X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=lightning%2Fsrc%2Fln%2Fchan_utils.rs;h=ebd553e39be030f41f87d0f3010102f76dd0bb64;hb=c6a91f2ebd301455c7ebae04eb1f308935666439;hp=6e29f22801a50ea4b1163233ab5ca63cecde5fc4;hpb=f60026387efc26b848f13c8615328873a22e7a0d;p=rust-lightning diff --git a/lightning/src/ln/chan_utils.rs b/lightning/src/ln/chan_utils.rs index 6e29f228..ebd553e3 100644 --- a/lightning/src/ln/chan_utils.rs +++ b/lightning/src/ln/chan_utils.rs @@ -30,6 +30,7 @@ use util::byte_utils; use bitcoin::secp256k1::key::{SecretKey, PublicKey}; use bitcoin::secp256k1::{Secp256k1, Signature}; +use bitcoin::secp256k1::Error as SecpError; use bitcoin::secp256k1; use std::{cmp, mem}; @@ -187,7 +188,7 @@ impl Readable for CounterpartyCommitmentSecrets { /// /// Note that this is infallible iff we trust that at least one of the two input keys are randomly /// generated (ie our own). -pub fn derive_private_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_secret: &SecretKey) -> Result { +pub fn derive_private_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_secret: &SecretKey) -> Result { let mut sha = Sha256::engine(); sha.input(&per_commitment_point.serialize()); sha.input(&PublicKey::from_secret_key(&secp_ctx, &base_secret).serialize()); @@ -204,7 +205,7 @@ pub fn derive_private_key(secp_ctx: &Secp256k1, per_co /// /// Note that this is infallible iff we trust that at least one of the two input keys are randomly /// generated (ie our own). -pub fn derive_public_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_point: &PublicKey) -> Result { +pub fn derive_public_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, base_point: &PublicKey) -> Result { let mut sha = Sha256::engine(); sha.input(&per_commitment_point.serialize()); sha.input(&base_point.serialize()); @@ -218,7 +219,7 @@ pub fn derive_public_key(secp_ctx: &Secp256k1, per_com /// /// Note that this is infallible iff we trust that at least one of the two input keys are randomly /// generated (ie our own). -pub fn derive_private_revocation_key(secp_ctx: &Secp256k1, per_commitment_secret: &SecretKey, revocation_base_secret: &SecretKey) -> Result { +pub fn derive_private_revocation_key(secp_ctx: &Secp256k1, per_commitment_secret: &SecretKey, revocation_base_secret: &SecretKey) -> Result { let revocation_base_point = PublicKey::from_secret_key(&secp_ctx, &revocation_base_secret); let per_commitment_point = PublicKey::from_secret_key(&secp_ctx, &per_commitment_secret); @@ -237,12 +238,16 @@ pub fn derive_private_revocation_key(secp_ctx: &Secp256k1 Sha256::from_engine(sha).into_inner() }; - let mut part_a = revocation_base_secret.clone(); - part_a.mul_assign(&rev_append_commit_hash_key)?; - let mut part_b = per_commitment_secret.clone(); - part_b.mul_assign(&commit_append_rev_hash_key)?; - part_a.add_assign(&part_b[..])?; - Ok(part_a) + // Only the transaction broadcaster owns a valid witness to propagate + // a revoked commitment transaction, thus per_commitment_secret always + // come from broadcaster and revocation_base_secret always come + // from countersignatory of the transaction. + let mut countersignatory_contrib = revocation_base_secret.clone(); + countersignatory_contrib.mul_assign(&rev_append_commit_hash_key)?; + let mut broadcaster_contrib = per_commitment_secret.clone(); + broadcaster_contrib.mul_assign(&commit_append_rev_hash_key)?; + countersignatory_contrib.add_assign(&broadcaster_contrib[..])