update-channel-accept: accept the channel update.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

Makefile

@@ -3,7 +3,7 @@
 # Needs to have oneof support: Ubuntu vivid's is too old :(
 PROTOCC:=protoc-c
 
-PROGRAMS := open-channel open-anchor-scriptsigs leak-anchor-sigs open-commit-sig check-commit-sig check-anchor-scriptsigs get-anchor-depth create-steal-tx create-commit-spend-tx close-channel create-close-tx update-channel
+PROGRAMS := open-channel open-anchor-scriptsigs leak-anchor-sigs open-commit-sig check-commit-sig check-anchor-scriptsigs get-anchor-depth create-steal-tx create-commit-spend-tx close-channel create-close-tx update-channel update-channel-accept
 
 HELPER_OBJS := base58.o lightning.pb-c.o shadouble.o pkt.o bitcoin_script.o permute_tx.o signature.o bitcoin_tx.o bitcoin_address.o anchor.o commit_tx.o pubkey.o opt_bits.o close_tx.o find_p2sh_out.o
 

check-commit-sig.c

@@ -35,6 +35,7 @@ int main(int argc, char *argv[])
 	char *tx_hex;
 	EC_KEY *privkey;
 	bool testnet;
+	struct sha256 rhash;
 
 	err_set_progname(argv[0]);
 
@@ -69,7 +70,8 @@ int main(int argc, char *argv[])
 	anchor_txid(anchor, argv[5], argv[6], inmap, &txid);
 
 	/* Now create our commitment tx. */
-	commit = create_commit_tx(ctx, o1, o2, 0, &txid, outmap[0]);
+	proto_to_sha256(o2->revocation_hash, &rhash);
+	commit = create_commit_tx(ctx, o1, o2, &rhash, 0, &txid, outmap[0]);
 
 	/* If contributions don't exceed fees, this fails. */
 	if (!commit)

commit_tx.c

@@ -9,6 +9,7 @@
 struct bitcoin_tx *create_commit_tx(const tal_t *ctx,
 				    OpenChannel *ours,
 				    OpenChannel *theirs,
+				    const struct sha256 *rhash,
 				    int64_t delta,
 				    const struct sha256_double *anchor_txid,
 				    unsigned int anchor_output)
@@ -16,7 +17,6 @@ struct bitcoin_tx *create_commit_tx(const tal_t *ctx,
 	struct bitcoin_tx *tx;
 	const u8 *redeemscript;
 	struct pubkey ourkey, theirkey, to_me;
-	struct sha256 redeem;
 
 	/* Now create commitment tx: one input, two outputs. */
 	tx = bitcoin_tx(ctx, 1, 2);
@@ -30,13 +30,12 @@ struct bitcoin_tx *create_commit_tx(const tal_t *ctx,
 		return tal_free(tx);
 	if (!proto_to_pubkey(theirs->final, &theirkey))
 		return tal_free(tx);
-	proto_to_sha256(ours->revocation_hash, &redeem);
 
 	/* First output is a P2SH to a complex redeem script (usu. for me) */
 	redeemscript = bitcoin_redeem_revocable(tx, &ourkey,
 						ours->locktime_seconds,
 						&theirkey,
-						&redeem);
+						rhash);
 	tx->output[0].script = scriptpubkey_p2sh(tx, redeemscript);
 	tx->output[0].script_length = tal_count(tx->output[0].script);
 

commit_tx.h

@@ -4,12 +4,14 @@
 #include "lightning.pb-c.h"
 
 struct sha256_double;
+struct sha256;
 
 /* Create commitment tx to spend the anchor tx output; doesn't fill in
  * input scriptsig. */
 struct bitcoin_tx *create_commit_tx(const tal_t *ctx,
 				    OpenChannel *ours,
 				    OpenChannel *theirs,
+				    const struct sha256 *revocation_hash,
 				    int64_t delta,
 				    const struct sha256_double *anchor_txid,
 				    unsigned int anchor_output);

open-commit-sig.c

@@ -34,6 +34,7 @@ int main(int argc, char *argv[])
 	bool testnet;
 	struct pubkey pubkey1, pubkey2;
 	u8 *subscript;
+	struct sha256 rhash;
 
 	err_set_progname(argv[0]);
 
