(f?) Solely use shared secret calculated within decode_next_payment_hop

Author: arik-so

lightning/src/ln/channelmanager.rs

@@ -5856,7 +5856,6 @@ where
 										if let PendingHTLCRouting::Forward { ref onion_packet, .. } = routing {
 											let phantom_pubkey_res = self.node_signer.get_node_id(Recipient::PhantomNode);
 											if phantom_pubkey_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id, &self.chain_hash) {
-												let phantom_shared_secret = self.node_signer.ecdh(Recipient::PhantomNode, &onion_packet.public_key.unwrap(), None).unwrap().secret_bytes();
 												let next_hop = match onion_utils::decode_next_payment_hop(
 													Recipient::PhantomNode, &onion_packet.public_key.unwrap(), &onion_packet.hop_data,
 													onion_packet.hmac, payment_hash, None, &*self.node_signer
@@ -5870,15 +5869,17 @@ where
 														// of the onion.
 														failed_payment!(err_msg, err_code, sha256_of_onion.to_vec(), None);
 													},
-													Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code }) => {
+													Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code, shared_secret }) => {
+														let phantom_shared_secret = shared_secret.secret_bytes();
 														failed_payment!(err_msg, err_code, Vec::new(), Some(phantom_shared_secret));
 													},
 												};
-												let inbound_onion_payload = match next_hop {
-													onion_utils::Hop::Receive { hop_data, .. } => msgs::InboundOnionPayload::Receive(hop_data),
-													onion_utils::Hop::BlindedReceive { hop_data, .. } => msgs::InboundOnionPayload::BlindedReceive(hop_data),
+												let (inbound_onion_payload, shared_secret) = match next_hop {
+													onion_utils::Hop::Receive { hop_data, shared_secret } => (msgs::InboundOnionPayload::Receive(hop_data), shared_secret),
+													onion_utils::Hop::BlindedReceive { hop_data, shared_secret } => (msgs::InboundOnionPayload::BlindedReceive(hop_data), shared_secret),
 													_ => panic!()
 												};
+												let phantom_shared_secret = shared_secret.secret_bytes();
 												let current_height: u32 = self.best_block.read().unwrap().height;
 												match create_recv_pending_htlc_info(inbound_onion_payload,
 													incoming_shared_secret, payment_hash, outgoing_amt_msat,

lightning/src/ln/onion_payment.rs

@@ -3,10 +3,9 @@
 //! Primarily features [`peel_payment_onion`], which allows the decoding of an onion statelessly
 //! and can be used to predict whether we'd accept a payment.
 
-use bitcoin::hashes::{Hash, HashEngine};
-use bitcoin::hashes::hmac::{Hmac, HmacEngine};
+use bitcoin::hashes::Hash;
 use bitcoin::hashes::sha256::Hash as Sha256;
-use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1};
+use bitcoin::secp256k1::{self, PublicKey, Secp256k1};
 
 use crate::blinded_path;
 use crate::blinded_path::payment::{PaymentConstraints, PaymentRelay};
@@ -385,16 +384,6 @@ where
 		return_malformed_err!("invalid ephemeral pubkey", 0x8000 | 0x4000 | 6);
 	}
 
-	let blinded_node_id_tweak = msg.blinding_point.map(|bp| {
-		let blinded_tlvs_ss = node_signer.ecdh(Recipient::Node, &bp, None).unwrap().secret_bytes();
-		let mut hmac = HmacEngine::<Sha256>::new(b"blinded_node_id");
-		hmac.input(blinded_tlvs_ss.as_ref());
-		Scalar::from_be_bytes(Hmac::from_engine(hmac).to_byte_array()).unwrap()
-	});
-	let shared_secret = node_signer.ecdh(
-		Recipient::Node, &msg.onion_routing_packet.public_key.unwrap(), blinded_node_id_tweak.as_ref()
-	).unwrap().secret_bytes();
-
 	if msg.onion_routing_packet.version != 0 {
 		//TODO: Spec doesn't indicate if we should only hash hop_data here (and in other
 		//sha256_of_onion error data packets), or the entire onion_routing_packet. Either way,
@@ -404,23 +393,20 @@ where
 		//node knows the HMAC matched, so they already know what is there...
 		return_malformed_err!("Unknown onion packet version", 0x8000 | 0x4000 | 4);
 	}
-	macro_rules! return_err {
-		($msg: expr, $err_code: expr, $data: expr) => {
-			{
-				if msg.blinding_point.is_some() {
-					return_malformed_err!($msg, INVALID_ONION_BLINDING)
-				}
 
