akovalenko/lnd.xprv
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
2d421b8e3c
lnd.xprv/lnwallet/script_utils_test.go

1215 lines
38 KiB
Go
Raw Normal View History

lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
package lnwallet
import (
"bytes"
multi: replace usage of fastsha256 with crypto/sha256 This commit removes all instances of the fastsha256 library and replaces it with the sha256 library in the standard library. This change should see a number of performance improvements as the standard library has highly optimized assembly instructions with use vectorized instructions as the platform supports.
2017-03-16 04:56:25 +03:00
"crypto/sha256"
lnwallet: Implement BOLT-03 key derivation test vectors.
2017-10-02 23:20:48 +03:00
"encoding/hex"
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
"fmt"
"testing"
lnwallet: extend test to check for valid locktime and sequence
2017-01-14 11:17:00 +03:00
"time"
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
"github.com/lightningnetwork/lnd/keychain"
multi: switch over import paths from roasbeef/* to btcsuite/*
2018-06-05 04:34:16 +03:00
"github.com/btcsuite/btcd/btcec"
"github.com/btcsuite/btcd/chaincfg/chainhash"
"github.com/btcsuite/btcd/txscript"
"github.com/btcsuite/btcd/wire"
"github.com/btcsuite/btcutil"
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
)
// TestCommitmentSpendValidation test the spendability of both outputs within
// the commitment transaction.
//
// The following spending cases are covered by this test:
multi: use witnessScript everywhere instead of redeemScript This commit consists of a mass variable renaming to call the pkScript being executed for segwit outputs the `witnessScript` instead of `redeemScript`. The latter naming convention is generally considered to be reserved for the context of BIP 16 execution. With segwit to be deployed soon, we should be using the correct terminology uniformly through the codebase. In addition some minor typos throughout the codebase has been fixed.
2016-10-16 02:02:09 +03:00
// * Alice's spend from the delayed output on her commitment transaction.
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// * Bob's spend from Alice's delayed output when she broadcasts a revoked
// commitment transaction.
// * Bob's spend from his unencumbered output within Alice's commitment
// transaction.
func TestCommitmentSpendValidation(t *testing.T) {
multi: run all test instances in parallel
2017-06-17 01:59:20 +03:00
t.Parallel()
multi: use witnessScript everywhere instead of redeemScript This commit consists of a mass variable renaming to call the pkScript being executed for segwit outputs the `witnessScript` instead of `redeemScript`. The latter naming convention is generally considered to be reserved for the context of BIP 16 execution. With segwit to be deployed soon, we should be using the correct terminology uniformly through the codebase. In addition some minor typos throughout the codebase has been fixed.
2016-10-16 02:02:09 +03:00
// We generate a fake output, and the corresponding txin. This output
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// doesn't need to exist, as we'll only be validating spending from the
// transaction that references this.
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
txid, err := chainhash.NewHash(testHdSeed.CloneBytes())
if err != nil {
t.Fatalf("unable to create txid: %v", err)
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
fundingOut := &wire.OutPoint{
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
Hash: *txid,
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
Index: 50,
}
fakeFundingTxIn := wire.NewTxIn(fundingOut, nil, nil)
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
const channelBalance = btcutil.Amount(1 * 10e8)
const csvTimeout = uint32(5)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// We also set up set some resources for the commitment transaction.
// Each side currently has 1 BTC within the channel, with a total
// channel capacity of 2BTC.
aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
testWalletPrivKey)
bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
bobsPrivKey)
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
revocationPreimage := testHdSeed.CloneBytes()
commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(),
revocationPreimage)
revokePubKey := DeriveRevocationPubkey(bobKeyPub, commitPoint)
aliceDelayKey := TweakPubKey(aliceKeyPub, commitPoint)
bobPayKey := TweakPubKey(bobKeyPub, commitPoint)
aliceCommitTweak := SingleTweakBytes(commitPoint, aliceKeyPub)
bobCommitTweak := SingleTweakBytes(commitPoint, bobKeyPub)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnwallet: Move mocks to separate file and augment mockSigner. To implement the BOLT 03 test vectors, a more powerful mockSigner is required. The new version of mockSigner stores multiple keys and signs the transaction outputs with the appropriate one.
2017-09-26 07:05:24 +03:00
aliceSelfOutputSigner := &mockSigner{
privkeys: []*btcec.PrivateKey{aliceKeyPriv},
}
lnwallet: convert CommitSpendTimeout to user the Signer interface
2016-09-09 03:04:08 +03:00
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// With all the test data set up, we create the commitment transaction.
// We only focus on a single party's transactions, as the scripts are
// identical with the roles reversed.
//
// This is Alice's commitment transaction, so she must wait a CSV delay
// of 5 blocks before sweeping the output, while bob can spend
// immediately with either the revocation key, or his regular key.
lnwallet: remove the closeObserver from the channel state machine In this PR, we entirely remove the closeObserver from the channel state machine. It was added very early on before most of the other aspects of the daemon were built out. This goroutine was responsible for dispatching notifications to outside parties if the commitment transaction was spent at all. This had several issues, since it was linked to the *lifetime* of the channel state machine itself. As a result of this linkage, we had to do weird stuff like hand off in memory pointers to the state machine in order to ensure notifications were properly dispatched.
2018-01-19 00:45:30 +03:00
keyRing := &CommitmentKeyRing{
DelayKey: aliceDelayKey,
RevocationKey: revokePubKey,
NoDelayKey: bobPayKey,
lnwallet: Pass around key ring instead of individual keys. The signatures of some functions/methods in lnwallet are simplified by passing in a commitmentKeyRing argument instead of multiple keys.
2017-10-02 05:42:05 +03:00
}
lnwallet: don't use persistent pointer to funding tx within channel state machine This commit fixes a lingering bug that could at times cause incompatibilities with other implementations when attempting a cooperative channel close. Before this commit, we would use a pointer to the funding txin everywhere. As a result, each time we made a new state, or verified one, we would modify the sequence field of the main txin of the commitment transaction. Due to this if we updated the channel, then went to do a cooperative channel closure, the sequence of the txin would still be set to the value we used as the state hint. To remedy this, we now copy the txin each time when making the commitment transaction, and also the cooperative closure transaction. This avoids accidentally mutating the txin itself. Fixes #502.
2017-12-22 21:26:16 +03:00
commitmentTx, err := CreateCommitTx(*fakeFundingTxIn, keyRing, csvTimeout,
lnwallet: Pass around key ring instead of individual keys. The signatures of some functions/methods in lnwallet are simplified by passing in a commitmentKeyRing argument instead of multiple keys.
