You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

565 lines
14 KiB

#include <ccan/crypto/sha256/sha256.h>
#include <ccan/endian/endian.h>
#include <ccan/err/err.h>
#include <ccan/mem/mem.h>
#include <ccan/read_write_all/read_write_all.h>
#include <ccan/str/hex/hex.h>
#include <ccan/tal/grab_file/grab_file.h>
#include <assert.h>
#include "tx.h"
enum styles {
/* Add the CT padding stuff to amount. */
TX_AMOUNT_CT_STYLE = 1,
/* Whether to process CT rangeproof and noncecommitment. */
TX_AMOUNT_INCLUDE_CT = 2,
/* Process the txfee field. */
TX_FEE = 4,
/* Process the input script sig. */
TX_INPUT_SCRIPTSIG = 8,
/* Process the amounts for each input. */
TX_INPUT_AMOUNT = 16,
/* Process the same amounts for each input. */
TX_INPUT_AMOUNT_BUGGY = 32,
/* Process hash of rangeproof and noncecommitment in *output* amount,
* instead of rangeproof and noncecommitment themselves. */
TX_OUTPUT_AMOUNT_HASHPROOF = 64
};
#ifdef ALPHA_TXSTYLE
/* Linearizing has everything, except input amount (which is implied) */
#define LINEARIZE_STYLE (TX_AMOUNT_CT_STYLE | TX_AMOUNT_INCLUDE_CT | TX_FEE | TX_INPUT_SCRIPTSIG)
/* Alpha txids don't include input scripts, or rangeproof/txcommit in output */
#define TXID_STYLE (TX_AMOUNT_CT_STYLE | TX_FEE)
/* Alpha signatures sign the input script (assuming others are set to
* 0-len), as well as the input fee.
* They sign a hash of the rangeproof and noncecommitment for inputs,
* rather than the non rangeproof and noncecommitment themselves.
*
* For some reason they skip the txfee. */
#define SIG_STYLE (TX_AMOUNT_CT_STYLE | TX_AMOUNT_INCLUDE_CT | TX_INPUT_SCRIPTSIG | TX_INPUT_AMOUNT | TX_INPUT_AMOUNT_BUGGY | TX_OUTPUT_AMOUNT_HASHPROOF)
#else /* BITCOIN */
/* Process all the bitcoin fields. Works for txid, serialization and signing */
#define LINEARIZE_STYLE (TX_INPUT_SCRIPTSIG)
#define TXID_STYLE (TX_INPUT_SCRIPTSIG)
#define SIG_STYLE (TX_INPUT_SCRIPTSIG)
#endif
static void add_varint(varint_t v,
void (*add)(const void *, size_t, void *), void *addp,
enum styles style)
{
u8 buf[9], *p = buf;
if (v < 0xfd) {
*(p++) = v;
} else if (v <= 0xffff) {
(*p++) = 0xfd;
(*p++) = v;
(*p++) = v >> 8;
} else if (v <= 0xffffffff) {
(*p++) = 0xfe;
(*p++) = v;
(*p++) = v >> 8;
(*p++) = v >> 16;
(*p++) = v >> 24;
} else {
(*p++) = 0xff;
(*p++) = v;
(*p++) = v >> 8;
(*p++) = v >> 16;
(*p++) = v >> 24;
(*p++) = v >> 32;
(*p++) = v >> 40;
(*p++) = v >> 48;
(*p++) = v >> 56;
}
add(buf, p - buf, addp);
}
static void add_le32(u32 v,
void (*add)(const void *, size_t, void *), void *addp,
enum styles style)
{
le32 l = cpu_to_le32(v);
add(&l, sizeof(l), addp);
}
static void add_le64(u64 v,
void (*add)(const void *, size_t, void *), void *addp,
enum styles style)
{
le64 l = cpu_to_le64(v);
add(&l, sizeof(l), addp);
}
static void add_value(u64 amount,
void (*add)(const void *, size_t, void *),
void *addp,
bool output,
enum styles style)
{
if (style & TX_AMOUNT_CT_STYLE) {
/* The input is hashed as a 33 byte value (for CT); 25 0, then
* the big-endian value. */
static u8 zeroes[25];
be64 b = cpu_to_be64(amount);
add(zeroes, sizeof(zeroes), addp);
add(&b, sizeof(b), addp);
if (style & TX_AMOUNT_INCLUDE_CT) {
/* Two more zeroes: Rangeproof and Noncecommitment */
if (output && (style & TX_OUTPUT_AMOUNT_HASHPROOF)) {
struct sha256_double h;
sha256_double(&h, zeroes, 2);
add(&h, sizeof(h), addp);
} else {
add_varint(0, add, addp, style);
add_varint(0, add, addp, style);
}
}
} else {
add_le64(amount, add, addp, style);
}
}
