mirror of
https://github.com/ElementsProject/lightning.git
synced 2025-01-18 05:12:45 +01:00
cbad9a1fa5
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
388 lines
10 KiB
C
388 lines
10 KiB
C
#include "bitcoin_script.h"
|
|
#include "bitcoin_address.h"
|
|
#include "pkt.h"
|
|
#include "signature.h"
|
|
#include "pubkey.h"
|
|
#include <openssl/ripemd.h>
|
|
#include <ccan/endian/endian.h>
|
|
#include <ccan/crypto/sha256/sha256.h>
|
|
|
|
/* Some standard ops */
|
|
#define OP_PUSHBYTES(val) (val)
|
|
#define OP_PUSHDATA1 0x4C
|
|
#define OP_PUSHDATA2 0x4D
|
|
#define OP_PUSHDATA4 0x4E
|
|
#define OP_NOP 0x61
|
|
#define OP_IF 0x63
|
|
#define OP_ELSE 0x67
|
|
#define OP_ENDIF 0x68
|
|
#define OP_DEPTH 0x74
|
|
#define OP_DUP 0x76
|
|
#define OP_EQUAL 0x87
|
|
#define OP_EQUALVERIFY 0x88
|
|
#define OP_SIZE 0x82
|
|
#define OP_1SUB 0x8C
|
|
#define OP_CHECKSIG 0xAC
|
|
#define OP_CHECKMULTISIG 0xAE
|
|
#define OP_HASH160 0xA9
|
|
#define OP_CHECKSEQUENCEVERIFY 0xB2
|
|
|
|
static void add(u8 **scriptp, const void *mem, size_t len)
|
|
{
|
|
size_t oldlen = tal_count(*scriptp);
|
|
tal_resize(scriptp, oldlen + len);
|
|
memcpy(*scriptp + oldlen, mem, len);
|
|
}
|
|
|
|
static void add_op(u8 **scriptp, u8 op)
|
|
{
|
|
add(scriptp, &op, 1);
|
|
}
|
|
|
|
static void add_push_bytes(u8 **scriptp, const void *mem, size_t len)
|
|
{
|
|
if (len < 76)
|
|
add_op(scriptp, OP_PUSHBYTES(len));
|
|
else if (len < 256) {
|
|
char c = len;
|
|
add_op(scriptp, OP_PUSHDATA1);
|
|
add(scriptp, &c, 1);
|
|
} else if (len < 65536) {
|
|
le16 v = cpu_to_le16(len);
|
|
add_op(scriptp, OP_PUSHDATA2);
|
|
add(scriptp, &v, 2);
|
|
} else {
|
|
le32 v = cpu_to_le32(len);
|
|
add_op(scriptp, OP_PUSHDATA4);
|
|
add(scriptp, &v, 4);
|
|
}
|
|
|
|
add(scriptp, mem, len);
|
|
}
|
|
|
|
static void add_number(u8 **script, u32 num)
|
|
{
|
|
if (num == 0)
|
|
add_op(script, 0);
|
|
else if (num <= 16)
|
|
add_op(script, 0x50 + num);
|
|
else {
|
|
u8 n = num;
|
|
/* We could handle others, but currently unnecessary. */
|
|
assert(num < 256);
|
|
add_push_bytes(script, &n, sizeof(n));
|
|
}
|
|
}
|
|
|
|
static void add_push_key(u8 **scriptp, const struct pubkey *key)
|
|
{
|
|
add_push_bytes(scriptp, key->key, pubkey_len(key));
|
|
}
|
|
|
|
/* Stolen direct from bitcoin/src/script/sign.cpp:
|
|
// Copyright (c) 2009-2010 Satoshi Nakamoto
|
|
// Copyright (c) 2009-2014 The Bitcoin Core developers
|
|
// Distributed under the MIT software license, see the accompanying
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
*/
|
|
static bool IsValidSignatureEncoding(const unsigned char sig[], size_t len)
|
|
{
|
|
// Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
|
|
// * total-length: 1-byte length descriptor of everything that follows,
|
|
// excluding the sighash byte.