2017-10-02 05:42:05 +03:00
channelBalance, channelBalance, DefaultDustLimit())
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create commitment transaction: %v", nil)
}
delayOutput := commitmentTx.TxOut[0]
regularOutput := commitmentTx.TxOut[1]
// We're testing an uncooperative close, output sweep, so construct a
// transaction which sweeps the funds to a random address.
lnwallet/script_utils_test: use exposed CommitScriptUnencumbered
2018-07-12 01:04:26 +03:00
targetOutput, err := CommitScriptUnencumbered(aliceKeyPub)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
multi: fix `go vet` warnings throughout code base
2017-02-10 02:28:32 +03:00
t.Fatalf("unable to create target output: %v", err)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
multi: update btcsuite API's to latest upstream changes This commit makes a large number of minor changes concerning API usage within the deamon to match the latest version on the upstream btcsuite libraries. The major changes are the switch from wire.ShaHash to chainhash.Hash, and that wire.NewMsgTx() now takes a paramter indicating the version of the transaction to be created.
2017-01-06 00:56:27 +03:00
sweepTx := wire.NewMsgTx(2)
multi: fix `go vet` warnings throughout code base
2017-02-10 02:28:32 +03:00
sweepTx.AddTxIn(wire.NewTxIn(&wire.OutPoint{
Hash: commitmentTx.TxHash(),
Index: 0,
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
}, nil, nil))
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
sweepTx.AddTxOut(&wire.TxOut{
PkScript: targetOutput,
Value: 0.5 * 10e8,
})
// First, we'll test spending with Alice's key after the timeout.
lnwallet/script_utils_test: use public commit script helpers
2018-06-29 05:24:44 +03:00
delayScript, err := CommitScriptToSelf(csvTimeout, aliceDelayKey,
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
revokePubKey)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
multi: fix `go vet` warnings throughout code base
2017-02-10 02:28:32 +03:00
t.Fatalf("unable to generate alice delay script: %v", err)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
lnwallet: modify CommitSpendTimeout to expect proper input sequence num and tx version
2016-09-10 23:48:36 +03:00
sweepTx.TxIn[0].Sequence = lockTimeToSequence(false, csvTimeout)
lnwallet: convert CommitSpendTimeout to user the Signer interface
2016-09-09 03:04:08 +03:00
signDesc := &SignDescriptor{
multi: use witnessScript everywhere instead of redeemScript This commit consists of a mass variable renaming to call the pkScript being executed for segwit outputs the `witnessScript` instead of `redeemScript`. The latter naming convention is generally considered to be reserved for the context of BIP 16 execution. With segwit to be deployed soon, we should be using the correct terminology uniformly through the codebase. In addition some minor typos throughout the codebase has been fixed.
2016-10-16 02:02:09 +03:00
WitnessScript: delayScript,
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
SingleTweak: aliceCommitTweak,
SigHashes: txscript.NewTxSigHashes(sweepTx),
lnwallet: convert CommitSpendTimeout to user the Signer interface
2016-09-09 03:04:08 +03:00
Output: &wire.TxOut{
Value: int64(channelBalance),
},
HashType: txscript.SigHashAll,
InputIndex: 0,
}
aliceWitnessSpend, err := CommitSpendTimeout(aliceSelfOutputSigner,
lnwallet: modify CommitSpendTimeout to expect proper input sequence num and tx version
2016-09-10 23:48:36 +03:00
signDesc, sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
multi: fix `go vet` warnings throughout code base
2017-02-10 02:28:32 +03:00
t.Fatalf("unable to generate delay commit spend witness: %v", err)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
sweepTx.TxIn[0].Witness = aliceWitnessSpend
vm, err := txscript.NewEngine(delayOutput.PkScript,
sweepTx, 0, txscript.StandardVerifyFlags, nil,
lnwallet: modify CommitSpendTimeout to expect proper input sequence num and tx version
2016-09-10 23:48:36 +03:00
nil, int64(channelBalance))
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create engine: %v", err)
}
if err := vm.Execute(); err != nil {
t.Fatalf("spend from delay output is invalid: %v", err)
}
lnwallet: Move mocks to separate file and augment mockSigner. To implement the BOLT 03 test vectors, a more powerful mockSigner is required. The new version of mockSigner stores multiple keys and signs the transaction outputs with the appropriate one.
2017-09-26 07:05:24 +03:00
bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}}
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// Next, we'll test bob spending with the derived revocation key to
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
// simulate the scenario when Alice broadcasts this commitment
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// transaction after it's been revoked.
lnwallet: convert CommitSpendRevoke+CommitSpendNoDelay to use Signer This commit converts the rearming two commitment spend functions to use the lnwallet.Signer interface directly rather than manually manage private keys during the signing process. This commit is in preparation for implementation of fully automated revoked uncooperative closure detection and retribution.
2016-11-19 02:23:26 +03:00
signDesc = &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
DoubleTweak: commitSecret,
lnwallet: convert CommitSpendRevoke+CommitSpendNoDelay to use Signer This commit converts the rearming two commitment spend functions to use the lnwallet.Signer interface directly rather than manually manage private keys during the signing process. This commit is in preparation for implementation of fully automated revoked uncooperative closure detection and retribution.
2016-11-19 02:23:26 +03:00
WitnessScript: delayScript,
SigHashes: txscript.NewTxSigHashes(sweepTx),
Output: &wire.TxOut{
Value: int64(channelBalance),
},
HashType: txscript.SigHashAll,
InputIndex: 0,
}
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
bobWitnessSpend, err := CommitSpendRevoke(bobSigner, signDesc,
lnwallet: convert CommitSpendRevoke+CommitSpendNoDelay to use Signer This commit converts the rearming two commitment spend functions to use the lnwallet.Signer interface directly rather than manually manage private keys during the signing process. This commit is in preparation for implementation of fully automated revoked uncooperative closure detection and retribution.
2016-11-19 02:23:26 +03:00
sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to generate revocation witness: %v", err)
}
sweepTx.TxIn[0].Witness = bobWitnessSpend
vm, err = txscript.NewEngine(delayOutput.PkScript,
sweepTx, 0, txscript.StandardVerifyFlags, nil,
nil, int64(channelBalance))
if err != nil {
t.Fatalf("unable to create engine: %v", err)
}
if err := vm.Execute(); err != nil {
t.Fatalf("revocation spend is invalid: %v", err)
}
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
// In order to test the final scenario, we modify the TxIn of the sweep
multi: fix typos in comments
2018-04-18 05:03:27 +03:00
// transaction to instead point to the regular output (non delay)
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
// within the commitment transaction.
sweepTx.TxIn[0] = &wire.TxIn{
PreviousOutPoint: wire.OutPoint{
Hash: commitmentTx.TxHash(),
Index: 1,
},
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// Finally, we test bob sweeping his output as normal in the case that
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
// Alice broadcasts this commitment transaction.
lnwallet/script_utils_test: use exposed CommitScriptUnencumbered
2018-07-12 01:04:26 +03:00
bobScriptP2WKH, err := CommitScriptUnencumbered(bobPayKey)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create bob p2wkh script: %v", err)
}
lnwallet: convert CommitSpendRevoke+CommitSpendNoDelay to use Signer This commit converts the rearming two commitment spend functions to use the lnwallet.Signer interface directly rather than manually manage private keys during the signing process. This commit is in preparation for implementation of fully automated revoked uncooperative closure detection and retribution.
