Browse Source

bitcoin/signature: implement SIGHASH_SINGLE|SIGHASH_ANYONECANPAY for segwit.

option_simplified_commitment wants this for HTLC txs.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
plugin-6
Rusty Russell 6 years ago
committed by Christian Decker
parent
commit
b7da41e674
  1. 20
      bitcoin/signature.c
  2. 15
      bitcoin/signature.h
  3. 78
      bitcoin/tx.c
  4. 6
      bitcoin/tx.h

20
bitcoin/signature.c

@ -88,19 +88,19 @@ void sign_hash(const struct privkey *privkey,
assert(ok);
}
/* Only does SIGHASH_ALL */
static void sha256_tx_one_input(const struct bitcoin_tx *tx,
size_t input_num,
const u8 *script,
const u8 *witness_script,
enum sighash_type sighash_type,
struct sha256_double *hash)
{
assert(input_num < tal_count(tx->input));
sha256_tx_for_sig(hash, tx, input_num, script, witness_script);
sha256_tx_for_sig(hash, tx, input_num, script, witness_script,
sighash_type);
}
/* Only does SIGHASH_ALL */
void sign_tx_input(const struct bitcoin_tx *tx,
unsigned int in,
const u8 *subscript,
@ -113,7 +113,8 @@ void sign_tx_input(const struct bitcoin_tx *tx,
assert(sighash_type_valid(sighash_type));
sig->sighash_type = sighash_type;
sha256_tx_one_input(tx, in, subscript, witness_script, &hash);
sha256_tx_one_input(tx, in, subscript, witness_script,
sighash_type, &hash);
dump_tx("Signing", tx, in, subscript, key, &hash);
sign_hash(privkey, &hash, &sig->s);
}
@ -139,10 +140,17 @@ bool check_tx_sig(const struct bitcoin_tx *tx, size_t input_num,
struct sha256_double hash;
bool ret;
assert(sig->sighash_type == SIGHASH_ALL);
/* We only support a limited subset of sighash types. */
if (sig->sighash_type != SIGHASH_ALL) {
if (!witness_script)
return false;
if (sig->sighash_type != (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY))
return false;
}
assert(input_num < tal_count(tx->input));
sha256_tx_one_input(tx, input_num, redeemscript, witness_script, &hash);
sha256_tx_one_input(tx, input_num, redeemscript, witness_script,
sig->sighash_type, &hash);
ret = check_signed_hash(&hash, &sig->s, key);
if (!ret)

15
bitcoin/signature.h

@ -18,10 +18,23 @@ enum sighash_type {
SIGHASH_ANYONECANPAY = 0x80
};
#define SIGHASH_MASK 0x7F
static inline bool sighash_single(enum sighash_type sighash_type)
{
return (sighash_type & SIGHASH_MASK) == SIGHASH_SINGLE;
}
static inline bool sighash_anyonecanpay(enum sighash_type sighash_type)
{
return (sighash_type & SIGHASH_ANYONECANPAY) == SIGHASH_ANYONECANPAY;
}
/* We only support a limited range of sighash_type */
static inline bool sighash_type_valid(const enum sighash_type sighash_type)
{
return sighash_type == SIGHASH_ALL;
return sighash_type == SIGHASH_ALL
|| sighash_type == (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY);
}
/**

