hsmd: take the passphrase raw, not the derived secret.

In preparation for BIP-39, we need to hand the passphrase (if any) to HSMD.

So we extend the hsmd wire protocol to allow that.

Author: sangbida

hsmd/hsmd.c

@@ -461,6 +461,7 @@ static struct io_plan *init_hsm(struct io_conn *conn,
 	struct bip32_key_version bip32_key_version;
 	u32 minversion, maxversion;
 	const u32 our_minversion = 4, our_maxversion = 6;
+	struct tlv_hsmd_init_tlvs *tlvs;
 
 	/* This must be lightningd. */
 	assert(is_lightningd(c));
@@ -475,7 +476,7 @@ static struct io_plan *init_hsm(struct io_conn *conn,
 				&dev_force_bip32_seed,
 				&dev_force_channel_secrets,
 				&dev_force_channel_secrets_shaseed,
-				&minversion, &maxversion))
+				&minversion, &maxversion, &tlvs))
 		return bad_req(conn, c, msg_in);
 
 	/*~ Usually we don't worry about API breakage between internal daemons,
@@ -487,6 +488,25 @@ static struct io_plan *init_hsm(struct io_conn *conn,
 				   minversion, maxversion,
 				   our_minversion, our_maxversion);
 
+	/*~ We used to have lightningd hand us the encryption key derived from
+	 * the passphrase which was used to encrypt the `hsm_secret` file.  Then
+	 * Rusty gave me the thankless task of introducing BIP-39 mnemonics.  I
+	 * think this is some kind of obscure CLN hazing ritual?  Anyway, the
+	 * passphrase needs to be *appended* to the mnemonic, so the HSM needs
+	 * the raw passphrase.  To avoid a compatibility break, I put it inside
+	 * the TLV, and left the old "hsm_encryption_key" field in place, even
+	 * though we override it here for the old-style non-BIP39 hsm_secret. */
+	if (tlvs->hsm_passphrase) {
+		const char *hsm_passphrase = (const char *)tlvs->hsm_passphrase;
+		const char *err_msg;
+
+		hsm_encryption_key = tal(NULL, struct secret);
+		if (hsm_secret_encryption_key_with_exitcode(hsm_passphrase, hsm_encryption_key, &err_msg) != 0)
+			return bad_req_fmt(conn, c, msg_in,
+					   "Bad passphrase: %s", err_msg);
+	}
+	tal_free(tlvs);
+
 	/*~ The memory is actually copied in towire(), so lock the `hsm_secret`
 	 * encryption key (new) memory again here. */
 	if (hsm_encryption_key && sodium_mlock(hsm_encryption_key,

hsmd/hsmd_wire.csv

@@ -29,6 +29,9 @@ msgdata,hsmd_init,dev_force_channel_secrets,?secrets,
 msgdata,hsmd_init,dev_force_channel_secrets_shaseed,?sha256,
 msgdata,hsmd_init,hsm_wire_min_version,u32,
 msgdata,hsmd_init,hsm_wire_max_version,u32,
+msgdata,hsmd_init,tlvs,hsmd_init_tlvs,
+tlvtype,hsmd_init_tlvs,hsm_passphrase,1
+tlvdata,hsmd_init_tlvs,hsm_passphrase,passphrase,wirestring,
 
 #include <common/bip32.h>
 # Sorry: I should have put version in v2 :(

lightningd/hsm_control.c

@@ -103,7 +103,7 @@ struct ext_key *hsm_init(struct lightningd *ld)
 	/* If hsm_secret is encrypted and the --encrypted-hsm startup option is
 	 * not passed, don't let hsmd use the first 32 bytes of the cypher as the
 	 * actual secret. */
-	if (!ld->config.keypass) {
+	if (!ld->hsm_passphrase) {
 		if (is_hsm_secret_encrypted("hsm_secret") == 1)
 			errx(EXITCODE_HSM_ERROR_IS_ENCRYPT, "hsm_secret is encrypted, you need to pass the "
 			     "--encrypted-hsm startup option.");
@@ -127,16 +127,24 @@ struct ext_key *hsm_init(struct lightningd *ld)
 		    err(EXITCODE_HSM_GENERIC_ERROR, "Writing preinit msg to hsm");
 	}
 
