From: Matt Corallo <git@bluematt.me>
Date: Tue, 8 Mar 2022 21:55:02 +0000 (+0000)
Subject: Use the correct SCID when failing HTLCs to aliased channels
X-Git-Tag: v0.0.106~4^2~2
X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=d2256301e89a05b8f76c6a080a0ee68abd5c762e;p=rust-lightning

Use the correct SCID when failing HTLCs to aliased channels

When we fail an HTLC which was destined for a channel that the HTLC
sender didn't know the real SCID for, we should ensure we continue
to use the alias in the channel_update we provide them. Otherwise
we will leak the channel's real SCID to HTLC senders.
---

diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
index 0ca18da3..a483421d 100644
--- a/lightning/src/ln/channelmanager.rs
+++ b/lightning/src/ln/channelmanager.rs
@@ -2413,7 +2413,6 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 					};
 					let (chan_update_opt, forwardee_cltv_expiry_delta) = if let Some(forwarding_id) = forwarding_id_opt {
 						let chan = channel_state.as_mut().unwrap().by_id.get_mut(&forwarding_id).unwrap();
-						let chan_update_opt = self.get_channel_update_for_broadcast(chan).ok();
 						if !chan.should_announce() && !self.default_configuration.accept_forwards_to_priv_channels {
 							// Note that the behavior here should be identical to the above block - we
 							// should NOT reveal the existence or non-existence of a private channel if
@@ -2426,6 +2425,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 							// we don't have the channel here.
 							break Some(("Refusing to forward over real channel SCID as our counterparty requested.", 0x4000 | 10, None));
 						}
+						let chan_update_opt = self.get_channel_update_for_onion(*short_channel_id, chan).ok();
 
 						// Note that we could technically not return an error yet here and just hope
 						// that the connection is reestablished or monitor updated by the time we get
@@ -2525,6 +2525,10 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			Some(id) => id,
 		};
 
+		self.get_channel_update_for_onion(short_channel_id, chan)
+	}
+	fn get_channel_update_for_onion(&self, short_channel_id: u64, chan: &Channel<Signer>) -> Result<msgs::ChannelUpdate, LightningError> {
+		log_trace!(self.logger, "Generating channel update for channel {}", log_bytes!(chan.channel_id()));
 		let were_node_one = PublicKey::from_secret_key(&self.secp_ctx, &self.our_network_key).serialize()[..] < chan.get_counterparty_node_id().serialize()[..];
 
