diff --git a/Makefile b/Makefile index a80efbb2e988..a23bbc67c92a 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ CCANDIR := ccan # Where we keep the BOLT RFCs BOLTDIR := ../lightning-rfc/ -BOLTVERSION := bca814e270dcbee2fea51c0a26ca99efef261f2b +BOLTVERSION := a07dc3df3b4611989e3359f28f96c574f7822850 -include config.vars diff --git a/channeld/channeld.c b/channeld/channeld.c index 3d9e9ff64c7b..5f5ec5188247 100644 --- a/channeld/channeld.c +++ b/channeld/channeld.c @@ -425,12 +425,10 @@ static void channel_announcement_negotiate(struct peer *peer) /* BOLT #7: * * A node: - * - if the `open_channel` message has the `announce_channel` bit set - * AND a `shutdown` message has not been sent: + * - if the `open_channel` message has the `announce_channel` bit set AND a `shutdown` message has not been sent: * - MUST send the `announcement_signatures` message. - * - MUST NOT send `announcement_signatures` messages until - * `funding_locked` has been sent AND the funding transaction has - * at least six confirmations. + * - MUST NOT send `announcement_signatures` messages until `funding_locked` + * has been sent and received AND the funding transaction has at least six confirmations. * - otherwise: * - MUST NOT send the `announcement_signatures` message. */ @@ -439,10 +437,9 @@ static void channel_announcement_negotiate(struct peer *peer) /* BOLT #7: * - * - MUST NOT send `announcement_signatures` messages until - * `funding_locked` has been sent AND the funding transaction has - * at least six confirmations. - */ + * - MUST NOT send `announcement_signatures` messages until `funding_locked` + * has been sent and received AND the funding transaction has at least six confirmations. + */ if (peer->announce_depth_reached && !peer->have_sigs[LOCAL]) { send_announcement_signatures(peer); peer->have_sigs[LOCAL] = true; diff --git a/channeld/commit_tx.c b/channeld/commit_tx.c index 575fbb47e552..9c38291bfa8c 100644 --- a/channeld/commit_tx.c +++ b/channeld/commit_tx.c 
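Review bot: The guard under the second BOLT #7 quote in channel_announcement_negotiate still tests only `peer->announce_depth_reached && !peer->have_sigs[LOCAL]`, while the updated quote now requires `funding_locked` to have been both sent and received. The function starts outside the hunk, so an earlier return may already cover the received side. If it does, a short comment beside the guard such as `/* funding_locked sent and received is checked at the top of this function */` would make the tightened requirement traceable. If it does not, the condition needs the remote flag too. The same quote is updated in funding_lockin_cb in lightningd/peer_control.c, where the hunk shows no code to check against.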
@@ -268,8 +268,7 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx, /* BOLT #3: * - * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower - * 24 bits of the obscured commitment transaction number + * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower 24 bits of the obscured commitment number */ tx->lock_time = (0x20000000 | (obscured_commitment_number & 0xFFFFFF)); @@ -285,8 +284,7 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx, /* BOLT #3: * - * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are - * upper 24 bits of the obscured commitment transaction number + * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number */ tx->input[0].sequence_number = (0x80000000 | ((obscured_commitment_number>>24) & 0xFFFFFF)); diff --git a/channeld/test/run-commit_tx.c b/channeld/test/run-commit_tx.c index 1e0e7c006468..038a52d518e8 100644 --- a/channeld/test/run-commit_tx.c +++ b/channeld/test/run-commit_tx.c @@ -497,25 +497,25 @@ int main(void) /* BOLT #3: * - * */ local_funding_privkey.secret = secret_from_hex("30ff4956bbdd3222d44cc5e8a1261dab1e07957bdac5ae88fe3261ef321f374901"); x_remote_funding_privkey.secret = secret_from_hex("1552dfba4f6cf29a62a0af13c8d6981d36d0ef8d61ba10fb0fe90da7634d7e1301"); diff --git a/channeld/test/run-full_channel.c b/channeld/test/run-full_channel.c index 3098ee716168..d9062e2bf546 100644 --- a/channeld/test/run-full_channel.c +++ b/channeld/test/run-full_channel.c 
@@ -403,7 +403,7 @@ int main(void) * * local_payment_basepoint: 034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa * remote_payment_basepoint: 032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991 - * # obscured commitment transaction number = 0x2bb038521914 ^ 42 + * # obscured commitment number = 0x2bb038521914 ^ 42 */ localbase.payment = pubkey_from_hex("034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa"); remotebase.payment = pubkey_from_hex("032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991"); diff --git a/common/initial_commit_tx.c b/common/initial_commit_tx.c index 2d3aadb0d635..8d246a666abc 100644 --- a/common/initial_commit_tx.c +++ b/common/initial_commit_tx.c @@ -10,8 +10,7 @@ /* BOLT #3: * - * The 48-bit commitment transaction number is obscured by `XOR` with - * the lower 48 bits of: + * The 48-bit commitment number is obscured by `XOR` with the lower 48 bits of: * * SHA256(payment_basepoint from open_channel || payment_basepoint from accept_channel) */ @@ -206,8 +205,8 @@ struct bitcoin_tx *initial_commit_tx(const tal_t *ctx, /* BOLT #3: * - * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower - * 24 bits of the obscured commitment transaction number + * * locktime: upper 8 bits are 0x20, lower 24 bits are the + * lower 24 bits of the obscured commitment number */ tx->lock_time = (0x20000000 | (obscured_commitment_number & 0xFFFFFF)); @@ -223,8 +222,7 @@ struct bitcoin_tx *initial_commit_tx(const tal_t *ctx, /* BOLT #3: * - * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are - * upper 24 bits of the obscured commitment transaction number + * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number */ tx->input[0].sequence_number = (0x80000000 | ((obscured_commitment_number>>24) & 0xFFFFFF)); diff --git a/connectd/handshake.c b/connectd/handshake.c index 617e7054fc9f..49275093b19d 100644 --- a/connectd/handshake.c 
+++ b/connectd/handshake.c @@ -138,21 +138,21 @@ struct keypair { * Throughout the handshake process, each side maintains these variables: * * * `ck`: the **chaining key**. This value is the accumulated hash of all - * previous ECDH outputs. At the end of the handshake, `ck` is used to - * derive the encryption keys for Lightning messages. + * previous ECDH outputs. At the end of the handshake, `ck` is used to derive + * the encryption keys for Lightning messages. * * * `h`: the **handshake hash**. This value is the accumulated hash of _all_ - * handshake data that has been sent and received so far during the - * handshake process. + * handshake data that has been sent and received so far during the handshake + * process. * - * * `temp_k1`, `temp_k2`, `temp_k3`: the **intermediate keys**. These are used to - * encrypt and decrypt the zero-length AEAD payloads at the end of each - * handshake message. + * * `temp_k1`, `temp_k2`, `temp_k3`: the **intermediate keys**. These are used to + * encrypt and decrypt the zero-length AEAD payloads at the end of each handshake + * message. * - * * `e`: a party's **ephemeral keypair**. For each session, a node MUST - * generate a new ephemeral key with strong cryptographic randomness. + * * `e`: a party's **ephemeral keypair**. For each session, a node MUST generate a + * new ephemeral key with strong cryptographic randomness. * - * * `s`: a party's **static public key** (`ls` for local, `rs` for remote) + * * `s`: a party's **static keypair** (`ls` for local, `rs` for remote) */ struct handshake { struct secret ck; @@ -469,9 +469,8 @@ static struct io_plan *act_three_initiator(struct io_conn *conn, /* BOLT #8: * - * 3. `ss = ECDH(re, s.priv)` + * 3. `se = ECDH(s.priv, re)` * * where `re` is the ephemeral public key of the responder - * */ h->ss = hsm_do_ecdh(h, &h->re); if (!h->ss) 
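Review bot: The quoted step in act_three_initiator now names the result `se`, but the code still stores it in `h->ss` (`h->ss = hsm_do_ecdh(h, &h->re);`). The later hunks do the same for `es` and `ee`, and the trace strings still read `# ss=0x%s`. A reader matching code to spec can no longer tell which of the three secrets `h->ss` holds at a given point. I would add a comment outside the BOLT quote, for example `/* h->ss is reused for es, ee and se in turn */`, at the first use or on the field in struct handshake, whose body is outside the hunk. This applies equally to the hunks in act_one_initiator, act_two_initiator2, act_two_responder, act_three_responder2 and act_one_responder2.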
@@ -481,9 +480,8 @@ static struct io_plan *act_three_initiator(struct io_conn *conn, /* BOLT #8: * - * 4. `ck, temp_k3 = HKDF(ck, ss)` - * * The final intermediate shared secret is mixed into the running - * chaining key. + * 4. `ck, temp_k3 = HKDF(ck, se)` + * * The final intermediate shared secret is mixed into the running chaining key. */ hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss)); SUPERVERBOSE("# ck,temp_k3=0x%s,0x%s", @@ -547,8 +545,7 @@ static struct io_plan *act_two_initiator2(struct io_conn *conn, /* BOLT #8: * - * 5. `ss = ECDH(re, e.priv)` - * * where `re` is the responder's ephemeral public key + * 5. `es = ECDH(s.priv, re)` */ if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, &h->re.pubkey, h->e.priv.secret.data)) @@ -558,9 +555,9 @@ static struct io_plan *act_two_initiator2(struct io_conn *conn, /* BOLT #8: * - * 6. `ck, temp_k2 = HKDF(ck, ss)` - * * A new temporary encryption key is generated, which is - * used to generate the authenticating MAC. + * 6. `ck, temp_k2 = HKDF(ck, ee)` + * * A new temporary encryption key is generated, which is + * used to generate the authenticating MAC. */ hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss)); SUPERVERBOSE("# ck,temp_k2=0x%s,0x%s", @@ -636,9 +633,9 @@ static struct io_plan *act_one_initiator(struct io_conn *conn, /* BOLT #8: * - * 3. `ss = ECDH(rs, e.priv)` - * * The initiator performs an ECDH between its newly generated - * ephemeral key and the remote node's static public key. + * 3. `es = ECDH(e.priv, rs)` + * * The initiator performs an ECDH between its newly generated ephemeral + * key and the remote node's static public key. */ h->ss = tal(h, struct secret); if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, 
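Review bot: In act_two_initiator2 the updated step 5 quote reads `es = ECDH(s.priv, re)`, but the call below it passes `&h->re.pubkey` and `h->e.priv.secret.data`, which is the ephemeral-ephemeral secret, and the step 6 quote mixes in `ee`. The new quote also drops the line explaining `re`. If the quote has to stay verbatim from the spec at this BOLTVERSION, add a separate comment such as `/* This is ee (our ephemeral key with their ephemeral key); the quoted step text names es */`. That keeps anyone from "correcting" the code to use the static key, which would break interoperability and the forward secrecy the ephemeral exchange provides. The function body starts and ends outside the hunk.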
@@ -649,9 +646,9 @@ static struct io_plan *act_one_initiator(struct io_conn *conn, /* BOLT #8: * - * 4. `ck, temp_k1 = HKDF(ck, ss)` - * * A new temporary encryption key is generated, which is - * used to generate the authenticating MAC. + * 4. `ck, temp_k1 = HKDF(ck, es)` + * * A new temporary encryption key is generated, which is + * used to generate the authenticating MAC. */ hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss)); SUPERVERBOSE("# ck,temp_k1=0x%s,0x%s", @@ -739,7 +736,7 @@ static struct io_plan *act_three_responder2(struct io_conn *conn, /* BOLT #8: * - * 6. `ss = ECDH(rs, e.priv)` + * 6. `se = ECDH(e.priv, rs)` * * where `e` is the responder's original ephemeral key */ if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, &h->their_id.pubkey, @@ -749,7 +746,7 @@ static struct io_plan *act_three_responder2(struct io_conn *conn, SUPERVERBOSE("# ss=0x%s", tal_hexstr(tmpctx, h->ss, sizeof(*h->ss))); /* BOLT #8: - * 7. `ck, temp_k3 = HKDF(ck, ss)` + * 7. `ck, temp_k3 = HKDF(ck, se)` */ hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss)); SUPERVERBOSE("# ck,temp_k3=0x%s,0x%s", @@ -813,9 +810,9 @@ static struct io_plan *act_two_responder(struct io_conn *conn, /* BOLT #8: * - * 3. `ss = ECDH(re, e.priv)` - * * where `re` is the ephemeral key of the initiator, which was - * received during Act One + * 3. `ee = ECDH(e.priv, re)` + * * where `re` is the ephemeral key of the initiator, which was received + * during Act One */ if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, &h->re.pubkey, h->e.priv.secret.data)) @@ -824,8 +821,8 @@ static struct io_plan *act_two_responder(struct io_conn *conn, /* BOLT #8: * - * 4. `ck, temp_k2 = HKDF(ck, ss)` - * * A new temporary encryption key is generated, which is + * 4. `ck, temp_k2 = HKDF(ck, ee)` + * * A new temporary encryption key is generated, which is * used to generate the authenticating MAC. */ hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss)); 
@@ -879,8 +876,9 @@ static struct io_plan *act_one_responder2(struct io_conn *conn, return handshake_failed(conn, h); /* BOLT #8: + * * * The raw bytes of the remote party's ephemeral public key - * (`e`) are to be deserialized into a point on the curve using + * (`re`) are to be deserialized into a point on the curve using * affine coordinates as encoded by the key's serialized * composed format. */ @@ -900,7 +898,8 @@ static struct io_plan *act_one_responder2(struct io_conn *conn, SUPERVERBOSE("# h=0x%s", tal_hexstr(tmpctx, &h->h, sizeof(h->h))); /* BOLT #8: - * 5. `ss = ECDH(re, s.priv)` + * + * 5. `es = ECDH(s.priv, re)` * * The responder performs an ECDH between its static private key and * the initiator's ephemeral public key. */ @@ -912,9 +911,9 @@ static struct io_plan *act_one_responder2(struct io_conn *conn, /* BOLT #8: * - * 6. `ck, temp_k1 = HKDF(ck, ss)` - * * A new temporary encryption key is generated, which will - * shortly be used to check the authenticating MAC. + * 6. `ck, temp_k1 = HKDF(ck, es)` + * * A new temporary encryption key is generated, which will + * shortly be used to check the authenticating MAC. */ hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss)); SUPERVERBOSE("# ck,temp_k1=0x%s,0x%s", diff --git a/gossipd/gossipd.c b/gossipd/gossipd.c index 8df0eeb4b65e..d04300a5c910 100644 --- a/gossipd/gossipd.c +++ b/gossipd/gossipd.c @@ -328,7 +328,7 @@ static bool encode_short_channel_ids_end(u8 **encoded, size_t max_bytes) /* BOLT #7: * - * An endpoint node: + * A node: * - if the `gossip_queries` feature is negotiated: * - MUST NOT relay any gossip messages unless explicitly requested. */ 
@@ -570,8 +570,8 @@ static const u8 *handle_query_short_channel_ids(struct peer *peer, const u8 *msg /* BOLT #7: * - * - MUST respond to each known `short_channel_id` with a - * `channel_announcement` and the latest `channel_update`s for each end + * - MUST respond to each known `short_channel_id` with a `channel_announcement` + * and the latest `channel_update` for each end * - SHOULD NOT wait for the next outgoing gossip flush to send * these. */ @@ -1002,8 +1002,7 @@ static void maybe_create_next_scid_reply(struct peer *peer) /* BOLT #7: * * - MUST respond to each known `short_channel_id` with a - * `channel_announcement` and the latest `channel_update`s for - * each end + * `channel_announcement` and the latest `channel_update` for each end * - SHOULD NOT wait for the next outgoing gossip flush * to send these. */ @@ -1116,7 +1115,7 @@ static void maybe_queue_gossip(struct peer *peer) /* BOLT #7: * - * An endpoint node: + * A node: *... * - SHOULD flush outgoing gossip messages once every 60 seconds, * independently of the arrival times of the messages. @@ -1238,9 +1237,9 @@ static void update_local_channel(struct daemon *daemon, /* BOLT #7: * * The origin node: - * - MAY create a `channel_update` to communicate the channel - * parameters to the final node, even though the channel has not yet - * been announced + * - MAY create a `channel_update` to communicate the channel parameters to the + * channel peer, even though the channel has not yet been announced (i.e. the + * `announce_channel` bit was not set). */ if (!is_chan_public(chan)) { /* handle_channel_update will not put private updates in the @@ -1749,7 +1748,7 @@ static void gossip_send_keepalive_update(struct daemon *daemon, /* BOLT #7: * - * An endpoint node: + * A node: * - if a channel's latest `channel_update`s `timestamp` is older than two weeks * (1209600 seconds): * - MAY prune the channel. diff --git a/gossipd/routing.c b/gossipd/routing.c index 0df4746c36f0..830c6c797670 100644 
--- a/gossipd/routing.c +++ b/gossipd/routing.c @@ -844,8 +844,7 @@ u8 *handle_channel_announcement(struct routing_state *rstate, } /* BOLT #7: - * - * The final node: + * The receiving node: *... * - if the specified `chain_hash` is unknown to the receiver: * - MUST ignore the message. @@ -941,7 +940,7 @@ void handle_pending_cannouncement(struct routing_state *rstate, /* BOLT #7: * - * The final node: + * The receiving node: *... * - if the `short_channel_id`'s output... is spent: * - MUST ignore the message. @@ -956,7 +955,7 @@ void handle_pending_cannouncement(struct routing_state *rstate, /* BOLT #7: * - * The final node: + * The receiving node: *... * - if the `short_channel_id`'s output does NOT correspond to a P2WSH * (using `bitcoin_key_1` and `bitcoin_key_2`, as specified in @@ -1169,7 +1168,7 @@ u8 *handle_channel_update(struct routing_state *rstate, const u8 *update TAKES, /* BOLT #7: * - * The final node: + * The receiving node: *... * - if the specified `chain_hash` value is unknown (meaning it isn't * active on the specified chain): @@ -1292,7 +1291,7 @@ static struct wireaddr *read_addresses(const tal_t *ctx, const u8 *ser) /* BOLT #7: * - * The final node: + * The receiving node: *... * - SHOULD ignore the first `address descriptor` that does * NOT match the types defined above. @@ -1392,7 +1391,7 @@ u8 *handle_node_announcement(struct routing_state *rstate, const u8 *node_ann) /* BOLT #7: * - * The final node: + * The receiving node: *... * - if `features` field contains _unknown even bits_: * - MUST NOT parse the remainder of the message. 
@@ -1410,12 +1409,13 @@ u8 *handle_node_announcement(struct routing_state *rstate, const u8 *node_ann) if (!check_signed_hash(&hash, &signature, &node_id)) { /* BOLT #7: * - * - if `signature` is NOT a valid signature (using `node_id` - * of the double-SHA256 of the entire message following the - * `signature` field, including unknown fields following - * `alias`): - * - SHOULD fail the connection. + * - if `signature` is not a valid signature, using + * `node_id` of the double-SHA256 of the entire + * message following the `signature` field + * (including unknown fields following + * `fee_proportional_millionths`): * - MUST NOT process the message further. + * - SHOULD fail the connection. */ u8 *err = towire_errorfmt(rstate, NULL, "Bad signature for %s hash %s" diff --git a/lightningd/peer_control.c b/lightningd/peer_control.c index 3f6f5a14472c..e28c65f7cb90 100644 --- a/lightningd/peer_control.c +++ b/lightningd/peer_control.c @@ -550,12 +550,10 @@ static enum watch_result funding_lockin_cb(struct lightningd *ld, /* BOLT #7: * * A node: - * - if the `open_channel` message has the `announce_channel` bit set - * AND a `shutdown` message has not been sent: + * - if the `open_channel` message has the `announce_channel` bit set AND a `shutdown` message has not been sent: * - MUST send the `announcement_signatures` message. - * - MUST NOT send `announcement_signatures` messages until - * `funding_locked` has been sent AND the funding transaction has - * at least six confirmations. + * - MUST NOT send `announcement_signatures` messages until `funding_locked` + * has been sent and received AND the funding transaction has at least six confirmations. * - otherwise: * - MUST NOT send the `announcement_signatures` message. */ diff --git a/onchaind/onchaind.c b/onchaind/onchaind.c index f08d29b4ded5..a21ceff41ce7 100644 --- a/onchaind/onchaind.c +++ b/onchaind/onchaind.c 
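Review bot: The updated quote on the `check_signed_hash` failure path in handle_node_announcement says the signed data includes unknown fields following `fee_proportional_millionths`, where the removed text said `alias`. That field name looks like it belongs to `channel_update` rather than `node_announcement`, so the quote may carry a copy-paste slip from the spec. This comment is what tells a maintainer which bytes the signature covers, so I would add a line outside the quote, e.g. `/* hash covers every byte after the signature field, including trailing unknown fields */`. That wording needs confirming against how `hash` is computed, which is outside the hunk.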
@@ -613,20 +613,15 @@ static u64 unmask_commit_number(const struct bitcoin_tx *tx, /* BOLT #3: * - * The 48-bit commitment transaction number is obscured by - * `XOR` with the lower 48 bits of... + * The 48-bit commitment number is obscured by `XOR` with the lower 48 bits of... */ obscurer = commit_number_obscurer(keys[funder], keys[!funder]); /* BOLT #3: * - * * locktime: upper 8 bits are 0x20, lower 24 bits are the - * lower 24 bits of the obscured commitment transaction - * number + * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower 24 bits of the obscured commitment number *... - * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits - * are upper 24 bits of the obscured commitment - * transaction number + * * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number */ return ((tx->lock_time & 0x00FFFFFF) | (tx->input[0].sequence_number & (u64)0x00FFFFFF) << 24)