📅 Original date posted:2015-10-22
📝 Original message:
OK, once I started trying to send data, I refined this a little so
we always send protobufs after the initial session key.
Feedback gratefully accepted!
Thanks,
Rusty.
--
After useful feedback from Anthony Towns and Mats Jerratsch (of
thunder.network fame), this is the third version of inter-node crypto.
1) First, each side sends a 33-byte session pubkey. This is a
bitcoin-style compressed EC key, unique for each session.
2) ECDH is used to derive a shared secret. From this we generate
the following transmission encoding parameters for each side:
Session AES-128 key: SHA256(shared-secret || my-sessionpubkey || 0)
Session HMAC key: SHA256(shared-secret || my-sessionpubkey || 1)
IV for AES: SHA256(shared-secret || my-sessionpubkey || 2)
3) All packets from then on are encrypted of form:
/* HMAC, covering totlen and data */
struct sha256 hmac;
/* Total data transmitted (including this). */
le64 totlen;
/* Encrypted contents, rounded up to 16 byte boundary. */
u8 data[];
4) The first packet is an Authenticate protobuf, containing this node's
pubkey, and a bitcoin-style EC signature of the other side's session
pubkey.
5) Unknown protobuf fields are handled in the protocol as follows
(including in the initial Authenticate packet):
1) Odd numbered fields are optional, and backwards compatible.
2) Even numbered fields are required; abort if you get one.
Currently both sides just send an error packet "hello" after the
handshake, and make sure they receive the same.
Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
diff --git a/daemon/Makefile b/daemon/Makefile
index 699cdc9..dfdcc0f 100644
--- a/daemon/Makefile
+++ b/daemon/Makefile
@@ -14,6 +14,7 @@ DAEMON_LIB_SRC := \
DAEMON_LIB_OBJS := $(DAEMON_LIB_SRC:.c=.o)
DAEMON_SRC := \
+ daemon/cryptopkt.c \
daemon/dns.c \
daemon/jsonrpc.c \
daemon/lightningd.c \
@@ -31,6 +32,7 @@ DAEMON_JSMN_HEADERS := daemon/jsmn/jsmn.h
DAEMON_HEADERS := \
daemon/configdir.h \
+ daemon/cryptopkt.h \
daemon/dns.h \
daemon/json.h \
daemon/jsonrpc.h \
diff --git a/daemon/cryptopkt.c b/daemon/cryptopkt.c
new file mode 100644
index 0000000..0667d6d
--- /dev/null
+++ b/daemon/cryptopkt.c
@@ -0,0 +1,511 @@
+#include "bitcoin/shadouble.h"
+#include "bitcoin/signature.h"
+#include "cryptopkt.h"
+#include "lightning.pb-c.h"
+#include "lightningd.h"
+#include "log.h"
+#include "peer.h"
+#include "protobuf_convert.h"
+#include "secrets.h"
+#include <ccan/build_assert/build_assert.h>
+#include <ccan/crypto/sha256/sha256.h>
+#include <ccan/endian/endian.h>
+#include <ccan/io/io_plan.h>
+#include <ccan/mem/mem.h>
+#include <ccan/short_types/short_types.h>
+#include <inttypes.h>
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <secp256k1.h>
+#include <secp256k1_ecdh.h>
+
+#define MAX_PKT_LEN (1024 * 1024)
+
+#define ROUNDUP(x,a) (((x) + ((a)-1)) & ~((a)-1))
+
+struct crypto_pkt {
+ /* HMAC */
+ struct sha256 hmac;
+ /* Total length transmitted. */
+ le64 totlen;
+ /* ... contents... */
+ u8 data[];
+};
+
+/* Temporary structure for negotiation (peer->io_data->neg) */
+struct key_negotiate {
+ /* Our session secret key. */
+ u8 seckey[32];
+
+ /* Our pubkey, their pubkey. */
+ u8 our_sessionpubkey[33], their_sessionpubkey[33];
+
+ /* Callback once it's all done. */
+ struct io_plan *(*cb)(struct io_conn *, struct peer *);
+};
+
+/* ARM loves to add padding to structs; be paranoid! */
+#define SESSION_PROOF_BASE_SIZE (64 + 33)
+
+#define ENCKEY_SEED 0
+#define HMACKEY_SEED 1
+#define IV_SEED 2
+
+struct enckey {
+ struct sha256 k;
+};
+
+struct hmackey {
+ struct sha256 k;
+};
+
+struct iv {
+ unsigned char iv[AES_BLOCK_SIZE];
+};
+
+static void sha_with_seed(const unsigned char secret[32],
+ const unsigned char serial_pubkey[33],
+ unsigned char seed,
+ struct sha256 *res)
+{
+ struct sha256_ctx ctx;
+
+ sha256_init(&ctx);
+ sha256_update(&ctx, memcheck(secret, 32), 32);
+ sha256_update(&ctx, memcheck(serial_pubkey, 33), 33);
+ sha256_u8(&ctx, seed);
+ sha256_done(&ctx, res);
+}
+
+static struct enckey enckey_from_secret(const unsigned char secret[32],
+ const unsigned char serial_pubkey[33])
+{
+ struct enckey enckey;
+ sha_with_seed(secret, serial_pubkey, ENCKEY_SEED, &enckey.k);
+ return enckey;
+}
+
+static struct hmackey hmackey_from_secret(const unsigned char secret[32],
+ const unsigned char serial_pubkey[33])
+{
+ struct hmackey hmackey;
+ sha_with_seed(secret, serial_pubkey, HMACKEY_SEED, &hmackey.k);
+ return hmackey;
+}
+
+static struct iv iv_from_secret(const unsigned char secret[32],
+ const unsigned char serial_pubkey[33])
+{
+ struct sha256 sha;
+ struct iv iv;
+
+ sha_with_seed(secret, serial_pubkey, IV_SEED, &sha);
+ memcpy(iv.iv, sha.u.u8, sizeof(iv.iv));
+ return iv;
+}
+
+struct dir_state {
+ u64 totlen;
+ struct hmackey hmackey;
+ EVP_CIPHER_CTX evpctx;
+
+ /* Current packet. */
+ struct crypto_pkt *cpkt;
+};
+
+static bool setup_crypto(struct dir_state *dir,
+ u8 shared_secret[32], u8 serial_pubkey[33])
+{
+ struct iv iv;
+ struct enckey enckey;
+
+ dir->totlen = 0;
+ dir->hmackey = hmackey_from_secret(shared_secret, serial_pubkey);
+ dir->cpkt = NULL;
+
+ iv = iv_from_secret(shared_secret, serial_pubkey);
+ enckey = enckey_from_secret(shared_secret, serial_pubkey);
+
+ return EVP_EncryptInit(&dir->evpctx, EVP_aes_128_ctr(),
+ memcheck(enckey.k.u.u8, sizeof(enckey.k)),
+ memcheck(iv.iv, sizeof(iv.iv))) == 1;
+}
+
+struct io_data {
+ /* Stuff we need to keep around to talk to peer. */
+ struct dir_state in, out;
+
+ /* Header we're currently reading. */
+ size_t len_in;
+ struct crypto_pkt hdr_in;
+
+ /* For negotiation phase. */
+ struct key_negotiate *neg;
+};
+
+static void *proto_tal_alloc(void *allocator_data, size_t size)
+{
+ return tal_arr(allocator_data, char, size);
+}
+
+static void proto_tal_free(void *allocator_data, void *pointer)
+{
+ tal_free(pointer);
+}
+
+static Pkt *decrypt_pkt(struct peer *peer, struct crypto_pkt *cpkt,
+ size_t data_len)
+{
+ size_t full_len;
+ struct sha256 hmac;
+ int outlen;
+ struct io_data *iod = peer->io_data;
+ struct ProtobufCAllocator prototal;
+ Pkt *ret;
+
+ full_len = ROUNDUP(data_len, AES_BLOCK_SIZE);
+
+ HMAC(EVP_sha256(), iod->in.hmackey.k.u.u8, sizeof(iod->in.hmackey),
+ (unsigned char *)&cpkt->totlen, sizeof(cpkt->totlen) + full_len,
+ hmac.u.u8, NULL);
+
+ if (CRYPTO_memcmp(&hmac, &cpkt->hmac, sizeof(hmac)) != 0) {
+ log_unusual(peer->log, "Packet has bad HMAC");
+ return NULL;
+ }
+
+ /* FIXME: Assumes we can decrypt in place! */
+ EVP_DecryptUpdate(&iod->in.evpctx, cpkt->data, &outlen,
+ memcheck(cpkt->data, full_len), full_len);
+ assert(outlen == full_len);
+
+ /* De-protobuf it. */
+ prototal.alloc = proto_tal_alloc;
+ prototal.free = proto_tal_free;
+ prototal.allocator_data = tal(iod, char);
+
+ ret = pkt__unpack(&prototal, data_len, cpkt->data);
+ if (!ret)
+ tal_free(prototal.allocator_data);
+ else
+ /* Make sure packet owns contents */
+ tal_steal(ret, prototal.allocator_data);
+ return ret;
+}
+
+static struct crypto_pkt *encrypt_pkt(struct peer *peer,
+ const Pkt *pkt,
+ size_t *total_len)
+{
+ static unsigned char zeroes[AES_BLOCK_SIZE-1];
+ struct crypto_pkt *cpkt;
+ unsigned char *dout;
+ size_t len, full_len;
+ int outlen;
+ struct io_data *iod = peer->io_data;
+
+ len = pkt__get_packed_size(pkt);
+ full_len = ROUNDUP(len, AES_BLOCK_SIZE);
+ *total_len = sizeof(*cpkt) + full_len;
+
+ cpkt = (struct crypto_pkt *)tal_arr(peer, char, *total_len);
+ iod->out.totlen += len;
+ cpkt->totlen = cpu_to_le64(iod->out.totlen);
+
+ dout = cpkt->data;
+ /* FIXME: Assumes we can encrypt in place! */
+ pkt__pack(pkt, dout);
+ EVP_EncryptUpdate(&iod->out.evpctx, dout, &outlen,
+ memcheck(dout, len), len);
+ dout += outlen;
+
+ /* Now encrypt tail, padding with zeroes if necessary. */
+ EVP_EncryptUpdate(&iod->out.evpctx, dout, &outlen, zeroes,
+ full_len - len);
+ assert(dout + outlen == cpkt->data + full_len);
+
+ HMAC(EVP_sha256(), iod->out.hmackey.k.u.u8, sizeof(iod->out.hmackey),
+ (unsigned char *)&cpkt->totlen, sizeof(cpkt->totlen) + full_len,
+ cpkt->hmac.u.u8, NULL);
+
+ return cpkt;
+}
+
+static int do_read_packet(int fd, struct io_plan_arg *arg)
+{
+ struct peer *peer = arg->u1.vp;
