From df5d4e3c10e4a80e01a04bfd981ed92b159bf04d Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Tue, 12 Apr 2016 13:05:51 +0930 Subject: [PATCH] bitcoin/signature: BIP143 signature support. We hand in the witness_script: if non-NULL, we use BIP143-style signature hash creation. Signed-off-by: Rusty Russell --- bitcoin/signature.c | 13 ++++-- bitcoin/signature.h | 3 ++ bitcoin/tx.c | 107 +++++++++++++++++++++++++++++++++++++++++++- bitcoin/tx.h | 3 +- daemon/packets.c | 2 + daemon/secrets.c | 4 ++ 6 files changed, 125 insertions(+), 7 deletions(-) diff --git a/bitcoin/signature.c b/bitcoin/signature.c index 6b796b930..861dac746 100644 --- a/bitcoin/signature.c +++ b/bitcoin/signature.c @@ -91,6 +91,7 @@ void sign_hash(secp256k1_context *secpctx, static void sha256_tx_one_input(struct bitcoin_tx *tx, size_t input_num, const u8 *script, size_t script_len, + const u8 *witness_script, struct sha256_double *hash) { size_t i; @@ -104,7 +105,7 @@ static void sha256_tx_one_input(struct bitcoin_tx *tx, tx->input[input_num].script_length = script_len; tx->input[input_num].script = cast_const(u8 *, script); - sha256_tx_for_sig(hash, tx, input_num, SIGHASH_ALL); + sha256_tx_for_sig(hash, tx, input_num, SIGHASH_ALL, witness_script); /* Reset it for next time. */ tx->input[input_num].script_length = 0; @@ -116,12 +117,14 @@ void sign_tx_input(secp256k1_context *secpctx, struct bitcoin_tx *tx, unsigned int in, const u8 *subscript, size_t subscript_len, + const u8 *witness_script, const struct privkey *privkey, const struct pubkey *key, struct signature *sig) { struct sha256_double hash; - sha256_tx_one_input(tx, in, subscript, subscript_len, &hash); + sha256_tx_one_input(tx, in, subscript, subscript_len, witness_script, + &hash); dump_tx("Signing", tx, in, subscript, subscript_len, key, &hash); sign_hash(secpctx, privkey, &hash, sig); } @@ -142,6 +145,7 @@ bool check_signed_hash(secp256k1_context *secpctx, bool check_tx_sig(secp256k1_context *secpctx, struct bitcoin_tx *tx, size_t input_num, const u8 *redeemscript, size_t redeemscript_len, + const u8 *witness_script, const struct pubkey *key, const struct bitcoin_signature *sig) { @@ -151,7 +155,7 @@ bool check_tx_sig(secp256k1_context *secpctx, assert(input_num < tx->input_count); sha256_tx_one_input(tx, input_num, redeemscript, redeemscript_len, - &hash); + witness_script, &hash); /* We only use SIGHASH_ALL for the moment. */ if (sig->stype != SIGHASH_ALL) @@ -167,6 +171,7 @@ bool check_tx_sig(secp256k1_context *secpctx, bool check_2of2_sig(secp256k1_context *secpctx, struct bitcoin_tx *tx, size_t input_num, const u8 *redeemscript, size_t redeemscript_len, + const u8 *witness, const struct pubkey *key1, const struct pubkey *key2, const struct bitcoin_signature *sig1, const struct bitcoin_signature *sig2) @@ -175,7 +180,7 @@ bool check_2of2_sig(secp256k1_context *secpctx, assert(input_num < tx->input_count); sha256_tx_one_input(tx, input_num, redeemscript, redeemscript_len, - &hash); + witness, &hash); /* We only use SIGHASH_ALL for the moment. */ if (sig1->stype != SIGHASH_ALL || sig2->stype != SIGHASH_ALL) diff --git a/bitcoin/signature.h b/bitcoin/signature.h index 112b78120..768896c82 100644 --- a/bitcoin/signature.h +++ b/bitcoin/signature.h @@ -39,6 +39,7 @@ void sign_tx_input(secp256k1_context *secpctx, struct bitcoin_tx *tx, unsigned int