#include #include "pubkey.h" #include "script.h" #include "shadouble.h" #include "signature.h" #include "tx.h" #include #include #include #undef DEBUG #ifdef DEBUG #include #define SHA_FMT \ "%02x%02x%02x%02x%02x%02x%02x%02x" \ "%02x%02x%02x%02x%02x%02x%02x%02x" \ "%02x%02x%02x%02x%02x%02x%02x%02x" \ "%02x%02x%02x%02x%02x%02x%02x%02x" #define SHA_VALS(e) \ e[0], e[1], e[2], e[3], e[4], e[5], e[6], e[7], \ e[8], e[9], e[10], e[11], e[12], e[13], e[14], e[15], \ e[16], e[17], e[18], e[19], e[20], e[21], e[22], e[23], \ e[24], e[25], e[25], e[26], e[28], e[29], e[30], e[31] static void dump_tx(const char *msg, const struct bitcoin_tx *tx, size_t inputnum, const u8 *script, size_t script_len, const struct pubkey *key) { size_t i, j; warnx("%s tx version %u locktime %#x:", msg, tx->version, tx->lock_time); for (i = 0; i < tx->input_count; i++) { warnx("input[%zu].txid = "SHA_FMT, i, SHA_VALS(tx->input[i].txid.sha.u.u8)); warnx("input[%zu].index = %u", i, tx->input[i].index); } for (i = 0; i < tx->output_count; i++) { warnx("output[%zu].amount = %llu", i, (long long)tx->output[i].amount); warnx("output[%zu].script = %llu", i, (long long)tx->output[i].script_length); for (j = 0; j < tx->output[i].script_length; j++) fprintf(stderr, "%02x", tx->output[i].script[j]); fprintf(stderr, "\n"); } warnx("input[%zu].script = %zu", inputnum, script_len); for (i = 0; i < script_len; i++) fprintf(stderr, "%02x", script[i]); if (key) { fprintf(stderr, "\nPubkey: "); for (i = 0; i < pubkey_len(key); i++) fprintf(stderr, "%02x", key->key[i]); fprintf(stderr, "\n"); } } #else static void dump_tx(const char *msg, const struct bitcoin_tx *tx, size_t inputnum, const u8 *script, size_t script_len, const struct pubkey *key) { } #endif bool sign_hash(const tal_t *ctx, EC_KEY *private_key, const struct sha256_double *h, struct signature *s) { ECDSA_SIG *sig; int len; sig = ECDSA_do_sign(h->sha.u.u8, sizeof(*h), private_key); if (!sig) return false; /* See https://github.com/sipa/bitcoin/commit/a81cd9680. * There can only be one signature with an even S, so make sure we * get that one. */ if (BN_is_odd(sig->s)) { const EC_GROUP *group; BIGNUM order; BN_init(&order); group = EC_KEY_get0_group(private_key); EC_GROUP_get_order(group, &order, NULL); BN_sub(sig->s, &order, sig->s); BN_free(&order); assert(!BN_is_odd(sig->s)); } /* In case numbers are small. */ memset(s, 0, sizeof(*s)); /* Pack r and s into signature, 32 bytes each. */ len = BN_num_bytes(sig->r); assert(len <= sizeof(s->r)); BN_bn2bin(sig->r, s->r + sizeof(s->r) - len); len = BN_num_bytes(sig->s); assert(len <= sizeof(s->s)); BN_bn2bin(sig->s, s->s + sizeof(s->s) - len); ECDSA_SIG_free(sig); return true; } /* Only does SIGHASH_ALL */ static void sha256_tx_one_input(struct bitcoin_tx *tx, size_t input_num, const u8 *script, size_t script_len, struct sha256_double *hash) { struct sha256_ctx ctx = SHA256_INIT; size_t i; assert(input_num < tx->input_count); /* You must have all inputs zeroed to start. */ for (i = 0; i < tx->input_count; i++) assert(tx->input[i].script_length == 0); tx->input[input_num].script_length = script_len; tx->input[input_num].script = cast_const(u8 *, script); sha256_init(&ctx); sha256_tx_for_sig(&ctx, tx); sha256_le32(&ctx, SIGHASH_ALL); sha256_double_done(&ctx, hash); /* Reset it for next time. */ tx->input[input_num].script_length = 0; tx->input[input_num].script = NULL; } /* Only does SIGHASH_ALL */ bool sign_tx_input(const tal_t *ctx, struct bitcoin_tx *tx, unsigned int in, const u8 *subscript, size_t subscript_len, EC_KEY *privkey, const struct pubkey *key, struct signature *sig) { struct sha256_double hash; sha256_tx_one_input(tx, in, subscript, subscript_len, &hash); dump_tx("Signing", tx, in, subscript, subscript_len, key); return sign_hash(ctx, privkey, &hash, sig); } static bool check_signed_hash(const struct sha256_double *hash, const struct signature *signature, const struct pubkey *key) { bool ok = false; BIGNUM r, s; ECDSA_SIG sig = { &r, &s }; EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_secp256k1); const unsigned char *k = key->key; /* S must be even: https://github.com/sipa/bitcoin/commit/a81cd9680 */ assert((signature->s[31] & 1) == 0); /* Unpack public key. */ if (!o2i_ECPublicKey(&eckey, &k, pubkey_len(key))) goto out; /* Unpack signature. */ BN_init(&r); BN_init(&s); if (!BN_bin2bn(signature->r, sizeof(signature->r), &r) || !BN_bin2bn(signature->s, sizeof(signature->s), &s)) goto free_bns; /* Now verify hash with public key and signature. */ switch (ECDSA_do_verify(hash->sha.u.u8, sizeof(hash->sha.u), &sig, eckey)) { case 0: /* Invalid signature */ goto free_bns; case -1: /* Malformed or other error. */ goto free_bns; } ok = true; free_bns: