness. */
+		hash_for_segwit(&ctx, tx, input_num, witness_script);
+	} else {
+		/* Otherwise signature hashing never includes witness. */
+		add_tx(tx, add_sha, &ctx, false);
+	}
 
 	sha256_le32(&ctx, stype);
 	sha256_double_done(&ctx, h);

bitcoin/tx.h

@@ -45,7 +45,8 @@ void bitcoin_txid(const struct bitcoin_tx *tx, struct sha256_double *txid);
 
 /* Useful for signature code. */
 void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
-		       unsigned int input_num, enum sighash_type stype);
+		       unsigned int input_num, enum sighash_type stype,
+		       const u8 *witness_script);
 
 /* Linear bytes of tx. */
 u8 *linearize_tx(const tal_t *ctx, const struct bitcoin_tx *tx);

daemon/packets.c

@@ -487,6 +487,7 @@ static Pkt *check_and_save_commit_sig(struct peer *peer,
 			  ci->tx, 0,
 			  peer->anchor.redeemscript,
 			  tal_count(peer->anchor.redeemscript),
+			  NULL,
 			  &peer->them.commitkey,
 			  ci->sig))
 		return pkt_err(peer, "Bad signature");
@@ -806,6 +807,7 @@ Pkt *accept_pkt_close_sig(struct peer *peer, const Pkt *pkt, bool *acked,
 	if (!check_tx_sig(peer->dstate->secpctx, close_tx, 0,
 			  peer->anchor.redeemscript,
 			  tal_count(peer->anchor.redeemscript),
+			  NULL,
 			  &peer->them.commitkey, &theirsig))
 		return pkt_err(peer, "Invalid signature");
 

daemon/secrets.c

@@ -50,6 +50,7 @@ void peer_sign_theircommit(const struct peer *peer,
 		      commit, 0,
 		      peer->anchor.redeemscript,
 		      tal_count(peer->anchor.redeemscript),
+		      NULL,
 		      &peer->secrets->commit,
 		      &peer->us.commitkey,
 		      sig);
@@ -64,6 +65,7 @@ void peer_sign_ourcommit(const struct peer *peer,
 		      commit, 0,
 		      peer->anchor.redeemscript,
 		      tal_count(peer->anchor.redeemscript),
+		      NULL,
 		      &peer->secrets->commit,
 		      &peer->us.commitkey,
 		      sig);
@@ -79,6 +81,7 @@ void peer_sign_spend(const struct peer *peer,
 		      spend, 0,
 		      commit_redeemscript,
 		      tal_count(commit_redeemscript),
+		      NULL,
 		      &peer->secrets->final,
 		      &peer->us.finalkey,
 		      sig);
@@ -92,6 +95,7 @@ void peer_sign_mutual_close(const struct peer *peer,
 		      close, 0,
 		      peer->anchor.redeemscript,
 		      tal_count(peer->anchor.redeemscript),
+		      NULL,
 		      &peer->secrets->commit,
 		      &peer->us.commitkey,
 		      sig);