X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=src%2Fchain%2Fkeysinterface.rs;h=472cf963b799b8615c5a97b21ae06596e66fc1c1;hb=2053edbe53d92f54295019101da7c9caed9866eb;hp=18b069369b70e72455cee7cc80893a76bacb5195;hpb=8cc3be9eab9ff322d543e989f28c775a69d6b78f;p=rust-lightning diff --git a/src/chain/keysinterface.rs b/src/chain/keysinterface.rs index 18b06936..472cf963 100644 --- a/src/chain/keysinterface.rs +++ b/src/chain/keysinterface.rs @@ -6,19 +6,23 @@ use bitcoin::blockdata::transaction::{OutPoint, TxOut}; use bitcoin::blockdata::script::{Script, Builder}; use bitcoin::blockdata::opcodes; use bitcoin::network::constants::Network; -use bitcoin::util::hash::Hash160; use bitcoin::util::bip32::{ExtendedPrivKey, ExtendedPubKey, ChildNumber}; +use bitcoin_hashes::{Hash, HashEngine}; +use bitcoin_hashes::sha256::Hash as Sha256; +use bitcoin_hashes::hash160::Hash as Hash160; + use secp256k1::key::{SecretKey, PublicKey}; use secp256k1::Secp256k1; use secp256k1; -use crypto::hkdf::{hkdf_extract,hkdf_expand}; - -use util::sha2::Sha256; use util::logger::Logger; +use util::rng; +use util::byte_utils; +use std::time::{SystemTime, UNIX_EPOCH}; use std::sync::Arc; +use std::sync::atomic::{AtomicUsize, Ordering}; /// When on-chain outputs are created by rust-lightning an event is generated which informs the /// user thereof. This enum describes the format of the output and provides the OutPoint. @@ -32,19 +36,34 @@ pub enum SpendableOutputDescriptor { /// The output which is referenced by the given outpoint output: TxOut, }, - /// Outpoint commits to a P2WSH, should be spend by the following witness : + /// Outpoint commits to a P2WSH + /// P2WSH should be spend by the following witness : /// 0 /// With input nSequence set to_self_delay. - /// Outputs from a HTLC-Success/Timeout tx - DynamicOutput { + /// Outputs from a HTLC-Success/Timeout tx/commitment tx + DynamicOutputP2WSH { /// Outpoint spendable by user wallet outpoint: OutPoint, - /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint - local_delayedkey: SecretKey, - /// witness redeemScript encumbering output + /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint) OR + key: SecretKey, + /// witness redeemScript encumbering output. witness_script: Script, /// nSequence input must commit to self_delay to satisfy script's OP_CSV to_self_delay: u16, + /// The output which is referenced by the given outpoint + output: TxOut, + }, + /// Outpoint commits to a P2WPKH + /// P2WPKH should be spend by the following witness : + /// + /// Outputs to_remote from a commitment tx + DynamicOutputP2WPKH { + /// Outpoint spendable by user wallet + outpoint: OutPoint, + /// localkey = payment_basepoint_secret + SHA256(per_commitment_point || payment_basepoint + key: SecretKey, + /// The output which is reference by the given outpoint + output: TxOut, } } @@ -59,6 +78,8 @@ pub trait KeysInterface: Send + Sync { /// Get a new set of ChannelKeys for per-channel secrets. These MUST be unique even if you /// restarted with some stale data! fn get_channel_keys(&self, inbound: bool) -> ChannelKeys; + /// Get a secret for construting an onion packet + fn get_session_key(&self) -> SecretKey; } /// Set of lightning keys needed to operate a channel as described in BOLT 3 @@ -87,43 +108,6 @@ impl_writeable!(ChannelKeys, 0, { commitment_seed }); -impl ChannelKeys { - /// Generate a set of lightning keys needed to operate a channel by HKDF-expanding a given - /// random 32-byte seed - pub fn new_from_seed(seed: &[u8; 32]) -> ChannelKeys { - let mut prk = [0; 32]; - hkdf_extract(Sha256::new(), b"rust-lightning key gen salt", seed, &mut prk); - let secp_ctx = Secp256k1::without_caps(); - - let mut okm = [0; 32]; - hkdf_expand(Sha256::new(), &prk, b"rust-lightning funding key info", &mut okm); - let funding_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning revocation base key info", &mut okm); - let revocation_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning payment base key info", &mut okm); - let payment_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning delayed payment base key info", &mut okm); - let delayed_payment_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning htlc base key info", &mut okm); - let htlc_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken"); - - hkdf_expand(Sha256::new(), &prk, b"rust-lightning local commitment seed info", &mut okm); - - ChannelKeys { - funding_key: funding_key, - revocation_base_key: revocation_base_key, - payment_base_key: payment_base_key, - delayed_payment_base_key: