bolt: Updated the BOLT specification to a07dc3df3b4611989e3359f28f96c…

…574f7822850

This is mainly just copying over the copy-editing from the
lightning-rfc repository.

[ Split to just perform changes prior to the UNKNOWN_PAYMENT_HASH change --RR ]

Signed-off-by: Christian Decker <[email protected]>
Reported-by: Rusty Russell <@rustyrussell>

Makefile

@@ -15,7 +15,7 @@ CCANDIR := ccan
 
 # Where we keep the BOLT RFCs
 BOLTDIR := ../lightning-rfc/
-BOLTVERSION := bca814e270dcbee2fea51c0a26ca99efef261f2b
+BOLTVERSION := a07dc3df3b4611989e3359f28f96c574f7822850
 
 -include config.vars
 

channeld/channeld.c

@@ -425,12 +425,10 @@ static void channel_announcement_negotiate(struct peer *peer)
 	/* BOLT #7:
 	 *
 	 * A node:
-	 *   - if the `open_channel` message has the `announce_channel` bit set
-	 *     AND a `shutdown` message has not been sent:
+	 *   - if the `open_channel` message has the `announce_channel` bit set AND a `shutdown` message has not been sent:
 	 *     - MUST send the `announcement_signatures` message.
-	 *       - MUST NOT send `announcement_signatures` messages until
-	 *         `funding_locked` has been sent AND the funding transaction has
-	 *         at least six confirmations.
+	 *       - MUST NOT send `announcement_signatures` messages until `funding_locked`
+	 *       has been sent and received AND the funding transaction has at least six confirmations.
 	 *   - otherwise:
 	 *     - MUST NOT send the `announcement_signatures` message.
 	 */
@@ -439,10 +437,9 @@ static void channel_announcement_negotiate(struct peer *peer)
 
 	/* BOLT #7:
 	 *
-	 *      - MUST NOT send `announcement_signatures` messages until
-	 *      `funding_locked` has been sent AND the funding transaction has
-	 *      at least six confirmations.
-	 */
+	 *      - MUST NOT send `announcement_signatures` messages until `funding_locked`
+	 *      has been sent and received AND the funding transaction has at least six confirmations.
+ 	 */
 	if (peer->announce_depth_reached && !peer->have_sigs[LOCAL]) {
 		send_announcement_signatures(peer);
 		peer->have_sigs[LOCAL] = true;

channeld/commit_tx.c

@@ -268,8 +268,7 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx,
 
 	/* BOLT #3:
 	 *
-	 * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower
-	 *   24 bits of the obscured commitment transaction number
+	 * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower 24 bits of the obscured commitment number
 	 */
 	tx->lock_time
 		= (0x20000000 | (obscured_commitment_number & 0xFFFFFF));
@@ -285,8 +284,7 @@ struct bitcoin_tx *commit_tx(const tal_t *ctx,
 
 	/* BOLT #3:
 	 *
-	 *    * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are
-	 *       upper 24 bits of the obscured commitment transaction number
+	 *    * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number
 	 */
 	tx->input[0].sequence_number
 		= (0x80000000 | ((obscured_commitment_number>>24) & 0xFFFFFF));

channeld/test/run-commit_tx.c

@@ -497,25 +497,25 @@ int main(void)
 