in, const u8 *subscript, size_t subscript_len, + const u8 *witness, const struct privkey *privkey, const struct pubkey *pubkey, struct signature *sig); @@ -46,12 +47,14 @@ void sign_tx_input(secp256k1_context *secpctx, bool check_tx_sig(secp256k1_context *secpctx, struct bitcoin_tx *tx, size_t input_num, const u8 *redeemscript, size_t redeemscript_len, + const u8 *witness, const struct pubkey *key, const struct bitcoin_signature *sig); bool check_2of2_sig(secp256k1_context *secpctx, struct bitcoin_tx *tx, size_t input_num, const u8 *redeemscript, size_t redeemscript_len, + const u8 *witness, const struct pubkey *key1, const struct pubkey *key2, const struct bitcoin_signature *sig1, const struct bitcoin_signature *sig2); diff --git a/bitcoin/tx.c b/bitcoin/tx.c index 4b59c730c..bace90079 100644 --- a/bitcoin/tx.c +++ b/bitcoin/tx.c @@ -171,8 +171,104 @@ static void add_sha(const void *data, size_t len, void *shactx_) sha256_update(ctx, memcheck(data, len), len); } +static void hash_prevouts(struct sha256_double *h, const struct bitcoin_tx *tx) +{ + struct sha256_ctx ctx; + size_t i; + + /* BIP143: If the ANYONECANPAY flag is not set, hashPrevouts is the + * double SHA256 of the serialization of all input + * outpoints */ + sha256_init(&ctx); + for (i = 0; i < tx->input_count; i++) { + add_sha(&tx->input[i].txid, sizeof(tx->input[i].txid), &ctx); + add_le32(tx->input[i].index, add_sha, &ctx); + } + sha256_double_done(&ctx, h); +} + +static void hash_sequence(struct sha256_double *h, const struct bitcoin_tx *tx) +{ + struct sha256_ctx ctx; + size_t i; + + /* BIP143: If none of the ANYONECANPAY, SINGLE, NONE sighash type + * is set, hashSequence is the double SHA256 of the serialization + * of nSequence of all inputs */ + sha256_init(&ctx); + for (i = 0; i < tx->input_count; i++) + add_le32(tx->input[i].sequence_number, add_sha, &ctx); + + sha256_double_done(&ctx, h); +} + +/* If the sighash type is neither SINGLE nor NONE, hashOutputs is the + * double SHA256 of the serialization of all output value (8-byte + * little endian) with scriptPubKey (varInt for the length + + * script); */ +static void hash_outputs(struct sha256_double *h, const struct bitcoin_tx *tx) +{ + struct sha256_ctx ctx; + size_t i; + + sha256_init(&ctx); + for (i = 0; i < tx->output_count; i++) { + add_le64(tx->output[i].amount, add_sha, &ctx); + add_varint_blob(tx->output[i].script, + tx->output[i].script_length, + add_sha, &ctx); + } + + sha256_double_done(&ctx, h); +} + +static void hash_for_segwit(struct sha256_ctx *ctx, + const struct bitcoin_tx *tx, + unsigned int input_num, + const u8 *witness_script) +{ + struct sha256_double h; + + /* BIP143: + * + * Double SHA256 of the serialization of: + * 1. nVersion of the transaction (4-byte little endian) + */ + add_le32(tx->version, add_sha, ctx); + + /* 2. hashPrevouts (32-byte hash) */ + hash_prevouts(&h, tx); + add_sha(&h, sizeof(h), ctx); + + /* 3. hashSequence (32-byte hash) */ + hash_sequence(&h, tx); + add_sha(&h, sizeof(h), ctx); + + /* 4. outpoint (32-byte hash + 4-byte little endian) */ + add_sha(&tx->input[input_num].txid, sizeof(tx->input[input_num].txid), + ctx); + add_le32(tx->input[input_num].index, add_sha, ctx); + + /* 5. scriptCode of the input (varInt for the length + script) */ + add_varint_blob(witness_script, tal_count(witness_script), add_sha, ctx); + + /* 