|
|
// * R-length: 1-byte length descriptor of the R value that follows.
|
|
// * R: arbitrary-length big-endian encoded R value. It must use the shortest
|
|
// possible encoding for a positive integers (which means no null bytes at
|
|
// the start, except a single one when the next byte has its highest bit set).
|
|
// * S-length: 1-byte length descriptor of the S value that follows.
|
|
// * S: arbitrary-length big-endian encoded S value. The same rules apply.
|
|
// * sighash: 1-byte value indicating what data is hashed (not part of the DER
|
|
// signature)
|
|
|
|
// Minimum and maximum size constraints.
|
|
if (len < 9) return false;
|
|
if (len > 73) return false;
|
|
|
|
// A signature is of type 0x30 (compound).
|
|
if (sig[0] != 0x30) return false;
|
|
|
|
// Make sure the length covers the entire signature.
|
|
if (sig[1] != len - 3) return false;
|
|
|
|
// Extract the length of the R element.
|
|
unsigned int lenR = sig[3];
|
|
|
|
// Make sure the length of the S element is still inside the signature.
|
|
if (5 + lenR >= len) return false;
|
|
|
|
// Extract the length of the S element.
|
|
unsigned int lenS = sig[5 + lenR];
|
|
|
|
// Verify that the length of the signature matches the sum of the length
|
|
// of the elements.
|
|
if ((size_t)(lenR + lenS + 7) != len) return false;
|
|
|
|
// Check whether the R element is an integer.
|
|
if (sig[2] != 0x02) return false;
|
|
|
|
// Zero-length integers are not allowed for R.
|
|
if (lenR == 0) return false;
|
|
|
|
// Negative numbers are not allowed for R.
|
|
if (sig[4] & 0x80) return false;
|
|
|
|
// Null bytes at the start of R are not allowed, unless R would
|
|
// otherwise be interpreted as a negative number.
|
|
if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
|
|
|
|
// Check whether the S element is an integer.
|
|
if (sig[lenR + 4] != 0x02) return false;
|
|
|
|
// Zero-length integers are not allowed for S.
|
|
if (lenS == 0) return false;
|
|
|
|
// Negative numbers are not allowed for S.
|
|
if (sig[lenR + 6] & 0x80) return false;
|
|
|
|
// Null bytes at the start of S are not allowed, unless S would otherwise be
|
|
// interpreted as a negative number.
|
|
if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
/* DER encode a value, return length used. */
|
|
static size_t der_encode_val(const u8 *val, u8 *der)
|
|
{
|
|
size_t len = 0;
|
|
|
|
der[len++] = 0x2; /* value type. */
|
|
/* Add zero byte if it would otherwise be signed. */
|
|
if (val[0] & 0x80) {
|
|
der[len++] = 33; /* value length */
|
|
der[len++] = 0;
|
|
} else
|
|
der[len++] = 32; /* value length */
|
|
|
|
memcpy(der + len, val, 32);
|
|
return len + 32;
|
|
}
|
|
|
|
/* Bitcoin wants DER encoding. */
|
|
static void add_push_sig(u8 **scriptp, const struct bitcoin_signature *sig)
|
|
{
|
|
u8 der[2 + 2 + 1 + sizeof(sig->sig.r) + 2 + 1 + sizeof(sig->sig.s) + 1];
|
|
size_t len = 0;
|
|
|
|
der[len++] = 0x30; /* Type */
|
|
der[len++] = 0; /* Total length after this: fill it at end. */
|
|
|
|
