hsmd: make our private utxo type, to ensure binary compatibility.

I'm about to update our utxo type, but Christian spotted that this is
part of the ABI for the hsm.  So make that a private "hsm_utxo" type,
to insulate it from changes.

In particular, the HSM versions only contain the fields that the
hsm cares about, and the wire format is consistent (even though that
*did* include some of those fields, they are now dummies).

In the long term, this should be removed from the ABI: once we
no longer have "close_info" utxos, this information should already be
in the PSBT.

I tested this hadn't accidentally changed the wire format by disabling
version checks and using an old hsmd with the altered daemons and
running the test suite.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

hsmd/Makefile

@@ -2,6 +2,7 @@
 
 HSMD_SRC := hsmd/hsmd.c	\
 	hsmd/hsmd_wiregen.c \
+	hsmd/hsm_utxo.c \
 	hsmd/libhsmd.c
 
 HSMD_HEADERS := hsmd/hsmd_wiregen.h hsmd/permissions.h
@@ -12,6 +13,7 @@ $(HSMD_OBJS): $(HSMD_HEADERS)
 # Other programs which use the hsm need this.
 HSMD_CLIENT_OBJS := \
 	hsmd/hsmd_wiregen.o			\
+	hsmd/hsm_utxo.o				\
 	common/htlc_wire.o
 
 # Make sure these depend on everything.
@@ -50,7 +52,6 @@ HSMD_COMMON_OBJS :=				\
 	common/status_wiregen.o			\
 	common/subdaemon.o			\
 	common/utils.o				\
-	common/utxo.o				\
 	common/version.o			\
 	common/wireaddr.o
 

hsmd/hsm_utxo.c

@@ -0,0 +1,105 @@
+#include "config.h"
+#include <hsmd/hsm_utxo.h>
+#include <wire/wire.h>
+
+static const struct hsm_utxo *to_hsm_utxo(const tal_t *ctx,
+					  const struct utxo *utxo)
+{
+	struct hsm_utxo *hutxo = tal(ctx, struct hsm_utxo);
+
+	hutxo->outpoint = utxo->outpoint;
+	hutxo->amount = utxo->amount;
+	hutxo->keyindex = utxo->keyindex;
+
+	if (utxo->close_info) {
+		hutxo->close_info
+			= tal_dup(hutxo, struct unilateral_close_info,
+				  utxo->close_info);
+		if (hutxo->close_info->commitment_point)
+			hutxo->close_info->commitment_point
+				= tal_dup(hutxo->close_info,
+					  struct pubkey,
+					  hutxo->close_info->commitment_point);
+	} else
+		hutxo->close_info = NULL;
+
+	if (utxo->scriptPubkey)
+		hutxo->scriptPubkey = tal_dup_talarr(hutxo, u8, utxo->scriptPubkey);
+	else
+		hutxo->scriptPubkey = NULL;
+
+	return hutxo;
+}
+
+const struct hsm_utxo **utxos_to_hsm_utxos(const tal_t *ctx,
+					   struct utxo **utxos)
+{
+	const struct hsm_utxo **hutxos
+		= tal_arr(ctx, const struct hsm_utxo *, tal_count(utxos));
+
+	for (size_t i = 0; i < tal_count(hutxos); i++)
+		hutxos[i] = to_hsm_utxo(hutxos, utxos[i]);
+	return hutxos;
+}
+
+void towire_hsm_utxo(u8 **pptr, const struct hsm_utxo *utxo)
+{
+	/* Is this a unilateral close output and needs the
+	 * close_info? */
+	bool is_unilateral_close = utxo->close_info != NULL;
+	towire_bitcoin_outpoint(pptr, &utxo->outpoint);
+	towire_amount_sat(pptr, utxo->amount);
+	towire_u32(pptr, utxo->keyindex);
+	/* Used to be ->is_p2sh, but HSM uses scriptpubkey to determine type */
+	towire_bool(pptr, false);
+
+	towire_u16(pptr, tal_count(utxo->scriptPubkey));
+	towire_u8_array(pptr, utxo->scriptPubkey, tal_count(utxo->scriptPubkey));
+
+	towire_bool(pptr, is_unilateral_close);
+	if (is_unilateral_close) {
+		towire_u64(pptr, utxo->close_info->channel_id);
+		towire_node_id(pptr, &utxo->close_info->peer_id);
+		towire_bool(pptr, utxo->close_info->commitment_point != NULL);
+		if (utxo->close_info->commitment_point)
+			towire_pubkey(pptr, utxo->close_info->commitment_point);
+		towire_bool(pptr, utxo->close_info->option_anchors);
+		towire_u32(pptr, utxo->close_info->csv);
+	}
+
+	/* Used to be ->is_in_coinbase, but HSM doesn't care */
+	towire_bool(pptr, false);
+}
+
+struct hsm_utxo *fromwire_hsm_utxo(const tal_t *ctx, const u8 **ptr, size_t *max)
+{
+	struct hsm_utxo *utxo = tal(ctx, struct hsm_utxo);
+
+	fromwire_bitcoin_outpoint(ptr, max, &utxo->outpoint);
+	utxo->amount = fromwire_amount_sat(ptr, max);
+	utxo->keyindex = fromwire_u32(ptr, max);
+	fromwire_bool(ptr, max);
+
+	utxo->scriptPubkey = fromwire_tal_arrn(utxo, ptr, max, fromwire_u16(ptr, max));
+
+	if (fromwire_bool(ptr, max)) {
+		utxo->close_info = tal(utxo, struct unilateral_close_info);
+		utxo->close_info->channel_id = fromwire_u64(ptr, max);
+		fromwire_node_id(ptr, max, &utxo->close_info->peer_id);
+		if (fromwire_bool(ptr, max)) {
+			utxo->close_info->commitment_point = tal(utxo,
+								 struct pubkey);
+			fromwire_pubkey(ptr, max,
+					utxo->close_info->commitment_point);
+		} else
+			utxo->close_info->commitment_point = NULL;
+		utxo->close_info->option_anchors
+			= fromwire_bool(ptr, max);
+		utxo->close_info->csv = fromwire_u32(ptr, max);
+	} else {
+		utxo->close_info = NULL;
+	}
+
+	fromwire_bool(ptr, max);
+	return utxo;
+}