?; + Ok(countersignatory_contrib) } /// Derives a per-commitment-transaction revocation public key from its constituent parts. This is @@ -251,7 +256,7 @@ pub fn derive_private_revocation_key(secp_ctx: &Secp256k1 /// /// Note that this is infallible iff we trust that at least one of the two input keys are randomly /// generated (ie our own). -pub fn derive_public_revocation_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, revocation_base_point: &PublicKey) -> Result { +pub fn derive_public_revocation_key(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, revocation_base_point: &PublicKey) -> Result { let rev_append_commit_hash_key = { let mut sha = Sha256::engine(); sha.input(&revocation_base_point.serialize()); @@ -267,36 +272,45 @@ pub fn derive_public_revocation_key(secp_ctx: &Secp2 Sha256::from_engine(sha).into_inner() }; - let mut part_a = revocation_base_point.clone(); - part_a.mul_assign(&secp_ctx, &rev_append_commit_hash_key)?; - let mut part_b = per_commitment_point.clone(); - part_b.mul_assign(&secp_ctx, &commit_append_rev_hash_key)?; - part_a.combine(&part_b) + // Only the transaction broadcaster owns a valid witness to propagate + // a revoked commitment transaction, thus per_commitment_point always + // come from broadcaster and revocation_base_point always come + // from countersignatory of the transaction. + let mut countersignatory_contrib = revocation_base_point.clone(); + countersignatory_contrib.mul_assign(&secp_ctx, &rev_append_commit_hash_key)?; + let mut broadcaster_contrib = per_commitment_point.clone(); + broadcaster_contrib.mul_assign(&secp_ctx, &commit_append_rev_hash_key)?; + countersignatory_contrib.combine(&broadcaster_contrib) } /// The set of public keys which are used in the creation of one commitment transaction. /// These are derived from the channel base keys and per-commitment data. /// +/// A broadcaster key is provided from potential broadcaster of the computed transaction. +/// A countersignatory key is coming from a protocol participant unable to broadcast the +/// transaction. +/// /// These keys are assumed to be good, either because the code derived them from /// channel basepoints via the new function, or they were obtained via /// PreCalculatedTxCreationKeys.trust_key_derivation because we trusted the source of the /// pre-calculated keys. #[derive(PartialEq, Clone)] pub struct TxCreationKeys { - /// The per-commitment public key which was used to derive the other keys. + /// The broadcaster's per-commitment public key which was used to derive the other keys. pub per_commitment_point: PublicKey, - /// The revocation key which is used to allow the owner of the commitment transaction to - /// provide their counterparty the ability to punish them if they broadcast an old state. + /// The broadcaster's revocation key which is used to allow the broadcaster of the commitment + /// transaction to provide their counterparty the ability to punish them if they broadcast + /// an old state. pub revocation_key: PublicKey, - /// A's HTLC Key - pub a_htlc_key: PublicKey, - /// B's HTLC Key - pub b_htlc_key: PublicKey, - /// A's Payment Key (which isn't allowed to be spent from for some delay) - pub a_delayed_payment_key: PublicKey, + /// Broadcaster's HTLC Key + pub broadcaster_htlc_key: PublicKey, + /// Countersignatory's HTLC Key + pub countersignatory_htlc_key: PublicKey, + /// Broadcaster's Payment Key (which isn't allowed to be spent from for some delay) + pub delayed_payment_key: PublicKey, } impl_writeable!(TxCreationKeys, 33*6, - { per_commitment_point, revocation_key, a_htlc_key, b_htlc_key, a_delayed_payment_key }); + { per_commitment_point, revocation_key, broadcaster_htlc_key, countersignatory_htlc_key, delayed_payment_key }); /// The per-commitment point and a set of pre-calculated public keys used for transaction creation /// in the signer. @@ -317,7 +331,7 @@ impl PreCalculatedTxCreationKeys { } /// The transaction per-commitment point - pub fn per_comitment_point(&self) -> &PublicKey { + pub fn per_commitment_point(&self) -> &PublicKey { &self.0.per_commitment_point } } @@ -357,13 +371,13 @@ impl_writeable!