static void add_input_value(u64 amount,
void (*add)(const void *, size_t, void *),
void *addp,
enum styles style)
{
return add_value(amount, add, addp, false, style);
}
static void add_output_value(u64 amount,
void (*add)(const void *, size_t, void *),
void *addp,
enum styles style)
{
return add_value(amount, add, addp, true, style);
}
static void add_tx_input(const struct bitcoin_tx_input *input,
void (*add)(const void *, size_t, void *), void *addp,
u64 dummy_amount,
enum styles style)
{
add(&input->txid, sizeof(input->txid), addp);
add_le32(input->index, add, addp, style);
if (style & TX_INPUT_AMOUNT) {
if (style & TX_INPUT_AMOUNT_BUGGY)
add_input_value(dummy_amount, add, addp, style);
else
add_input_value(input->input_amount, add, addp, style);
}
if (style & TX_INPUT_SCRIPTSIG) {
add_varint(input->script_length, add, addp, style);
add(input->script, input->script_length, addp);
}
add_le32(input->sequence_number, add, addp, style);
}
static void add_tx_output(const struct bitcoin_tx_output *output,
void (*add)(const void *, size_t, void *), void *addp,
enum styles style)
{
add_output_value(output->amount, add, addp, style);
add_varint(output->script_length, add, addp, style);
add(output->script, output->script_length, addp);
}
static void add_tx(const struct bitcoin_tx *tx,
void (*add)(const void *, size_t, void *), void *addp,
u64 dummy_amount,
enum styles style)
{
varint_t i;
add_le32(tx->version, add, addp, style);
add_varint(tx->input_count, add, addp, style);
for (i = 0; i < tx->input_count; i++)
add_tx_input(&tx->input[i], add, addp, dummy_amount, style);
if (style & TX_FEE)
add_le64(tx->fee, add, addp, style);
add_varint(tx->output_count, add, addp, style);
for (i = 0; i < tx->output_count; i++)
add_tx_output(&tx->output[i], add, addp, style);
add_le32(tx->lock_time, add, addp, style);
}
static void add_sha(const void *data, size_t len, void *shactx_)
{
struct sha256_ctx *ctx = shactx_;
sha256_update(ctx, memcheck(data, len), len);
}
void sha256_tx_for_sig(struct sha256_ctx *ctx, const struct bitcoin_tx *tx,
unsigned int input_num)
{
size_t i;
/* Caller should zero-out other scripts for signing! */
assert(input_num < tx->input_count);
for (i = 0; i < tx->input_count; i++)
if (i != input_num)
assert(tx->input[i].script_length == 0);
add_tx(tx, add_sha, ctx, tx->input[input_num].input_amount, SIG_STYLE);
}
static void add_linearize(const void *data, size_t len, void *pptr_)
{
u8 **pptr = pptr_;
size_t oldsize = tal_count(*pptr);
tal_resize(pptr, oldsize + len);
memcpy(*pptr + oldsize, memcheck(data, len), len);
}
u8 *linearize_tx(const tal_t *ctx, const struct bitcoin_tx *tx)
{
u8 *arr = tal_arr(ctx, u8, 0);
add_tx(tx, add_linearize, &arr, 0, LINEARIZE_STYLE);
return arr;
}
void bitcoin_txid(const struct bitcoin_tx *tx, struct sha256_double *txid)
{
struct sha256_ctx ctx = SHA256_INIT;
add_tx(tx, add_sha, &ctx, 0, TXID_STYLE);
sha256_double_done(&ctx, txid);
}
struct bitcoin_tx *bitcoin_tx(const tal_t *ctx, varint_t input_count,
varint_t output_count)
{
struct bitcoin_tx *tx = tal(ctx, struct bitcoin_tx);
size_t i;
tx->output_count = output_count;
tx->output = tal_arrz(tx, struct bitcoin_tx_output, output_count);
tx->input_count = input_count;
tx->input = tal_arrz(tx, struct bitcoin_tx_input, input_count);
for (i = 0; i < tx->input_count; i++) {
/* We assume NULL is a zero bitmap */
assert(tx->input[i].script == NULL);
tx->input[i].sequence_number = 0xFFFFFFFF;
}
tx->lock_time = 0;
#ifdef HAS_BIP68
