X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=lightning%2Fsrc%2Fln%2Fchan_utils.rs;h=51a2c4b042224464eacbfe5781c9ed36325b992e;hb=9a0211543762ae15ce4a0b7cb5aa3cf295a4b61f;hp=1d8dd30760f4b7384ec247a5bfae1f6482d523a7;hpb=06091cee0fd29549e5e24c673bf361ab3a562529;p=rust-lightning diff --git a/lightning/src/ln/chan_utils.rs b/lightning/src/ln/chan_utils.rs index 1d8dd307..51a2c4b0 100644 --- a/lightning/src/ln/chan_utils.rs +++ b/lightning/src/ln/chan_utils.rs @@ -1,6 +1,12 @@ +//! Various utilities for building scripts and deriving keys related to channels. These are +//! largely of interest for those implementing chain::keysinterface::ChannelKeys message signing +//! by hand. + use bitcoin::blockdata::script::{Script,Builder}; use bitcoin::blockdata::opcodes; -use bitcoin::blockdata::transaction::{TxIn,TxOut,OutPoint,Transaction}; +use bitcoin::blockdata::transaction::{TxIn,TxOut,OutPoint,Transaction, SigHashType}; +use bitcoin::consensus::encode::{self, Decodable, Encodable}; +use bitcoin::util::bip143; use bitcoin_hashes::{Hash, HashEngine}; use bitcoin_hashes::sha256::Hash as Sha256; @@ -8,20 +14,41 @@ use bitcoin_hashes::ripemd160::Hash as Ripemd160; use bitcoin_hashes::hash160::Hash as Hash160; use bitcoin_hashes::sha256d::Hash as Sha256dHash; -use ln::channelmanager::PaymentHash; +use ln::channelmanager::{PaymentHash, PaymentPreimage}; +use ln::msgs::DecodeError; +use util::ser::{Readable, Writeable, Writer, WriterWriteAdaptor}; -use secp256k1::key::{PublicKey,SecretKey}; -use secp256k1::Secp256k1; +use secp256k1::key::{SecretKey, PublicKey}; +use secp256k1::{Secp256k1, Signature}; use secp256k1; -pub const HTLC_SUCCESS_TX_WEIGHT: u64 = 703; -pub const HTLC_TIMEOUT_TX_WEIGHT: u64 = 663; +pub(super) const HTLC_SUCCESS_TX_WEIGHT: u64 = 703; +pub(super) const HTLC_TIMEOUT_TX_WEIGHT: u64 = 663; + +#[derive(PartialEq)] +pub(crate) enum HTLCType { + AcceptedHTLC, + OfferedHTLC +} + +impl HTLCType { + /// Check if a given tx witnessScript len matchs one of a pre-signed HTLC + pub(crate) fn scriptlen_to_htlctype(witness_script_len: usize) -> Option { + if witness_script_len == 133 { + Some(HTLCType::OfferedHTLC) + } else if witness_script_len >= 136 && witness_script_len <= 139 { + Some(HTLCType::AcceptedHTLC) + } else { + None + } + } +} // Various functions for key derivation and transaction creation for use within channels. Primarily // used in Channel and ChannelMonitor. -pub fn build_commitment_secret(commitment_seed: [u8; 32], idx: u64) -> [u8; 32] { - let mut res: [u8; 32] = commitment_seed; +pub(super) fn build_commitment_secret(commitment_seed: &[u8; 32], idx: u64) -> [u8; 32] { + let mut res: [u8; 32] = commitment_seed.clone(); for i in 0..48 { let bitpos = 47 - i; if idx & (1 << bitpos) == (1 << bitpos) { @@ -32,6 +59,8 @@ pub fn build_commitment_secret(commitment_seed: [u8; 32], idx: u64) -> [u8; 32] res } +/// Derives a per-commitment-transaction private key (eg an htlc key or payment key) from the base +/// private key for that type of key and the per_commitment_point (available in TxCreationKeys) pub fn derive_private_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_secret: &SecretKey) -> Result { let mut sha = Sha256::engine(); sha.input(&per_commitment_point.serialize()); @@ -43,7 +72,7 @@ pub fn derive_private_key(secp_ctx: &Secp256k1, per_co Ok(key) } -pub fn derive_public_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_point: &PublicKey) -> Result { +pub(super) fn derive_public_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_point: &PublicKey) -> Result { let mut sha = Sha256::engine(); sha.input(&per_commitment_point.serialize()); sha.input(&base_point.serialize()); @@ -53,8 +82,10 @@ pub fn derive_public_key(secp_ctx: &Secp256k1, per_com base_point.combine(&hashkey) } -/// Derives a revocation key from its constituent parts -pub fn derive_private_revocation_key(secp_ctx: &Secp256k1, per_commitment_secret: &SecretKey, revocation_base_secret: &SecretKey) -> Result { +/// Derives a revocation key from its constituent parts. +/// Note that this is infallible iff we trust that at least one of the two input keys are randomly +/// generated (ie our own). +pub(super) fn derive_private_revocation_key(secp_ctx: &Secp256k1, per_commitment_secret: &SecretKey, revocation_base_secret: &SecretKey) -> Result { let revocation_base_point = PublicKey::from_secret_key(&secp_ctx, &revocation_base_secret); let per_commitment_point = PublicKey::from_secret_key(&secp_ctx, &per_commitment_secret); @@ -81,7 +112,7 @@ pub fn derive_private_revocation_key(secp_ctx: &Secp256k1 Ok(part_a) } -pub fn derive_public_revocation_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, revocation_base_point: &PublicKey) -> Result { +pub(super) fn derive_public_revocation_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, revocation_base_point: &PublicKey) -> Result { let rev_append_commit_hash_key = { let mut sha = Sha256::engine(); sha.input(&revocation_base_point.serialize()); @@ -104,17 +135,59 @@ pub fn derive_public_revocation_key(secp_ctx: &Secp2 part_a.combine(&part_b) } +/// The set of public keys which are used in the creation of one commitment transaction. +/// These are derived from the channel base keys and per-commitment data. +#[derive(PartialEq)] pub struct TxCreationKeys { + /// The per-commitment public key which was used to derive the other keys. pub per_commitment_point: PublicKey, - pub revocation_key: PublicKey, - pub a_htlc_key: PublicKey, - pub b_htlc_key: PublicKey, - pub a_delayed_payment_key: PublicKey, - pub b_payment_key: PublicKey, + /// The revocation key which is used to allow the owner of the commitment transaction to + /// provide their counterparty the ability to punish them if they broadcast an old state. + pub(crate) revocation_key: PublicKey, + /// A's HTLC Key + pub(crate) a_htlc_key: PublicKey, + /// B's HTLC Key + pub(crate) b_htlc_key: PublicKey, + /// A's Payment Key (which isn't allowed to be spent from for some delay) + pub(crate) a_delayed_payment_key: PublicKey, + /// B's Payment Key + pub(crate) b_payment_key: PublicKey, } +/// One counterparty's public keys which do not change over the life of a channel. +#[derive(Clone)] +pub struct ChannelPublicKeys { + /// The public key which is used to sign all commitment transactions, as it appears in the + /// on-chain channel lock-in 2-of-2 multisig output. + pub funding_pubkey: PublicKey, + /// The base point which is used (with derive_public_revocation_key) to derive per-commitment + /// revocation keys. The per-commitment revocation private key is then revealed by the owner of + /// a commitment transaction so that their counterparty can claim all available funds if they + /// broadcast an old state. + pub revocation_basepoint: PublicKey, + /// The base point which is used (with derive_public_key) to derive a per-commitment payment + /// public key which receives immediately-spendable non-HTLC-encumbered funds. + pub payment_basepoint: PublicKey, + /// The base point which is used (with derive_public_key) to derive a per-commitment payment + /// public key which receives non-HTLC-encumbered funds which are only available for spending + /// after some delay (or can be claimed via the revocation path). + pub delayed_payment_basepoint: PublicKey, + /// The base point which is used (with derive_public_key) to derive a per-commitment public key + /// which is used to encumber HTLC-in-flight outputs. + pub htlc_basepoint: PublicKey, +} + +impl_writeable!