Verify that an HTLC's PaymentContext is authentic

jkczyz · jkczyz · commit 3ddac04e492e · 2024-12-02T16:20:14.000-06:00
When receiving a payment over a BlindedPaymentPath, a PaymentContext is
included but was not authenticated. The previous commit adds an HMAC of
the PaymentContext to the payment::ReceiveTlvs and the nonce used to
create the HMAC. This commit pipes this data through to ChannelManager
in order to verify the PaymentContext's authenticity. This prevents a
malicious actor from for forging it.
diff --git a/lightning/src/blinded_path/payment.rs b/lightning/src/blinded_path/payment.rs
@@ -638,11 +638,15 @@ impl_writeable_tlv_based!(Bolt12RefundContext, {});
 
 #[cfg(test)]
 mod tests {
+	use bitcoin::hashes::hmac::Hmac;
+	use bitcoin::hashes::sha256::Hash as Sha256;
+	use bitcoin::hashes::Hash;
 	use bitcoin::secp256k1::PublicKey;
 	use crate::blinded_path::payment::{PaymentForwardNode, ForwardTlvs, ReceiveTlvs, PaymentConstraints, PaymentContext, PaymentRelay};
 	use crate::types::payment::PaymentSecret;
 	use crate::types::features::BlindedHopFeatures;
 	use crate::ln::functional_test_utils::TEST_FINAL_CLTV;
+	use crate::offers::nonce::Nonce;
 
 	#[test]
 	fn compute_payinfo() {
@@ -691,6 +695,7 @@ mod tests {
 				htlc_minimum_msat: 1,
 			},
 			payment_context: PaymentContext::unknown(),
+			authentication: (Hmac::<Sha256>::hash(&[42u8]), Nonce([42u8; 16])),
 		};
 		let htlc_maximum_msat = 100_000;
 		let blinded_payinfo = super::compute_payinfo(&intermediate_nodes[..], &recv_tlvs, htlc_maximum_msat, 12).unwrap();
@@ -710,6 +715,7 @@ mod tests {
 				htlc_minimum_msat: 1,
 			},
 			payment_context: PaymentContext::unknown(),
+			authentication: (Hmac::<Sha256>::hash(&[42u8]), Nonce([42u8; 16])),
 		};
 		let blinded_payinfo = super::compute_payinfo(&[], &recv_tlvs, 4242, TEST_FINAL_CLTV as u16).unwrap();
 		assert_eq!(blinded_payinfo.fee_base_msat, 0);
@@ -766,6 +772,7 @@ mod tests {
 				htlc_minimum_msat: 3,
 			},
 			payment_context: PaymentContext::unknown(),
+			authentication: (Hmac::<Sha256>::hash(&[42u8]), Nonce([42u8; 16])),
 		};
 		let htlc_maximum_msat = 100_000;
 		let blinded_payinfo = super::compute_payinfo(&intermediate_nodes[..], &recv_tlvs, htlc_maximum_msat, TEST_FINAL_CLTV as u16).unwrap();
@@ -819,6 +826,7 @@ mod tests {
 				htlc_minimum_msat: 1,
 			},
 			payment_context: PaymentContext::unknown(),
+			authentication: (Hmac::<Sha256>::hash(&[42u8]), Nonce([42u8; 16])),
 		};
 		let htlc_minimum_msat = 3798;
 		assert!(super::compute_payinfo(&intermediate_nodes[..], &recv_tlvs, htlc_minimum_msat - 1, TEST_FINAL_CLTV as u16).is_err());
@@ -876,6 +884,7 @@ mod tests {
 				htlc_minimum_msat: 1,
 			},
 			payment_context: PaymentContext::unknown(),
+			authentication: (Hmac::<Sha256>::hash(&[42u8]), Nonce([42u8; 16])),
 		};
 
 		let blinded_payinfo = super::compute_payinfo(&intermediate_nodes[..], &recv_tlvs, 10_000, TEST_FINAL_CLTV as u16).unwrap();
diff --git a/lightning/src/ln/blinded_payment_tests.rs b/lightning/src/ln/blinded_payment_tests.rs
@@ -7,7 +7,9 @@
 // You may not use this file except in accordance with one or both of these
 // licenses.
 