len += der_encode_val(sig->sig.r, der + len);
|
|
len += der_encode_val(sig->sig.s, der + len);
|
|
|
|
/* Fix up total length */
|
|
der[1] = len - 2;
|
|
|
|
/* Append sighash type */
|
|
der[len++] = sig->stype;
|
|
|
|
assert(IsValidSignatureEncoding(der, len));
|
|
add_push_bytes(scriptp, der, len);
|
|
}
|
|
|
|
/* FIXME: permute? */
|
|
/* Is a < b? (If equal we don't care) */
|
|
static bool key_less(const struct pubkey *a, const struct pubkey *b)
|
|
{
|
|
/* Shorter one wins. */
|
|
if (pubkey_len(a) != pubkey_len(b))
|
|
return pubkey_len(a) < pubkey_len(b);
|
|
|
|
return memcmp(a->key, b->key, pubkey_len(a)) < 0;
|
|
}
|
|
|
|
/* tal_count() gives the length of the script. */
|
|
u8 *bitcoin_redeem_2of2(const tal_t *ctx,
|
|
const struct pubkey *key1,
|
|
const struct pubkey *key2)
|
|
{
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
add_number(&script, 2);
|
|
if (key_less(key1, key2)) {
|
|
add_push_key(&script, key1);
|
|
add_push_key(&script, key2);
|
|
} else {
|
|
add_push_key(&script, key2);
|
|
add_push_key(&script, key1);
|
|
}
|
|
add_number(&script, 2);
|
|
add_op(&script, OP_CHECKMULTISIG);
|
|
return script;
|
|
}
|
|
|
|
/* tal_count() gives the length of the script. */
|
|
u8 *bitcoin_redeem_single(const tal_t *ctx, const struct pubkey *key)
|
|
{
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
add_push_key(&script, key);
|
|
add_op(&script, OP_CHECKSIG);
|
|
return script;
|
|
}
|
|
|
|
/* Create p2sh for this redeem script. */
|
|
u8 *scriptpubkey_p2sh(const tal_t *ctx, const u8 *redeemscript)
|
|
{
|
|
struct sha256 h;
|
|
u8 redeemhash[RIPEMD160_DIGEST_LENGTH];
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
|
|
add_op(&script, OP_HASH160);
|
|
sha256(&h, redeemscript, tal_count(redeemscript));
|
|
RIPEMD160(h.u.u8, sizeof(h), redeemhash);
|
|
add_push_bytes(&script, redeemhash, sizeof(redeemhash));
|
|
add_op(&script, OP_EQUAL);
|
|
return script;
|
|
}
|
|
|
|
u8 *scriptpubkey_pay_to_pubkeyhash(const tal_t *ctx,
|
|
const struct bitcoin_address *addr)
|
|
{
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
|
|
add_op(&script, OP_DUP);
|
|
add_op(&script, OP_HASH160);
|
|
add_push_bytes(&script, addr, sizeof(*addr));
|
|
add_op(&script, OP_EQUALVERIFY);
|
|
add_op(&script, OP_CHECKSIG);
|
|
|
|
return script;
|
|
}
|
|
|
|
u8 *scriptsig_pay_to_pubkeyhash(const tal_t *ctx,
|
|
const struct pubkey *key,
|
|
const struct bitcoin_signature *sig)
|
|
{
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
|
|
add_push_sig(&script, sig);
|
|
add_push_key(&script, key);
|
|
|
|
return script;
|
|
}
|
|
|
|
u8 *scriptsig_p2sh_2of2(const tal_t *ctx,
|
|
const struct bitcoin_signature *sig1,
|
|
const struct bitcoin_signature *sig2,
|
|
const struct pubkey *key1,
|
|
const struct pubkey *key2)
|
|
{
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
u8 *redeemscript;
|
|
|
|
/* OP_CHECKMULTISIG has an out-by-one bug, which MBZ */
|
|
add_number(&script, 0);
|
|
add_push_sig(&script, sig1);
|
|
add_push_sig(&script, sig2);
|
|
|
|