-				log_info!(logger, "Failed to accept/forward incoming HTLC: {}", $msg);
-				return Err(HTLCFailureMsg::Relay(msgs::UpdateFailHTLC {
-					channel_id: msg.channel_id,
-					htlc_id: msg.htlc_id,
-					reason: HTLCFailReason::reason($err_code, $data.to_vec())
-						.get_encrypted_failure_packet(&shared_secret, &None),
-				}));
-			}
+	let encode_relay_error = |message: &str, err_code: u16, shared_secret: [u8; 32], data: &[u8]| {
+		if msg.blinding_point.is_some() {
+			return_malformed_err!(message, INVALID_ONION_BLINDING)
 		}
-	}
+
+		log_info!(logger, "Failed to accept/forward incoming HTLC: {}", message);
+		return Err(HTLCFailureMsg::Relay(msgs::UpdateFailHTLC {
+			channel_id: msg.channel_id,
+			htlc_id: msg.htlc_id,
+			reason: HTLCFailReason::reason(err_code, data.to_vec())
+				.get_encrypted_failure_packet(&shared_secret, &None),
+		}));
+	};
 
 	let next_hop = match onion_utils::decode_next_payment_hop(
 		Recipient::Node, &msg.onion_routing_packet.public_key.unwrap(), &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac,
@@ -430,32 +416,32 @@ where
 		Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
 			return_malformed_err!(err_msg, err_code);
 		},
-		Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code }) => {
-			return_err!(err_msg, err_code, &[0; 0]);
+		Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code, shared_secret }) => {
+			return encode_relay_error(err_msg, err_code, shared_secret.secret_bytes(), &[0; 0]);
 		},
 	};
 
 	let next_packet_details = match next_hop {
-		Hop::Forward { next_hop_data: msgs::InboundOnionForwardPayload { short_channel_id, amt_to_forward, outgoing_cltv_value }, .. } => {
+		Hop::Forward { next_hop_data: msgs::InboundOnionForwardPayload { short_channel_id, amt_to_forward, outgoing_cltv_value }, shared_secret, .. } => {
 			let next_packet_pubkey = onion_utils::next_hop_pubkey(secp_ctx,
-				msg.onion_routing_packet.public_key.unwrap(), &shared_secret);
+				msg.onion_routing_packet.public_key.unwrap(), &shared_secret.secret_bytes());
 			Some(NextPacketDetails {
 				next_packet_pubkey, outgoing_scid: short_channel_id,
 				outgoing_amt_msat: amt_to_forward, outgoing_cltv_value
 			})
 		}
-		Hop::BlindedForward { next_hop_data: msgs::InboundOnionBlindedForwardPayload { short_channel_id, ref payment_relay, ref payment_constraints, ref features, .. }, .. } => {
+		Hop::BlindedForward { next_hop_data: msgs::InboundOnionBlindedForwardPayload { short_channel_id, ref payment_relay, ref payment_constraints, ref features, .. }, shared_secret, .. } => {
 			let (amt_to_forward, outgoing_cltv_value) = match check_blinded_forward(
 				msg.amount_msat, msg.cltv_expiry, &payment_relay, &payment_constraints, &features
 			) {
 				Ok((amt, cltv)) => (amt, cltv),
 				Err(()) => {
-					return_err!("Underflow calculating outbound amount or cltv value for blinded forward",
-						INVALID_ONION_BLINDING, &[0; 32]);
+					return encode_relay_error("Underflow calculating outbound amount or cltv value for blinded forward",
+						INVALID_ONION_BLINDING, shared_secret.secret_bytes(), &[0; 32]);
 				}
 			};
 			let next_packet_pubkey = onion_utils::next_hop_pubkey(&secp_ctx,
-				msg.onion_routing_packet.public_key.unwrap(), &shared_secret);
+				msg.onion_routing_packet.public_key.unwrap(), &shared_secret.secret_bytes());
 			Some(NextPacketDetails {
 				next_packet_pubkey, outgoing_scid: short_channel_id, outgoing_amt_msat: amt_to_forward,
 				outgoing_cltv_value

