lnsocket

A minimal C library for connecting to the lightning network
git clone git://jb55.com/lnsocket
Log | Files | Refs | Submodules | README | LICENSE

handshake.h (4694B)

      1 /* Copyright Rusty Russell (Blockstream) 2015.
      2 
      3 Permission is hereby granted, free of charge, to any person obtaining a copy
      4 of this software and associated documentation files (the "Software"), to deal
      5 in the Software without restriction, including without limitation the rights
      6 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
      7 copies of the Software, and to permit persons to whom the Software is
      8 furnished to do so, subject to the following conditions:
      9 
     10 The above copyright notice and this permission notice shall be included in
     11 all copies or substantial portions of the Software.
     12 
     13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
     14 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
     16 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
     17 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     18 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
     19 THE SOFTWARE.
     20 */
     21 
     22 #ifndef LNLINK_HANDSHAKE_H
     23 #define LNLINK_HANDSHAKE_H
     24 
     25 #include "typedefs.h"
     26 #include "sha256.h"
     27 #include "crypto.h"
     28 
     29 #include <netdb.h>
     30 
     31 #include <sodium/crypto_aead_chacha20poly1305.h>
     32 #include <secp256k1_extrakeys.h>
     33 
     34 #define ACT_ONE_SIZE 50
     35 #define ACT_TWO_SIZE 50
     36 #define ACT_THREE_SIZE 66
     37 
     38 enum bolt8_side {
     39 	INITIATOR,
     40 	RESPONDER
     41 };
     42 
     43 /* BOLT #8:
     44  *
     45  * Act One is sent from initiator to responder. During Act One, the
     46  * initiator attempts to satisfy an implicit challenge by the responder. To
     47  * complete this challenge, the initiator must know the static public key of
     48  * the responder.
     49  */
     50 struct act_one {
     51 	u8 v;
     52 	u8 pubkey[PUBKEY_CMPR_LEN];
     53 	u8 tag[crypto_aead_chacha20poly1305_ietf_ABYTES];
     54 };
     55 
     56 /* BOLT #8:
     57  *
     58  * Act Two is sent from the responder to the initiator. Act Two will
     59  * _only_ take place if Act One was successful. Act One was successful if
     60  * the responder was able to properly decrypt and check the MAC of the tag
     61  * sent at the end of Act One.
     62  */
     63 struct act_two {
     64 	u8 v;
     65 	u8 pubkey[PUBKEY_CMPR_LEN];
     66 	u8 tag[crypto_aead_chacha20poly1305_ietf_ABYTES];
     67 };
     68 
     69 /* BOLT #8:
     70  *
     71  * Act Three is the final phase in the authenticated key agreement described
     72  * in this section. This act is sent from the initiator to the responder as a
     73  * concluding step. Act Three is executed  _if and only if_  Act Two was
     74  * successful.  During Act Three, the initiator transports its static public
     75  * key to the responder encrypted with _strong_ forward secrecy, using the
     76  * accumulated `HKDF` derived secret key at this point of the handshake.
     77  */
     78 struct act_three {
     79 	u8 v;
     80 	u8 ciphertext[PUBKEY_CMPR_LEN + crypto_aead_chacha20poly1305_ietf_ABYTES];
     81 	u8 tag[crypto_aead_chacha20poly1305_ietf_ABYTES];
     82 };
     83 
     84 /* BOLT #8:
     85  *
     86  * Throughout the handshake process, each side maintains these variables:
     87  *
     88  *  * `ck`: the **chaining key**. This value is the accumulated hash of all
     89  *    previous ECDH outputs. At the end of the handshake, `ck` is used to derive
     90  *    the encryption keys for Lightning messages.
     91  *
     92  *  * `h`: the **handshake hash**. This value is the accumulated hash of _all_
     93  *    handshake data that has been sent and received so far during the handshake
     94  *    process.
     95  *
     96  *  * `temp_k1`, `temp_k2`, `temp_k3`: the **intermediate keys**. These are used to
     97  *    encrypt and decrypt the zero-length AEAD payloads at the end of each handshake
     98  *    message.
     99  *
    100  *  * `e`: a party's **ephemeral keypair**. For each session, a node MUST generate a
    101  *    new ephemeral key with strong cryptographic randomness.
    102  *
    103  *  * `s`: a party's **static keypair** (`ls` for local, `rs` for remote)
    104  */
    105 struct handshake {
    106 	struct secret ck;
    107 	struct secret temp_k;
    108 	struct sha256 h;
    109 	struct keypair e;
    110 	struct secret ss;
    111 
    112 	/* Used between the Acts */
    113 	struct pubkey re;
    114 	struct act_one act1;
    115 	struct act_two act2;
    116 	struct act_three act3;
    117 
    118 	/* Where is connection from/to */
    119 	struct addrinfo addr;
    120 
    121 	/* Who they are: set already if we're initiator. */
    122 	struct pubkey their_id;
    123 
    124 	/* Are we initiator or responder. */
    125 	enum bolt8_side side;
    126 
    127 	/* Function to call once handshake complete. */
    128 	/*
    129 	struct io_plan *(*cb)(struct io_conn *conn,
    130 			      const struct pubkey *their_id,
    131 			      const struct wireaddr_internal *wireaddr,
    132 			      struct crypto_state *cs,
    133 			      void *cbarg);
    134 	void *cbarg;
    135 	*/
    136 };
    137 
    138 void new_handshake(secp256k1_context *secp, struct handshake *handshake,
    139 		const struct pubkey *responder_id);
    140 
    141 struct lnsocket;
    142 
    143 int act_one_initiator_prep(struct lnsocket *ln);
    144 int act_one_initiator(struct lnsocket *ln);
    145 struct keypair generate_key(secp256k1_context *ctx);
    146 
    147 #endif /* LNLINK_HANDSHAKE_H */