 	/* BOLT #3:
 	 *
-	 * <!-- The test vector values are derived, as per Key Derivation,
-	 *      though it's not required for this test. They're included here
-	 *      for completeness and in case someone wants to reproduce the
-	 *      test vectors themselves:
-         *
-         * INTERNAL: remote_funding_privkey: 1552dfba4f6cf29a62a0af13c8d6981d36d0ef8d61ba10fb0fe90da7634d7e130101
-         * INTERNAL: local_payment_basepoint_secret: 111111111111111111111111111111111111111111111111111111111111111101
-         * INTERNAL: remote_revocation_basepoint_secret: 222222222222222222222222222222222222222222222222222222222222222201
-         * INTERNAL: local_delayed_payment_basepoint_secret: 333333333333333333333333333333333333333333333333333333333333333301
-         * INTERNAL: remote_payment_basepoint_secret: 444444444444444444444444444444444444444444444444444444444444444401
-         * x_local_per_commitment_secret: 1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a0908070605040302010001
-         * # From remote_revocation_basepoint_secret
-         * INTERNAL: remote_revocation_basepoint: 02466d7fcae563e5cb09a0d1870bb580344804617879a14949cf22285f1bae3f27
-         * # From local_delayed_payment_basepoint_secret
-         * INTERNAL: local_delayed_payment_basepoint: 023c72addb4fdf09af94f0c94d7fe92a386a7e70cf8a1d85916386bb2535c7b1b1
-         * INTERNAL: local_per_commitment_point: 025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486
-         * INTERNAL: remote_privkey: 8deba327a7cc6d638ab0eb025770400a6184afcba6713c210d8d10e199ff2fda01
-         * # From local_delayed_payment_basepoint_secret, local_per_commitment_point and local_delayed_payment_basepoint
-         * INTERNAL: local_delayed_privkey: adf3464ce9c2f230fd2582fda4c6965e4993ca5524e8c9580e3df0cf226981ad01
+	 * <!-- The test vector values are derived, as per Key Derivation, though it's not
+	 * required for this test. They're included here for completeness and
+	 * in case someone wants to reproduce the test vectors themselves:
+	 *
+	 * INTERNAL: remote_funding_privkey: 1552dfba4f6cf29a62a0af13c8d6981d36d0ef8d61ba10fb0fe90da7634d7e1301
+	 * INTERNAL: local_payment_basepoint_secret: 111111111111111111111111111111111111111111111111111111111111111101
+	 * INTERNAL: remote_revocation_basepoint_secret: 222222222222222222222222222222222222222222222222222222222222222201
+	 * INTERNAL: local_delayed_payment_basepoint_secret: 333333333333333333333333333333333333333333333333333333333333333301
+	 * INTERNAL: remote_payment_basepoint_secret: 444444444444444444444444444444444444444444444444444444444444444401
+	 * x_local_per_commitment_secret: 1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a0908070605040302010001
+	 * # From remote_revocation_basepoint_secret
+	 * INTERNAL: remote_revocation_basepoint: 02466d7fcae563e5cb09a0d1870bb580344804617879a14949cf22285f1bae3f27
+	 * # From local_delayed_payment_basepoint_secret
+	 * INTERNAL: local_delayed_payment_basepoint: 023c72addb4fdf09af94f0c94d7fe92a386a7e70cf8a1d85916386bb2535c7b1b1
+	 * INTERNAL: local_per_commitment_point: 025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486
+	 * INTERNAL: remote_privkey: 8deba327a7cc6d638ab0eb025770400a6184afcba6713c210d8d10e199ff2fda01
+	 * # From local_delayed_payment_basepoint_secret, local_per_commitment_point and local_delayed_payment_basepoint
+	 * INTERNAL: local_delayed_privkey: adf3464ce9c2f230fd2582fda4c6965e4993ca5524e8c9580e3df0cf226981ad01
+	 * -->
 	 */
 	local_funding_privkey.secret = secret_from_hex("30ff4956bbdd3222d44cc5e8a1261dab1e07957bdac5ae88fe3261ef321f374901");
 	x_remote_funding_privkey.secret = secret_from_hex("1552dfba4f6cf29a62a0af13c8d6981d36d0ef8d61ba10fb0fe90da7634d7e1301");

channeld/test/run-full_channel.c

@@ -403,7 +403,7 @@ int main(void)
 	 *
 	 * local_payment_basepoint: 034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa
 	 * remote_payment_basepoint: 032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991
-	 * # obscured commitment transaction number = 0x2bb038521914 ^ 42
+	 * # obscured commitment number = 0x2bb038521914 ^ 42
 	 */
 	localbase.payment = pubkey_from_hex("034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa");
 	remotebase.payment = pubkey_from_hex("032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991");

common/initial_commit_tx.c

@@ -10,8 +10,7 @@
 
 /* BOLT #3:
  *
- * The 48-bit commitment transaction number is obscured by `XOR` with
- * the lower 48 bits of:
+ * The 48-bit commitment number is obscured by `XOR` with the lower 48 bits of:
  *
  *     SHA256(payment_basepoint from open_channel || payment_basepoint from accept_channel)
  */
@@ -206,8 +205,8 @@ struct bitcoin_tx *initial_commit_tx(const tal_t *ctx,
 
