core-lightning/onchaind/onchain.c
Rusty Russell f1e4cad9d4 feerate: use u32 everywhere.
The wire protocol uses this, on the assumption that we'll never see feerates
in excess of 4294967 satoshi per kiloweight.

So let's use that consistently internally as well.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2017-11-23 12:40:32 +01:00


#include <bitcoin/script.h>
#include <ccan/crypto/shachain/shachain.h>
#include <ccan/mem/mem.h>
#include <ccan/structeq/structeq.h>
#include <ccan/tal/str/str.h>
#include <common/debug.h>
#include <common/derive_basepoints.h>
#include <common/htlc_tx.h>
#include <common/initial_commit_tx.h>
#include <common/key_derive.h>
#include <common/keyset.h>
#include <common/status.h>
#include <common/type_to_string.h>
#include <common/utils.h>
#include <common/version.h>
#include <errno.h>
#include <inttypes.h>
#include <lightningd/peer_state.h>
#include <onchaind/gen_onchain_wire.h>
#include <onchaind/onchain_types.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <wire/wire_sync.h>
#include "gen_onchain_types_names.h"
/* stdin == requests: all traffic to and from the master daemon goes over this fd. */
#define REQ_FD STDIN_FILENO

/* Required in various places: keys for commitment transaction.
 * Assigned (through a non-const alias) once the commitment being handled
 * is known; read-only everywhere else. */
static const struct keyset *keyset;

/* The feerate to use when we generate transactions
 * (satoshi per kiloweight; u32 to match the wire protocol). */
static u32 feerate_per_kw;

/* The dust limit to use when we generate transactions: an output that would
 * end up below this (after fee) is dropped instead of being created. */
static u64 dust_limit_satoshis;

/* The CSV delays for each side, indexed by enum side (LOCAL/REMOTE). */
static u32 to_self_delay[NUM_SIDES];

/* Where we send money to (our wallet): every sweep pays a p2wpkh to this key. */
static struct pubkey our_wallet_pubkey;

/* Private keys for spending HTLC outputs via HTLC txs, delayed, and directly. */
static struct privkey htlc_privkey, delayed_payment_privkey, payment_privkey;

/* Private keys for spending HTLC for penalty (only if they cheated).
 * A pointer, so presumably NULL unless a revoked commitment is being
 * handled; it is set outside this part of the file. */
static struct privkey *revocation_privkey;

/* one value is useful for a few witness scripts (the trailing "1" of a
 * `<revocationsig> 1` penalty witness) */
static const u8 ONE = 0x1;

/* When to tell master about HTLCs which are missing/timed out
 * (BOLT #5's "reasonable depth"). */
static u32 reasonable_depth;

/* The messages to send at that depth.  Appended to by note_missing_htlcs()
 * and flushed, then freed, once the commitment tx reaches reasonable_depth. */
static u8 **missing_htlc_msgs;
/* If we broadcast a tx, or need a delay to resolve the output.
 * Attached to a tracked_output as out->proposal and acted on by
 * proposal_meets_depth() once depth_required blocks have passed. */
struct proposed_resolution {
	/* This can be NULL if our proposal is to simply ignore it after depth */
	const struct bitcoin_tx *tx;
	/* Non-zero if this is CSV-delayed: blocks the spent tx must be deep
	 * before tx is broadcast (or the output is ignored). */
	u32 depth_required;
	/* What kind of transaction tx is (OUR_PENALTY_TX etc). */
	enum tx_type tx_type;
};
/* How it actually got resolved.  Attached as out->resolved; a NULL
 * out->resolved means the output is still unresolved. */
struct resolution {
	/* The transaction which spent (or, for SELF, "resolved") the output. */
	struct sha256_double txid;
	/* How deep txid currently is; updated by update_resolution_depth(). */
	unsigned int depth;
	/* What kind of transaction txid is. */
	enum tx_type tx_type;
};
/* One output we are watching on chain, from the commitment tx or from one
 * of our own HTLC txs.  Created by new_tracked_output(). */
struct tracked_output {
	/* What kind of transaction this output belongs to. */
	enum tx_type tx_type;
	/* The transaction containing the output, and its index in it. */
	struct sha256_double txid;
	/* Height of the block which contains txid. */
	u32 tx_blockheight;
	u32 outnum;
	/* Value of the output, in satoshi. */
	u64 satoshi;
	enum output_type output_type;

	/* If it is an HTLC, these are non-NULL */
	const struct htlc_stub *htlc;
	const u8 *wscript;

	/* If it's an HTLC off our unilateral, this is their sig for htlc_tx */
	const secp256k1_ecdsa_signature *remote_htlc_sig;

	/* Our proposed solution (if any) */
	struct proposed_resolution *proposal;

	/* If it is resolved. */
	struct resolution *resolved;
};
/* We use the same feerate for htlcs and commit transactions; we don't
 * record what it was, so we brute-force it.
 *
 * [min, max] is the range (in satoshi per kiloweight) still consistent
 * with everything we have seen: seeded by init_feerate_range() and
 * tightened by narrow_feerate_range() each time grind_feerate() finds a
 * matching signature.  Note this is file-scope but not static. */
struct {
	u32 min, max;
} feerate_range;
/* Seed feerate_range from the commitment tx: the fee it actually paid
 * bounds the feerate from above, but trimmed HTLCs mean we cannot bound
 * it from below, so min starts at 0. */
static void init_feerate_range(u64 funding_satoshi,
			       const struct bitcoin_tx *commit_tx)
{
	const size_t num_outputs = tal_count(commit_tx->output);
	u64 paid_out = 0;
	size_t untrimmed_bound;

	for (size_t n = 0; n < num_outputs; n++)
		paid_out += commit_tx->output[n].amount;
	/* Whatever the outputs didn't take is fee. */
	const u64 fee = funding_satoshi - paid_out;

	/* We don't know how many trimmed HTLCs there are, so they could
	 * be making fee entirely. */
	feerate_range.min = 0;

	/* But we can estimate the maximum fee rate:
	 *
	 *   fee = feerate_per_kw * (724 + 172 * num_untrimmed) / 1000;
	 *
	 * Every output beyond to-local/to-remote is at most an HTLC. */
	untrimmed_bound = num_outputs >= 2 ? num_outputs - 2 : 0;
	feerate_range.max = (fee + 999) * 1000
		/ (724 + 172 * untrimmed_bound);

	status_trace("Initial feerate %u to %u",
		     feerate_range.min, feerate_range.max);
}
/* A fee of @fee for a tx of weight @multiplier (fee = feerate * multiplier
 * / 1000) is consistent with a feerate band of +-999 weight-units of
 * rounding; intersect that band with feerate_range. */
static void narrow_feerate_range(u64 fee, u32 multiplier)
{
	const u32 upper = (fee + 999) * 1000 / multiplier;
	const u32 lower = fee < 999 ? 0 : (fee - 999) * 1000 / multiplier;

	status_trace("Fee %"PRIu64" gives feerate min/max %u/%u",
		     fee, lower, upper);

	/* Only ever tighten, never widen. */
	if (feerate_range.max > upper)
		feerate_range.max = upper;
	if (feerate_range.min < lower)
		feerate_range.min = lower;

	status_trace("Feerate now %u to %u",
		     feerate_range.min, feerate_range.max);
}
/* Find the feerate the peer used when signing @commit_tx (an HTLC tx whose
 * weight is @multiplier), by trying every candidate in feerate_range from
 * max downwards until @remotesig verifies.  On success output[0].amount is
 * left set for that fee, feerate_range is narrowed, and true is returned;
 * false means no feerate in the range matched. */
static bool grind_feerate(struct bitcoin_tx *commit_tx,
			  const secp256k1_ecdsa_signature *remotesig,
			  const u8 *wscript,
			  u64 multiplier)
{
	const u64 input_amount = *commit_tx->input[0].amount;
	u64 last_tried = UINT64_MAX;
	s64 rate = feerate_range.max;

	/* We're more likely to be near max, so walk downwards. */
	while (rate >= feerate_range.min) {
		const u64 fee = rate * multiplier / 1000;
		rate--;

		/* Can't pay more than the input; and different feerates
		 * often round to the same fee, so skip repeats. */
		if (fee > input_amount || fee == last_tried)
			continue;
		last_tried = fee;

		commit_tx->output[0].amount = input_amount - fee;
		if (check_tx_sig(commit_tx, 0, NULL, wscript,
				 &keyset->other_htlc_key, remotesig)) {
			narrow_feerate_range(fee, multiplier);
			return true;
		}
	}
	return false;
}
/* Human-readable name of @tx_type for log messages ("unknown" if it is
 * not in the generated enum_tx_type_names table). */
static const char *tx_type_name(enum tx_type tx_type)
{
	size_t idx = 0;

	while (enum_tx_type_names[idx].name) {
		if (enum_tx_type_names[idx].v == tx_type)
			return enum_tx_type_names[idx].name;
		idx++;
	}
	return "unknown";
}
/* Human-readable name of @output_type for log messages ("unknown" if it is
 * not in the generated enum_output_type_names table). */
static const char *output_type_name(enum output_type output_type)
{
	size_t idx = 0;

	while (enum_output_type_names[idx].name) {
		if (enum_output_type_names[idx].v == output_type)
			return enum_output_type_names[idx].name;
		idx++;
	}
	return "unknown";
}
/*
 * Build and sign a one-input, one-output transaction that sweeps @out to
 * our wallet (a p2wpkh to our_wallet_pubkey).
 *
 * This covers:
 * 1. to-us output spend (`<local_delayedsig> 0`)
 * 2. the their-commitment, our HTLC timeout case (`<remotehtlcsig> 0`),
 * 3. the their-commitment, our HTLC redeem case (`<remotehtlcsig> <payment_preimage>`)
 * 4. the their-revoked-commitment, to-local (`<revocation_sig> 1`)
 * 5. the their-revoked-commitment, htlc (`<revocation_sig> <revocationkey>`)
 *
 * @ctx: tal parent of the returned tx.
 * @out: the tracked output to spend (txid, outnum and satoshi are read).
 * @to_self_delay: used verbatim as input 0's nSequence.  NOTE: this
 *	parameter shadows the file-scope to_self_delay[] array.
 * @locktime: nLockTime for the tx (0 if none needed).
 * @elem, @elemsize: the single witness element pushed after the signature
 *	(NULL/0 for the "0" cases above).
 * @wscript: the witness script @out is locked to; it is signed over and
 *	appended to the witness.
 * @privkey, @pubkey: the key pair used to sign.
 *
 * Returns the signed tx, owned by @ctx.  If @out is worth less than the
 * dust limit plus fee, the output is removed entirely, so the returned tx
 * has no outputs.
 */
static struct bitcoin_tx *tx_to_us(const tal_t *ctx,
				   struct tracked_output *out,
				   u32 to_self_delay,
				   u32 locktime,
				   const void *elem, size_t elemsize,
				   const u8 *wscript,
				   const struct privkey *privkey,
				   const struct pubkey *pubkey)
{
	struct bitcoin_tx *tx;
	u64 fee;
	secp256k1_ecdsa_signature sig;

	tx = bitcoin_tx(ctx, 1, 1);
	tx->lock_time = locktime;
	tx->input[0].sequence_number = to_self_delay;
	tx->input[0].txid = out->txid;
	tx->input[0].index = out->outnum;
	/* The input amount is kept alongside the input (needed for the
	 * segwit sighash); tal_dup so it lives as long as the input. */
	tx->input[0].amount = tal_dup(tx->input, u64, &out->satoshi);
	tx->output[0].amount = out->satoshi;
	tx->output[0].script = scriptpubkey_p2wpkh(tx->output,
						   &our_wallet_pubkey);

	/* Fee at the global feerate.  The witness has not been attached yet,
	 * so its size is added by hand: worst-case sig is 73 bytes, plus the
	 * wscript; the remaining 1 + 3 + 0 terms are presumably the witness
	 * count/length prefixes and the element — confirm against
	 * measure_tx_cost() if this is ever retuned. */
	fee = feerate_per_kw * (measure_tx_cost(tx)
			       + 1 + 3 + 73 + 0 + tal_len(wscript))
		/ 1000;

	/* Result is trivial?  Just eliminate output.  (The tx then has no
	 * outputs at all: everything goes to fee.) */
	if (tx->output[0].amount < dust_limit_satoshis + fee)
		tal_resize(&tx->output, 0);
	else
		tx->output[0].amount -= fee;

	/* Sign after the output is final, since the signature commits to it. */
	sign_tx_input(tx, 0, NULL, wscript, privkey, pubkey, &sig);
	tx->input[0].witness = bitcoin_witness_sig_and_element(tx->input,
							       &sig,
							       elem, elemsize,
							       wscript);
	return tx;
}
/* Allocate a tracked_output for output @outnum of @txid, append it to
 * *@outs (which is tal_resize'd, so the caller's pointer may change) and
 * return it.  The new output starts with no proposal and unresolved.
 * @htlc, @wscript and @remote_htlc_sig are stored, not copied. */
static struct tracked_output *
new_tracked_output(struct tracked_output ***outs,
		   const struct sha256_double *txid,
		   u32 tx_blockheight,
		   enum tx_type tx_type,
		   u32 outnum,
		   u64 satoshi,
		   enum output_type output_type,
		   const struct htlc_stub *htlc,
		   const u8 *wscript,
		   const secp256k1_ecdsa_signature *remote_htlc_sig)
{
	const size_t slot = tal_count(*outs);
	struct tracked_output *tracked = tal(*outs, struct tracked_output);

	status_trace("Tracking output %u of %s: %s/%s",
		     outnum,
		     type_to_string(trc, struct sha256_double, txid),
		     tx_type_name(tx_type),
		     output_type_name(output_type));

	*tracked = (struct tracked_output){
		.tx_type = tx_type,
		.txid = *txid,
		.tx_blockheight = tx_blockheight,
		.outnum = outnum,
		.satoshi = satoshi,
		.output_type = output_type,
		.htlc = htlc,
		.wscript = wscript,
		.remote_htlc_sig = remote_htlc_sig,
		.proposal = NULL,
		.resolved = NULL,
	};

	tal_resize(outs, slot + 1);
	(*outs)[slot] = tracked;
	return tracked;
}
/* Mark @out resolved by doing nothing: the "resolving" tx is the one
 * containing the output itself, and its type is SELF. */
static void ignore_output(struct tracked_output *out)
{
	struct resolution *res;

	status_trace("Ignoring output %u of %s: %s/%s",
		     out->outnum,
		     type_to_string(trc, struct sha256_double, &out->txid),
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type));

	res = tal(out, struct resolution);
	res->txid = out->txid;
	res->depth = 0;
	res->tx_type = SELF;
	out->resolved = res;
}
/* The depth required by @out->proposal has been reached: either
 * broadcast the proposed tx via master, or (if the proposal has no tx)
 * simply mark the output ignored. */
static void proposal_meets_depth(struct tracked_output *out)
{
	const struct bitcoin_tx *proposed = out->proposal->tx;

	if (proposed) {
		status_trace("Broadcasting %s (%s) to resolve %s/%s",
			     tx_type_name(out->proposal->tx_type),
			     type_to_string(trc, struct bitcoin_tx, proposed),
			     tx_type_name(out->tx_type),
			     output_type_name(out->output_type));
		/* Master will tell us when it's in a block. */
		wire_sync_write(REQ_FD,
				take(towire_onchain_broadcast_tx(NULL,
								 proposed)));
		return;
	}

	/* We simply wanted to ignore it after some depth. */
	ignore_output(out);
}
/* Record that @out should be resolved by @tx (of type @tx_type) once the
 * tx containing @out is @depth_required deep; @tx may be NULL meaning
 * "ignore it at that depth".  Ownership of @tx moves to the proposal.
 * A depth of 0 is acted on immediately. */
static void propose_resolution(struct tracked_output *out,
			       const struct bitcoin_tx *tx,
			       unsigned int depth_required,
			       enum tx_type tx_type)
{
	struct proposed_resolution *prop;
	const char *desc = tx
		? type_to_string(trc, struct bitcoin_tx, tx)
		: "IGNORING";

	status_trace("Propose handling %s/%s by %s (%s) in %u blocks",
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type),
		     tx_type_name(tx_type),
		     desc,
		     depth_required);

	prop = tal(out, struct proposed_resolution);
	prop->tx = tal_steal(prop, tx);
	prop->depth_required = depth_required;
	prop->tx_type = tx_type;
	out->proposal = prop;

	if (!depth_required)
		proposal_meets_depth(out);
}
/* Like propose_resolution(), but the deadline is an absolute block
 * height: convert it to a depth relative to the block containing @out.
 * A height already in the past becomes depth 0 (i.e. act now). */
static void propose_resolution_at_block(struct tracked_output *out,
					const struct bitcoin_tx *tx,
					unsigned int block_required,
					enum tx_type tx_type)
{
	const u32 height = out->tx_blockheight;
	u32 blocks_to_wait = 0;

	if (block_required >= height)
		blocks_to_wait = block_required - height;

	propose_resolution(out, tx, blocks_to_wait, tx_type);
}
/* The simple case: if @txid is the tx we proposed for @out, mark @out
 * resolved by it and return true.  Returns false (leaving @out unresolved)
 * when we proposed nothing, or proposed a different tx. */
static bool resolved_by_proposal(struct tracked_output *out,
				 const struct sha256_double *txid)
{
	const struct bitcoin_tx *proposed = out->proposal->tx;
	struct resolution *res;

	/* A tx-less proposal (ignore) can't be what spent it. */
	if (proposed == NULL)
		return false;

	res = tal(out, struct resolution);
	out->resolved = res;
	bitcoin_txid(proposed, &res->txid);

	/* Somebody else's spend: undo and say so. */
	if (!structeq(&res->txid, txid)) {
		out->resolved = tal_free(out->resolved);
		return false;
	}

	status_trace("Resolved %s/%s by our proposal %s (%s)",
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type),
		     tx_type_name(out->proposal->tx_type),
		     type_to_string(trc, struct bitcoin_tx, proposed));

	res->depth = 0;
	res->tx_type = out->proposal->tx_type;
	return true;
}
/* Otherwise, we figure out what happened and then call this: @out was
 * resolved by @txid, a transaction of type @tx_type that is not ours. */
static void resolved_by_other(struct tracked_output *out,
			      const struct sha256_double *txid,
			      enum tx_type tx_type)
{
	struct resolution *res = tal(out, struct resolution);

	*res = (struct resolution){
		.txid = *txid,
		.depth = 0,
		.tx_type = tx_type,
	};
	out->resolved = res;

	status_trace("Resolved %s/%s by %s (%s)",
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type),
		     tx_type_name(tx_type),
		     type_to_string(trc, struct sha256_double, txid));
}
/* @out was spent by @tx, and we have no idea what @tx is: record it as
 * resolved by UNKNOWN_TXTYPE so we keep tracking its depth. */
static void unknown_spend(struct tracked_output *out,
			  const struct bitcoin_tx *tx)
{
	struct resolution *res = tal(out, struct resolution);

	bitcoin_txid(tx, &res->txid);
	res->depth = 0;
	res->tx_type = UNKNOWN_TXTYPE;
	out->resolved = res;

	/* FIXME: we need a louder warning! */
	status_trace("Unknown spend of %s/%s by %s",
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type),
		     type_to_string(trc, struct bitcoin_tx, tx));
}
/* Recover the 48-bit commitment number hidden in a commitment tx's
 * locktime and input sequence fields (BOLT #3).
 *
 * @tx: the commitment transaction.
 * @funder: which side funded the channel; that side's payment basepoint
 *	is passed first to commit_number_obscurer().
 * @local_payment_basepoint, @remote_payment_basepoint: the two sides'
 *	payment basepoints.
 *
 * Returns the unobscured commitment number.
 */
static u64 unmask_commit_number(const struct bitcoin_tx *tx,
				enum side funder,
				const struct pubkey *local_payment_basepoint,
				const struct pubkey *remote_payment_basepoint)
{
	u64 obscurer;
	const struct pubkey *keys[NUM_SIDES];

	/* Index by side so the funder's key is simply keys[funder]. */
	keys[LOCAL] = local_payment_basepoint;
	keys[REMOTE] = remote_payment_basepoint;

	/* BOLT #3:
	 *
	 * The 48-bit commitment transaction number is obscured by
	 * `XOR` with the lower 48 bits of...
	 */
	/* !funder assumes LOCAL/REMOTE are 0/1 — true of enum side as used
	 * throughout this file. */
	obscurer = commit_number_obscurer(keys[funder], keys[!funder]);

	/* BOLT #3:
	 *
	 * * locktime: upper 8 bits are 0x20, lower 24 bits are the
	 *   lower 24 bits of the obscured commitment transaction
	 *   number.
	 *...
	 * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits
	 *   are upper 24 bits of the obscured commitment
	 *   transaction number.
	 */
	/* Mask off the 0x20/0x80 marker bytes; the (u64) cast keeps the
	 * << 24 from overflowing a 32-bit sequence_number. */
	return ((tx->lock_time & 0x00FFFFFF)
		| (tx->input[0].sequence_number & (u64)0x00FFFFFF) << 24)
		^ obscurer;
}
/* True iff every output of @tx pays either our or their close
 * scriptpubkey, each matched at most once.  Any other output, or a
 * second output to the same script, means this is not a mutual close.
 * (A tx with no outputs trivially passes; presumably callers never pass
 * one.) */
static bool is_mutual_close(const struct bitcoin_tx *tx,
			    const u8 *local_scriptpubkey,
			    const u8 *remote_scriptpubkey)
{
	bool seen_local = false, seen_remote = false;
	const size_t num_outputs = tal_count(tx->output);

	for (size_t n = 0; n < num_outputs; n++) {
		const u8 *script = tx->output[n].script;

		/* To be paranoid, we only let each one match once. */
		if (!seen_local && scripteq(script, local_scriptpubkey))
			seen_local = true;
		else if (!seen_remote && scripteq(script, remote_scriptpubkey))
			seen_remote = true;
		else
			return false;
	}
	return true;
}
/* We only ever send out one commitment tx, so matching it is easy:
 * it's local iff @txid is the one we broadcast. */
static bool is_local_commitment(const struct sha256_double *txid,
				const struct sha256_double *our_broadcast_txid)
{
	const bool is_ours = structeq(txid, our_broadcast_txid);
	return is_ours;
}
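/* BOLT #5:
 *
 * Outputs which are *resolved* are considered *irrevocably resolved*
 * once their *resolving* transaction is included in a block at least 100
 * deep on the most-work blockchain.
 */
/* True iff every tracked output is irrevocably resolved, i.e. has a
 * resolving tx at least 100 deep.  This is the loop condition of
 * wait_for_resolved(): once it returns true onchaind reports to master
 * and stops watching.
 *
 * An output with no resolution yet (out->resolved == NULL) is not
 * resolved at all, let alone irrevocably, so it must keep us watching.
 * Skipping such outputs would let us exit as soon as the outputs which
 * *are* resolved reach depth 100, abandoning e.g. an HTLC output whose
 * cltv_expiry is more than 100 blocks past the commitment tx. */
static bool all_irrevocably_resolved(struct tracked_output **outs)
{
	for (size_t i = 0; i < tal_count(outs); i++) {
		if (!outs[i]->resolved)
			return false;
		if (outs[i]->resolved->depth < 100)
			return false;
	}
	return true;
}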
/* Tell master we no longer care about @tx or any of its outputs. */
static void unwatch_tx(const struct bitcoin_tx *tx)
{
	struct sha256_double txid;

	bitcoin_txid(tx, &txid);
	wire_sync_write(REQ_FD,
			take(towire_onchain_unwatch_tx(tx, &txid,
						       tal_count(tx->output))));
}
/* An HTLC output we offered has been spent by a fulfill: pull the payment
 * preimage out of the spending witness, check it, and tell master.
 *
 * @out: the tracked OUR_HTLC output that was spent; out->htlc->ripemd is
 *	the payment hash the preimage must match.
 * @tx: the spending transaction; only input 0's witness is inspected.
 *
 * Any malformed spend (unexpected witness layout, wrong preimage length,
 * preimage not matching the hash) is reported via status_failed(), which
 * is relied on not to return.
 */
static void handle_htlc_onchain_fulfill(struct tracked_output *out,
					const struct bitcoin_tx *tx)
{
	const u8 *witness_preimage;
	struct preimage preimage;
	struct sha256 sha;
	struct ripemd160 ripemd;

	/* Our HTLC, they filled (must be a HTLC-success tx). */
	if (out->tx_type == THEIR_UNILATERAL) {
		/* BOLT #3:
		 *
		 * ## HTLC-Timeout and HTLC-Success Transactions
		 *
		 * ... `txin[0]` witness stack: `0 <remotehtlcsig> <localhtlcsig>
		 * <payment_preimage>` for HTLC-Success
		 */
		/* Five elements including the wscript; preimage is index 3. */
		if (tal_count(tx->input[0].witness) != 5) /* +1 for wscript */
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "%s/%s spent with weird witness %zu",
				      tx_type_name(out->tx_type),
				      output_type_name(out->output_type),
				      tal_count(tx->input[0].witness));

		witness_preimage = tx->input[0].witness[3];
	} else if (out->tx_type == OUR_UNILATERAL) {
		/* BOLT #3:
		 *
		 * The remote node can redeem the HTLC with the witness:
		 *
		 *    <remotehtlcsig> <payment_preimage>
		 */
		/* Three elements including the wscript; preimage is index 1. */
		if (tal_count(tx->input[0].witness) != 3) /* +1 for wscript */
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "%s/%s spent with weird witness %zu",
				      tx_type_name(out->tx_type),
				      output_type_name(out->output_type),
				      tal_count(tx->input[0].witness));

		witness_preimage = tx->input[0].witness[1];
	} else
		/* Only reachable on a caller bug.  status_failed() must not
		 * return here, or witness_preimage is read uninitialised. */
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "onchain_fulfill for %s/%s?",
			      tx_type_name(out->tx_type),
			      output_type_name(out->output_type));

	/* Length check before the memcpy: never copy a witness element of
	 * the wrong size into the fixed-size preimage. */
	if (tal_len(witness_preimage) != sizeof(preimage))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "%s/%s spent with bad witness length %zu",
			      tx_type_name(out->tx_type),
			      output_type_name(out->output_type),
			      tal_len(witness_preimage));
	memcpy(&preimage, witness_preimage, sizeof(preimage));

	/* Verify the preimage actually hashes to this HTLC's payment hash
	 * before reporting it: a spend carrying a bogus element must not be
	 * able to feed master a "preimage" for out->htlc. */
	sha256(&sha, &preimage, sizeof(preimage));
	ripemd160(&ripemd, &sha, sizeof(sha));
	if (!structeq(&ripemd, &out->htlc->ripemd))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "%s/%s spent with bad preimage %s (ripemd not %s)",
			      tx_type_name(out->tx_type),
			      output_type_name(out->output_type),
			      type_to_string(trc, struct preimage, &preimage),
			      type_to_string(trc, struct ripemd160,
					     &out->htlc->ripemd));

	/* Tell master we found a preimage. */
	status_trace("%s/%s gave us preimage %s",
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type),
		     type_to_string(trc, struct preimage, &preimage));
	wire_sync_write(REQ_FD,
			take(towire_onchain_extracted_preimage(NULL,
							       &preimage)));
}
/* One of our own HTLC txs (success or timeout) has confirmed: start
 * tracking its single output and propose sweeping it to our wallet once
 * the CSV delay has passed.
 *
 * @outs: the tracked outputs array; a new entry is appended (so the
 *	caller's pointer may be reallocated).
 * @out_index: index in *@outs of the HTLC output this tx resolved; its
 *	resolution's tx_type (OUR_HTLC_SUCCESS_TX / OUR_HTLC_TIMEOUT_TX)
 *	becomes the new tracked output's tx_type.
 * @htlc_tx, @htlc_txid: the confirmed HTLC tx and its id.
 * @tx_blockheight: height of the block containing @htlc_tx.
 */
static void resolve_htlc_tx(struct tracked_output ***outs,
			    size_t out_index,
			    const struct bitcoin_tx *htlc_tx,
			    const struct sha256_double *htlc_txid,
			    u32 tx_blockheight)
{
	struct tracked_output *out;
	struct bitcoin_tx *tx;
	/* The HTLC tx output is the standard revocable-delayed script
	 * (ours to spend after to_self_delay, theirs via revocation). */
	u8 *wscript = bitcoin_wscript_htlc_tx(htlc_tx, to_self_delay[LOCAL],
					      &keyset->self_revocation_key,
					      &keyset->self_delayed_payment_key);

	/* BOLT #5:
	 *
	 * A node SHOULD resolve its own HTLC transaction output by spending
	 * it to a convenient address.  A node MUST wait until the
	 * `OP_CHECKSEQUENCEVERIFY` delay has passed (as specified by the
	 * other node's `open_channel` `to_self_delay` field) before spending
	 * the output.
	 */
	/* Output 0 of the HTLC tx; no htlc/wscript/remote sig attached
	 * since it is a plain delayed-to-us output. */
	out = new_tracked_output(outs, htlc_txid, tx_blockheight,
				 (*outs)[out_index]->resolved->tx_type,
				 0, htlc_tx->output[0].amount,
				 DELAYED_OUTPUT_TO_US,
				 NULL, NULL, NULL);

	/* BOLT #3:
	 *
	 * ## HTLC-Timeout and HTLC-Success Transactions
	 *
	 * These HTLC transactions are almost identical, except the
	 * HTLC-Timeout transaction is timelocked.
	 *
	 * ... to collect the output the local node uses an input with
	 * nSequence `to_self_delay` and a witness stack `<local_delayedsig>
	 * 0`
	 */
	/* NULL/0 elem gives the trailing "0" witness element. */
	tx = tx_to_us(*outs, out, to_self_delay[LOCAL], 0, NULL, 0,
		      wscript,
		      &delayed_payment_privkey,
		      &keyset->self_delayed_payment_key);

	/* Broadcast once the HTLC tx is to_self_delay deep. */
	propose_resolution(out, tx, to_self_delay[LOCAL],
			   OUR_DELAYED_RETURN_TO_WALLET);
}
/* BOLT #5:
 *
 * 5. _B's HTLC-timeout transaction_: The node MUST *resolve* this by
 *    spending using the revocation key.
 */
/* BOLT #5:
 *
 * 6. _B's HTLC-success transaction_: The node MUST *resolve* this by
 *    spending using the revocation key.  The node SHOULD extract
 *    the payment preimage from the transaction input witness if not
 *    already known.
 */
/* They spent a revoked-commitment HTLC output with an HTLC tx: propose a
 * penalty tx taking it all with the revocation key, right away. */
static void steal_htlc_tx(struct tracked_output *out)
{
	/* BOLT #3:
	 *
	 * To spend this via penalty, the remote node uses a witness stack
	 * `<revocationsig> 1`
	 */
	struct bitcoin_tx *penalty = tx_to_us(out, out, 0xFFFFFFFF, 0,
					      &ONE, sizeof(ONE),
					      out->wscript,
					      revocation_privkey,
					      &keyset->self_revocation_key);

	propose_resolution(out, penalty, 0, OUR_PENALTY_TX);
}
/* An output has been spent: see if it resolves something we care about.
 *
 * @outs: the tracked outputs; may be appended to (and thus reallocated)
 *	when the spend is one of our own HTLC txs.
 * @tx: the spending transaction, as reported by master.
 * @input_num: which input of @tx master says spent a watched output.
 *	It is used to index tx->input without a bounds check here, so it
 *	is presumably validated by master/fromwire upstream.
 * @tx_blockheight: height of the block containing @tx.
 *
 * Only the first unresolved tracked output matching the spent outpoint is
 * handled; if none matches we unwatch @tx entirely.
 */
static void output_spent(struct tracked_output ***outs,
			 const struct bitcoin_tx *tx,
			 u32 input_num,
			 u32 tx_blockheight)
{
	struct sha256_double txid;

	bitcoin_txid(tx, &txid);

	for (size_t i = 0; i < tal_count(*outs); i++) {
		struct tracked_output *out = (*outs)[i];
		if (out->resolved)
			continue;

		/* Match the spent outpoint (txid:outnum). */
		if (tx->input[input_num].index != out->outnum)
			continue;
		if (!structeq(&tx->input[input_num].txid, &out->txid))
			continue;

		/* Was this our resolution? */
		if (resolved_by_proposal(out, &txid)) {
			/* If it's our htlc tx, we need to resolve that, too. */
			if (out->resolved->tx_type == OUR_HTLC_SUCCESS_TX
			    || out->resolved->tx_type == OUR_HTLC_TIMEOUT_TX)
				resolve_htlc_tx(outs, i, tx, &txid,
						tx_blockheight);
			return;
		}

		/* Someone else spent it: what we do depends on the output. */
		switch (out->output_type) {
		case OUTPUT_TO_US:
		case DELAYED_OUTPUT_TO_US:
			/* Nobody else should be able to spend these. */
			unknown_spend(out, tx);
			break;

		case THEIR_HTLC:
			if (out->tx_type == THEIR_REVOKED_UNILATERAL) {
				steal_htlc_tx(out);
			} else {
				/* We ignore this timeout tx, since we should
				 * resolve by ignoring once we reach depth. */
			}
			break;

		case OUR_HTLC:
			/* The only way they can spend this: fulfill; even
			 * if it's revoked: */
			/* BOLT #5:
			 *
			 * 6. _B's HTLC-success transaction_: ... The node
			 *    SHOULD extract the payment preimage from the
			 *    transaction input witness if not already known.
			 */
			/* Preimage is verified against the HTLC hash before
			 * master hears about it. */
			handle_htlc_onchain_fulfill(out, tx);
			if (out->tx_type == THEIR_REVOKED_UNILATERAL)
				steal_htlc_tx(out);
			break;

		case FUNDING_OUTPUT:
			/* Master should be restarting us, as this implies
			 * that our old tx was unspent. */
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Funding output spent again!");
			/* status_failed() does not return, so this does not
			 * really fall through to the cases below. */

		/* Um, we don't track these! */
		case OUTPUT_TO_THEM:
		case DELAYED_OUTPUT_TO_THEM:
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Tracked spend of %s/%s?",
				      tx_type_name(out->tx_type),
				      output_type_name(out->output_type));
		}
		return;
	}

	/* Not interesting to us, so unwatch the tx and all its outputs */
	status_trace("Notified about tx %s output %u spend, but we don't care",
		     type_to_string(trc, struct sha256_double,
				    &tx->input[input_num].txid),
		     tx->input[input_num].index);
	unwatch_tx(tx);
}
/* The tx resolving @out is now @depth deep: record it, and if that tx is
 * one of our HTLC timeouts which has just crossed reasonable_depth, tell
 * master so it can fail the corresponding incoming HTLC. */
static void update_resolution_depth(struct tracked_output *out, u32 depth)
{
	struct resolution *res = out->resolved;
	const bool is_our_timeout = res->tx_type == OUR_HTLC_TIMEOUT_TX
		|| res->tx_type == OUR_HTLC_TIMEOUT_TO_US;
	/* Crossing the threshold happens exactly once, since depth only
	 * gets stored after this check. */
	const bool just_crossed = res->depth < reasonable_depth
		&& depth >= reasonable_depth;

	status_trace("%s/%s->%s depth %u",
		     tx_type_name(out->tx_type),
		     output_type_name(out->output_type),
		     tx_type_name(res->tx_type),
		     depth);

	/* BOLT #5:
	 *
	 * If the HTLC output has *timed out* and not been *resolved*,
	 * the node MUST *resolve* the output and MUST fail the
	 * corresponding incoming HTLC (if any) once the resolving
	 * transaction has reached reasonable depth. */
	if (is_our_timeout && just_crossed) {
		status_trace("%s/%s reached reasonable depth %u",
			     tx_type_name(out->tx_type),
			     output_type_name(out->output_type),
			     depth);
		wire_sync_write(REQ_FD,
				take(towire_onchain_htlc_timeout(out,
								 out->htlc)));
	}

	res->depth = depth;
}
/* Master reports that @txid is now @depth blocks deep.  Three things can
 * follow: the commitment tx reaching reasonable_depth flushes any queued
 * missing-HTLC messages; a tx that resolves an output updates that
 * output's depth; and a tx containing an output with a pending proposal
 * may now be deep enough for that proposal to fire. */
static void tx_new_depth(struct tracked_output **outs,
			 const struct sha256_double *txid, u32 depth)
{
	const size_t num_outs = tal_count(outs);

	/* Special handling for commitment tx reaching depth */
	if (structeq(&outs[0]->resolved->txid, txid)
	    && depth >= reasonable_depth
	    && missing_htlc_msgs) {
		const size_t num_msgs = tal_count(missing_htlc_msgs);

		status_trace("Sending %zu missing htlc messages", num_msgs);
		for (size_t m = 0; m < num_msgs; m++)
			wire_sync_write(REQ_FD, missing_htlc_msgs[m]);
		/* Don't do it again. */
		missing_htlc_msgs = tal_free(missing_htlc_msgs);
	}

	for (size_t n = 0; n < num_outs; n++) {
		struct tracked_output *o = outs[n];

		if (o->resolved) {
			/* Is this tx resolving an output? */
			if (structeq(&o->resolved->txid, txid))
				update_resolution_depth(o, depth);
		} else if (o->proposal
			   && structeq(&o->txid, txid)
			   && depth >= o->proposal->depth_required) {
			/* Something we have a pending resolution for,
			 * now deep enough to act on. */
			proposal_meets_depth(o);
		}
	}
}
/* BOLT #5:
 *
 * If the node receives (or already knows) a payment preimage for an
 * unresolved HTLC output it was offered for which it has committed to an
 * outgoing HTLC, it MUST *resolve* the output by spending it.  Otherwise, if
 * the other node is not irrevocably committed to the HTLC, it MUST NOT
 * *resolve* the output by spending it.
 */
/* Master makes sure we only get told preimages once other node is committed. */
/* Master has told us a payment preimage: find the THEIR_HTLC output(s)
 * whose payment hash it matches and propose spending them, either via
 * our HTLC-success tx (our commitment, we hold their sig) or straight
 * to our wallet (their commitment).
 *
 * @outs: the tracked outputs.
 * @preimage: the 32-byte preimage from master.
 *
 * NOTE(review): the "already resolved" branch below returns from the
 * whole function, so any later output with the same payment hash (the
 * duplicate-rhash case the comment further down mentions) is not
 * considered — confirm that is the intent.
 */
static void handle_preimage(struct tracked_output **outs,
			    const struct preimage *preimage)
{
	size_t i;
	struct sha256 sha;
	struct ripemd160 ripemd;

	/* Payment hash is RIPEMD160(SHA256(preimage)), as in htlc_stub. */
	sha256(&sha, preimage, sizeof(*preimage));
	ripemd160(&ripemd, &sha, sizeof(sha));

	for (i = 0; i < tal_count(outs); i++) {
		struct bitcoin_tx *tx;
		secp256k1_ecdsa_signature sig;

		if (outs[i]->output_type != THEIR_HTLC)
			continue;

		if (!structeq(&outs[i]->htlc->ripemd, &ripemd))
			continue;

		/* Too late? */
		if (outs[i]->resolved) {
			/* FIXME: We need a better warning method! */
			status_trace("WARNING: HTLC already resolved by %s"
				     " when we found preimage",
				     tx_type_name(outs[i]->resolved->tx_type));
			return;
		}

		/* Discard any previous resolution.  Could be a timeout,
		 * could be due to multiple identical rhashes in tx. */
		outs[i]->proposal = tal_free(outs[i]->proposal);

		/* BOLT #5:
		 *
		 * To spend an offered HTLC output: if the transaction is the
		 * node's own commitment transaction, then it MUST use the
		 * HTLC-success transaction, and the HTLC-success transaction
		 * output MUST be *resolved* as described in "On-chain HTLC
		 * Transaction Handling"
		 */
		/* Holding their signature means this is our commitment. */
		if (outs[i]->remote_htlc_sig) {
			/* satoshi * 1000: htlc_success_tx presumably takes
			 * the amount in millisatoshi. */
			tx = htlc_success_tx(outs[i], &outs[i]->txid,
					     outs[i]->outnum,
					     outs[i]->satoshi * 1000,
					     to_self_delay[LOCAL],
					     0,
					     keyset);

			/* BOLT #3:
			 *
			 * The fee for an HTLC-success transaction MUST BE
			 * calculated to match:
			 *
			 * 1. Multiply `feerate_per_kw` by 703 and divide by
			 *    1000 (rounding down).
			 */
			/* We don't know the feerate they signed at; grind
			 * until their sig verifies (703 = HTLC-success weight). */
			if (!grind_feerate(tx, outs[i]->remote_htlc_sig,
					   outs[i]->wscript, 703))
				status_failed(STATUS_FAIL_INTERNAL_ERROR,
					      "Could not find feerate for"
					      " signature on HTLC success"
					      " between %u and %u",
					      feerate_range.min,
					      feerate_range.max);

			sign_tx_input(tx, 0, NULL, outs[i]->wscript,
				      &htlc_privkey,
				      &keyset->self_htlc_key,
				      &sig);

			tx->input[0].witness
				= bitcoin_witness_htlc_success_tx(tx->input,
								  &sig,
								  outs[i]->remote_htlc_sig,
								  preimage,
								  outs[i]->wscript);
			propose_resolution(outs[i], tx, 0, OUR_HTLC_SUCCESS_TX);
		} else {
			/* BOLT #5:
			 *
			 * otherwise, it MUST spend the output to a convenient
			 * address.
			 */
			/* Witness is `<remotehtlcsig> <payment_preimage>`. */
			tx = tx_to_us(outs[i], outs[i], 0, 0,
				      preimage, sizeof(*preimage),
				      outs[i]->wscript,
				      &htlc_privkey,
				      &keyset->other_htlc_key);
			propose_resolution(outs[i], tx, 0,
					   THEIR_HTLC_FULFILL_TO_US);
		}
	}
}
/* BOLT #5:
 *
 * Once a node has broadcast a funding transaction or sent a commitment
 * signature for a commitment transaction which contains an HTLC output,
 * it MUST monitor the blockchain for transactions which spend any output
 * which is not *irrevocably resolved* until all outputs are *irrevocably
 * resolved*.
 */
/* Main loop: read events from master over REQ_FD (depth updates, spends,
 * known preimages) and dispatch them, until all_irrevocably_resolved()
 * says we are done; then tell master so.
 *
 * @outs: the tracked outputs.  output_spent() may append to the array,
 *	which is why it gets &outs and why outs is re-read each iteration.
 */
static void wait_for_resolved(struct tracked_output **outs)
{
	while (!all_irrevocably_resolved(outs)) {
		/* Blocking read of the next message from master. */
		u8 *msg = wire_sync_read(outs, REQ_FD);
		struct sha256_double txid;
		/* Allocated off msg so it is freed with it below. */
		struct bitcoin_tx *tx = tal(msg, struct bitcoin_tx);
		u32 input_num, depth, tx_blockheight;
		struct preimage preimage;

		status_trace("Got new message %s",
			     onchain_wire_type_name(fromwire_peektype(msg)));

		/* Try each message type in turn; the fromwire_* calls only
		 * succeed for their own type. */
		if (fromwire_onchain_depth(msg, NULL, &txid, &depth))
			tx_new_depth(outs, &txid, depth);
		else if (fromwire_onchain_spent(msg, NULL, tx, &input_num,
						&tx_blockheight))
			output_spent(&outs, tx, input_num, tx_blockheight);
		else if (fromwire_onchain_known_preimage(msg, NULL, &preimage))
			handle_preimage(outs, &preimage);
		else
			/* Anything else from master is a protocol error. */
			master_badmsg(-1, msg);

		tal_free(msg);
	}

	wire_sync_write(REQ_FD,
			take(towire_onchain_all_irrevocably_resolved(outs)));
}
/* Reply to master's init with the onchaind state we have determined. */
static void set_state(enum peer_state state)
{
	u8 *reply = towire_onchain_init_reply(NULL, state);

	wire_sync_write(REQ_FD, take(reply));
}
/* The funding output was spent by a mutual close @tx (@txid): nothing to
 * sweep, just record the resolution and wait for it to be buried. */
static void handle_mutual_close(const struct bitcoin_tx *tx,
				const struct sha256_double *txid,
				struct tracked_output **outs)
{
	struct tracked_output *funding = outs[0];

	set_state(ONCHAIND_MUTUAL);

	/* BOLT #5:
	 *
	 * A mutual close transaction *resolves* the funding transaction output.
	 *
	 * A node doesn't need to do anything else as it has already agreed to
	 * the output, which is sent to its specified `scriptpubkey`
	 */
	resolved_by_other(funding, txid, MUTUAL_CLOSE);

	wait_for_resolved(outs);
}
/* Build the witness script for every HTLC in @htlcs as it appears in the
 * commitment tx of @side: offered-HTLC scripts for HTLCs @side owns,
 * received-HTLC scripts (with the cltv_expiry locktime) for the rest.
 * Returns a tal array (parent @htlcs) parallel to @htlcs. */
static u8 **derive_htlc_scripts(const struct htlc_stub *htlcs, enum side side)
{
	const size_t num_htlcs = tal_count(htlcs);
	u8 **scripts = tal_arr(htlcs, u8 *, num_htlcs);

	for (size_t n = 0; n < num_htlcs; n++) {
		const struct htlc_stub *h = &htlcs[n];
		/* FIXME: remove abs_locktime */
		struct abs_locktime expiry;

		if (h->owner == side) {
			scripts[n] = htlc_offered_wscript(scripts,
							  &h->ripemd,
							  keyset);
			continue;
		}

		if (!blocks_to_abs_locktime(h->cltv_expiry, &expiry))
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Could not convert cltv_expiry %u to locktime",
				      h->cltv_expiry);
		scripts[n] = htlc_received_wscript(scripts,
						   &h->ripemd,
						   &expiry,
						   keyset);
	}
	return scripts;
}
/* An HTLC we offered, on our own commitment tx: build and sign our
 * HTLC-timeout tx (using the signature they gave us) and propose
 * broadcasting it once the HTLC's cltv_expiry height is reached.
 *
 * @out: the tracked OUR_HTLC output; out->remote_htlc_sig, out->wscript
 *	and out->htlc must be set.
 */
static void resolve_our_htlc_ourcommit(struct tracked_output *out)
{
	struct bitcoin_tx *tx;
	secp256k1_ecdsa_signature localsig;

	/* BOLT #5:
	 *
	 * # On-chain HTLC Output Handling: Our Offers
	 * ...
	 *
	 * If the HTLC output has *timed out* and not been *resolved*, the
	 * node MUST *resolve* the output and MUST fail the corresponding
	 * incoming HTLC (if any) once the resolving transaction has reached
	 * reasonable depth.  If the transaction is the node's
	 * own commitment transaction, it MUST *resolve* the output by
	 * spending it using the HTLC-timeout transaction, and the
	 * HTLC-timeout transaction output MUST be *resolved* as described in
	 * "On-chain HTLC Transaction Handling".
	 */
	/* satoshi * 1000: htlc_timeout_tx presumably takes millisatoshi. */
	tx = htlc_timeout_tx(out, &out->txid, out->outnum, out->satoshi * 1000,
			     out->htlc->cltv_expiry,
			     to_self_delay[LOCAL], 0, keyset);

	/* BOLT #3:
	 *
	 * The fee for an HTLC-timeout transaction MUST BE calculated to
	 * match:
	 *
	 * 1. Multiply `feerate_per_kw` by 663 and divide by 1000 (rounding
	 *    down).
	 */
	/* We don't know the feerate they signed at; grind until their sig
	 * verifies (663 = HTLC-timeout weight). */
	if (!grind_feerate(tx, out->remote_htlc_sig, out->wscript, 663))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Could not find feerate for signature on"
			      " HTLC timeout between %u and %u",
			      feerate_range.min, feerate_range.max);

	sign_tx_input(tx, 0, NULL, out->wscript, &htlc_privkey,
		      &keyset->self_htlc_key, &localsig);

	tx->input[0].witness
		= bitcoin_witness_htlc_timeout_tx(tx->input,
						  &localsig,
						  out->remote_htlc_sig,
						  out->wscript);

	/* The timeout tx is itself timelocked, so wait for cltv_expiry. */
	propose_resolution_at_block(out, tx, out->htlc->cltv_expiry,
				    OUR_HTLC_TIMEOUT_TO_US);
}
/* An HTLC we offered, on their commitment tx: once it times out we can
 * spend it straight to our wallet with `<remotehtlcsig> 0` (NULL elem),
 * using the HTLC's cltv_expiry as the tx locktime. */
static void resolve_our_htlc_theircommit(struct tracked_output *out)
{
	const u32 expiry = out->htlc->cltv_expiry;
	struct bitcoin_tx *sweep;

	/* BOLT #5:
	 *
	 * # On-chain HTLC Output Handling: Our Offers
	 * ...
	 *
	 * If the HTLC output has *timed out* and not been *resolved*, the
	 * node MUST *resolve* the output and MUST fail the corresponding
	 * incoming HTLC (if any) once the resolving transaction has reached
	 * reasonable depth.  If the transaction is the node's own commitment
	 * transaction, .... Otherwise it MUST resolve the output by spending
	 * it to a convenient address.
	 */
	sweep = tx_to_us(out, out, 0, expiry, NULL, 0,
			 out->wscript,
			 &htlc_privkey,
			 &keyset->other_htlc_key);

	propose_resolution_at_block(out, sweep, expiry,
				    OUR_HTLC_TIMEOUT_TO_US);
}
/* An HTLC they offered us, for which we know no preimage: there is
 * nothing to spend, so it resolves by itself once cltv_expiry passes. */
static void resolve_their_htlc(struct tracked_output *out)
{
	const u32 expiry = out->htlc->cltv_expiry;

	/* BOLT #5:
	 *
	 * # On-chain HTLC Output Handling: Their Offers
	 *
	 *...
	 * ## Requirements
	 *...
	 * If not otherwise resolved, once the HTLC output has expired, it is
	 * considered *irrevocably resolved*.
	 */
	/* NULL tx: if we hit timeout depth, resolve by ignoring. */
	propose_resolution_at_block(out, NULL, expiry,
				    THEIR_HTLC_TIMEOUT_TO_THEM);
}
/* Does output @outnum of @tx pay to one of @htlc_scripts (NULL entries
 * are skipped)?  A p2wsh scriptpubkey is `OP_0 PUSH32 <sha256(wscript)>`,
 * so compare the 32 bytes after the 2-byte prefix with each script's
 * hash.  Returns the matching index, or -1. */
static int match_htlc_output(const struct bitcoin_tx *tx,
			     unsigned int outnum,
			     u8 **htlc_scripts)
{
	const u8 *spk = tx->output[outnum].script;
	const size_t num_scripts = tal_count(htlc_scripts);

	/* Must be a p2wsh output */
	if (!is_p2wsh(spk, NULL))
		return -1;

	for (size_t n = 0; n < num_scripts; n++) {
		struct sha256 script_hash;

		if (htlc_scripts[n] == NULL)
			continue;

		sha256(&script_hash, htlc_scripts[n], tal_len(htlc_scripts[n]));
		if (memeq(spk + 2, tal_len(spk) - 2,
			  &script_hash, sizeof(script_hash)))
			return n;
	}
	return -1;
}
/* Tell master about any we didn't use, if it wants to know.
 *
 * @htlc_scripts: parallel to @htlcs; an entry is NULL once its HTLC was
 *	matched to a commitment output, so non-NULL means "missing".
 * @tell_if_missing / @tell_immediately: parallel flags from master.
 *	Messages not sent immediately are queued on missing_htlc_msgs and
 *	flushed once the commitment tx is reasonable_depth deep. */
static void note_missing_htlcs(u8 **htlc_scripts,
			       const struct htlc_stub *htlcs,
			       const bool *tell_if_missing,
			       const bool *tell_immediately)
{
	const size_t num_htlcs = tal_count(htlcs);

	for (size_t n = 0; n < num_htlcs; n++) {
		u8 *msg;

		/* Used, or master doesn't care: nothing to say. */
		if (!htlc_scripts[n] || !tell_if_missing[n])
			continue;

		msg = towire_onchain_missing_htlc_output(missing_htlc_msgs,
							 &htlcs[n]);
		if (tell_immediately[n]) {
			wire_sync_write(REQ_FD, take(msg));
			continue;
		}

		/* Queue it for later. */
		const size_t queued = tal_count(missing_htlc_msgs);
		tal_resize(&missing_htlc_msgs, queued + 1);
		missing_htlc_msgs[queued] = msg;
	}
}
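/* Our own commitment transaction hit the chain: classify every output and
 * propose how each one is resolved.
 *
 * @tx: our commitment transaction as mined.
 * @tx_blockheight: height of the block containing it.
 * @txid: its transaction id.
 * @secrets: our basepoint secrets, from which this commitment's delayed
 *           payment, payment and HTLC private keys are derived.
 * @shaseed: our per-commitment seed, used to recover the per-commitment
 *           point for @commit_num.
 * @remote_revocation_basepoint, @remote_payment_basepoint,
 * @local_payment_basepoint, @remote_htlc_basepoint, @local_htlc_basepoint,
 * @local_delayed_payment_basepoint: the channel basepoints.
 * @commit_num: the commitment number unmasked from the transaction.
 * @htlcs: the HTLCs the master believes this commitment carried.
 * @tell_if_missing / @tell_immediately: per-HTLC reporting flags for those
 *           with no output (see note_missing_htlcs()).
 * @remote_htlc_sigs: the peer's HTLC-transaction signatures, consumed one
 *           per HTLC output in output order.
 * @outs: tracked outputs; outs[0] is the funding output this tx spends.
 *
 * Side effects: sets the global keyset and the delayed_payment_privkey,
 * payment_privkey and htlc_privkey globals for this commitment.  Fails the
 * daemon (status_failed) on any output it cannot explain, and on more HTLC
 * outputs than remote signatures.  Ends in wait_for_resolved().
 */
static void handle_our_unilateral(const struct bitcoin_tx *tx,
				  u32 tx_blockheight,
				  const struct sha256_double *txid,
				  const struct secrets *secrets,
				  const struct sha256 *shaseed,
				  const struct pubkey *remote_revocation_basepoint,
				  const struct pubkey *remote_payment_basepoint,
				  const struct pubkey *local_payment_basepoint,
				  const struct pubkey *remote_htlc_basepoint,
				  const struct pubkey *local_htlc_basepoint,
				  const struct pubkey *local_delayed_payment_basepoint,
				  u64 commit_num,
				  const struct htlc_stub *htlcs,
				  const bool *tell_if_missing,
				  const bool *tell_immediately,
				  const secp256k1_ecdsa_signature *remote_htlc_sigs,
				  struct tracked_output **outs)
{
	const tal_t *tmpctx = tal_tmpctx(NULL);
	u8 **htlc_scripts;
	u8 *local_wscript, *script[NUM_SIDES];
	struct pubkey local_per_commitment_point;
	struct keyset *ks;
	size_t i;
	/* One remote signature per HTLC output: count how many we have
	 * consumed so we never read past the array the master sent us. */
	const size_t num_sigs = tal_count(remote_htlc_sigs);
	size_t sigs_used = 0;

	set_state(ONCHAIND_OUR_UNILATERAL);
	init_feerate_range(outs[0]->satoshi, tx);

	/* BOLT #5:
	 *
	 * There are two cases to consider here: in the first case, node A
	 * sees its own *commitment transaction*, in the second, it sees the
	 * node B's unrevoked *commitment transaction*.
	 *
	 * Either transaction *resolves* the funding transaction output.
	 */
	resolved_by_other(outs[0], txid, OUR_UNILATERAL);

	/* Figure out what delayed to-us output looks like */
	if (!per_commit_point(shaseed, &local_per_commitment_point, commit_num))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving local_per_commit_point for %"PRIu64,
			      commit_num);

	/* keyset is const, we need a non-const ptr to set it up */
	keyset = ks = tal(tx, struct keyset);
	/* This is our tx, so "self" in the keyset is us. */
	if (!derive_keyset(&local_per_commitment_point,
			   local_payment_basepoint,
			   remote_payment_basepoint,
			   local_htlc_basepoint,
			   remote_htlc_basepoint,
			   local_delayed_payment_basepoint,
			   remote_revocation_basepoint,
			   ks))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving keyset for %"PRIu64, commit_num);

	/* Only public keys are logged here. */
	status_trace("Deconstructing unilateral tx: %"PRIu64
		     " using keyset: "
		     " self_revocation_key: %s"
		     " self_delayed_payment_key: %s"
		     " self_payment_key: %s"
		     " other_payment_key: %s"
		     " self_htlc_key: %s"
		     " other_htlc_key: %s",
		     commit_num,
		     type_to_string(trc, struct pubkey,
				    &keyset->self_revocation_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_delayed_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->other_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_htlc_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->other_htlc_key));

	/* Private keys for this commitment: delayed (our main output),
	 * payment and HTLC.  They are globals used by the tx builders. */
	if (!derive_simple_privkey(&secrets->delayed_payment_basepoint_secret,
				   local_delayed_payment_basepoint,
				   &local_per_commitment_point,
				   &delayed_payment_privkey))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving delayed_payment_privkey for %"PRIu64,
			      commit_num);

	if (!derive_simple_privkey(&secrets->payment_basepoint_secret,
				   local_payment_basepoint,
				   &local_per_commitment_point,
				   &payment_privkey))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving payment_privkey for %"PRIu64,
			      commit_num);

	if (!derive_simple_privkey(&secrets->htlc_basepoint_secret,
				   local_htlc_basepoint,
				   &local_per_commitment_point,
				   &htlc_privkey))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving htlc_privkey for %"PRIu64,
			      commit_num);

	local_wscript = to_self_wscript(tmpctx, to_self_delay[LOCAL], keyset);

	/* Figure out what to-us output looks like. */
	script[LOCAL] = scriptpubkey_p2wsh(tmpctx, local_wscript);

	/* Figure out what direct to-them output looks like. */
	script[REMOTE] = scriptpubkey_p2wpkh(tmpctx, &keyset->other_payment_key);

	/* Calculate all the HTLC scripts so we can match them */
	htlc_scripts = derive_htlc_scripts(htlcs, LOCAL);

	status_trace("Script to-me: %u: %s (%s)",
		     to_self_delay[LOCAL],
		     tal_hex(trc, script[LOCAL]),
		     tal_hex(trc, local_wscript));
	status_trace("Script to-them: %s",
		     tal_hex(trc, script[REMOTE]));

	for (i = 0; i < tal_count(tx->output); i++) {
		status_trace("Output %zu: %s",
			     i, tal_hex(trc, tx->output[i].script));
	}

	/* BOLT #5:
	 *
	 * When node A sees its own *commitment transaction*:
	 *
	 * 1. _A's main output_:...
	 * 2. _B's main output_:...
	 * 3. _A's offered HTLCs_:...
	 * 4. _B's offered HTLCs_:...
	 */
	for (i = 0; i < tal_count(tx->output); i++) {
		struct tracked_output *out;
		int j;

		if (script[LOCAL]
		    && scripteq(tx->output[i].script, script[LOCAL])) {
			struct bitcoin_tx *to_us;
			/* BOLT #5:
			 *
			 * 1. _A's main output_: A node SHOULD spend this
			 *    output to a convenient address.
			 */
			out = new_tracked_output(&outs, txid, tx_blockheight,
						 OUR_UNILATERAL, i,
						 tx->output[i].amount,
						 DELAYED_OUTPUT_TO_US,
						 NULL, NULL, NULL);
			/* BOLT #3:
			 *
			 * It is spent by a transaction with `nSequence` field
			 * set to `to_self_delay` (which can only be valid
			 * after that duration has passed), and witness:
			 *
			 *	<local_delayedsig> 0
			 */
			to_us = tx_to_us(out, out, to_self_delay[LOCAL], 0,
					 NULL, 0,
					 local_wscript,
					 &delayed_payment_privkey,
					 &keyset->self_delayed_payment_key);

			/* BOLT #5:
			 *
			 * If the output is spent (as recommended), the output
			 * is *resolved* by the spending transaction */
			propose_resolution(out, to_us, to_self_delay[LOCAL],
					   OUR_DELAYED_RETURN_TO_WALLET);

			/* Only one main output each: stop matching it. */
			script[LOCAL] = NULL;
			continue;
		}
		if (script[REMOTE]
		    && scripteq(tx->output[i].script, script[REMOTE])) {
			/* BOLT #5:
			 *
			 * 2. _B's main output_: No action required, this
			 *    output is considered *resolved* by the
			 *    *commitment transaction* itself. */
			out = new_tracked_output(&outs, txid, tx_blockheight,
						 OUR_UNILATERAL, i,
						 tx->output[i].amount,
						 OUTPUT_TO_THEM,
						 NULL, NULL, NULL);
			ignore_output(out);
			script[REMOTE] = NULL;
			continue;
		}

		/* FIXME: limp along when this happens! */
		j = match_htlc_output(tx, i, htlc_scripts);
		if (j == -1)
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Could not find resolution for output %zu",
				      i);

		/* Each HTLC output consumes one of their signatures; running
		 * out means the master's view disagrees with the tx, so stop
		 * rather than hand out a pointer past the end of the array. */
		if (sigs_used == num_sigs)
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Output %zu is an HTLC but only %zu"
				      " remote htlc signatures were given",
				      i, num_sigs);

		if (htlcs[j].owner == LOCAL) {
			/* BOLT #5:
			 *
			 * 3. _A's offered HTLCs_: See "On-chain HTLC
			 *    Output Handling: Our Offers" below. */
			out = new_tracked_output(&outs, txid,
						 tx_blockheight,
						 OUR_UNILATERAL, i,
						 tx->output[i].amount,
						 OUR_HTLC,
						 &htlcs[j], htlc_scripts[j],
						 remote_htlc_sigs);
			resolve_our_htlc_ourcommit(out);
		} else {
			out = new_tracked_output(&outs, txid,
						 tx_blockheight,
						 OUR_UNILATERAL, i,
						 tx->output[i].amount,
						 THEIR_HTLC,
						 &htlcs[j],
						 htlc_scripts[j],
						 remote_htlc_sigs);
			/* BOLT #5:
			 *
			 * 4. _B's offered HTLCs_: See "On-chain HTLC
			 *    Output Handling: Their Offers" below. */
			resolve_their_htlc(out);
		}

		/* Each of these consumes one HTLC signature */
		remote_htlc_sigs++;
		sigs_used++;
		/* We've matched this HTLC, can't do again. */
		htlc_scripts[j] = NULL;
	}

	note_missing_htlcs(htlc_scripts, htlcs,
			   tell_if_missing, tell_immediately);
	wait_for_resolved(outs);

	tal_free(tmpctx);
}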
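/* We produce individual penalty txs. It's less efficient, but avoids them
 * using HTLC txs to block our penalties for long enough to pass the CSV
 * delay */

/* Propose a penalty transaction claiming the cheater's own (delayed) main
 * output of a revoked commitment, using the revocation key.
 *
 * @out: the tracked DELAYED_OUTPUT_TO_THEM output.
 *
 * Relies on the globals keyset, revocation_privkey and to_self_delay[REMOTE]
 * set up by handle_their_cheat().  The penalty tx is allocated off @out, as
 * steal_htlc() and handle_our_unilateral() do, so its lifetime is tied to
 * the output it resolves rather than to the temporary context below; only
 * the reconstructed witness script is temporary.
 */
static void steal_to_them_output(struct tracked_output *out)
{
	const tal_t *tmpctx = tal_tmpctx(NULL);
	u8 *wscript;
	struct bitcoin_tx *tx;

	/* BOLT #3:
	 *
	 * If a revoked commitment transaction is published, the other party
	 * can spend this output immediately with the following witness:
	 *
	 *    <revocation_sig> 1
	 */
	wscript = bitcoin_wscript_to_local(tmpctx, to_self_delay[REMOTE],
					   &keyset->self_revocation_key,
					   &keyset->self_delayed_payment_key);

	/* The `1` witness element takes the revocation branch of the
	 * script, which has no CSV delay: hence nSequence 0xFFFFFFFF and a
	 * proposal at depth 0. */
	tx = tx_to_us(out, out, 0xFFFFFFFF, 0,
		      &ONE, sizeof(ONE),
		      wscript,
		      revocation_privkey,
		      &keyset->self_revocation_key);

	propose_resolution(out, tx, 0, OUR_PENALTY_TX);
	tal_free(tmpctx);
}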
/* Propose a penalty transaction claiming an HTLC output (either direction)
 * of a revoked commitment directly with the revocation key.
 *
 * @out: the tracked HTLC output; out->wscript is the HTLC script it was
 *       matched against.
 *
 * Uses the globals keyset and revocation_privkey set by handle_their_cheat().
 */
static void steal_htlc(struct tracked_output *out)
{
	u8 revocation_key_der[PUBKEY_DER_LEN];

	/* BOLT #3:
	 *
	 * If a revoked commitment transaction is published, the remote node
	 * can spend this output immediately with the following witness:
	 *
	 *    <revocation_sig> <revocationkey>
	 */
	pubkey_to_der(revocation_key_der, &keyset->self_revocation_key);

	/* Pushing the revocation key selects the penalty branch of the HTLC
	 * script; there is no delay, so ask for it at depth 0. */
	propose_resolution(out,
			   tx_to_us(out, out, 0xFFFFFFFF, 0,
				    revocation_key_der,
				    sizeof(revocation_key_der),
				    out->wscript,
				    revocation_privkey,
				    &keyset->self_revocation_key),
			   0, OUR_PENALTY_TX);
}
/* BOLT #5:
*
* If a node tries to broadcast old state, we can use the revocation key to
* claim all the funds.
*/
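/* The peer published a commitment transaction we hold the revocation secret
 * for: claim every output we can with the revocation key.
 *
 * @tx: the revoked commitment transaction as mined.
 * @txid: its transaction id.
 * @tx_blockheight: height of the block containing it.
 * @revocation_preimage: the per-commitment secret the peer revealed for
 *           @commit_num (looked up in our shachain by the caller).
 * @secrets: our basepoint secrets (revocation_basepoint_secret is used).
 * @local_revocation_basepoint, @local_payment_basepoint,
 * @remote_payment_basepoint, @local_htlc_basepoint, @remote_htlc_basepoint,
 * @remote_delayed_payment_basepoint: the channel basepoints, in the order
 *           main() passes them (local then remote, matching
 *           handle_their_unilateral()).
 * @commit_num: the commitment number unmasked from the transaction.
 * @htlcs, @tell_if_missing, @tell_immediately: the HTLCs of that
 *           commitment and how to report any without an output.
 * @outs: tracked outputs; outs[0] is the funding output.
 *
 * The keyset is derived from the publisher's point of view: "self" is the
 * cheating peer and "other" is us, which is why the remote basepoints are
 * the self_* arguments to derive_keyset().  Side effects: sets the globals
 * keyset and revocation_privkey.  Items 5 and 6 of the BOLT #5 list below
 * concern HTLC transactions the peer may publish later and are not handled
 * in this function.  Ends in wait_for_resolved().
 */
static void handle_their_cheat(const struct bitcoin_tx *tx,
			       const struct sha256_double *txid,
			       u32 tx_blockheight,
			       const struct sha256 *revocation_preimage,
			       const struct secrets *secrets,
			       const struct pubkey *local_revocation_basepoint,
			       const struct pubkey *local_payment_basepoint,
			       const struct pubkey *remote_payment_basepoint,
			       const struct pubkey *local_htlc_basepoint,
			       const struct pubkey *remote_htlc_basepoint,
			       const struct pubkey *remote_delayed_payment_basepoint,
			       u64 commit_num,
			       const struct htlc_stub *htlcs,
			       const bool *tell_if_missing,
			       const bool *tell_immediately,
			       struct tracked_output **outs)
{
	const tal_t *tmpctx = tal_tmpctx(NULL);
	u8 **htlc_scripts;
	u8 *remote_wscript, *script[NUM_SIDES];
	struct keyset *ks;
	size_t i;
	struct secret per_commitment_secret;
	struct privkey per_commitment_privkey;
	struct pubkey per_commitment_point;

	set_state(ONCHAIND_CHEATED);
	init_feerate_range(outs[0]->satoshi, tx);

	/* BOLT #5:
	 *
	 * If a node sees a *commitment transaction* for which it has a
	 * revocation key, that *resolves* the funding transaction output.
	 */
	resolved_by_other(outs[0], txid, THEIR_REVOKED_UNILATERAL);

	/* The revealed per-commitment secret is both the scalar behind the
	 * peer's per-commitment point and an input to our revocation
	 * private key; copy it into both typed forms. */
	/* FIXME: Types. */
	BUILD_ASSERT(sizeof(per_commitment_secret)
		     == sizeof(*revocation_preimage));
	memcpy(&per_commitment_secret, revocation_preimage,
	       sizeof(per_commitment_secret));
	BUILD_ASSERT(sizeof(per_commitment_privkey)
		     == sizeof(*revocation_preimage));
	memcpy(&per_commitment_privkey, revocation_preimage,
	       sizeof(per_commitment_privkey));

	/* Do not print the secret itself on failure: the commitment number
	 * is enough to find it. */
	if (!pubkey_from_privkey(&per_commitment_privkey, &per_commitment_point))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Failed deriving per_commitment_point from"
			      " per_commitment_secret for %"PRIu64,
			      commit_num);

	/* Labels are from the publisher's (the peer's) point of view. */
	status_trace("Deriving keyset %"PRIu64
		     ": per_commit_point=%s"
		     " self_payment_basepoint=%s"
		     " other_payment_basepoint=%s"
		     " self_htlc_basepoint=%s"
		     " other_htlc_basepoint=%s"
		     " self_delayed_basepoint=%s"
		     " other_revocation_basepoint=%s",
		     commit_num,
		     type_to_string(trc, struct pubkey,
				    &per_commitment_point),
		     type_to_string(trc, struct pubkey,
				    remote_payment_basepoint),
		     type_to_string(trc, struct pubkey,
				    local_payment_basepoint),
		     type_to_string(trc, struct pubkey,
				    remote_htlc_basepoint),
		     type_to_string(trc, struct pubkey,
				    local_htlc_basepoint),
		     type_to_string(trc, struct pubkey,
				    remote_delayed_payment_basepoint),
		     type_to_string(trc, struct pubkey,
				    local_revocation_basepoint));

	/* keyset is const, we need a non-const ptr to set it up */
	keyset = ks = tal(tx, struct keyset);
	/* Same argument order as handle_their_unilateral(): the peer is
	 * "self", we are "other". */
	if (!derive_keyset(&per_commitment_point,
			   remote_payment_basepoint,
			   local_payment_basepoint,
			   remote_htlc_basepoint,
			   local_htlc_basepoint,
			   remote_delayed_payment_basepoint,
			   local_revocation_basepoint,
			   ks))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving keyset for %"PRIu64, commit_num);

	status_trace("Deconstructing revoked unilateral tx: %"PRIu64
		     " using keyset: "
		     " self_revocation_key: %s"
		     " self_delayed_payment_key: %s"
		     " self_payment_key: %s"
		     " other_payment_key: %s"
		     " self_htlc_key: %s"
		     " other_htlc_key: %s",
		     commit_num,
		     type_to_string(trc, struct pubkey,
				    &keyset->self_revocation_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_delayed_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->other_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_htlc_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->other_htlc_key));

	/* The one key that lets us take everything: ours only because the
	 * peer revealed this commitment's secret. */
	revocation_privkey = tal(tx, struct privkey);
	if (!derive_revocation_privkey(&secrets->revocation_basepoint_secret,
				       &per_commitment_secret,
				       local_revocation_basepoint,
				       &per_commitment_point,
				       revocation_privkey))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving revocation_privkey for %"PRIu64,
			      commit_num);

	remote_wscript = to_self_wscript(tmpctx, to_self_delay[REMOTE], keyset);

	/* Figure out what to-them output looks like. */
	script[REMOTE] = scriptpubkey_p2wsh(tmpctx, remote_wscript);

	/* Figure out what direct to-us output looks like. */
	script[LOCAL] = scriptpubkey_p2wpkh(tmpctx, &keyset->other_payment_key);

	/* Calculate all the HTLC scripts so we can match them */
	htlc_scripts = derive_htlc_scripts(htlcs, REMOTE);

	status_trace("Script to-them: %u: %s (%s)",
		     to_self_delay[REMOTE],
		     tal_hex(trc, script[REMOTE]),
		     tal_hex(trc, remote_wscript));
	status_trace("Script to-me: %s",
		     tal_hex(trc, script[LOCAL]));

	for (i = 0; i < tal_count(tx->output); i++) {
		status_trace("Output %zu: %s",
			     i, tal_hex(trc, tx->output[i].script));
	}

	/* BOLT #5:
	 *
	 * A node MUST resolve all unresolved outputs as follows:
	 *
	 * 1. _A's main output_: No action is required; this is a simple
	 *    P2WPKH output.  This output is considered *resolved* by the
	 *    *commitment transaction*.
	 *
	 * 2. _B's main output_: The node MUST *resolve* this by spending
	 *    using the revocation key.
	 *
	 * 3. _A's offered HTLCs_: The node MUST *resolve* this in one of three
	 *    ways by spending:
	 *    * the *commitment tx* using the payment revocation
	 *    * the *commitment tx* using the payment preimage if known
	 *    * the *HTLC-timeout tx* if B publishes them
	 *
	 * 4. _B's offered HTLCs_: The node MUST *resolve* this in one of two
	 *    ways by spending:
	 *    * the *commitment tx* using the payment revocation
	 *    * the *commitment tx* once the HTLC timeout has passed.
	 *
	 * 5. _B's HTLC-timeout transaction_: The node MUST *resolve* this by
	 *    spending using the revocation key.
	 *
	 * 6. _B's HTLC-success transaction_: The node MUST *resolve* this by
	 *    spending using the revocation key.  The node SHOULD extract
	 *    the payment preimage from the transaction input witness if not
	 *    already known.
	 */
	for (i = 0; i < tal_count(tx->output); i++) {
		struct tracked_output *out;
		int j;

		if (script[LOCAL]
		    && scripteq(tx->output[i].script, script[LOCAL])) {
			/* BOLT #5:
			 *
			 * 1. _A's main output_: No action is required; this
			 *    is a simple P2WPKH output.  This output is
			 *    considered *resolved* by the *commitment
			 *    transaction* itself.
			 */
			out = new_tracked_output(&outs, txid, tx_blockheight,
						 THEIR_REVOKED_UNILATERAL,
						 i, tx->output[i].amount,
						 OUTPUT_TO_US, NULL, NULL, NULL);
			ignore_output(out);
			script[LOCAL] = NULL;
			continue;
		}
		if (script[REMOTE]
		    && scripteq(tx->output[i].script, script[REMOTE])) {
			/* BOLT #5:
			 *
			 * 2. _B's main output_: The node MUST *resolve* this
			 *    by spending using the revocation key. */
			out = new_tracked_output(&outs, txid, tx_blockheight,
						 THEIR_REVOKED_UNILATERAL, i,
						 tx->output[i].amount,
						 DELAYED_OUTPUT_TO_THEM,
						 NULL, NULL, NULL);
			steal_to_them_output(out);
			script[REMOTE] = NULL;
			continue;
		}

		j = match_htlc_output(tx, i, htlc_scripts);
		if (j == -1)
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Could not find resolution for output %zu",
				      i);

		/* Both HTLC directions are taken the same way here: straight
		 * from the commitment tx with the revocation key. */
		if (htlcs[j].owner == LOCAL) {
			/* BOLT #5:
			 *
			 * 3. _A's offered HTLCs_: The node MUST *resolve* this
			 *    in one of three ways by spending:
			 *    * the *commitment tx* using the payment revocation
			 *    * the *commitment tx* using the payment preimage if
			 *      known
			 *    * the *HTLC-timeout tx* if B publishes them
			 */
			out = new_tracked_output(&outs, txid,
						 tx_blockheight,
						 THEIR_REVOKED_UNILATERAL, i,
						 tx->output[i].amount,
						 OUR_HTLC,
						 &htlcs[j], htlc_scripts[j],
						 NULL);
			steal_htlc(out);
		} else {
			out = new_tracked_output(&outs, txid,
						 tx_blockheight,
						 THEIR_REVOKED_UNILATERAL, i,
						 tx->output[i].amount,
						 THEIR_HTLC,
						 &htlcs[j], htlc_scripts[j],
						 NULL);
			/* BOLT #5:
			 *
			 * 4. _B's offered HTLCs_: The node MUST *resolve*
			 *    this in one of two ways by spending:
			 *
			 *    * the *commitment tx* using the payment revocation
			 *    * the *commitment tx* once the HTLC timeout has
			 *      passed.
			 */
			steal_htlc(out);
		}
		/* We've matched this HTLC, can't do again. */
		htlc_scripts[j] = NULL;
	}

	note_missing_htlcs(htlc_scripts, htlcs,
			   tell_if_missing, tell_immediately);
	wait_for_resolved(outs);

	tal_free(tmpctx);
}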
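/* The peer published one of its current (unrevoked) commitment transactions:
 * classify every output and propose how each one is resolved.
 *
 * @tx: the peer's commitment transaction as mined.
 * @tx_blockheight: height of the block containing it.
 * @txid: its transaction id.
 * @secrets: our basepoint secrets, for this commitment's payment and HTLC
 *           private keys.
 * @shaseed: our per-commitment seed (accepted for symmetry with
 *           handle_our_unilateral(); not otherwise used here).
 * @remote_per_commitment_point: the peer's per-commitment point for
 *           @commit_num; main() picks the old or the new one depending on
 *           which unrevoked commitment this is.
 * @local_revocation_basepoint, @local_payment_basepoint,
 * @remote_payment_basepoint, @remote_htlc_basepoint, @local_htlc_basepoint,
 * @remote_delayed_payment_basepoint: the channel basepoints.
 * @commit_num: the commitment number unmasked from the transaction.
 * @htlcs, @tell_if_missing, @tell_immediately: the HTLCs of that
 *           commitment and how to report any without an output.
 * @outs: tracked outputs; outs[0] is the funding output.
 *
 * The keyset is derived from the publisher's point of view: "self" is the
 * peer, "other" is us.  Side effects: sets the globals keyset,
 * payment_privkey and htlc_privkey.  Ends in wait_for_resolved().
 */
static void handle_their_unilateral(const struct bitcoin_tx *tx,
				    u32 tx_blockheight,
				    const struct sha256_double *txid,
				    const struct secrets *secrets,
				    const struct sha256 *shaseed,
				    const struct pubkey *remote_per_commitment_point,
				    const struct pubkey *local_revocation_basepoint,
				    const struct pubkey *local_payment_basepoint,
				    const struct pubkey *remote_payment_basepoint,
				    const struct pubkey *remote_htlc_basepoint,
				    const struct pubkey *local_htlc_basepoint,
				    const struct pubkey *remote_delayed_payment_basepoint,
				    u64 commit_num,
				    const struct htlc_stub *htlcs,
				    const bool *tell_if_missing,
				    const bool *tell_immediately,
				    struct tracked_output **outs)
{
	const tal_t *tmpctx = tal_tmpctx(NULL);
	u8 **htlc_scripts;
	u8 *remote_wscript, *script[NUM_SIDES];
	struct keyset *ks;
	size_t i;

	set_state(ONCHAIND_THEIR_UNILATERAL);
	init_feerate_range(outs[0]->satoshi, tx);

	/* BOLT #5:
	 *
	 * There are two cases to consider here: in the first case, node A
	 * sees its own *commitment transaction*, in the second, it sees the
	 * node B's unrevoked *commitment transaction*.
	 *
	 * Either transaction *resolves* the funding transaction output.
	 */
	resolved_by_other(outs[0], txid, THEIR_UNILATERAL);

	/* Labels are from the publisher's (the peer's) point of view. */
	status_trace("Deriving keyset %"PRIu64
		     ": per_commit_point=%s"
		     " self_payment_basepoint=%s"
		     " other_payment_basepoint=%s"
		     " self_htlc_basepoint=%s"
		     " other_htlc_basepoint=%s"
		     " self_delayed_basepoint=%s"
		     " other_revocation_basepoint=%s",
		     commit_num,
		     type_to_string(trc, struct pubkey,
				    remote_per_commitment_point),
		     type_to_string(trc, struct pubkey,
				    remote_payment_basepoint),
		     type_to_string(trc, struct pubkey,
				    local_payment_basepoint),
		     type_to_string(trc, struct pubkey,
				    remote_htlc_basepoint),
		     type_to_string(trc, struct pubkey,
				    local_htlc_basepoint),
		     type_to_string(trc, struct pubkey,
				    remote_delayed_payment_basepoint),
		     type_to_string(trc, struct pubkey,
				    local_revocation_basepoint));

	/* keyset is const, we need a non-const ptr to set it up */
	keyset = ks = tal(tx, struct keyset);
	/* The peer is "self", we are "other". */
	if (!derive_keyset(remote_per_commitment_point,
			   remote_payment_basepoint,
			   local_payment_basepoint,
			   remote_htlc_basepoint,
			   local_htlc_basepoint,
			   remote_delayed_payment_basepoint,
			   local_revocation_basepoint,
			   ks))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving keyset for %"PRIu64, commit_num);

	status_trace("Deconstructing unilateral tx: %"PRIu64
		     " using keyset: "
		     " self_revocation_key: %s"
		     " self_delayed_payment_key: %s"
		     " self_payment_key: %s"
		     " other_payment_key: %s"
		     " self_htlc_key: %s"
		     " other_htlc_key: %s",
		     commit_num,
		     type_to_string(trc, struct pubkey,
				    &keyset->self_revocation_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_delayed_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->other_payment_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->self_htlc_key),
		     type_to_string(trc, struct pubkey,
				    &keyset->other_htlc_key));

	/* Our keys for this commitment are derived from *their*
	 * per-commitment point, since it is their transaction. */
	if (!derive_simple_privkey(&secrets->payment_basepoint_secret,
				   local_payment_basepoint,
				   remote_per_commitment_point,
				   &payment_privkey))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving payment_privkey for %"PRIu64,
			      commit_num);

	if (!derive_simple_privkey(&secrets->htlc_basepoint_secret,
				   local_htlc_basepoint,
				   remote_per_commitment_point,
				   &htlc_privkey))
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Deriving htlc_privkey for %"PRIu64,
			      commit_num);

	remote_wscript = to_self_wscript(tmpctx, to_self_delay[REMOTE], keyset);

	/* Figure out what to-them output looks like. */
	script[REMOTE] = scriptpubkey_p2wsh(tmpctx, remote_wscript);

	/* Figure out what direct to-us output looks like. */
	script[LOCAL] = scriptpubkey_p2wpkh(tmpctx, &keyset->other_payment_key);

	/* Calculate all the HTLC scripts so we can match them */
	htlc_scripts = derive_htlc_scripts(htlcs, REMOTE);

	status_trace("Script to-them: %u: %s (%s)",
		     to_self_delay[REMOTE],
		     tal_hex(trc, script[REMOTE]),
		     tal_hex(trc, remote_wscript));
	status_trace("Script to-me: %s",
		     tal_hex(trc, script[LOCAL]));

	for (i = 0; i < tal_count(tx->output); i++) {
		status_trace("Output %zu: %s",
			     i, tal_hex(trc, tx->output[i].script));
	}

	/* BOLT #5:
	 *
	 * Similarly, when node A sees a *commitment transaction* from B:
	 *
	 * 1. _A's main output_:...
	 * 2. _B's main output_:...
	 * 3. _A's offered HTLCs_:...
	 * 4. _B's offered HTLCs_:...
	 */
	for (i = 0; i < tal_count(tx->output); i++) {
		struct tracked_output *out;
		int j;

		if (script[LOCAL]
		    && scripteq(tx->output[i].script, script[LOCAL])) {
			/* BOLT #5:
			 *
			 * 1. _A's main output_: No action is required; this
			 *    is a simple P2WPKH output.  This output is
			 *    considered *resolved* by the *commitment
			 *    transaction* itself.
			 */
			out = new_tracked_output(&outs, txid, tx_blockheight,
						 THEIR_UNILATERAL,
						 i, tx->output[i].amount,
						 OUTPUT_TO_US, NULL, NULL, NULL);
			ignore_output(out);
			script[LOCAL] = NULL;
			continue;
		}
		if (script[REMOTE]
		    && scripteq(tx->output[i].script, script[REMOTE])) {
			/* BOLT #5:
			 *
			 * 2. _B's main output_: No action required, this
			 *    output is considered *resolved* by the
			 *    *commitment transaction* itself. */
			out = new_tracked_output(&outs, txid, tx_blockheight,
						 THEIR_UNILATERAL, i,
						 tx->output[i].amount,
						 DELAYED_OUTPUT_TO_THEM,
						 NULL, NULL, NULL);
			ignore_output(out);
			/* Only one main output each: a second copy would be
			 * unexplained, as in the other handlers. */
			script[REMOTE] = NULL;
			continue;
		}

		j = match_htlc_output(tx, i, htlc_scripts);
		if (j == -1)
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Could not find resolution for output %zu",
				      i);

		if (htlcs[j].owner == LOCAL) {
			/* BOLT #5:
			 *
			 * 3. _A's offered HTLCs_: See "On-chain HTLC Output
			 *    Handling: Our Offers" below. */
			out = new_tracked_output(&outs, txid,
						 tx_blockheight,
						 THEIR_UNILATERAL, i,
						 tx->output[i].amount,
						 OUR_HTLC,
						 &htlcs[j], htlc_scripts[j],
						 NULL);
			resolve_our_htlc_theircommit(out);
		} else {
			out = new_tracked_output(&outs, txid,
						 tx_blockheight,
						 THEIR_UNILATERAL, i,
						 tx->output[i].amount,
						 THEIR_HTLC,
						 &htlcs[j], htlc_scripts[j],
						 NULL);
			/* BOLT #5:
			 *
			 * 4. _B's offered HTLCs_: See "On-chain HTLC Output
			 *    Handling: Their Offers" below. */
			resolve_their_htlc(out);
		}
		/* We've matched this HTLC, can't do again. */
		htlc_scripts[j] = NULL;
	}

	note_missing_htlcs(htlc_scripts, htlcs,
			   tell_if_missing, tell_immediately);
	wait_for_resolved(outs);

	tal_free(tmpctx);
}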
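/* Entry point: read the channel description and the transaction that spent
 * the funding output from the master (lightningd) over REQ_FD, decide which
 * kind of close this is, and hand off to the matching handler.
 *
 * Protocol: one onchain_init message, then num_htlcs onchain_htlc messages.
 * Any malformed message is fatal (master_badmsg), as is a transaction shape
 * or commitment number we cannot explain.
 */
int main(int argc, char *argv[])
{
	const tal_t *ctx = tal_tmpctx(NULL);
	u8 *msg;
	struct privkey seed;
	struct pubkey remote_payment_basepoint, remote_htlc_basepoint,
		remote_per_commit_point, old_remote_per_commit_point,
		remote_revocation_basepoint, remote_delayed_payment_basepoint;
	enum side funder;
	struct basepoints basepoints;
	struct shachain shachain;
	struct bitcoin_tx *tx;
	struct secrets secrets;
	struct sha256 shaseed;
	struct tracked_output **outs;
	struct sha256_double our_broadcast_txid, txid;
	secp256k1_ecdsa_signature *remote_htlc_sigs;
	u64 funding_amount_satoshi, num_htlcs;
	u8 *scriptpubkey[NUM_SIDES];
	struct htlc_stub *htlcs;
	bool *tell_if_missing, *tell_immediately;
	u32 tx_blockheight;

	if (argc == 2 && streq(argv[1], "--version")) {
		printf("%s\n", version());
		exit(0);
	}

	subdaemon_debug(argc, argv);

	/* We handle write returning errors!
	 * NOTE(review): that comment describes SIGPIPE; ignoring SIGCHLD
	 * does not stop a write to a closed master pipe from killing us.
	 * Confirm the intent before relying on write() errors here. */
	signal(SIGCHLD, SIG_IGN);

	secp256k1_ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
						 | SECP256K1_CONTEXT_SIGN);
	status_setup_sync(REQ_FD);

	missing_htlc_msgs = tal_arr(ctx, u8 *, 0);

	/* The init message carries everything about the channel plus the
	 * spending tx itself.  NOTE(review): seed and secrets hold key
	 * material on the stack and are not wiped before exit. */
	msg = wire_sync_read(ctx, REQ_FD);
	tx = tal(ctx, struct bitcoin_tx);
	if (!fromwire_onchain_init(ctx, msg, NULL,
				   &seed, &shachain,
				   &funding_amount_satoshi,
				   &old_remote_per_commit_point,
				   &remote_per_commit_point,
				   &to_self_delay[LOCAL],
				   &to_self_delay[REMOTE],
				   &feerate_per_kw,
				   &dust_limit_satoshis,
				   &remote_revocation_basepoint,
				   &our_broadcast_txid,
				   &scriptpubkey[LOCAL],
				   &scriptpubkey[REMOTE],
				   &our_wallet_pubkey,
				   &funder,
				   &remote_payment_basepoint,
				   &remote_htlc_basepoint,
				   &remote_delayed_payment_basepoint,
				   tx,
				   &tx_blockheight,
				   &reasonable_depth,
				   &remote_htlc_sigs,
				   &num_htlcs)) {
		master_badmsg(WIRE_ONCHAIN_INIT, msg);
	}

	/* Commitment and closing transactions spend exactly one input, the
	 * funding output; everything below indexes tx->input[0], so refuse
	 * anything else rather than read out of bounds. */
	if (tal_count(tx->input) != 1)
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Expected 1 input in spending tx, got %zu",
			      tal_count(tx->input));

	derive_basepoints(&seed, NULL, &basepoints, &secrets, &shaseed);
	bitcoin_txid(tx, &txid);

	/* FIXME: Filter as we go, don't load them all into mem! */
	htlcs = tal_arr(ctx, struct htlc_stub, num_htlcs);
	tell_if_missing = tal_arr(ctx, bool, num_htlcs);
	tell_immediately = tal_arr(ctx, bool, num_htlcs);
	if (!htlcs || !tell_if_missing || !tell_immediately)
		status_failed(STATUS_FAIL_INTERNAL_ERROR,
			      "Can't allocate %"PRIu64" htlcs", num_htlcs);

	for (u64 i = 0; i < num_htlcs; i++) {
		msg = wire_sync_read(ctx, REQ_FD);
		if (!fromwire_onchain_htlc(msg, NULL, &htlcs[i],
					   &tell_if_missing[i],
					   &tell_immediately[i]))
			master_badmsg(WIRE_ONCHAIN_HTLC, msg);
	}

	/* The funding output is the first thing we track: the spending tx
	 * we were given resolves it. */
	outs = tal_arr(ctx, struct tracked_output *, 0);
	new_tracked_output(&outs, &tx->input[0].txid,
			   0, /* We don't care about funding blockheight */
			   FUNDING_TRANSACTION,
			   tx->input[0].index,
			   funding_amount_satoshi,
			   FUNDING_OUTPUT, NULL, NULL, NULL);

	status_trace("Remote per-commit point: %s",
		     type_to_string(trc, struct pubkey,
				    &remote_per_commit_point));
	status_trace("Old remote per-commit point: %s",
		     type_to_string(trc, struct pubkey,
				    &old_remote_per_commit_point));

	/* BOLT #5:
	 *
	 * There are three ways a channel can end:
	 *
	 * 1. The good way (*mutual close*): at some point A and B agree on
	 *    closing the channel, they generate a *closing transaction*
	 *    (which is similar to a *commitment transaction* without any
	 *    pending payments), and publish it on the blockchain (see [BOLT
	 *    #2: Channel Close](02-peer-protocol.md#channel-close)).
	 */
	if (is_mutual_close(tx, scriptpubkey[LOCAL], scriptpubkey[REMOTE]))
		handle_mutual_close(tx, &txid, outs);
	else {
		/* BOLT #5:
		 *
		 * 2. The bad way (*unilateral close*): something goes wrong,
		 *    without necessarily any evil intent on either side
		 *    (maybe one party crashed, for instance).  Anyway, one
		 *    side publishes its latest *commitment transaction*.
		 */
		struct sha256 revocation_preimage;
		u64 commit_num = unmask_commit_number(tx, funder,
						      &basepoints.payment,
						      &remote_payment_basepoint);

		status_trace("commitnum = %"PRIu64
			     ", revocations_recived = %"PRIu64,
			     commit_num, revocations_received(&shachain));

		/* The commitment number comes from the tx itself; it is only
		 * acted on once it is reconciled with what we know: our own
		 * broadcast, a revoked secret in the shachain, or one of the
		 * (at most two) unrevoked remote commitments.  Anything else
		 * is fatal rather than guessed at. */
		if (is_local_commitment(&txid, &our_broadcast_txid))
			handle_our_unilateral(tx, tx_blockheight, &txid,
					      &secrets,
					      &shaseed,
					      &remote_revocation_basepoint,
					      &remote_payment_basepoint,
					      &basepoints.payment,
					      &remote_htlc_basepoint,
					      &basepoints.htlc,
					      &basepoints.delayed_payment,
					      commit_num,
					      htlcs,
					      tell_if_missing, tell_immediately,
					      remote_htlc_sigs,
					      outs);
		/* BOLT #5:
		 *
		 * 3. The ugly way (*revoked transaction close*): one of the
		 * parties deliberately tries to cheat by publishing an
		 * outdated version of its *commitment transaction*
		 * (presumably one that was more in her favor).
		 */
		else if (shachain_get_hash(&shachain,
					   shachain_index(commit_num),
					   &revocation_preimage)) {
			handle_their_cheat(tx, &txid,
					   tx_blockheight,
					   &revocation_preimage,
					   &secrets,
					   &basepoints.revocation,
					   &basepoints.payment,
					   &remote_payment_basepoint,
					   &basepoints.htlc,
					   &remote_htlc_basepoint,
					   &remote_delayed_payment_basepoint,
					   commit_num,
					   htlcs,
					   tell_if_missing, tell_immediately,
					   outs);
		/* BOLT #5:
		 *
		 * Note that there can be more than one valid,
		 * unrevoked *commitment transaction* after a
		 * signature has been received via `commitment_signed`
		 * and before the corresponding `revoke_and_ack`.
		 * Either commitment can serve as B's *commitment
		 * transaction*, hence the requirement to handle both.
		 */
		} else if (commit_num == revocations_received(&shachain)) {
			status_trace("Their unilateral tx, old commit point");
			handle_their_unilateral(tx, tx_blockheight,
						&txid, &secrets, &shaseed,
						&old_remote_per_commit_point,
						&basepoints.revocation,
						&basepoints.payment,
						&remote_payment_basepoint,
						&remote_htlc_basepoint,
						&basepoints.htlc,
						&remote_delayed_payment_basepoint,
						commit_num,
						htlcs,
						tell_if_missing,
						tell_immediately,
						outs);
		} else if (commit_num == revocations_received(&shachain) + 1) {
			status_trace("Their unilateral tx, new commit point");
			handle_their_unilateral(tx, tx_blockheight,
						&txid, &secrets, &shaseed,
						&remote_per_commit_point,
						&basepoints.revocation,
						&basepoints.payment,
						&remote_payment_basepoint,
						&remote_htlc_basepoint,
						&basepoints.htlc,
						&remote_delayed_payment_basepoint,
						commit_num,
						htlcs,
						tell_if_missing,
						tell_immediately,
						outs);
		} else
			status_failed(STATUS_FAIL_INTERNAL_ERROR,
				      "Unknown commitment index %"PRIu64
				      " for tx %s",
				      commit_num,
				      type_to_string(ctx, struct bitcoin_tx,
						     tx));
	}

	/* We're done! */
	tal_free(ctx);

	return 0;
}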