BN_free(&r); BN_free(&s); out: EC_KEY_free(eckey); return ok; } bool check_tx_sig(struct bitcoin_tx *tx, size_t input_num, const u8 *redeemscript, size_t redeemscript_len, const struct pubkey *key, const struct bitcoin_signature *sig) { struct sha256_double hash; bool ret; assert(input_num < tx->input_count); sha256_tx_one_input(tx, input_num, redeemscript, redeemscript_len, &hash); /* We only use SIGHASH_ALL for the moment. */ if (sig->stype != SIGHASH_ALL) return false; ret = check_signed_hash(&hash, &sig->sig, key); if (!ret) dump_tx("Sig failed", tx, input_num, redeemscript, redeemscript_len, key); return ret; } bool check_2of2_sig(struct bitcoin_tx *tx, size_t input_num, const u8 *redeemscript, size_t redeemscript_len, const struct pubkey *key1, const struct pubkey *key2, const struct bitcoin_signature *sig1, const struct bitcoin_signature *sig2) { struct sha256_double hash; assert(input_num < tx->input_count); sha256_tx_one_input(tx, input_num, redeemscript, redeemscript_len, &hash); /* We only use SIGHASH_ALL for the moment. */ if (sig1->stype != SIGHASH_ALL || sig2->stype != SIGHASH_ALL) return false; return check_signed_hash(&hash, &sig1->sig, key1) && check_signed_hash(&hash, &sig2->sig, key2); } /* Stolen direct from bitcoin/src/script/sign.cpp: // Copyright (c) 2009-2010 Satoshi Nakamoto // Copyright (c) 2009-2014 The Bitcoin Core developers // Distributed under the MIT software license, see the accompanying // file COPYING or http://www.opensource.org/licenses/mit-license.php. */ static bool IsValidSignatureEncoding(const unsigned char sig[], size_t len) { // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash] // * total-length: 1-byte length descriptor of everything that follows, // excluding the sighash byte. // * R-length: 1-byte length descriptor of the R value that follows. // * R: arbitrary-length big-endian encoded R value. It must use the shortest // possible encoding for a positive integers (which means no null bytes at // the start, except a single one when the next byte has its highest bit set). // * S-length: 1-byte length descriptor of the S value that follows. // * S: arbitrary-length big-endian encoded S value. The same rules apply. // * sighash: 1-byte value indicating what data is hashed (not part of the DER // signature) // Minimum and maximum size constraints. if (len < 9) return false; if (len > 73) return false; // A signature is of type 0x30 (compound). if (sig[0] != 0x30) return false; // Make sure the length covers the entire signature. if (sig[1] != len - 3) return false; // Extract the length of the R element. unsigned int lenR = sig[3]; // Make sure the length of the S element is still inside the signature. if (5 + lenR >= len) return false; // Extract the length of the S element. unsigned int lenS = sig[5 + lenR]; // Verify that the length of the signature matches the sum of the length // of the elements. if ((size_t)(lenR + lenS + 7) != len) return false; // Check whether the R element is an integer. if (sig[2] != 0x02) return false; // Zero-length integers are not allowed for R. if (lenR == 0) return false; // Negative numbers are not allowed for R. if (sig[4] & 0x80) return false; // Null bytes at the start of R are not allowed, unless R would // otherwise be interpreted as a negative number. if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false; // Check whether the S element is an integer. if (sig[lenR + 4] != 0x02) return false; // Zero-length integers are not allowed for S. if (lenS == 0) return false; // Negative numbers are not allowed for S. if (sig[lenR + 6] & 0x80) return false; // Null bytes at the start of S are not allowed, unless S would otherwise be // interpreted as a negative number. if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false; return true; } /* DER encode a value, return length used. */ static size_t der_encode_val(const u8 *val, u8 *der) { size_t len = 0, val_len = 32; der[len++] = 0x2; /* value type. */ /* Strip leading zeroes. */ while (val_len && val[0] == 0) { val++; val_len--; } /* Add zero byte if it would otherwise be signed. */ if (val[0] & 0x80) { der[len++] = 1 + val_len; /* value length */ der[len++] = 0; } else der[len++] = val_len; /* value length */ memcpy(der + len, val, val_len); return len + val_len; } size_t signature_to_der(u8 der[72], const struct signature *sig) { size_t len = 0; der[len++] = 0x30; /* Type */ der[len++] = 0; /* Total length after this: fill it at end. */ len += der_encode_val(sig->r, der + len); len += der_encode_val(sig->s, der + len); /* Fix up total length */ der[1] = len - 2; /* IsValidSignatureEncoding() expect extra byte for sighash */ assert(IsValidSignatureEncoding(der, len + 1)); return len; }