(f?) Calculate shared secret within decode_next_payment_hop

Author: arik-so

lightning/src/ln/blinded_payment_tests.rs

@@ -1561,7 +1561,7 @@ fn route_blinding_spec_test_vector() {
 	let bob_node_signer = TestEcdhSigner { node_secret: bob_secret };
 	// Can't use the public API here as we need to avoid the CLTV delta checks (test vector uses
 	// < MIN_CLTV_EXPIRY_DELTA).
-	let (bob_peeled_onion, _, next_packet_details_opt) =
+	let (bob_peeled_onion, next_packet_details_opt) =
 		match onion_payment::decode_incoming_update_add_htlc_onion(
 			&bob_update_add, &bob_node_signer, &logger, &secp_ctx
 		) {
@@ -1571,7 +1571,7 @@ fn route_blinding_spec_test_vector() {
 	let (carol_packet_bytes, carol_hmac) = if let onion_utils::Hop::BlindedForward {
 		next_hop_data: msgs::InboundOnionBlindedForwardPayload {
 			short_channel_id, payment_relay, payment_constraints, features, intro_node_blinding_point, next_blinding_override
-		}, next_hop_hmac, new_packet_bytes
+		}, next_hop_hmac, new_packet_bytes, ..
 	} = bob_peeled_onion {
 		assert_eq!(short_channel_id, 1729);
 		assert!(next_blinding_override.is_none());
@@ -1595,7 +1595,7 @@ fn route_blinding_spec_test_vector() {
 		carol_onion
 	);
 	let carol_node_signer = TestEcdhSigner { node_secret: carol_secret };
-	let (carol_peeled_onion, _, next_packet_details_opt) =
+	let (carol_peeled_onion, next_packet_details_opt) =
 		match onion_payment::decode_incoming_update_add_htlc_onion(
 			&carol_update_add, &carol_node_signer, &logger, &secp_ctx
 		) {
@@ -1605,7 +1605,7 @@ fn route_blinding_spec_test_vector() {
 	let (dave_packet_bytes, dave_hmac) = if let onion_utils::Hop::BlindedForward {
 		next_hop_data: msgs::InboundOnionBlindedForwardPayload {
 			short_channel_id, payment_relay, payment_constraints, features, intro_node_blinding_point, next_blinding_override
-		}, next_hop_hmac, new_packet_bytes
+		}, next_hop_hmac, new_packet_bytes, ..
 	} = carol_peeled_onion {
 		assert_eq!(short_channel_id, 1105);
 		assert_eq!(next_blinding_override, Some(pubkey_from_hex("031b84c5567b126440995d3ed5aaba0565d71e1834604819ff9c17f5e9d5dd078f")));
@@ -1629,7 +1629,7 @@ fn route_blinding_spec_test_vector() {
 		dave_onion
 	);
 	let dave_node_signer = TestEcdhSigner { node_secret: dave_secret };
-	let (dave_peeled_onion, _, next_packet_details_opt) =
+	let (dave_peeled_onion, next_packet_details_opt) =
 		match onion_payment::decode_incoming_update_add_htlc_onion(
 			&dave_update_add, &dave_node_signer, &logger, &secp_ctx
 		) {
@@ -1639,7 +1639,7 @@ fn route_blinding_spec_test_vector() {
 	let (eve_packet_bytes, eve_hmac) = if let onion_utils::Hop::BlindedForward {
 		next_hop_data: msgs::InboundOnionBlindedForwardPayload {
 			short_channel_id, payment_relay, payment_constraints, features, intro_node_blinding_point, next_blinding_override
-		}, next_hop_hmac, new_packet_bytes
+		}, next_hop_hmac, new_packet_bytes, ..
 	} = dave_peeled_onion {
 		assert_eq!(short_channel_id, 561);
 		assert!(next_blinding_override.is_none());

