From 5472f73f9cb07b11388da937418589ceb65216db Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Tue, 19 Jul 2016 12:37:33 +0930
Subject: [PATCH] cryptopkt: update to latest encryption BOLT.

As per lightning-rfc commit b579b16866855da166981192c0f0549517069d4e.

Signed-off-by: Rusty Russell
---
daemon/cryptopkt.c | 65 ++++++++++++++++++++++++++++++++--------------
lightning.pb-c.c | 32 ++++++++++++++++-------
lightning.pb-c.h | 10 ++++---
lightning.proto | 5 ++--
4 files changed, 77 insertions(+), 35 deletions(-)

diff --git a/daemon/cryptopkt.c b/daemon/cryptopkt.c
index 1b088fea1..ed5e06513 100644
--- a/daemon/cryptopkt.c
+++ b/daemon/cryptopkt.c
@@ -358,28 +358,45 @@ static struct io_plan *check_proof(struct io_conn *conn, struct peer *peer) if (!auth) return io_close(conn); - if (!proto_to_signature(peer->dstate->secpctx, auth->session_sig, - &sig)) { - log_unusual(peer->log, "Invalid auth signature"); - return io_close(conn); - } - + /* BOLT #1: + * + * The receiving node MUST check that: + * + * 1. `node_id` is the expected value for the sending node. + */ if (!proto_to_pubkey(peer->dstate->secpctx, auth->node_id, &id)) { log_unusual(peer->log, "Invalid auth id"); return io_close(conn); } - /* Did we expect a specific ID? */ if (!peer->id) peer->id = tal_dup(peer, struct pubkey, &id); else if (!structeq(&id, peer->id)) { log_unusual(peer->log, "Incorrect auth id"); return io_close(conn); } - - /* Signature covers *our* session key. */ - sha256_double(&sha, - neg->our_sessionpubkey, sizeof(neg->our_sessionpubkey)); + + /* BOLT #1: + * + * 2. `session_sig` is a valid secp256k1 ECDSA signature encoded as + * a 32-byte big endian R value, followed by a 32-byte big + * endian S value. + */ + if (!proto_to_signature(peer->dstate->secpctx, auth->session_sig, + &sig)) { + log_unusual(peer->log, "Invalid auth signature"); + return io_close(conn); + } + + + /* BOLT #1: + * + * 3. `session_sig` is the signature of the SHA256 of SHA256 of the + * its own sessionpubkey, using the secret key corresponding to + * the sender's `node_id`. + */ + sha256_double(&sha, neg->our_sessionpubkey, + sizeof(neg->our_sessionpubkey)); if (!check_signed_hash(peer->dstate->secpctx, &sha, &sig, peer->id)) { log_unusual(peer->log, "Bad auth signature"); 
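Review bot: `peer->id` is filled from the peer-supplied `node_id` (`peer->id = tal_dup(peer, struct pubkey, &id);`) before `session_sig` has been parsed or checked, so on the "Invalid auth signature" and "Bad auth signature" paths the peer structure is left carrying an identity that was never proven. Whether that matters depends on what happens to `peer` after `io_close()`, which is not visible here, but it is cheap to avoid. Verify against the local copy with `check_signed_hash(peer->dstate->secpctx, &sha, &sig, &id)` and store it in `peer->id` only after that succeeds, keeping the `structeq` comparison against an expected id where it is. check_proof starts before and continues past this hunk.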
@@ -391,16 +408,19 @@ static struct io_plan *check_proof(struct io_conn *conn, struct peer *peer) /* BOLT #1: * - * The receiver MUST NOT examine the `ack` value until after - * the authentication fields have been successfully validated. - * The `ack` field MUST BE set to the number of - * non-authenticate messages received and processed if - * non-zero. + * The receiver MUST NOT examine the `commits_seen` or + * + * `revocations_seen` values until after the authentication fields + * have been successfully validated. The `commits_seen` field MUST + * BE set to the number of `update_commit` and `open_commit_sig` + * messages received and processed if non-zero. The + * `revocations_seen` MUST BE set to the number of + * `update_revocation` messages received and processed. */ /* FIXME: Handle reconnects. */ - if (auth->ack != 0) { - log_unusual(peer->log, "FIXME: non-zero acknowledge %"PRIu64, - auth->ack); + if (auth->commits_seen != 0 || auth->revocations_seen != 0) { + log_unusual(peer->log, "FIXME: non-zero seen %"PRIu64"/%"PRIu64, + auth->commits_seen, auth->revocations_seen); return io_close(conn); } @@ -473,7 +493,12 @@ static struct io_plan *keys_exchanged(struct io_conn *conn, struct peer *peer) setup_crypto(&peer->io_data->out, shared_secret, neg->our_sessionpubkey); - /* Now sign their session key to prove who we are. */ + /* BOLT #1: + * + * `session_sig` is the signature of the SHA256 of SHA256 of the its + * own sessionpubkey, using the secret key corresponding to the + * sender's `node_id`. + */ privkey_sign(peer, neg->their_sessionpubkey, sizeof(neg->their_sessionpubkey), &sig); diff --git a/lightning.pb-c.c b/lightning.pb-c.c index d1a3ead3c..b666ed274 100644 --- a/lightning.pb-c.c +++ b/lightning.pb-c.c 
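Review bot: The quoted BOLT sentence is split by an empty ` *` line between "`commits_seen` or" and "`revocations_seen` values", which reads as a paragraph break in the middle of a sentence; dropping that line keeps the quote readable. The check below it reads `auth->commits_seen` and `auth->revocations_seen` without consulting `has_commits_seen` / `has_revocations_seen`. That is fine while the declared default stays 0, and a short comment such as `/* Absent fields decode as the default 0. */` would record the reliance.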
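Review bot: The pasted BOLT text in keys_exchanged says the signature is over "its own sessionpubkey", but the call right below it signs `neg->their_sessionpubkey`. In the spec wording "its own" presumably refers to the receiving node, which is the opposite of how it reads in the sender's code path. The removed comment stated this plainly, so I would keep a line after the quote, e.g. `/* i.e. we sign *their* session key with our node key. */`. The same applies in the check_proof hunk, where `/* Signature covers *our* session key. */` was dropped in front of the `sha256_double()` call over `neg->our_sessionpubkey`. keys_exchanged starts and ends outside this hunk.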
@@ -1464,8 +1464,9 @@ const ProtobufCMessageDescriptor funding__descriptor = (ProtobufCMessageInit) funding__init, NULL,NULL,NULL /* reserved[123] */ }; -static const uint64_t authenticate__ack__default_value = 0ull; -static const ProtobufCFieldDescriptor authenticate__field_descriptors[3] = +static const uint64_t authenticate__commits_seen__default_value = 0ull; +static const uint64_t authenticate__revocations_seen__default_value = 0ull; +static const ProtobufCFieldDescriptor authenticate__field_descriptors[4] = { { "node_id", @@ -1492,27 +1493,40 @@ static const ProtobufCFieldDescriptor authenticate__field_descriptors[3] = 0,NULL,NULL /* reserved1,reserved2, etc */ }, { - "ack", + "commits_seen", 3, PROTOBUF_C_LABEL_OPTIONAL, PROTOBUF_C_TYPE_UINT64, - offsetof(Authenticate, has_ack), - offsetof(Authenticate, ack), + offsetof(Authenticate, has_commits_seen), + offsetof(Authenticate, commits_seen), NULL, - &authenticate__ack__default_value, + &authenticate__commits_seen__default_value, + 0, /* flags */ + 0,NULL,NULL /* reserved1,reserved2, etc */ + }, + { + "revocations_seen", + 4, + PROTOBUF_C_LABEL_OPTIONAL, + PROTOBUF_C_TYPE_UINT64, + offsetof(Authenticate, has_revocations_seen), + offsetof(Authenticate, revocations_seen), + NULL, + &authenticate__revocations_seen__default_value, 0, /* flags */ 0,NULL,NULL /* reserved1,reserved2, etc */ }, }; static const unsigned authenticate__field_indices_by_name[] = { - 2, /* field[2] = ack */ + 2, /* field[2] = commits_seen */ 0, /* field[0] = node_id */ + 3, /* field[3] = revocations_seen */ 1, /* field[1] = session_sig */ }; static const ProtobufCIntRange authenticate__number_ranges[1 + 1] = { { 1, 0 }, - { 0, 3 } + { 0, 4 } }; const ProtobufCMessageDescriptor authenticate__descriptor = { @@ -1522,7 +1536,7 @@ const ProtobufCMessageDescriptor authenticate__descriptor = "Authenticate", "", sizeof(Authenticate), - 3, + 4, authenticate__field_descriptors, authenticate__field_indices_by_name, 1, authenticate__number_ranges, 
diff --git a/lightning.pb-c.h b/lightning.pb-c.h index 1119e698e..0d5f3c257 100644 --- a/lightning.pb-c.h +++ b/lightning.pb-c.h @@ -176,14 +176,16 @@ struct _Authenticate */ Signature *session_sig; /* - * How many (non-authenticate) packets we've already received + * How many commitment/revocation messages we've already received */ - protobuf_c_boolean has_ack; - uint64_t ack; + protobuf_c_boolean has_commits_seen; + uint64_t commits_seen; + protobuf_c_boolean has_revocations_seen; + uint64_t revocations_seen; }; #define AUTHENTICATE__INIT \ { PROTOBUF_C_MESSAGE_INIT (&authenticate__descriptor) \ - , NULL, NULL, 0,0ull } + , NULL, NULL, 0,0ull, 0,0ull } /* diff --git a/lightning.proto b/lightning.proto index d3f5c0ed7..0d9b6c574 100644 --- a/lightning.proto +++ b/lightning.proto @@ -64,8 +64,9 @@ message authenticate { required bitcoin_pubkey node_id = 1; // Signature of your session key. */ required signature session_sig = 2; - // How many (non-authenticate) packets we've already received - optional uint64 ack = 3 [ default = 0 ]; + // How many commitment/revocation messages we've already received + optional uint64 commits_seen = 3 [ default = 0 ]; + optional uint64 revocations_seen = 4 [ default = 0 ]; }; // Set channel params.
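Review bot: Field number 3 keeps its tag and type but changes meaning in `message authenticate`, from a count of non-authenticate packets (`ack`) to a count of commitment messages (`commits_seen`). A peer built against the previous schema would therefore be decoded without error and its value interpreted as the new counter. This is harmless while check_proof closes the connection on any non-zero value, but it becomes a silent mismatch once reconnects are handled. If the tag assignment is fixed by the BOLT, a comment on the field would help, e.g. `// Tag 3 was 'ack' (all non-authenticate packets) before this BOLT revision.` The shared comment above the two fields could also say which counter covers which messages, as the comment in check_proof does.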