redeemscript = bitcoin_redeem_2of2(script, key1, key2);
|
|
add_push_bytes(&script, redeemscript, tal_count(redeemscript));
|
|
return script;
|
|
}
|
|
|
|
/* Is this a normal pay to pubkey hash? */
|
|
bool is_pay_to_pubkey_hash(const u8 *script, size_t script_len)
|
|
{
|
|
if (script_len != 25)
|
|
return false;
|
|
if (script[0] != OP_DUP)
|
|
return false;
|
|
if (script[1] != OP_HASH160)
|
|
return false;
|
|
if (script[2] != OP_PUSHBYTES(20))
|
|
return false;
|
|
if (script[23] != OP_EQUALVERIFY)
|
|
return false;
|
|
if (script[24] != OP_CHECKSIG)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
bool is_p2sh(const u8 *script, size_t script_len)
|
|
{
|
|
if (script_len != 23)
|
|
return false;
|
|
if (script[0] != OP_HASH160)
|
|
return false;
|
|
if (script[1] != OP_PUSHBYTES(20))
|
|
return false;
|
|
if (script[22] != OP_EQUAL)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
/* One of:
|
|
* mysig and theirsig, OR
|
|
* mysig and relative locktime passed, OR
|
|
* theirsig and hash preimage. */
|
|
u8 *bitcoin_redeem_revocable(const tal_t *ctx,
|
|
const struct pubkey *mykey,
|
|
u32 locktime,
|
|
const struct pubkey *theirkey,
|
|
const struct sha256 *rhash)
|
|
{
|
|
u8 *script = tal_arr(ctx, u8, 0);
|
|
u8 rhash_ripemd[RIPEMD160_DIGEST_LENGTH];
|
|
le32 locktime_le = cpu_to_le32(locktime);
|
|
|
|
/* If there are two args: */
|
|
add_op(&script, OP_DEPTH);
|
|
add_op(&script, OP_1SUB);
|
|
add_op(&script, OP_IF);
|
|
|
|
/* If the top arg is a hashpreimage. */
|
|
add_op(&script, OP_SIZE);
|
|
add_number(&script, 32);
|
|
add_op(&script, OP_EQUAL);
|
|
add_op(&script, OP_IF);
|
|
|
|
/* Must hash to revocation_hash, and be signed by them. */
|
|
RIPEMD160(rhash->u.u8, sizeof(rhash->u), rhash_ripemd);
|
|
add_op(&script, OP_HASH160);
|
|
add_push_bytes(&script, rhash_ripemd, sizeof(rhash_ripemd));
|
|
add_op(&script, OP_EQUALVERIFY);
|
|
add_push_key(&script, theirkey);
|
|
add_op(&script, OP_CHECKSIG);
|
|
|
|
/* Otherwise, it should be both our sigs. */
|
|
|
|
/* FIXME: Perhaps this is a bad idea? We don't need it to
|
|
* close, and without this we force the blockchain to commit
|
|
* to the timeout: that may make a flood of transactions due
|
|
* to hub collapse less likely (as some optimists hope hub
|
|
* will return). */
|
|
add_op(&script, OP_ELSE);
|
|
|
|
add_number(&script, 2);
|
|
/* This obscures whose key is whose. Probably unnecessary? */
|
|
if (key_less(mykey, theirkey)) {
|
|
add_push_key(&script, mykey);
|
|
add_push_key(&script, theirkey);
|
|
} else {
|
|
add_push_key(&script, theirkey);
|
|
add_push_key(&script, mykey);
|
|
}
|
|
add_number(&script, 2);
|
|
add_op(&script, OP_CHECKMULTISIG);
|
|
add_op(&script, OP_ENDIF);
|
|
|
|
/* Not two args? Must be us using timeout. */
|
|
add_op(&script, OP_ELSE);
|
|
add_push_bytes(&script, &locktime_le, sizeof(locktime_le));
|
|
add_op(&script, OP_CHECKSEQUENCEVERIFY);
|
|
add_push_key(&script, mykey);
|
|
add_op(&script, OP_CHECKSIG);
|
|
add_op(&script, OP_ENDIF);
|
|
|
|
return script;
|
|
}
|