X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=lightning%2Fsrc%2Fln%2Fonion_payment.rs;h=5966dce91039db227155264deb0557a2ed2012ff;hb=c80d9a74b5437dd7c82fab40806adeb995219fc2;hp=3c30a4458f5e21634651eae84c3f26bd7e75a26d;hpb=1a7254c1784557cb69f551ac35401a0d7da7598a;p=rust-lightning diff --git a/lightning/src/ln/onion_payment.rs b/lightning/src/ln/onion_payment.rs index 3c30a445..5966dce9 100644 --- a/lightning/src/ln/onion_payment.rs +++ b/lightning/src/ln/onion_payment.rs @@ -1,14 +1,19 @@ -//! Utilities for channelmanager.rs +//! Utilities to decode payment onions and do contextless validation of incoming payments. //! -//! Includes a public [`peel_payment_onion`] function for use by external projects or libraries. +//! Primarily features [`peel_payment_onion`], which allows the decoding of an onion statelessly +//! and can be used to predict whether we'd accept a payment. -use bitcoin::hashes::Hash; +use bitcoin::hashes::{Hash, HashEngine}; +use bitcoin::hashes::hmac::{Hmac, HmacEngine}; use bitcoin::hashes::sha256::Hash as Sha256; -use bitcoin::secp256k1::{self, Secp256k1, PublicKey}; +use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1}; +use crate::blinded_path; +use crate::blinded_path::payment::{PaymentConstraints, PaymentRelay}; use crate::chain::channelmonitor::{HTLC_FAIL_BACK_BUFFER, LATENCY_GRACE_PERIOD_BLOCKS}; use crate::ln::PaymentHash; -use crate::ln::channelmanager::{CLTV_FAR_FAR_AWAY, HTLCFailureMsg, MIN_CLTV_EXPIRY_DELTA, PendingHTLCInfo, PendingHTLCRouting}; +use crate::ln::channelmanager::{BlindedForward, CLTV_FAR_FAR_AWAY, HTLCFailureMsg, MIN_CLTV_EXPIRY_DELTA, PendingHTLCInfo, PendingHTLCRouting}; +use crate::ln::features::BlindedHopFeatures; use crate::ln::msgs; use crate::ln::onion_utils; use crate::ln::onion_utils::{HTLCFailReason, INVALID_ONION_BLINDING}; @@ -19,6 +24,7 @@ use crate::prelude::*; use core::ops::Deref; /// Invalid inbound onion payment. +#[derive(Debug)] pub struct InboundOnionErr { /// BOLT 4 error code. pub err_code: u16, @@ -28,6 +34,31 @@ pub struct InboundOnionErr { pub msg: &'static str, } +fn check_blinded_payment_constraints( + amt_msat: u64, cltv_expiry: u32, constraints: &PaymentConstraints +) -> Result<(), ()> { + if amt_msat < constraints.htlc_minimum_msat || + cltv_expiry > constraints.max_cltv_expiry + { return Err(()) } + Ok(()) +} + +fn check_blinded_forward( + inbound_amt_msat: u64, inbound_cltv_expiry: u32, payment_relay: &PaymentRelay, + payment_constraints: &PaymentConstraints, features: &BlindedHopFeatures +) -> Result<(u64, u32), ()> { + let amt_to_forward = blinded_path::payment::amt_to_forward_msat( + inbound_amt_msat, payment_relay + ).ok_or(())?; + let outgoing_cltv_value = inbound_cltv_expiry.checked_sub( + payment_relay.cltv_expiry_delta as u32 + ).ok_or(())?; + check_blinded_payment_constraints(inbound_amt_msat, outgoing_cltv_value, payment_constraints)?; + + if features.requires_unknown_bits_from(&BlindedHopFeatures::empty()) { return Err(()) } + Ok((amt_to_forward, outgoing_cltv_value)) +} + pub(super) fn create_fwd_pending_htlc_info( msg: &msgs::UpdateAddHTLC, hop_data: msgs::InboundOnionPayload, hop_hmac: [u8; 32], new_packet_bytes: [u8; onion_utils::ONION_DATA_LEN], shared_secret: [u8; 32], @@ -41,10 +72,27 @@ pub(super) fn create_fwd_pending_htlc_info( hmac: hop_hmac, }; - let (short_channel_id, amt_to_forward, outgoing_cltv_value) = match hop_data { + let ( + short_channel_id, amt_to_forward, outgoing_cltv_value, inbound_blinding_point + ) = match hop_data { msgs::InboundOnionPayload::Forward { short_channel_id, amt_to_forward, outgoing_cltv_value } => - (short_channel_id, amt_to_forward, outgoing_cltv_value), - msgs::InboundOnionPayload::BlindedForward { .. } => todo!