2016-11-19 02:23:26 +03:00
signDesc = &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
SingleTweak: bobCommitTweak,
multi: comprehensive typo fixes across all packages
2018-02-07 06:11:11 +03:00
WitnessScript: bobScriptP2WKH,
lnwallet: convert CommitSpendRevoke+CommitSpendNoDelay to use Signer This commit converts the rearming two commitment spend functions to use the lnwallet.Signer interface directly rather than manually manage private keys during the signing process. This commit is in preparation for implementation of fully automated revoked uncooperative closure detection and retribution.
2016-11-19 02:23:26 +03:00
SigHashes: txscript.NewTxSigHashes(sweepTx),
Output: &wire.TxOut{
Value: int64(channelBalance),
multi: comprehensive typo fixes across all packages
2018-02-07 06:11:11 +03:00
PkScript: bobScriptP2WKH,
lnwallet: convert CommitSpendRevoke+CommitSpendNoDelay to use Signer This commit converts the rearming two commitment spend functions to use the lnwallet.Signer interface directly rather than manually manage private keys during the signing process. This commit is in preparation for implementation of fully automated revoked uncooperative closure detection and retribution.
2016-11-19 02:23:26 +03:00
},
HashType: txscript.SigHashAll,
InputIndex: 0,
}
bobRegularSpend, err := CommitSpendNoDelay(bobSigner, signDesc,
sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create bob regular spend: %v", err)
}
sweepTx.TxIn[0].Witness = bobRegularSpend
vm, err = txscript.NewEngine(regularOutput.PkScript,
sweepTx, 0, txscript.StandardVerifyFlags, nil,
nil, int64(channelBalance))
if err != nil {
t.Fatalf("unable to create engine: %v", err)
}
if err := vm.Execute(); err != nil {
t.Fatalf("bob p2wkh spend is invalid: %v", err)
}
}
// TestRevocationKeyDerivation tests that given a public key, and a revocation
// hash, the homomorphic revocation public and private key derivation work
// properly.
func TestRevocationKeyDerivation(t *testing.T) {
multi: run all test instances in parallel
2017-06-17 01:59:20 +03:00
t.Parallel()
lnwallet: update TestRevocationKeyDerivation to use new derivation
2017-07-30 04:35:47 +03:00
// First, we'll generate a commitment point, and a commitment secret.
// These will be used to derive the ultimate revocation keys.
revocationPreimage := testHdSeed.CloneBytes()
commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(),
revocationPreimage)
// With the commitment secrets generated, we'll now create the base
// keys we'll use to derive the revocation key from.
basePriv, basePub := btcec.PrivKeyFromBytes(btcec.S256(),
testWalletPrivKey)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnwallet: update TestRevocationKeyDerivation to use new derivation
2017-07-30 04:35:47 +03:00
// With the point and key obtained, we can now derive the revocation
// key itself.
revocationPub := DeriveRevocationPubkey(basePub, commitPoint)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnwallet: update TestRevocationKeyDerivation to use new derivation
2017-07-30 04:35:47 +03:00
// The revocation public key derived from the original public key, and
// the one derived from the private key should be identical.
revocationPriv := DeriveRevocationPrivKey(basePriv, commitSecret)
if !revocationPub.IsEqual(revocationPriv.PubKey()) {
t.Fatalf("derived public keys don't match!")
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
lnwallet: update TestCommitmentSpendValidation due to new commitment scripts
2017-07-30 04:36:04 +03:00
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnwallet: add new test case to exercise singly tweaked key derivation
2017-07-30 04:35:25 +03:00
// TestTweakKeyDerivation tests that given a public key, and commitment tweak,
// then we're able to properly derive a tweaked private key that corresponds to
// the computed tweak public key. This scenario ensure that our key derivation
// for any of the non revocation keys on the commitment transaction is correct.
func TestTweakKeyDerivation(t *testing.T) {
t.Parallel()
// First, we'll generate a base public key that we'll be "tweaking".
baseSecret := testHdSeed.CloneBytes()
basePriv, basePub := btcec.PrivKeyFromBytes(btcec.S256(), baseSecret)
// With the base key create, we'll now create a commitment point, and
// from that derive the bytes we'll used to tweak the base public key.
commitPoint := ComputeCommitmentPoint(bobsPrivKey)
commitTweak := SingleTweakBytes(commitPoint, basePub)
// Next, we'll modify the public key. When we apply the same operation
// to the private key we should get a key that matches.
tweakedPub := TweakPubKey(basePub, commitPoint)
// Finally, attempt to re-generate the private key that matches the
// tweaked public key. The derived key should match exactly.
derivedPriv := TweakPrivKey(basePriv, commitTweak)
if !derivedPriv.PubKey().IsEqual(tweakedPub) {
t.Fatalf("pub keys don't match")
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
}
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// makeWitnessTestCase is a helper function used within test cases involving
// the validity of a crafted witness. This function is a wrapper function which
// allows constructing table-driven tests. In the case of an error while
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// constructing the witness, the test fails fatally.
func makeWitnessTestCase(t *testing.T,
f func() (wire.TxWitness, error)) func() wire.TxWitness {
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
return func() wire.TxWitness {
witness, err := f()
if err != nil {
t.Fatalf("unable to create witness test case: %v", err)
}
return witness
}
}
// TestHTLCSenderSpendValidation tests all possible valid+invalid redemption
// paths in the script used within the sender's commitment transaction for an
// outgoing HTLC.
//
// The following cases are exercised by this test:
// sender script:
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// * receiver spends
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// * revoke w/ sig
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// * HTLC with invalid preimage size
// * HTLC with valid preimage size + sig
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// * sender spends
// * invalid lock-time for CLTV
// * invalid sequence for CSV
// * valid lock-time+sequence, valid sig
func TestHTLCSenderSpendValidation(t *testing.T) {
multi: run all test instances in parallel
2017-06-17 01:59:20 +03:00
t.Parallel()
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// We generate a fake output, and the corresponding txin. This output
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// doesn't need to exist, as we'll only be validating spending from the
// transaction that references this.
