X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=src%2Fchain%2Fkeysinterface.rs;h=013a3388f797a302304b2307637804f408f2570a;hb=8e198bb7197ba62663a932669a8c37a9beb22019;hp=556be6dc5bbaa4c881ca58f12be762c28598ff54;hpb=d9d8ea3f65500c59e06f7f291c034d35bb08b502;p=rust-lightning diff --git a/src/chain/keysinterface.rs b/src/chain/keysinterface.rs index 556be6dc..013a3388 100644 --- a/src/chain/keysinterface.rs +++ b/src/chain/keysinterface.rs @@ -6,17 +6,16 @@ use bitcoin::blockdata::transaction::{OutPoint, TxOut}; use bitcoin::blockdata::script::{Script, Builder}; use bitcoin::blockdata::opcodes; use bitcoin::network::constants::Network; -use bitcoin::util::hash::Hash160; use bitcoin::util::bip32::{ExtendedPrivKey, ExtendedPubKey, ChildNumber}; +use bitcoin_hashes::{Hash, HashEngine}; +use bitcoin_hashes::sha256::Hash as Sha256; +use bitcoin_hashes::hash160::Hash as Hash160; + use secp256k1::key::{SecretKey, PublicKey}; use secp256k1::Secp256k1; use secp256k1; -use crypto::hkdf::{hkdf_extract,hkdf_expand}; -use crypto::digest::Digest; - -use util::sha2::Sha256; use util::logger::Logger; use util::rng; use util::byte_utils; @@ -37,19 +36,34 @@ pub enum SpendableOutputDescriptor { /// The output which is referenced by the given outpoint output: TxOut, }, - /// Outpoint commits to a P2WSH, should be spend by the following witness : + /// Outpoint commits to a P2WSH + /// P2WSH should be spend by the following witness : /// 0 /// With input nSequence set to_self_delay. - /// Outputs from a HTLC-Success/Timeout tx - DynamicOutput { + /// Outputs from a HTLC-Success/Timeout tx/commitment tx + DynamicOutputP2WSH { /// Outpoint spendable by user wallet outpoint: OutPoint, - /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint) - local_delayedkey: SecretKey, - /// witness redeemScript encumbering output + /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint) OR + key: SecretKey, + /// witness redeemScript encumbering output. witness_script: Script, /// nSequence input must commit to self_delay to satisfy script's OP_CSV to_self_delay: u16, + /// The output which is referenced by the given outpoint + output: TxOut, + }, + /// Outpoint commits to a P2WPKH + /// P2WPKH should be spend by the following witness : + /// + /// Outputs to_remote from a commitment tx + DynamicOutputP2WPKH { + /// Outpoint spendable by user wallet + outpoint: OutPoint, + /// localkey = payment_basepoint_secret + SHA256(per_commitment_point || payment_basepoint + key: SecretKey, + /// The output which is reference by the given outpoint + output: TxOut, } } @@ -64,6 +78,12 @@ pub trait KeysInterface: Send + Sync { /// Get a new set of ChannelKeys for per-channel secrets. These MUST be unique even if you /// restarted with some stale data! fn get_channel_keys(&self, inbound: bool) -> ChannelKeys; + /// Get a secret for construting an onion packet + fn get_session_key(&self) -> SecretKey; + /// Get a unique temporary channel id. Channels will be referred to by this until the funding + /// transaction is created, at which point they will use the outpoint in the funding + /// transaction. + fn get_channel_id(&self) -> [u8; 32]; } /// Set of lightning keys needed to operate a channel as described in BOLT 3 @@ -92,43 +112,6 @@ impl_writeable!(ChannelKeys, 0, { commitment_seed }); -impl ChannelKeys { - /// Generate a set of lightning keys needed to operate a channel by HKDF-expanding a given - /// random 32-byte seed - pub fn new_from_seed(seed: &[u8; 32]) -> ChannelKeys { - let mut prk = [0; 32]; - hkdf_extract(Sha256::new(), b"rust-lightning key gen salt", seed, &mut prk); - let secp_ctx = Secp256k1::without_caps(); - - let mut okm = [0; 32]; - hkdf_expand(Sha256::new(), &prk, b"rust-lightning funding key info", &mut okm); - let funding_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning revocation base key info", &mut okm); - let revocation_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning payment base key info", &mut okm); - let payment_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning delayed payment base key info", &mut okm); - let delayed_payment_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning htlc base key info", &mut okm); - let htlc_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning local commitment seed info", &mut okm); - - ChannelKeys { - funding_key: funding_key, - revocation_base_key: revocation_base_key, - payment_base_key: payment_base_key, - delayed_payment_base_key: delayed_payment_base_key, - htlc_base_key: htlc_base_key, - commitment_seed: okm - } - } -} - /// Simple KeysInterface implementor that takes a 32-byte seed for use as a BIP 32 extended key /// and derives keys from that. /// @@ -137,12 +120,16 @@ impl ChannelKeys { /// Cooperative closes may use seed/2' /// The two close keys may be needed to claim on-chain funds! pub struct KeysManager { - secp_ctx: Secp256k1, + secp_ctx: Secp256k1, node_secret: SecretKey, destination_script: Script, shutdown_pubkey: PublicKey, channel_master_key: ExtendedPrivKey, channel_child_index: AtomicUsize, + session_master_key: ExtendedPrivKey, + session_child_index: AtomicUsize, + channel_id_master_key: ExtendedPrivKey, + channel_id_child_index: AtomicUsize, logger: Arc, } @@ -151,24 +138,26 @@ impl KeysManager { /// Constructs a KeysManager from a 32-byte seed. If the seed is in some way biased (eg your /// RNG is busted) this may panic. pub fn new(seed: &[u8; 32], network: Network, logger: Arc) -> KeysManager { - let secp_ctx = Secp256k1::new(); - match