lightning/src/ln/channelmanager.rs

@@ -61,7 +61,7 @@ use crate::routing::router::{BlindedTail, FixedRouter, InFlightHtlcs, Path, Paye
 use crate::ln::onion_payment::{check_incoming_htlc_cltv, create_recv_pending_htlc_info, create_fwd_pending_htlc_info, decode_incoming_update_add_htlc_onion, InboundHTLCErr, NextPacketDetails};
 use crate::ln::msgs;
 use crate::ln::onion_utils;
-use crate::ln::onion_utils::{HTLCFailReason, INVALID_ONION_BLINDING};
+use crate::ln::onion_utils::{Hop, HTLCFailReason, INVALID_ONION_BLINDING};
 use crate::ln::msgs::{ChannelMessageHandler, CommitmentUpdate, DecodeError, LightningError};
 #[cfg(test)]
 use crate::ln::outbound_payment;
@@ -4427,27 +4427,16 @@ where
 			}
 		}
 		match decoded_hop {
-			onion_utils::Hop::Receive(next_hop_data) => {
-				// OUR PAYMENT!
-				let current_height: u32 = self.best_block.read().unwrap().height;
-				match create_recv_pending_htlc_info(msgs::InboundOnionPayload::Receive(next_hop_data), shared_secret, msg.payment_hash,
-					msg.amount_msat, msg.cltv_expiry, None, allow_underpay, msg.skimmed_fee_msat,
-					current_height)
-				{
-					Ok(info) => {
-						// Note that we could obviously respond immediately with an update_fulfill_htlc
-						// message, however that would leak that we are the recipient of this payment, so
-						// instead we stay symmetric with the forwarding case, only responding (after a
-						// delay) once they've send us a commitment_signed!
-						PendingHTLCStatus::Forward(info)
-					},
-					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
-				}
-			},
-			onion_utils::Hop::BlindedReceive(next_hop_data) => {
+			onion_utils::Hop::Receive { .. } | onion_utils::Hop::BlindedReceive { .. } => {
+				let inbound_onion_payload = match decoded_hop {
+					Hop::Receive { hop_data, .. } => msgs::InboundOnionPayload::Receive(hop_data),
+					Hop::BlindedReceive { hop_data, .. } => msgs::InboundOnionPayload::BlindedReceive(hop_data),
+					_ => unreachable!()
+				};
+
 				// OUR PAYMENT!
 				let current_height: u32 = self.best_block.read().unwrap().height;
-				match create_recv_pending_htlc_info(msgs::InboundOnionPayload::BlindedReceive(next_hop_data), shared_secret, msg.payment_hash,
+				match create_recv_pending_htlc_info(inbound_onion_payload, shared_secret, msg.payment_hash,
 					msg.amount_msat, msg.cltv_expiry, None, allow_underpay, msg.skimmed_fee_msat,
 					current_height)
 				{
@@ -4461,14 +4450,14 @@ where
 					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
 				}
 			},
-			onion_utils::Hop::Forward { next_hop_data, next_hop_hmac, new_packet_bytes } => {
+			onion_utils::Hop::Forward { next_hop_data, next_hop_hmac, new_packet_bytes, .. } => {
 				match create_fwd_pending_htlc_info(msg, msgs::InboundOnionPayload::Forward(next_hop_data), next_hop_hmac,
 					new_packet_bytes, shared_secret, next_packet_pubkey_opt) {
 					Ok(info) => PendingHTLCStatus::Forward(info),
 					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
 				}
 			},
-			onion_utils::Hop::BlindedForward { next_hop_data, next_hop_hmac, new_packet_bytes } => {
+			onion_utils::Hop::BlindedForward { next_hop_data, next_hop_hmac, new_packet_bytes, .. } => {
 				match create_fwd_pending_htlc_info(msg, msgs::InboundOnionPayload::BlindedForward(next_hop_data), next_hop_hmac,
 					new_packet_bytes, shared_secret, next_packet_pubkey_opt) {
 					Ok(info) => PendingHTLCStatus::Forward(info),
@@ -5696,7 +5685,7 @@ where
 			let mut htlc_forwards = Vec::new();
 			let mut htlc_fails = Vec::new();
 			for update_add_htlc in &update_add_htlcs {
-				let (next_hop, shared_secret, next_packet_details_opt) = match decode_incoming_update_add_htlc_onion(
+				let (next_hop, next_packet_details_opt) = match decode_incoming_update_add_htlc_onion(
 					&update_add_htlc, &*self.node_signer, &*self.logger, &self.secp_ctx
 				) {
 					Ok(decoded_onion) => decoded_onion,
@@ -5708,6 +5697,7 @@ where
 
 				let is_intro_node_blinded_forward = next_hop.is_intro_node_blinded_forward();
 				let outgoing_scid_opt = next_packet_details_opt.as_ref().map(|d| d.outgoing_scid);
+				let shared_secret = next_hop.shared_secret().secret_bytes();
 