delayed_payment_base_key, - htlc_base_key: htlc_base_key, - commitment_seed: okm - } - } -} - /// Simple KeysInterface implementor that takes a 32-byte seed for use as a BIP 32 extended key /// and derives keys from that. /// @@ -137,6 +121,9 @@ pub struct KeysManager { destination_script: Script, shutdown_pubkey: PublicKey, channel_master_key: ExtendedPrivKey, + channel_child_index: AtomicUsize, + session_master_key: ExtendedPrivKey, + session_child_index: AtomicUsize, logger: Arc, } @@ -151,9 +138,9 @@ impl KeysManager { let node_secret = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(0)).expect("Your RNG is busted").secret_key; let destination_script = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(1)) { Ok(destination_key) => { - let pubkey_hash160 = Hash160::from_data(&ExtendedPubKey::from_private(&secp_ctx, &destination_key).public_key.serialize()[..]); + let pubkey_hash160 = Hash160::hash(&ExtendedPubKey::from_private(&secp_ctx, &destination_key).public_key.serialize()[..]); Builder::new().push_opcode(opcodes::All::OP_PUSHBYTES_0) - .push_slice(pubkey_hash160.as_bytes()) + .push_slice(&pubkey_hash160.into_inner()) .into_script() }, Err(_) => panic!("Your RNG is busted"), @@ -163,12 +150,16 @@ impl KeysManager { Err(_) => panic!("Your RNG is busted"), }; let channel_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(3)).expect("Your RNG is busted"); + let session_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(4)).expect("Your RNG is busted"); KeysManager { secp_ctx, node_secret, destination_script, shutdown_pubkey, channel_master_key, + channel_child_index: AtomicUsize::new(0), + session_master_key, + session_child_index: AtomicUsize::new(0), logger, } @@ -192,11 +183,67 @@ impl KeysInterface for KeysManager { } fn get_channel_keys(&self, _inbound: bool) -> ChannelKeys { - let channel_pubkey = ExtendedPubKey::from_private(&self.secp_ctx, &self. channel_master_key); - let mut seed = [0; 32]; - for (arr, slice) in seed.iter_mut().zip((&channel_pubkey.public_key.serialize()[0..32]).iter()) { - *arr = *slice; + // We only seriously intend to rely on the channel_master_key for true secure + // entropy, everything else just ensures uniqueness. We generally don't expect + // all clients to have non-broken RNGs here, so we also include the current + // time as a fallback to get uniqueness. + let mut sha = Sha256::engine(); + + let mut seed = [0u8; 32]; + rng::fill_bytes(&mut seed[..]); + sha.input(&seed); + + let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards"); + sha.input(&byte_utils::be32_to_array(now.subsec_nanos())); + sha.input(&byte_utils::be64_to_array(now.as_secs())); + + let child_ix = self.channel_child_index.fetch_add(1, Ordering::AcqRel); + let child_privkey = self.channel_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32)).expect("Your RNG is busted"); + sha.input(&child_privkey.secret_key[..]); + + seed = Sha256::from_engine(sha).into_inner(); + + let commitment_seed = { + let mut sha = Sha256::engine(); + sha.input(&seed); + sha.input(&b"commitment seed"[..]); + Sha256::from_engine(sha).into_inner() + }; + macro_rules! key_step { + ($info: expr, $prev_key: expr) => {{ + let mut sha = Sha256::engine(); + sha.input(&seed); + sha.input(&$prev_key[..]); + sha.input(&$info[..]); + SecretKey::from_slice(&self.secp_ctx, &Sha256::from_engine(sha).into_inner()).expect("SHA-256 is busted") + }} } - ChannelKeys::new_from_seed(&seed) + let funding_key = key_step!(b"funding key", commitment_seed); + let revocation_base_key = key_step!(b"revocation base key", funding_key); + let payment_base_key = key_step!(b"payment base key", revocation_base_key); + let delayed_payment_base_key = key_step!(b"delayed payment base key", payment_base_key); + let htlc_base_key = key_step!(b"HTLC base key", delayed_payment_base_key); + + ChannelKeys { + funding_key, + revocation_base_key, + payment_base_key, + delayed_payment_base_key, + htlc_base_key, + commitment_seed, + } + } + + fn get_session_key(&self) -> SecretKey { + let mut sha = Sha256::engine(); + + let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards"); + sha.input(&byte_utils::be32_to_array(now.subsec_nanos())); + sha.input(&byte_utils::be64_to_array(now.as_secs())); + + let child_ix = self.session_child_index.fetch_add(1, Ordering::AcqRel); + let child_privkey = self.session_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32)).expect("Your RNG is busted"); + sha.input(&child_privkey.secret_key[..]); + SecretKey::from_slice(&self.secp_ctx, &Sha256::from_engine(sha).into_inner()).expect("Your RNG is busted") } }