]> git.bitcoin.ninja Git - rust-lightning/commitdiff
Bug fix using same seed sequence for channel key geneartion 2018-10-229-redux
authorYuntai Kyong <yuntai.kyong@gmail.com>
Sun, 28 Oct 2018 05:35:49 +0000 (14:35 +0900)
committerMatt Corallo <git@bluematt.me>
Wed, 31 Oct 2018 20:34:51 +0000 (16:34 -0400)
src/chain/keysinterface.rs

index 18b069369b70e72455cee7cc80893a76bacb5195..556be6dc5bbaa4c881ca58f12be762c28598ff54 100644 (file)
@@ -14,11 +14,16 @@ use secp256k1::Secp256k1;
 use secp256k1;
 
 use crypto::hkdf::{hkdf_extract,hkdf_expand};
+use crypto::digest::Digest;
 
 use util::sha2::Sha256;
 use util::logger::Logger;
+use util::rng;
+use util::byte_utils;
 
+use std::time::{SystemTime, UNIX_EPOCH};
 use std::sync::Arc;
+use std::sync::atomic::{AtomicUsize, Ordering};
 
 /// When on-chain outputs are created by rust-lightning an event is generated which informs the
 /// user thereof. This enum describes the format of the output and provides the OutPoint.
@@ -39,7 +44,7 @@ pub enum SpendableOutputDescriptor {
        DynamicOutput {
                /// Outpoint spendable by user wallet
                outpoint: OutPoint,
-               /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint
+               /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint)
                local_delayedkey: SecretKey,
                /// witness redeemScript encumbering output
                witness_script: Script,
@@ -137,6 +142,7 @@ pub struct KeysManager {
        destination_script: Script,
        shutdown_pubkey: PublicKey,
        channel_master_key: ExtendedPrivKey,
+       channel_child_index: AtomicUsize,
 
        logger: Arc<Logger>,
 }
@@ -169,6 +175,7 @@ impl KeysManager {
                                        destination_script,
                                        shutdown_pubkey,
                                        channel_master_key,
+                                       channel_child_index: AtomicUsize::new(0),
 
                                        logger,
                                }
@@ -192,11 +199,25 @@ impl KeysInterface for KeysManager {
        }
 
        fn get_channel_keys(&self, _inbound: bool) -> ChannelKeys {
-               let channel_pubkey = ExtendedPubKey::from_private(&self.secp_ctx, &self. channel_master_key);
-               let mut seed = [0; 32];
-               for (arr, slice) in seed.iter_mut().zip((&channel_pubkey.public_key.serialize()[0..32]).iter()) {
-                       *arr = *slice;
-               }
+               // We only seriously intend to rely on the channel_master_key for true secure
+               // entropy, everything else just ensures uniqueness. We generally don't expect
+               // all clients to have non-broken RNGs here, so we also include the current
+               // time as a fallback to get uniqueness.
+               let mut sha = Sha256::new();
+
+               let mut seed = [0u8; 32];
+               rng::fill_bytes(&mut seed[..]);
+               sha.input(&seed);
+
+               let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards");
+               sha.input(&byte_utils::be32_to_array(now.subsec_nanos()));
+               sha.input(&byte_utils::be64_to_array(now.as_secs()));
+
+               let child_ix = self.channel_child_index.fetch_add(1, Ordering::AcqRel);
+               let child_privkey = self.channel_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32)).expect("Your RNG is busted");
+               sha.input(&child_privkey.secret_key[..]);
+
+               sha.result(&mut seed);
                ChannelKeys::new_from_seed(&seed)
        }
 }