@@ -65,7 +66,8 @@ int main(int argc, char *argv[])
 	anchor_txid(anchor, argv[4], argv[5], inmap, &txid);
 
 	/* Now create THEIR commitment tx to spend 2/2 output of anchor. */
-	commit = create_commit_tx(ctx, o2, o1, 0, &txid, outmap[0]);
+	proto_to_sha256(o1->revocation_hash, &rhash);
+	commit = create_commit_tx(ctx, o2, o1, &rhash, 0, &txid, outmap[0]);
 
 	/* If contributions don't exceed fees, this fails. */
 	if (!commit)

pkt.c

@@ -164,3 +164,14 @@ struct pkt *update_pkt(const tal_t *ctx,
 	return to_pkt(ctx, PKT__PKT_UPDATE, &u);
 }
 
+struct pkt *update_accept_pkt(const tal_t *ctx,
+			      struct signature *sig,
+			      const struct sha256 *revocation_hash,
+			      const struct sha256 *revocation_preimage)
+{
+	UpdateAccept ua = UPDATE_ACCEPT__INIT;
+	ua.sig = signature_to_proto(ctx, sig);
+	ua.revocation_hash = sha256_to_proto(ctx, revocation_hash);
+	ua.revocation_preimage = sha256_to_proto(ctx, revocation_preimage);
+	return to_pkt(ctx, PKT__PKT_UPDATE_ACCEPT, &ua);
+}

pkt.h

@@ -92,6 +92,18 @@ struct pkt *update_pkt(const tal_t *ctx,
 		       const struct sha256 *revocation_hash,
 		       s64 delta, struct signature *sig);
 
+/**
+ * update_accept_pkt - create an update_accept message
+ * @ctx: tal context to allocate off.
+ * @sig: the signature for the close transaction input.
+ * @revocation_hash: hash to revoke the next tx.
+ * @revocation_preimage: preimage to revoke existing (now-obsolete) tx.
+ */
+struct pkt *update_accept_pkt(const tal_t *ctx,
+			      struct signature *sig,
+			      const struct sha256 *revocation_hash,
+			      const struct sha256 *revocation_preimage);
+
 /* Useful helper for allocating & populating a protobuf Sha256Hash */
 Sha256Hash *sha256_to_proto(const tal_t *ctx, const struct sha256 *hash);
 void proto_to_sha256(const Sha256Hash *pb, struct sha256 *hash);