+	/* Create TLV for passphrase if needed */
+	struct tlv_hsmd_init_tlvs *tlv = NULL;
+	if (ld->hsm_passphrase) {
+		tlv = tlv_hsmd_init_tlvs_new(tmpctx);
+		tlv->hsm_passphrase = ld->hsm_passphrase;
+	}
+
 	if (!wire_sync_write(ld->hsm_fd, towire_hsmd_init(tmpctx,
 							  &chainparams->bip32_key_version,
 							  chainparams,
-							  ld->config.keypass,
+							  NULL,
 							  ld->dev_force_privkey,
 							  ld->dev_force_bip32_seed,
 							  ld->dev_force_channel_secrets,
 							  ld->dev_force_channel_secrets_shaseed,
 							  HSM_MIN_VERSION,
-							  HSM_MAX_VERSION)))
+							  HSM_MAX_VERSION,
+							  tlv)))
 		err(EXITCODE_HSM_GENERIC_ERROR, "Writing init msg to hsm");
 
 	bip32_base = tal(ld, struct ext_key);
@@ -148,7 +156,7 @@ struct ext_key *hsm_init(struct lightningd *ld)
 					&unused)) {
 		/* nothing to do. */
 	} else {
-		if (ld->config.keypass)
+		if (ld->hsm_passphrase)
 			errx(EXITCODE_HSM_BAD_PASSWORD, "Wrong password for encrypted hsm_secret.");
 		errx(EXITCODE_HSM_GENERIC_ERROR, "HSM did not give init reply");
 	}

lightningd/lightningd.c

@@ -314,10 +314,10 @@ static struct lightningd *new_lightningd(const tal_t *ctx)
 	/*~ This is set when a JSON RPC command comes in to shut us down. */
 	ld->stop_conn = NULL;
 
-	/*~ This is used to signal that `hsm_secret` is encrypted, and will
-	 * be set to `true` if the `--encrypted-hsm` option is passed at startup.
+	/*~ This is used to store the passphrase for hsm_secret if needed.
+	 * It will be set if the `--hsm-passphrase` option is passed at startup.
 	 */
-	ld->encrypted_hsm = false;
+	ld->hsm_passphrase = NULL;
 
 	/* This is used to override subdaemons */
 	strmap_init(&ld->alt_subdaemons);
@@ -1310,11 +1310,6 @@ int main(int argc, char *argv[])
 	/*~ This is the ccan/io central poll override from above. */
 	io_poll_override(io_poll_lightningd);
 
-	/*~ If hsm_secret is encrypted, we don't need its encryption key
-	 * anymore. Note that sodium_munlock() also zeroes the memory.*/
-	if (ld->config.keypass)
-		discard_key(take(ld->config.keypass));
-
 	/*~ Our default color and alias are derived from our node id, so we
 	 * can only set those now (if not set by config options). */
 	setup_color_and_alias(ld);

lightningd/lightningd.h

@@ -69,8 +69,6 @@ struct config {
 	/* Minimal amount of effective funding_satoshis for accepting channels */
 	u64 min_capacity_sat;
 
-	/* This is the key we use to encrypt `hsm_secret`. */
-	struct secret *keypass;
 
 	/* How long before we give up waiting for INIT msg */
 	u32 connection_timeout_secs;
@@ -378,7 +376,11 @@ struct lightningd {
 
 	char *wallet_dsn;
 
-	bool encrypted_hsm;
+
+	/* HSM passphrase for any format that needs it */
+	char *hsm_passphrase;
+
+
 	/* What (additional) messages the HSM accepts */
 	u32 *hsm_capabilities;
 

lightningd/options.c

@@ -604,13 +604,7 @@ static char *opt_set_hsm_password(struct lightningd *ld)
 	}
 	prompt(ld, "");
 
-	ld->config.keypass = tal(NULL, struct secret);
-
-	opt_exitcode = hsm_secret_encryption_key_with_exitcode(passwd, ld->config.keypass, &err_msg);
-	if (opt_exitcode > 0)
-		return cast_const(char *, err_msg);
-
-	ld->encrypted_hsm = true;
+	ld->hsm_passphrase = tal_strdup(ld, passwd);
 	free(passwd);
 
 	return NULL;

lightningd/test/run-find_my_abspath.c

@@ -60,9 +60,6 @@ bool  deprecated_ok_(bool deprecated_apis UNNEEDED,
 		    void (*complain)(const char *feat UNNEEDED, bool allowing UNNEEDED, void *) UNNEEDED,
 		    void *cbarg UNNEEDED)
 { fprintf(stderr, "deprecated_ok_ called!\n"); abort(); }
-/* Generated stub for discard_key */
-void discard_key(struct secret *key TAKES UNNEEDED)
-{ fprintf(stderr, "discard_key called!\n"); abort(); }
 /* Generated stub for ecdh_hsmd_setup */
 void ecdh_hsmd_setup(int hsm_fd UNNEEDED,
 		     void (*failed)(enum status_failreason UNNEEDED,