+use bitcoin::hashes::hmac::Hmac;
 use bitcoin::hashes::hex::FromHex;
+use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::secp256k1::{PublicKey, Scalar, Secp256k1, SecretKey, schnorr};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
@@ -17,16 +19,18 @@ use crate::events::{Event, HTLCDestination, MessageSendEvent, MessageSendEventsP
 use crate::ln::types::ChannelId;
 use crate::types::payment::{PaymentHash, PaymentSecret};
 use crate::ln::channelmanager;
-use crate::ln::channelmanager::{HTLCFailureMsg, PaymentId, RecipientOnionFields};
+use crate::ln::channelmanager::{HTLCFailureMsg, PaymentId, RecipientOnionFields, Verification};
 use crate::types::features::{BlindedHopFeatures, ChannelFeatures, NodeFeatures};
 use crate::ln::functional_test_utils::*;
+use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs;
 use crate::ln::msgs::{ChannelMessageHandler, UnsignedGossipMessage};
 use crate::ln::onion_payment;
 use crate::ln::onion_utils;
 use crate::ln::onion_utils::INVALID_ONION_BLINDING;
 use crate::ln::outbound_payment::{Retry, IDEMPOTENCY_TIMEOUT_TICKS};
 use crate::offers::invoice::UnsignedBolt12Invoice;
+use crate::offers::nonce::Nonce;
 use crate::prelude::*;
 use crate::routing::router::{BlindedTail, Path, Payee, PaymentParameters, RouteHop, RouteParameters};
 use crate::sign::{KeyMaterial, NodeSigner, Recipient};
@@ -69,15 +73,19 @@ fn blinded_payment_path(
 				.unwrap_or_else(|| channel_upds[idx - 1].htlc_maximum_msat),
 		});
 	}
+
+	let payment_context = PaymentContext::unknown();
 	let payee_tlvs = ReceiveTlvs {
 		payment_secret,
 		payment_constraints: PaymentConstraints {
 			max_cltv_expiry: u32::max_value(),
 			htlc_minimum_msat:
 				intro_node_min_htlc_opt.unwrap_or_else(|| channel_upds.last().unwrap().htlc_minimum_msat),
 		},
-		payment_context: PaymentContext::unknown(),
+		authentication: hmac_payment_context(&payment_context, keys_manager),
+		payment_context,
 	};
+
 	let mut secp_ctx = Secp256k1::new();
 	BlindedPaymentPath::new(
 		&intermediate_nodes[..], *node_ids.last().unwrap(), payee_tlvs,
@@ -86,6 +94,15 @@ fn blinded_payment_path(
 	).unwrap()
 }
 
+fn hmac_payment_context(
+	payment_context: &PaymentContext, keys_manager: &test_utils::TestKeysInterface,
+) -> (Hmac<Sha256>, Nonce) {
+	let nonce = Nonce([42u8; 16]);
+	let expanded_key = ExpandedKey::new(&keys_manager.get_inbound_payment_key_material());
+	let hmac = payment_context.hmac_for_offer_payment(nonce, &expanded_key);
+	(hmac, nonce)
+}
+
 pub fn get_blinded_route_parameters(
 	amt_msat: u64, payment_secret: PaymentSecret, intro_node_min_htlc: u64, intro_node_max_htlc: u64,
 	node_ids: Vec<PublicKey>, channel_upds: &[&msgs::UnsignedChannelUpdate],
@@ -116,13 +133,15 @@ fn do_one_hop_blinded_path(success: bool) {
 
 	let amt_msat = 5000;
 	let (payment_preimage, payment_hash, payment_secret) = get_payment_preimage_hash(&nodes[1], Some(amt_msat), None);
+	let payment_context = PaymentContext::unknown();
 	let payee_tlvs = ReceiveTlvs {
 		payment_secret,
 		payment_constraints: PaymentConstraints {
 			max_cltv_expiry: u32::max_value(),
 			htlc_minimum_msat: chan_upd.htlc_minimum_msat,
 		},
-		payment_context: PaymentContext::unknown(),
+		authentication: hmac_payment_context(&payment_context, &chanmon_cfgs[1].keys_manager),
+		payment_context,
 	};
 	let mut secp_ctx = Secp256k1::new();
 	let blinded_path = BlindedPaymentPath::new(
@@ -160,13 +179,15 @@ fn mpp_to_one_hop_blinded_path() {
 