+ struct io_data *iod = peer->io_data;
+ u64 max;
+ size_t data_off, data_len;
+ int ret;
+
+ /* Still reading header? */
+ if (iod->len_in < sizeof(iod->hdr_in)) {
+ ret = read(fd, (char *)&iod->hdr_in + iod->len_in,
+ sizeof(iod->hdr_in) - iod->len_in);
+ if (ret <= 0)
+ return -1;
+ iod->len_in += ret;
+ /* We don't ever send empty packets, so don't check for
+ * that here. */
+ return 0;
+ }
+
+ max = ROUNDUP(le64_to_cpu(iod->hdr_in.totlen) - iod->in.totlen,
+ AES_BLOCK_SIZE);
+
+ if (iod->len_in == sizeof(iod->hdr_in)) {
+ /* FIXME: Handle re-xmit. */
+ if (le64_to_cpu(iod->hdr_in.totlen) < iod->in.totlen) {
+ log_unusual(peer->log,
+ "Packet went backwards: %"PRIu64
+ " -> %"PRIu64,
+ iod->in.totlen,
+ le64_to_cpu(iod->hdr_in.totlen));
+ return -1;
+ }
+ if (le64_to_cpu(iod->hdr_in.totlen)
+ > iod->in.totlen + MAX_PKT_LEN) {
+ log_unusual(peer->log,
+ "Packet overlength: %"PRIu64" -> %"PRIu64,
+ iod->in.totlen,
+ le64_to_cpu(iod->hdr_in.totlen));
+ return -1;
+ }
+ iod->in.cpkt = (struct crypto_pkt *)
+ tal_arr(iod, u8, sizeof(struct crypto_pkt) + max);
+ memcpy(iod->in.cpkt, &iod->hdr_in, sizeof(iod->hdr_in));
+ }
+
+ data_off = iod->len_in - sizeof(struct crypto_pkt);
+ ret = read(fd, iod->in.cpkt->data + data_off, max - data_off);
+ if (ret <= 0)
+ return -1;
+
+ iod->len_in += ret;
+ if (iod->len_in <= max)
+ return 0;
+
+ /* Can't overflow len arg: packet can't be more than MAX_PKT_LEN */
+ data_len = le64_to_cpu(iod->hdr_in.totlen) - iod->in.totlen;
+ peer->inpkt = decrypt_pkt(peer, iod->in.cpkt, data_len);
+ iod->in.cpkt = tal_free(iod->in.cpkt);
+
+ if (!peer->inpkt)
+ return -1;
+ iod->in.totlen += data_len;
+ return 1;
+}
+
+struct io_plan *peer_read_packet(struct io_conn *conn,
+ struct peer *peer,
+ struct io_plan *(*cb)(struct io_conn *,
+ struct peer *))
+{
+ struct io_plan_arg *arg = io_plan_arg(conn, IO_IN);
+
+ peer->io_data->len_in = 0;
+ arg->u1.vp = peer;
+ return io_set_plan(conn, IO_IN, do_read_packet,
+ (struct io_plan *(*)(struct io_conn *, void *))cb,
+ peer);
+}
+
+/* Caller must free data! */
+struct io_plan *peer_write_packet(struct io_conn *conn,
+ struct peer *peer,
+ const Pkt *pkt,
+ struct io_plan *(*next)(struct io_conn *,
+ struct peer *))
+{
+ struct io_data *iod = peer->io_data;
+ size_t totlen;
+
+ /* We free previous packet here, rather than doing indirection
+ * via io_write */
+ tal_free(iod->out.cpkt);
+ iod->out.cpkt = encrypt_pkt(peer, pkt, &totlen);
+ return io_write(conn, iod->out.cpkt, totlen, next, peer);
+}
+
+static void *pkt_unwrap(struct peer *peer, Pkt__PktCase which)
+{
+ size_t i;
+ const ProtobufCMessage *base;
+
+ if (peer->inpkt->pkt_case != which) {
+ log_unusual(peer->log, "Expected %u, got %u",
+ which, peer->inpkt->pkt_case);
+ return NULL;
+ }
+
+ /* It's a union, and each member starts with base. Pick one */
+ base = &peer->inpkt->error->base;
+
+ /* Look for unknown fields. Remember, "It's OK to be odd!" */
+ for (i = 0; i < base->n_unknown_fields; i++) {
+ log_debug(peer->log, "Unknown field in %u: %u",
+ which, base->unknown_fields[i].tag);
+ /* Odd is OK */
+ if (base->unknown_fields[i].tag & 1)
+ continue;
+ log_unusual(peer->log, "Unknown field %u in %u",
+ base->unknown_fields[i].tag, which);
+ return NULL;
+ }
+ return peer->inpkt->error;
+}
+
+static struct io_plan *check_proof(struct io_conn *conn, struct peer *peer)
+{
+ struct key_negotiate *neg = peer->io_data->neg;
+ struct sha256_double sha;
+ struct signature sig;
+ struct io_plan *(*cb)(struct io_conn *, struct peer *);
+ struct pubkey id;
+ Authenticate *auth;
+
+ auth = pkt_unwrap(peer, PKT__PKT_AUTH);
+ if (!auth)
+ return io_close(conn);
+
+ if (!proto_to_signature(auth->session_sig, &sig)) {
+ log_unusual(peer->log, "Invalid auth signature");
+ return io_close(conn);
+ }
+
+ if (!proto_to_pubkey(auth->node_id, &id)) {
+ log_unusual(peer->log, "Invalid auth id");
+ return io_close(conn);
+ }
+
+ /* Signature covers *our* session key. */
+ sha256_double(&sha,
+ neg->our_sessionpubkey, sizeof(neg->our_sessionpubkey));
+
+ if (!check_signed_hash(&sha, &sig, &id)) {
+ log_unusual(peer->log, "Bad auth signature");
+ return io_close(conn);
+ }
+
+ tal_free(auth);
+
+ /* All complete, return to caller. */
+ cb = neg->cb;
+ peer->io_data->neg = tal_free(neg);
+ return cb(conn, peer);
+}
+
+static struct io_plan *receive_proof(struct io_conn *conn, struct peer *peer)
+{
+ return peer_read_packet(conn, peer, check_proof);
+}
+
+/* Steals w onto the returned Pkt */
+static Pkt *pkt_wrap(const tal_t *ctx, void *w, Pkt__PktCase pkt_case)
+{
+ Pkt *pkt = tal(ctx, Pkt);
+ pkt__init(pkt);
+ pkt->pkt_case = pkt_case;
+ /* Union, so any will do */
+ pkt->error = tal_steal(pkt, w);
+ return pkt;
+}
+
+static Pkt *authenticate_pkt(const tal_t *ctx,
+ const struct pubkey *node_id,
+ const struct signature *sig)
+{
+ Authenticate *auth = tal(ctx, Authenticate);
+ authenticate__init(auth);
+ auth->node_id = pubkey_to_proto(auth, node_id);
+ auth->session_sig = signature_to_proto(auth, sig);
+ return pkt_wrap(ctx, auth, PKT__PKT_AUTH);
+}
+
+static struct io_plan *keys_exchanged(struct io_conn *conn, struct peer *peer)
+{
+ u8 shared_secret[32];
+ struct pubkey sessionkey;
+ struct signature sig;
+ struct key_negotiate *neg = peer->io_data->neg;
+ Pkt *auth;
+
+ if (!pubkey_from_der(neg->their_sessionpubkey,
+ sizeof(neg->their_sessionpubkey),
+ &sessionkey)) {
+ /* FIXME: Dump key in this case. */
+ log_unusual(peer->log, "Bad sessionkey");
+ return io_close(conn);
+ }
+
+ /* Derive shared secret. */
+ if (!secp256k1_ecdh(peer->state->secpctx, shared_secret,
+ &sessionkey.pubkey, neg->seckey)) {
+ log_unusual(peer->log, "Bad ECDH");
+ return io_close(conn);
+ }
+
+ /* Each side combines with their OWN session key to SENDING crypto. */
+ if (!setup_crypto(&peer->io_data->in, shared_secret,
+ neg->their_sessionpubkey)
+ || !setup_crypto(&peer->io_data->out, shared_secret,
+ neg->our_sessionpubkey)) {
+ log_unusual(peer->log, "Failed setup_crypto()");
+ return io_close(conn);
+ }
+
+ /* Now sign their session key to prove who we are. */
+ privkey_sign(peer, neg->their_sessionpubkey,
+ sizeof(neg->their_sessionpubkey), &sig);
+
+ /* FIXME: Free auth afterwards. */
+ auth = authenticate_pkt(peer, &peer->state->id, &sig);
+ return peer_write_packet(conn, peer, auth, receive_proof);
+}
+
+static struct io_plan *session_key_receive(struct io_conn *conn,
+ struct peer *peer)
+{
+ struct key_negotiate *neg = peer->io_data->neg;
+ /* Now read their key. */
+ return io_read(conn, neg->their_sessionpubkey,
+ sizeof(neg->their_sessionpubkey), keys_exchanged, peer);
+}
+
+static void gen_sessionkey(secp256k1_context *ctx,
+ u8 seckey[32],
+ secp256k1_pubkey *pubkey)
+{
+ do {
+ if (RAND_bytes(seckey, 32) != 1)
+ fatal("Could not get random bytes for sessionkey");
+ } while (!secp256k1_ec_pubkey_create(ctx, pubkey, seckey));
+}
+
+struct io_plan *peer_crypto_setup(struct io_conn *conn, struct peer *peer,
+ struct io_plan *(*cb)(struct io_conn *,
+ struct peer *))
+{
+ size_t outputlen;
+ secp256k1_pubkey sessionkey;
+ struct key_negotiate *neg;
+
+ peer->io_data = tal(peer, struct io_data);
+
+ /* We store negotiation state here. */
+ neg = peer->io_data->neg = tal(peer->io_data, struct key_negotiate);
+ neg->cb = cb;
+
+ gen_sessionkey(peer->state->secpctx, neg->seckey, &sessionkey);
+
+ secp256k1_ec_pubkey_serialize(peer->state->secpctx,
+ neg->our_sessionpubkey, &outputlen,
+ &sessionkey,
+ SECP256K1_EC_COMPRESSED);
+ assert(outputlen == sizeof(neg->our_sessionpubkey));
+ return io_write(conn, neg->our_sessionpubkey, outputlen,
+ session_key_receive, peer);
+}
diff --git a/daemon/cryptopkt.h b/daemon/cryptopkt.h
new file mode 100644
index 0000000..06c6167
--- /dev/null
+++ b/daemon/cryptopkt.h
@@ -0,0 +1,26 @@
+#ifndef LIGHTNING_DAEMON_CRYPTOPKT_H
+#define LIGHTNING_DAEMON_CRYPTOPKT_H
+#include "config.h"
+#include "lightning.pb-c.h"
+#include <ccan/io/io.h>
+
+struct peer;
+
+struct io_plan *peer_crypto_setup(struct io_conn *conn,
+ struct peer *peer,
+ struct io_plan *(*cb)(struct io_conn *,
+ struct peer *));
+
+/* Reads packet into peer->inpkt/peer->inpkt_len */
+struct io_plan *peer_read_packet(struct io_conn *conn,
+ struct peer *peer,