 				// Process the HTLC on the incoming channel.
 				match self.do_funded_channel_callback(incoming_scid, |chan: &mut FundedChannel<SP>| {
@@ -5868,8 +5858,8 @@ where
 											if phantom_pubkey_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id, &self.chain_hash) {
 												let phantom_shared_secret = self.node_signer.ecdh(Recipient::PhantomNode, &onion_packet.public_key.unwrap(), None).unwrap().secret_bytes();
 												let next_hop = match onion_utils::decode_next_payment_hop(
-													phantom_shared_secret, &onion_packet.hop_data, onion_packet.hmac,
-													payment_hash, None, &*self.node_signer
+													Recipient::PhantomNode, &onion_packet.public_key.unwrap(), &onion_packet.hop_data,
+													onion_packet.hmac, payment_hash, None, &*self.node_signer
 												) {
 													Ok(res) => res,
 													Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
@@ -5885,8 +5875,8 @@ where
 													},
 												};
 												let inbound_onion_payload = match next_hop {
-													onion_utils::Hop::Receive(hop_data) => msgs::InboundOnionPayload::Receive(hop_data),
-													onion_utils::Hop::BlindedReceive(hop_data) => msgs::InboundOnionPayload::BlindedReceive(hop_data),
+													onion_utils::Hop::Receive { hop_data, .. } => msgs::InboundOnionPayload::Receive(hop_data),
+													onion_utils::Hop::BlindedReceive { hop_data, .. } => msgs::InboundOnionPayload::BlindedReceive(hop_data),
 													_ => panic!()
 												};
 												let current_height: u32 = self.best_block.read().unwrap().height;

lightning/src/ln/onion_payment.rs

@@ -285,7 +285,7 @@ where
 	NS::Target: NodeSigner,
 	L::Target: Logger,
 {
-	let (hop, shared_secret, next_packet_details_opt) =
+	let (hop, next_packet_details_opt) =
 		decode_incoming_update_add_htlc_onion(msg, node_signer, logger, secp_ctx
 	).map_err(|e| {
 		let (err_code, err_data) = match e {
@@ -296,7 +296,8 @@ where
 		InboundHTLCErr { msg, err_code, err_data }
 	})?;
 	Ok(match hop {
-		onion_utils::Hop::Forward { next_hop_hmac, new_packet_bytes, .. } | onion_utils::Hop::BlindedForward { next_hop_hmac, new_packet_bytes, .. } => {
+		onion_utils::Hop::Forward { shared_secret, next_hop_hmac, new_packet_bytes, .. } |
+		onion_utils::Hop::BlindedForward { shared_secret, next_hop_hmac, new_packet_bytes, .. } => {
 			let inbound_onion_payload = match hop {
 				onion_utils::Hop::Forward { next_hop_data, .. } => msgs::InboundOnionPayload::Forward(next_hop_data),
 				onion_utils::Hop::BlindedForward { next_hop_data, .. } => msgs::InboundOnionPayload::BlindedForward(next_hop_data),
@@ -328,19 +329,19 @@ where
 			// TODO: If this is potentially a phantom payment we should decode the phantom payment
 			// onion here and check it.
 			create_fwd_pending_htlc_info(
-				msg, inbound_onion_payload, next_hop_hmac, new_packet_bytes, shared_secret,
+				msg, inbound_onion_payload, next_hop_hmac, new_packet_bytes, shared_secret.secret_bytes(),
 				Some(next_packet_pubkey),
 			)?
 		},
-		onion_utils::Hop::Receive(received_data) => {
+		onion_utils::Hop::Receive{hop_data, shared_secret} => {
 			create_recv_pending_htlc_info(
-				msgs::InboundOnionPayload::Receive(received_data), shared_secret, msg.payment_hash, msg.amount_msat, msg.cltv_expiry,
+				msgs::InboundOnionPayload::Receive(hop_data), shared_secret.secret_bytes(), msg.payment_hash, msg.amount_msat, msg.cltv_expiry,
 				None, allow_skimmed_fees, msg.skimmed_fee_msat, cur_height,
 			)?
 		},
-		onion_utils::Hop::BlindedReceive(received_data) => {
+		onion_utils::Hop::BlindedReceive{hop_data, shared_secret} => {
 			create_recv_pending_htlc_info(
-				msgs::InboundOnionPayload::BlindedReceive(received_data), shared_secret, msg.payment_hash, msg.amount_msat, msg.cltv_expiry,
+				msgs::InboundOnionPayload::BlindedReceive(hop_data), shared_secret.secret_bytes(), msg.payment_hash, msg.amount_msat, msg.cltv_expiry,
 				None, allow_skimmed_fees, msg.skimmed_fee_msat, cur_height,
 			)?
 		}
@@ -356,7 +357,7 @@ pub(super) struct NextPacketDetails {
 