tx->version = 2;
#else
tx->version = 1;
#endif
return tx;
}
/* Sets *cursor to NULL and returns NULL when a pull fails. */
static const u8 *pull(const u8 **cursor, size_t *max, void *copy, size_t n)
{
const u8 *p = *cursor;
if (*max < n) {
*cursor = NULL;
*max = 0;
/* Just make sure we don't leak uninitialized mem! */
if (copy)
memset(copy, 0, n);
return NULL;
}
*cursor += n;
*max -= n;
if (copy)
memcpy(copy, p, n);
return memcheck(p, n);
}
static u64 pull_varint(const u8 **cursor, size_t *max)
{
u64 ret;
const u8 *p;
p = pull(cursor, max, NULL, 1);
if (!p)
return 0;
if (*p < 0xfd) {
ret = *p;
} else if (*p == 0xfd) {
p = pull(cursor, max, NULL, 2);
if (!p)
return 0;
ret = ((u64)p[1] << 8) + p[0];
} else if (*p == 0xfe) {
p = pull(cursor, max, NULL, 4);
if (!p)
return 0;
ret = ((u64)p[3] << 24) + ((u64)p[2] << 16)
+ ((u64)p[1] << 8) + p[0];
} else {
p = pull(cursor, max, NULL, 8);
if (!p)
return 0;
ret = ((u64)p[7] << 56) + ((u64)p[6] << 48)
+ ((u64)p[5] << 40) + ((u64)p[4] << 32)
+ ((u64)p[3] << 24) + ((u64)p[2] << 16)
+ ((u64)p[1] << 8) + p[0];
}
return ret;
}
static u32 pull_le32(const u8 **cursor, size_t *max)
{
le32 ret;
if (!pull(cursor, max, &ret, sizeof(ret)))
return 0;
return le32_to_cpu(ret);
}
static u64 pull_le64(const u8 **cursor, size_t *max)
{
le64 ret;
if (!pull(cursor, max, &ret, sizeof(ret)))
return 0;
return le64_to_cpu(ret);
}
static bool pull_sha256_double(const u8 **cursor, size_t *max,
struct sha256_double *h)
{
return pull(cursor, max, h, sizeof(*h));
}
static u64 pull_value(const u8 **cursor, size_t *max)
{
u64 amount;
if (LINEARIZE_STYLE & TX_AMOUNT_CT_STYLE) {
/* The input is hashed as a 33 byte value (for CT); 25 0, then
* the big-endian value. */
u8 zeroes[25];
be64 b;
if (!pull(cursor, max, zeroes, sizeof(zeroes)))
return 0;
/* We don't handle CT amounts. */
if (zeroes[0] != 0)
goto fail;
if (!pull(cursor, max, &b, sizeof(b)))
return 0;
amount = be64_to_cpu(b);
if (LINEARIZE_STYLE & TX_AMOUNT_INCLUDE_CT) {
varint_t rp, nc;
rp = pull_varint(cursor, max);
nc = pull_varint(cursor, max);
if (rp != 0 || nc != 0)
goto fail;
}
} else {
amount = pull_le64(cursor, max);
}
return amount;
fail:
/* Simulate EOF */
*cursor = NULL;
*max = 0;
return 0;
}
static void pull_input(const tal_t *ctx, const u8 **cursor, size_t *max,
struct bitcoin_tx_input *input)
{
pull_sha256_double(cursor, max, &input->txid);
input->index = pull_le32(cursor, max);
if (LINEARIZE_STYLE & TX_INPUT_AMOUNT) {
input->input_amount = pull_value(cursor, max);
}
if (LINEARIZE_STYLE & TX_INPUT_SCRIPTSIG) {
input->script_length = pull_varint(cursor, max);
input->script = tal_arr(ctx, u8, input->script_length);
pull(cursor, max, input->script, input->script_length);
}
input->sequence_number = pull_le32(cursor, max);
}
static void pull_output(const tal_t *ctx, const u8 **cursor, size_t *max,
struct bitcoin_tx_output *output)
{
output->amount = pull_value(cursor, max);
output->script_length = pull_varint(cursor, max);
output->script = tal_arr(ctx, u8, output->script_length);
pull(cursor, max, output->script, output->script_length);
}
static struct bitcoin_tx *pull_bitcoin_tx(const tal_t *ctx,
const u8 **cursor, size_t *max)
{
struct bitcoin_tx *tx = tal(ctx, struct bitcoin_tx);
size_t i;
tx->version = pull_le32(cursor, max);
tx->input_count = pull_varint(cursor, max);
tx->input = tal_arr(tx, struct bitcoin_tx_input, tx->input_count);
for (i = 0; i < tx->input_count; i++)
pull_input(tx, cursor, max, tx->input + i);
if (LINEARIZE_STYLE & TX_FEE)
