#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Nobody will ever find it here! */ static struct { struct secret hsm_secret; struct ext_key bip32; } secretstuff; struct client { struct daemon_conn dc; struct daemon_conn *master; u64 id; struct io_plan *(*handle)(struct io_conn *, struct daemon_conn *); }; static void node_key(struct privkey *node_privkey, struct pubkey *node_id) { u32 salt = 0; struct privkey unused_s; struct pubkey unused_k; if (node_privkey == NULL) node_privkey = &unused_s; else if (node_id == NULL) node_id = &unused_k; do { hkdf_sha256(node_privkey, sizeof(*node_privkey), &salt, sizeof(salt), &secretstuff.hsm_secret, sizeof(secretstuff.hsm_secret), "nodeid", 6); salt++; } while (!secp256k1_ec_pubkey_create(secp256k1_ctx, &node_id->pubkey, node_privkey->secret.data)); } static struct client *new_client(struct daemon_conn *master, u64 id, struct io_plan *(*handle)(struct io_conn *, struct daemon_conn *), int fd) { struct client *c = tal(master, struct client); c->id = id; c->handle = handle; c->master = master; daemon_conn_init(c, &c->dc, fd, handle, NULL); /* Free the connection if we exit everything. */ tal_steal(master, c->dc.conn); /* Free client when connection freed. */ tal_steal(c->dc.conn, c); return c; } static struct io_plan *handle_ecdh(struct io_conn *conn, struct daemon_conn *dc) { struct client *c = container_of(dc, struct client, dc); struct privkey privkey; struct pubkey point; struct secret ss; if (!fromwire_hsm_ecdh_req(dc->msg_in, NULL, &point)) { daemon_conn_send(c->master, take(towire_hsmstatus_client_bad_request(c, c->id, dc->msg_in))); return io_close(conn); } node_key(&privkey, NULL); if (secp256k1_ecdh(secp256k1_ctx, ss.data, &point.pubkey, privkey.secret.data) != 1) { status_trace("secp256k1_ecdh fail for client %"PRIu64, c->id); daemon_conn_send(c->master, take(towire_hsmstatus_client_bad_request(c, c->id, dc->msg_in))); return io_close(conn); } daemon_conn_send(dc, take(towire_hsm_ecdh_resp(c, &ss))); return daemon_conn_read_next(conn, dc); } static struct io_plan *handle_cannouncement_sig(struct io_conn *conn, struct daemon_conn *dc) { tal_t *ctx = tal_tmpctx(conn); /* First 2 + 256 byte are the signatures and msg type, skip them */ size_t offset = 258; struct privkey node_pkey; secp256k1_ecdsa_signature node_sig; struct sha256_double hash; u8 *reply; u8 *ca; struct pubkey bitcoin_id; if (!fromwire_hsm_cannouncement_sig_req(ctx, dc->msg_in, NULL, &bitcoin_id, &ca)) { status_trace("Failed to parse cannouncement_sig_req: %s", tal_hex(trc, dc->msg_in)); return io_close(conn); } if (tal_len(ca) < offset) { status_trace("bad cannounce length %zu", tal_len(ca)); return io_close(conn); } /* TODO(cdecker) Check that this is actually a valid * channel_announcement */ node_key(&node_pkey, NULL); sha256_double(&hash, ca + offset, tal_len(ca) - offset); sign_hash(&node_pkey, &hash, &node_sig); reply = towire_hsm_cannouncement_sig_reply(ca, &node_sig); daemon_conn_send(dc, take(reply)); tal_free(ctx); return daemon_conn_read_next(conn, dc); } static struct io_plan *handle_channel_update_sig(struct io_conn *conn, struct daemon_conn *dc) { tal_t *tmpctx = tal_tmpctx(conn); /* 2 bytes msg type + 64 bytes signature */ size_t offset = 66; struct privkey node_pkey; struct sha256_double hash; secp256k1_ecdsa_signature sig; struct short_channel_id scid; u32 timestamp, fee_base_msat, fee_proportional_mill; u64 htlc_minimum_msat; u16 flags, cltv_expiry_delta; u8 *cu; if (!fromwire_hsm_cupdate_sig_req(tmpctx, dc->msg_in, NULL, &cu)) { status_trace("Failed