hsmd/hsm_utxo.h

@@ -0,0 +1,31 @@
+#ifndef LIGHTNING_HSMD_HSM_UTXO_H
+#define LIGHTNING_HSMD_HSM_UTXO_H
+#include "config.h"
+#include <bitcoin/tx.h>
+#include <common/amount.h>
+#include <common/utxo.h>
+
+/* FIXME: If we make our static_remotekey a normal keypath key, we can
+ * simply put that close information inside the PSBT, and we don't
+ * need to hand the utxo to hsmd at all. */
+
+/* /!\ This is part of the HSM ABI: do not change! /!\ */
+struct hsm_utxo {
+	struct bitcoin_outpoint outpoint;
+	struct amount_sat amount;
+	u32 keyindex;
+
+	/* Optional unilateral close information, NULL if this is just
+	 * a HD key */
+	struct unilateral_close_info *close_info;
+
+	/* The scriptPubkey if it is known */
+	u8 *scriptPubkey;
+};
+
+void towire_hsm_utxo(u8 **pptr, const struct hsm_utxo *utxo);
+struct hsm_utxo *fromwire_hsm_utxo(const tal_t *ctx, const u8 **ptr, size_t *max);
+
+const struct hsm_utxo **utxos_to_hsm_utxos(const tal_t *ctx,
+					   struct utxo **utxos);
+#endif /* LIGHTNING_HSMD_HSM_UTXO_H */

hsmd/hsmd_wire.csv

@@ -118,7 +118,7 @@ msgdata,hsmd_forget_channel,dbid,u64,
 msgtype,hsmd_forget_channel_reply,134
 
 # Return signature for a funding tx.
-#include <common/utxo.h>
+#include <hsmd/hsm_utxo.h>
 
 # Master asks the HSM to sign a node_announcement
 msgtype,hsmd_node_announcement_sig_req,6
@@ -132,7 +132,7 @@ msgdata,hsmd_node_announcement_sig_reply,signature,secp256k1_ecdsa_signature,
 #include <bitcoin/psbt.h>
 msgtype,hsmd_sign_withdrawal,7
 msgdata,hsmd_sign_withdrawal,num_inputs,u16,
-msgdata,hsmd_sign_withdrawal,inputs,utxo,num_inputs
+msgdata,hsmd_sign_withdrawal,inputs,hsm_utxo,num_inputs
 msgdata,hsmd_sign_withdrawal,psbt,wally_psbt,
 
