protocol: fix horribly thinko, keep own secrets.

I had each side using the other side's hash secret. That's a very dumb idea, since it means you can steal from a unilateral close! A's secret applies to A's commit transaction: it needs the secret and B's final signature to steal funds, and that should never happen (since A doesn't have the B's final signature, and once A has given B the secret, they never broadcast the commit tx). This makes the update a 4 step dance, since you need the new revocation hash to make the other side's TX to sign. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-12-19 23:24:27 +01:00 · 2015-06-10 20:32:43 +09:30
parent 9caf2c71e8
commit ed3f0115d6
18 changed files with 457 additions and 213 deletions
--- a/create-commit-spend-tx.c
+++ b/create-commit-spend-tx.c
@@ -105,7 +105,7 @@ int main(int argc, char *argv[])

 	/* Now get signature, to set up input script. */
 	if (!sign_tx_input(tx, tx, 0, redeemscript, tal_count(redeemscript),
-			   privkey, &sig.sig))
+			   privkey, &pubkey1, &sig.sig))
 		errx(1, "Could not sign tx");
 	sig.stype = SIGHASH_ALL;
 	tx->input[0].script = scriptsig_p2sh_single_sig(tx, redeemscript,