From 01161aac685dba42d6f9059ab9b69631faaddedd Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Wed, 22 Sep 2021 06:47:25 +0930 Subject: [PATCH] hsmd: derive an onion_reply secret. We put this in reply paths, so we can tell if they are used. This lets us avoid responding unless the correct reply path is used. Signed-off-by: Rusty Russell --- hsmd/hsmd_wire.csv | 1 + hsmd/hsmd_wiregen.c | 8 +++++--- hsmd/hsmd_wiregen.h | 6 +++--- hsmd/libhsmd.c | 11 ++++++++++- lightningd/hsm_control.c | 3 ++- lightningd/lightningd.h | 3 +++ 6 files changed, 24 insertions(+), 8 deletions(-) diff --git a/hsmd/hsmd_wire.csv b/hsmd/hsmd_wire.csv index e6126bf9b..051b09fcd 100644 --- a/hsmd/hsmd_wire.csv +++ b/hsmd/hsmd_wire.csv @@ -21,6 +21,7 @@ msgtype,hsmd_init_reply,111 msgdata,hsmd_init_reply,node_id,node_id, msgdata,hsmd_init_reply,bip32,ext_key, msgdata,hsmd_init_reply,bolt12,pubkey32, +msgdata,hsmd_init_reply,onion_reply_secret,secret, # Get a new HSM FD, with the specified capabilities msgtype,hsmd_client_hsmfd,9 diff --git a/hsmd/hsmd_wiregen.c b/hsmd/hsmd_wiregen.c index 74daa24e7..3df7ba1fa 100644 --- a/hsmd/hsmd_wiregen.c +++ b/hsmd/hsmd_wiregen.c @@ -243,7 +243,7 @@ bool fromwire_hsmd_init(const tal_t *ctx, const void *p, struct bip32_key_versio } /* WIRE: HSMD_INIT_REPLY */ -u8 *towire_hsmd_init_reply(const tal_t *ctx, const struct node_id *node_id, const struct ext_key *bip32, const struct pubkey32 *bolt12) +u8 *towire_hsmd_init_reply(const tal_t *ctx, const struct node_id *node_id, const struct ext_key *bip32, const struct pubkey32 *bolt12, const struct secret *onion_reply_secret) { u8 *p = tal_arr(ctx, u8, 0); 
@@ -251,10 +251,11 @@ u8 *towire_hsmd_init_reply(const tal_t *ctx, const struct node_id *node_id, cons towire_node_id(&p, node_id); towire_ext_key(&p, bip32); towire_pubkey32(&p, bolt12); + towire_secret(&p, onion_reply_secret); return memcheck(p, tal_count(p)); } -bool fromwire_hsmd_init_reply(const void *p, struct node_id *node_id, struct ext_key *bip32, struct pubkey32 *bolt12) +bool fromwire_hsmd_init_reply(const void *p, struct node_id *node_id, struct ext_key *bip32, struct pubkey32 *bolt12, struct secret *onion_reply_secret) { const u8 *cursor = p; size_t plen = tal_count(p); @@ -264,6 +265,7 @@ bool fromwire_hsmd_init_reply(const void *p, struct node_id *node_id, struct ext fromwire_node_id(&cursor, &plen, node_id); fromwire_ext_key(&cursor, &plen, bip32); fromwire_pubkey32(&cursor, &plen, bolt12); + fromwire_secret(&cursor, &plen, onion_reply_secret); return cursor != NULL; } @@ -1331,4 +1333,4 @@ bool fromwire_hsmd_sign_option_will_fund_offer_reply(const void *p, secp256k1_ec fromwire_secp256k1_ecdsa_signature(&cursor, &plen, rsig); return cursor != NULL; } -// SHA256STAMP:739903bb8c5fedb86d1d35fea7b926f35b117d9cfdb5e3e8e1f62ddca731f54b +// SHA256STAMP:34afee076f2df0aca89c651f73043e5fbf11817a1ae482d70530212b25a82918 diff --git a/hsmd/hsmd_wiregen.h b/hsmd/hsmd_wiregen.h index 71159754a..4a9976305 100644 --- a/hsmd/hsmd_wiregen.h +++ b/hsmd/hsmd_wiregen.h 
@@ -107,8 +107,8 @@ u8 *towire_hsmd_init(const tal_t *ctx, const struct bip32_key_version *bip32_key bool fromwire_hsmd_init(const tal_t *ctx, const void *p, struct bip32_key_version *bip32_key_version, const struct chainparams **chainparams, struct secret **hsm_encryption_key, struct privkey **dev_force_privkey, struct secret **dev_force_bip32_seed, struct secrets **dev_force_channel_secrets, struct sha256 **dev_force_channel_secrets_shaseed); /* WIRE: HSMD_INIT_REPLY */ -u8 *towire_hsmd_init_reply(const tal_t *ctx, const struct node_id *node_id, const struct ext_key *bip32, const struct pubkey32 *bolt12); -bool fromwire_hsmd_init_reply(const void *p, struct node_id *node_id, struct ext_key *bip32, struct pubkey32 *bolt12); +u8 *towire_hsmd_init_reply(const tal_t *ctx, const struct node_id *node_id, const struct ext_key *bip32, const struct pubkey32 *bolt12, const struct secret *onion_reply_secret); +bool fromwire_hsmd_init_reply(const void *p, struct node_id *node_id, struct ext_key *bip32, struct pubkey32 *bolt12, struct secret *onion_reply_secret); /* WIRE: HSMD_CLIENT_HSMFD */ /* Get a new HSM FD */ @@ -295,4 +295,4 @@ bool fromwire_hsmd_sign_option_will_fund_offer_reply(const void *p, secp256k1_ec #endif /* LIGHTNING_HSMD_HSMD_WIREGEN_H */ -// SHA256STAMP:739903bb8c5fedb86d1d35fea7b926f35b117d9cfdb5e3e8e1f62ddca731f54b +// SHA256STAMP:34afee076f2df0aca89c651f73043e5fbf11817a1ae482d70530212b25a82918 diff --git a/hsmd/libhsmd.c b/hsmd/libhsmd.c index f5f4e6db3..648b4b009 100644 --- a/hsmd/libhsmd.c +++ b/hsmd/libhsmd.c @@ -1469,6 +1469,7 @@ u8 *hsmd_init(struct secret hsm_secret, u32 salt = 0; struct ext_key master_extkey, child_extkey; struct node_id node_id; + struct secret onion_reply_secret; /*~ Don't swap this. */ sodium_mlock(secretstuff.hsm_secret.data, 
@@ -1588,10 +1589,18 @@ u8 *hsmd_init(struct secret hsm_secret, hsmd_status_failed(STATUS_FAIL_INTERNAL_ERROR, "Could derive bolt12 public key."); + /*~ We derive a secret for onion_message's self_id so we can tell + * if it used a path we created (i.e. do not leak our public id!) */ + hkdf_sha256(&onion_reply_secret, sizeof(onion_reply_secret), + NULL, 0, + &secretstuff.hsm_secret, + sizeof(secretstuff.hsm_secret), + "onion reply secret", strlen("onion reply secret")); + /*~ Note: marshalling a bip32 tree only marshals the public side, * not the secrets! So we're not actually handing them out here! */ return take(towire_hsmd_init_reply( NULL, &node_id, &secretstuff.bip32, - &bolt12)); + &bolt12, &onion_reply_secret)); } diff --git a/lightningd/hsm_control.c b/lightningd/hsm_control.c index 3c54694cd..ec28cab8c 100644 --- a/lightningd/hsm_control.c +++ b/lightningd/hsm_control.c @@ -116,7 +116,8 @@ struct ext_key *hsm_init(struct lightningd *ld) msg = wire_sync_read(tmpctx, ld->hsm_fd); if (!fromwire_hsmd_init_reply(msg, &ld->id, bip32_base, - &ld->bolt12_base)) { + &ld->bolt12_base, + &ld->onion_reply_secret)) { if (ld->config.keypass) errx(1, "Wrong password for encrypted hsm_secret."); errx(1, "HSM did not give init reply"); diff --git a/lightningd/lightningd.h b/lightningd/lightningd.h index fe26bd436..699f7e330 100644 --- a/lightningd/lightningd.h +++ b/lightningd/lightningd.h @@ -109,6 +109,9 @@ struct lightningd { /* The public base for our payer_id keys */ struct pubkey32 bolt12_base; + /* The secret we put in onion message paths to know it's ours. */ + struct secret onion_reply_secret; + /* Feature set we offer. */ struct feature_set *our_features;
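Review bot: The retained comment just below the new derivation still says "we're not actually handing them out here", but with `&onion_reply_secret` added to the `towire_hsmd_init_reply` call the init reply now carries a secret across the hsmd boundary. I would reword it along the lines of `/*~ Note: the bip32 tree marshals only its public side; onion_reply_secret is a real secret, but it is an HKDF output under its own info string and does not reveal hsm_secret. */`, so the next reader does not assume nothing sensitive leaves this function. The stack copy of `onion_reply_secret` (declared in the earlier hunk) is neither mlocked like `hsm_secret` nor cleared before return; that may be acceptable because the value is sent to lightningd anyway, but the comment should say so. `hsmd_init` begins outside this hunk.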
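Review bot: The failure branch under `fromwire_hsmd_init_reply` now also fires when the reply is simply too short for the new trailing `onion_reply_secret` field, and with `ld->config.keypass` set that is reported as "Wrong password for encrypted hsm_secret.". Nothing in this diff versions the init reply, so an hsmd built before the field was added (or an external signer, if one speaks this protocol) would presumably land here and send the operator after a password problem. A comment such as `/* Also fails if hsmd predates onion_reply_secret in the init reply. */` would help, or a distinct message for a parse failure. `hsm_init` continues outside the hunk.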
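Review bot: The new field comment says what the secret is for but not how it must be handled, and the neighbouring member `bolt12_base` is documented as a public base, so the sensitivity is easy to overlook. I would extend it to something like `/* The secret we put in onion message paths to know it's ours. Never log it; compare with secret_eq_consttime(). */`. The code that checks an incoming value against this field is not part of this diff, so whether it already compares in constant time cannot be told from here. `struct lightningd` continues outside the hunk.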