/* A common script pattern: A can have it with secret, or B can have
* it after delay. */
u8 *bitcoin_redeem_secret_or_delay(const tal_t *ctx,
const struct pubkey *delayed_key,
u32 locktime,
const struct pubkey *key_if_secret_known,
const struct sha256 *hash_of_secret)
{
struct ripemd160 ripemd;
le32 locktime_le = cpu_to_le32(locktime);
u8 *script = tal_arr(ctx, u8, 0);
ripemd160(&ripemd, hash_of_secret->u.u8, sizeof(hash_of_secret->u));
/* If the secret is supplied.... */
add_op(&script, OP_HASH160);
add_push_bytes(&script, ripemd.u.u8, sizeof(ripemd.u.u8));
add_op(&script, OP_EQUAL);
add_op(&script, OP_IF);
/* They can collect the funds. */
add_push_key(&script, key_if_secret_known);
add_op(&script, OP_ELSE);
/* Other can collect after a delay. */
add_push_bytes(&script, &locktime_le, sizeof(locktime_le));
add_op(&script, OP_CHECKSEQUENCEVERIFY);
add_op(&script, OP_DROP);
add_push_key(&script, delayed_key);
add_op(&script, OP_ENDIF);
add_op(&script, OP_CHECKSIG);
return script;
}
/* Create a script for our HTLC output: receiving. */
u8 *scriptpubkey_htlc_recv(const tal_t *ctx,
const struct pubkey *ourkey,
const struct pubkey *theirkey,
uint32_t htlc_abstimeout,
uint32_t locktime,
const struct sha256 *commit_revoke,
const struct sha256 *rhash)
{
/* R value presented: -> us.
* Commit revocation value presented: -> them.
* HTLC times out -> them. */
u8 *script = tal_arr(ctx, u8, 0);
struct ripemd160 ripemd;
add_op(&script, OP_HASH160);
add_op(&script, OP_DUP);
/* Did we supply HTLC R value? */
ripemd160(&ripemd, rhash->u.u8, sizeof(rhash->u));
add_push_bytes(&script, &ripemd, sizeof(ripemd));
add_op(&script, OP_EQUAL);
add_op(&script, OP_IF);
add_push_le32(&script, locktime);
add_op(&script, OP_CHECKSEQUENCEVERIFY);
/* Drop extra hash as well as locktime. */
add_op(&script, OP_2DROP);
add_push_key(&script, ourkey);
add_op(&script, OP_ELSE);
/* If they provided commit revocation, available immediately. */
ripemd160(&ripemd, commit_revoke->u.u8, sizeof(commit_revoke->u));
add_push_bytes(&script, &ripemd, sizeof(ripemd));
add_op(&script, OP_EQUAL);
add_op(&script, OP_NOTIF);
/* Otherwise, they must wait for HTLC timeout. */
add_push_le32(&script, htlc_abstimeout);
add_op(&script, OP_CHECKLOCKTIMEVERIFY);
add_op(&script, OP_DROP);
add_op(&script, OP_ENDIF);
add_push_key(&script, theirkey);
add_op(&script, OP_ENDIF);
add_op(&script, OP_CHECKSIG);
return script;
}
u8 *scriptsig_p2sh_secret(const tal_t *ctx,
const void *secret, size_t secret_len,
const struct bitcoin_signature *sig,
const u8 *redeemscript,
size_t redeem_len)
{
u8 *script = tal_arr(ctx, u8, 0);
add_push_sig(&script, sig);
add_push_bytes(&script, secret, secret_len);
add_push_bytes(&script, redeemscript, redeem_len);
return script;
}
u8 *scriptsig_p2sh_revoke(const tal_t *ctx,
const struct sha256 *preimage,
const struct bitcoin_signature *sig,
const u8 *revocable_redeem,
size_t redeem_len)
{
u8 *script = tal_arr(ctx, u8, 0);
add_push_sig(&script, sig);
add_push_bytes(&script, preimage, sizeof(*preimage));
add_push_bytes(&script, revocable_redeem, redeem_len);
return script;
}
static void add_push_sig(u8 **scriptp, const struct bitcoin_signature *sig)
{
/* Bitcoin wants DER encoding. */
#ifdef SCRIPTS_USE_DER
u8 der[73];
size_t len = signature_to_der(der, &sig->sig);
/* Append sighash type */
der[len++] = sig->stype;
add_push_bytes(scriptp, der, len);
#else /* Alpha uses raw encoding */
u8 with_sighash[sizeof(sig->sig) + 1];
memcpy(with_sighash, &sig->sig, sizeof(sig->sig));
with_sighash[sizeof(sig->sig)] = sig->stype;
add_push_bytes(scriptp, with_sighash, sizeof(with_sighash));
#endif
}
/* Create a script for our HTLC output: sending. */
u8 *scriptpubkey_htlc_send(const tal_t *ctx,
const struct pubkey *ourkey,
const struct pubkey *theirkey,
uint32_t htlc_abstimeout,
uint32_t locktime,
const struct sha256 *commit_revoke,
const struct sha256 *rhash)
{
/* R value presented: -> them.