(ChannelPublicKeys, 33*5, { + funding_pubkey, + revocation_basepoint, + payment_basepoint, + delayed_payment_basepoint, + htlc_basepoint +}); + + impl TxCreationKeys { - pub fn new(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, a_delayed_payment_base: &PublicKey, a_htlc_base: &PublicKey, b_revocation_base: &PublicKey, b_payment_base: &PublicKey, b_htlc_base: &PublicKey) -> Result { + pub(crate) fn new(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, a_delayed_payment_base: &PublicKey, a_htlc_base: &PublicKey, b_revocation_base: &PublicKey, b_payment_base: &PublicKey, b_htlc_base: &PublicKey) -> Result { Ok(TxCreationKeys { per_commitment_point: per_commitment_point.clone(), revocation_key: derive_public_revocation_key(&secp_ctx, &per_commitment_point, &b_revocation_base)?, @@ -128,7 +201,7 @@ impl TxCreationKeys { /// Gets the "to_local" output redeemscript, ie the script which is time-locked or spendable by /// the revocation key -pub fn get_revokeable_redeemscript(revocation_key: &PublicKey, to_self_delay: u16, delayed_payment_key: &PublicKey) -> Script { +pub(super) fn get_revokeable_redeemscript(revocation_key: &PublicKey, to_self_delay: u16, delayed_payment_key: &PublicKey) -> Script { Builder::new().push_opcode(opcodes::all::OP_IF) .push_slice(&revocation_key.serialize()) .push_opcode(opcodes::all::OP_ELSE) @@ -142,16 +215,28 @@ pub fn get_revokeable_redeemscript(revocation_key: &PublicKey, to_self_delay: u1 } #[derive(Clone, PartialEq)] +/// Information about an HTLC as it appears in a commitment transaction pub struct HTLCOutputInCommitment { + /// Whether the HTLC was "offered" (ie outbound in relation to this commitment transaction). + /// Note that this is not the same as whether it is ountbound *from us*. To determine that you + /// need to compare this value to whether the commitment transaction in question is that of + /// the remote party or our own. pub offered: bool, + /// The value, in msat, of the HTLC. The value as it appears in the commitment transaction is + /// this divided by 1000. pub amount_msat: u64, + /// The CLTV lock-time at which this HTLC expires. pub cltv_expiry: u32, + /// The hash of the preimage which unlocks this HTLC. pub payment_hash: PaymentHash, + /// The position within the commitment transactions' outputs. This may be None if the value is + /// below the dust limit (in which case no output appears in the commitment transaction and the + /// value is spent to additional transaction fees). pub transaction_output_index: Option, } #[inline] -pub fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommitment, a_htlc_key: &PublicKey, b_htlc_key: &PublicKey, revocation_key: &PublicKey) -> Script { +pub(super) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommitment, a_htlc_key: &PublicKey, b_htlc_key: &PublicKey, revocation_key: &PublicKey) -> Script { let payment_hash160 = Ripemd160::hash(&htlc.payment_hash.0[..]).into_inner(); if htlc.offered { Builder::new().push_opcode(opcodes::all::OP_DUP) @@ -222,6 +307,22 @@ pub fn get_htlc_redeemscript(htlc: &HTLCOutputInCommitment, keys: &TxCreationKey get_htlc_redeemscript_with_explicit_keys(htlc, &keys.a_htlc_key, &keys.b_htlc_key, &keys.revocation_key) } +/// Gets the redeemscript for a funding output from the two funding public keys. +/// Note that the order of funding public keys does not matter. +pub fn make_funding_redeemscript(a: &PublicKey, b: &PublicKey) -> Script { + let our_funding_key = a.serialize(); + let their_funding_key = b.serialize(); + + let builder = Builder::new().push_opcode(opcodes::all::OP_PUSHNUM_2); + if our_funding_key[..] < their_funding_key[..] { + builder.push_slice(&our_funding_key) + .push_slice(&their_funding_key) + } else { + builder.push_slice(&their_funding_key) + .push_slice(&our_funding_key) + }.push_opcode(opcodes::all::OP_PUSHNUM_2).push_opcode(opcodes::all::OP_CHECKMULTISIG).into_script() +} + /// panics if htlc.transaction_output_index.is_none()! pub fn build_htlc_transaction(prev_hash: &Sha256dHash, feerate_per_kw: u64, to_self_delay: u16, htlc: &HTLCOutputInCommitment, a_delayed_payment_key: &PublicKey, revocation_key: &PublicKey) -> Transaction { let mut txins: Vec = Vec::new(); @@ -254,3 +355,153 @@ pub fn build_htlc_transaction(prev_hash: &Sha256dHash, feerate_per_kw: u64, to_s output: txouts, } } + +/// Signs a transaction created by build_htlc_transaction. If the transaction is an +/// HTLC-Success transaction (ie htlc.offered is false), preimage must be set! +pub(crate) fn sign_htlc_transaction(tx: &mut Transaction, their_sig: &Signature, preimage: &Option, htlc: &HTLCOutputInCommitment, a_htlc_key: &PublicKey, b_htlc_key: &PublicKey, revocation_key: &PublicKey, per_commitment_point: &PublicKey, htlc_base_key: &SecretKey, secp_ctx: &Secp256k1) -> Result<(Signature, Script), ()> { + if tx.input.len() != 1 { return Err(()); } + if tx.input[0].witness.len() != 0 { return Err(()); } + + let htlc_redeemscript = get_htlc_redeemscript_with_explicit_keys(&htlc, a_htlc_key, b_htlc_key, revocation_key); + + let our_htlc_key = derive_private_key(secp_ctx, per_commitment_point, htlc_base_key).map_err(|_| ())?; + let sighash = hash_to_message!(&bip143::SighashComponents::new(&tx).sighash_all(&tx.input[0], &htlc_redeemscript, htlc.amount_msat / 1000)[..]); + let local_tx = PublicKey::from_secret_key(&secp_ctx, &our_htlc_key) == *a_htlc_key; + let our_sig = secp_ctx.sign(&sighash, &our_htlc_key); + + tx.input[0].witness.push(Vec::new()); // First is the multisig dummy + + if local_tx { // b, then a + tx.input[0].witness.push(their_sig.serialize_der().to_vec()); + tx.input[0].witness.push(our_sig.serialize_der().to_vec()); + } else { + tx.input[0].witness.push(our_sig.serialize_der().to_vec()); + tx.input[0].witness.push(their_sig.serialize_der().to_vec()); + } + tx.input[0].witness[1].push(SigHashType::All as u8); + tx.input[0].witness[2].push(SigHashType::All as u8); + + if htlc.offered { + tx.input[0].witness.push(Vec::new()); + assert!(preimage.is_none()); + } else { + tx.input[0].witness.push(preimage.unwrap().0.to_vec()); + } + + tx.input[0].witness.push(htlc_redeemscript.as_bytes().to_vec()); + + Ok((our_sig, htlc_redeemscript)) +} + +#[derive(Clone)] +/// We use this to track local commitment transactions and put off signing them until we are ready +/// to broadcast. Eventually this will require a signer which is possibly external, but for now we +/// just pass in the SecretKeys required. +pub(crate) struct LocalCommitmentTransaction { + tx: Transaction +} +impl LocalCommitmentTransaction { + #[cfg(test)] + pub fn dummy() -> Self { + Self { tx: Transaction { + version: 2, + input: Vec::new(), + output: Vec::new(), + lock_time: 0, + } } + } + + pub fn new_missing_local_sig(mut tx: Transaction, their_sig: &Signature, our_funding_key: &PublicKey, their_funding_key: &PublicKey) -> LocalCommitmentTransaction { + if tx.input.len() != 1 { panic!