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
txid, err := chainhash.NewHash(testHdSeed.CloneBytes())
if err != nil {
t.Fatalf("unable to create txid: %v", err)
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
fundingOut := &wire.OutPoint{
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
Hash: *txid,
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
Index: 50,
}
fakeFundingTxIn := wire.NewTxIn(fundingOut, nil, nil)
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// Next we'll the commitment secret for our commitment tx and also the
// revocation key that we'll use as well.
revokePreimage := testHdSeed.CloneBytes()
commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(),
revokePreimage)
// Generate a payment preimage to be used below.
paymentPreimage := revokePreimage
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
paymentPreimage[0] ^= 1
multi: replace usage of fastsha256 with crypto/sha256 This commit removes all instances of the fastsha256 library and replaces it with the sha256 library in the standard library. This change should see a number of performance improvements as the standard library has highly optimized assembly instructions with use vectorized instructions as the platform supports.
2017-03-16 04:56:25 +03:00
paymentHash := sha256.Sum256(paymentPreimage[:])
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// We'll also need some tests keys for alice and bob, and metadata of
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// the HTLC output.
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
testWalletPrivKey)
bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
bobsPrivKey)
paymentAmt := btcutil.Amount(1 * 10e8)
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
aliceLocalKey := TweakPubKey(aliceKeyPub, commitPoint)
bobLocalKey := TweakPubKey(bobKeyPub, commitPoint)
// As we'll be modeling spends from Alice's commitment transaction,
// we'll be using Bob's base point for the revocation key.
revocationKey := DeriveRevocationPubkey(bobKeyPub, commitPoint)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// Generate the raw HTLC redemption scripts, and its p2wsh counterpart.
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
htlcWitnessScript, err := senderHTLCScript(aliceLocalKey, bobLocalKey,
revocationKey, paymentHash[:])
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create htlc sender script: %v", err)
}
lnwallet/script_utils_test: use public commit script helpers
2018-06-29 05:24:44 +03:00
htlcPkScript, err := WitnessScriptHash(htlcWitnessScript)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create p2wsh htlc script: %v", err)
}
// This will be Alice's commitment transaction. In this scenario Alice
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// is sending an HTLC to a node she has a path to (could be Bob, could
// be multiple hops down, it doesn't really matter).
htlcOutput := &wire.TxOut{
Value: int64(paymentAmt),
PkScript: htlcPkScript,
}
multi: update btcsuite API's to latest upstream changes This commit makes a large number of minor changes concerning API usage within the deamon to match the latest version on the upstream btcsuite libraries. The major changes are the switch from wire.ShaHash to chainhash.Hash, and that wire.NewMsgTx() now takes a paramter indicating the version of the transaction to be created.
2017-01-06 00:56:27 +03:00
senderCommitTx := wire.NewMsgTx(2)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
senderCommitTx.AddTxIn(fakeFundingTxIn)
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
senderCommitTx.AddTxOut(htlcOutput)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
prevOut := &wire.OutPoint{
multi: update btcsuite API's to latest upstream changes This commit makes a large number of minor changes concerning API usage within the deamon to match the latest version on the upstream btcsuite libraries. The major changes are the switch from wire.ShaHash to chainhash.Hash, and that wire.NewMsgTx() now takes a paramter indicating the version of the transaction to be created.
2017-01-06 00:56:27 +03:00
Hash: senderCommitTx.TxHash(),
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
Index: 0,
}
multi: update btcsuite API's to latest upstream changes This commit makes a large number of minor changes concerning API usage within the deamon to match the latest version on the upstream btcsuite libraries. The major changes are the switch from wire.ShaHash to chainhash.Hash, and that wire.NewMsgTx() now takes a paramter indicating the version of the transaction to be created.
2017-01-06 00:56:27 +03:00
sweepTx := wire.NewMsgTx(2)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
sweepTx.AddTxIn(wire.NewTxIn(prevOut, nil, nil))
sweepTx.AddTxOut(
&wire.TxOut{
PkScript: []byte("doesn't matter"),
Value: 1 * 10e8,
},
)
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
sweepTxSigHashes := txscript.NewTxSigHashes(sweepTx)
bobCommitTweak := SingleTweakBytes(commitPoint, bobKeyPub)
aliceCommitTweak := SingleTweakBytes(commitPoint, aliceKeyPub)
// Finally, we'll create mock signers for both of them based on their
// private keys. This test simplifies a bit and uses the same key as
// the base point for all scripts and derivations.
lnwallet: Move mocks to separate file and augment mockSigner. To implement the BOLT 03 test vectors, a more powerful mockSigner is required. The new version of mockSigner stores multiple keys and signs the transaction outputs with the appropriate one.
2017-09-26 07:05:24 +03:00
bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}}
aliceSigner := &mockSigner{privkeys: []*btcec.PrivateKey{aliceKeyPriv}}
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// We'll also generate a signature on the sweep transaction above
multi: comprehensive typo fixes across all packages
2018-02-07 06:11:11 +03:00
// that will act as Bob's signature to Alice for the second level HTLC
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// transaction.
bobSignDesc := SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
SingleTweak: bobCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
bobRecvrSig, err := bobSigner.SignOutputRaw(sweepTx, &bobSignDesc)
if err != nil {
t.Fatalf("unable to generate alice signature: %v", err)
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
testCases := []struct {
witness func() wire.TxWitness
valid bool
}{
{
// revoke w/ sig
// TODO(roasbeef): test invalid revoke
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
DoubleTweak: commitSecret,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return senderHtlcSpendRevoke(bobSigner, signDesc,
revocationKey, sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
true,
},
{
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// HTLC with invalid preimage size
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
SingleTweak: bobCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
lnwallet: update channel state machine tests to use distinct keys In this commit, we update the channel state machine tests to use a new key for each purpose. Before this commit, the same key would be used the entire time. As a result, a few bugs slipped by that would’ve been detected if we used fresh keys for each purpose. Additionally, this reflect the real world case as we always use distinct keys for each purpose to avoid key re-use.
2018-01-17 05:38:49 +03:00
return SenderHtlcSpendRedeem(bobSigner, signDesc,
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
sweepTx,
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// Invalid preimage length
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
bytes.Repeat([]byte{1}, 45))
}),
false,
},
{
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// HTLC with valid preimage size + sig
multi: comprehensive typo fixes across all packages
2018-02-07 06:11:11 +03:00
// TODO(roasbeef): invalid preimage
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
SingleTweak: bobCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
lnwallet: update channel state machine tests to use distinct keys In this commit, we update the channel state machine tests to use a new key for each purpose. Before this commit, the same key would be used the entire time. As a result, a few bugs slipped by that would’ve been detected if we used fresh keys for each purpose. Additionally, this reflect the real world case as we always use distinct keys for each purpose to avoid key re-use.
2018-01-17 05:38:49 +03:00
return SenderHtlcSpendRedeem(bobSigner, signDesc,
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
sweepTx, paymentPreimage)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
true,
},
{
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
// valid spend to the transition the state of the HTLC
// output with the second level HTLC timeout
// transaction.
