Extra address checks, with new HSM support #5708
Conversation
|
Ugh, more hsm_wire.csv breaking. Let's not create all those variants of the init message, let's rather move the HSM version up to in the init, and then use that to differentiate. Replicating the |
|
Thinking about this a bit more, I think we have two options to make the schema evolution for the
I guess it boils down to whether we expect the signer or the node to be ahead, and whether we care about pruning old fields from the message. As a quick side-note on why I don't like changing the numeric type of |
|
Patch lgtm, utACK. But I did have a question about the goals of API support. Mainly, how long is one's HSMD impl being out of date supported for? If a user has an HSM with a terribly outdated version from the current CLN version they're running, will it fail to start or is there supposed to be a "limp along"/backwards compatible level of functionality that is maintained? Just trying to get a better understanding of the design goals re HSM API here. |
|
Some of this is a limitation of our wire format. It's simplest and most robust to have separate messages, but we can actually make the v3 a variant on v2 with an extra field appended since we have option logic for that (which off the top of my head, isn't used anywhere else anymore, so I would have liked to remove it, but ok). Using TLVs here unconstrains the test matrix and is probably a bad idea. The multiple init responses is ugly, but simple. Putting the version first is a good idea, in the hope that all messages can be based on this in future. |
|
OK, I've completely reworked the HSM init revision. @ksedgwic what do you think? We now have a version in the reply, plus capabilities which we use here to try to allow you to decouple from hsm changes (at least in cases where we can make new messages optional). |
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
from
a281242
to
c77ff47
Compare
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
from
c77ff47
to
14912fd
Compare
rustyrussell
changed the title
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
from
14912fd
to
9019586
Compare
|
Looks sensible to me, concept ACK A capability which seems to be coming up is |
hsmd/hsmd_wire.csv
Outdated
| msgdata,hsmd_check_pubkey,index,u32, | ||
| msgdata,hsmd_check_pubkey,pubkey,pubkey, | ||
|
|
||
| # Reply (if it's bad, it simple aborts.) |
There was a problem hiding this comment.
what does this mean exactly? closes the connection? it would be difficult to distinguish from a real disconnect due to restart.
There was a problem hiding this comment.
OK, this works for a local hsmd, not for remote. Will make it an explicit reply!
Thanks!
|
|
||
| # Sanity check this pubkey derivation is correct. | ||
| msgtype,hsmd_check_pubkey,28 | ||
| msgdata,hsmd_check_pubkey,index,u32, |
There was a problem hiding this comment.
- are hardened indices allowed (high bit = 1)?
- we plan to deny very high indices, e.g. > 1_000_000, to make recovery sane in case of database loss. is that OK?
There was a problem hiding this comment.
No, we don't use hardened derivations. And the 1M keys limit seems like a sane precaution: if someone exceeds that they should tell us :)
|
BTW, note that we check L1 destinations at the time of |
|
Yes, |
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
2 times, most recently
from
be91509
to
a170d37
Compare
|
Folded in fix which makes hsm explicitly reply, and fixed up hsm_versions.h definition. |
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
2 times, most recently
from
160e966
to
0bda5ad
Compare
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
from
0bda5ad
to
a3a720c
Compare
We were handing 3 to hsmd (and Ken added that in 7b2c561, so I guess he's OK with that being the minimum supported version!). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Importantly, adds the version number at the *front* to help future parsing. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Header from folded patch 'fix-hsm-check-pubkey.patch': fixup! hsmd: capability addition: ability to check pubkeys.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It's needed as the db and wallet is being set up (db migrations), so it's simpler this way to always use ld->bip32_base for the next patch. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
At the moment only lightingd needs it, and this avoids missing any places where we do bip32 derivation. This uses a hsm capability to mean we're backwards compatible with older hsmds. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Changelog-Added: Protocol: we now always double-check bitcoin addresses are correct (no memory errors!) before issuing them.
`struct lightningd` is not completely initialized, so we added a "migration_context" which only had some of the fields. But we ended up handing in `struct lightningd` anyway, so I don't think this complexity is worthwhile. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
rustyrussell
force-pushed
the
guilt/extra-address-checks
branch
2 times, most recently
from
defa756
to
cf04060
Compare
|
Ack cf04060 |
This is built on top of #5986 (first 9 commits)
Closes: #5695