 	/* BOLT #3:
 	 *
-	 * * locktime: upper 8 bits are 0x20, lower 24 bits are the lower
-	 *   24 bits of the obscured commitment transaction number
+	 * * locktime: upper 8 bits are 0x20, lower 24 bits are the
+	 * lower 24 bits of the obscured commitment number
 	 */
 	tx->lock_time
 		= (0x20000000 | (obscured_commitment_number & 0xFFFFFF));
@@ -223,8 +222,7 @@ struct bitcoin_tx *initial_commit_tx(const tal_t *ctx,
 
 	/* BOLT #3:
 	 *
-	 *    * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are
-	 *       upper 24 bits of the obscured commitment transaction number
+	 *    * `txin[0]` sequence: upper 8 bits are 0x80, lower 24 bits are upper 24 bits of the obscured commitment number
 	 */
 	tx->input[0].sequence_number
 		= (0x80000000 | ((obscured_commitment_number>>24) & 0xFFFFFF));

connectd/handshake.c

@@ -138,21 +138,21 @@ struct keypair {
  * Throughout the handshake process, each side maintains these variables:
  *
  *  * `ck`: the **chaining key**. This value is the accumulated hash of all
- *    previous ECDH outputs. At the end of the handshake, `ck` is used to
- *    derive the encryption keys for Lightning messages.
+ *    previous ECDH outputs. At the end of the handshake, `ck` is used to derive
+ *    the encryption keys for Lightning messages.
  *
  *  * `h`: the **handshake hash**. This value is the accumulated hash of _all_
- *    handshake data that has been sent and received so far during the
- *    handshake process.
+ *    handshake data that has been sent and received so far during the handshake
+ *    process.
  *
- * * `temp_k1`, `temp_k2`, `temp_k3`: the **intermediate keys**. These are used to
- *    encrypt and decrypt the zero-length AEAD payloads at the end of each
- *    handshake message.
+ *  * `temp_k1`, `temp_k2`, `temp_k3`: the **intermediate keys**. These are used to
+ *    encrypt and decrypt the zero-length AEAD payloads at the end of each handshake
+ *    message.
  *
- *  * `e`: a party's **ephemeral keypair**. For each session, a node MUST
- *    generate a new ephemeral key with strong cryptographic randomness.
+ *  * `e`: a party's **ephemeral keypair**. For each session, a node MUST generate a
+ *    new ephemeral key with strong cryptographic randomness.
  *
- *  * `s`: a party's **static public key** (`ls` for local, `rs` for remote)
+ *  * `s`: a party's **static keypair** (`ls` for local, `rs` for remote)
  */
 struct handshake {
 	struct secret ck;
@@ -469,9 +469,8 @@ static struct io_plan *act_three_initiator(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 3. `ss = ECDH(re, s.priv)`
+	 * 3. `se = ECDH(s.priv, re)`
 	 *     * where `re` is the ephemeral public key of the responder
-	 *
 	 */
 	h->ss = hsm_do_ecdh(h, &h->re);
 	if (!h->ss)
@@ -481,9 +480,8 @@ static struct io_plan *act_three_initiator(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 4. `ck, temp_k3 = HKDF(ck, ss)`
-	 *     * The final intermediate shared secret is mixed into the running
-	 *       chaining key.
+	 * 4. `ck, temp_k3 = HKDF(ck, se)`
+	 *     * The final intermediate shared secret is mixed into the running chaining key.
 	 */
 	hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss));
 	SUPERVERBOSE("# ck,temp_k3=0x%s,0x%s",
@@ -547,8 +545,7 @@ static struct io_plan *act_two_initiator2(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 5. `ss = ECDH(re, e.priv)`
-	 *    * where `re` is the responder's ephemeral public key
+	 * 5. `es = ECDH(s.priv, re)`
 	 */
 	if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, &h->re.pubkey,
 			    h->e.priv.secret.data))
@@ -558,9 +555,9 @@ static struct io_plan *act_two_initiator2(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 6. `ck, temp_k2 = HKDF(ck, ss)`
-	 *     * A new temporary encryption key is generated, which is
-	 *       used to generate the authenticating MAC.
+	 * 6. `ck, temp_k2 = HKDF(ck, ee)`
+	 *      * A new temporary encryption key is generated, which is
+	 *        used to generate the authenticating MAC.
 	 */
 	hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss));
 	SUPERVERBOSE("# ck,temp_k2=0x%s,0x%s",
@@ -636,9 +633,9 @@ static struct io_plan *act_one_initiator(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 3. `ss = ECDH(rs, e.priv)`
-	 *     * The initiator performs an ECDH between its newly generated
-	 *       ephemeral key and the remote node's static public key.
+	 * 3. `es = ECDH(e.priv, rs)`
+	 *      * The initiator performs an ECDH between its newly generated ephemeral
+	 *        key and the remote node's static public key.
 	 */
 	h->ss = tal(h, struct secret);
 	if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data,
@@ -649,9 +646,9 @@ static struct io_plan *act_one_initiator(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 4. `ck, temp_k1 = HKDF(ck, ss)`
-	 *     * A new temporary encryption key is generated, which is
-	 *       used to generate the authenticating MAC.
+	 * 4. `ck, temp_k1 = HKDF(ck, es)`
+	 *      * A new temporary encryption key is generated, which is
+	 *        used to generate the authenticating MAC.
 	 */
 	hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss));
 	SUPERVERBOSE("# ck,temp_k1=0x%s,0x%s",
@@ -739,7 +736,7 @@ static struct io_plan *act_three_responder2(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 6. `ss = ECDH(rs, e.priv)`
+	 * 6. `se = ECDH(e.priv, rs)`
 	 *      * where `e` is the responder's original ephemeral key
 	 */
 	if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, &h->their_id.pubkey,
@@ -749,7 +746,7 @@ static struct io_plan *act_three_responder2(struct io_conn *conn,
 	SUPERVERBOSE("# ss=0x%s", tal_hexstr(tmpctx, h->ss, sizeof(*h->ss)));
 