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: TestHTLCSenderSpendValidation for new HTLC scripts
2017-07-30 04:34:54 +03:00
SingleTweak: aliceCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return senderHtlcSpendTimeout(bobRecvrSig, aliceSigner,
signDesc, sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
true,
},
}
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
// TODO(roasbeef): set of cases to ensure able to sign w/ keypath and
// not
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
for i, testCase := range testCases {
sweepTx.TxIn[0].Witness = testCase.witness()
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
vm, err := txscript.NewEngine(htlcPkScript,
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
sweepTx, 0, txscript.StandardVerifyFlags, nil,
nil, int64(paymentAmt))
if err != nil {
t.Fatalf("unable to create engine: %v", err)
}
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// This buffer will trace execution of the Script, only dumping
// out to stdout in the case that a test fails.
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
var debugBuf bytes.Buffer
done := false
for !done {
dis, err := vm.DisasmPC()
if err != nil {
t.Fatalf("stepping (%v)\n", err)
}
debugBuf.WriteString(fmt.Sprintf("stepping %v\n", dis))
done, err = vm.Step()
if err != nil && testCase.valid {
fmt.Println(debugBuf.String())
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
t.Fatalf("spend test case #%v failed, spend "+
"should be valid: %v", i, err)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
} else if err == nil && !testCase.valid && done {
fmt.Println(debugBuf.String())
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
t.Fatalf("spend test case #%v succeed, spend "+
"should be invalid: %v", i, err)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
multi: fix `go vet` warnings throughout code base
2017-02-10 02:28:32 +03:00
debugBuf.WriteString(fmt.Sprintf("Stack: %v", vm.GetStack()))
debugBuf.WriteString(fmt.Sprintf("AltStack: %v", vm.GetAltStack()))
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
}
}
// TestHTLCReceiverSpendValidation tests all possible valid+invalid redemption
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// paths in the script used within the receiver's commitment transaction for an
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// incoming HTLC.
//
// The following cases are exercised by this test:
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// * receiver spends
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// * HTLC redemption w/ invalid preimage size
// * HTLC redemption w/ invalid sequence
// * HTLC redemption w/ valid preimage size
// * sender spends
// * revoke w/ sig
// * refund w/ invalid lock time
// * refund w/ valid lock time
func TestHTLCReceiverSpendValidation(t *testing.T) {
multi: run all test instances in parallel
2017-06-17 01:59:20 +03:00
t.Parallel()
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
// We generate a fake output, and the corresponding txin. This output
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
// doesn't need to exist, as we'll only be validating spending from the
// transaction that references this.
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
txid, err := chainhash.NewHash(testHdSeed.CloneBytes())
if err != nil {
t.Fatalf("unable to create txid: %v", err)
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
fundingOut := &wire.OutPoint{
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
Hash: *txid,
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
Index: 50,
}
fakeFundingTxIn := wire.NewTxIn(fundingOut, nil, nil)
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
// Next we'll the commitment secret for our commitment tx and also the
// revocation key that we'll use as well.
revokePreimage := testHdSeed.CloneBytes()
commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(),
revokePreimage)
// Generate a payment preimage to be used below.
paymentPreimage := revokePreimage
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
paymentPreimage[0] ^= 1
multi: replace usage of fastsha256 with crypto/sha256 This commit removes all instances of the fastsha256 library and replaces it with the sha256 library in the standard library. This change should see a number of performance improvements as the standard library has highly optimized assembly instructions with use vectorized instructions as the platform supports.
2017-03-16 04:56:25 +03:00
paymentHash := sha256.Sum256(paymentPreimage[:])
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
// We'll also need some tests keys for alice and bob, and metadata of
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// the HTLC output.
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
testWalletPrivKey)
bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
bobsPrivKey)
paymentAmt := btcutil.Amount(1 * 10e8)
cltvTimeout := uint32(8)
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
aliceLocalKey := TweakPubKey(aliceKeyPub, commitPoint)
bobLocalKey := TweakPubKey(bobKeyPub, commitPoint)
// As we'll be modeling spends from Bob's commitment transaction, we'll
// be using Alice's base point for the revocation key.
revocationKey := DeriveRevocationPubkey(aliceKeyPub, commitPoint)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// Generate the raw HTLC redemption scripts, and its p2wsh counterpart.
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
htlcWitnessScript, err := receiverHTLCScript(cltvTimeout, aliceLocalKey,
bobLocalKey, revocationKey, paymentHash[:])
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create htlc sender script: %v", err)
}
lnwallet/script_utils_test: use public commit script helpers
2018-06-29 05:24:44 +03:00
htlcPkScript, err := WitnessScriptHash(htlcWitnessScript)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
if err != nil {
t.Fatalf("unable to create p2wsh htlc script: %v", err)
}
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
// This will be Bob's commitment transaction. In this scenario Alice is
// sending an HTLC to a node she has a path to (could be Bob, could be
// multiple hops down, it doesn't really matter).
htlcOutput := &wire.TxOut{
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
Value: int64(paymentAmt),
PkScript: htlcWitnessScript,
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
}
receiverCommitTx := wire.NewMsgTx(2)
receiverCommitTx.AddTxIn(fakeFundingTxIn)
receiverCommitTx.AddTxOut(htlcOutput)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
prevOut := &wire.OutPoint{
multi: fix a variety of typos throughout the repo
2017-01-13 08:01:50 +03:00
Hash: receiverCommitTx.TxHash(),
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
Index: 0,
}
multi: update btcsuite API's to latest upstream changes This commit makes a large number of minor changes concerning API usage within the deamon to match the latest version on the upstream btcsuite libraries. The major changes are the switch from wire.ShaHash to chainhash.Hash, and that wire.NewMsgTx() now takes a paramter indicating the version of the transaction to be created.
2017-01-06 00:56:27 +03:00
sweepTx := wire.NewMsgTx(2)
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
sweepTx.AddTxIn(&wire.TxIn{
PreviousOutPoint: *prevOut,
})
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
sweepTx.AddTxOut(
&wire.TxOut{
PkScript: []byte("doesn't matter"),
Value: 1 * 10e8,
},
)
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
sweepTxSigHashes := txscript.NewTxSigHashes(sweepTx)
bobCommitTweak := SingleTweakBytes(commitPoint, bobKeyPub)
aliceCommitTweak := SingleTweakBytes(commitPoint, aliceKeyPub)
// Finally, we'll create mock signers for both of them based on their
// private keys. This test simplifies a bit and uses the same key as
// the base point for all scripts and derivations.
lnwallet: Move mocks to separate file and augment mockSigner. To implement the BOLT 03 test vectors, a more powerful mockSigner is required. The new version of mockSigner stores multiple keys and signs the transaction outputs with the appropriate one.
