Added output_witscript field to sign_remote_commitment_tx

.gitignore

@@ -42,4 +42,3 @@ contrib/pylightning/pylightning.egg-info/
 contrib/pyln-*/build/
 contrib/pyln-*/dist/
 contrib/pyln-*/pyln_*.egg-info/
-devtools/create-gossipstore

CHANGELOG.md

@@ -4,7 +4,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.7.3rc2] - 2019-10-15: T.B.D.
+## [Unreleased]
+
+### Added
+
+### Changed
+
+### Deprecated
+
+Note: You should always set `allow-deprecated-apis=false` to test for changes.
+
+### Removed
+
+### Fixed
+
+### Security
+
+
+## [0.7.3] - 2019-10-18: "Bitcoin's Proof of Stake"
+
+This release named by @trueptolemy.
 
 ### Added
 
@@ -36,7 +55,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - JSON API: The `plugin` command now returns on error. A timeout of 20 seconds is added to `start` and `startdir` subcommands at the end of which the plugin is errored if it did not complete the handshake with `lightningd`.
 - JSON API: The `plugin` command does not allow to start static plugins after `lightningd` startup anymore.
 - Protocol: We now push our own gossip to all peers, independent of their filter.
-- Protocol: Now follows spec in responses to short channel id queries on unknown chainhashes; correspondingly, disconnects from peers that signal they do not maintain up-to-date information for the requested chain.
+- Protocol: Now follows spec in responses to short channel id queries on unknown chainhashes
 - Tor: We default now with autotor to generate if possible temporary ED25519-V3 onions.  You can use new option `enable-autotor-v2-mode` to fallback to V2 RSA1024 mode.
 
 ### Deprecated
@@ -57,6 +76,7 @@ Note: You should always set `allow-deprecated-apis=false` to test for changes.
 
 ### Fixed
 
+- Fixed bogus "Bad commit_sig signature" which caused channel closures when reconnecting after updating fees under simultaneous bidirectional traffic.
 - Relative `--lightning_dir` is now working again.
 - Build: MacOS now builds again (missing pwritev).
 
@@ -493,7 +513,8 @@ There predate the BOLT specifications, and are only of vague historic interest:
 6. [0.5.1] - 2016-10-21
 7. [0.5.2] - 2016-11-21: "Bitcoin Savings & Trust Daily Interest II"
 
-[Unreleased]: https://github.com/ElementsProject/lightning/compare/v0.7.2.1...HEAD
+[Unreleased]: https://github.com/ElementsProject/lightning/compare/v0.7.3...HEAD
+[0.7.3]: https://github.com/ElementsProject/lightning/releases/tag/v0.7.3
 [0.7.2.1]: https://github.com/ElementsProject/lightning/releases/tag/v0.7.2.1
 [0.7.1]: https://github.com/ElementsProject/lightning/releases/tag/v0.7.1
 [0.7.0]: https://github.com/ElementsProject/lightning/releases/tag/v0.7.0

Makefile

@@ -263,7 +263,7 @@ ifeq ($(PYTEST),)
 	exit 1
 else
 # Explicitly hand DEVELOPER and VALGRIND so you can override on make cmd line.
-	PYTHONPATH=`pwd`/contrib/pylightning:$$PYTHONPATH TEST_DEBUG=1 DEVELOPER=$(DEVELOPER) VALGRIND=$(VALGRIND) $(PYTEST) tests/ $(PYTEST_OPTS)
+	PYTHONPATH=`pwd`/contrib/pyln-client:`pwd`/contrib/pyln-testing:$$PYTHONPATH TEST_DEBUG=1 DEVELOPER=$(DEVELOPER) VALGRIND=$(VALGRIND) $(PYTEST) tests/ $(PYTEST_OPTS)
 endif
 
 # Keep includes in alpha order.
@@ -316,7 +316,7 @@ check-python:
 	@# W503: line break before binary operator
 	@flake8 --ignore=E501,E731,W503 --exclude=contrib/pylightning/lightning/__init__.py ${PYSRC}
 
-	PYTHONPATH=contrib/pylightning:$$PYTHONPATH $(PYTEST) contrib/pylightning/
+	PYTHONPATH=contrib/pyln-client:$$PYTHONPATH $(PYTEST) contrib/pyln-client/
 
 check-includes:
 	@tools/check-includes.sh

README.md

@@ -12,6 +12,7 @@ c-lightning is a lighweight, highly customizable and [standard compliant][std] i
 	* [Configuration File](#configuration-file)
 * [Further Information](#further-information)
     * [Pruning](#pruning)
+    * [HD wallet encryption](#hd-wallet-encryption)
 	* [Developers](#developers)
 
 ## Project Status
@@ -102,8 +103,6 @@ Once you've started for the first time, there's a script called
 `contrib/bootstrap-node.sh` which will connect you to other nodes on
 the lightning network.
 