(ChannelPublicKeys, 33*5, { impl TxCreationKeys { /// Create a new TxCreationKeys from channel base points and the per-commitment point - pub fn new(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, a_delayed_payment_base: &PublicKey, a_htlc_base: &PublicKey, b_revocation_base: &PublicKey, b_htlc_base: &PublicKey) -> Result { + pub fn derive_new(secp_ctx: &Secp256k1, per_commitment_point: &PublicKey, broadcaster_delayed_payment_base: &PublicKey, broadcaster_htlc_base: &PublicKey, countersignatory_revocation_base: &PublicKey, countersignatory_htlc_base: &PublicKey) -> Result { Ok(TxCreationKeys { per_commitment_point: per_commitment_point.clone(), - revocation_key: derive_public_revocation_key(&secp_ctx, &per_commitment_point, &b_revocation_base)?, - a_htlc_key: derive_public_key(&secp_ctx, &per_commitment_point, &a_htlc_base)?, - b_htlc_key: derive_public_key(&secp_ctx, &per_commitment_point, &b_htlc_base)?, - a_delayed_payment_key: derive_public_key(&secp_ctx, &per_commitment_point, &a_delayed_payment_base)?, + revocation_key: derive_public_revocation_key(&secp_ctx, &per_commitment_point, &countersignatory_revocation_base)?, + broadcaster_htlc_key: derive_public_key(&secp_ctx, &per_commitment_point, &broadcaster_htlc_base)?, + countersignatory_htlc_key: derive_public_key(&secp_ctx, &per_commitment_point, &countersignatory_htlc_base)?, + delayed_payment_key: derive_public_key(&secp_ctx, &per_commitment_point, &broadcaster_delayed_payment_base)?, }) } } @@ -371,11 +385,11 @@ impl TxCreationKeys { /// A script either spendable by the revocation /// key or the delayed_payment_key and satisfying the relative-locktime OP_CSV constrain. /// Encumbering a `to_local` output on a commitment transaction or 2nd-stage HTLC transactions. -pub fn get_revokeable_redeemscript(revocation_key: &PublicKey, to_self_delay: u16, delayed_payment_key: &PublicKey) -> Script { +pub fn get_revokeable_redeemscript(revocation_key: &PublicKey, contest_delay: u16, delayed_payment_key: &PublicKey) -> Script { Builder::new().push_opcode(opcodes::all::OP_IF) .push_slice(&revocation_key.serialize()) .push_opcode(opcodes::all::OP_ELSE) - .push_int(to_self_delay as i64) + .push_int(contest_delay as i64) .push_opcode(opcodes::all::OP_CSV) .push_opcode(opcodes::all::OP_DROP) .push_slice(&delayed_payment_key.serialize()) @@ -414,7 +428,7 @@ impl_writeable!(HTLCOutputInCommitment, 1 + 8 + 4 + 32 + 5, { }); #[inline] -pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommitment, a_htlc_key: &PublicKey, b_htlc_key: &PublicKey, revocation_key: &PublicKey) -> Script { +pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommitment, broadcaster_htlc_key: &PublicKey, countersignatory_htlc_key: &PublicKey, revocation_key: &PublicKey) -> Script { let payment_hash160 = Ripemd160::hash(&htlc.payment_hash.0[..]).into_inner(); if htlc.offered { Builder::new().push_opcode(opcodes::all::OP_DUP) @@ -424,7 +438,7 @@ pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommit .push_opcode(opcodes::all::OP_IF) .push_opcode(opcodes::all::OP_CHECKSIG) .push_opcode(opcodes::all::OP_ELSE) - .push_slice(&b_htlc_key.serialize()[..]) + .push_slice(&countersignatory_htlc_key.serialize()[..]) .push_opcode(opcodes::all::OP_SWAP) .push_opcode(opcodes::all::OP_SIZE) .push_int(32) @@ -433,7 +447,7 @@ pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommit .push_opcode(opcodes::all::OP_DROP) .push_int(2) .push_opcode(opcodes::all::OP_SWAP) - .push_slice(&a_htlc_key.serialize()[..]) + .push_slice(&broadcaster_htlc_key.serialize()[..]) .push_int(2) .push_opcode(opcodes::all::OP_CHECKMULTISIG) .push_opcode(opcodes::all::OP_ELSE) @@ -452,7 +466,7 @@ pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommit .push_opcode(opcodes::all::OP_IF) .push_opcode(opcodes::all::OP_CHECKSIG) .push_opcode(opcodes::all::OP_ELSE) - .push_slice(&b_htlc_key.serialize()[..]) + .push_slice(&countersignatory_htlc_key.serialize()[..]) .push_opcode(opcodes::all::OP_SWAP) .push_opcode(opcodes::all::OP_SIZE) .push_int(32) @@ -463,7 +477,7 @@ pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommit .push_opcode(opcodes::all::OP_EQUALVERIFY) .push_int(2) .push_opcode(opcodes::all::OP_SWAP) - .push_slice(&a_htlc_key.serialize()[..]) + .push_slice(&broadcaster_htlc_key.serialize()[..]) .push_int(2) .push_opcode(opcodes::all::OP_CHECKMULTISIG) .push_opcode(opcodes::all::OP_ELSE) @@ -478,31 +492,31 @@ pub(crate) fn get_htlc_redeemscript_with_explicit_keys(htlc: &HTLCOutputInCommit } } -/// note here that 'a_revocation_key' is generated using b_revocation_basepoint and a's +/// note here that 'revocation_key' is generated using countersignatory_revocation_basepoint and broadcaster's /// commitment secret. 