wallet/test/run-wallet.c

@@ -435,9 +435,6 @@ bool invoices_resolve(struct invoices *invoices UNNEEDED,
 		      const struct json_escape *label UNNEEDED,
 		      const struct bitcoin_outpoint *outpoint UNNEEDED)
 { fprintf(stderr, "invoices_resolve called!\n"); abort(); }
-/* Generated stub for is_hsm_secret_encrypted */
-int is_hsm_secret_encrypted(const char *path UNNEEDED)
-{ fprintf(stderr, "is_hsm_secret_encrypted called!\n"); abort(); }
 /* Generated stub for json_add_address */
 void json_add_address(struct json_stream *response UNNEEDED, const char *fieldname UNNEEDED,
 		      const struct wireaddr *addr UNNEEDED)
@@ -1038,6 +1035,9 @@ void tell_connectd_peer_importance(struct peer *peer UNNEEDED,
 /* Generated stub for tlv_hsmd_dev_preinit_tlvs_new */
 struct tlv_hsmd_dev_preinit_tlvs *tlv_hsmd_dev_preinit_tlvs_new(const tal_t *ctx UNNEEDED)
 { fprintf(stderr, "tlv_hsmd_dev_preinit_tlvs_new called!\n"); abort(); }
+/* Generated stub for tlv_hsmd_init_tlvs_new */
+struct tlv_hsmd_init_tlvs *tlv_hsmd_init_tlvs_new(const tal_t *ctx UNNEEDED)
+{ fprintf(stderr, "tlv_hsmd_init_tlvs_new called!\n"); abort(); }
 /* Generated stub for to_canonical_invstr */
 const char *to_canonical_invstr(const tal_t *ctx UNNEEDED, const char *invstring UNNEEDED)
 { fprintf(stderr, "to_canonical_invstr called!\n"); abort(); }
@@ -1141,7 +1141,7 @@ u8 *towire_hsmd_forget_channel(const tal_t *ctx UNNEEDED, const struct node_id *
 u8 *towire_hsmd_get_output_scriptpubkey(const tal_t *ctx UNNEEDED, u64 channel_id UNNEEDED, const struct node_id *peer_id UNNEEDED, const struct pubkey *commitment_point UNNEEDED)
 { fprintf(stderr, "towire_hsmd_get_output_scriptpubkey called!\n"); abort(); }
 /* Generated stub for towire_hsmd_init */
-u8 *towire_hsmd_init(const tal_t *ctx UNNEEDED, const struct bip32_key_version *bip32_key_version UNNEEDED, const struct chainparams *chainparams UNNEEDED, const struct secret *hsm_encryption_key UNNEEDED, const struct privkey *dev_force_privkey UNNEEDED, const struct secret *dev_force_bip32_seed UNNEEDED, const struct secrets *dev_force_channel_secrets UNNEEDED, const struct sha256 *dev_force_channel_secrets_shaseed UNNEEDED, u32 hsm_wire_min_version UNNEEDED, u32 hsm_wire_max_version UNNEEDED)
+u8 *towire_hsmd_init(const tal_t *ctx UNNEEDED, const struct bip32_key_version *bip32_key_version UNNEEDED, const struct chainparams *chainparams UNNEEDED, const struct secret *hsm_encryption_key UNNEEDED, const struct privkey *dev_force_privkey UNNEEDED, const struct secret *dev_force_bip32_seed UNNEEDED, const struct secrets *dev_force_channel_secrets UNNEEDED, const struct sha256 *dev_force_channel_secrets_shaseed UNNEEDED, u32 hsm_wire_min_version UNNEEDED, u32 hsm_wire_max_version UNNEEDED, const struct tlv_hsmd_init_tlvs *tlvs UNNEEDED)
 { fprintf(stderr, "towire_hsmd_init called!\n"); abort(); }
 /* Generated stub for towire_hsmd_new_channel */
 u8 *towire_hsmd_new_channel(const tal_t *ctx UNNEEDED, const struct node_id *id UNNEEDED, u64 dbid UNNEEDED)