lightningnetwork / lnd / 11216766535

package walletunlocker

import (

        "context"

        "crypto/rand"

        "errors"

        "fmt"

        "os"

        "time"

        "github.com/btcsuite/btcd/btcutil/hdkeychain"

        "github.com/btcsuite/btcd/chaincfg"

        "github.com/btcsuite/btcwallet/waddrmgr"

        "github.com/btcsuite/btcwallet/wallet"

        "github.com/lightningnetwork/lnd/aezeed"

        "github.com/lightningnetwork/lnd/chanbackup"

        "github.com/lightningnetwork/lnd/keychain"

        "github.com/lightningnetwork/lnd/kvdb"

        "github.com/lightningnetwork/lnd/lnrpc"

        "github.com/lightningnetwork/lnd/lnwallet"

        "github.com/lightningnetwork/lnd/lnwallet/btcwallet"

        "github.com/lightningnetwork/lnd/macaroons"

)

var (

        // ErrUnlockTimeout signals that we did not get the expected unlock

        // message before the timeout occurred.

        ErrUnlockTimeout = errors.New("got no unlock message before timeout")

)

// WalletUnlockParams holds the variables used to parameterize the unlocking of

// lnd's wallet after it has already been created.

type WalletUnlockParams struct {

        // Password is the public and private wallet passphrase.

        Password []byte

        // Birthday specifies the approximate time that this wallet was created.

        // This is used to bound any rescans on startup.

        Birthday time.Time

        // RecoveryWindow specifies the address lookahead when entering recovery

        // mode. A recovery will be attempted if this value is non-zero.

        RecoveryWindow uint32

        // Wallet is the loaded and unlocked Wallet. This is returned

        // from the unlocker service to avoid it being unlocked twice (once in

        // the unlocker service to check if the password is correct and again

        // later when lnd actually uses it). Because unlocking involves scrypt

        // which is resource intensive, we want to avoid doing it twice.

        Wallet *wallet.Wallet

        // ChansToRestore a set of static channel backups that should be

        // restored before the main server instance starts up.

        ChansToRestore ChannelsToRecover

        // UnloadWallet is a function for unloading the wallet, which should

        // be called on shutdown.

        UnloadWallet func() error

        // StatelessInit signals that the user requested the daemon to be

        // initialized stateless, which means no unencrypted macaroons should be

        // written to disk.

        StatelessInit bool

        // MacResponseChan is the channel for sending back the admin macaroon to

        // the WalletUnlocker service.

        MacResponseChan chan []byte

        // MacRootKey is the 32 byte macaroon root key specified by the user

        // during wallet initialization.

        MacRootKey []byte

}

// ChannelsToRecover wraps any set of packed (serialized+encrypted) channel

// back ups together. These can be passed in when unlocking the wallet, or

// creating a new wallet for the first time with an existing seed.

type ChannelsToRecover struct {

        // PackedMultiChanBackup is an encrypted and serialized multi-channel

        // backup.

        PackedMultiChanBackup chanbackup.PackedMulti

        // PackedSingleChanBackups is a series of encrypted and serialized

        // single-channel backup for one or more channels.

        PackedSingleChanBackups chanbackup.PackedSingles

}

// WalletInitMsg is a message sent by the UnlockerService when a user wishes to

// set up the internal wallet for the first time. The user MUST provide a

// passphrase, but is also able to provide their own source of entropy. If

// provided, then this source of entropy will be used to generate the wallet's

// HD seed. Otherwise, the wallet will generate one itself.

type WalletInitMsg struct {

        // Passphrase is the passphrase that will be used to encrypt the wallet

        // itself. This MUST be at least 8 characters.

        Passphrase []byte

        // WalletSeed is the deciphered cipher seed that the wallet should use

        // to initialize itself. The seed might be nil if the wallet should be

        // created from an extended master root key instead.

        WalletSeed *aezeed.CipherSeed

        // WalletExtendedKey is the wallet's extended master root key that

        // should be used instead of the seed, if non-nil. The extended key is

        // mutually exclusive to the wallet seed, but one of both is always set.

