protocol: non-HTLC commit tx outputs are p2wpkh

This is changes the payments to either party to be p2wpkh.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

bitcoin/script.c

@@ -255,6 +255,18 @@ u8 *scriptpubkey_p2wsh(const tal_t *ctx, const u8 *witnessscript)
 	return script;
 }
 
+/* Create an output script for a 20-byte witness. */
+u8 *scriptpubkey_p2wpkh(const tal_t *ctx, const struct pubkey *key)
+{
+	struct ripemd160 h;
+	u8 *script = tal_arr(ctx, u8, 0);
+	
+	add_op(&script, OP_0);
+	hash160(&h, key->der, sizeof(key->der));
+	add_push_bytes(&script, &h, sizeof(h));
+	return script;
+}
+
 /* Create a witness which spends the 2of2. */
 u8 **bitcoin_witness_2of2(const tal_t *ctx,
 			  const struct bitcoin_signature *sig1,
@@ -495,3 +507,18 @@ u8 *scriptsig_p2sh_secret(const tal_t *ctx,
 
 	return script;
 }
+
+u8 **bitcoin_witness_secret(const tal_t *ctx,
+			    const void *secret, size_t secret_len,
+			    const struct bitcoin_signature *sig,
+			    const u8 *witnessscript)
+{
+	u8 **witness = tal_arr(ctx, u8 *, 3);
+
+	witness[0] = stack_sig(witness, sig);
+	witness[1] = tal_dup_arr(witness, u8, secret, secret_len, 0);
+	witness[2] = tal_dup_arr(witness, u8,
+				 witnessscript, tal_count(witnessscript), 0);
+
+	return witness;
+}

bitcoin/script.h

@@ -67,9 +67,12 @@ u8 *scriptpubkey_htlc_recv(const tal_t *ctx,
 			   const struct sha256 *commit_revoke,
 			   const struct sha256 *rhash);
 
-/* Create an output script for a 32-byte witness. */
+/* Create an output script for a 32-byte witness program. */
 u8 *scriptpubkey_p2wsh(const tal_t *ctx, const u8 *witnessscript);
 
+/* Create an output script for a 20-byte witness program. */
+u8 *scriptpubkey_p2wpkh(const tal_t *ctx, const struct pubkey *key);
+
 /* Create a witness which spends the 2of2. */
 u8 **bitcoin_witness_2of2(const tal_t *ctx,
 			  const struct bitcoin_signature *sig1,
@@ -77,6 +80,12 @@ u8 **bitcoin_witness_2of2(const tal_t *ctx,
 			  const struct pubkey *key1,
 			  const struct pubkey *key2);
 
+/* Create a witness which spends a "secret_or_delay" scriptpubkey */
+u8 **bitcoin_witness_secret(const tal_t *ctx,
+			    const void *secret, size_t secret_len,
+			    const struct bitcoin_signature *sig,
+			    const u8 *witnessscript);
+
 /* Create an input script to accept pay to pubkey */
 u8 *scriptsig_p2sh_2of2(const tal_t *ctx,
 			const struct bitcoin_signature *sig1,

commit_tx.c

@@ -58,19 +58,17 @@ struct bitcoin_tx *create_commit_tx(const tal_t *ctx,
 	tx->input[0].index = anchor_index;
 	tx->input[0].amount = tal_dup(tx->input, u64, &anchor_satoshis);
 
-	/* First output is a P2SH to a complex redeem script (usu. for me) */
+	/* First output is a P2WSH to a complex redeem script (usu. for me) */
 	redeemscript = bitcoin_redeem_secret_or_delay(tx, our_final,
 						      their_locktime,
 						      their_final,
 						      rhash);
-	tx->output[0].script = scriptpubkey_p2sh(tx, redeemscript);
+	tx->output[0].script = scriptpubkey_p2wsh(tx, redeemscript);
 	tx->output[0].script_length = tal_count(tx->output[0].script);
 	tx->output[0].amount = cstate->a.pay_msat / 1000;
 
-	/* Second output is a P2SH payment to them. */
+	/* Second output is a P2WPKH payment to them. */
-	tx->output[1].script = scriptpubkey_p2sh(tx,
+	tx->output[1].script = scriptpubkey_p2wpkh(tx, their_final);
-					 bitcoin_redeem_single(tx,
-							       their_final));
 	tx->output[1].script_length = tal_count(tx->output[1].script);
 	tx->output[1].amount = cstate->b.pay_msat / 1000;
 

daemon/packets.c

@@ -4,7 +4,6 @@
 #include "commit_tx.h"
 #include "controlled_time.h"
 #include "cryptopkt.h"
-#include "find_p2sh_out.h"
 #include "lightningd.h"
 #include "log.h"
 #include "names.h"

daemon/peer.c

@@ -1117,15 +1117,15 @@ const struct bitcoin_tx *bitcoin_close(struct peer *peer)
 /* Create a bitcoin spend tx (to spend our commit's outputs) */
 const struct bitcoin_tx *bitcoin_spend_ours(struct peer *peer)
 {
-	u8 *redeemscript;
+	u8 *witnessscript;
 	const struct bitcoin_tx *commit = peer->us.commit->tx;
 	struct bitcoin_signature sig;
 	struct bitcoin_tx *tx;
-	unsigned int p2sh_out;
+	unsigned int p2wsh_out;
 	uint64_t fee;
 