ExtendedPrivKey::new_master(&secp_ctx, network.clone(), seed) { + let secp_ctx = Secp256k1::signing_only(); + match ExtendedPrivKey::new_master(network.clone(), seed) { Ok(master_key) => { - let node_secret = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(0)).expect("Your RNG is busted").secret_key; - let destination_script = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(1)) { + let node_secret = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(0).unwrap()).expect("Your RNG is busted").private_key.key; + let destination_script = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(1).unwrap()) { Ok(destination_key) => { - let pubkey_hash160 = Hash160::from_data(&ExtendedPubKey::from_private(&secp_ctx, &destination_key).public_key.serialize()[..]); - Builder::new().push_opcode(opcodes::All::OP_PUSHBYTES_0) - .push_slice(pubkey_hash160.as_bytes()) + let pubkey_hash160 = Hash160::hash(&ExtendedPubKey::from_private(&secp_ctx, &destination_key).public_key.key.serialize()[..]); + Builder::new().push_opcode(opcodes::all::OP_PUSHBYTES_0) + .push_slice(&pubkey_hash160.into_inner()) .into_script() }, Err(_) => panic!("Your RNG is busted"), }; - let shutdown_pubkey = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(2)) { - Ok(shutdown_key) => ExtendedPubKey::from_private(&secp_ctx, &shutdown_key).public_key, + let shutdown_pubkey = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(2).unwrap()) { + Ok(shutdown_key) => ExtendedPubKey::from_private(&secp_ctx, &shutdown_key).public_key.key, Err(_) => panic!("Your RNG is busted"), }; - let channel_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(3)).expect("Your RNG is busted"); + let channel_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(3).unwrap()).expect("Your RNG is busted"); + let session_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(4).unwrap()).expect("Your RNG is busted"); + let channel_id_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(5).unwrap()).expect("Your RNG is busted"); KeysManager { secp_ctx, node_secret, @@ -176,6 +165,10 @@ impl KeysManager { shutdown_pubkey, channel_master_key, channel_child_index: AtomicUsize::new(0), + session_master_key, + session_child_index: AtomicUsize::new(0), + channel_id_master_key, + channel_id_child_index: AtomicUsize::new(0), logger, } @@ -203,7 +196,7 @@ impl KeysInterface for KeysManager { // entropy, everything else just ensures uniqueness. We generally don't expect // all clients to have non-broken RNGs here, so we also include the current // time as a fallback to get uniqueness. - let mut sha = Sha256::new(); + let mut sha = Sha256::engine(); let mut seed = [0u8; 32]; rng::fill_bytes(&mut seed[..]); @@ -214,10 +207,66 @@ impl KeysInterface for KeysManager { sha.input(&byte_utils::be64_to_array(now.as_secs())); let child_ix = self.channel_child_index.fetch_add(1, Ordering::AcqRel); - let child_privkey = self.channel_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32)).expect("Your RNG is busted"); - sha.input(&child_privkey.secret_key[..]); + let child_privkey = self.channel_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32).expect("key space exhausted")).expect("Your RNG is busted"); + sha.input(&child_privkey.private_key.key[..]); + + seed = Sha256::from_engine(sha).into_inner(); + + let commitment_seed = { + let mut sha = Sha256::engine(); + sha.input(&seed); + sha.input(&b"commitment seed"[..]); + Sha256::from_engine(sha).into_inner() + }; + macro_rules! key_step { + ($info: expr, $prev_key: expr) => {{ + let mut sha = Sha256::engine(); + sha.input(&seed); + sha.input(&$prev_key[..]); + sha.input(&$info[..]); + SecretKey::from_slice(&Sha256::from_engine(sha).into_inner()).expect("SHA-256 is busted") + }} + } + let funding_key = key_step!(b"funding key", commitment_seed); + let revocation_base_key = key_step!(b"revocation base key", funding_key); + let payment_base_key = key_step!(b"payment base key", revocation_base_key); + let delayed_payment_base_key = key_step!(b"delayed payment base key", payment_base_key); + let htlc_base_key = key_step!(b"HTLC base key", delayed_payment_base_key); + + ChannelKeys { + funding_key, + revocation_base_key, + payment_base_key, + delayed_payment_base_key, + htlc_base_key, + commitment_seed, + } + } + + fn get_session_key(&self) -> SecretKey { + let mut sha = Sha256::engine(); + + let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards"); + sha.input(&byte_utils::be32_to_array(now.subsec_nanos())); + sha.input(&byte_utils::be64_to_array(now.as_secs())); + + let child_ix = self.session_child_index.fetch_add(1, Ordering::AcqRel); + let child_privkey = self.session_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32).expect("key space exhausted")).expect("Your RNG is busted"); + sha.input(&child_privkey.private_key.key[..]); + SecretKey::from_slice(&Sha256::from_engine(sha).into_inner()).expect("Your RNG is busted") + } + + fn get_channel_id(&self) -> [u8; 32] { + let mut sha = Sha256::engine(); + + let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards"); + sha.input(&byte_utils::be32_to_array(now.subsec_nanos())); + sha.input(&byte_utils::be64_to_array(now.as_secs())); + + let child_ix = self.channel_id_child_index.fetch_add(1, Ordering::AcqRel); + let child_privkey = self.channel_id_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32).expect("key space exhausted")).expect("Your RNG is busted"); + sha.input(&child_privkey.private_key.key[..]); - sha.result(&mut seed); - ChannelKeys::new_from_seed(&seed) + (Sha256::from_engine(sha).into_inner()) } }