        WalletExtendedKey *hdkeychain.ExtendedKey

        // ExtendedKeyBirthday is the birthday of a wallet that's being restored

        // through an extended key instead of an aezeed.

        ExtendedKeyBirthday time.Time

        // WatchOnlyAccounts is a map of scoped account extended public keys

        // that should be imported to create a watch-only wallet.

        WatchOnlyAccounts map[waddrmgr.ScopedIndex]*hdkeychain.ExtendedKey

        // WatchOnlyBirthday is the birthday of the master root key the above

        // watch-only account xpubs were derived from.

        WatchOnlyBirthday time.Time

        // WatchOnlyMasterFingerprint is the fingerprint of the master root key

        // the above watch-only account xpubs were derived from.

        WatchOnlyMasterFingerprint uint32

        // RecoveryWindow is the address look-ahead used when restoring a seed

        // with existing funds. A recovery window zero indicates that no

        // recovery should be attempted, such as after the wallet's initial

        // creation.

        RecoveryWindow uint32

        // ChanBackups a set of static channel backups that should be received

        // after the wallet has been initialized.

        ChanBackups ChannelsToRecover

        // StatelessInit signals that the user requested the daemon to be

        // initialized stateless, which means no unencrypted macaroons should be

        // written to disk.

        StatelessInit bool

        // MacRootKey is the 32 byte macaroon root key specified by the user

        // during wallet initialization.

        MacRootKey []byte

}

// WalletUnlockMsg is a message sent by the UnlockerService when a user wishes

// to unlock the internal wallet after initial setup. The user can optionally

// specify a recovery window, which will resume an interrupted rescan for used

// addresses.

type WalletUnlockMsg struct {

        // Passphrase is the passphrase that will be used to encrypt the wallet

        // itself. This MUST be at least 8 characters.

        Passphrase []byte

        // RecoveryWindow is the address look-ahead used when restoring a seed

        // with existing funds. A recovery window zero indicates that no

        // recovery should be attempted, such as after the wallet's initial

        // creation, but before any addresses have been created.

        RecoveryWindow uint32

        // Wallet is the loaded and unlocked Wallet. This is returned through

        // the channel to avoid it being unlocked twice (once to check if the

        // password is correct, here in the WalletUnlocker and again later when

        // lnd actually uses it). Because unlocking involves scrypt which is

        // resource intensive, we want to avoid doing it twice.

        Wallet *wallet.Wallet

        // ChanBackups a set of static channel backups that should be received

        // after the wallet has been unlocked.

        ChanBackups ChannelsToRecover

        // UnloadWallet is a function for unloading the wallet, which should

        // be called on shutdown.

        UnloadWallet func() error

        // StatelessInit signals that the user requested the daemon to be

        // initialized stateless, which means no unencrypted macaroons should be

        // written to disk.

        StatelessInit bool

}

// UnlockerService implements the WalletUnlocker service used to provide lnd

// with a password for wallet encryption at startup. Additionally, during

// initial setup, users can provide their own source of entropy which will be

// used to generate the seed that's ultimately used within the wallet.

type UnlockerService struct {

        // Required by the grpc-gateway/v2 library for forward compatibility.

        lnrpc.UnimplementedWalletUnlockerServer

        // InitMsgs is a channel that carries all wallet init messages.

        InitMsgs chan *WalletInitMsg

        // UnlockMsgs is a channel where unlock parameters provided by the rpc

        // client to be used to unlock and decrypt an existing wallet will be

        // sent.

        UnlockMsgs chan *WalletUnlockMsg

        // MacResponseChan is the channel for sending back the admin macaroon to

        // the WalletUnlocker service.

        MacResponseChan chan []byte

        netParams *chaincfg.Params

        // macaroonFiles is the path to the three generated macaroons with

        // different access permissions. These might not exist in a stateless

        // initialization of lnd.

        macaroonFiles []string

        // resetWalletTransactions indicates that the wallet state should be

        // reset on unlock to force a full chain rescan.

        resetWalletTransactions bool

        // LoaderOpts holds the functional options for the wallet loader.

        loaderOpts []btcwallet.LoaderOption

        // macaroonDB is an instance of a database backend that stores all

        // macaroon root keys. This will be nil on initialization and must be

        // set using the SetMacaroonDB method as soon as it's available.

        macaroonDB kvdb.Backend

}

// New creates and returns a new UnlockerService.

func New(params *chaincfg.Params, macaroonFiles []string,

        resetWalletTransactions bool,

// SetLoaderOpts can be used to inject wallet loader options after the unlocker

// service has been hooked to the main RPC server.

