#include #include #include #include #include #include #include #ifndef SUPERVERBOSE #define SUPERVERBOSE(...) #endif /* BOLT #3: * * The 48-bit commitment transaction number is obscured by `XOR` with * the lower 48 bits of: * * SHA256(payment-basepoint from open_channel || payment-basepoint from accept_channel) */ u64 commit_number_obscurer(const struct pubkey *opener_payment_basepoint, const struct pubkey *accepter_payment_basepoint) { u8 ders[PUBKEY_DER_LEN * 2]; struct sha256 sha; be64 obscurer = 0; pubkey_to_der(ders, opener_payment_basepoint); pubkey_to_der(ders + PUBKEY_DER_LEN, accepter_payment_basepoint); sha256(&sha, ders, sizeof(ders)); /* Lower 48 bits */ memcpy((u8 *)&obscurer + 2, sha.u.u8 + sizeof(sha.u.u8) - 6, 6); return be64_to_cpu(obscurer); } static void subtract_fee(enum side funder, enum side side, u64 base_fee_msat, u64 *self_msat, u64 *other_msat) { u64 *funder_msat; if (funder == side) funder_msat = self_msat; else funder_msat = other_msat; if (*funder_msat >= base_fee_msat) *funder_msat -= base_fee_msat; else *funder_msat = 0; } u64 htlc_timeout_fee(u64 feerate_per_kw) { /* BOLT #3: * * The fee for an HTLC-timeout transaction MUST BE calculated to match: * * 1. Multiply `feerate-per-kw` by 635 and divide by 1000 (rounding * down). */ return feerate_per_kw * 635 / 1000; } u64 htlc_success_fee(u64 feerate_per_kw) { /* BOLT #3: * * The fee for an HTLC-success transaction MUST BE calculated to match: * * 1. Multiply `feerate-per-kw` by 673 and divide by 1000 (rounding * down). */ return feerate_per_kw * 673 / 1000; } static bool trim(const struct htlc *htlc, u64 feerate_per_kw, u64 dust_limit_satoshis, enum side side) { u64 htlc_fee; /* BOLT #3: * * For every offered HTLC, if the HTLC amount minus the HTLC-timeout * fee would be less than `dust-limit-satoshis` set by the transaction * owner, the commitment transaction MUST NOT contain that output, * otherwise it MUST be generated as specified in [Offered HTLC * Outputs](#offered-htlc-outputs). */ if (htlc_owner(htlc) == side) htlc_fee = htlc_timeout_fee(feerate_per_kw); /* BOLT #3: * * For every received HTLC, if the HTLC amount minus the HTLC-success * fee would be less than `dust-limit-satoshis` set by the transaction * owner, the commitment transaction MUST NOT contain that output, * otherwise it MUST be generated as specified in [Received HTLC * Outputs](#received-htlc-outputs). */ else htlc_fee = htlc_success_fee(feerate_per_kw); return htlc->msatoshi / 1000 < dust_limit_satoshis + htlc_fee; } size_t commit_tx_num_untrimmed(const struct htlc **htlcs, u64 feerate_per_kw, u64 dust_limit_satoshis, enum side side) { size_t i, n; for (i = n = 0; i < tal_count(htlcs); i++) n += !trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side); return n; } u64 commit_tx_base_fee(u64 feerate_per_kw, size_t num_untrimmed_htlcs) { u64 weight; /* BOLT #3: * * The base fee for a commitment transaction MUST BE * calculated to match: * * 1. Start with `weight` = 724. */ weight = 724; /* BOLT #3: * * 2. For each committed HTLC, if that output is not trimmed * as specified in [Trimmed Outputs](#trimmed-outputs), add * 172 to `weight`. */ weight += 172 * num_untrimmed_htlcs; /* BOLT #3: * * 3. Multiply `feerate-per-kw` by `weight`, divide by 1000 * (rounding down). */ return feerate_per_kw * weight / 1000; } static void add_offered_htlc_out(struct bitcoin_tx *tx, size_t n, const struct htlc *htlc, const struct pubkey *selfkey, const struct pubkey *otherkey) { u8 *wscript = bitcoin_wscript_htlc_offer(tx, selfkey, otherkey, &htlc->rhash); tx->output[n].amount = htlc->msatoshi / 1000; tx->output[n].script = scriptpubkey_p2wsh(tx, wscript); SUPERVERBOSE("# HTLC %"PRIu64" offered amount %"PRIu64" wscript %s\n", htlc->id, tx->output[n].amount, tal_hex(wscript, wscript)); tal_free(wscript); } static void add_received_htlc_out(struct bitcoin_tx *tx, size_t n, const struct htlc *htlc, const struct pubkey *selfkey, const struct pubkey *otherkey) { u8 *wscript = bitcoin_wscript_htlc_receive(tx, &htlc->expiry, selfkey, otherkey, &htlc->rhash); tx->output[n].amount = htlc->msatoshi / 1000; tx->output[n].script = scriptpubkey_p2wsh(tx->output, wscript); SUPERVERBOSE("# HTLC %"PRIu64" received amount %"PRIu64" wscript %s\n", htlc->id, tx->output[n].amount, tal_hex(wscript, wscript)); tal_free(wscript); } struct bitcoin_tx *commit_tx(const tal_t *ctx, const struct sha256_double *funding_txid, unsigned int funding_txout, u64 funding_satoshis, enum side funder, u16 to_self_delay, const