2017-09-26 07:05:24 +03:00
bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}}
aliceSigner := &mockSigner{privkeys: []*btcec.PrivateKey{aliceKeyPriv}}
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
// We'll also generate a signature on the sweep transaction above
multi: comprehensive typo fixes across all packages
2018-02-07 06:11:11 +03:00
// that will act as Alice's signature to Bob for the second level HTLC
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
// transaction.
aliceSignDesc := SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
SingleTweak: aliceCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
aliceSenderSig, err := aliceSigner.SignOutputRaw(sweepTx, &aliceSignDesc)
if err != nil {
t.Fatalf("unable to generate alice signature: %v", err)
}
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
// TODO(roasbeef): modify valid to check precise script errors?
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
testCases := []struct {
witness func() wire.TxWitness
valid bool
}{
{
// HTLC redemption w/ invalid preimage size
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
SingleTweak: bobCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return receiverHtlcSpendRedeem(aliceSenderSig,
bytes.Repeat([]byte{1}, 45), bobSigner,
signDesc, sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
false,
},
{
// HTLC redemption w/ valid preimage size
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
SingleTweak: bobCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return receiverHtlcSpendRedeem(aliceSenderSig,
paymentPreimage[:], bobSigner,
signDesc, sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
true,
},
{
// revoke w/ sig
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
DoubleTweak: commitSecret,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return receiverHtlcSpendRevoke(aliceSigner,
signDesc, revocationKey, sweepTx)
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
true,
},
{
// refund w/ invalid lock time
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
SingleTweak: aliceCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return receiverHtlcSpendTimeout(aliceSigner, signDesc,
lnwallet: update channel state machine tests to use distinct keys In this commit, we update the channel state machine tests to use a new key for each purpose. Before this commit, the same key would be used the entire time. As a result, a few bugs slipped by that would’ve been detected if we used fresh keys for each purpose. Additionally, this reflect the real world case as we always use distinct keys for each purpose to avoid key re-use.
2018-01-17 05:38:49 +03:00
sweepTx, int32(cltvTimeout-2))
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
false,
},
{
// refund w/ valid lock time
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
SingleTweak: aliceCommitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return receiverHtlcSpendTimeout(aliceSigner, signDesc,
lnwallet: update channel state machine tests to use distinct keys In this commit, we update the channel state machine tests to use a new key for each purpose. Before this commit, the same key would be used the entire time. As a result, a few bugs slipped by that would’ve been detected if we used fresh keys for each purpose. Additionally, this reflect the real world case as we always use distinct keys for each purpose to avoid key re-use.
2018-01-17 05:38:49 +03:00
sweepTx, int32(cltvTimeout))
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}),
true,
},
}
for i, testCase := range testCases {
sweepTx.TxIn[0].Witness = testCase.witness()
lnwallet: update TestHTLCSenderSpendValidation for new scripts
2017-07-30 04:34:16 +03:00
vm, err := txscript.NewEngine(htlcPkScript,
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
sweepTx, 0, txscript.StandardVerifyFlags, nil,
nil, int64(paymentAmt))
if err != nil {
t.Fatalf("unable to create engine: %v", err)
}
lnd: implement the sendcoins RPC request This commit implements the “send coins” RPC request which was introduced at both the lnrpc and command line level in a prior commit. A small refactoring has taken place w.r.t to sendmany+sendcoins in order to eliminate some code duplication.
2016-06-29 21:31:29 +03:00
// This buffer will trace execution of the Script, only dumping
// out to stdout in the case that a test fails.
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
var debugBuf bytes.Buffer
done := false
for !done {
dis, err := vm.DisasmPC()
if err != nil {
t.Fatalf("stepping (%v)\n", err)
}
debugBuf.WriteString(fmt.Sprintf("stepping %v\n", dis))
done, err = vm.Step()
if err != nil && testCase.valid {
fmt.Println(debugBuf.String())
t.Fatalf("spend test case #%v failed, spend should be valid: %v", i, err)
} else if err == nil && !testCase.valid && done {
fmt.Println(debugBuf.String())
t.Fatalf("spend test case #%v succeed, spend should be invalid: %v", i, err)
}
multi: fix `go vet` warnings throughout code base
2017-02-10 02:28:32 +03:00
debugBuf.WriteString(fmt.Sprintf("Stack: %v", vm.GetStack()))
debugBuf.WriteString(fmt.Sprintf("AltStack: %v", vm.GetAltStack()))
lnwallet: update HTLC+commitment scripts This commit updates the previous HTLC and commitment scripts to their current latest evolution. The HTLC scripts have been optimized for space savings, the functionality itself has remained relatively unchanged. A trade off was made to add additional bytes into the sigScript in order to avoid extraneous CHECKSIG’s. The rationale is that an extra 1-2 bytes in the sigScript to guide execution, are worthwhile since they’re in the witness, and witness data may be pruned in the near future. The primary change is within the commitment transaction itself. Instead of using revocation hashes, we now use signature based revocation. This saves space in the Script, and optimizes away an extra hashing operation. Elkrem/shachain is still used but, we now use the pre-images to homomorphically derive a public key which the other party will be able to sign with, once we disclose the pre-image itself. Finally, we have switched to using SHA-256 everywhere uniformly for both revocation hashes, and payment hashes. The rationale is that the output of ripemd160 is too small for modern security margins, and that other coins/chains are more likely to have SHA-256 implemented, than ripemd160. A set of tests has also been included which contain (mostly) exhaustive tests of all possible redemption paths for both commitment and HTLC.
2016-06-27 21:33:59 +03:00
}
}
}
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
// TestSecondLevelHtlcSpends tests all the possible redemption clauses from the
// HTLC success and timeout covenant transactions.
func TestSecondLevelHtlcSpends(t *testing.T) {
t.Parallel()
// We'll start be creating a creating a 2BTC HTLC.
const htlcAmt = btcutil.Amount(2 * 10e8)
// In all of our scenarios, the CSV timeout to claim a self output will
// be 5 blocks.
const claimDelay = 5
// First we'll set up some initial key state for Alice and Bob that
// will be used in the scripts we created below.
aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
testWalletPrivKey)
bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(),
bobsPrivKey)
revokePreimage := testHdSeed.CloneBytes()
commitSecret, commitPoint := btcec.PrivKeyFromBytes(
btcec.S256(), revokePreimage)
// As we're modeling this as Bob sweeping the HTLC on-chain from his
// commitment transaction after a period of time, we'll be using a
// revocation key derived from Alice's base point and his secret.
revocationKey := DeriveRevocationPubkey(aliceKeyPub, commitPoint)
// Next, craft a fake HTLC outpoint that we'll use to generate the
// sweeping transaction using.