to parse %s: %s", hsm_client_wire_type_name(fromwire_peektype(dc->msg_in)), tal_hex(trc, dc->msg_in)); return io_close(conn); } if (!fromwire_channel_update(cu, NULL, &sig, &scid, ×tamp, &flags, &cltv_expiry_delta, &htlc_minimum_msat, &fee_base_msat, &fee_proportional_mill)) { status_trace("Failed to parse inner channel_update: %s", tal_hex(trc, dc->msg_in)); return io_close(conn); } if (tal_len(cu) < offset) { status_trace("inner channel_update too short: %s", tal_hex(trc, dc->msg_in)); return io_close(conn); } node_key(&node_pkey, NULL); sha256_double(&hash, cu + offset, tal_len(cu) - offset); sign_hash(&node_pkey, &hash, &sig); cu = towire_channel_update(tmpctx, &sig, &scid, timestamp, flags, cltv_expiry_delta, htlc_minimum_msat, fee_base_msat, fee_proportional_mill); daemon_conn_send(dc, take(towire_hsm_cupdate_sig_reply(tmpctx, cu))); tal_free(tmpctx); return daemon_conn_read_next(conn, dc); } static struct io_plan *handle_channeld(struct io_conn *conn, struct daemon_conn *dc) { struct client *c = container_of(dc, struct client, dc); enum hsm_client_wire_type t = fromwire_peektype(dc->msg_in); switch (t) { case WIRE_HSM_ECDH_REQ: return handle_ecdh(conn, dc); case WIRE_HSM_CANNOUNCEMENT_SIG_REQ: return handle_cannouncement_sig(conn, dc); case WIRE_HSM_CUPDATE_SIG_REQ: return handle_channel_update_sig(conn, dc); case WIRE_HSM_ECDH_RESP: case WIRE_HSM_CANNOUNCEMENT_SIG_REPLY: case WIRE_HSM_CUPDATE_SIG_REPLY: break; } daemon_conn_send(c->master, take(towire_hsmstatus_client_bad_request(c, c->id, dc->msg_in))); return io_close(conn); } /* Control messages */ static void send_init_response(struct daemon_conn *master) { struct pubkey node_id; struct secret peer_seed; u8 *serialized_extkey = tal_arr(master, u8, BIP32_SERIALIZED_LEN), *msg; hkdf_sha256(&peer_seed, sizeof(peer_seed), NULL, 0, &secretstuff.hsm_secret, sizeof(secretstuff.hsm_secret), "peer seed", strlen("peer seed")); node_key(NULL, &node_id); if (bip32_key_serialize(&secretstuff.bip32, BIP32_FLAG_KEY_PUBLIC, serialized_extkey, tal_len(serialized_extkey)) != WALLY_OK) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "Can't serialize bip32 public key"); msg = towire_hsmctl_init_reply(master, &node_id, &peer_seed, serialized_extkey); tal_free(serialized_extkey); daemon_conn_send(master, take(msg)); } static void populate_secretstuff(void) { u8 bip32_seed[BIP32_ENTROPY_LEN_256]; u32 salt = 0; struct ext_key master_extkey, child_extkey; /* Fill in the BIP32 tree for bitcoin addresses. */ do { hkdf_sha256(bip32_seed, sizeof(bip32_seed), &salt, sizeof(salt), &secretstuff.hsm_secret, sizeof(secretstuff.hsm_secret), "bip32 seed", strlen("bip32 seed")); salt++; } while (bip32_key_from_seed(bip32_seed, sizeof(bip32_seed), BIP32_VER_TEST_PRIVATE, 0, &master_extkey) != WALLY_OK); /* BIP 32: * * The default wallet layout * * An HDW is organized as several 'accounts'. Accounts are numbered, * the default account ("") being number 0. Clients are not required * to support more than one account - if not, they only use the * default account. * * Each account is composed of two keypair chains: an internal and an * external one. The external keychain is used to generate new public * addresses, while the internal keychain is used for all other * operations (change addresses, generation addresses, ..., anything * that doesn't need to be communicated). Clients that do not support * separate keychains for these should use the external one for * everything. * * - m/iH/0/k corresponds to the k'th