+ struct io_plan *(*cb)(struct io_conn *,
+ struct peer *));
+
+struct io_plan *peer_write_packet(struct io_conn *conn,
+ struct peer *peer,
+ const Pkt *pkt,
+ struct io_plan *(*next)(struct io_conn *,
+ struct peer *));
+
+#endif /* LIGHTNING_DAEMON_CRYPTOPKT_H */
diff --git a/daemon/peer.c b/daemon/peer.c
index 5f578ee..ed4fcda 100644
--- a/daemon/peer.c
+++ b/daemon/peer.c
@@ -1,3 +1,4 @@
+#include "cryptopkt.h"
#include "dns.h"
#include "jsonrpc.h"
#include "lightningd.h"
@@ -14,6 +15,33 @@
#include <sys/socket.h>
#include <sys/types.h>
+/* Send and receive (encrypted) hello message. */
+static struct io_plan *peer_test_check(struct io_conn *conn, struct peer *peer)
+{
+ if (peer->inpkt->pkt_case != PKT__PKT_ERROR)
+ fatal("Bad packet type %u", peer->inpkt->pkt_case);
+ if (!peer->inpkt->error->problem
+ || strcmp(peer->inpkt->error->problem, "hello") != 0)
+ fatal("Bad packet '%.6s'", peer->inpkt->error->problem);
+ log_info(peer->log, "Successful hello!");
+ return io_close(conn);
+}
+
+static struct io_plan *peer_test_read(struct io_conn *conn, struct peer *peer)
+{
+ return peer_read_packet(conn, peer, peer_test_check);
+}
+
+static struct io_plan *peer_test(struct io_conn *conn, struct peer *peer)
+{
+ Error err = ERROR__INIT;
+ Pkt pkt = PKT__INIT;
+ pkt.pkt_case = PKT__PKT_ERROR;
+ pkt.error = &err;
+ err.problem = "hello";
+ return peer_write_packet(conn, peer, &pkt, peer_test_read);
+}
+
static void destroy_peer(struct peer *peer)
{
list_del_from(&peer->state->peers, &peer->list);
@@ -32,6 +60,7 @@ static struct peer *new_peer(struct lightningd_state *state,
peer->state = state;
peer->addr.type = addr_type;
peer->addr.protocol = addr_protocol;
+ peer->io_data = NULL;
/* FIXME: Attach IO logging for this peer. */
tal_add_destructor(peer, destroy_peer);
@@ -63,7 +92,7 @@ struct io_plan *peer_connected_out(struct io_conn *conn,
return io_close(conn);
}
log_info(peer->log, "Connected out to %s:%s", name, port);
- return io_write(conn, "Hello!", 6, io_close_cb, NULL);
+ return peer_crypto_setup(conn, peer, peer_test);
}
static struct io_plan *peer_connected_in(struct io_conn *conn,
@@ -73,8 +102,9 @@ static struct io_plan *peer_connected_in(struct io_conn *conn,
"in");
if (!peer)
return io_close(conn);
-
- return io_write(conn, "Hello!", 6, io_close_cb, NULL);
+
+ log_info(peer->log, "Peer connected in");
+ return peer_crypto_setup(conn, peer, peer_test);
}
static int make_listen_fd(struct lightningd_state *state,
diff --git a/daemon/peer.h b/daemon/peer.h
index 50cea69..c39f943 100644
--- a/daemon/peer.h
+++ b/daemon/peer.h
@@ -1,6 +1,7 @@
#ifndef LIGHTNING_DAEMON_PEER_H
#define LIGHTNING_DAEMON_PEER_H
#include "config.h"
+#include "lightning.pb-c.h"
#include "netaddr.h"
#include <ccan/list/list.h>
@@ -14,6 +15,12 @@ struct peer {
/* The other end's address. */
struct netaddr addr;
+ /* Current received packet. */
+ Pkt *inpkt;
+
+ /* Current ongoing packetflow */
+ struct io_data *io_data;
+
/* What happened. */
struct log *log;
};
diff --git a/lightning.pb-c.c b/lightning.pb-c.c
index 5dde94f..62777aa 100644
--- a/lightning.pb-c.c
+++ b/lightning.pb-c.c
@@ -222,6 +222,49 @@ void funding__free_unpacked
assert(message->base.descriptor == &funding__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
+void authenticate__init
+ (Authenticate *message)
+{
+ static Authenticate init_value = AUTHENTICATE__INIT;
+ *message = init_value;
+}
+size_t authenticate__get_packed_size
+ (const Authenticate *message)
+{
+ assert(message->base.descriptor == &authenticate__descriptor);
+ return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
+}
+size_t authenticate__pack
+ (const Authenticate *message,
+ uint8_t *out)
+{
+ assert(message->base.descriptor == &authenticate__descriptor);
+ return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
+}
+size_t authenticate__pack_to_buffer
+ (const Authenticate *message,
+ ProtobufCBuffer *buffer)
+{
+ assert(message->base.descriptor == &authenticate__descriptor);
+ return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
+}
+Authenticate *
+ authenticate__unpack
+ (ProtobufCAllocator *allocator,
+ size_t len,
+ const uint8_t *data)
+{
+ return (Authenticate *)
+ protobuf_c_message_unpack (&authenticate__descriptor,
+ allocator, len, data);
+}
+void authenticate__free_unpacked
+ (Authenticate *message,
+ ProtobufCAllocator *allocator)
+{
+ assert(message->base.descriptor == &authenticate__descriptor);
+ protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
+}
void open_channel__init
(OpenChannel *message)
{
@@ -1344,6 +1387,57 @@ const ProtobufCMessageDescriptor funding__descriptor =
(ProtobufCMessageInit) funding__init,
NULL,NULL,NULL /* reserved[123] */
};
+static const ProtobufCFieldDescriptor authenticate__field_descriptors[2] =
+{
+ {
+ "node_id",
+ 1,
+ PROTOBUF_C_LABEL_REQUIRED,
+ PROTOBUF_C_TYPE_MESSAGE,
+ 0, /* quantifier_offset */
+ offsetof(Authenticate, node_id),
+ &bitcoin_pubkey__descriptor,
+ NULL,
+ 0, /* flags */
+ 0,NULL,NULL /* reserved1,reserved2, etc */
+ },
+ {
+ "session_sig",
+ 2,
+ PROTOBUF_C_LABEL_REQUIRED,
+ PROTOBUF_C_TYPE_MESSAGE,
+ 0, /* quantifier_offset */
+ offsetof(Authenticate, session_sig),
+ &signature__descriptor,
+ NULL,
+ 0, /* flags */
+ 0,NULL,NULL /* reserved1,reserved2, etc */
+ },
+};
+static const unsigned authenticate__field_indices_by_name[] = {
+ 0, /* field[0] = node_id */
+ 1, /* field[1] = session_sig */
+};
+static const ProtobufCIntRange authenticate__number_ranges[1 + 1] =
+{
+ { 1, 0 },
+ { 0, 2 }
+};
+const ProtobufCMessageDescriptor authenticate__descriptor =
+{
+ PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
+ "authenticate",
+ "Authenticate",
+ "Authenticate",
+ "",
+ sizeof(Authenticate),
+ 2,
+ authenticate__field_descriptors,
+ authenticate__field_indices_by_name,
+ 1, authenticate__number_ranges,
+ (ProtobufCMessageInit) authenticate__init,
+ NULL,NULL,NULL /* reserved[123] */
+};
static const ProtobufCEnumValue open_channel__anchor_offer__enum_values_by_number[2] =
{
{ "WILL_CREATE_ANCHOR", "OPEN_CHANNEL__ANCHOR_OFFER__WILL_CREATE_ANCHOR", 1 },
@@ -2259,7 +2353,7 @@ const ProtobufCMessageDescriptor error__descriptor =
(ProtobufCMessageInit) error__init,
NULL,NULL,NULL /* reserved[123] */
};
-static const ProtobufCFieldDescriptor pkt__field_descriptors[17] =
+static const ProtobufCFieldDescriptor pkt__field_descriptors[18] =
{
{
"update",
@@ -2465,8 +2559,21 @@ static const ProtobufCFieldDescriptor pkt__field_descriptors[17] =
0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
+ {
+ "auth",
+ 50,
+ PROTOBUF_C_LABEL_OPTIONAL,
+ PROTOBUF_C_TYPE_MESSAGE,
+ offsetof(Pkt, pkt_case),
+ offsetof(Pkt, auth),
+ &authenticate__descriptor,
+ NULL,
+ 0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */
+ 0,NULL,NULL /* reserved1,reserved2, etc */
+ },
};
static const unsigned pkt__field_indices_by_name[] = {
+ 17, /* field[17] = auth */
13, /* field[13] = close */
15, /* field[15] = close_ack */
14, /* field[14] = close_complete */
@@ -2485,13 +2592,14 @@ static const unsigned pkt__field_indices_by_name[] = {
3, /* field[3] = update_signature */
7, /* field[7] = update_timedout_htlc */
};
-static const ProtobufCIntRange pkt__number_ranges[4 + 1] =
+static const ProtobufCIntRange pkt__number_ranges[5 + 1] =
{
{ 1, 0 },
{ 20, 9 },
{ 30, 13 },
{ 40, 16 },
- { 0, 17 }
+ { 50, 17 },
+ { 0, 18 }
};
const ProtobufCMessageDescriptor pkt__descriptor =
{
@@ -2501,10 +2609,10 @@ const ProtobufCMessageDescriptor pkt__descriptor =
"Pkt",
"",
sizeof(Pkt),
- 17,
+ 18,
pkt__field_descriptors,
pkt__field_indices_by_name,
- 4, pkt__number_ranges,
+ 5, pkt__number_ranges,
(ProtobufCMessageInit) pkt__init,
NULL,NULL,NULL /* reserved[123] */
};
diff --git a/lightning.pb-c.h b/lightning.pb-c.h
index 26219cc..4178a1e 100644
--- a/lightning.pb-c.h
+++ b/lightning.pb-c.h
@@ -20,6 +20,7 @@ typedef struct _Signature Signature;
typedef struct _Locktime Locktime;
typedef struct _BitcoinPubkey BitcoinPubkey;
typedef struct _Funding Funding;
+typedef struct _Authenticate Authenticate;
typedef struct _OpenChannel OpenChannel;
typedef struct _OpenAnchor OpenAnchor;
typedef struct _OpenCommitSig OpenCommitSig;
@@ -150,6 +151,26 @@ struct _Funding
/*
* Set channel params.