 	/* BOLT #8:
-	 * 7. `ck, temp_k3 = HKDF(ck, ss)`
+	 * 7. `ck, temp_k3 = HKDF(ck, se)`
 	 */
 	hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss));
 	SUPERVERBOSE("# ck,temp_k3=0x%s,0x%s",
@@ -813,9 +810,9 @@ static struct io_plan *act_two_responder(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 3. `ss = ECDH(re, e.priv)`
-	 *      * where `re` is the ephemeral key of the initiator, which was
-	 *        received during Act One
+	 * 3. `ee = ECDH(e.priv, re)`
+	 *      * where `re` is the ephemeral key of the initiator, which was received
+	 *        during Act One
 	 */
 	if (!secp256k1_ecdh(secp256k1_ctx, h->ss->data, &h->re.pubkey,
 			    h->e.priv.secret.data))
@@ -824,8 +821,8 @@ static struct io_plan *act_two_responder(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 4. `ck, temp_k2 = HKDF(ck, ss)`
-	 *     * A new temporary encryption key is generated, which is
+	 * 4. `ck, temp_k2 = HKDF(ck, ee)`
+	 *      * A new temporary encryption key is generated, which is
 	 *       used to generate the authenticating MAC.
 	 */
 	hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss));
@@ -879,8 +876,9 @@ static struct io_plan *act_one_responder2(struct io_conn *conn,
 		return handshake_failed(conn, h);
 