// SetMacaroonDB can be used to inject the macaroon database after the unlocker

// service has been hooked to the main RPC server.

func (u *UnlockerService) newLoader(recoveryWindow uint32) (*wallet.Loader,

// WalletExists returns whether a wallet exists on the file path the

// UnlockerService is using.

}

// GenSeed is the first method that should be used to instantiate a new lnd

// instance. This method allows a caller to generate a new aezeed cipher seed

// given an optional passphrase. If provided, the passphrase will be necessary

// to decrypt the cipherseed to expose the internal wallet seed.

//

// Once the cipherseed is obtained and verified by the user, the InitWallet

// method should be used to commit the newly generated seed, and create the

// wallet.

func (u *UnlockerService) GenSeed(_ context.Context,

        // If the user provided any entropy, then we'll make sure it's sized

        // properly.

        // If the user provided the correct number of bytes, then we'll copy it

        // over into our buffer for usage.

        // Otherwise, we'll generate a fresh new set of bytes to use as entropy

        // to generate the seed.

        }

        // Now that we have our set of entropy, we'll create a new cipher seed

        // instance.

        //

        // With our raw cipher seed obtained, we'll convert it into an encoded

        // mnemonic using the user specified pass phrase.

        // Additionally, we'll also obtain the raw enciphered cipher seed as

        // well to return to the user.

}

// extractChanBackups is a helper function that extracts the set of channel

// backups from the proto into a format that we'll pass to higher level

// sub-systems.

        // Now that we know there's at least a single back up populated, we'll

        // extract the multi-chan backup (if it's there).

        // Finally, we can extract all the single chan backups as well.

}

// InitWallet is used when lnd is starting up for the first time to fully

// initialize the daemon and its internal wallet. At the very least a wallet

// password must be provided. This will be used to encrypt sensitive material

// on disk.

//

// In the case of a recovery scenario, the user can also specify their aezeed

// mnemonic and passphrase. If set, then the daemon will use this prior state

// to initialize its internal wallet.

//

// Alternatively, this can be used along with the GenSeed RPC to obtain a

// seed, then present it to the user. Once it has been verified by the user,

// the seed can be fed into this RPC in order to commit the new wallet.

func (u *UnlockerService) InitWallet(ctx context.Context,

        // Require that the recovery window be non-negative.

        // Ensure that the macaroon root key is *exactly* 32-bytes.

        // We'll then open up the directory that will be used to store the

        // wallet's files so we can check if the wallet already exists.

        // If the wallet already exists, then we'll exit early as we can't

        // create the wallet if it already exists!

        // At this point, we know the wallet doesn't already exist so we can

        // prepare the message that we'll send over the channel later.

        // Don't allow the user to specify both as that would be ambiguous.

        // The aezeed is the preferred and default way of initializing a wallet.

        // To support restoring a wallet where the seed isn't known or a wallet

        // created externally to lnd, we also allow the extended master key

        // (xprv) to be imported directly. This is what'll be stored in the

        // btcwallet database anyway.

                // The on-chain wallet of lnd is going to derive keys based on

                // the BIP49/84 key derivation paths from this root key. To make

                // sure we use default derivation paths, we want to avoid

                // deriving keys from something other than the master key (at

                // depth 0, denoted with "m/" in BIP32 notation).

                // Because we need the master key (at depth 0), it must be an

                // extended private key as the first levels of BIP49/84

                // derivation paths are hardened, which isn't possible with

                // extended public keys.

                // To avoid using the wrong master key, we check that it was

                // issued for the correct network. This will cause problems if

                // someone tries to import a "new" BIP84 zprv key because with

                // this we only support the "legacy" zprv prefix. But it is

                // trivial to convert between those formats, as long as the user

                // knows what they're doing.