* Commit revocation value presented: -> them.
* HTLC times out -> us. */
u8 *script = tal_arr(ctx, u8, 0);
struct ripemd160 ripemd;
add_op(&script, OP_HASH160);
add_op(&script, OP_DUP);
/* Did they supply HTLC R value? */
ripemd160(&ripemd, rhash->u.u8, sizeof(rhash->u));
add_push_bytes(&script, &ripemd, sizeof(ripemd));
add_op(&script, OP_EQUAL);
add_op(&script, OP_SWAP);
/* How about commit revocation value? */
ripemd160(&ripemd, commit_revoke->u.u8, sizeof(commit_revoke->u));
add_push_bytes(&script, &ripemd, sizeof(ripemd));
add_op(&script, OP_EQUAL);
add_op(&script, OP_ADD);
/* If either matched... */
add_op(&script, OP_IF);
add_push_key(&script, theirkey);
add_op(&script, OP_ELSE);
/* If HTLC times out, they can collect after a delay. */
add_push_le32(&script, htlc_abstimeout);
add_op(&script, OP_CHECKLOCKTIMEVERIFY);
add_push_le32(&script, locktime);
add_op(&script, OP_CHECKSEQUENCEVERIFY);
add_op(&script, OP_2DROP);
add_push_key(&script, ourkey);
add_op(&script, OP_ENDIF);
add_op(&script, OP_CHECKSIG);
return script;
}
/* Assumes redeemscript contains CHECKSIG, not CHECKMULTISIG */
u8 *scriptsig_p2sh_single_sig(const tal_t *ctx,
const u8 *redeem_script,
size_t redeem_len,
const struct bitcoin_signature *sig)
{
u8 *script = tal_arr(ctx, u8, 0);
add_push_sig(&script, sig);
add_push_bytes(&script, redeem_script, redeem_len);
return script;
}
static void add_number(u8 **script, u32 num)
{
if (num == 0)
add_op(script, 0);
else if (num <= 16)
add_op(script, 0x50 + num);
else {
u8 n = num;
/* We could handle others, but currently unnecessary. */
assert(num < 256);
add_push_bytes(script, &n, sizeof(n));
}
}
/* Create p2sh for this redeem script. */
u8 *scriptpubkey_p2sh(const tal_t *ctx, const u8 *redeemscript)
{
struct sha256 h;
struct ripemd160 redeemhash;
u8 *script = tal_arr(ctx, u8, 0);
add_op(&script, OP_HASH160);
sha256(&h, redeemscript, tal_count(redeemscript));
ripemd160(&redeemhash, h.u.u8, sizeof(h));
add_push_bytes(&script, redeemhash.u.u8, sizeof(redeemhash.u.u8));
add_op(&script, OP_EQUAL);
return script;
}
/* Create p2sh for this redeem script. */
u8 *scriptpubkey_p2sh(const tal_t *ctx, const u8 *redeemscript)
{
struct sha256 h;
u8 redeemhash[RIPEMD160_DIGEST_LENGTH];
u8 *script = tal_arr(ctx, u8, 0);
add_op(&script, OP_HASH160);
sha256(&h, redeemscript, tal_count(redeemscript));
RIPEMD160(h.u.u8, sizeof(h), redeemhash);
add_push_bytes(&script, redeemhash, sizeof(redeemhash));
add_op(&script, OP_EQUAL);
return script;
}
/* One of:
* mysig and relative locktime passed, OR