 	/* BOLT #8:
+	 *
 	 *     * The raw bytes of the remote party's ephemeral public key
-	 *       (`e`) are to be deserialized into a point on the curve using
+	 *       (`re`) are to be deserialized into a point on the curve using
 	 *       affine coordinates as encoded by the key's serialized
 	 *       composed format.
 	 */
@@ -900,7 +898,8 @@ static struct io_plan *act_one_responder2(struct io_conn *conn,
 	SUPERVERBOSE("# h=0x%s", tal_hexstr(tmpctx, &h->h, sizeof(h->h)));
 
 	/* BOLT #8:
-	 * 5. `ss = ECDH(re, s.priv)`
+	 *
+	 * 5. `es = ECDH(s.priv, re)`
 	 *    * The responder performs an ECDH between its static private key and
 	 *      the initiator's ephemeral public key.
 	 */
@@ -912,9 +911,9 @@ static struct io_plan *act_one_responder2(struct io_conn *conn,
 
 	/* BOLT #8:
 	 *
-	 * 6. `ck, temp_k1 = HKDF(ck, ss)`
-	 *    * A new temporary encryption key is generated, which will
-	 *      shortly be used to check the authenticating MAC.
+	 * 6. `ck, temp_k1 = HKDF(ck, es)`
+	 *     * A new temporary encryption key is generated, which will
+	 *       shortly be used to check the authenticating MAC.
 	 */
 	hkdf_two_keys(&h->ck, &h->temp_k, &h->ck, h->ss, sizeof(*h->ss));
 	SUPERVERBOSE("# ck,temp_k1=0x%s,0x%s",

gossipd/gossipd.c

@@ -328,7 +328,7 @@ static bool encode_short_channel_ids_end(u8 **encoded, size_t max_bytes)
 
 /* BOLT #7:
  *
- * An endpoint node:
+ * A node:
  *   - if the `gossip_queries` feature is negotiated:
  * 	- MUST NOT relay any gossip messages unless explicitly requested.
  */
@@ -570,8 +570,8 @@ static const u8 *handle_query_short_channel_ids(struct peer *peer, const u8 *msg
 
 	/* BOLT #7:
 	 *
-	 * - MUST respond to each known `short_channel_id` with a
-	 *   `channel_announcement` and the latest `channel_update`s for each end
+	 * - MUST respond to each known `short_channel_id` with a `channel_announcement`
+	 *   and the latest `channel_update` for each end
 	 *    - SHOULD NOT wait for the next outgoing gossip flush to send
 	 *      these.
 	 */
@@ -1002,8 +1002,7 @@ static void maybe_create_next_scid_reply(struct peer *peer)
 	/* BOLT #7:
 	 *
 	 *   - MUST respond to each known `short_channel_id` with a
-	 *     `channel_announcement` and the latest `channel_update`s for
-	 *     each end
+	 *     `channel_announcement` and the latest `channel_update` for each end
 	 *     - SHOULD NOT wait for the next outgoing gossip flush
 	 *       to send these.
 	 */
@@ -1116,7 +1115,7 @@ static void maybe_queue_gossip(struct peer *peer)
 
 	/* BOLT #7:
 	 *
-	 * An endpoint node:
+	 * A node:
 	 *...
 	 *  - SHOULD flush outgoing gossip messages once every 60 seconds,
 	 *    independently of the arrival times of the messages.
@@ -1238,9 +1237,9 @@ static void update_local_channel(struct daemon *daemon,
 	/* BOLT #7:
 	 *
 	 * The origin node:
-	 *   - MAY create a `channel_update` to communicate the channel
-	 *   parameters to the final node, even though the channel has not yet
-	 *   been announced
+	 *  - MAY create a `channel_update` to communicate the channel parameters to the
+	 *    channel peer, even though the channel has not yet been announced (i.e. the
+	 *    `announce_channel` bit was not set).
 	 */
 	if (!is_chan_public(chan)) {
 		/* handle_channel_update will not put private updates in the
@@ -1749,7 +1748,7 @@ static void gossip_send_keepalive_update(struct daemon *daemon,
 
 /* BOLT #7:
  *
- * An endpoint node:
+ * A node:
  *  - if a channel's latest `channel_update`s `timestamp` is older than two weeks
  *    (1209600 seconds):
  *     - MAY prune the channel.