'htlc' does *not* need to have its previous_output_index filled. #[inline] pub fn get_htlc_redeemscript(htlc: &HTLCOutputInCommitment, keys: &TxCreationKeys) -> Script { - get_htlc_redeemscript_with_explicit_keys(htlc, &keys.a_htlc_key, &keys.b_htlc_key, &keys.revocation_key) + get_htlc_redeemscript_with_explicit_keys(htlc, &keys.broadcaster_htlc_key, &keys.countersignatory_htlc_key, &keys.revocation_key) } /// Gets the redeemscript for a funding output from the two funding public keys. /// Note that the order of funding public keys does not matter. -pub fn make_funding_redeemscript(a: &PublicKey, b: &PublicKey) -> Script { - let our_funding_key = a.serialize(); - let their_funding_key = b.serialize(); +pub fn make_funding_redeemscript(broadcaster: &PublicKey, countersignatory: &PublicKey) -> Script { + let broadcaster_funding_key = broadcaster.serialize(); + let countersignatory_funding_key = countersignatory.serialize(); let builder = Builder::new().push_opcode(opcodes::all::OP_PUSHNUM_2); - if our_funding_key[..] < their_funding_key[..] { - builder.push_slice(&our_funding_key) - .push_slice(&their_funding_key) + if broadcaster_funding_key[..] < countersignatory_funding_key[..] { + builder.push_slice(&broadcaster_funding_key) + .push_slice(&countersignatory_funding_key) } else { - builder.push_slice(&their_funding_key) - .push_slice(&our_funding_key) + builder.push_slice(&countersignatory_funding_key) + .push_slice(&broadcaster_funding_key) }.push_opcode(opcodes::all::OP_PUSHNUM_2).push_opcode(opcodes::all::OP_CHECKMULTISIG).into_script() } /// panics if htlc.transaction_output_index.is_none()! -pub fn build_htlc_transaction(prev_hash: &Txid, feerate_per_kw: u32, to_self_delay: u16, htlc: &HTLCOutputInCommitment, a_delayed_payment_key: &PublicKey, revocation_key: &PublicKey) -> Transaction { +pub fn build_htlc_transaction(prev_hash: &Txid, feerate_per_kw: u32, contest_delay: u16, htlc: &HTLCOutputInCommitment, delayed_payment_key: &PublicKey, revocation_key: &PublicKey) -> Transaction { let mut txins: Vec = Vec::new(); txins.push(TxIn { previous_output: OutPoint { @@ -522,7 +536,7 @@ pub fn build_htlc_transaction(prev_hash: &Txid, feerate_per_kw: u32, to_self_del let mut txouts: Vec = Vec::new(); txouts.push(TxOut { - script_pubkey: get_revokeable_redeemscript(revocation_key, to_self_delay, a_delayed_payment_key).to_v0_p2wsh(), + script_pubkey: get_revokeable_redeemscript(revocation_key, contest_delay, delayed_payment_key).to_v0_p2wsh(), value: htlc.amount_msat / 1000 - total_fee //TODO: BOLT 3 does not specify if we should add amount_msat before dividing or if we should divide by 1000 before subtracting (as we do here) }); @@ -589,9 +603,9 @@ impl LocalCommitmentTransaction { local_keys: TxCreationKeys { per_commitment_point: dummy_key.clone(), revocation_key: dummy_key.clone(), - a_htlc_key: dummy_key.clone(), - b_htlc_key: dummy_key.clone(), - a_delayed_payment_key: dummy_key.clone(), + broadcaster_htlc_key: dummy_key.clone(), + countersignatory_htlc_key: dummy_key.clone(), + delayed_payment_key: dummy_key.clone(), }, feerate_per_kw: 0, per_htlc: Vec::new() @@ -599,11 +613,26 @@ impl LocalCommitmentTransaction { } /// Generate a new LocalCommitmentTransaction based on a raw commitment transaction, - /// remote signature and both parties keys + /// remote signature and both parties keys. + /// + /// The unsigned transaction outputs must be consistent with htlc_data. This function + /// only checks that the shape and amounts are consistent, but does not check the scriptPubkey. pub fn new_missing_local_sig(unsigned_tx: Transaction, their_sig: Signature, our_funding_key: &PublicKey, their_funding_key: &PublicKey, local_keys: TxCreationKeys, feerate_per_kw: u32, htlc_data: Vec<(HTLCOutputInCommitment, Option)>) -> LocalCommitmentTransaction { if unsigned_tx.input.len() != 1 { panic!