 	let amt_msat = 15_000_000;
 	let (payment_preimage, payment_hash, payment_secret) = get_payment_preimage_hash(&nodes[3], Some(amt_msat), None);
+	let payment_context = PaymentContext::unknown();
 	let payee_tlvs = ReceiveTlvs {
 		payment_secret,
 		payment_constraints: PaymentConstraints {
 			max_cltv_expiry: u32::max_value(),
 			htlc_minimum_msat: chan_upd_1_3.htlc_minimum_msat,
 		},
-		payment_context: PaymentContext::unknown(),
+		authentication: hmac_payment_context(&payment_context, &chanmon_cfgs[3].keys_manager),
+		payment_context,
 	};
 	let blinded_path = BlindedPaymentPath::new(
 		&[], nodes[3].node.get_our_node_id(), payee_tlvs, u64::MAX, TEST_FINAL_CLTV as u16,
@@ -302,7 +323,7 @@ fn do_forward_checks_failure(check: ForwardCheckFail, intro_fails: bool) {
 	let mut route_params = get_blinded_route_parameters(amt_msat, payment_secret, 1, 1_0000_0000,
 		nodes.iter().skip(1).map(|n| n.node.get_our_node_id()).collect(),
 		&[&chan_upd_1_2, &chan_upd_2_3], &chanmon_cfgs[3].keys_manager);
-	route_params.payment_params.max_path_length = 18;
+	route_params.payment_params.max_path_length = 17;
 
 	let route = get_route(&nodes[0], &route_params).unwrap();
 	node_cfgs[0].router.expect_find_route(route_params.clone(), Ok(route.clone()));
@@ -1375,13 +1396,15 @@ fn custom_tlvs_to_blinded_path() {
 