78
bitcoin/tx.c

@ -13,6 +13,8 @@
#define SEGREGATED_WITNESS_FLAG 0x1
static struct sha256_double all_zeroes;
static void push_tx_input(const struct bitcoin_tx_input *input,
const u8 *input_script,
void (*push)(const void *, size_t, void *), void *pushp)
@ -81,11 +83,15 @@ static void push_witnesses(const struct bitcoin_tx *tx,
/* For signing, we ignore input scripts on other inputs, and pretend
* the current input has a certain script: this is indicated by a
* non-NULL override_script, and setting override_script_index to the
* input number to replace. */
* non-NULL override_script.
*
* For this (and other signing weirdness like SIGHASH_SINGLE), we
* also need the current input being signed; that's in input_num.
* We also need sighash_type.
*/
static void push_tx(const struct bitcoin_tx *tx,
const u8 *override_script,
size_t override_script_index,
size_t input_num,
void (*push)(const void *, size_t, void *), void *pushp,
bool bip144)
{
@ -112,7 +118,7 @@ static void push_tx(const struct bitcoin_tx *tx,
for (i = 0; i < tal_count(tx->input); i++) {
const u8 *input_script = tx->input[i].script;
if (override_script) {
if (override_script_index == i)
if (input_num == i)
input_script = override_script;
else
input_script = NULL;
@ -136,14 +142,21 @@ static void push_sha(const void *data, size_t len, void *shactx_)
sha256_update(ctx, memcheck(data, len), len);
}
static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx)
static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx,
enum sighash_type sighash_type)
{
struct sha256_ctx ctx;
size_t i;
/* BIP143: If the ANYONECANPAY flag is not set, hashPrevouts is the
* double SHA256 of the serialization of all input
* outpoints */
* outpoints; Otherwise, hashPrevouts is a uint256 of 0x0000......0000.
*/
if (sighash_anyonecanpay(sighash_type)) {
*h = all_zeroes;
return;
}
sha256_init(&ctx);
for (i = 0; i < tal_count(tx->input); i++) {
push_sha(&tx->input[i].txid, sizeof(tx->input[i].txid), &ctx);
@ -152,14 +165,21 @@ static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx)
sha256_double_done(&ctx, h);
}
static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx)
static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx,
enum sighash_type sighash_type)
{
struct sha256_ctx ctx;
size_t i;
/* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type
* is set, hashSequence is the double SHA256 of the serialization
* of nSequence of all inputs */
/* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type is
* set, hashSequence is the double SHA256 of the serialization of
* nSequence of all inputs; Otherwise, hashSequence is a uint256 of
* 0x0000......0000. */
if (sighash_anyonecanpay(sighash_type) || sighash_single(sighash_type)) {
*h = all_zeroes;
return;
}
sha256_init(&ctx);
for (i = 0; i < tal_count(tx->input); i++)
push_le32(tx->input[i].sequence_number, push_sha, &ctx);
@ -167,17 +187,23 @@ static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx)
sha256_double_done(&ctx, h);
}
/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the
* double SHA256 of the serialization of all output value (8-byte
* little endian) with scriptPubKey (varInt for the length +
* script); */
static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx)
/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the double
* SHA256 of the serialization of all output value (8-byte little endian) with
* scriptPubKey (varInt for the length + script); If sighash type is SINGLE
* and the input index is smaller than the number of outputs, hashOutputs is
* the double SHA256 of the output amount with scriptPubKey of the same index
* as the input; */
static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx,
enum sighash_type sighash_type, unsigned int input_num)
{
struct sha256_ctx ctx;
size_t i;
sha256_init(&ctx);
for (i = 0; i < tal_count(tx->output); i++) {
if (sighash_single(sighash_type) && i != input_num)
continue;
push_le64(tx->output[i].amount, push_sha, &ctx);
push_varint_blob(tx->output[i].script, push_sha, &ctx);
}
@ -188,7 +214,8 @@ static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx)
static void hash_for_segwit(struct sha256_ctx *ctx,
const struct bitcoin_tx *tx,
unsigned int input_num,
const u8 *witness_script)
const u8 *witness_script,
enum sighash_type sighash_type)
{
struct sha256_double h;
@ -200,11 +227,11 @@ static void hash_for_segwit(struct sha256_ctx *ctx,
push_le32(tx->version, push_sha, ctx);
/* 2. hashPrevouts (32-byte hash) */
hash_prevouts(&h, tx);
hash_prevouts(&h, tx, sighash_type);
push_sha(&h, sizeof(h), ctx);
/* 3. hashSequence (32-byte hash) */
hash_sequence(&h, tx);
hash_sequence(&h, tx, sighash_type);
push_sha(&h, sizeof(h), ctx);
/* 4. outpoint (32-byte hash + 4-byte little endian) */
@ -222,7 +249,7 @@ static void hash_for_segwit(struct sha256_ctx *ctx,
push_le32(tx->input[input_num].sequence_number, push_sha, ctx);
/* 8. hashOutputs (32-byte hash) */
hash_outputs(&h, tx);
hash_outputs(&h, tx, sighash_type, input_num);
push_sha(&h, sizeof(h), ctx);
/* 9. nLocktime of the transaction (4-byte little endian) */
@ -232,21 +259,28 @@ static void hash_for_segwit(struct sha256_ctx *ctx,
void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
unsigned int input_num,
const u8 *script,
const u8 *witness_script)
const u8 *witness_script,
enum sighash_type sighash_type)
{
struct sha256_ctx ctx = SHA256_INIT;
assert(input_num < tal_count(tx->input));
if (witness_script) {
/* Only implemented and tested these two! */
assert(sighash_type == SIGHASH_ALL
|| sighash_type == (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY));
/* BIP143 hashing if OP_CHECKSIG is inside witness. */
hash_for_segwit(&ctx, tx, input_num, witness_script);
hash_for_segwit(&ctx, tx, input_num, witness_script,
sighash_type);
} else {
/* Never implemented anything else for old scheme. */
assert(sighash_type == SIGHASH_ALL);
/* Otherwise signature hashing never includes witness. */
push_tx(tx, script, input_num, push_sha, &ctx, false);
}
sha256_le32(&ctx, SIGHASH_ALL);
sha256_le32(&ctx, sighash_type);
sha256_double_done(&ctx, h);
}

6
bitcoin/tx.h

@ -43,11 +43,13 @@ struct bitcoin_tx_input {
/* SHA256^2 the tx: simpler than sha256_tx */
void bitcoin_txid(const struct bitcoin_tx *tx, struct bitcoin_txid *txid);
/* Useful for signature code. */
/* Useful for signature code. Only supports SIGHASH_ALL and
* (for segwit) SIGHASH_SINGLE|SIGHASH_ANYONECANPAY. */
void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx,
unsigned int input_num,
const u8 *script,
const u8 *witness_script);
const u8 *witness_script,
enum sighash_type sighash_type);
/* Linear bytes of tx. */
u8 *linearize_tx(const tal_t *ctx, const struct bitcoin_tx *tx);

Loading…
Cancel
Save