 		let unsigned = msgs::UnsignedChannelUpdate {
@@ -3214,7 +3218,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 											} else {
 												panic!("Stated return value requirements in send_htlc() were not met");
 											}
-											let (failure_code, data) = self.get_htlc_temp_fail_err_and_data(0x1000|7, chan.get());
+											let (failure_code, data) = self.get_htlc_temp_fail_err_and_data(0x1000|7, short_chan_id, chan.get());
 											failed_forwards.push((htlc_source, payment_hash,
 												HTLCFailReason::Reason { failure_code, data }
 											));
@@ -3714,9 +3718,32 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 
 	/// Gets an HTLC onion failure code and error data for an `UPDATE` error, given the error code
 	/// that we want to return and a channel.
-	fn get_htlc_temp_fail_err_and_data(&self, desired_err_code: u16, chan: &Channel<Signer>) -> (u16, Vec<u8>) {
+	///
+	/// This is for failures on the channel on which the HTLC was *received*, not failures
+	/// forwarding
+	fn get_htlc_inbound_temp_fail_err_and_data(&self, desired_err_code: u16, chan: &Channel<Signer>) -> (u16, Vec<u8>) {
+		// We can't be sure what SCID was used when relaying inbound towards us, so we have to
+		// guess somewhat. If its a public channel, we figure best to just use the real SCID (as
+		// we're not leaking that we have a channel with the counterparty), otherwise we try to use
+		// an inbound SCID alias before the real SCID.
+		let scid_pref = if chan.should_announce() {
+			chan.get_short_channel_id().or(chan.latest_inbound_scid_alias())
+		} else {
+			chan.latest_inbound_scid_alias().or(chan.get_short_channel_id())
+		};
+		if let Some(scid) = scid_pref {
+			self.get_htlc_temp_fail_err_and_data(desired_err_code, scid, chan)
+		} else {
+			(0x4000|10, Vec::new())
+		}
+	}
+
+
+	/// Gets an HTLC onion failure code and error data for an `UPDATE` error, given the error code
+	/// that we want to return and a channel.
+	fn get_htlc_temp_fail_err_and_data(&self, desired_err_code: u16, scid: u64, chan: &Channel<Signer>) -> (u16, Vec<u8>) {
 		debug_assert_eq!(desired_err_code & 0x1000, 0x1000);
-		if let Ok(upd) = self.get_channel_update_for_unicast(chan) {
+		if let Ok(upd) = self.get_channel_update_for_onion(scid, chan) {
 			let mut enc = VecWriter(Vec::with_capacity(upd.serialized_length() + 4));
 			if desired_err_code == 0x1000 | 20 {
 				// TODO: underspecified, follow https://github.com/lightning/bolts/issues/791
@@ -3744,7 +3771,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 					let (failure_code, onion_failure_data) =
 						match self.channel_state.lock().unwrap().by_id.entry(channel_id) {
 							hash_map::Entry::Occupied(chan_entry) => {
-								self.get_htlc_temp_fail_err_and_data(0x1000|7, &chan_entry.get())
+								self.get_htlc_inbound_temp_fail_err_and_data(0x1000|7, &chan_entry.get())
 							},
 							hash_map::Entry::Vacant(_) => (0x4000|10, Vec::new())
 						};
@@ -4634,7 +4661,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 					match pending_forward_info {
 						PendingHTLCStatus::Forward(PendingHTLCInfo { ref incoming_shared_secret, .. }) => {
 							let reason = if (error_code & 0x1000) != 0 {
-								let (real_code, error_data) = self.get_htlc_temp_fail_err_and_data(error_code, chan);
