#include #include #include #include #include #include #include #include #include /* BOLT #3: * * The 48-bit commitment number is obscured by `XOR` with the lower 48 bits of: * * SHA256(payment_basepoint from open_channel || payment_basepoint from accept_channel) */ u64 commit_number_obscurer(const struct pubkey *opener_payment_basepoint, const struct pubkey *accepter_payment_basepoint) { u8 ders[PUBKEY_CMPR_LEN * 2]; struct sha256 sha; be64 obscurer = 0; pubkey_to_der(ders, opener_payment_basepoint); pubkey_to_der(ders + PUBKEY_CMPR_LEN, accepter_payment_basepoint); sha256(&sha, ders, sizeof(ders)); /* Lower 48 bits */ memcpy((u8 *)&obscurer + 2, sha.u.u8 + sizeof(sha.u.u8) - 6, 6); return be64_to_cpu(obscurer); } bool try_subtract_fee(enum side opener, enum side side, struct amount_sat base_fee, struct amount_msat *self, struct amount_msat *other) { struct amount_msat *opener_amount; if (opener == side) opener_amount = self; else opener_amount = other; if (amount_msat_sub_sat(opener_amount, *opener_amount, base_fee)) return true; *opener_amount = AMOUNT_MSAT(0); return false; } u8 *to_self_wscript(const tal_t *ctx, u16 to_self_delay, u32 csv, const struct keyset *keyset) { return bitcoin_wscript_to_local(ctx, to_self_delay, csv, &keyset->self_revocation_key, &keyset->self_delayed_payment_key); } void tx_add_anchor_output(struct bitcoin_tx *tx, const struct pubkey *funding_key) { u8 *wscript = bitcoin_wscript_anchor(tmpctx, funding_key); u8 *p2wsh = scriptpubkey_p2wsh(tmpctx, wscript); /* BOLT #3: * The amount of the output is fixed at 330 sats, the default * dust limit for P2WSH. */ bitcoin_tx_add_output(tx, p2wsh, wscript, AMOUNT_SAT(330)); } struct bitcoin_tx *initial_commit_tx(const tal_t *ctx, const struct bitcoin_txid *funding_txid, unsigned int funding_txout, struct amount_sat funding, const struct pubkey funding_key[NUM_SIDES], enum side opener, u16 to_self_delay, const struct keyset *keyset, u32 feerate_per_kw, struct amount_sat dust_limit, struct amount_msat self_pay, struct amount_msat other_pay, struct amount_sat self_reserve, u64 obscured_commitment_number, struct wally_tx_output *direct_outputs[NUM_SIDES], enum side side, u32 csv_lock, bool option_anchor_outputs, char** err_reason) { struct amount_sat base_fee; struct bitcoin_tx *tx; size_t n, untrimmed; bool to_local, to_remote; struct amount_msat total_pay; struct amount_sat amount; enum side lessor = !opener; u32 sequence; void *dummy_local = (void *)LOCAL, *dummy_remote = (void *)REMOTE; const void *output_order[NUM_SIDES]; const u8 *funding_wscript = bitcoin_redeem_2of2(tmpctx, &funding_key[LOCAL], &funding_key[REMOTE]); if (!amount_msat_add(&total_pay, self_pay, other_pay)) abort(); assert(!amount_msat_greater_sat(total_pay, funding)); /* BOLT #3: * * 1. Calculate which committed HTLCs need to be trimmed (see * [Trimmed Outputs](#trimmed-outputs)). */ untrimmed = 0; /* BOLT #3: * * 2. Calculate the base [commitment transaction * fee](#fee-calculation). */ base_fee = commit_tx_base_fee(feerate_per_kw, untrimmed, option_anchor_outputs); /* BOLT: * If `option_anchor_outputs` applies to the commitment * transaction, also subtract two times the fixed anchor size * of 330 sats from the funder (either `to_local` or * `to_remote`). */ if (option_anchor_outputs && !amount_sat_add(&base_fee, base_fee, AMOUNT_SAT(660))) { *err_reason = "Funder cannot afford anchor outputs"; return NULL; } /* BOLT #3: * * 3. Subtract this base fee from the funder (either `to_local` or * `to_remote`). * If `option_anchor_outputs` applies to the commitment transaction, * also subtract two times the fixed anchor size of 330 sats from the * funder (either `to_local` or `to_remote`). */ if (!try_subtract_fee(opener, side, base_fee, &self_pay, &other_pay)) { /* BOLT #2: * * The receiving node MUST fail the channel if: *... * - it considers `feerate_per_kw` too small for timely * processing or unreasonably large. */ *err_reason = "Funder cannot afford fee on initial commitment transaction"; status_unusual("Funder cannot afford fee" " on initial commitment transaction"); return NULL; } /* FIXME, should be in #2: * * The receiving node MUST fail the channel if: *... * - both `to_local` and `to_remote` amounts for the initial * commitment transaction are less than or equal to * `channel_reserve_satoshis`. */ if (!amount_msat_greater_sat(self_pay, self_reserve) && !amount_msat_greater_sat(other_pay, self_reserve)) { *err_reason = "Neither self amount nor other amount exceed reserve on " "initial commitment transaction"; status_unusual("Neither self amount %s" " nor other amount %s" " exceed reserve %s" " on initial commitment transaction", type_to_string(tmpctx, struct amount_msat, &self_pay), type_to_string(tmpctx, struct amount_msat, &other_pay), type_to_string(tmpctx, struct amount_sat, &self_reserve)); return NULL; } /* Worst-case sizing: both to-local and to-remote outputs + anchors. */ tx = bitcoin_tx(ctx, chainparams, 1, untrimmed + 4, 0); /* This could be done in a single loop, but we follow the BOLT * literally to make comments in test vectors clearer. */ n = 0; /* BOLT #3: * * 4. For every offered HTLC, if it is not trimmed, add an * [offered HTLC output](#offered-htlc-outputs). */ /* BOLT #3: * * 5. For every received HTLC, if it is not trimmed, add an * [received HTLC output](#received-htlc-outputs). */ /* BOLT #3: * * 6. If the `to_local` amount is greater or equal to * `dust_limit_satoshis`, add a [`to_local` * output](#to_local-output). */ if (amount_msat_greater_eq_sat(self_pay, dust_limit)) { u8 *wscript = to_self_wscript(tmpctx, to_self_delay, side == lessor ? csv_lock : 0, keyset); amount = amount_msat_to_sat_round_down(self_pay); int pos = bitcoin_tx_add_output( tx, scriptpubkey_p2wsh(tx, wscript), wscript, amount); assert(pos == n); output_order[n] = dummy_local; n++; to_local = true; } else to_local = false; /* BOLT #3: * * 7. If the `to_remote` amount is greater or equal to * `dust_limit_satoshis`, add a [`to_remote` * output](#to_remote-output). */ if (amount_msat_greater_eq_sat(other_pay, dust_limit)) { /* BOLT #3: * * If `option_anchor_outputs` applies to the commitment * transaction, the `to_remote` output is encumbered by a one * block csv lock. * OP_CHECKSIGVERIFY 1 OP_CHECKSEQUENCEVERIFY * *... * Otherwise, this output is a simple P2WPKH to `remotepubkey`. */ u8 *scriptpubkey; int pos; amount = amount_msat_to_sat_round_down(other_pay); if (option_anchor_outputs) { const u8 *redeem = anchor_to_remote_redeem(tmpctx, &keyset->other_payment_key, (!side) == lessor ? csv_lock : 1); scriptpubkey = scriptpubkey_p2wsh(tmpctx, redeem); } else { scriptpubkey = scriptpubkey_p2wpkh(tmpctx, &keyset->other_payment_key); } pos = bitcoin_tx_add_output(tx, scriptpubkey, NULL, amount); assert(pos == n); output_order[n] = dummy_remote; n++; to_remote = true; } else to_remote = false; /* BOLT #3: * 8. If `option_anchor_outputs` applies to the commitment transaction: * * if `to_local` exists or there are untrimmed HTLCs, add a * [`to_local_anchor` output]... * * if `to_remote` exists or there are untrimmed HTLCs, add a * [`to_remote_anchor` output] */ if (option_anchor_outputs) { if (to_local || untrimmed != 0) { tx_add_anchor_output(tx, &funding_key[side]); output_order[n] = NULL; n++; } if (to_remote || untrimmed != 0) { tx_add_anchor_output(tx, &funding_key[!side]); output_order[n] = NULL; n++; } } assert(n <= tx->wtx->num_outputs); /* BOLT #3: * * 9. Sort the outputs into [BIP 69+CLTV * order](#transaction-input-and-output-ordering) */ permute_outputs(tx, NULL, output_order); /* BOLT #3: * * ## Commitment Transaction * * * version: 2 */ assert(tx->wtx->version == 2); /* BOLT #3: * * * locktime: upper 8 bits are 0x20, lower 24 bits are the * lower 24 bits of the obscured commitment number */ bitcoin_tx_set_locktime(tx, (0x20000000 | (obscured_commitment_number & 0xFFFFFF))); /* BOLT #3: * * * txin count: 1 * * `txin[0]` outpoint: `txid` and `output_index` from * `funding_created` message * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number * * `txin[0]` script bytes: 0 */ sequence = (0x80000000 | ((obscured_commitment_number>>24) & 0xFFFFFF)); bitcoin_tx_add_input(tx, funding_txid, funding_txout, sequence, NULL, funding, NULL, funding_wscript); if (direct_outputs != NULL) { direct_outputs[LOCAL] = direct_outputs[REMOTE] = NULL; for (size_t i = 0; i < tx->wtx->num_outputs; i++) { if (output_order[i] == dummy_local) direct_outputs[LOCAL] = &tx->wtx->outputs[i]; else if (output_order[i] == dummy_remote) direct_outputs[REMOTE] = &tx->wtx->outputs[i]; } } /* This doesn't reorder outputs, so we can do this after mapping outputs. */ bitcoin_tx_finalize(tx); assert(bitcoin_tx_check(tx)); return tx; }