-You can encrypt the BIP32 root seed (what is stored in `hsm_secret`) by passing the `--encrypted-hsm` startup argument. You can start `lightningd` with `--encrypted-hsm` on an already existing `lightning-dir` (with a not encrypted `hsm_secret`). If you pass that option, you __will not__ be able to start `lightningd` (with the same wallet) again without the password, so please beware with your password management. Also beware of not feeling too safe with an encrypted `hsm_secret`: unlike for `bitcoind` where the wallet encryption can restrict the usage of some RPC command, `lightningd` always need to access keys from the wallet which is thus __not locked__ (yet), even with an encrypted BIP32 master seed.
-
 There are also numerous plugins available for c-lightning which add
 capabilities: in particular there's a collection at:
 
@@ -112,6 +111,9 @@ capabilities: in particular there's a collection at:
 Including [helpme][helpme-github] which guides you through setting up
 your first channels and customizing your node.
 
+For a less reckless experience, you can encrypt the HD wallet seed:
+ see [HD wallet encryption](#hd-wallet-encryption).
+
 You can also chat to other users at [#c-lightning @ freenode.net][irc2];
 we are always happy to help you get started!
 
@@ -202,6 +204,12 @@ If `bitcoind` prunes a block that c-lightning has not processed yet, e.g., c-lig
 In order to avoid this situation you should be monitoring the gap between c-lightning's blockheight using `lightning-cli getinfo` and `bitcoind`'s blockheight using `bitcoin-cli getblockchaininfo`.
 If the two blockheights drift apart it might be necessary to intervene.
 
+### HD wallet encryption
+
+You can encrypt the `hsm_secret` content (which is used to derive the HD wallet's master key) by passing the `--encrypted-hsm` startup argument, or by using the `hsmtool` (which you can find in the `tool/` directory at the root of this repo) with the `encrypt` method. You can unencrypt an encrypted `hsm_secret` using the `hsmtool` with the `decrypt` method.
+
+If you encrypt your `hsm_secret`, you will have to pass the `--encrypted-hsm` startup option to `lightningd`. Once your `hsm_secret` is encrypted, you __will not__ be able to access your funds without your password, so please beware with your password management. Also beware of not feeling too safe with an encrypted `hsm_secret`: unlike for `bitcoind` where the wallet encryption can restrict the usage of some RPC command, `lightningd` always need to access keys from the wallet which is thus __not locked__ (yet), even with an encrypted BIP32 master seed.
+
 ### Developers
 
 Developers wishing to contribute should start with the developer guide [here](doc/HACKING.md).

bitcoin/signature.c

@@ -75,16 +75,38 @@ static void dump_tx(const char *msg UNUSED,
 }
 #endif
 
+/* Taken from https://github.com/bitcoin/bitcoin/blob/master/src/key.cpp */
+/* Check that the sig has a low R value and will be less than 71 bytes */
+static bool sig_has_low_r(const secp256k1_ecdsa_signature* sig)
+{
+	unsigned char compact_sig[64];
+	secp256k1_ecdsa_signature_serialize_compact(secp256k1_ctx, compact_sig, sig);
+
+	/* In DER serialization, all values are interpreted as big-endian, signed
+	 * integers. The highest bit in the integer indicates its signed-ness; 0 is
+	 * positive, 1 is negative. When the value is interpreted as a negative
+	 * integer, it must be converted to a positive value by prepending a 0x00
+	 * byte so that the highest bit is 0. We can avoid this prepending by
+	 * ensuring that our highest bit is always 0, and thus we must check that
+	 * the first byte is less than 0x80. */
+	return compact_sig[0] < 0x80;
+}
+
 void sign_hash(const struct privkey *privkey,
 	       const struct sha256_double *h,
 	       secp256k1_ecdsa_signature *s)
 {
 	bool ok;
-
-	ok = secp256k1_ecdsa_sign(secp256k1_ctx,
-				  s,
-				  h->sha.u.u8,
-				  privkey->secret.data, NULL, NULL);
+	unsigned char extra_entropy[32] = {0};
+
+	/* Grind for low R */
+	do {
+		ok = secp256k1_ecdsa_sign(secp256k1_ctx,
+					  s,
+					  h->sha.u.u8,
+					  privkey->secret.data, NULL, extra_entropy);
+		((u32 *)extra_entropy)[0]++;
+	} while (!sig_has_low_r(s));
 	assert(ok);
 }
 