keypair of the external chain of account number i of the HDW derived from master m. */ /* Hence child 0, then child 0 again to get extkey to derive from. */ if (bip32_key_from_parent(&master_extkey, 0, BIP32_FLAG_KEY_PRIVATE, &child_extkey) != WALLY_OK) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "Can't derive child bip32 key"); if (bip32_key_from_parent(&child_extkey, 0, BIP32_FLAG_KEY_PRIVATE, &secretstuff.bip32) != WALLY_OK) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "Can't derive private bip32 key"); } static void bitcoin_pubkey(struct pubkey *pubkey, u32 index) { struct ext_key ext; if (index >= BIP32_INITIAL_HARDENED_CHILD) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "Index %u too great", index); if (bip32_key_from_parent(&secretstuff.bip32, index, BIP32_FLAG_KEY_PUBLIC, &ext) != WALLY_OK) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "BIP32 of %u failed", index); if (!secp256k1_ec_pubkey_parse(secp256k1_ctx, &pubkey->pubkey, ext.pub_key, sizeof(ext.pub_key))) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "Parse of BIP32 child %u pubkey failed", index); } static void bitcoin_keypair(struct privkey *privkey, struct pubkey *pubkey, u32 index) { struct ext_key ext; if (index >= BIP32_INITIAL_HARDENED_CHILD) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "Index %u too great", index); if (bip32_key_from_parent(&secretstuff.bip32, index, BIP32_FLAG_KEY_PRIVATE, &ext) != WALLY_OK) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "BIP32 of %u failed", index); /* libwally says: The private key with prefix byte 0 */ memcpy(privkey->secret.data, ext.priv_key+1, 32); if (!secp256k1_ec_pubkey_create(secp256k1_ctx, &pubkey->pubkey, privkey->secret.data)) status_failed(WIRE_HSMSTATUS_KEY_FAILED, "BIP32 pubkey %u create failed", index); } static void create_new_hsm(struct daemon_conn *master) { int fd = open("hsm_secret", O_CREAT|O_EXCL|O_WRONLY, 0400); if (fd < 0) status_failed(WIRE_HSMSTATUS_INIT_FAILED, "creating: %s", strerror(errno)); randombytes_buf(&secretstuff.hsm_secret, sizeof(secretstuff.hsm_secret)); if (!write_all(fd, &secretstuff.hsm_secret, sizeof(secretstuff.hsm_secret))) { unlink_noerr("hsm_secret"); status_failed(WIRE_HSMSTATUS_INIT_FAILED, "writing: %s", strerror(errno)); } if (fsync(fd) != 0) { unlink_noerr("hsm_secret"); status_failed(WIRE_HSMSTATUS_INIT_FAILED, "fsync: %s", strerror(errno)); } if (close(fd) != 0) { unlink_noerr("hsm_secret"); status_failed(WIRE_HSMSTATUS_INIT_FAILED, "closing: %s", strerror(errno)); } fd = open(".", O_RDONLY); if (fsync(fd) != 0) { unlink_noerr("hsm_secret"); status_failed(WIRE_HSMSTATUS_INIT_FAILED, "fsyncdir: %s", strerror(errno)); } close(fd); populate_secretstuff(); } static void load_hsm(struct daemon_conn *master) { int fd = open("hsm_secret", O_RDONLY); if (fd < 0) status_failed(WIRE_HSMSTATUS_INIT_FAILED, "opening: %s", strerror(errno)); if (!read_all(fd, &secretstuff.hsm_secret, sizeof(secretstuff.hsm_secret))) status_failed(WIRE_HSMSTATUS_INIT_FAILED, "reading: %s", strerror(errno)); close(fd); populate_secretstuff(); } static void init_hsm(struct daemon_conn *master, const u8 *msg) { bool new; if (!fromwire_hsmctl_init(msg, NULL, &new)) status_failed(WIRE_HSMSTATUS_BAD_REQUEST, "hsmctl_init: %s", tal_hex(msg, msg)); if (new) create_new_hsm(master); else load_hsm(master); send_init_response(master); } static void pass_hsmfd_ecdh(struct daemon_conn *master, const u8 *msg) { int fds[2]; u64 id; if (!fromwire_hsmctl_hsmfd_ecdh(msg, NULL, &id)) status_failed(WIRE_HSMSTATUS_BAD_REQUEST, "bad