From b7da41e674c06c4101b389842a14f695cb29520e Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Mon, 3 Dec 2018 09:45:06 +1030 Subject: [PATCH] bitcoin/signature: implement SIGHASH_SINGLE|SIGHASH_ANYONECANPAY for segwit. option_simplified_commitment wants this for HTLC txs. Signed-off-by: Rusty Russell --- bitcoin/signature.c | 20 ++++++++---- bitcoin/signature.h | 15 ++++++++- bitcoin/tx.c | 78 ++++++++++++++++++++++++++++++++------------- bitcoin/tx.h | 6 ++-- 4 files changed, 88 insertions(+), 31 deletions(-) diff --git a/bitcoin/signature.c b/bitcoin/signature.c index fd2396bbd..655948265 100644 --- a/bitcoin/signature.c +++ b/bitcoin/signature.c @@ -88,19 +88,19 @@ void sign_hash(const struct privkey *privkey, assert(ok); } -/* Only does SIGHASH_ALL */ static void sha256_tx_one_input(const struct bitcoin_tx *tx, size_t input_num, const u8 *script, const u8 *witness_script, + enum sighash_type sighash_type, struct sha256_double *hash) { assert(input_num < tal_count(tx->input)); - sha256_tx_for_sig(hash, tx, input_num, script, witness_script); + sha256_tx_for_sig(hash, tx, input_num, script, witness_script, + sighash_type); } -/* Only does SIGHASH_ALL */ void sign_tx_input(const struct bitcoin_tx *tx, unsigned int in, const u8 *subscript, @@ -113,7 +113,8 @@ void sign_tx_input(const struct bitcoin_tx *tx, assert(sighash_type_valid(sighash_type)); sig->sighash_type = sighash_type; - sha256_tx_one_input(tx, in, subscript, witness_script, &hash); + sha256_tx_one_input(tx, in, subscript, witness_script, + sighash_type, &hash); dump_tx("Signing", tx, in, subscript, key, &hash); sign_hash(privkey, &hash, &sig->s); } @@ -139,10 +140,17 @@ bool check_tx_sig(const struct bitcoin_tx *tx, size_t input_num, struct sha256_double hash; bool ret; - assert(sig->sighash_type == SIGHASH_ALL); + /* We only support a limited subset of sighash types. */ + if (sig->sighash_type != SIGHASH_ALL) { + if (!witness_script) + return false; + if (sig->sighash_type != (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY)) + return false; + } assert(input_num < tal_count(tx->input)); - sha256_tx_one_input(tx, input_num, redeemscript, witness_script, &hash); + sha256_tx_one_input(tx, input_num, redeemscript, witness_script, + sig->sighash_type, &hash); ret = check_signed_hash(&hash, &sig->s, key); if (!ret) diff --git a/bitcoin/signature.h b/bitcoin/signature.h index f2066df7b..e5195e197 100644 --- a/bitcoin/signature.h +++ b/bitcoin/signature.h @@ -18,10 +18,23 @@ enum sighash_type { SIGHASH_ANYONECANPAY = 0x80 }; +#define SIGHASH_MASK 0x7F + +static inline bool sighash_single(enum sighash_type sighash_type) +{ + return (sighash_type & SIGHASH_MASK) == SIGHASH_SINGLE; +} + +static inline bool sighash_anyonecanpay(enum sighash_type sighash_type) +{ + return (sighash_type & SIGHASH_ANYONECANPAY) == SIGHASH_ANYONECANPAY; +} + /* We only support a limited range of sighash_type */ static inline bool sighash_type_valid(const enum sighash_type sighash_type) { - return sighash_type == SIGHASH_ALL; + return sighash_type == SIGHASH_ALL + || sighash_type == (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY); } /** diff --git a/bitcoin/tx.c b/bitcoin/tx.c index 28bb82bfa..bfcbe96df 100644 --- a/bitcoin/tx.c +++ b/bitcoin/tx.c @@ -13,6 +13,8 @@ #define SEGREGATED_WITNESS_FLAG 0x1 +static struct sha256_double all_zeroes; + static void push_tx_input(const struct bitcoin_tx_input *input, const u8 *input_script, void (*push)(const void *, size_t, void *), void *pushp) @@ -81,11 +83,15 @@ static void push_witnesses(const struct bitcoin_tx *tx, /* For signing, we ignore input scripts on other inputs, and pretend * the current input has a certain script: this is indicated by a - * non-NULL override_script, and setting override_script_index to the - * input number to replace. */ + * non-NULL override_script. + * + * For this (and other signing weirdness like SIGHASH_SINGLE), we + * also need the current input being signed; that's in input_num. + * We also need sighash_type. + */ static void push_tx(const struct bitcoin_tx *tx, const u8 *override_script, - size_t override_script_index, + size_t input_num, void (*push)(const void *, size_t, void *), void *pushp, bool bip144) { @@ -112,7 +118,7 @@ static void push_tx(const struct bitcoin_tx *tx, for (i = 0; i < tal_count(tx->input); i++) { const u8 *input_script = tx->input[i].script; if (override_script) { - if (override_script_index == i) + if (input_num == i) input_script = override_script; else input_script = NULL; @@ -136,14 +142,21 @@ static void push_sha(const void *data, size_t len, void *shactx_) sha256_update(ctx, memcheck(data, len), len); } -static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx) +static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx, + enum sighash_type sighash_type) { struct sha256_ctx ctx; size_t i; /* BIP143: If the ANYONECANPAY flag is not set, hashPrevouts is the * double SHA256 of the serialization of all input - * outpoints */ + * outpoints; Otherwise, hashPrevouts is a uint256 of 0x0000......0000. + */ + if (sighash_anyonecanpay(sighash_type)) { + *h = all_zeroes; + return; + } + sha256_init(&ctx); for (i = 0; i < tal_count(tx->input); i++) { push_sha(&tx->input[i].txid, sizeof(tx->input[i].txid), &ctx); @@ -152,14 +165,21 @@ static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx) sha256_double_done(&ctx, h); } -static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx) +static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx, + enum sighash_type sighash_type) { struct sha256_ctx ctx; size_t i; - /* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type - * is set, hashSequence is the double SHA256 of the serialization - * of nSequence of all inputs */ + /* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type is + * set, hashSequence is the double SHA256 of the serialization of + * nSequence of all inputs; Otherwise, hashSequence is a uint256 of + * 0x0000......0000. */ + if (sighash_anyonecanpay(sighash_type) || sighash_single(sighash_type)) { + *h = all_zeroes; + return; + } + sha256_init(&ctx); for (i = 0; i < tal_count(tx->input); i++) push_le32(tx->input[i].sequence_number, push_sha, &ctx); @@ -167,17 +187,23 @@ static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx) sha256_double_done(&ctx, h); } -/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the - * double SHA256 of the serialization of all output value (8-byte - * little endian) with scriptPubKey (varInt for the length + - * script); */ -static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx) +/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the double + * SHA256 of the serialization of all output value (8-byte little endian) with + * scriptPubKey (varInt for the length + script); If sighash type is SINGLE + * and the input index is smaller than the number of outputs, hashOutputs is + * the double SHA256 of the output amount with scriptPubKey of the same index + * as the input; */ +static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx, + enum sighash_type sighash_type, unsigned int input_num) { struct sha256_ctx ctx; size_t i; sha256_init(&ctx); for (i = 0; i < tal_count(tx->output); i++) { + if (sighash_single(sighash_type) && i != input_num) + continue; + push_le64(tx->output[i].amount, push_sha, &ctx); push_varint_blob(tx->output[i].script, push_sha, &ctx); } @@ -188,7 +214,8 @@ static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx) static void hash_for_segwit(struct sha256_ctx *ctx, const struct bitcoin_tx *tx, unsigned int input_num, - const u8 *witness_script) + const u8 *witness_script, + enum sighash_type sighash_type) { struct sha256_double h; @@ -200,11 +227,11 @@ static void hash_for_segwit(struct sha256_ctx *ctx, push_le32(tx->version, push_sha, ctx); /* 2. hashPrevouts (32-byte hash) */ - hash_prevouts(&h, tx); + hash_prevouts(&h, tx, sighash_type); push_sha(&h, sizeof(h), ctx); /* 3. hashSequence (32-byte hash) */ - hash_sequence(&h, tx); + hash_sequence(&h, tx, sighash_type); push_sha(&h, sizeof(h), ctx); /* 4. outpoint (32-byte hash + 4-byte little endian) */ @@ -222,7 +249,7 @@ static void hash_for_segwit(struct sha256_ctx *ctx, push_le32(tx->input[input_num].sequence_number, push_sha, ctx); /* 8. hashOutputs (32-byte hash) */ - hash_outputs(&h, tx); + hash_outputs(&h, tx, sighash_type, input_num); push_sha(&h, sizeof(h), ctx); /* 9. nLocktime of the transaction (4-byte little endian) */ @@ -232,21 +259,28 @@ static void hash_for_segwit(struct sha256_ctx *ctx, void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx, unsigned int input_num, const u8 *script, - const u8 *witness_script) + const u8 *witness_script, + enum sighash_type sighash_type) { struct sha256_ctx ctx = SHA256_INIT; assert(input_num < tal_count(tx->input)); if (witness_script) { + /* Only implemented and tested these two! */ + assert(sighash_type == SIGHASH_ALL + || sighash_type == (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY)); /* BIP143 hashing if OP_CHECKSIG is inside witness. */ - hash_for_segwit(&ctx, tx, input_num, witness_script); + hash_for_segwit(&ctx, tx, input_num, witness_script, + sighash_type); } else { + /* Never implemented anything else for old scheme. */ + assert(sighash_type == SIGHASH_ALL); /* Otherwise signature hashing never includes witness. */ push_tx(tx, script, input_num, push_sha, &ctx, false); } - sha256_le32(&ctx, SIGHASH_ALL); + sha256_le32(&ctx, sighash_type); sha256_double_done(&ctx, h); } diff --git a/bitcoin/tx.h b/bitcoin/tx.h index 28dd820bc..9298ab531 100644 --- a/bitcoin/tx.h +++ b/bitcoin/tx.h @@ -43,11 +43,13 @@ struct bitcoin_tx_input { /* SHA256^2 the tx: simpler than sha256_tx */ void bitcoin_txid(const struct bitcoin_tx *tx, struct bitcoin_txid *txid); -/* Useful for signature code. */ +/* Useful for signature code. Only supports SIGHASH_ALL and + * (for segwit) SIGHASH_SINGLE|SIGHASH_ANYONECANPAY. */ void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx, unsigned int input_num, const u8 *script, - const u8 *witness_script); + const u8 *witness_script, + enum sighash_type sighash_type); /* Linear bytes of tx. */ u8 *linearize_tx(const tal_t *ctx, const struct bitcoin_tx *tx);