6. value of the output spent by this input (8-byte little end) */ + add_le64(*tx->input[input_num].amount, add_sha, ctx); + + /* 7. nSequence of the input (4-byte little endian) */ + add_le32(tx->input[input_num].sequence_number, add_sha, ctx); + + /* 8. hashOutputs (32-byte hash) */ + hash_outputs(&h, tx); + add_sha(&h, sizeof(h), ctx); + + /* 9. nLocktime of the transaction (4-byte little endian) */ + add_le32(tx->lock_time, add_sha, ctx); +} + void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx, - unsigned int input_num, enum sighash_type stype) + unsigned int input_num, enum sighash_type stype, + const u8 *witness_script) { size_t i; struct sha256_ctx ctx = SHA256_INIT; @@ -185,7 +281,14 @@ void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx, for (i = 0; i < tx->input_count; i++) if (i != input_num) assert(tx->input[i].script_length == 0); - add_tx(tx, add_sha, &ctx, false); + + if (witness_script) { + /* BIP143 hashing if OP_CHECKSIG is inside witness. */ + hash_for_segwit(&ctx, tx, input_num, witness_script); + } else { + /* Otherwise signature hashing never includes witness. */ + add_tx(tx, add_sha, &ctx, false); + } sha256_le32(&ctx, stype); sha256_double_done(&ctx, h); diff --git a/bitcoin/tx.h b/bitcoin/tx.h index 831c824be..31f5ae059 100644 --- a/bitcoin/tx.h +++ b/bitcoin/tx.h @@ -45,7 +45,8 @@ void bitcoin_txid(const struct bitcoin_tx *tx, struct sha256_double *txid); /* Useful for signature code. */ void sha256_tx_for_sig(struct sha256_double *h, const struct bitcoin_tx *tx, - unsigned int input_num, enum sighash_type stype); + unsigned int input_num, enum sighash_type stype, + const u8 *witness_script); /* Linear bytes of tx. */ u8 *linearize_tx(const tal_t *ctx, const struct bitcoin_tx *tx); diff --git a/daemon/packets.c b/daemon/packets.c index 230d4076d..d1393f4bf 100644 --- a/daemon/packets.c +++ b/daemon/packets.c @@ -487,6 +487,7 @@ static Pkt *check_and_save_commit_sig(struct peer *peer, ci->tx, 0, peer->anchor.redeemscript, tal_count(peer->anchor.redeemscript), + NULL, &peer->them.commitkey, ci->sig)) return pkt_err(peer, "Bad signature"); @@ -806,6 +807,7 @@ Pkt *accept_pkt_close_sig(struct peer *peer, const Pkt *pkt, bool *acked, if (!check_tx_sig(peer->dstate->secpctx, close_tx, 0, peer->anchor.redeemscript, tal_count(peer->anchor.redeemscript), + NULL, &peer->them.commitkey, &theirsig)) return pkt_err(peer, "Invalid signature"); diff --git a/daemon/secrets.c b/daemon/secrets.c index bf4120384..80d9c9947 100644 --- a/daemon/secrets.c +++ b/daemon/secrets.c @@ -50,6 +50,7 @@ void peer_sign_theircommit(const struct peer *peer, commit, 0, peer->anchor.redeemscript, tal_count(peer->anchor.redeemscript), + NULL, &peer->secrets->commit, &peer->us.commitkey, sig); @@ -64,6 +65,7 @@ void peer_sign_ourcommit(const struct peer *peer, commit, 0, peer->anchor.redeemscript, tal_count(peer->anchor.redeemscript), + NULL, &peer->secrets->commit, &peer->us.commitkey, sig); @@ -79,6 +81,7 @@ void peer_sign_spend(const struct peer *peer, spend, 0, commit_redeemscript, tal_count(commit_redeemscript), + NULL, &peer->secrets->final, &peer->us.finalkey, sig); @@ -92,6 +95,7 @@ void peer_sign_mutual_close(const struct peer *peer, close, 0, peer->anchor.redeemscript, tal_count(peer->anchor.redeemscript), + NULL, &peer->secrets->commit, &peer->us.commitkey, sig);