 	let amt_msat = 5000;
 	let (payment_preimage, payment_hash, payment_secret) = get_payment_preimage_hash(&nodes[1], Some(amt_msat), None);
+	let payment_context = PaymentContext::unknown();
 	let payee_tlvs = ReceiveTlvs {
 		payment_secret,
 		payment_constraints: PaymentConstraints {
 			max_cltv_expiry: u32::max_value(),
 			htlc_minimum_msat: chan_upd.htlc_minimum_msat,
 		},
-		payment_context: PaymentContext::unknown(),
+		authentication: hmac_payment_context(&payment_context, &chanmon_cfgs[1].keys_manager),
+		payment_context,
 	};
 	let mut secp_ctx = Secp256k1::new();
 	let blinded_path = BlindedPaymentPath::new(
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -198,6 +198,8 @@ pub enum PendingHTLCRouting {
 		custom_tlvs: Vec<(u64, Vec<u8>)>,
 		/// Set if this HTLC is the final hop in a multi-hop blinded path.
 		requires_blinded_error: bool,
+		/// An HMAC of `payment_context` along with a nonce used to construct it.
+		authentication: Option<(Hmac<Sha256>, Nonce)>,
 	},
 	/// The onion indicates that this is for payment to us but which contains the preimage for
 	/// claiming included, and is unrelated to any invoice we'd previously generated (aka a
@@ -5995,19 +5997,19 @@ where
 								let blinded_failure = routing.blinded_failure();
 								let (
 									cltv_expiry, onion_payload, payment_data, payment_context, phantom_shared_secret,
-									mut onion_fields, has_recipient_created_payment_secret
+									mut onion_fields, has_recipient_created_payment_secret, authentication,
 								) = match routing {
 									PendingHTLCRouting::Receive {
 										payment_data, payment_metadata, payment_context,
 										incoming_cltv_expiry, phantom_shared_secret, custom_tlvs,
-										requires_blinded_error: _
+										requires_blinded_error: _, authentication,
 									} => {
 										let _legacy_hop_data = Some(payment_data.clone());
 										let onion_fields = RecipientOnionFields { payment_secret: Some(payment_data.payment_secret),
 												payment_metadata, custom_tlvs };
 										(incoming_cltv_expiry, OnionPayload::Invoice { _legacy_hop_data },
 											Some(payment_data), payment_context, phantom_shared_secret, onion_fields,
-											true)
+											true, authentication)
 									},
 									PendingHTLCRouting::ReceiveKeysend {
 										payment_data, payment_preimage, payment_metadata,
@@ -6020,7 +6022,7 @@ where
 											custom_tlvs,
 										};
 										(incoming_cltv_expiry, OnionPayload::Spontaneous(payment_preimage),
-											payment_data, None, None, onion_fields, has_recipient_created_payment_secret)
+											payment_data, None, None, onion_fields, has_recipient_created_payment_secret, None)
 									},
 									_ => {
 										panic!("short_channel_id == 0 should imply any pending_forward entries are of type Receive");
@@ -6205,6 +6207,16 @@ where
 										payment_preimage
 									} else { fail_htlc!(claimable_htlc, payment_hash); }
 								} else { None };
+
+								// Authenticate the PaymentContext received over a BlindedPaymentPath
+								if let Some(payment_context) = payment_context.as_ref() {
+									if let Some((hmac, nonce)) = authentication {
+										if payment_context.verify_for_offer_payment(hmac, nonce, &self.inbound_payment_key).is_err() {
+											fail_htlc!(claimable_htlc, payment_hash);
+										}
+									}
+								}
+
 								match claimable_htlc.onion_payload {
 									OnionPayload::Invoice { .. } => {
 										let payment_data = payment_data.unwrap();
@@ -12363,6 +12375,7 @@ impl_writeable_tlv_based_enum!(PendingHTLCRouting,
 		(5, custom_tlvs, optional_vec),
 		(7, requires_blinded_error, (default_value, false)),
 		(9, payment_context, option),
+		(11, authentication, option),
 	},
 	(2, ReceiveKeysend) => {
 		(0, payment_preimage, required),
diff --git a/lightning/src/ln/max_payment_path_len_tests.rs b/lightning/src/ln/max_payment_path_len_tests.rs
@@ -16,16 +16,19 @@ use crate::blinded_path::payment::{BlindedPayInfo, BlindedPaymentPath, PaymentCo
 use crate::events::{Event, MessageSendEventsProvider};
 use crate::types::payment::PaymentSecret;
 use crate::ln::blinded_payment_tests::get_blinded_route_parameters;
-use crate::ln::channelmanager::PaymentId;
+use crate::ln::channelmanager::{PaymentId, Verification};
 use crate::types::features::BlindedHopFeatures;
 use crate::ln::functional_test_utils::*;
+use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs;
 use crate::ln::msgs::OnionMessageHandler;
 use crate::ln::onion_utils;
 use crate::ln::onion_utils::MIN_FINAL_VALUE_ESTIMATE_WITH_OVERPAY;
 use crate::ln::outbound_payment::{RecipientOnionFields, Retry, RetryableSendFailure};
+use crate::offers::nonce::Nonce;
 use crate::prelude::*;
 use crate::routing::router::{DEFAULT_MAX_TOTAL_CLTV_EXPIRY_DELTA, PaymentParameters, RouteParameters};
+use crate::sign::NodeSigner;
 use crate::util::errors::APIError;
 use crate::util::ser::Writeable;
 use crate::util::test_utils;
@@ -157,13 +160,18 @@ fn one_hop_blinded_path_with_custom_tlv() {
 	// Construct the route parameters for sending to nodes[2]'s 1-hop blinded path.
 	let amt_msat = 100_000;
 	let (payment_preimage, payment_hash, payment_secret) = get_payment_preimage_hash(&nodes[2], Some(amt_msat), None);
+	let payment_context = PaymentContext::unknown();
+	let nonce = Nonce([42u8; 16]);
+	let expanded_key = ExpandedKey::new(&chanmon_cfgs[2].keys_manager.get_inbound_payment_key_material());
+	let hmac = payment_context.hmac_for_offer_payment(nonce, &expanded_key);
 	let payee_tlvs = ReceiveTlvs {
 		payment_secret,
 		payment_constraints: PaymentConstraints {
 			max_cltv_expiry: u32::max_value(),
 			htlc_minimum_msat: chan_upd_1_2.htlc_minimum_msat,
 		},
-		payment_context: PaymentContext::unknown(),
+		payment_context,
+		authentication: (hmac, nonce),
 	};
 	let mut secp_ctx = Secp256k1::new();
 	let blinded_path = BlindedPaymentPath::new(
diff --git a/lightning/src/ln/msgs.rs b/lightning/src/ln/msgs.rs
@@ -1745,9 +1745,12 @@ pub struct FinalOnionHopData {
 }
 