*/
+struct _Authenticate
+{
+ ProtobufCMessage base;
+ /*
+ * Which node this is.
+ */
+ BitcoinPubkey *node_id;
+ /*
+ * Signature of your session key. *
+ */
+ Signature *session_sig;
+};
+#define AUTHENTICATE__INIT \
+ { PROTOBUF_C_MESSAGE_INIT (&authenticate__descriptor) \
+ , NULL, NULL }
+
+
+/*
+ * Set channel params.
+ */
struct _OpenChannel
{
ProtobufCMessage base;
@@ -500,6 +521,7 @@ struct _Error
typedef enum {
PKT__PKT__NOT_SET = 0,
+ PKT__PKT_AUTH = 50,
PKT__PKT_OPEN = 20,
PKT__PKT_OPEN_ANCHOR = 21,
PKT__PKT_OPEN_COMMIT_SIG = 22,
@@ -528,6 +550,10 @@ struct _Pkt
Pkt__PktCase pkt_case;
union {
/*
+ * Start of connection
+ */
+ Authenticate *auth;
+ /*
* Opening
*/
OpenChannel *open;
@@ -658,6 +684,25 @@ Funding *
void funding__free_unpacked
(Funding *message,
ProtobufCAllocator *allocator);
+/* Authenticate methods */
+void authenticate__init
+ (Authenticate *message);
+size_t authenticate__get_packed_size
+ (const Authenticate *message);
+size_t authenticate__pack
+ (const Authenticate *message,
+ uint8_t *out);
+size_t authenticate__pack_to_buffer
+ (const Authenticate *message,
+ ProtobufCBuffer *buffer);
+Authenticate *
+ authenticate__unpack
+ (ProtobufCAllocator *allocator,
+ size_t len,
+ const uint8_t *data);
+void authenticate__free_unpacked
+ (Authenticate *message,
+ ProtobufCAllocator *allocator);
/* OpenChannel methods */
void open_channel__init
(OpenChannel *message);
@@ -1017,6 +1062,9 @@ typedef void (*BitcoinPubkey_Closure)
typedef void (*Funding_Closure)
(const Funding *message,
void *closure_data);
+typedef void (*Authenticate_Closure)
+ (const Authenticate *message,
+ void *closure_data);
typedef void (*OpenChannel_Closure)
(const OpenChannel *message,
void *closure_data);
@@ -1082,6 +1130,7 @@ extern const ProtobufCMessageDescriptor signature__descriptor;
extern const ProtobufCMessageDescriptor locktime__descriptor;
extern const ProtobufCMessageDescriptor bitcoin_pubkey__descriptor;
extern const ProtobufCMessageDescriptor funding__descriptor;
+extern const ProtobufCMessageDescriptor authenticate__descriptor;
extern const ProtobufCMessageDescriptor open_channel__descriptor;
extern const ProtobufCEnumDescriptor open_channel__anchor_offer__descriptor;
extern const ProtobufCMessageDescriptor open_anchor__descriptor;
diff --git a/lightning.proto b/lightning.proto
index 5f0eb03..0c1fcdd 100644
--- a/lightning.proto
+++ b/lightning.proto
@@ -52,6 +52,14 @@ message funding {
//
// Set channel params.
+message authenticate {
+ // Which node this is.
+ required bitcoin_pubkey node_id = 1;
+ // Signature of your session key. */
+ required signature session_sig = 2;
+};
+
+// Set channel params.
message open_channel {
// Relative locktime for outputs going to us.
required locktime delay = 1;
@@ -205,6 +213,8 @@ message error {
// This is the union which defines all of them
message pkt {
oneof pkt {
+ // Start of connection
+ authenticate auth = 50;
// Opening
open_channel open = 20;
open_anchor open_anchor = 21;
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:44:55
in reply to nevent1q…2jc8
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:44:55Event JSON
{
"id": "7f33ed9f10addbb605d0633f58e04fcaf75c5507dedeacd21881e73b529616ce",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314695,
"kind": 1,
"tags": [
[
"e",
"8f7f2db21682c914495fbd222b86e1fdad7235916c75551e48ed09d538570897",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2015-10-22\n📝 Original message:\nOK, once I started trying to send data, I refined this a little so\nwe always send protobufs after the initial session key.\n\nFeedback gratefully accepted!\n\nThanks,\nRusty.\n--\nAfter useful feedback from Anthony Towns and Mats Jerratsch (of\nthunder.network fame), this is the third version of inter-node crypto.\n\n1) First, each side sends a 33-byte session pubkey. This is a\n bitcoin-style compressed EC key, unique for each session.\n \n2) ECDH is used to derive a shared secret. From this we generate\n the following transmission encoding parameters for each side:\n Session AES-128 key: SHA256(shared-secret || my-sessionpubkey || 0)\n Session HMAC key: SHA256(shared-secret || my-sessionpubkey || 1)\n IV for AES: SHA256(shared-secret || my-sessionpubkey || 2)\n\n3) All packets from then on are encrypted of form:\n\t/* HMAC, covering totlen and data */\n\tstruct sha256 hmac;\n\t/* Total data transmitted (including this). */\n\tle64 totlen;\n\t/* Encrypted contents, rounded up to 16 byte boundary. */\n\tu8 data[];\n\n4) The first packet is an Authenticate protobuf, containing this node's\n pubkey, and a bitcoin-style EC signature of the other side's session\n pubkey.\n\n5) Unknown protobuf fields are handled in the protocol as follows\n (including in the initial Authenticate packet):\n\n 1) Odd numbered fields are optional, and backwards compatible.\n 2) Even numbered fields are required; abort if you get one.\n\nCurrently both sides just send an error packet \"hello\" after the\nhandshake, and make sure they receive the same.\n\nSigned-off-by: Rusty Russell \u003crusty at rustcorp.com.au\u003e\n\ndiff --git a/daemon/Makefile b/daemon/Makefile\nindex 699cdc9..dfdcc0f 100644\n--- a/daemon/Makefile\n+++ b/daemon/Makefile\n@@ -14,6 +14,7 @@ DAEMON_LIB_SRC :=\t\t\t\t\\\n DAEMON_LIB_OBJS := $(DAEMON_LIB_SRC:.c=.o)\n \n DAEMON_SRC :=\t\t\t\t\t\\\n+\tdaemon/cryptopkt.c\t\t\t\\\n \tdaemon/dns.c\t\t\t\t\\\n \tdaemon/jsonrpc.c\t\t\t\\\n \tdaemon/lightningd.c\t\t\t\\\n@@ -31,6 +32,7 @@ DAEMON_JSMN_HEADERS := daemon/jsmn/jsmn.h\n \n DAEMON_HEADERS :=\t\t\t\t\\\n \tdaemon/configdir.h\t\t\t\\\n+\tdaemon/cryptopkt.h\t\t\t\\\n \tdaemon/dns.h\t\t\t\t\\\n \tdaemon/json.h\t\t\t\t\\\n \tdaemon/jsonrpc.h\t\t\t\\\ndiff --git a/daemon/cryptopkt.c b/daemon/cryptopkt.c\nnew file mode 100644\nindex 0000000..0667d6d\n--- /dev/null\n+++ b/daemon/cryptopkt.c\n@@ -0,0 +1,511 @@\n+#include \"bitcoin/shadouble.h\"\n+#include \"bitcoin/signature.h\"\n+#include \"cryptopkt.h\"\n+#include \"lightning.pb-c.h\"\n+#include \"lightningd.h\"\n+#include \"log.h\"\n+#include \"peer.h\"\n+#include \"protobuf_convert.h\"\n+#include \"secrets.h\"\n+#include \u003cccan/build_assert/build_assert.h\u003e\n+#include \u003cccan/crypto/sha256/sha256.h\u003e\n+#include \u003cccan/endian/endian.h\u003e\n+#include \u003cccan/io/io_plan.h\u003e\n+#include \u003cccan/mem/mem.h\u003e\n+#include \u003cccan/short_types/short_types.h\u003e\n+#include \u003cinttypes.h\u003e\n+#include \u003copenssl/aes.h\u003e\n+#include \u003copenssl/evp.h\u003e\n+#include \u003copenssl/hmac.h\u003e\n+#include \u003copenssl/rand.h\u003e\n+#include \u003csecp256k1.h\u003e\n+#include \u003csecp256k1_ecdh.h\u003e\n+\n+#define MAX_PKT_LEN (1024 * 1024)\n+\n+#define ROUNDUP(x,a) (((x) + ((a)-1)) \u0026 ~((a)-1))\n+\n+struct crypto_pkt {\n+\t/* HMAC */\n+\tstruct sha256 hmac;\n+\t/* Total length transmitted. */\n+\tle64 totlen;\n+\t/* ... contents... */\n+\tu8 data[];\n+};\n+\n+/* Temporary structure for negotiation (peer-\u003eio_data-\u003eneg) */\n+struct key_negotiate {\n+\t/* Our session secret key. */\n+\tu8 seckey[32];\n+\n+\t/* Our pubkey, their pubkey. */\n+\tu8 our_sessionpubkey[33], their_sessionpubkey[33];\n+\n+\t/* Callback once it's all done. */\n+\tstruct io_plan *(*cb)(struct io_conn *, struct peer *);\n+};\n+\n+/* ARM loves to add padding to structs; be paranoid! */ \n+#define SESSION_PROOF_BASE_SIZE (64 + 33)\n+\n+#define ENCKEY_SEED 0\n+#define HMACKEY_SEED 1\n+#define IV_SEED 2\n+\n+struct enckey {\n+\tstruct sha256 k;\n+};\n+\n+struct hmackey {\n+\tstruct sha256 k;\n+};\n+\n+struct iv {\n+\tunsigned char iv[AES_BLOCK_SIZE];\n+};\n+\n+static void sha_with_seed(const unsigned char secret[32],\n+\t\t\t const unsigned char serial_pubkey[33],\n+\t\t\t unsigned char seed,\n+\t\t\t struct sha256 *res)\n+{\n+\tstruct sha256_ctx ctx;\n+\n+\tsha256_init(\u0026ctx);\n+\tsha256_update(\u0026ctx, memcheck(secret, 32), 32);\n+\tsha256_update(\u0026ctx, memcheck(serial_pubkey, 33), 33);\n+\tsha256_u8(\u0026ctx, seed);\n+\tsha256_done(\u0026ctx, res);\n+}\n+\n+static struct enckey enckey_from_secret(const unsigned char secret[32],\n+\t\t\t\t\tconst unsigned char serial_pubkey[33])\n+{\n+\tstruct enckey enckey;\n+\tsha_with_seed(secret, serial_pubkey, ENCKEY_SEED, \u0026enckey.k);\n+\treturn enckey;\n+}\n+\n+static struct hmackey hmackey_from_secret(const unsigned char secret[32],\n+\t\t\t\t\t const unsigned char serial_pubkey[33])\n+{\n+\tstruct hmackey hmackey;\n+\tsha_with_seed(secret, serial_pubkey, HMACKEY_SEED, \u0026hmackey.k);\n+\treturn hmackey;\n+}\n+\n+static struct iv iv_from_secret(const unsigned char secret[32],\n+\t\t\t\tconst unsigned char serial_pubkey[33])\n+{\n+\tstruct sha256 sha;\n+\tstruct iv iv;\n+\n+\tsha_with_seed(secret, serial_pubkey, IV_SEED, \u0026sha);\n+\tmemcpy(iv.iv, sha.u.u8, sizeof(iv.iv));\n+\treturn iv;\n+}\n+\n+struct dir_state {\n+\tu64 totlen;\n+\tstruct hmackey hmackey;\n+\tEVP_CIPHER_CTX evpctx;\n+\n+\t/* Current packet. */\n+\tstruct crypto_pkt *cpkt;\n+};\n+\n+static bool setup_crypto(struct dir_state *dir,\n+\t\t\t u8 shared_secret[32], u8 serial_pubkey[33])\n+{\n+\tstruct iv iv;\n+\tstruct enckey enckey;\n+\n+\tdir-\u003etotlen = 0;\t\n+\tdir-\u003ehmackey = hmackey_from_secret(shared_secret, serial_pubkey);\n+\tdir-\u003ecpkt = NULL;\n+\t\n+\tiv = iv_from_secret(shared_secret, serial_pubkey);\n+\tenckey = enckey_from_secret(shared_secret, serial_pubkey);\n+\n+\treturn EVP_EncryptInit(\u0026dir-\u003eevpctx, EVP_aes_128_ctr(),\n+\t\t\t memcheck(enckey.k.u.u8, sizeof(enckey.k)),\n+\t\t\t memcheck(iv.iv, sizeof(iv.iv))) == 1;\n+}\n+\n+struct io_data {\n+\t/* Stuff we need to keep around to talk to peer. */\n+\tstruct dir_state in, out;\n+\n+\t/* Header we're currently reading. */\n+\tsize_t len_in;\n+\tstruct crypto_pkt hdr_in;\n+\n+\t/* For negotiation phase. */\n+\tstruct key_negotiate *neg;\n+};\n+\n+static void *proto_tal_alloc(void *allocator_data, size_t size)\n+{\n+\treturn tal_arr(allocator_data, char, size);\n+}\n+\n+static void proto_tal_free(void *allocator_data, void *pointer)\n+{\n+\ttal_free(pointer);\n+}\n+\n+static Pkt *decrypt_pkt(struct peer *peer, struct crypto_pkt *cpkt,\n+\t\t\tsize_t data_len)\n+{\n+\tsize_t full_len;\n+\tstruct sha256 hmac;\n+\tint outlen;\n+\tstruct io_data *iod = peer-\u003eio_data;\n+\tstruct ProtobufCAllocator prototal;\n+\tPkt *ret;\n+\n+\tfull_len = ROUNDUP(data_len, AES_BLOCK_SIZE);\n+\n+\tHMAC(EVP_sha256(), iod-\u003ein.hmackey.k.u.u8, sizeof(iod-\u003ein.hmackey),\n+\t (unsigned char *)\u0026cpkt-\u003etotlen, sizeof(cpkt-\u003etotlen) + full_len,\n+\t hmac.u.u8, NULL);\n+\n+\tif (CRYPTO_memcmp(\u0026hmac, \u0026cpkt-\u003ehmac, sizeof(hmac)) != 0) {\n+\t\tlog_unusual(peer-\u003elog, \"Packet has bad HMAC\");\n+\t\treturn NULL;\n+\t}\n+\n+\t/* FIXME: Assumes we can decrypt in place! */\n+\tEVP_DecryptUpdate(\u0026iod-\u003ein.evpctx, cpkt-\u003edata, \u0026outlen,\n+\t\t\t memcheck(cpkt-\u003edata, full_len), full_len);\n+\tassert(outlen == full_len);\n+\n+\t/* De-protobuf it. */\n+\tprototal.alloc = proto_tal_alloc;\n+\tprototal.free = proto_tal_free;\n+\tprototal.allocator_data = tal(iod, char);\n+\n+\tret = pkt__unpack(\u0026prototal, data_len, cpkt-\u003edata);\n+\tif (!ret)\n+\t\ttal_free(prototal.allocator_data);\n+\telse\n+\t\t/* Make sure packet owns contents */\n+\t\ttal_steal(ret, prototal.allocator_data);\n+\treturn ret;\n+}\n+\n+static struct crypto_pkt *encrypt_pkt(struct peer *peer,\n+\t\t\t\t const Pkt *pkt,\n+\t\t\t\t size_t *total_len)\n+{\n+\tstatic unsigned char zeroes[AES_BLOCK_SIZE-1];\n+\tstruct crypto_pkt *cpkt;\n+\tunsigned char *dout;\n+\tsize_t len, full_len;\n+\tint outlen;\n+\tstruct io_data *iod = peer-\u003eio_data;\n+\n+\tlen = pkt__get_packed_size(pkt);\n+\tfull_len = ROUNDUP(len, AES_BLOCK_SIZE);\n+\t*total_len = sizeof(*cpkt) + full_len;\n+\n+\tcpkt = (struct crypto_pkt *)tal_arr(peer, char, *total_len);\n+\tiod-\u003eout.totlen += len;\n+\tcpkt-\u003etotlen = cpu_to_le64(iod-\u003eout.totlen);\n+\t\n+\tdout = cpkt-\u003edata;\n+\t/* FIXME: Assumes we can encrypt in place! */\n+\tpkt__pack(pkt, dout);\n+\tEVP_EncryptUpdate(\u0026iod-\u003eout.evpctx, dout, \u0026outlen,\n+\t\t\t memcheck(dout, len), len);\n+\tdout += outlen;\n+\n+\t/* Now encrypt tail, padding with zeroes if necessary. */\n+\tEVP_EncryptUpdate(\u0026iod-\u003eout.evpctx, dout, \u0026outlen, zeroes,\n+\t\t\t full_len - len);\n+\tassert(dout + outlen == cpkt-\u003edata + full_len);\n+\n+\tHMAC(EVP_sha256(), iod-\u003eout.hmackey.k.u.u8, sizeof(iod-\u003eout.hmackey),\n+\t (unsigned char *)\u0026cpkt-\u003etotlen, sizeof(cpkt-\u003etotlen) + full_len,\n+\t cpkt-\u003ehmac.u.u8, NULL);\n+\n+\treturn cpkt;\n+}\n+\n+static int do_read_packet(int fd, struct io_plan_arg *arg)\n+{\n+\tstruct peer *peer = arg-\u003eu1.vp;\n+\tstruct io_data *iod = peer-\u003eio_data;\n+\tu64 max;\n+\tsize_t data_off, data_len;\n+\tint ret;\n+\n+\t/* Still reading header? */\n+\tif (iod-\u003elen_in \u003c sizeof(iod-\u003ehdr_in)) {\n+\t\tret = read(fd, (char *)\u0026iod-\u003ehdr_in + iod-\u003elen_in,\n+\t\t\t sizeof(iod-\u003ehdr_in) - iod-\u003elen_in);\n+\t\tif (ret \u003c= 0)\n+\t\t\treturn -1;\n+\t\tiod-\u003elen_in += ret;\n+\t\t/* We don't ever send empty packets, so don't check for\n+\t\t * that here. */\n+\t\treturn 0;\n+\t}\n+\n+\tmax = ROUNDUP(le64_to_cpu(iod-\u003ehdr_in.totlen) - iod-\u003ein.totlen,\n+\t\t AES_BLOCK_SIZE);\n+\n+\tif (iod-\u003elen_in == sizeof(iod-\u003ehdr_in)) {\n+\t\t/* FIXME: Handle re-xmit. */\n+\t\tif (le64_to_cpu(iod-\u003ehdr_in.totlen) \u003c iod-\u003ein.totlen) {\n+\t\t\tlog_unusual(peer-\u003elog,\n+\t\t\t\t \"Packet went backwards: %\"PRIu64\n+\t\t\t\t \" -\u003e %\"PRIu64,\n+\t\t\t\t iod-\u003ein.totlen,\n+\t\t\t\t le64_to_cpu(iod-\u003ehdr_in.totlen));\n+\t\t\treturn -1;\n+\t\t}\n+\t\tif (le64_to_cpu(iod-\u003ehdr_in.totlen)\n+\t\t \u003e iod-\u003ein.totlen + MAX_PKT_LEN) {\n+\t\t\tlog_unusual(peer-\u003elog,\n+\t\t\t\t \"Packet overlength: %\"PRIu64\" -\u003e %\"PRIu64,\n+\t\t\t\t iod-\u003ein.totlen,\n+\t\t\t\t