("Tried to store a commitment transaction that had input count != 1!"); } if unsigned_tx.input[0].witness.len() != 0 { panic!("Tried to store a signed commitment transaction?"); } + for htlc in &htlc_data { + if let Some(index) = htlc.0.transaction_output_index { + let out = &unsigned_tx.output[index as usize]; + if out.value != htlc.0.amount_msat / 1000 { + panic!("HTLC at index {} has incorrect amount", index); + } + if !out.script_pubkey.is_v0_p2wsh() { + panic!("HTLC at index {} doesn't have p2wsh scriptPubkey", index); + } + } + } + Self { unsigned_tx, their_sig, @@ -635,8 +664,8 @@ impl LocalCommitmentTransaction { /// ChannelKeys::sign_local_commitment() calls directly. /// Channel value is amount locked in funding_outpoint. pub fn get_local_sig(&self, funding_key: &SecretKey, funding_redeemscript: &Script, channel_value_satoshis: u64, secp_ctx: &Secp256k1) -> Signature { - let sighash = hash_to_message!(&bip143::SighashComponents::new(&self.unsigned_tx) - .sighash_all(&self.unsigned_tx.input[0], funding_redeemscript, channel_value_satoshis)[..]); + let sighash = hash_to_message!(&bip143::SigHashCache::new(&self.unsigned_tx) + .signature_hash(0, funding_redeemscript, channel_value_satoshis, SigHashType::All)[..]); secp_ctx.sign(&sighash, funding_key) } @@ -672,11 +701,11 @@ impl LocalCommitmentTransaction { for this_htlc in self.per_htlc.iter() { if this_htlc.0.transaction_output_index.is_some() { - let htlc_tx = build_htlc_transaction(&txid, self.feerate_per_kw, local_csv, &this_htlc.0, &self.local_keys.a_delayed_payment_key, &self.local_keys.revocation_key); + let htlc_tx = build_htlc_transaction(&txid, self.feerate_per_kw, local_csv, &this_htlc.0, &self.local_keys.delayed_payment_key, &self.local_keys.revocation_key); - let htlc_redeemscript = get_htlc_redeemscript_with_explicit_keys(&this_htlc.0, &self.local_keys.a_htlc_key, &self.local_keys.b_htlc_key, &self.local_keys.revocation_key); + let htlc_redeemscript = get_htlc_redeemscript_with_explicit_keys(&this_htlc.0, &self.local_keys.broadcaster_htlc_key, &self.local_keys.countersignatory_htlc_key, &self.local_keys.revocation_key); - let sighash = hash_to_message!(&bip143::SighashComponents::new(&htlc_tx).sighash_all(&htlc_tx.input[0], &htlc_redeemscript, this_htlc.0.amount_msat / 1000)[..]); + let sighash = hash_to_message!(&bip143::SigHashCache::new(&htlc_tx).signature_hash(0, &htlc_redeemscript, this_htlc.0.amount_msat / 1000, SigHashType::All)[..]); ret.push(Some(secp_ctx.sign(&sighash, &our_htlc_key))); } else { ret.push(None); @@ -695,12 +724,12 @@ impl LocalCommitmentTransaction { // Further, we should never be provided the preimage for an HTLC-Timeout transaction. if this_htlc.0.offered && preimage.is_some() { unreachable!(); } - let mut htlc_tx = build_htlc_transaction(&txid, self.feerate_per_kw, local_csv, &this_htlc.0, &self.local_keys.a_delayed_payment_key, &self.local_keys.revocation_key); + let mut htlc_tx = build_htlc_transaction(&txid, self.feerate_per_kw, local_csv, &this_htlc.0, &self.local_keys.delayed_payment_key, &self.local_keys.revocation_key); // Channel should have checked that we have a remote signature for this HTLC at // creation, and we should have a sensible htlc transaction: assert!(this_htlc.1.is_some()); - let htlc_redeemscript = get_htlc_redeemscript_with_explicit_keys(&this_htlc.0, &self.local_keys.a_htlc_key, &self.local_keys.b_htlc_key, &self.local_keys.revocation_key); + let htlc_redeemscript = get_htlc_redeemscript_with_explicit_keys(&this_htlc.0, &self.local_keys.broadcaster_htlc_key, &self.local_keys.countersignatory_htlc_key, &self.local_keys.revocation_key); // First push the multisig dummy, note that due to BIP147 (NULLDUMMY) it must be a zero-length element. htlc_tx.input[0].witness.push(Vec::new());