                // When importing a wallet from its extended private key we

                // don't know the birthday as that information is not encoded in

                // that format. We therefore must set an arbitrary date to start

                // rescanning at if the user doesn't provide an explicit value

                // for it. Since lnd only uses SegWit addresses, we pick the

                // date of the first block that contained SegWit transactions

                // (481824).

        // The third option for creating a wallet is the watch-only mode:

        // Instead of providing the master root key directly, each individual

        // account is passed as an extended public key only. Because of the

        // hardened derivation path up to the account (depth 3), it is not

        // possible to create a master root extended _public_ key. Therefore, an

        // xpub must be derived and passed into the unlocker for _every_ account

        // lnd expects.

                        // Just to make sure the user is doing the right thing,

                        // we expect the public key to be at derivation depth

                        // three (which is the account level) and the key not to

                        // contain any private key material.

                }

                // When importing a wallet from its extended public keys we

                // don't know the birthday as that information is not encoded in

                // that format. We therefore must set an arbitrary date to start

                // rescanning at if the user doesn't provide an explicit value

                // for it. Since lnd only uses SegWit addresses, we pick the

                // date of the first block that contained SegWit transactions

                // (481824).

        // No key material was set, no wallet can be created.

        }

        // Before we return the unlock payload, we'll check if we can extract

        // any channel backups to pass up to the higher level sub-system.

        // Deliver the initialization message back to the main daemon.

                }

        }

}

// LoadAndUnlock creates a loader for the wallet and tries to unlock the wallet

// with the given password and recovery window. If the drop wallet transactions

// flag is set, the history state drop is performed before unlocking the wallet

// yet again.

func (u *UnlockerService) LoadAndUnlock(password []byte,

        // Check if wallet already exists.

        // Try opening the existing wallet with the provided password.

        // The user requested to drop their whole wallet transaction state to

        // force a full chain rescan for wallet addresses. Dropping the state

        // only properly takes effect after opening the wallet. That's why we

        // start, drop, stop and start again.

                // If dropping failed but unloading didn't, we'll still abort

                // and inform the user.

                // All looks good, let's now open the wallet again. The loader

                // was unloaded and might have removed its remote DB connection,

                // so let's re-create it as well.

        }

}

// UnlockWallet sends the password provided by the incoming UnlockWalletRequest

// over the UnlockMsgs channel in case it successfully decrypts an existing

// wallet found in the chain's wallet database directory.

func (u *UnlockerService) UnlockWallet(ctx context.Context,

        // We successfully opened the wallet and pass the instance back to

        // avoid it needing to be unlocked again.

        // At this point we were able to open the existing wallet with the

        // provided password. We send the password over the UnlockMsgs

        // channel, such that it can be used by lnd to open the wallet.

                }

        }

}

// ChangePassword changes the password of the wallet and sends the new password

// across the UnlockPasswords channel to automatically unlock the wallet if

// successful.

func (u *UnlockerService) ChangePassword(ctx context.Context,

        // First, we'll make sure the wallet exists for the specific chain and

        // network.

        // Make sure the new password meets our constraints.

        // Load the existing wallet in order to proceed with the password change.

        // Now that we've opened the wallet, we need to close it in case of an

        // error. But not if we succeed, then the caller must close it.

        }()

        // Before we actually change the password, we need to check if all flags

        // were set correctly. The content of the previously generated macaroon

        // files will become invalid after we generate a new root key. So we try

        // to delete them here and they will be recreated during normal startup

        // later. If they are missing, this is only an error if the

        // stateless_init flag was not set.

                }

        }

        // Attempt to change both the public and private passphrases for the

        // wallet. This will be done atomically in order to prevent one

        // passphrase change from being successful and not the other.

        // The next step is to load the macaroon database, change the password

        // then close it again.

        // Attempt to open the macaroon DB, unlock it and then change

        // the passphrase.

        }

        }

        // If requested by the user, attempt to replace the existing

        // macaroon root key with a new one.

                }

        }

        // Finally, send the new password across the UnlockPasswords channel to

        // automatically unlock the wallet.

                }

        }

}

// ValidatePassword assures the password meets all of our constraints.