HSMFD_ECDH"); if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) status_failed(WIRE_HSMSTATUS_FD_FAILED, "creating fds: %s", strerror(errno)); new_client(master, id, handle_ecdh, fds[0]); daemon_conn_send(master, take(towire_hsmctl_hsmfd_ecdh_fd_reply(master))); daemon_conn_send_fd(master, fds[1]); } /* Reply to an incoming request for an HSMFD for a channeld. */ static void pass_hsmfd_channeld(struct daemon_conn *master, const u8 *msg) { int fds[2]; u64 id; if (!fromwire_hsmctl_hsmfd_channeld(msg, NULL, &id)) status_failed(WIRE_HSMSTATUS_BAD_REQUEST, "bad HSMFD_CHANNELD"); if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) status_failed(WIRE_HSMSTATUS_FD_FAILED, "creating fds: %s", strerror(errno)); new_client(master, id, handle_channeld, fds[0]); daemon_conn_send(master, take(towire_hsmctl_hsmfd_channeld_reply(master))); daemon_conn_send_fd(master, fds[1]); } /* Note that it's the main daemon that asks for the funding signature so it * can broadcast it. */ static void sign_funding_tx(struct daemon_conn *master, const u8 *msg) { const tal_t *tmpctx = tal_tmpctx(master); u64 satoshi_out, change_out; u32 change_keyindex; struct pubkey local_pubkey, remote_pubkey; struct utxo *inputs; const struct utxo **utxomap; struct bitcoin_tx *tx; u8 *wscript; secp256k1_ecdsa_signature *sig; u16 outnum; size_t i; struct pubkey changekey; /* FIXME: Check fee is "reasonable" */ if (!fromwire_hsmctl_sign_funding(tmpctx, msg, NULL, &satoshi_out, &change_out, &change_keyindex, &local_pubkey, &remote_pubkey, &inputs)) status_failed(WIRE_HSMSTATUS_BAD_REQUEST, "Bad SIGN_FUNDING"); utxomap = to_utxoptr_arr(tmpctx, inputs); if (change_out) bitcoin_pubkey(&changekey, change_keyindex); tx = funding_tx(tmpctx, &outnum, utxomap, satoshi_out, &local_pubkey, &remote_pubkey, change_out, &changekey, NULL); /* Now generate signatures. */ sig = tal_arr(tmpctx, secp256k1_ecdsa_signature, tal_count(inputs)); for (i = 0; i < tal_count(inputs); i++) { struct pubkey inkey; struct privkey inprivkey; const struct utxo *in = utxomap[i]; u8 *subscript; bitcoin_keypair(&inprivkey, &inkey, in->keyindex); if (in->is_p2sh) subscript = bitcoin_redeem_p2sh_p2wpkh(tmpctx, &inkey); else subscript = NULL; wscript = p2wpkh_scriptcode(tmpctx, &inkey); sign_tx_input(tx, i, subscript, wscript, &inprivkey, &inkey, &sig[i]); } daemon_conn_send(master, take(towire_hsmctl_sign_funding_reply(tmpctx, sig))); tal_free(tmpctx); } /** * sign_withdrawal_tx - Generate and sign a withdrawal transaction from the master */ static void sign_withdrawal_tx(struct daemon_conn *master, const u8 *msg) { const tal_t *tmpctx = tal_tmpctx(master); u64 satoshi_out, change_out; u32 change_keyindex; struct bitcoin_address destination; struct utxo *utxos; secp256k1_ecdsa_signature *sigs; u8 *wscript; struct bitcoin_tx *tx; struct ext_key ext; struct pubkey changekey; if (!fromwire_hsmctl_sign_withdrawal(tmpctx, msg, NULL, &satoshi_out, &change_out, &change_keyindex, destination.addr.u.u8, &utxos)) { status_trace("Failed to parse sign_withdrawal: %s", tal_hex(trc, msg)); return; } if (bip32_key_from_parent(&secretstuff.bip32, change_keyindex, BIP32_FLAG_KEY_PUBLIC, &ext) != WALLY_OK) { status_trace("Failed to parse sign_withdrawal: %s", tal_hex(trc, msg)); return; } pubkey_from_der(ext.pub_key, sizeof(ext.pub_key), &changekey); tx = withdraw_tx( tmpctx, to_utxoptr_arr(tmpctx, utxos), &destination, satoshi_out, &changekey, change_out, NULL); /* Now generate signatures. */ sigs = tal_arr(tmpctx, secp256k1_ecdsa_signature, tal_count(utxos)); for (size_t i = 0; i < tal_count(utxos); i++) { struct pubkey inkey; struct privkey inprivkey; const struct utxo *in = &utxos[i]; u8 *subscript; bitcoin_keypair(&inprivkey, &inkey, in->keyindex); /* We know these are p2sh since that's the only kind we handle */ subscript = bitcoin_redeem_p2sh_p2wpkh(tmpctx, &inkey); wscript = p2wpkh_scriptcode(tmpctx, &inkey); sign_tx_input(tx, i, subscript, wscript, &inprivkey, &inkey, &sigs[i]); } daemon_conn_send(master, take(towire_hsmctl_sign_withdrawal_reply(tmpctx, sigs))); tal_free(tmpctx); } static void sign_node_announcement(struct daemon_conn *master, const u8 *msg) { /* 2 bytes msg type + 64 bytes signature */ size_t offset = 66; struct sha256_double hash; struct privkey node_pkey; secp256k1_ecdsa_signature sig; u8 *reply; u8 *ann; if (!fromwire_hsmctl_node_announcement_sig_req(msg, msg, NULL, &ann)) { status_trace("Failed to parse node_announcement_sig_req: %s", tal_hex(trc, msg)); return; } if (tal_len(ann) < offset) { status_trace("Node announcement too short: %s", tal_hex(trc, msg)); return; } /* FIXME(cdecker) Check the node announcement's content */ node_key(&node_pkey, NULL); sha256_double(&hash, ann + offset, tal_len(ann) - offset); sign_hash(&node_pkey, &hash, &sig); reply = towire_hsmctl_node_announcement_sig_reply(msg, &sig); daemon_conn_send(master, take(reply)); } static struct io_plan *control_received_req(struct io_conn *conn, struct daemon_conn *master) { enum hsm_wire_type t = fromwire_peektype(master->msg_in); status_trace("Control: type %s len %zu", hsm_wire_type_name(t), tal_count(master->msg_in)); switch (t) { case WIRE_HSMCTL_INIT: init_hsm(master, master->msg_in); return daemon_conn_read_next(conn, master); case WIRE_HSMCTL_HSMFD_ECDH: pass_hsmfd_ecdh(master, master->msg_in); return daemon_conn_read_next(conn, master); case WIRE_HSMCTL_HSMFD_CHANNELD: pass_hsmfd_channeld(master, master->msg_in); return daemon_conn_read_next(conn, master); case WIRE_HSMCTL_SIGN_FUNDING: sign_funding_tx(master, master->msg_in); return daemon_conn_read_next(conn, master); case WIRE_HSMCTL_SIGN_WITHDRAWAL: sign_withdrawal_tx(master, master->msg_in); return daemon_conn_read_next(conn, master); case WIRE_HSMCTL_NODE_ANNOUNCEMENT_SIG_REQ: sign_node_announcement(master, master->msg_in); return daemon_conn_read_next(conn, master); case WIRE_HSMCTL_INIT_REPLY: case WIRE_HSMCTL_HSMFD_ECDH_FD_REPLY: case WIRE_HSMCTL_HSMFD_CHANNELD_REPLY: case WIRE_HSMCTL_SIGN_FUNDING_REPLY: case WIRE_HSMCTL_SIGN_WITHDRAWAL_REPLY: case WIRE_HSMSTATUS_INIT_FAILED: case WIRE_HSMSTATUS_WRITEMSG_FAILED: case WIRE_HSMSTATUS_BAD_REQUEST: case WIRE_HSMSTATUS_FD_FAILED: case WIRE_HSMSTATUS_KEY_FAILED: case WIRE_HSMSTATUS_CLIENT_BAD_REQUEST: case WIRE_HSMCTL_NODE_ANNOUNCEMENT_SIG_REPLY: break; } /* Control shouldn't give bad requests. */ status_failed(WIRE_HSMSTATUS_BAD_REQUEST, "%i", t); } #ifndef TESTING static void master_gone(struct io_conn *unused, struct daemon_conn *dc) { /* Can't tell master, it's gone. */ exit(2); } int main(int argc, char *argv[]) { struct daemon_conn *master; if (argc == 2 && streq(argv[1], "--version")) { printf("%s\n", version()); exit(0); } breakpoint(); secp256k1_ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN); master = tal(NULL, struct daemon_conn); daemon_conn_init(master, master, STDIN_FILENO, control_received_req, master_gone); status_setup_async(master); /* When conn closes, everything is freed. */ tal_steal(master->conn, master); io_loop(NULL, NULL); return 0; } #endif