From c9e9581b3575f236034abfd16c7057ff72fadce3 Mon Sep 17 00:00:00 2001
From: Christian Decker <decker.christian@gmail.com>
Date: Thu, 22 Apr 2021 15:30:36 +0200
Subject: [PATCH] libhsmd: Migrate bolt12 initialization into hsmd_init

---
 hsmd/hsmd.c    | 63 +-------------------------------------------------
 hsmd/libhsmd.c | 20 +++++++++++++++-
 2 files changed, 20 insertions(+), 63 deletions(-)

diff --git a/hsmd/hsmd.c b/hsmd/hsmd.c
index 1fb6975e8..638a511a8 100644
--- a/hsmd/hsmd.c
+++ b/hsmd/hsmd.c
@@ -292,46 +292,6 @@ static struct io_plan *req_reply(struct io_conn *conn,
 	return io_write_wire(conn, msg_out, client_read_next, c);
 }
 
-/*~ This returns the secret and/or public key for this node. */
-static void node_key(struct privkey *node_privkey, struct pubkey *node_id)
-{
-	u32 salt = 0;
-	struct privkey unused_s;
-	struct pubkey unused_k;
-
-	/* If caller specifies NULL, they don't want the results. */
-	if (node_privkey == NULL)
-		node_privkey = &unused_s;
-	if (node_id == NULL)
-		node_id = &unused_k;
-
-	/*~ So, there is apparently a 1 in 2^127 chance that a random value is
-	 * not a valid private key, so this never actually loops. */
-	do {
-		/*~ ccan/crypto/hkdf_sha256 implements RFC5869 "Hardened Key
-		 * Derivation Functions".  That means that if a derived key
-		 * leaks somehow, the other keys are not compromised. */
-		hkdf_sha256(node_privkey, sizeof(*node_privkey),
-			    &salt, sizeof(salt),
-			    &secretstuff.hsm_secret,
-			    sizeof(secretstuff.hsm_secret),
-			    "nodeid", 6);
-		salt++;
-	} while (!secp256k1_ec_pubkey_create(secp256k1_ctx, &node_id->pubkey,
-					     node_privkey->secret.data));
-
-#if DEVELOPER
-	/* In DEVELOPER mode, we can override with --dev-force-privkey */
-	if (dev_force_privkey) {
-		*node_privkey = *dev_force_privkey;
-		if (!secp256k1_ec_pubkey_create(secp256k1_ctx, &node_id->pubkey,
-						node_privkey->secret.data))
-			status_failed(STATUS_FAIL_INTERNAL_ERROR,
-				      "Failed to derive pubkey for dev_force_privkey");
-	}
-#endif
-}
-
 /*~ This encrypts the content of the secretstuff and stores it in hsm_secret,
  * this is called instead of create_hsm() if `lightningd` is started with
  * --encrypted-hsm.
@@ -485,8 +445,6 @@ static void load_hsm(const struct secret *encryption_key)
 							  "no plaintext nor encrypted"
 							  " seed.");
 	close(fd);
-
-	hsmd_init(secretstuff.hsm_secret, bip32_key_version);
 }
 
 /*~ This is the response to lightningd's HSM_INIT request, which is the first
@@ -495,9 +453,6 @@ static struct io_plan *init_hsm(struct io_conn *conn,
 				struct client *c,
 				const u8 *msg_in)
 {
-	struct node_id node_id;
-	struct pubkey key;
-	struct pubkey32 bolt12;
 	struct privkey *privkey;
 	struct secret *seed;
 	struct secrets *secrets;
@@ -541,24 +496,8 @@ static struct io_plan *init_hsm(struct io_conn *conn,
 	if (hsm_encryption_key)
 		discard_key(take(hsm_encryption_key));
 
-	/*~ We tell lightning our node id and (public) bip32 seed. */
-	node_key(NULL, &key);
-	node_id_from_pubkey(&node_id, &key);
-
-	/* We also give it the base key for bolt12 payerids */
-	if (secp256k1_keypair_xonly_pub(secp256k1_ctx, &bolt12.pubkey, NULL,
-					&secretstuff.bolt12) != 1)
-		status_failed(STATUS_FAIL_INTERNAL_ERROR,
-		              "Could derive bolt12 public key.");
-
-
-	/*~ Note: marshalling a bip32 tree only marshals the public side,
-	 * not the secrets!  So we're not actually handing them out here!
-	 */
 	return req_reply(conn, c,
-			 take(towire_hsmd_init_reply(NULL, &node_id,
-						     &secretstuff.bip32,
-						     &bolt12)));
+			 hsmd_init(secretstuff.hsm_secret, bip32_key_version));
 }
 
 /*~ Since we process requests then service them in strict order, and because
diff --git a/hsmd/libhsmd.c b/hsmd/libhsmd.c
index b4d3f2ed7..b4c8686c6 100644
--- a/hsmd/libhsmd.c
+++ b/hsmd/libhsmd.c
@@ -1409,8 +1409,11 @@ u8 *hsmd_init(struct secret hsm_secret,
 	      struct bip32_key_version bip32_key_version)
 {
 	u8 bip32_seed[BIP32_ENTROPY_LEN_256];
+	struct pubkey key;
+	struct pubkey32 bolt12;
 	u32 salt = 0;
 	struct ext_key master_extkey, child_extkey;
+	struct node_id node_id;
 
 	/*~ Don't swap this. */
 	sodium_mlock(secretstuff.hsm_secret.data,
@@ -1520,5 +1523,20 @@ u8 *hsmd_init(struct secret hsm_secret,
 	 * upset if we get a non-init message. */
 	initialized = true;
 
-	return NULL;  /* TODO Fill in once we finish migrating. */
+	/*~ We tell lightning our node id and (public) bip32 seed. */
+	node_key(NULL, &key);
+	node_id_from_pubkey(&node_id, &key);
+
+	/* We also give it the base key for bolt12 payerids */
+	if (secp256k1_keypair_xonly_pub(secp256k1_ctx, &bolt12.pubkey, NULL,
+					&secretstuff.bolt12) != 1)
+		hsmd_status_failed(STATUS_FAIL_INTERNAL_ERROR,
+				   "Could derive bolt12 public key.");
+
+	/*~ Note: marshalling a bip32 tree only marshals the public side,
+	 * not the secrets!  So we're not actually handing them out here!
+	 */
+	return take(towire_hsmd_init_reply(
+	    NULL, &node_id, &secretstuff.bip32,
+	    &bolt12));
 }