cryptopkt: update to latest encryption BOLT.

As per lightning-rfc commit b579b16866855da166981192c0f0549517069d4e. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
9 years ago · 5472f73f9c
4 changed files with 77 additions and 35 deletions
--- a/daemon/cryptopkt.c
+++ b/daemon/cryptopkt.c
@ -358,28 +358,45 @@ static struct io_plan *check_proof(struct io_conn *conn, struct peer *peer)
 	if (!auth)
 		return io_close(conn);

-	if (!proto_to_signature(peer->dstate->secpctx, auth->session_sig,
-				&sig)) {
-		log_unusual(peer->log, "Invalid auth signature");
-		return io_close(conn);
-	}
-
+	/* BOLT #1:
+	 *
+	 * The receiving node MUST check that:
+	 *
+	 * 1. `node_id` is the expected value for the sending node.
+	 */
 	if (!proto_to_pubkey(peer->dstate->secpctx, auth->node_id, &id)) {
 		log_unusual(peer->log, "Invalid auth id");
 		return io_close(conn);
 	}

-	/* Did we expect a specific ID? */
 	if (!peer->id)
 		peer->id = tal_dup(peer, struct pubkey, &id);
 	else if (!structeq(&id, peer->id)) {
 		log_unusual(peer->log, "Incorrect auth id");
 		return io_close(conn);
 	}
-	
-	/* Signature covers *our* session key. */
-	sha256_double(&sha,
-		      neg->our_sessionpubkey, sizeof(neg->our_sessionpubkey));
+
+	/* BOLT #1:
+	 *
+	 * 2. `session_sig` is a valid secp256k1 ECDSA signature encoded as
+	 *     a 32-byte big endian R value, followed by a 32-byte big
+	 *     endian S value.
+	 */
+	if (!proto_to_signature(peer->dstate->secpctx, auth->session_sig,
+				&sig)) {
+		log_unusual(peer->log, "Invalid auth signature");
+		return io_close(conn);
+	}
+
+
+	/* BOLT #1:
+	 *
+	 * 3. `session_sig` is the signature of the SHA256 of SHA256 of the
+	 *     its own sessionpubkey, using the secret key corresponding to
+	 *     the sender's `node_id`.
+	 */
+	sha256_double(&sha, neg->our_sessionpubkey,
+		      sizeof(neg->our_sessionpubkey));

 	if (!check_signed_hash(peer->dstate->secpctx, &sha, &sig, peer->id)) {
 		log_unusual(peer->log, "Bad auth signature");
@ -391,16 +408,19 @@ static struct io_plan *check_proof(struct io_conn *conn, struct peer *peer)

 	/* BOLT #1:
 	 *
-	 * The receiver MUST NOT examine the `ack` value until after
-	 * the authentication fields have been successfully validated.
-	 * The `ack` field MUST BE set to the number of
-	 * non-authenticate messages received and processed if
-	 * non-zero.
+	 * The receiver MUST NOT examine the `commits_seen` or
+	 *
+	 * `revocations_seen` values until after the authentication fields
+	 * have been successfully validated.  The `commits_seen` field MUST
+	 * BE set to the number of `update_commit` and `open_commit_sig`
+	 * messages received and processed if non-zero.  The
+	 * `revocations_seen` MUST BE set to the number of
+	 * `update_revocation` messages received and processed.
 	 */
 	/* FIXME: Handle reconnects. */
-	if (auth->ack != 0) {
-		log_unusual(peer->log, "FIXME: non-zero acknowledge %"PRIu64,
-			    auth->ack);
+	if (auth->commits_seen != 0 || auth->revocations_seen != 0) {
+		log_unusual(peer->log, "FIXME: non-zero seen %"PRIu64"/%"PRIu64,
+			    auth->commits_seen, auth->revocations_seen);
 		return io_close(conn);
 	}

@ -473,7 +493,12 @@ static struct io_plan *keys_exchanged(struct io_conn *conn, struct peer *peer)
 	setup_crypto(&peer->io_data->out, shared_secret,
 		     neg->our_sessionpubkey);

-	/* Now sign their session key to prove who we are. */
+	/* BOLT #1:
+	 *
+	 * `session_sig` is the signature of the SHA256 of SHA256 of the its
+	 * own sessionpubkey, using the secret key corresponding to the
+	 * sender's `node_id`.
+	 */
 	privkey_sign(peer, neg->their_sessionpubkey,
 		     sizeof(neg->their_sessionpubkey), &sig);