 	/* The redeemscript for a commit tx is fairly complex. */
-	redeemscript = bitcoin_redeem_secret_or_delay(peer,
+	witnessscript = bitcoin_redeem_secret_or_delay(peer,
 						      &peer->us.finalkey,
 						      &peer->them.locktime,
 						      &peer->them.finalkey,
@@ -1134,25 +1134,24 @@ const struct bitcoin_tx *bitcoin_spend_ours(struct peer *peer)
 	/* Now, create transaction to spend it. */
 	tx = bitcoin_tx(peer, 1, 1);
 	bitcoin_txid(commit, &tx->input[0].txid);
-	p2sh_out = find_p2sh_out(commit, redeemscript);
+	p2wsh_out = find_p2wsh_out(commit, witnessscript);
-	tx->input[0].index = p2sh_out;
+	tx->input[0].index = p2wsh_out;
 	tx->input[0].sequence_number = bitcoin_nsequence(&peer->them.locktime);
 	tx->input[0].amount = tal_dup(tx->input, u64,
-				      &commit->output[p2sh_out].amount);
+				      &commit->output[p2wsh_out].amount);
+
+	tx->output[0].amount = commit->output[p2wsh_out].amount;
 
-	tx->output[0].amount = commit->output[p2sh_out].amount;
 	tx->output[0].script = scriptpubkey_p2sh(tx,
 				 bitcoin_redeem_single(tx, &peer->us.finalkey));
 	tx->output[0].script_length = tal_count(tx->output[0].script);
 
 	/* Use signature, until we have fee. */
 	sig.stype = SIGHASH_ALL;
-	peer_sign_spend(peer, tx, redeemscript, &sig.sig);
+	peer_sign_spend(peer, tx, witnessscript, &sig.sig);
 
-	tx->input[0].script = scriptsig_p2sh_secret(tx, NULL, 0, &sig,
+	tx->input[0].witness = bitcoin_witness_secret(tx, NULL, 0, &sig,
-						    redeemscript,
+						      witnessscript);
-						    tal_count(redeemscript));
-	tx->input[0].script_length = tal_count(tx->input[0].script);
 
 	/* FIXME: Figure out length first, then calc fee! */
 
@@ -1168,14 +1167,13 @@ const struct bitcoin_tx *bitcoin_spend_ours(struct peer *peer)
 		      tx->output[0].amount, fee);
 
 	/* Re-sign with the real values. */
-	tx->input[0].script_length = 0;
+	tx->input[0].witness = tal_free(tx->input[0].witness);
 	tx->output[0].amount -= fee;
-	peer_sign_spend(peer, tx, redeemscript, &sig.sig);
 
-	tx->input[0].script = scriptsig_p2sh_secret(tx, NULL, 0, &sig,
+	peer_sign_spend(peer, tx, witnessscript, &sig.sig);
-						    redeemscript,
+
-						    tal_count(redeemscript));
+	tx->input[0].witness = bitcoin_witness_secret(tx, NULL, 0, &sig,
-	tx->input[0].script_length = tal_count(tx->input[0].script);
+						      witnessscript);
 	
 	return tx;
 }

daemon/secrets.c

@@ -71,15 +71,14 @@ void peer_sign_ourcommit(const struct peer *peer,
 
 void peer_sign_spend(const struct peer *peer,
 		     struct bitcoin_tx *spend,
-		     const u8 *commit_redeemscript,
+		     const u8 *commit_witnessscript,
 		     struct signature *sig)
 {
 	/* Spend tx only has one input: that of the commit tx. */
 	sign_tx_input(peer->dstate->secpctx,
 		      spend, 0,
-		      commit_redeemscript,
+		      NULL, 0,
-		      tal_count(commit_redeemscript),
+		      commit_witnessscript,
-		      NULL,
 		      &peer->secrets->final,
 		      &peer->us.finalkey,
 		      sig);

daemon/secrets.h

@@ -22,7 +22,7 @@ void peer_sign_ourcommit(const struct peer *peer,
 
 void peer_sign_spend(const struct peer *peer,
 		     struct bitcoin_tx *spend,
-		     const u8 *commit_redeemscript,
+		     const u8 *commit_witnessscript,
 		     struct signature *sig);
 
 void peer_sign_mutual_close(const struct peer *peer,