 pub(super) fn decode_incoming_update_add_htlc_onion<NS: Deref, L: Deref, T: secp256k1::Verification>(
 	msg: &msgs::UpdateAddHTLC, node_signer: NS, logger: L, secp_ctx: &Secp256k1<T>,
-) -> Result<(onion_utils::Hop, [u8; 32], Option<NextPacketDetails>), HTLCFailureMsg>
+) -> Result<(onion_utils::Hop, Option<NextPacketDetails>), HTLCFailureMsg>
 where
 	NS::Target: NodeSigner,
 	L::Target: Logger,
@@ -422,7 +423,7 @@ where
 	}
 
 	let next_hop = match onion_utils::decode_next_payment_hop(
-		shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac,
+		Recipient::Node, &msg.onion_routing_packet.public_key.unwrap(), &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac,
 		msg.payment_hash, msg.blinding_point, node_signer
 	) {
 		Ok(res) => res,
@@ -463,7 +464,7 @@ where
 		_ => None
 	};
 
-	Ok((next_hop, shared_secret, next_packet_details))
+	Ok((next_hop, next_packet_details))
 }
 
 pub(super) fn check_incoming_htlc_cltv(

lightning/src/ln/onion_utils.rs

@@ -16,7 +16,7 @@ use crate::ln::msgs;
 use crate::offers::invoice_request::InvoiceRequest;
 use crate::routing::gossip::NetworkUpdate;
 use crate::routing::router::{BlindedTail, Path, RouteHop, RouteParameters, TrampolineHop};
-use crate::sign::NodeSigner;
+use crate::sign::{NodeSigner, Recipient};
 use crate::types::features::{ChannelFeatures, NodeFeatures};
 use crate::types::payment::{PaymentHash, PaymentPreimage};
 use crate::util::errors::{self, APIError};
@@ -1419,6 +1419,8 @@ pub(crate) enum Hop {
 	Forward {
 		/// Onion payload data used in forwarding the payment.
 		next_hop_data: msgs::InboundOnionForwardPayload,
+		/// Shared secret that was used to decrypt next_hop_data.
+		shared_secret: SharedSecret,
 		/// HMAC of the next hop's onion packet.
 		next_hop_hmac: [u8; 32],
 		/// Bytes of the onion packet we're forwarding.
@@ -1428,17 +1430,29 @@ pub(crate) enum Hop {
 	BlindedForward {
 		/// Onion payload data used in forwarding the payment.
 		next_hop_data: msgs::InboundOnionBlindedForwardPayload,
+		/// Shared secret that was used to decrypt next_hop_data.
+		shared_secret: SharedSecret,
 		/// HMAC of the next hop's onion packet.
 		next_hop_hmac: [u8; 32],
 		/// Bytes of the onion packet we're forwarding.
 		new_packet_bytes: [u8; ONION_DATA_LEN],
 	},
 	/// This onion payload was for us, not for forwarding to a next-hop. Contains information for
 	/// verifying the incoming payment.
-	Receive(msgs::InboundOnionReceivePayload),
+	Receive {
+		/// Onion payload data used to receive our payment.
+		hop_data: msgs::InboundOnionReceivePayload,
+		/// Shared secret that was used to decrypt hop_data.
+		shared_secret: SharedSecret,
+	},
 	/// This onion payload was for us, not for forwarding to a next-hop. Contains information for
 	/// verifying the incoming payment.
-	BlindedReceive(msgs::InboundOnionBlindedReceivePayload),
+	BlindedReceive {
+		/// Onion payload data used to receive our payment.
+		hop_data: msgs::InboundOnionBlindedReceivePayload,
+		/// Shared secret that was used to decrypt hop_data.
+		shared_secret: SharedSecret,
+	},
 }
 
 impl Hop {
@@ -1454,6 +1468,15 @@ impl Hop {
 			_ => false,
 		}
 	}
+
+	pub(crate) fn shared_secret(&self) -> SharedSecret {
+		match self {
+			Hop::Forward { shared_secret, .. } => shared_secret.clone(),
+			Hop::BlindedForward { shared_secret, .. } => shared_secret.clone(),
+			Hop::Receive { shared_secret, .. } => shared_secret.clone(),
+			Hop::BlindedReceive { shared_secret, .. } => shared_secret.clone(),
+		}
+	}
 }
 