--- a/lightning.pb-c.c
+++ b/lightning.pb-c.c
@ -1464,8 +1464,9 @@ const ProtobufCMessageDescriptor funding__descriptor =
  (ProtobufCMessageInit) funding__init,
  NULL,NULL,NULL    /* reserved[123] */
 };
-static const uint64_t authenticate__ack__default_value = 0ull;
-static const ProtobufCFieldDescriptor authenticate__field_descriptors[3] =
+static const uint64_t authenticate__commits_seen__default_value = 0ull;
+static const uint64_t authenticate__revocations_seen__default_value = 0ull;
+static const ProtobufCFieldDescriptor authenticate__field_descriptors[4] =
 {
  {
    "node_id",
@ -1492,27 +1493,40 @@ static const ProtobufCFieldDescriptor authenticate__field_descriptors[3] =
    0,NULL,NULL    /* reserved1,reserved2, etc */
  },
  {
-    "ack",
+    "commits_seen",
    3,
    PROTOBUF_C_LABEL_OPTIONAL,
    PROTOBUF_C_TYPE_UINT64,
-    offsetof(Authenticate, has_ack),
-    offsetof(Authenticate, ack),
+    offsetof(Authenticate, has_commits_seen),
+    offsetof(Authenticate, commits_seen),
    NULL,
-    &authenticate__ack__default_value,
+    &authenticate__commits_seen__default_value,
+    0,             /* flags */
+    0,NULL,NULL    /* reserved1,reserved2, etc */
+  },
+  {
+    "revocations_seen",
+    4,
+    PROTOBUF_C_LABEL_OPTIONAL,
+    PROTOBUF_C_TYPE_UINT64,
+    offsetof(Authenticate, has_revocations_seen),
+    offsetof(Authenticate, revocations_seen),
+    NULL,
+    &authenticate__revocations_seen__default_value,
    0,             /* flags */
    0,NULL,NULL    /* reserved1,reserved2, etc */
  },
 };
 static const unsigned authenticate__field_indices_by_name[] = {
-  2,   /* field[2] = ack */
+  2,   /* field[2] = commits_seen */
  0,   /* field[0] = node_id */
+  3,   /* field[3] = revocations_seen */
  1,   /* field[1] = session_sig */
 };
 static const ProtobufCIntRange authenticate__number_ranges[1 + 1] =
 {
  { 1, 0 },
-  { 0, 3 }
+  { 0, 4 }
 };
 const ProtobufCMessageDescriptor authenticate__descriptor =
 {
@ -1522,7 +1536,7 @@ const ProtobufCMessageDescriptor authenticate__descriptor =
  "Authenticate",
  "",
  sizeof(Authenticate),
-  3,
+  4,
  authenticate__field_descriptors,
  authenticate__field_indices_by_name,
  1,  authenticate__number_ranges,
--- a/lightning.pb-c.h
+++ b/lightning.pb-c.h
@ -176,14 +176,16 @@ struct  _Authenticate
   */
  Signature *session_sig;
  /*
-   * How many (non-authenticate) packets we've already received
+   * How many commitment/revocation messages we've already received
   */
-  protobuf_c_boolean has_ack;
-  uint64_t ack;
+  protobuf_c_boolean has_commits_seen;
+  uint64_t commits_seen;
+  protobuf_c_boolean has_revocations_seen;
+  uint64_t revocations_seen;
 };
 #define AUTHENTICATE__INIT \
 { PROTOBUF_C_MESSAGE_INIT (&authenticate__descriptor) \
-    , NULL, NULL, 0,0ull }
+    , NULL, NULL, 0,0ull, 0,0ull }


 /*
--- a/lightning.proto
+++ b/lightning.proto
@ -64,8 +64,9 @@ message authenticate {
  required bitcoin_pubkey node_id = 1;
  // Signature of your session key. */
  required signature session_sig = 2;
-  // How many (non-authenticate) packets we've already received
-  optional uint64 ack = 3 [ default = 0 ];
+  // How many commitment/revocation messages we've already received
+  optional uint64 commits_seen = 3 [ default = 0 ];
+  optional uint64 revocations_seen = 4 [ default = 0 ];
 };

 // Set channel params.