struct pubkey *revocation_pubkey, const struct pubkey *self_delayedkey, const struct pubkey *selfkey, const struct pubkey *otherkey, u64 feerate_per_kw, u64 dust_limit_satoshis, u64 self_pay_msat, u64 other_pay_msat, const struct htlc **htlcs, const struct htlc ***htlcmap, u64 obscured_commitment_number, enum side side) { const tal_t *tmpctx = tal_tmpctx(ctx); u64 base_fee_msat; struct bitcoin_tx *tx; size_t i, n, untrimmed; assert(self_pay_msat + other_pay_msat <= funding_satoshis * 1000); /* BOLT #3: * * 1. Calculate which committed HTLCs need to be trimmed (see * [Trimmed Outputs](#trimmed-outputs)). */ untrimmed = commit_tx_num_untrimmed(htlcs, feerate_per_kw, dust_limit_satoshis, side); /* BOLT #3: * * 2. Calculate the base [commitment transaction * fee](#fee-calculation). */ base_fee_msat = commit_tx_base_fee(feerate_per_kw, untrimmed) * 1000; SUPERVERBOSE("# base commitment transaction fee = %"PRIu64"\n", base_fee_msat / 1000); /* BOLT #3: * * 3. Subtract this base fee from the funder (either `to-local` or * `to-remote`), with a floor of zero (see [Fee Payment](#fee-payment)). */ subtract_fee(funder, side, base_fee_msat, &self_pay_msat, &other_pay_msat); /* Worst-case sizing: both to-local and to-remote outputs. */ tx = bitcoin_tx(ctx, 1, untrimmed + 2); /* We keep track of which outputs have which HTLCs */ *htlcmap = tal_arr(tx, const struct htlc *, tal_count(tx->output)); /* This could be done in a single loop, but we follow the BOLT * literally to make comments in test vectors clearer. */ n = 0; /* BOLT #3: * * 3. For every offered HTLC, if it is not trimmed, add an * [offered HTLC output](#offered-htlc-outputs). */ for (i = 0; i < tal_count(htlcs); i++) { if (htlc_owner(htlcs[i]) != side) continue; if (trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side)) continue; add_offered_htlc_out(tx, n, htlcs[i], selfkey, otherkey); (*htlcmap)[n++] = htlcs[i]; } /* BOLT #3: * * 4. For every received HTLC, if it is not trimmed, add an * [received HTLC output](#received-htlc-outputs). */ for (i = 0; i < tal_count(htlcs); i++) { if (htlc_owner(htlcs[i]) == side) continue; if (trim(htlcs[i], feerate_per_kw, dust_limit_satoshis, side)) continue; add_received_htlc_out(tx, n, htlcs[i],selfkey, otherkey); (*htlcmap)[n++] = htlcs[i]; } /* BOLT #3: * * 5. If the `to-local` amount is greater or equal to * `dust-limit-satoshis`, add a [To-Local * Output](#to-local-output). */ if (self_pay_msat / 1000 >= dust_limit_satoshis) { u8 *wscript = bitcoin_wscript_to_local(tmpctx, to_self_delay, revocation_pubkey, self_delayedkey); tx->output[n].amount = self_pay_msat / 1000; tx->output[n].script = scriptpubkey_p2wsh(tx, wscript); (*htlcmap)[n] = NULL; SUPERVERBOSE("# to-local amount %"PRIu64" wscript %s\n", tx->output[n].amount, tal_hex(tmpctx, wscript)); n++; } /* BOLT #3: * * 6. If the `to-remote` amount is greater or equal to * `dust-limit-satoshis`, add a [To-Remote * Output](#to-remote-output). */ if (other_pay_msat / 1000 >= dust_limit_satoshis) { /* BOLT #3: * * #### To-Remote Output * * This output sends funds to the other peer, thus is a simple * P2WPKH to `remotekey`. */ tx->output[n].amount = other_pay_msat / 1000; tx->output[n].script = scriptpubkey_p2wpkh(tx, otherkey); (*htlcmap)[n] = NULL; SUPERVERBOSE("# to-remote amount %"PRIu64" P2WPKH(%s)\n", tx->output[n].amount, type_to_string(tmpctx, struct pubkey, otherkey)); n++; } assert(n <= tal_count(tx->output)); tal_resize(&tx->output, n); tal_resize(htlcmap, n); /* BOLT #3: * * 7. Sort the outputs into [BIP 69 * order](#transaction-input-and-output-ordering) */ permute_outputs(tx->output, tal_count(tx->output), (const void **)*htlcmap); /* BOLT #3: * * ## Commitment Transaction * * * version: 2 */ assert(tx->version == 2); /* BOLT #3: * * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower * 24 bits of the obscured commitment transaction number. */ tx->lock_time = (0x20000000 | (obscured_commitment_number & 0xFFFFFF)); /* BOLT #3: * * * txin count: 1 * * `txin[0]` outpoint: `txid` and `output_index` from * `funding_created` message */ tx->input[0].txid = *funding_txid; tx->input[0].index = funding_txout; /* BOLT #3: * * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are * upper 24 bits of the obscured commitment transaction number. */ tx->input[0].sequence_number = (0x80000000 | ((obscured_commitment_number>>24) & 0xFFFFFF)); /* Input amount needed for signature code. */ tx->input[0].amount = tal_dup(tx->input, u64, &funding_satoshis); tal_free(tmpctx); return tx; }