hsmd: use status_conn to send bad_request messages, make handlers uniform.

The current code sends hsmstatus_client_bad_request via the req fd;
this won't work, since lightningd uses that synchronously and only
expects a reply to its commands.  So send it via status_conn.

We also enhance hsmstatus_client_bad_request to include details, and
create convenience functions for it.  Our previous handling was ad-hoc;
we sometimes just closed on the client without telling lightningd,
and sometimes we didn't tell lightningd *which* client was broken.

Also make every handler the exact same prototype, so they now use the
exact same patterns (hsmd *only* handles requests, makes replies).

I tested this manually by corrupting a request to hsmd.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell 2018-09-20 12:36:42 +09:30 committed by Christian Decker
parent da9d92960d
commit 6b6b7eac61
3 changed files with 269 additions and 353 deletions


@ -1,6 +1,7 @@
# Clients should not give a bad request but not the HSM's decision to crash.
hsmstatus_client_bad_request,1000
hsmstatus_client_bad_request,,id,struct pubkey
hsmstatus_client_bad_request,,description,wirestring
hsmstatus_client_bad_request,,len,u16
hsmstatus_client_bad_request,,msg,len*u8
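Review bot: the comment in the first context line ("Clients should not give a bad request but not the HSM's decision to crash") is ungrammatical and is now the only documentation of message 1000; suggest rewording it to something like `# A client sent a bad request; that is not the HSM's decision to crash, so report it to lightningd.` and, since lightningd formats the new `description` into "client %s %s (request %s)", documenting that the field is expected to be a phrase such as "sent bad request" so the log entry reads naturally. Inserting `description` between `id` and `len` also changes the on-wire layout of an existing message, so hsmd and lightningd must be regenerated from the same CSV; the matching `&desc` argument in the hsm_control.c hunk shows the lightningd side was updated.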

File diff suppressed because it is too large


@ -48,15 +48,16 @@ static unsigned int hsm_msg(struct subd *hsmd,
/* We only expect one thing from the HSM that's not a STATUS message */
struct pubkey client_id;
u8 *bad_msg;
char *desc;
if (!fromwire_hsmstatus_client_bad_request(tmpctx, msg, &client_id,
&bad_msg))
&desc, &bad_msg))
fatal("Bad status message from hsmd: %s", tal_hex(tmpctx, msg));
/* This should, of course, never happen. */
log_broken(hsmd->log, "client %s sent bad hsm request %s",
log_broken(hsmd->log, "client %s %s (request %s)",
type_to_string(tmpctx, struct pubkey, &client_id),
tal_hex(tmpctx, bad_msg));
desc, tal_hex(tmpctx, bad_msg));
return 0;
}
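Review bot: the new `log_broken(hsmd->log, "client %s %s (request %s)", ...)` splices `desc` verbatim between the pubkey and the request hex, so the readability of the entry depends entirely on how hsmd phrases the description; the format string relies on `fromwire_hsmstatus_client_bad_request` returning `desc` as a nul-terminated wirestring on `tmpctx`, which it does, so no separate length guard is needed here. The handler still does `return 0` after logging, so lightningd carries on with a client it now knows sent a corrupt request; since the commit message says hsmd is the one that drops such clients, a one-line comment above the `log_broken` stating that disconnecting the client is hsmd's job and lightningd only records it would make that division of responsibility explicit for the next reader.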