protocol: fix horribly thinko, keep own secrets.

I had each side using the other side's hash secret. That's a very dumb idea, since it means you can steal from a unilateral close! A's secret applies to A's commit transaction: it needs the secret and B's final signature to steal funds, and that should never happen (since A doesn't have the B's final signature, and once A has given B the secret, they never broadcast the commit tx). This makes the update a 4 step dance, since you need the new revocation hash to make the other side's TX to sign. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-12-20 15:44:21 +01:00 · 2015-06-10 20:32:43 +09:30
parent 9caf2c71e8
commit ed3f0115d6
18 changed files with 457 additions and 213 deletions
--- a/open-commit-sig.c
+++ b/open-commit-sig.c
@@ -66,7 +66,7 @@ int main(int argc, char *argv[])
 	anchor_txid(anchor, argv[4], argv[5], inmap, &txid);

 	/* Now create THEIR commitment tx to spend 2/2 output of anchor. */
-	proto_to_sha256(o1->revocation_hash, &rhash);
+	proto_to_sha256(o2->revocation_hash, &rhash);
 	commit = create_commit_tx(ctx, o2, o1, &rhash, 0, &txid, outmap[0]);

 	/* If contributions don't exceed fees, this fails. */
@@ -84,7 +84,7 @@ int main(int argc, char *argv[])
 	/* Sign it for them. */
 	subscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
 	sign_tx_input(ctx, commit, 0, subscript, tal_count(subscript),
-		      privkey, &sig);
+		      privkey, &pubkey1, &sig);

 	pkt = open_commit_sig_pkt(ctx, &sig);
 	if (!write_all(STDOUT_FILENO, pkt,