hsmd: HSM_VERSION 6: get_per_commitment_point never returns secret

ksedgwic · ksedgwic · commit b8901ac254c4 · 2024-03-16T13:56:47.000-07:00
Changelog-Changed: hsmd: HSM_VERSION 6: get_per_commitment_point does
not imply index - 2 is revoked, makes it safe to call on any index.
diff --git a/channeld/channeld.c b/channeld/channeld.c
@@ -1430,11 +1430,8 @@ static void start_commit_timer(struct peer *peer)
 }
 
 /* Fetch the requested point. The secret is no longer returned, use
- * revoke_commitment.
- *
- * NOTE - Because the internals of this call also release the secret
- * from a revoked commitment it is an error to call this past the next
- * commitment.
+ * revoke_commitment.  It is leagal to call this on any commitment
+ * (including distant future).
  */
 static void get_per_commitment_point(u64 index, struct pubkey *point)
 {
diff --git a/common/hsm_version.h b/common/hsm_version.h
@@ -23,7 +23,8 @@
  * v5 with hsmd_revoke_commitment_tx: 5742538f87ef5d5bf55b66dc19e52c8683cfeb1b887d3e64ba530ba9a4d8e638
  * v5 with sign_any_cannouncement: 5fdb9068c43a21887dc03f7dce410d2e3eeff6277f0d49b4fc56595a798fd4a4
  * v5 drop init v2: 5024454532fe5a78bb7558000cb344190888b9915360d3d56ddca22eaba9b872
+ * v6  no secret from get_per_commitment_point: 5024454532fe5a78bb7558000cb344190888b9915360d3d56ddca22eaba9b872
 */
 #define HSM_MIN_VERSION 5
-#define HSM_MAX_VERSION 5
+#define HSM_MAX_VERSION 6
 #endif /* LIGHTNING_COMMON_HSM_VERSION_H */
diff --git a/hsmd/hsmd_wire.csv b/hsmd/hsmd_wire.csv
@@ -294,10 +294,12 @@ msgdata,hsmd_sign_splice_tx,input_index,u32,
 msgtype,hsmd_sign_tx_reply,112
 msgdata,hsmd_sign_tx_reply,sig,bitcoin_signature,
 
-# Openingd/channeld/onchaind asks for Nth per_commitment_point, if > 2, gets N-2 secret.
+# Openingd/channeld/onchaind asks for Nth per_commitment_point
+# Prior to HSM_VERSION 6 we will return an old_commitment_secret
 msgtype,hsmd_get_per_commitment_point,18
 msgdata,hsmd_get_per_commitment_point,n,u64,
 
+# IMPORTANT - Beginning HSM_VERSION 6 we never return an old_commitment_secret
 msgtype,hsmd_get_per_commitment_point_reply,118
 msgdata,hsmd_get_per_commitment_point_reply,per_commitment_point,pubkey,
 msgdata,hsmd_get_per_commitment_point_reply,old_commitment_secret,?secret,

Original file line number	Diff line number	Diff line change
`@@ -1430,11 +1430,8 @@ static void start_commit_timer(struct peer *peer)`
`1430`	`1430`	`}`
`1431`	`1431`
`1432`	`1432`	`/* Fetch the requested point. The secret is no longer returned, use`
`1433`		`- * revoke_commitment.`
`1434`		`- *`
`1435`		`- * NOTE - Because the internals of this call also release the secret`
`1436`		`- * from a revoked commitment it is an error to call this past the next`
`1437`		`- * commitment.`
	`1433`	`+ * revoke_commitment. It is leagal to call this on any commitment`
	`1434`	`+ * (including distant future).`
`1438`	`1435`	`*/`
`1439`	`1436`	`static void get_per_commitment_point(u64 index, struct pubkey *point)`
`1440`	`1437`	`{`