 mod fuzzy_internal_msgs {
+	use bitcoin::hashes::hmac::Hmac;
+	use bitcoin::hashes::sha256::Hash as Sha256;
 	use bitcoin::secp256k1::PublicKey;
 	use crate::blinded_path::payment::{BlindedPaymentPath, PaymentConstraints, PaymentContext, PaymentRelay};
 	use crate::offers::invoice_request::InvoiceRequest;
+	use crate::offers::nonce::Nonce;
 	use crate::types::payment::{PaymentPreimage, PaymentSecret};
 	use crate::types::features::{BlindedHopFeatures, Bolt12InvoiceFeatures};
 	use super::{FinalOnionHopData, TrampolineOnionPacket};
@@ -1791,6 +1794,7 @@ mod fuzzy_internal_msgs {
 			intro_node_blinding_point: Option<PublicKey>,
 			keysend_preimage: Option<PaymentPreimage>,
 			custom_tlvs: Vec<(u64, Vec<u8>)>,
+			authentication: (Hmac<Sha256>, Nonce),
 		}
 	}
 
@@ -2908,7 +2912,7 @@ impl<NS: Deref> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPayload wh
 					})
 				},
 				ChaChaPolyReadAdapter { readable: BlindedPaymentTlvs::Receive(ReceiveTlvs {
-					payment_secret, payment_constraints, payment_context, authentication: _,
+					payment_secret, payment_constraints, payment_context, authentication,
 				})} => {
 					if total_msat.unwrap_or(0) > MAX_VALUE_MSAT { return Err(DecodeError::InvalidValue) }
 					Ok(Self::BlindedReceive {
@@ -2921,6 +2925,7 @@ impl<NS: Deref> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPayload wh
 						intro_node_blinding_point,
 						keysend_preimage,
 						custom_tlvs,
+						authentication,
 					})
 				},
 			}
diff --git a/lightning/src/ln/onion_payment.rs b/lightning/src/ln/onion_payment.rs
@@ -135,18 +135,19 @@ pub(super) fn create_recv_pending_htlc_info(
 ) -> Result<PendingHTLCInfo, InboundHTLCErr> {
 	let (
 		payment_data, keysend_preimage, custom_tlvs, onion_amt_msat, onion_cltv_expiry,
-		payment_metadata, payment_context, requires_blinded_error, has_recipient_created_payment_secret
+		payment_metadata, payment_context, requires_blinded_error, has_recipient_created_payment_secret,
+		authentication,
 	) = match hop_data {
 		msgs::InboundOnionPayload::Receive {
 			payment_data, keysend_preimage, custom_tlvs, sender_intended_htlc_amt_msat,
 			cltv_expiry_height, payment_metadata, ..
 		} =>
 			(payment_data, keysend_preimage, custom_tlvs, sender_intended_htlc_amt_msat,
-			 cltv_expiry_height, payment_metadata, None, false, keysend_preimage.is_none()),
+			 cltv_expiry_height, payment_metadata, None, false, keysend_preimage.is_none(), None),
 		msgs::InboundOnionPayload::BlindedReceive {
 			sender_intended_htlc_amt_msat, total_msat, cltv_expiry_height, payment_secret,
 			intro_node_blinding_point, payment_constraints, payment_context, keysend_preimage,
-			custom_tlvs
+			custom_tlvs, authentication,
 		} => {
 			check_blinded_payment_constraints(
 				sender_intended_htlc_amt_msat, cltv_expiry, &payment_constraints
@@ -161,7 +162,7 @@ pub(super) fn create_recv_pending_htlc_info(
 			let payment_data = msgs::FinalOnionHopData { payment_secret, total_msat };
 			(Some(payment_data), keysend_preimage, custom_tlvs,
 			 sender_intended_htlc_amt_msat, cltv_expiry_height, None, Some(payment_context),
-			 intro_node_blinding_point.is_none(), true)
+			 intro_node_blinding_point.is_none(), true, Some(authentication))
 		}
 		msgs::InboundOnionPayload::Forward { .. } => {
 			return Err(InboundHTLCErr {
@@ -252,6 +253,7 @@ pub(super) fn create_recv_pending_htlc_info(
 			phantom_shared_secret,
 			custom_tlvs,
 			requires_blinded_error,
+			authentication,
 		}
 	} else {
 		return Err(InboundHTLCErr {