("Tried to store a commitment transaction that had input count != 1!"); } + if tx.input[0].witness.len() != 0 { panic!("Tried to store a signed commitment transaction?"); } + + tx.input[0].witness.push(Vec::new()); // First is the multisig dummy + + if our_funding_key.serialize()[..] < their_funding_key.serialize()[..] { + tx.input[0].witness.push(Vec::new()); + tx.input[0].witness.push(their_sig.serialize_der().to_vec()); + tx.input[0].witness[2].push(SigHashType::All as u8); + } else { + tx.input[0].witness.push(their_sig.serialize_der().to_vec()); + tx.input[0].witness[1].push(SigHashType::All as u8); + tx.input[0].witness.push(Vec::new()); + } + + Self { tx } + } + + pub fn txid(&self) -> Sha256dHash { + self.tx.txid() + } + + pub fn has_local_sig(&self) -> bool { + if self.tx.input.len() != 1 { panic!("Commitment transactions must have input count == 1!"); } + if self.tx.input[0].witness.len() == 4 { + assert!(!self.tx.input[0].witness[1].is_empty()); + assert!(!self.tx.input[0].witness[2].is_empty()); + true + } else { + assert_eq!(self.tx.input[0].witness.len(), 3); + assert!(self.tx.input[0].witness[0].is_empty()); + assert!(self.tx.input[0].witness[1].is_empty() || self.tx.input[0].witness[2].is_empty()); + false + } + } + + pub fn add_local_sig(&mut self, funding_key: &SecretKey, funding_redeemscript: &Script, channel_value_satoshis: u64, secp_ctx: &Secp256k1) { + if self.has_local_sig() { return; } + let sighash = hash_to_message!(&bip143::SighashComponents::new(&self.tx) + .sighash_all(&self.tx.input[0], funding_redeemscript, channel_value_satoshis)[..]); + let our_sig = secp_ctx.sign(&sighash, funding_key); + + if self.tx.input[0].witness[1].is_empty() { + self.tx.input[0].witness[1] = our_sig.serialize_der().to_vec(); + self.tx.input[0].witness[1].push(SigHashType::All as u8); + } else { + self.tx.input[0].witness[2] = our_sig.serialize_der().to_vec(); + self.tx.input[0].witness[2].push(SigHashType::All as u8); + } + + self.tx.input[0].witness.push(funding_redeemscript.as_bytes().to_vec()); + } + + pub fn without_valid_witness(&self) -> &Transaction { &self.tx } + pub fn with_valid_witness(&self) -> &Transaction { + assert!(self.has_local_sig()); + &self.tx + } +} +impl PartialEq for LocalCommitmentTransaction { + // We dont care whether we are signed in equality comparison + fn eq(&self, o: &Self) -> bool { + self.txid() == o.txid() + } +} +impl Writeable for LocalCommitmentTransaction { + fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { + if let Err(e) = self.tx.consensus_encode(&mut WriterWriteAdaptor(writer)) { + match e { + encode::Error::Io(e) => return Err(e), + _ => panic!("local tx must have been well-formed!"), + } + } + Ok(()) + } +} +impl Readable for LocalCommitmentTransaction { + fn read(reader: &mut R) -> Result { + let tx = match Transaction::consensus_decode(reader.by_ref()) { + Ok(tx) => tx, + Err(e) => match e { + encode::Error::Io(ioe) => return Err(DecodeError::Io(ioe)), + _ => return Err(DecodeError::InvalidValue), + }, + }; + + if tx.input.len() != 1 { + // Ensure tx didn't hit the 0-input ambiguity case. + return Err(DecodeError::InvalidValue); + } + Ok(Self { tx }) + } +}