+								let (real_code, error_data) = self.get_htlc_inbound_temp_fail_err_and_data(error_code, chan);
 								onion_utils::build_first_hop_failure_packet(incoming_shared_secret, real_code, &error_data)
 							} else {
 								onion_utils::build_first_hop_failure_packet(incoming_shared_secret, error_code, &[])
@@ -5627,8 +5654,8 @@ where
 				let res = f(channel);
 				if let Ok((funding_locked_opt, mut timed_out_pending_htlcs, announcement_sigs)) = res {
 					for (source, payment_hash) in timed_out_pending_htlcs.drain(..) {
-						let (failure_code, data) = self.get_htlc_temp_fail_err_and_data(0x1000|14 /* expiry_too_soon */, &channel);
-						timed_out_htlcs.push((source, payment_hash,  HTLCFailReason::Reason {
+						let (failure_code, data) = self.get_htlc_inbound_temp_fail_err_and_data(0x1000|14 /* expiry_too_soon */, &channel);
+						timed_out_htlcs.push((source, payment_hash, HTLCFailReason::Reason {
 							failure_code, data,
 						}));
 					}
diff --git a/lightning/src/ln/functional_test_utils.rs b/lightning/src/ln/functional_test_utils.rs
index c95ac5bb..d65bf2ee 100644
--- a/lightning/src/ln/functional_test_utils.rs
+++ b/lightning/src/ln/functional_test_utils.rs
@@ -14,7 +14,7 @@ use chain::{BestBlock, Confirm, Listen, Watch, keysinterface::KeysInterface};
 use chain::channelmonitor::ChannelMonitor;
 use chain::transaction::OutPoint;
 use ln::{PaymentPreimage, PaymentHash, PaymentSecret};
-use ln::channelmanager::{ChainParameters, ChannelManager, ChannelManagerReadArgs, RAACommitmentOrder, PaymentSendFailure, PaymentId};
+use ln::channelmanager::{ChainParameters, ChannelManager, ChannelManagerReadArgs, RAACommitmentOrder, PaymentSendFailure, PaymentId, MIN_CLTV_EXPIRY_DELTA};
 use routing::network_graph::{NetGraphMsgHandler, NetworkGraph};
 use routing::router::{PaymentParameters, Route, get_route};
 use ln::features::{InitFeatures, InvoiceFeatures};
@@ -1848,7 +1848,7 @@ pub fn test_default_channel_config() -> UserConfig {
 	let mut default_config = UserConfig::default();
 	// Set cltv_expiry_delta slightly lower to keep the final CLTV values inside one byte in our
 	// tests so that our script-length checks don't fail (see ACCEPTED_HTLC_SCRIPT_WEIGHT).
-	default_config.channel_options.cltv_expiry_delta = 6*6;
+	default_config.channel_options.cltv_expiry_delta = MIN_CLTV_EXPIRY_DELTA;
 	default_config.channel_options.announced_channel = true;
 	default_config.peer_channel_config_limits.force_announced_channel_preference = false;
 	// When most of our tests were written, the default HTLC minimum was fixed at 1000.
diff --git a/lightning/src/ln/onion_route_tests.rs b/lightning/src/ln/onion_route_tests.rs
index 070d88dd..706fcb6c 100644
--- a/lightning/src/ln/onion_route_tests.rs
+++ b/lightning/src/ln/onion_route_tests.rs
@@ -993,4 +993,3 @@ fn test_phantom_failure_reject_payment() {
 		.expected_htlc_error_data(0x4000 | 15, &error_data);
 	expect_payment_failed_conditions!(nodes[0], payment_hash, true, fail_conditions);
 }
-
diff --git a/lightning/src/ln/priv_short_conf_tests.rs b/lightning/src/ln/priv_short_conf_tests.rs
index 806f4f20..996d64f3 100644
--- a/lightning/src/ln/priv_short_conf_tests.rs
+++ b/lightning/src/ln/priv_short_conf_tests.rs
@@ -13,12 +13,13 @@
 