lightning/src/ln/onion_utils.rs

@@ -1485,7 +1485,7 @@ pub(crate) enum OnionDecodeErr {
 	/// The HMAC of the onion packet did not match the hop data.
 	Malformed { err_msg: &'static str, err_code: u16 },
 	/// We failed to decode the onion payload.
-	Relay { err_msg: &'static str, err_code: u16 },
+	Relay { err_msg: &'static str, err_code: u16, shared_secret: SharedSecret },
 }
 
 pub(crate) fn decode_next_payment_hop<NS: Deref>(
@@ -1530,10 +1530,20 @@ where
 						new_packet_bytes,
 					})
 				},
-				_ => Err(OnionDecodeErr::Relay {
-					err_msg: "Final Node OnionHopData provided for us as an intermediary node",
-					err_code: 0x4000 | 22,
-				}),
+				_ => {
+					if blinding_point.is_some() {
+						return Err(OnionDecodeErr::Malformed {
+							err_msg:
+								"Final Node OnionHopData provided for us as an intermediary node",
+							err_code: INVALID_ONION_BLINDING,
+						});
+					}
+					Err(OnionDecodeErr::Relay {
+						err_msg: "Final Node OnionHopData provided for us as an intermediary node",
+						err_code: 0x4000 | 22,
+						shared_secret: SharedSecret::from_bytes(shared_secret),
+					})
+				},
 			}
 		},
 		Ok((next_hop_data, None)) => match next_hop_data {
@@ -1545,10 +1555,19 @@ where
 				shared_secret: SharedSecret::from_bytes(shared_secret),
 				hop_data,
 			}),
-			_ => Err(OnionDecodeErr::Relay {
-				err_msg: "Intermediate Node OnionHopData provided for us as a final node",
-				err_code: 0x4000 | 22,
-			}),
+			_ => {
+				if blinding_point.is_some() {
+					return Err(OnionDecodeErr::Malformed {
+						err_msg: "Intermediate Node OnionHopData provided for us as a final node",
+						err_code: INVALID_ONION_BLINDING,
+					});
+				}
+				Err(OnionDecodeErr::Relay {
+					err_msg: "Intermediate Node OnionHopData provided for us as a final node",
+					err_code: 0x4000 | 22,
+					shared_secret: SharedSecret::from_bytes(shared_secret),
+				})
+			},
 		},
 		Err(e) => Err(e),
 	}
@@ -1694,6 +1713,7 @@ fn decode_next_hop<T, R: ReadableArgs<T>, N: NextPacketBytes>(
 			return Err(OnionDecodeErr::Relay {
 				err_msg: "Unable to decode our hop data",
 				err_code: error_code,
+				shared_secret: SharedSecret::from_bytes(shared_secret),
 			});
 		},
 		Ok(msg) => {
@@ -1702,6 +1722,7 @@ fn decode_next_hop<T, R: ReadableArgs<T>, N: NextPacketBytes>(
 				return Err(OnionDecodeErr::Relay {
 					err_msg: "Unable to decode our hop data",
 					err_code: 0x4000 | 22,
+					shared_secret: SharedSecret::from_bytes(shared_secret),
 				});
 			}
 			if hmac == [0; 32] {