le64_to_cpu(iod-\u003ehdr_in.totlen));\n+\t\t\treturn -1;\n+\t\t}\n+\t\tiod-\u003ein.cpkt = (struct crypto_pkt *)\n+\t\t\ttal_arr(iod, u8, sizeof(struct crypto_pkt) + max);\n+\t\tmemcpy(iod-\u003ein.cpkt, \u0026iod-\u003ehdr_in, sizeof(iod-\u003ehdr_in));\n+\t}\n+\n+\tdata_off = iod-\u003elen_in - sizeof(struct crypto_pkt);\n+\tret = read(fd, iod-\u003ein.cpkt-\u003edata + data_off, max - data_off);\n+\tif (ret \u003c= 0)\n+\t\treturn -1;\n+\n+\tiod-\u003elen_in += ret;\n+\tif (iod-\u003elen_in \u003c= max)\n+\t\treturn 0;\n+\n+\t/* Can't overflow len arg: packet can't be more than MAX_PKT_LEN */\n+\tdata_len = le64_to_cpu(iod-\u003ehdr_in.totlen) - iod-\u003ein.totlen;\n+\tpeer-\u003einpkt = decrypt_pkt(peer, iod-\u003ein.cpkt, data_len);\n+\tiod-\u003ein.cpkt = tal_free(iod-\u003ein.cpkt);\n+\n+\tif (!peer-\u003einpkt)\n+\t\treturn -1;\n+\tiod-\u003ein.totlen += data_len;\n+\treturn 1;\n+}\n+\n+struct io_plan *peer_read_packet(struct io_conn *conn,\n+\t\t\t\t struct peer *peer,\n+\t\t\t\t struct io_plan *(*cb)(struct io_conn *,\n+\t\t\t\t\t\t struct peer *))\n+{\n+\tstruct io_plan_arg *arg = io_plan_arg(conn, IO_IN);\n+\n+\tpeer-\u003eio_data-\u003elen_in = 0;\n+\targ-\u003eu1.vp = peer;\n+\treturn io_set_plan(conn, IO_IN, do_read_packet,\n+\t\t\t (struct io_plan *(*)(struct io_conn *, void *))cb,\n+\t\t\t peer);\n+}\n+\n+/* Caller must free data! */\n+struct io_plan *peer_write_packet(struct io_conn *conn,\n+\t\t\t\t struct peer *peer,\n+\t\t\t\t const Pkt *pkt,\n+\t\t\t\t struct io_plan *(*next)(struct io_conn *,\n+\t\t\t\t\t\t\t struct peer *))\n+{\n+\tstruct io_data *iod = peer-\u003eio_data;\n+\tsize_t totlen;\n+\n+\t/* We free previous packet here, rather than doing indirection\n+\t * via io_write */\n+\ttal_free(iod-\u003eout.cpkt);\n+\tiod-\u003eout.cpkt = encrypt_pkt(peer, pkt, \u0026totlen);\n+\treturn io_write(conn, iod-\u003eout.cpkt, totlen, next, peer);\n+}\n+\n+static void *pkt_unwrap(struct peer *peer, Pkt__PktCase which)\n+{\n+\tsize_t i;\n+\tconst ProtobufCMessage *base;\n+\n+\tif (peer-\u003einpkt-\u003epkt_case != which) {\n+\t\tlog_unusual(peer-\u003elog, \"Expected %u, got %u\",\n+\t\t\t which, peer-\u003einpkt-\u003epkt_case);\n+\t\treturn NULL;\n+\t}\n+\n+\t/* It's a union, and each member starts with base. Pick one */\n+\tbase = \u0026peer-\u003einpkt-\u003eerror-\u003ebase;\n+\n+\t/* Look for unknown fields. Remember, \"It's OK to be odd!\" */\n+\tfor (i = 0; i \u003c base-\u003en_unknown_fields; i++) {\n+\t\tlog_debug(peer-\u003elog, \"Unknown field in %u: %u\",\n+\t\t\t which, base-\u003eunknown_fields[i].tag);\n+\t\t\t/* Odd is OK */\n+\t\t\tif (base-\u003eunknown_fields[i].tag \u0026 1)\n+\t\t\t\tcontinue;\n+\t\t\tlog_unusual(peer-\u003elog, \"Unknown field %u in %u\",\n+\t\t\t\t base-\u003eunknown_fields[i].tag, which);\n+\t\t\treturn NULL;\n+\t}\n+\treturn peer-\u003einpkt-\u003eerror;\n+}\n+\n+static struct io_plan *check_proof(struct io_conn *conn, struct peer *peer)\n+{\n+\tstruct key_negotiate *neg = peer-\u003eio_data-\u003eneg;\n+\tstruct sha256_double sha;\n+\tstruct signature sig;\n+\tstruct io_plan *(*cb)(struct io_conn *, struct peer *);\n+\tstruct pubkey id;\n+\tAuthenticate *auth;\n+\n+\tauth = pkt_unwrap(peer, PKT__PKT_AUTH);\n+\tif (!auth)\n+\t\treturn io_close(conn);\n+\n+\tif (!proto_to_signature(auth-\u003esession_sig, \u0026sig)) {\n+\t\tlog_unusual(peer-\u003elog, \"Invalid auth signature\");\n+\t\treturn io_close(conn);\n+\t}\n+\n+\tif (!proto_to_pubkey(auth-\u003enode_id, \u0026id)) {\n+\t\tlog_unusual(peer-\u003elog, \"Invalid auth id\");\n+\t\treturn io_close(conn);\n+\t}\n+\n+\t/* Signature covers *our* session key. */\n+\tsha256_double(\u0026sha,\n+\t\t neg-\u003eour_sessionpubkey, sizeof(neg-\u003eour_sessionpubkey));\n+\n+\tif (!check_signed_hash(\u0026sha, \u0026sig, \u0026id)) {\n+\t\tlog_unusual(peer-\u003elog, \"Bad auth signature\");\n+\t\treturn io_close(conn);\n+\t}\n+\n+\ttal_free(auth);\n+\n+\t/* All complete, return to caller. */\n+\tcb = neg-\u003ecb;\n+\tpeer-\u003eio_data-\u003eneg = tal_free(neg);\n+\treturn cb(conn, peer);\n+}\n+\n+static struct io_plan *receive_proof(struct io_conn *conn, struct peer *peer)\n+{\n+\treturn peer_read_packet(conn, peer, check_proof);\n+}\n+\n+/* Steals w onto the returned Pkt */\n+static Pkt *pkt_wrap(const tal_t *ctx, void *w, Pkt__PktCase pkt_case)\n+{\n+\tPkt *pkt = tal(ctx, Pkt);\n+\tpkt__init(pkt);\n+\tpkt-\u003epkt_case = pkt_case;\n+\t/* Union, so any will do */\n+\tpkt-\u003eerror = tal_steal(pkt, w);\n+\treturn pkt;\n+}\n+\n+static Pkt *authenticate_pkt(const tal_t *ctx,\n+\t\t\t const struct pubkey *node_id,\n+\t\t\t const struct signature *sig)\n+{\n+\tAuthenticate *auth = tal(ctx, Authenticate);\n+\tauthenticate__init(auth);\n+\tauth-\u003enode_id = pubkey_to_proto(auth, node_id);\n+\tauth-\u003esession_sig = signature_to_proto(auth, sig);\n+\treturn pkt_wrap(ctx, auth, PKT__PKT_AUTH);\n+}\n+\n+static struct io_plan *keys_exchanged(struct io_conn *conn, struct peer *peer)\n+{\n+\tu8 shared_secret[32];\n+\tstruct pubkey sessionkey;\n+\tstruct signature sig;\n+\tstruct key_negotiate *neg = peer-\u003eio_data-\u003eneg;\n+\tPkt *auth;\n+\n+\tif (!pubkey_from_der(neg-\u003etheir_sessionpubkey,\n+\t\t\t sizeof(neg-\u003etheir_sessionpubkey),\n+\t\t\t \u0026sessionkey)) {\n+\t\t/* FIXME: Dump key in this case. */\n+\t\tlog_unusual(peer-\u003elog, \"Bad sessionkey\");\n+\t\treturn io_close(conn);\n+\t}\n+\n+\t/* Derive shared secret. */\n+\tif (!secp256k1_ecdh(peer-\u003estate-\u003esecpctx, shared_secret,\n+\t\t\t \u0026sessionkey.pubkey, neg-\u003eseckey)) {\n+\t\tlog_unusual(peer-\u003elog, \"Bad ECDH\");\n+\t\treturn io_close(conn);\n+\t}\n+\n+\t/* Each side combines with their OWN session key to SENDING crypto. */\n+\tif (!setup_crypto(\u0026peer-\u003eio_data-\u003ein, shared_secret,\n+\t\t\t neg-\u003etheir_sessionpubkey)\n+\t || !setup_crypto(\u0026peer-\u003eio_data-\u003eout, shared_secret,\n+\t\t\t neg-\u003eour_sessionpubkey)) {\n+\t\tlog_unusual(peer-\u003elog, \"Failed setup_crypto()\");\n+\t\treturn io_close(conn);\n+\t}\n+\n+\t/* Now sign their session key to prove who we are. */\n+\tprivkey_sign(peer, neg-\u003etheir_sessionpubkey,\n+\t\t sizeof(neg-\u003etheir_sessionpubkey), \u0026sig);\n+\n+\t/* FIXME: Free auth afterwards. */\n+\tauth = authenticate_pkt(peer, \u0026peer-\u003estate-\u003eid, \u0026sig);\n+\treturn peer_write_packet(conn, peer, auth, receive_proof);\n+}\n+\n+static struct io_plan *session_key_receive(struct io_conn *conn,\n+\t\t\t\t\t struct peer *peer)\n+{\n+\tstruct key_negotiate *neg = peer-\u003eio_data-\u003eneg;\n+\t/* Now read their key. */\n+\treturn io_read(conn, neg-\u003etheir_sessionpubkey,\n+\t\t sizeof(neg-\u003etheir_sessionpubkey), keys_exchanged, peer);\n+}\n+\n+static void gen_sessionkey(secp256k1_context *ctx,\n+\t\t\t u8 seckey[32],\n+\t\t\t secp256k1_pubkey *pubkey)\n+{\n+\tdo {\n+\t\tif (RAND_bytes(seckey, 32) != 1)\n+\t\t\tfatal(\"Could not get random bytes for sessionkey\");\n+\t} while (!secp256k1_ec_pubkey_create(ctx, pubkey, seckey));\n+}\n+\n+struct