core-lightning/lightningd/derive_basepoints.c
Rusty Russell b99c5620ef struct secret: use everywhere.
We alternated between using a sha256 and using a privkey, but there are
numerous places where we have a random 32 bytes which are neither.

This fixes many of them (plus, struct privkey is now defined in terms of
struct secret).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2017-05-09 11:43:35 +09:30

92 lines
2.5 KiB
C

#include <assert.h>
#include <ccan/crypto/hkdf_sha256/hkdf_sha256.h>
#include <ccan/crypto/sha256/sha256.h>
#include <ccan/crypto/shachain/shachain.h>
#include <lightningd/derive_basepoints.h>
#include <utils.h>
bool derive_basepoints(const struct privkey *seed,
struct pubkey *funding_pubkey,
struct basepoints *basepoints,
struct secrets *secrets,
struct sha256 *shaseed,
struct pubkey *per_commit_point,
u64 per_commit_index)
{
struct sha256 per_commit_secret;
struct keys {
struct privkey f, r, p, d;
struct sha256 shaseed;
} keys;
hkdf_sha256(&keys, sizeof(keys), NULL, 0, seed, sizeof(*seed),
"c-lightning", strlen("c-lightning"));
secrets->funding_privkey = keys.f;
secrets->revocation_basepoint_secret = keys.r.secret;
secrets->payment_basepoint_secret = keys.p.secret;
secrets->delayed_payment_basepoint_secret = keys.d.secret;
if (!pubkey_from_privkey(&keys.f, funding_pubkey)
|| !pubkey_from_privkey(&keys.r, &basepoints->revocation)
|| !pubkey_from_privkey(&keys.p, &basepoints->payment)
|| !pubkey_from_privkey(&keys.d, &basepoints->delayed_payment))
return false;
/* BOLT #3:
*
* A node MUST select an unguessable 256-bit seed for each connection,
* and MUST NOT reveal the seed.
*/
*shaseed = keys.shaseed;
shachain_from_seed(shaseed, shachain_index(per_commit_index),
&per_commit_secret);
/* BOLT #3:
*
* The `per-commitment-point` is generated using EC multiplication:
*
* per-commitment-point = per-commitment-secret * G
*/
if (secp256k1_ec_pubkey_create(secp256k1_ctx,
&per_commit_point->pubkey,
per_commit_secret.u.u8) != 1)
return false;
return true;
}
bool next_per_commit_point(const struct sha256 *shaseed,
struct sha256 *old_commit_secret,
struct pubkey *per_commit_point,
u64 per_commit_index)
{
struct sha256 per_commit_secret;
/* Get old secret. */
if (per_commit_index > 0)
shachain_from_seed(shaseed, shachain_index(per_commit_index - 1),
old_commit_secret);
else
assert(old_commit_secret == NULL);
/* Derive new per-commitment-point. */
shachain_from_seed(shaseed, shachain_index(per_commit_index + 1),
&per_commit_secret);
/* BOLT #3:
*
* The `per-commitment-point` is generated using EC multiplication:
*
* per-commitment-point = per-commitment-secret * G
*/
if (secp256k1_ec_pubkey_create(secp256k1_ctx,
&per_commit_point->pubkey,
per_commit_secret.u.u8) != 1)
return false;
return true;
}