* theirsig and hash preimage. */
u8 *bitcoin_redeem_revocable(const tal_t *ctx,
const struct pubkey *mykey,
u32 locktime,
const struct pubkey *theirkey,
const struct sha256 *rhash)
{
u8 *script = tal_arr(ctx, u8, 0);
u8 rhash_ripemd[RIPEMD160_DIGEST_LENGTH];
le32 locktime_le = cpu_to_le32(locktime);
/* If there are two args: */
add_op(&script, OP_DEPTH);
add_op(&script, OP_1SUB);
add_op(&script, OP_IF);
/* Must hash to revocation_hash, and be signed by them. */
RIPEMD160(rhash->u.u8, sizeof(rhash->u), rhash_ripemd);
add_op(&script, OP_HASH160);
add_push_bytes(&script, rhash_ripemd, sizeof(rhash_ripemd));
add_op(&script, OP_EQUALVERIFY);
add_push_key(&script, theirkey);
/* Not two args? Must be us using timeout. */
add_op(&script, OP_ELSE);
add_push_bytes(&script, &locktime_le, sizeof(locktime_le));
add_op(&script, OP_CHECKSEQUENCEVERIFY);
add_op(&script, OP_DROP);
add_push_key(&script, mykey);
add_op(&script, OP_ENDIF);
/* And check it (ither path) */
add_op(&script, OP_CHECKSIG);
return script;
}
/* Bitcoin wants DER encoding. */
static void add_push_sig(u8 **scriptp, const struct bitcoin_signature *sig)
{
u8 der[2 + 2 + 1 + sizeof(sig->sig.r) + 2 + 1 + sizeof(sig->sig.s) + 1];
size_t len = 0;
der[len++] = 0x30; /* Type */
der[len++] = 0; /* Total length after this: fill it at end. */
len += der_encode_val(sig->sig.r, der + len);
len += der_encode_val(sig->sig.s, der + len);
/* Fix up total length */
der[1] = len - 2;
/* Append sighash type */
der[len++] = sig->stype;
assert(IsValidSignatureEncoding(der, len));
add_push_bytes(scriptp, der, len);
}
u8 *scriptsig_p2sh_2of2(const tal_t *ctx,
const struct bitcoin_signature *sig1,
const struct bitcoin_signature *sig2,
const struct pubkey *key1,
const struct pubkey *key2)
{
u8 *script = tal_arr(ctx, u8, 0);
u8 *redeemscript;
/* OP_CHECKMULTISIG has an out-by-one bug, which MBZ */
add_number(&script, 0);
/* sig order should match key order. */
if (key_less(key1, key2)) {
add_push_sig(&script, sig1);
add_push_sig(&script, sig2);
} else {
add_push_sig(&script, sig2);
add_push_sig(&script, sig1);
}
redeemscript = bitcoin_redeem_2of2(script, key1, key2);
add_push_bytes(&script, redeemscript, tal_count(redeemscript));
return script;
}
static void add_push_key(u8 **scriptp, const struct pubkey *key)
{
add_push_bytes(scriptp, key->der, pubkey_derlen(key));
}
/* FIXME: Is this really required, not a simple add_number? */
static void add_push_le32(u8 **scriptp, u32 val)
{
le32 val_le = cpu_to_le32(val);
add_push_bytes(scriptp, &val_le, sizeof(val_le));
}