bitcoin/signature.h

@@ -47,7 +47,7 @@ struct bitcoin_signature {
 };
 
 /**
- * sign_hash - produce a raw secp256k1 signature.
+ * sign_hash - produce a raw secp256k1 signature (with low R value).
  * @p: secret key
  * @h: hash to sign.
  * @sig: signature to fill in and return.

bitcoin/tx.c

@@ -159,10 +159,6 @@ bool bitcoin_tx_check(const struct bitcoin_tx *tx)
 	if (wally_tx_get_length(tx->wtx, flags, &written) != WALLY_OK)
 		return false;
 
-	if (chainparams->is_elements) {
-		flags |= WALLY_TX_FLAG_USE_ELEMENTS;
-	}
-
 	newtx = tal_arr(tmpctx, u8, written);
 	if (wally_tx_to_bytes(tx->wtx, flags, newtx, written, &written) !=
 	    WALLY_OK)
@@ -208,6 +204,8 @@ const u8 *bitcoin_tx_output_get_script(const tal_t *ctx,
 	return res;
 }
 
+/* FIXME(cdecker) Make the caller pass in a reference to amount_asset, and
+ * return false if unintelligible/encrypted. (WARN UNUSED). */
 struct amount_asset bitcoin_tx_output_get_amount(const struct bitcoin_tx *tx,
 						 int outnum)
 {
@@ -220,13 +218,18 @@ struct amount_asset bitcoin_tx_output_get_amount(const struct bitcoin_tx *tx,
 	output = &tx->wtx->outputs[outnum];
 
 	if (chainparams->is_elements) {
-		/* We currently only support v1 asset tags */
-		assert(output->asset_len == sizeof(amount.asset) &&
-		       output->asset[0] == 0x01);
+		assert(output->asset_len == sizeof(amount.asset));
 		memcpy(&amount.asset, output->asset, sizeof(amount.asset));
-		memcpy(&raw, output->value + 1, sizeof(raw));
-		amount.value = be64_to_cpu(raw);
 
+		/* We currently only support explicit value asset tags, others
+		 * are confidential, so don't even try to assign a value to
+		 * it. */
+		if (output->asset[0] == 0x01) {
+			memcpy(&raw, output->value + 1, sizeof(raw));
+			amount.value = be64_to_cpu(raw);
+		} else {
+			amount.value = 0;
+		}
 	} else {
 		/* Do not assign amount.asset, we should never touch it in
 		 * non-elements scenarios. */
@@ -319,10 +322,7 @@ static void push_tx(const struct bitcoin_tx *tx,
         if (bip144 && uses_witness(tx))
 		flag |= WALLY_TX_FLAG_USE_WITNESS;
 
-	if (chainparams->is_elements)
-		flag |= WALLY_TX_FLAG_USE_ELEMENTS;
-
-	res = wally_tx_get_length(tx->wtx, flag & WALLY_TX_FLAG_USE_WITNESS, &len);
+	res = wally_tx_get_length(tx->wtx, flag, &len);
 	assert(res == WALLY_OK);
 	serialized = tal_arr(tmpctx, u8, len);
 

ccan/ccan/json_out/json_out.h

@@ -87,11 +87,11 @@ bool json_out_end(struct json_out *jout, char type);
  * If the resulting string requires escaping, and @quote is true, we
  * call json_escape().
  */
-PRINTF_FMT(4,5)
 bool json_out_add(struct json_out *jout,
 		  const char *fieldname,
 		  bool quote,
-		  const char *fmt, ...);
+		  const char *fmt, ...)
+	PRINTF_FMT(4,5);
 
 /**
  * json_out_addv - add a formatted member (vararg variant)