 msgtype,hsmd_sign_withdrawal_reply,107
@@ -425,7 +425,7 @@ msgtype,hsmd_sign_anchorspend,147
 msgdata,hsmd_sign_anchorspend,peerid,node_id,
 msgdata,hsmd_sign_anchorspend,channel_dbid,u64,
 msgdata,hsmd_sign_anchorspend,num_inputs,u16,
-msgdata,hsmd_sign_anchorspend,inputs,utxo,num_inputs
+msgdata,hsmd_sign_anchorspend,inputs,hsm_utxo,num_inputs
 msgdata,hsmd_sign_anchorspend,psbt,wally_psbt,
 
 msgtype,hsmd_sign_anchorspend_reply,148
@@ -474,7 +474,7 @@ msgtype,hsmd_sign_htlc_tx_mingle,149
 msgdata,hsmd_sign_htlc_tx_mingle,peerid,node_id,
 msgdata,hsmd_sign_htlc_tx_mingle,channel_dbid,u64,
 msgdata,hsmd_sign_htlc_tx_mingle,num_inputs,u16,
-msgdata,hsmd_sign_htlc_tx_mingle,inputs,utxo,num_inputs
+msgdata,hsmd_sign_htlc_tx_mingle,inputs,hsm_utxo,num_inputs
 msgdata,hsmd_sign_htlc_tx_mingle,psbt,wally_psbt,
 
 msgtype,hsmd_sign_htlc_tx_mingle_reply,150

hsmd/libhsmd.c

@@ -527,7 +527,7 @@ static void bitcoin_key(struct privkey *privkey, struct pubkey *pubkey,
 
 /* This gets the bitcoin private key needed to spend from our wallet */
 static void hsm_key_for_utxo(struct privkey *privkey, struct pubkey *pubkey,
-			     const struct utxo *utxo)
+			     const struct hsm_utxo *utxo)
 {
 	if (utxo->close_info != NULL) {
 		/* This is a their_unilateral_close/to-us output, so
@@ -545,11 +545,11 @@ static void hsm_key_for_utxo(struct privkey *privkey, struct pubkey *pubkey,
 
 /* Find our inputs by the pubkey associated with the inputs, and
  * add a partial sig for each */
-static void sign_our_inputs(struct utxo **utxos, struct wally_psbt *psbt)
+static void sign_our_inputs(struct hsm_utxo **utxos, struct wally_psbt *psbt)
 {
 	bool is_cache_enabled = false;
 	for (size_t i = 0; i < tal_count(utxos); i++) {
-		struct utxo *utxo = utxos[i];
+		struct hsm_utxo *utxo = utxos[i];
 		for (size_t j = 0; j < psbt->num_inputs; j++) {
 			struct privkey privkey;
 			struct pubkey pubkey;
@@ -1315,11 +1315,11 @@ static u8 *handle_get_per_commitment_point(struct hsmd_client *c, const u8 *msg_
  * we can do more to check the previous case is valid. */
 static u8 *handle_sign_withdrawal_tx(struct hsmd_client *c, const u8 *msg_in)
 {
-	struct utxo **utxos;
+	struct hsm_utxo **utxos;
 	struct wally_psbt *psbt;
 
 	if (!fromwire_hsmd_sign_withdrawal(tmpctx, msg_in,
-					  &utxos, &psbt))
+					   &utxos, &psbt))
 		return hsmd_status_malformed_request(c, msg_in);
 
 	sign_our_inputs(utxos, psbt);
@@ -1705,7 +1705,7 @@ static u8 *handle_sign_anchorspend(struct hsmd_client *c, const u8 *msg_in)
 {
 	struct node_id peer_id;
 	u64 dbid;
-	struct utxo **utxos;
+	struct hsm_utxo **utxos;
 	struct wally_psbt *psbt;
 	struct secret seed;
 	struct pubkey local_funding_pubkey;
@@ -1744,7 +1744,7 @@ static u8 *handle_sign_htlc_tx_mingle(struct hsmd_client *c, const u8 *msg_in)
 {
 	struct node_id peer_id;
 	u64 dbid;
-	struct utxo **utxos;
+	struct hsm_utxo **utxos;
 	struct wally_psbt *psbt;
 
 	/* FIXME: Check output goes to us. */