tx->fee = pull_le64(cursor, max);
tx->output_count = pull_varint(cursor, max);
tx->output = tal_arr(ctx, struct bitcoin_tx_output, tx->output_count);
for (i = 0; i < tx->output_count; i++)
pull_output(tx, cursor, max, tx->output + i);
tx->lock_time = pull_le32(cursor, max);
/* If we ran short, or have bytes left over, fail. */
if (!*cursor || *max != 0)
tx = tal_free(tx);
return tx;
}
struct bitcoin_tx *bitcoin_tx_from_file(const tal_t *ctx,
const char *filename)
{
char *hex, *end;
u8 *linear_tx;
const u8 *p;
struct bitcoin_tx *tx;
size_t len;
/* Grabs file, add nul at end. */
hex = grab_file(ctx, filename);
if (!hex)
err(1, "Opening %s", filename);
if (strends(hex, "\n"))
hex[strlen(hex)-1] = '\0';
end = strchr(hex, ':');
if (!end)
end = hex + strlen(hex);
len = hex_data_size(end - hex);
p = linear_tx = tal_arr(hex, u8, len);
if (!hex_decode(hex, end - hex, linear_tx, len))
errx(1, "Bad hex string in %s", filename);
tx = pull_bitcoin_tx(ctx, &p, &len);
if (!tx)
errx(1, "Bad transaction in %s", filename);
/* Optional appended [:input-amount]* */
for (len = 0; len < tx->input_count; len++) {
if (*end != ':')
break;
tx->input[len].input_amount = strtoull(end + 1, &end, 10);
}
if (len == tx->input_count) {
if (*end != '\0')
errx(1, "Additional input amounts appended to %s",
filename);
} else {
/* Input amounts are compulsory for alpha, to generate sigs */
#ifdef ALPHA_TXSTYLE
errx(1, "No input amount #%zu in %s", len, filename);
#endif
}
tal_free(hex);
return tx;
}
/* <sigh>. Bitcoind represents hashes as little-endian for RPC. This didn't
* stick for blockids (everyone else uses big-endian, eg. block explorers),
* but it did stick for txids. */
static void reverse_bytes(u8 *arr, size_t len)
{
unsigned int i;
for (i = 0; i < len / 2; i++) {
unsigned char tmp = arr[i];
arr[i] = arr[len - 1 - i];
arr[len - 1 - i] = tmp;
}
}
bool bitcoin_txid_from_hex(const char *hexstr, size_t hexstr_len,
struct sha256_double *txid)
{
if (!hex_decode(hexstr, hexstr_len, txid, sizeof(*txid)))
return false;
reverse_bytes(txid->sha.u.u8, sizeof(txid->sha.u.u8));
return true;
}
bool bitcoin_txid_to_hex(const struct sha256_double *txid,
char *hexstr, size_t hexstr_len)
{
struct sha256_double rev = *txid;
reverse_bytes(rev.sha.u.u8, sizeof(rev.sha.u.u8));
return hex_encode(&rev, sizeof(rev), hexstr, hexstr_len);
}
static bool write_input_amounts(int fd, const struct bitcoin_tx *tx)
{
/* Alpha required input amounts, so append them */
#ifdef ALPHA_TXSTYLE
size_t i;
for (i = 0; i < tx->input_count; i++) {
char str[1 + STR_MAX_CHARS(tx->input[i].input_amount)];
sprintf(str, ":%llu",
(unsigned long long)tx->input[i].input_amount);
if (!write_all(fd, str, strlen(str)))
return false;
}
#endif
return true;
}
bool bitcoin_tx_write(int fd, const struct bitcoin_tx *tx)
{
u8 *tx_arr;
char *tx_hex;
bool ok;
tx_arr = linearize_tx(NULL, tx);
tx_hex = tal_arr(tx_arr, char, hex_str_size(tal_count(tx_arr)));
hex_encode(tx_arr, tal_count(tx_arr), tx_hex, tal_count(tx_hex));
ok = write_all(fd, tx_hex, strlen(tx_hex))
&& write_input_amounts(fd, tx);
tal_free(tx_arr);
return ok;
}
u32 bitcoin_nsequence(u32 locktime)
{
#ifdef HAS_BIP68
/* BIP66 style sequence numbers */
if (locktime >= 500000000)
/* A relative time. Set bit 30, shift by 5. */
return 0x40000000 | ((locktime - 500000000) << 5);
else
/* A block height. Shift by 14. */
return locktime << 14;
#else
/* Alpha uses the original proposal: simply invert the bits. */
return ~locktime;
#endif
}