txid, err := chainhash.NewHash(testHdSeed.CloneBytes())
if err != nil {
t.Fatalf("unable to create txid: %v", err)
}
htlcOutPoint := &wire.OutPoint{
Hash: *txid,
Index: 0,
}
sweepTx := wire.NewMsgTx(2)
sweepTx.AddTxIn(wire.NewTxIn(htlcOutPoint, nil, nil))
sweepTx.AddTxOut(
&wire.TxOut{
PkScript: []byte("doesn't matter"),
Value: 1 * 10e8,
},
)
sweepTxSigHashes := txscript.NewTxSigHashes(sweepTx)
// The delay key will be crafted using Bob's public key as the output
// we created will be spending from Alice's commitment transaction.
delayKey := TweakPubKey(bobKeyPub, commitPoint)
// The commit tweak will be required in order for Bob to derive the
// proper key need to spend the output.
commitTweak := SingleTweakBytes(commitPoint, bobKeyPub)
// Finally we'll generate the HTLC script itself that we'll be spending
// from. The revocation clause can be claimed by Alice, while Bob can
// sweep the output after a particular delay.
htlcWitnessScript, err := secondLevelHtlcScript(revocationKey,
delayKey, claimDelay)
if err != nil {
t.Fatalf("unable to create htlc script: %v", err)
}
lnwallet/script_utils_test: use public commit script helpers
2018-06-29 05:24:44 +03:00
htlcPkScript, err := WitnessScriptHash(htlcWitnessScript)
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
if err != nil {
t.Fatalf("unable to create htlc output: %v", err)
}
htlcOutput := &wire.TxOut{
PkScript: htlcPkScript,
Value: int64(htlcAmt),
}
multi: comprehensive typo fixes across all packages
2018-02-07 06:11:11 +03:00
// TODO(roasbeef): make actually use timeout/success txns?
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
// Finally, we'll create mock signers for both of them based on their
// private keys. This test simplifies a bit and uses the same key as
// the base point for all scripts and derivations.
lnwallet: Move mocks to separate file and augment mockSigner. To implement the BOLT 03 test vectors, a more powerful mockSigner is required. The new version of mockSigner stores multiple keys and signs the transaction outputs with the appropriate one.
2017-09-26 07:05:24 +03:00
bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}}
aliceSigner := &mockSigner{privkeys: []*btcec.PrivateKey{aliceKeyPriv}}
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
testCases := []struct {
witness func() wire.TxWitness
valid bool
}{
{
// Sender of the HTLC attempts to activate the
// revocation clause, but uses the wrong key (fails to
// use the double tweak in this case).
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return htlcSpendRevoke(aliceSigner, signDesc,
sweepTx)
}),
false,
},
{
// Sender of HTLC activates the revocation clause.
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: aliceKeyPub,
},
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
DoubleTweak: commitSecret,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return htlcSpendRevoke(aliceSigner, signDesc,
sweepTx)
}),
true,
},
{
// Receiver of the HTLC attempts to sweep, but tries to
// do so pre-maturely with a smaller CSV delay (2
// blocks instead of 5 blocks).
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
SingleTweak: commitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return htlcSpendSuccess(bobSigner, signDesc,
sweepTx, claimDelay-3)
}),
false,
},
{
// Receiver of the HTLC sweeps with the proper CSV
// delay, but uses the wrong key (leaves off the single
// tweak).
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return htlcSpendSuccess(bobSigner, signDesc,
sweepTx, claimDelay)
}),
false,
},
{
// Receiver of the HTLC sweeps with the proper CSV
// delay, and the correct key.
makeWitnessTestCase(t, func() (wire.TxWitness, error) {
signDesc := &SignDescriptor{
lnwallet: update script_utils and tests due to SignDescriptor API change
2018-02-18 02:09:51 +03:00
KeyDesc: keychain.KeyDescriptor{
PubKey: bobKeyPub,
},
lnwallet: add redemption+spend tests for the second-level HTLC txns
2017-07-30 04:32:04 +03:00
SingleTweak: commitTweak,
WitnessScript: htlcWitnessScript,
Output: htlcOutput,
HashType: txscript.SigHashAll,
SigHashes: sweepTxSigHashes,
InputIndex: 0,
}
return htlcSpendSuccess(bobSigner, signDesc,
sweepTx, claimDelay)
}),
true,
},
}
for i, testCase := range testCases {
sweepTx.TxIn[0].Witness = testCase.witness()
vm, err := txscript.NewEngine(htlcPkScript,
sweepTx, 0, txscript.StandardVerifyFlags, nil,
nil, int64(htlcAmt))
if err != nil {
t.Fatalf("unable to create engine: %v", err)
}
// This buffer will trace execution of the Script, only dumping
// out to stdout in the case that a test fails.
var debugBuf bytes.Buffer
done := false
for !done {
dis, err := vm.DisasmPC()
if err != nil {
t.Fatalf("stepping (%v)\n", err)
}
debugBuf.WriteString(fmt.Sprintf("stepping %v\n", dis))
done, err = vm.Step()
if err != nil && testCase.valid {
fmt.Println(debugBuf.String())
t.Fatalf("spend test case #%v failed, spend "+
"should be valid: %v", i, err)
} else if err == nil && !testCase.valid && done {
fmt.Println(debugBuf.String())
t.Fatalf("spend test case #%v succeed, spend "+
"should be invalid: %v", i, err)
}
debugBuf.WriteString(fmt.Sprintf("Stack: %v", vm.GetStack()))
debugBuf.WriteString(fmt.Sprintf("AltStack: %v", vm.GetAltStack()))
}
}
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
}
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
func TestCommitTxStateHint(t *testing.T) {
multi: run all test instances in parallel
2017-06-17 01:59:20 +03:00
t.Parallel()
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
lnwallet: move stateHintTests global var into TestCommitTxStateHint
2017-07-30 04:24:47 +03:00
stateHintTests := []struct {
name string
from uint64
to uint64
inputs int
shouldFail bool
}{
{
name: "states 0 to 1000",
from: 0,
to: 1000,
inputs: 1,
shouldFail: false,
},
{
name: "states 'maxStateHint-1000' to 'maxStateHint'",
from: maxStateHint - 1000,
to: maxStateHint,
inputs: 1,
shouldFail: false,
},
{
name: "state 'maxStateHint+1'",
from: maxStateHint + 1,
to: maxStateHint + 10,
inputs: 1,
shouldFail: true,
},
{
name: "commit transaction with two inputs",
inputs: 2,
shouldFail: true,
},
}
multi: Fix various typos.
2017-09-25 21:25:58 +03:00
var obfuscator [StateHintSize]byte
copy(obfuscator[:], testHdSeed[:StateHintSize])
lnwallet: extend test to check for valid locktime and sequence
2017-01-14 11:17:00 +03:00
timeYesterday := uint32(time.Now().Unix() - 24*60*60)
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
for _, test := range stateHintTests {
commitTx := wire.NewMsgTx(2)
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
// Add supplied number of inputs to the commitment transaction.
for i := 0; i < test.inputs; i++ {
commitTx.AddTxIn(&wire.TxIn{})
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
}
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
for i := test.from; i <= test.to; i++ {
stateNum := uint64(i)
lnwallet: allow maximum state size to be used + tests Add tests to assert maximum state can be used. Also test that more than one input in the commitment transaction will fail and that having state number larger than maxStateHint will fail.
