hsmd: derive an onion_reply secret.

rustyrussell · rustyrussell · commit 01161aac685d · 2021-09-22T09:10:34.000+09:30
We put this in reply paths, so we can tell if they are used.  This lets us
avoid responding unless the correct reply path is used.

Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
diff --git a/hsmd/hsmd_wire.csv b/hsmd/hsmd_wire.csv
@@ -21,6 +21,7 @@ msgtype,hsmd_init_reply,111
 msgdata,hsmd_init_reply,node_id,node_id,
 msgdata,hsmd_init_reply,bip32,ext_key,
 msgdata,hsmd_init_reply,bolt12,pubkey32,
+msgdata,hsmd_init_reply,onion_reply_secret,secret,
 
 # Get a new HSM FD, with the specified capabilities
 msgtype,hsmd_client_hsmfd,9
diff --git a/hsmd/hsmd_wiregen.c b/hsmd/hsmd_wiregen.c
diff --git a/hsmd/hsmd_wiregen.h b/hsmd/hsmd_wiregen.h
diff --git a/hsmd/libhsmd.c b/hsmd/libhsmd.c
@@ -1469,6 +1469,7 @@ u8 *hsmd_init(struct secret hsm_secret,
 	u32 salt = 0;
 	struct ext_key master_extkey, child_extkey;
 	struct node_id node_id;
+	struct secret onion_reply_secret;
 
 	/*~ Don't swap this. */
 	sodium_mlock(secretstuff.hsm_secret.data,
@@ -1588,10 +1589,18 @@ u8 *hsmd_init(struct secret hsm_secret,
 		hsmd_status_failed(STATUS_FAIL_INTERNAL_ERROR,
 				   "Could derive bolt12 public key.");
 
+	/*~ We derive a secret for onion_message's self_id so we can tell
+	 * if it used a path we created (i.e. do not leak our public id!) */
+	hkdf_sha256(&onion_reply_secret, sizeof(onion_reply_secret),
+		    NULL, 0,
+		    &secretstuff.hsm_secret,
+		    sizeof(secretstuff.hsm_secret),
+		    "onion reply secret", strlen("onion reply secret"));
+
 	/*~ Note: marshalling a bip32 tree only marshals the public side,
 	 * not the secrets!  So we're not actually handing them out here!
 	 */
 	return take(towire_hsmd_init_reply(
 	    NULL, &node_id, &secretstuff.bip32,
-	    &bolt12));
+	    &bolt12, &onion_reply_secret));
 }
diff --git a/lightningd/hsm_control.c b/lightningd/hsm_control.c
@@ -116,7 +116,8 @@ struct ext_key *hsm_init(struct lightningd *ld)
 	msg = wire_sync_read(tmpctx, ld->hsm_fd);
 	if (!fromwire_hsmd_init_reply(msg,
 				      &ld->id, bip32_base,
-				      &ld->bolt12_base)) {
+				      &ld->bolt12_base,
+				      &ld->onion_reply_secret)) {
 		if (ld->config.keypass)
 			errx(1, "Wrong password for encrypted hsm_secret.");
 		errx(1, "HSM did not give init reply");
diff --git a/lightningd/lightningd.h b/lightningd/lightningd.h
@@ -109,6 +109,9 @@ struct lightningd {
 	/* The public base for our payer_id keys */
 	struct pubkey32 bolt12_base;
 
+	/* The secret we put in onion message paths to know it's ours. */
+	struct secret onion_reply_secret;
+
 	/* Feature set we offer. */
 	struct feature_set *our_features;
 