(), + (short_channel_id, amt_to_forward, outgoing_cltv_value, None), + msgs::InboundOnionPayload::BlindedForward { + short_channel_id, payment_relay, payment_constraints, intro_node_blinding_point, features, + } => { + let (amt_to_forward, outgoing_cltv_value) = check_blinded_forward( + msg.amount_msat, msg.cltv_expiry, &payment_relay, &payment_constraints, &features + ).map_err(|()| { + // We should be returning malformed here if `msg.blinding_point` is set, but this is + // unreachable right now since we checked it in `decode_update_add_htlc_onion`. + InboundOnionErr { + msg: "Underflow calculating outbound amount or cltv value for blinded forward", + err_code: INVALID_ONION_BLINDING, + err_data: vec![0; 32], + } + })?; + (short_channel_id, amt_to_forward, outgoing_cltv_value, Some(intro_node_blinding_point)) + }, msgs::InboundOnionPayload::Receive { .. } | msgs::InboundOnionPayload::BlindedReceive { .. } => return Err(InboundOnionErr { msg: "Final Node OnionHopData provided for us as an intermediary node", @@ -57,7 +105,7 @@ pub(super) fn create_fwd_pending_htlc_info( routing: PendingHTLCRouting::Forward { onion_packet: outgoing_packet, short_channel_id, - blinded: None, + blinded: inbound_blinding_point.map(|bp| BlindedForward { inbound_blinding_point: bp }), }, payment_hash: msg.payment_hash, incoming_shared_secret: shared_secret, @@ -73,16 +121,30 @@ pub(super) fn create_recv_pending_htlc_info( amt_msat: u64, cltv_expiry: u32, phantom_shared_secret: Option<[u8; 32]>, allow_underpay: bool, counterparty_skimmed_fee_msat: Option, current_height: u32, accept_mpp_keysend: bool, ) -> Result { - let (payment_data, keysend_preimage, custom_tlvs, onion_amt_msat, outgoing_cltv_value, payment_metadata) = match hop_data { + let ( + payment_data, keysend_preimage, custom_tlvs, onion_amt_msat, outgoing_cltv_value, + payment_metadata, requires_blinded_error + ) = match hop_data { msgs::InboundOnionPayload::Receive { payment_data, keysend_preimage, custom_tlvs, amt_msat, outgoing_cltv_value, payment_metadata, .. } => - (payment_data, keysend_preimage, custom_tlvs, amt_msat, outgoing_cltv_value, payment_metadata), + (payment_data, keysend_preimage, custom_tlvs, amt_msat, outgoing_cltv_value, payment_metadata, + false), msgs::InboundOnionPayload::BlindedReceive { - amt_msat, total_msat, outgoing_cltv_value, payment_secret, .. + amt_msat, total_msat, outgoing_cltv_value, payment_secret, intro_node_blinding_point, + payment_constraints, .. } => { + check_blinded_payment_constraints(amt_msat, cltv_expiry, &payment_constraints) + .map_err(|()| { + InboundOnionErr { + err_code: INVALID_ONION_BLINDING, + err_data: vec![0; 32], + msg: "Amount or cltv_expiry violated blinded payment constraints", + } + })?; let payment_data = msgs::FinalOnionHopData { payment_secret, total_msat }; - (Some(payment_data), None, Vec::new(), amt_msat, outgoing_cltv_value, None) + (Some(payment_data), None, Vec::new(), amt_msat, outgoing_cltv_value, None, + intro_node_blinding_point.is_none()) } msgs::InboundOnionPayload::Forward { .. } => { return Err(InboundOnionErr { @@ -169,6 +231,7 @@ pub(super) fn create_recv_pending_htlc_info( incoming_cltv_expiry: outgoing_cltv_value, phantom_shared_secret, custom_tlvs, + requires_blinded_error, } } else { return Err(InboundOnionErr { @@ -188,7 +251,9 @@ pub(super) fn create_recv_pending_htlc_info( }) } -/// Peel one layer off an incoming onion, returning [`PendingHTLCInfo`] (either Forward or Receive). +/// Peel one layer off an incoming onion, returning a [`PendingHTLCInfo`] that contains information +/// about the intended next-hop for the