update-channel-accept.c

@@ -0,0 +1,121 @@
+/* My example:
+ * ./update-channel-accept <B-SEED> B-open.pb A-open.pb anchor.tx <B-TMPKEY> A-update-1.pb > B-update-accept-1.pb
+ */
+#include <ccan/crypto/shachain/shachain.h>
+#include <ccan/short_types/short_types.h>
+#include <ccan/tal/tal.h>
+#include <ccan/opt/opt.h>
+#include <ccan/str/hex/hex.h>
+#include <ccan/err/err.h>
+#include <ccan/read_write_all/read_write_all.h>
+#include "lightning.pb-c.h"
+#include "anchor.h"
+#include "base58.h"
+#include "pkt.h"
+#include "bitcoin_script.h"
+#include "permute_tx.h"
+#include "signature.h"
+#include "commit_tx.h"
+#include "pubkey.h"
+#include "find_p2sh_out.h"
+#include <openssl/ec.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[])
+{
+	const tal_t *ctx = tal_arr(NULL, char, 0);
+	struct sha256 seed, revocation_hash, revocation_preimage;
+	OpenChannel *o1, *o2;
+	Update *update;
+	struct bitcoin_tx *anchor, *commit;
+	struct sha256_double anchor_txid;
+	struct pkt *pkt;
+	struct signature sig;
+	EC_KEY *privkey;
+	bool testnet;
+	struct pubkey pubkey1, pubkey2;
+	u8 *redeemscript;
+	int64_t delta;
+	size_t i;
+
+	err_set_progname(argv[0]);
+
+	opt_register_noarg("--help|-h", opt_usage_and_exit,
+			   "<seed> <anchor-tx> <open-channel-file1> <open-channel-file2> <commit-privkey> <update-protobuf> [previous-updates]\n"
+			   "Accept a new update message",
+			   "Print this message.");
+
+ 	opt_parse(&argc, argv, opt_log_stderr_exit);
+
+	if (argc < 6)
+		opt_usage_exit_fail("Expected 5+ arguments");
+
+	if (!hex_decode(argv[1], strlen(argv[1]), &seed, sizeof(seed)))
+		errx(1, "Invalid seed '%s' - need 256 hex bits", argv[1]);
+	
+	anchor = bitcoin_tx_from_file(ctx, argv[2]);
+	bitcoin_txid(anchor, &anchor_txid);
+	o1 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
+	o2 = pkt_from_file(argv[4], PKT__PKT_OPEN)->open;
+
+	privkey = key_from_base58(argv[5], strlen(argv[5]), &testnet, &pubkey1);
+	if (!privkey)
+		errx(1, "Invalid private key '%s'", argv[5]);
+	if (!testnet)
+		errx(1, "Private key '%s' not on testnet!", argv[5]);
+
+	update = pkt_from_file(argv[6], PKT__PKT_UPDATE)->update;
+	
+	/* Figure out cumulative delta since anchor. */
+	delta = update->delta;
+	for (i = 7; i < argc; i++) {
+		Update *u = pkt_from_file(argv[i], PKT__PKT_UPDATE)->update;
+		delta += u->delta;
+	}
+
+	/* Get next revocation hash. */
+	shachain_from_seed(&seed, argc - 6, &revocation_hash);
+	sha256(&revocation_hash,
+	       revocation_hash.u.u8, sizeof(revocation_hash.u.u8));
+	
+	/* Get pubkeys */
+	if (!proto_to_pubkey(o1->anchor->pubkey, &pubkey2))
+		errx(1, "Invalid o1 commit pubkey");
+	if (pubkey_len(&pubkey1) != pubkey_len(&pubkey2)
+	    || memcmp(pubkey1.key, pubkey2.key, pubkey_len(&pubkey2)) != 0)
+		errx(1, "o1 pubkey != this privkey");
+	if (!proto_to_pubkey(o2->anchor->pubkey, &pubkey2))
+		errx(1, "Invalid o2 final pubkey");
+
+	/* This is what the anchor pays to; figure out whick output. */
+	redeemscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
+
+	/* Now create THEIR new commitment tx to spend 2/2 output of anchor. */
+	commit = create_commit_tx(ctx, o2, o1, &revocation_hash, delta,
+				  &anchor_txid,
+				  find_p2sh_out(anchor, redeemscript));
+
+	/* If contributions don't exceed fees, this fails. */
+	if (!commit)
+		errx(1, "Delta too large");
+
+	/* Their pubkey must be valid */
+	if (!proto_to_pubkey(o2->anchor->pubkey, &pubkey2))
+		errx(1, "Invalid public open-channel-file2");
+
+	/* Sign it for them. */
+	sign_tx_input(ctx, commit, 0, redeemscript, tal_count(redeemscript),
+		      privkey, &sig);
+
+	/* Give up revocation preimage for old tx. */
+	shachain_from_seed(&seed, argc - 6 - 1, &revocation_preimage);
+
+	pkt = update_accept_pkt(ctx, &sig, &revocation_hash, &revocation_preimage);
+	if (!write_all(STDOUT_FILENO, pkt,
+		       sizeof(pkt->len) + le32_to_cpu(pkt->len)))
+		err(1, "Writing out packet");
+
+	tal_free(ctx);
+	return 0;
+}
+

update-channel.c

@@ -102,7 +102,8 @@ int main(int argc, char *argv[])
 	redeemscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
 
 	/* Now create THEIR new commitment tx to spend 2/2 output of anchor. */
-	commit = create_commit_tx(ctx, o2, o1, delta, &anchor_txid,
+	commit = create_commit_tx(ctx, o2, o1, &revocation_hash, delta,
+				  &anchor_txid,
 				  find_p2sh_out(anchor, redeemscript));
 
 	/* If contributions don't exceed fees, this fails. */