protocol: fix horrible thinko, keep own secrets.

I had each side using the other side's hash secret.  That's a very
dumb idea, since it means you can steal from a unilateral close!

A's secret applies to A's commit transaction: it needs the
secret and B's final signature to steal funds, and that should
never happen (since A doesn't have B's final signature, and
once A has given B the secret, they never broadcast the commit tx).

This makes the update a 4 step dance, since you need the new
revocation hash to make the other side's TX to sign.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell
2015-06-10 20:32:43 +09:30
parent 9caf2c71e8
commit ed3f0115d6
18 changed files with 457 additions and 213 deletions


@@ -70,7 +70,7 @@ int main(int argc, char *argv[])
anchor_txid(anchor, argv[5], argv[6], inmap, &txid);
/* Now create our commitment tx. */
proto_to_sha256(o2->revocation_hash, &rhash);
proto_to_sha256(o1->revocation_hash, &rhash);
commit = create_commit_tx(ctx, o1, o2, &rhash, 0, &txid, outmap[0]);
/* If contributions don't exceed fees, this fails. */
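Review bot: the comment above the swapped line still reads only `/* Now create our commitment tx. */`, which does not say whose revocation hash feeds `create_commit_tx`; since the `o2` to `o1` swap is the entire fix and nothing in this hunk would catch a regression back to the other side's hash, state the rule in the comment, e.g. `/* Now create our commitment tx: it must use OUR (o1) revocation hash, never the other side's. */`. Note also that the rendered view has dropped the `-`/`+` markers, so the two `proto_to_sha256` lines read as consecutive statements rather than a removal followed by an addition; anyone reading this page rather than the raw patch should treat the `o1` line as the one that survives.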
@@ -87,7 +87,7 @@ int main(int argc, char *argv[])
sig1.stype = SIGHASH_ALL;
subscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
sign_tx_input(ctx, commit, 0, subscript, tal_count(subscript),
privkey, &sig1.sig);
privkey, &pubkey1, &sig1.sig);
/* Signatures well-formed? */
if (!proto_to_signature(cs2->sig, &sig2.sig))
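Review bot: `sign_tx_input` now takes `&pubkey1` next to `privkey`, but nothing visible in this hunk checks that `pubkey1` is actually the public key for `privkey`; a mismatch would yield a signature that fails against the `bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2)` script created two lines earlier, and the `/* Signatures well-formed? */` check that follows only validates the peer's `cs2->sig`, not ours. Either derive the pubkey from `privkey` inside `sign_tx_input` or assert the pairing at this call site so the caller cannot pass the wrong key. Since the function signature changed, every other caller of `sign_tx_input` in the 18 touched files needs the same extra argument; a grep for the old three-argument call form before merging would confirm none were missed.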