HTLC. +/// /// This does all the relevant context-free checks that LDK requires for payment relay or /// acceptance. If the payment is to be received, and the amount matches the expected amount for /// a given invoice, this indicates the [`msgs::UpdateAddHTLC`], once fully committed in the @@ -197,7 +262,7 @@ pub(super) fn create_recv_pending_htlc_info( /// [`Event::PaymentClaimable`]: crate::events::Event::PaymentClaimable pub fn peel_payment_onion( msg: &msgs::UpdateAddHTLC, node_signer: &NS, logger: &L, secp_ctx: &Secp256k1, - cur_height: u32, accept_mpp_keysend: bool, + cur_height: u32, accept_mpp_keysend: bool, allow_skimmed_fees: bool, ) -> Result where NS::Target: NodeSigner, @@ -236,6 +301,10 @@ where err_data: Vec::new(), }); } + + // TODO: If this is potentially a phantom payment we should decode the phantom payment + // onion here and check it. + create_fwd_pending_htlc_info( msg, next_hop_data, next_hop_hmac, new_packet_bytes, shared_secret, Some(next_packet_pubkey) @@ -244,7 +313,7 @@ where onion_utils::Hop::Receive(received_data) => { create_recv_pending_htlc_info( received_data, shared_secret, msg.payment_hash, msg.amount_msat, msg.cltv_expiry, - None, false, msg.skimmed_fee_msat, cur_height, accept_mpp_keysend, + None, allow_skimmed_fees, msg.skimmed_fee_msat, cur_height, accept_mpp_keysend, )? } }) @@ -268,11 +337,16 @@ where ($msg: expr, $err_code: expr) => { { log_info!(logger, "Failed to accept/forward incoming HTLC: {}", $msg); + let (sha256_of_onion, failure_code) = if msg.blinding_point.is_some() { + ([0; 32], INVALID_ONION_BLINDING) + } else { + (Sha256::hash(&msg.onion_routing_packet.hop_data).to_byte_array(), $err_code) + }; return Err(HTLCFailureMsg::Malformed(msgs::UpdateFailMalformedHTLC { channel_id: msg.channel_id, htlc_id: msg.htlc_id, - sha256_of_onion: Sha256::hash(&msg.onion_routing_packet.hop_data).to_byte_array(), - failure_code: $err_code, + sha256_of_onion, + failure_code, })); } } @@ -282,8 +356,14 @@ where return_malformed_err!("invalid ephemeral pubkey", 0x8000 | 0x4000 | 6); } + let blinded_node_id_tweak = msg.blinding_point.map(|bp| { + let blinded_tlvs_ss = node_signer.ecdh(Recipient::Node, &bp, None).unwrap().secret_bytes(); + let mut hmac = HmacEngine::::new(b"blinded_node_id"); + hmac.input(blinded_tlvs_ss.as_ref()); + Scalar::from_be_bytes(Hmac::from_engine(hmac).to_byte_array()).unwrap() + }); let shared_secret = node_signer.ecdh( - Recipient::Node, &msg.onion_routing_packet.public_key.unwrap(), None + Recipient::Node, &msg.onion_routing_packet.public_key.unwrap(), blinded_node_id_tweak.as_ref() ).unwrap().secret_bytes(); if msg.onion_routing_packet.version != 0 { @@ -298,6 +378,10 @@ where macro_rules! return_err { ($msg: expr, $err_code: expr, $data: expr) => { { + if msg.blinding_point.is_some() { + return_malformed_err!($msg, INVALID_ONION_BLINDING) + } + log_info!(logger, "Failed to accept/forward incoming HTLC: {}", $msg); return Err(HTLCFailureMsg::Relay(msgs::UpdateFailHTLC { channel_id: msg.channel_id, @@ -311,7 +395,7 @@ where let next_hop = match onion_utils::decode_next_payment_hop( shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac, - msg.payment_hash, node_signer + msg.payment_hash, msg.blinding_point, node_signer ) { Ok(res) => res, Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => { @@ -336,9 +420,25 @@ where } }, onion_utils::Hop::Forward { - next_hop_data: msgs::InboundOnionPayload::BlindedForward { .. }, .. + next_hop_data: msgs::InboundOnionPayload::BlindedForward { + short_channel_id, ref payment_relay, ref payment_constraints, ref features, .. + }, .. } => { - todo!