Use Sha256s for tweaks in sign to enforce randomness

We assume that tweaks are the output of a SHA-256 hash function (and thus that failing to create a private key from the has negligible probability) in `add_public_key_tweak` and elsewhere. Thus, we really shouldn't be taking byte arrays in the public API but rather `Sha256` objects, and communicating in the docs for `add_public_key_tweak` that we can panic if its not the output of a hash function, both of which we do here.
2025-02-24 23:08:36 +01:00 · 2024-04-19 00:36:52 +00:00 · 2024-04-19 00:36:52 +00:00 · 9f1c9062db
commit 9f1c9062db
parent 23d9514259
2 changed files with 8 additions and 6 deletions
--- a/lightning/src/ln/channel_keys.rs
+++ b/lightning/src/ln/channel_keys.rs
@ -45,11 +45,11 @@ macro_rules! basepoint_impl {
 			///
 			/// This calculates the hash part in the tweak derivation process, which is used to
 			/// ensure that each key is unique and cannot be guessed by an external party.
-			pub fn derive_add_tweak(&self, per_commitment_point: &PublicKey) -> [u8; 32] {
+			pub fn derive_add_tweak(&self, per_commitment_point: &PublicKey) -> Sha256 {
 				let mut sha = Sha256::engine();
 				sha.input(&per_commitment_point.serialize());
 				sha.input(&self.to_public_key().serialize());
-				Sha256::from_engine(sha).to_byte_array()
+				Sha256::from_engine(sha)
 			}
 		}

@ -166,18 +166,20 @@ fn derive_public_key<T: secp256k1::Signing>(
 	let mut sha = Sha256::engine();
 	sha.input(&per_commitment_point.serialize());
 	sha.input(&base_point.serialize());
-	let res = Sha256::from_engine(sha).to_byte_array();
+	let res = Sha256::from_engine(sha);

 	add_public_key_tweak(secp_ctx, base_point, &res)
 }

 /// Adds a tweak to a public key to derive a new public key.
+///
+/// May panic if `tweak` is not the output of a SHA-256 hash.
 pub fn add_public_key_tweak<T: secp256k1::Signing>(
-	secp_ctx: &Secp256k1<T>, base_point: &PublicKey, tweak: &[u8; 32],
+	secp_ctx: &Secp256k1<T>, base_point: &PublicKey, tweak: &Sha256,
 ) -> PublicKey {
 	let hashkey = PublicKey::from_secret_key(
 		&secp_ctx,
-		&SecretKey::from_slice(tweak)
+		&SecretKey::from_slice(tweak.as_byte_array())
 			.expect("Hashes should always be valid keys unless SHA-256 is broken"),
 	);
 	base_point.combine(&hashkey)
--- a/lightning/src/sign/mod.rs
+++ b/lightning/src/sign/mod.rs
@ -401,7 +401,7 @@ impl SpendableOutputDescriptor {
 									subtype: 0,
 									key: "add_tweak".as_bytes().to_vec(),
 								},
-								add_tweak.to_vec(),
+								add_tweak.as_byte_array().to_vec(),
 							)]
 							.into_iter()
 							.collect()