io_plan *peer_crypto_setup(struct io_conn *conn, struct peer *peer,\n+\t\t\t\t struct io_plan *(*cb)(struct io_conn *,\n+\t\t\t\t\t\t\tstruct peer *))\n+{\n+\tsize_t outputlen;\n+\tsecp256k1_pubkey sessionkey;\n+\tstruct key_negotiate *neg;\n+\n+\tpeer-\u003eio_data = tal(peer, struct io_data);\n+\n+\t/* We store negotiation state here. */\n+\tneg = peer-\u003eio_data-\u003eneg = tal(peer-\u003eio_data, struct key_negotiate);\n+\tneg-\u003ecb = cb;\n+\n+\tgen_sessionkey(peer-\u003estate-\u003esecpctx, neg-\u003eseckey, \u0026sessionkey);\n+\n+\tsecp256k1_ec_pubkey_serialize(peer-\u003estate-\u003esecpctx,\n+\t\t\t\t neg-\u003eour_sessionpubkey, \u0026outputlen,\n+\t\t\t\t \u0026sessionkey,\n+\t\t\t\t SECP256K1_EC_COMPRESSED);\n+\tassert(outputlen == sizeof(neg-\u003eour_sessionpubkey));\n+\treturn io_write(conn, neg-\u003eour_sessionpubkey, outputlen,\n+\t\t\tsession_key_receive, peer);\n+}\ndiff --git a/daemon/cryptopkt.h b/daemon/cryptopkt.h\nnew file mode 100644\nindex 0000000..06c6167\n--- /dev/null\n+++ b/daemon/cryptopkt.h\n@@ -0,0 +1,26 @@\n+#ifndef LIGHTNING_DAEMON_CRYPTOPKT_H\n+#define LIGHTNING_DAEMON_CRYPTOPKT_H\n+#include \"config.h\"\n+#include \"lightning.pb-c.h\"\n+#include \u003cccan/io/io.h\u003e\n+\n+struct peer;\n+\n+struct io_plan *peer_crypto_setup(struct io_conn *conn,\n+\t\t\t\t struct peer *peer,\n+\t\t\t\t struct io_plan *(*cb)(struct io_conn *,\n+\t\t\t\t\t\t\tstruct peer *));\n+\n+/* Reads packet into peer-\u003einpkt/peer-\u003einpkt_len */\n+struct io_plan *peer_read_packet(struct io_conn *conn,\n+\t\t\t\t struct peer *peer,\n+\t\t\t\t struct io_plan *(*cb)(struct io_conn *,\n+\t\t\t\t\t\t struct peer *));\n+\n+struct io_plan *peer_write_packet(struct io_conn *conn,\n+\t\t\t\t struct peer *peer,\n+\t\t\t\t const Pkt *pkt,\n+\t\t\t\t struct io_plan *(*next)(struct io_conn *,\n+\t\t\t\t\t\t\t struct peer *));\n+\n+#endif /* LIGHTNING_DAEMON_CRYPTOPKT_H */\ndiff --git a/daemon/peer.c b/daemon/peer.c\nindex 5f578ee..ed4fcda 100644\n--- a/daemon/peer.c\n+++ b/daemon/peer.c\n@@ -1,3 +1,4 @@\n+#include \"cryptopkt.h\"\n #include \"dns.h\"\n #include \"jsonrpc.h\"\n #include \"lightningd.h\"\n@@ -14,6 +15,33 @@\n #include \u003csys/socket.h\u003e\n #include \u003csys/types.h\u003e\n \n+/* Send and receive (encrypted) hello message. */\n+static struct io_plan *peer_test_check(struct io_conn *conn, struct peer *peer)\n+{\n+\tif (peer-\u003einpkt-\u003epkt_case != PKT__PKT_ERROR)\n+\t\tfatal(\"Bad packet type %u\", peer-\u003einpkt-\u003epkt_case);\n+\tif (!peer-\u003einpkt-\u003eerror-\u003eproblem\n+\t || strcmp(peer-\u003einpkt-\u003eerror-\u003eproblem, \"hello\") != 0)\n+\t\tfatal(\"Bad packet '%.6s'\", peer-\u003einpkt-\u003eerror-\u003eproblem);\n+\tlog_info(peer-\u003elog, \"Successful hello!\");\n+\treturn io_close(conn);\n+}\n+\n+static struct io_plan *peer_test_read(struct io_conn *conn, struct peer *peer)\n+{\n+\treturn peer_read_packet(conn, peer, peer_test_check);\n+}\n+\n+static struct io_plan *peer_test(struct io_conn *conn, struct peer *peer)\n+{\n+\tError err = ERROR__INIT;\n+\tPkt pkt = PKT__INIT;\n+\tpkt.pkt_case = PKT__PKT_ERROR;\n+\tpkt.error = \u0026err;\n+\terr.problem = \"hello\";\n+\treturn peer_write_packet(conn, peer, \u0026pkt, peer_test_read);\n+}\n+\n static void destroy_peer(struct peer *peer)\n {\n \tlist_del_from(\u0026peer-\u003estate-\u003epeers, \u0026peer-\u003elist);\n@@ -32,6 +60,7 @@ static struct peer *new_peer(struct lightningd_state *state,\n \tpeer-\u003estate = state;\n \tpeer-\u003eaddr.type = addr_type;\n \tpeer-\u003eaddr.protocol = addr_protocol;\n+\tpeer-\u003eio_data = NULL;\n \n \t/* FIXME: Attach IO logging for this peer. */\n \ttal_add_destructor(peer, destroy_peer);\n@@ -63,7 +92,7 @@ struct io_plan *peer_connected_out(struct io_conn *conn,\n \t\treturn io_close(conn);\n \t}\n \tlog_info(peer-\u003elog, \"Connected out to %s:%s\", name, port);\n-\treturn io_write(conn, \"Hello!\", 6, io_close_cb, NULL);\n+\treturn peer_crypto_setup(conn, peer, peer_test);\n }\n \n static struct io_plan *peer_connected_in(struct io_conn *conn,\n@@ -73,8 +102,9 @@ static struct io_plan *peer_connected_in(struct io_conn *conn,\n \t\t\t\t \"in\");\n \tif (!peer)\n \t\treturn io_close(conn);\n-\t\n-\treturn io_write(conn, \"Hello!\", 6, io_close_cb, NULL);\n+\n+\tlog_info(peer-\u003elog, \"Peer connected in\");\n+\treturn peer_crypto_setup(conn, peer, peer_test);\n }\n \n static int make_listen_fd(struct lightningd_state *state,\ndiff --git a/daemon/peer.h b/daemon/peer.h\nindex 50cea69..c39f943 100644\n--- a/daemon/peer.h\n+++ b/daemon/peer.h\n@@ -1,6 +1,7 @@\n #ifndef LIGHTNING_DAEMON_PEER_H\n #define LIGHTNING_DAEMON_PEER_H\n #include \"config.h\"\n+#include \"lightning.pb-c.h\"\n #include \"netaddr.h\"\n #include \u003cccan/list/list.h\u003e\n \n@@ -14,6 +15,12 @@ struct peer {\n \t/* The other end's address. */\n \tstruct netaddr addr;\n \n+\t/* Current received packet. */\n+\tPkt *inpkt;\n+\t\n+\t/* Current ongoing packetflow */\n+\tstruct io_data *io_data;\n+\t\n \t/* What happened. */\n \tstruct log *log;\n };\ndiff --git a/lightning.pb-c.c b/lightning.pb-c.c\nindex 5dde94f..62777aa 100644\n--- a/lightning.pb-c.c\n+++ b/lightning.pb-c.c\n@@ -222,6 +222,49 @@ void funding__free_unpacked\n assert(message-\u003ebase.descriptor == \u0026funding__descriptor);\n protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);\n }\n+void authenticate__init\n+ (Authenticate *message)\n+{\n+ static Authenticate init_value = AUTHENTICATE__INIT;\n+ *message = init_value;\n+}\n+size_t authenticate__get_packed_size\n+ (const Authenticate *message)\n+{\n+ assert(message-\u003ebase.descriptor == \u0026authenticate__descriptor);\n+ return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));\n+}\n+size_t authenticate__pack\n+ (const Authenticate *message,\n+ uint8_t *out)\n+{\n+ assert(message-\u003ebase.descriptor == \u0026authenticate__descriptor);\n+ return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);\n+}\n+size_t authenticate__pack_to_buffer\n+ (const Authenticate *message,\n+ ProtobufCBuffer *buffer)\n+{\n+ assert(message-\u003ebase.descriptor == \u0026authenticate__descriptor);\n+ return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);\n+}\n+Authenticate *\n+ authenticate__unpack\n+ (ProtobufCAllocator *allocator,\n+ size_t len,\n+ const uint8_t *data)\n+{\n+ return (Authenticate *)\n+ protobuf_c_message_unpack (\u0026authenticate__descriptor,\n+ allocator, len, data);\n+}\n+void authenticate__free_unpacked\n+ (Authenticate *message,\n+ ProtobufCAllocator *allocator)\n+{\n+ assert(message-\u003ebase.descriptor == \u0026authenticate__descriptor);\n+ protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);\n+}\n void open_channel__init\n (OpenChannel *message)\n {\n@@ -1344,6 +1387,57 @@ const ProtobufCMessageDescriptor funding__descriptor =\n (ProtobufCMessageInit) funding__init,\n NULL,NULL,NULL /* reserved[123] */\n };\n+static const ProtobufCFieldDescriptor authenticate__field_descriptors[2] =\n+{\n+ {\n+ \"node_id\",\n+ 1,\n+ PROTOBUF_C_LABEL_REQUIRED,\n+ PROTOBUF_C_TYPE_MESSAGE,\n+ 0, /* quantifier_offset */\n+ offsetof(Authenticate, node_id),\n+ \u0026bitcoin_pubkey__descriptor,\n+ NULL,\n+ 0, /* flags */\n+ 0,NULL,NULL /* reserved1,reserved2, etc */\n+ },\n+ {\n+ \"session_sig\",\n+ 2,\n+ PROTOBUF_C_LABEL_REQUIRED,\n+ PROTOBUF_C_TYPE_MESSAGE,\n+ 0, /* quantifier_offset */\n+ offsetof(Authenticate, session_sig),\n+ \u0026signature__descriptor,\n+ NULL,\n+ 0, /* flags */\n+ 0,NULL,NULL /* reserved1,reserved2, etc */\n+ },\n+};\n+static const unsigned authenticate__field_indices_by_name[] = {\n+ 0, /* field[0] = node_id */\n+ 1, /* field[1] = session_sig */\n+};\n+static const ProtobufCIntRange authenticate__number_ranges[1 + 1] =\n+{\n+ { 1, 0 },\n+ { 0, 2 }\n+};\n+const ProtobufCMessageDescriptor authenticate__descriptor =\n+{\n+ PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,\n+ \"authenticate\",\n+ \"Authenticate\",\n+ \"Authenticate\",\n+ \"\",\n+ sizeof(Authenticate),\n+ 2,\n+ authenticate__field_descriptors,\n+ authenticate__field_indices_by_name,\n+ 1, authenticate__number_ranges,\n+ (ProtobufCMessageInit) authenticate__init,\n+ NULL,NULL,NULL /* reserved[123] */\n+};\n static const ProtobufCEnumValue open_channel__anchor_offer__enum_values_by_number[2] =\n {\n { \"WILL_CREATE_ANCHOR\", \"OPEN_CHANNEL__ANCHOR_OFFER__WILL_CREATE_ANCHOR\", 1 },\n@@ -2259,7 +2353,7 @@ const ProtobufCMessageDescriptor error__descriptor =\n (ProtobufCMessageInit) error__init,\n NULL,NULL,NULL /* reserved[123] */\n };\n-static const ProtobufCFieldDescriptor pkt__field_descriptors[17] =\n+static const ProtobufCFieldDescriptor pkt__field_descriptors[18] =\n {\n {\n \"update\",\n@@ -2465,8 +2559,21 @@ static const ProtobufCFieldDescriptor pkt__field_descriptors[17] =\n 0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */\n 0,NULL,NULL /* reserved1,reserved2, etc */\n },\n+ {\n+ \"auth\",\n+ 50,\n+ PROTOBUF_C_LABEL_OPTIONAL,\n+ PROTOBUF_C_TYPE_MESSAGE,\n+ offsetof(Pkt, pkt_case),\n+ offsetof(Pkt, auth),\n+ \u0026authenticate__descriptor,\n+ NULL,\n+ 0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */\n+ 0,NULL,NULL /* reserved1,reserved2, etc */\n+ },\n };\n static const unsigned pkt__field_indices_by_name[] = {\n+ 17, /* field[17] = auth */\n 13, /* field[13] = close */\n 15, /* field[15] = close_ack */\n 14, /* field[14] = close_complete */\n@@ -2485,13 +2592,14 @@ static const unsigned pkt__field_indices_by_name[] = {\n 3, /* field[3] = update_signature */\n 7, /* field[7] = update_timedout_htlc */\n };\n-static const ProtobufCIntRange pkt__number_ranges[4 + 1] =\n+static const ProtobufCIntRange pkt__number_ranges[5 + 1] =\n {\n { 1, 0 },\n { 20, 9 },\n { 30, 13 },\n { 40, 16 },\n- { 0, 17 }\n+ { 50, 17 },\n+ { 0, 18 }\n };\n const ProtobufCMessageDescriptor pkt__descriptor =\n {\n@@ -2501,10 +2609,10 @@ const ProtobufCMessageDescriptor pkt__descriptor =\n \"Pkt\",\n \"\",\n sizeof(Pkt),\n- 17,\n+ 18,\n pkt__field_descriptors,\n pkt__field_indices_by_name,\n- 4, pkt__number_ranges,\n+ 5, pkt__number_ranges,\n (ProtobufCMessageInit) pkt__init,\n NULL,NULL,NULL /* reserved[123] */\n };\ndiff --git a/lightning.pb-c.h b/lightning.pb-c.h\nindex 26219cc..4178a1e 100644\n--- a/lightning.pb-c.h\n+++ b/lightning.pb-c.h\n@@ -20,6 +20,7 @@ typedef struct _Signature Signature;\n typedef struct _Locktime Locktime;\n typedef struct _BitcoinPubkey BitcoinPubkey;\n typedef struct _Funding Funding;\n+typedef struct _Authenticate Authenticate;\n typedef struct _OpenChannel OpenChannel;\n typedef struct _OpenAnchor OpenAnchor;\n typedef struct _OpenCommitSig OpenCommitSig;\n@@ -150,6 +151,26 @@ struct _Funding\n /*\n * Set channel params.\n */\n+struct _Authenticate\n+{\n+ ProtobufCMessage base;\n+ /*\n+ * Which node this is.\n+ */\n+ BitcoinPubkey *node_id;\n+ /*\n+ * Signature of your session key. * \n+ */\n+ Signature *session_sig;\n+};\n+#define AUTHENTICATE__INIT \\\n+ { PROTOBUF_C_MESSAGE_INIT (\u0026authenticate__descriptor) \\\n+ , NULL, NULL }\n+\n+\n+/*\n+ * Set channel params.\n+ */\n struct _OpenChannel\n {\n ProtobufCMessage base;\n@@ -500,6 +521,7 @@ struct _Error\n \n typedef enum {\n PKT__PKT__NOT_SET = 0,\n+ PKT__PKT_AUTH = 50,\n PKT__PKT_OPEN = 20,\n PKT__PKT_OPEN_ANCHOR = 21,\n PKT__PKT_OPEN_COMMIT_SIG = 22,\n@@ -528,6 +550,10 @@ struct _Pkt\n Pkt__PktCase pkt_case;\n union {\n /*\n+ * Start of connection\n+ */\n+ Authenticate *auth;\n+ /*\n * Opening\n */\n OpenChannel *open;\n@@ -658,6 +684,25 @@ Funding *\n void funding__free_unpacked\n (Funding *message,\n ProtobufCAllocator *allocator);\n+/* Authenticate methods */\n+void authenticate__init\n+ (Authenticate *message);\n+size_t authenticate__get_packed_size\n+ (const Authenticate *message);\n+size_t authenticate__pack\n+ (const Authenticate *message,\n+ uint8_t *out);\n+size_t authenticate__pack_to_buffer\n+ (const Authenticate *message,\n+ ProtobufCBuffer *buffer);\n+Authenticate *\n+ authenticate__unpack\n+ (ProtobufCAllocator *allocator,\n+ size_t len,\n+ const uint8_t *data);\n+void authenticate__free_unpacked\n+ (Authenticate *message,\n+ ProtobufCAllocator *allocator);\n /* OpenChannel methods */\n void open_channel__init\n (OpenChannel *message);\n@@ -1017,6 +1062,9 @@ typedef void (*BitcoinPubkey_Closure)\n typedef void (*Funding_Closure)\n (const Funding *message,\n void *closure_data);\n+typedef void (*Authenticate_Closure)\n+ (const Authenticate *message,\n+ void *closure_data);\n typedef void (*OpenChannel_Closure)\n (const OpenChannel *message,\n void *closure_data);\n@@ -1082,6 +1130,7 @@ extern const ProtobufCMessageDescriptor signature__descriptor;\n extern const ProtobufCMessageDescriptor locktime__descriptor;\n extern const ProtobufCMessageDescriptor bitcoin_pubkey__descriptor;\n extern const ProtobufCMessageDescriptor funding__descriptor;\n+extern const ProtobufCMessageDescriptor authenticate__descriptor;\n extern const ProtobufCMessageDescriptor open_channel__descriptor;\n extern const ProtobufCEnumDescriptor open_channel__anchor_offer__descriptor;\n extern const ProtobufCMessageDescriptor open_anchor__descriptor;\ndiff --git a/lightning.proto b/lightning.proto\nindex 5f0eb03..0c1fcdd 100644\n--- a/lightning.proto\n+++ b/lightning.proto\n@@ -52,6 +52,14 @@ message funding {\n //\n \n // Set channel params.\n+message authenticate {\n+ // Which node this is.\n+ required bitcoin_pubkey node_id = 1;\n+ // Signature of your session key. */\n+ required signature session_sig = 2;\n+};\n+\n+// Set channel params.\n message open_channel {\n // Relative locktime for outputs going to us.\n required locktime delay = 1;\n@@ -205,6 +213,8 @@ message error {\n // This is the union which defines all of them\n message pkt {\n oneof pkt {\n+ // Start of connection\n+ authenticate auth = 50;\n // Opening\n open_channel open = 20;\n open_anchor open_anchor = 21;",
"sig": "2dc722df44f4395789c55961a634b2a3d66c091ce9eaf98d776f200f8f590e85e362af74d440682a371d90bbf2c7dbb5f1f350ad1ece03ee2484e8e53d5d72f6"
}