2017-01-09 16:58:58 +03:00
multi: Fix various typos.
2017-09-25 21:25:58 +03:00
err := SetStateNumHint(commitTx, stateNum, obfuscator)
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
if err != nil && !test.shouldFail {
t.Fatalf("unable to set state num %v: %v", i, err)
} else if err == nil && test.shouldFail {
t.Fatalf("Failed(%v): test should fail but did not", test.name)
}
lnwallet: allow maximum state size to be used + tests Add tests to assert maximum state can be used. Also test that more than one input in the commitment transaction will fail and that having state number larger than maxStateHint will fail.
2017-01-09 16:58:58 +03:00
lnwallet: extend test to check for valid locktime and sequence
2017-01-14 11:17:00 +03:00
locktime := commitTx.LockTime
sequence := commitTx.TxIn[0].Sequence
// Locktime should not be less than 500,000,000 and not larger
// than the time 24 hours ago. One day should provide a good
// enough buffer for the tests.
if locktime < 5e8 || locktime > timeYesterday {
if !test.shouldFail {
t.Fatalf("The value of locktime (%v) may cause the commitment "+
"transaction to be unspendable", locktime)
}
}
if sequence&wire.SequenceLockTimeDisabled == 0 {
if !test.shouldFail {
t.Fatalf("Sequence locktime is NOT disabled when it should be")
}
}
multi: Fix various typos.
2017-09-25 21:25:58 +03:00
extractedStateNum := GetStateNumHint(commitTx, obfuscator)
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
if extractedStateNum != stateNum && !test.shouldFail {
t.Fatalf("state number mismatched, expected %v, got %v",
stateNum, extractedStateNum)
} else if extractedStateNum == stateNum && test.shouldFail {
t.Fatalf("Failed(%v): test should fail but did not", test.name)
}
lnwallet: allow maximum state size to be used + tests Add tests to assert maximum state can be used. Also test that more than one input in the commitment transaction will fail and that having state number larger than maxStateHint will fail.
2017-01-09 16:58:58 +03:00
}
test: Add table driven tests for script_utils Add table-driven tests for testing GetStateHint and SetStateHint in package lnwallet.
2017-01-09 21:03:19 +03:00
t.Logf("Passed: %v", test.name)
lnwallet: add utility functions for obfuscated commitment state hints This commit adds two utility functions along with corresponding tests for adding obfuscated state number hints to each commitment transaction. Such a feature reduces the search time to recover the necessary material to punish a counterpaty for broadcasting an invalid state from O(N), to O(1), where N is the number of states in the channel’s transcript. By encoding the obsfucated state number, either side is able to quickly obtain the ncessary state to excerise “justice”.
2016-11-15 05:34:59 +03:00
}
}
lnwallet: Implement BOLT-03 key derivation test vectors.
2017-10-02 23:20:48 +03:00
// TestSpecificationKeyDerivation implements the test vectors provided in
// BOLT-03, Appendix E.
func TestSpecificationKeyDerivation(t *testing.T) {
const (
baseSecretHex = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
perCommitmentSecretHex = "1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100"
basePointHex = "036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2"
perCommitmentPointHex = "025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486"
)
baseSecret, err := privkeyFromHex(baseSecretHex)
if err != nil {
t.Fatalf("Failed to parse serialized privkey: %v", err)
}
perCommitmentSecret, err := privkeyFromHex(perCommitmentSecretHex)
if err != nil {
t.Fatalf("Failed to parse serialized privkey: %v", err)
}
basePoint, err := pubkeyFromHex(basePointHex)
if err != nil {
t.Fatalf("Failed to parse serialized pubkey: %v", err)
}
perCommitmentPoint, err := pubkeyFromHex(perCommitmentPointHex)
if err != nil {
t.Fatalf("Failed to parse serialized pubkey: %v", err)
}
// name: derivation of key from basepoint and per_commitment_point
const expectedLocalKeyHex = "0235f2dbfaa89b57ec7b055afe29849ef7ddfeb1cefdb9ebdc43f5494984db29e5"
actualLocalKey := TweakPubKey(basePoint, perCommitmentPoint)
actualLocalKeyHex := pubkeyToHex(actualLocalKey)
if actualLocalKeyHex != expectedLocalKeyHex {
t.Errorf("Incorrect derivation of local public key: "+
"expected %v, got %v", expectedLocalKeyHex, actualLocalKeyHex)
}
// name: derivation of secret key from basepoint secret and per_commitment_secret
const expectedLocalPrivKeyHex = "cbced912d3b21bf196a766651e436aff192362621ce317704ea2f75d87e7be0f"
tweak := SingleTweakBytes(perCommitmentPoint, basePoint)
actualLocalPrivKey := TweakPrivKey(baseSecret, tweak)
actualLocalPrivKeyHex := privkeyToHex(actualLocalPrivKey)
if actualLocalPrivKeyHex != expectedLocalPrivKeyHex {
t.Errorf("Incorrect derivation of local private key: "+
"expected %v, got %v, %v", expectedLocalPrivKeyHex,
actualLocalPrivKeyHex, hex.EncodeToString(tweak))
}
// name: derivation of revocation key from basepoint and per_commitment_point
const expectedRevocationKeyHex = "02916e326636d19c33f13e8c0c3a03dd157f332f3e99c317c141dd865eb01f8ff0"
actualRevocationKey := DeriveRevocationPubkey(basePoint, perCommitmentPoint)
actualRevocationKeyHex := pubkeyToHex(actualRevocationKey)
if actualRevocationKeyHex != expectedRevocationKeyHex {
t.Errorf("Incorrect derivation of revocation public key: "+
"expected %v, got %v", expectedRevocationKeyHex,
actualRevocationKeyHex)
}
// name: derivation of revocation secret from basepoint_secret and per_commitment_secret
const expectedRevocationPrivKeyHex = "d09ffff62ddb2297ab000cc85bcb4283fdeb6aa052affbc9dddcf33b61078110"
actualRevocationPrivKey := DeriveRevocationPrivKey(baseSecret,
perCommitmentSecret)
actualRevocationPrivKeyHex := privkeyToHex(actualRevocationPrivKey)
if actualRevocationPrivKeyHex != expectedRevocationPrivKeyHex {
t.Errorf("Incorrect derivation of revocation private key: "+
"expected %v, got %v", expectedRevocationPrivKeyHex,
actualRevocationPrivKeyHex)
}
}
Reference in New Issue Copy Permalink