() + let (amt_to_forward, outgoing_cltv_value) = match check_blinded_forward( + msg.amount_msat, msg.cltv_expiry, &payment_relay, &payment_constraints, &features + ) { + Ok((amt, cltv)) => (amt, cltv), + Err(()) => { + return_err!("Underflow calculating outbound amount or cltv value for blinded forward", + INVALID_ONION_BLINDING, &[0; 32]); + } + }; + let next_packet_pubkey = onion_utils::next_hop_pubkey(&secp_ctx, + msg.onion_routing_packet.public_key.unwrap(), &shared_secret); + NextPacketDetails { + next_packet_pubkey, outgoing_scid: short_channel_id, outgoing_amt_msat: amt_to_forward, + outgoing_cltv_value + } }, onion_utils::Hop::Receive { .. } => return Ok((next_hop, shared_secret, None)), onion_utils::Hop::Forward { next_hop_data: msgs::InboundOnionPayload::Receive { .. }, .. } | @@ -388,7 +488,7 @@ pub(super) fn check_incoming_htlc_cltv( mod tests { use bitcoin::hashes::Hash; use bitcoin::hashes::sha256::Hash as Sha256; - use bitcoin::secp256k1::{PublicKey, SecretKey}; + use bitcoin::secp256k1::{PublicKey, Secp256k1, SecretKey}; use crate::ln::{PaymentPreimage, PaymentHash, PaymentSecret}; use crate::ln::ChannelId; use crate::ln::channelmanager::RecipientOnionFields; @@ -398,6 +498,38 @@ mod tests { use crate::routing::router::{Path, RouteHop}; use crate::util::test_utils; + #[test] + fn fail_construct_onion_on_too_big_payloads() { + // Ensure that if we call `construct_onion_packet` and friends where payloads are too large for + // the allotted packet length, we'll fail to construct. Previously, senders would happily + // construct invalid packets by array-shifting the final node's HMAC out of the packet when + // adding an intermediate onion layer, causing the receiver to error with "final payload + // provided for us as an intermediate node." + let secp_ctx = Secp256k1::new(); + let bob = crate::sign::KeysManager::new(&[2; 32], 42, 42); + let bob_pk = PublicKey::from_secret_key(&secp_ctx, &bob.get_node_secret_key()); + let charlie = crate::sign::KeysManager::new(&[3; 32], 42, 42); + let charlie_pk = PublicKey::from_secret_key(&secp_ctx, &charlie.get_node_secret_key()); + + let ( + session_priv, total_amt_msat, cur_height, mut recipient_onion, keysend_preimage, payment_hash, + prng_seed, hops, .. + ) = payment_onion_args(bob_pk, charlie_pk); + + // Ensure the onion will not fit all the payloads by adding a large custom TLV. + recipient_onion.custom_tlvs.push((13377331, vec![0; 1156])); + + let path = Path { hops, blinded_tail: None, }; + let onion_keys = super::onion_utils::construct_onion_keys(&secp_ctx, &path, &session_priv).unwrap(); + let (onion_payloads, ..) = super::onion_utils::build_onion_payloads( + &path, total_amt_msat, recipient_onion, cur_height + 1, &Some(keysend_preimage) + ).unwrap(); + + assert!(super::onion_utils::construct_onion_packet( + onion_payloads, onion_keys, prng_seed, &payment_hash + ).is_err()); + } + #[test] fn test_peel_payment_onion() { use super::*; @@ -424,7 +556,7 @@ mod tests { let msg = make_update_add_msg(amount_msat, cltv_expiry, payment_hash, onion); let logger = test_utils::TestLogger::with_id("bob".to_string()); - let peeled = peel_payment_onion(&msg, &&bob, &&logger, &secp_ctx, cur_height, true) + let peeled = peel_payment_onion(&msg, &&bob, &&logger, &secp_ctx, cur_height, true, false) .map_err(|e| e.msg).unwrap(); let next_onion = match peeled.routing { @@ -435,7 +567,7 @@ mod tests { }; let msg2 = make_update_add_msg(amount_msat, cltv_expiry, payment_hash, next_onion); - let peeled2 = peel_payment_onion(&msg2, &&charlie, &&logger, &secp_ctx, cur_height, true) + let peeled2 = peel_payment_onion(&msg2, &&charlie, &&logger, &secp_ctx, cur_height, true, false) .map_err(|e| e.msg).unwrap(); match peeled2.routing {