 /// Error returned when we fail to decode the onion packet.
@@ -1466,12 +1489,23 @@ pub(crate) enum OnionDecodeErr {
 }
 
 pub(crate) fn decode_next_payment_hop<NS: Deref>(
-	shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: PaymentHash,
-	blinding_point: Option<PublicKey>, node_signer: NS,
+	recipient: Recipient, hop_pubkey: &PublicKey, hop_data: &[u8], hmac_bytes: [u8; 32],
+	payment_hash: PaymentHash, blinding_point: Option<PublicKey>, node_signer: NS,
 ) -> Result<Hop, OnionDecodeErr>
 where
 	NS::Target: NodeSigner,
 {
+	let blinded_node_id_tweak = blinding_point.map(|bp| {
+		let blinded_tlvs_ss = node_signer.ecdh(recipient, &bp, None).unwrap().secret_bytes();
+		let mut hmac = HmacEngine::<Sha256>::new(b"blinded_node_id");
+		hmac.input(blinded_tlvs_ss.as_ref());
+		Scalar::from_be_bytes(Hmac::from_engine(hmac).to_byte_array()).unwrap()
+	});
+	let shared_secret = node_signer
+		.ecdh(recipient, hop_pubkey, blinded_node_id_tweak.as_ref())
+		.unwrap()
+		.secret_bytes();
+
 	let decoded_hop: Result<(msgs::InboundOnionPayload, Option<_>), _> = decode_next_hop(
 		shared_secret,
 		hop_data,
@@ -1482,11 +1516,19 @@ where
 	match decoded_hop {
 		Ok((next_hop_data, Some((next_hop_hmac, FixedSizeOnionPacket(new_packet_bytes))))) => {
 			match next_hop_data {
-				msgs::InboundOnionPayload::Forward(next_hop_data) => {
-					Ok(Hop::Forward { next_hop_data, next_hop_hmac, new_packet_bytes })
-				},
+				msgs::InboundOnionPayload::Forward(next_hop_data) => Ok(Hop::Forward {
+					shared_secret: SharedSecret::from_bytes(shared_secret),
+					next_hop_data,
+					next_hop_hmac,
+					new_packet_bytes,
+				}),
 				msgs::InboundOnionPayload::BlindedForward(next_hop_data) => {
-					Ok(Hop::BlindedForward { next_hop_data, next_hop_hmac, new_packet_bytes })
+					Ok(Hop::BlindedForward {
+						shared_secret: SharedSecret::from_bytes(shared_secret),
+						next_hop_data,
+						next_hop_hmac,
+						new_packet_bytes,
+					})
 				},
 				_ => Err(OnionDecodeErr::Relay {
 					err_msg: "Final Node OnionHopData provided for us as an intermediary node",
@@ -1495,8 +1537,14 @@ where
 			}
 		},
 		Ok((next_hop_data, None)) => match next_hop_data {
-			msgs::InboundOnionPayload::Receive(payload) => Ok(Hop::Receive(payload)),
-			msgs::InboundOnionPayload::BlindedReceive(payload) => Ok(Hop::BlindedReceive(payload)),
+			msgs::InboundOnionPayload::Receive(hop_data) => Ok(Hop::Receive {
+				shared_secret: SharedSecret::from_bytes(shared_secret),
+				hop_data,
+			}),
+			msgs::InboundOnionPayload::BlindedReceive(hop_data) => Ok(Hop::BlindedReceive {
+				shared_secret: SharedSecret::from_bytes(shared_secret),
+				hop_data,
+			}),
 			_ => Err(OnionDecodeErr::Relay {
 				err_msg: "Intermediate Node OnionHopData provided for us as a final node",
 				err_code: 0x4000 | 22,

lightning/src/sign/mod.rs

@@ -822,6 +822,7 @@ pub trait ChannelSigner {
 ///
 /// This indicates to [`NodeSigner::sign_invoice`] what node secret key should be used to sign
 /// the invoice.
+#[derive(Clone, Copy)]
 pub enum Recipient {
 	/// The invoice should be signed with the local node secret key.
 	Node,