 use chain::Watch;
 use chain::channelmonitor::ChannelMonitor;
+use chain::keysinterface::{Recipient, KeysInterface};
 use ln::channelmanager::{ChannelManager, ChannelManagerReadArgs, MIN_CLTV_EXPIRY_DELTA};
 use routing::network_graph::RoutingFees;
 use routing::router::{RouteHint, RouteHintHop};
 use ln::features::InitFeatures;
 use ln::msgs;
-use ln::msgs::{ChannelMessageHandler, RoutingMessageHandler};
+use ln::msgs::{ChannelMessageHandler, RoutingMessageHandler, OptionalField};
 use util::enforcing_trait_impls::EnforcingSigner;
 use util::events::{Event, MessageSendEvent, MessageSendEventsProvider};
 use util::config::UserConfig;
@@ -30,7 +31,12 @@ use core::default::Default;
 
 use ln::functional_test_utils::*;
 
+use bitcoin::blockdata::constants::genesis_block;
 use bitcoin::hash_types::BlockHash;
+use bitcoin::hashes::Hash;
+use bitcoin::hashes::sha256d::Hash as Sha256dHash;
+use bitcoin::network::constants::Network;
+use bitcoin::secp256k1::Secp256k1;
 
 #[test]
 fn test_priv_forwarding_rejection() {
@@ -445,3 +451,93 @@ fn test_inbound_scid_privacy() {
 		PaymentFailedConditions::new().blamed_scid(last_hop[0].short_channel_id.unwrap())
 			.blamed_chan_closed(true).expected_htlc_error_data(0x4000|10, &[0; 0]));
 }
+
+#[test]
+fn test_scid_alias_returned() {
+	// Tests that when we fail an HTLC (in this case due to attempting to forward more than the
+	// channel's available balance) we use the correct (in this case the aliased) SCID in the
+	// channel_update which is returned in the onion to the sender.
+	let chanmon_cfgs = create_chanmon_cfgs(3);
+	let node_cfgs = create_node_cfgs(3, &chanmon_cfgs);
+	let mut accept_forward_cfg = test_default_channel_config();
+	accept_forward_cfg.accept_forwards_to_priv_channels = true;
+	let node_chanmgrs = create_node_chanmgrs(3, &node_cfgs, &[None, Some(accept_forward_cfg), None]);
+	let nodes = create_network(3, &node_cfgs, &node_chanmgrs);
+
+	create_announced_chan_between_nodes_with_value(&nodes, 0, 1, 10_000_000, 0, InitFeatures::known(), InitFeatures::known());
+	create_unannounced_chan_between_nodes_with_value(&nodes, 1, 2, 10_000, 0, InitFeatures::known(), InitFeatures::known());
+
+	let last_hop = nodes[2].node.list_usable_channels();
+	let mut hop_hints = vec![RouteHint(vec![RouteHintHop {
+		src_node_id: nodes[1].node.get_our_node_id(),
+		short_channel_id: last_hop[0].inbound_scid_alias.unwrap(),
+		fees: RoutingFees {
+			base_msat: last_hop[0].counterparty.forwarding_info.as_ref().unwrap().fee_base_msat,
+			proportional_millionths: last_hop[0].counterparty.forwarding_info.as_ref().unwrap().fee_proportional_millionths,
+		},
+		cltv_expiry_delta: last_hop[0].counterparty.forwarding_info.as_ref().unwrap().cltv_expiry_delta,
+		htlc_maximum_msat: None,
+		htlc_minimum_msat: None,
+	}])];
+	let (mut route, payment_hash, _, payment_secret) = get_route_and_payment_hash!(nodes[0], nodes[2], hop_hints, 10_000, 42);
+	assert_eq!(route.paths[0][1].short_channel_id, nodes[2].node.list_usable_channels()[0].inbound_scid_alias.unwrap());
+
+	route.paths[0][1].fee_msat = 10_000_000; // Overshoot the last channel's value
+
+	// Route the HTLC through to the destination.
+	nodes[0].node.send_payment(&route, payment_hash, &Some(payment_secret)).unwrap();
+	check_added_monitors!(nodes[0], 1);
+	let as_updates = get_htlc_update_msgs!(nodes[0], nodes[1].node.get_our_node_id());
+	nodes[1].node.handle_update_add_htlc(&nodes[0].node.get_our_node_id(), &as_updates.update_add_htlcs[0]);
+	commitment_signed_dance!(nodes[1], nodes[0], &as_updates.commitment_signed, false, true);
+
+	expect_pending_htlcs_forwardable!(nodes[1]);
+	expect_pending_htlcs_forwardable!(nodes[1]);
+	check_added_monitors!(nodes[1], 1);
+
+	let bs_updates = get_htlc_update_msgs!(nodes[1], nodes[0].node.get_our_node_id());
+	nodes[0].node.handle_update_fail_htlc(&nodes[1].node.get_our_node_id(), &bs_updates.update_fail_htlcs[0]);
+	commitment_signed_dance!(nodes[0], nodes[1], bs_updates.commitment_signed, false, true);
+
+	// Build the expected channel update
+	let contents = msgs::UnsignedChannelUpdate {
+		chain_hash: genesis_block(Network::Testnet).header.block_hash(),
+		short_channel_id: last_hop[0].inbound_scid_alias.unwrap(),
+		timestamp: 21,
+		flags: 1,
+		cltv_expiry_delta: accept_forward_cfg.channel_options.cltv_expiry_delta,
+		htlc_minimum_msat: 1_000,
+		htlc_maximum_msat: OptionalField::Present(1_000_000), // Defaults to 10% of the channel value
+		fee_base_msat: last_hop[0].counterparty.forwarding_info.as_ref().unwrap().fee_base_msat,
+		fee_proportional_millionths: last_hop[0].counterparty.forwarding_info.as_ref().unwrap().fee_proportional_millionths,
+		excess_data: Vec::new(),
+	};
+	let msg_hash = Sha256dHash::hash(&contents.encode()[..]);
+	let signature = Secp256k1::new().sign(&hash_to_message!(&msg_hash[..]), &nodes[1].keys_manager.get_node_secret(Recipient::Node).unwrap());
+	let msg = msgs::ChannelUpdate { signature, contents };
+
+	expect_payment_failed_conditions!(nodes[0], payment_hash, false,
+		PaymentFailedConditions::new().blamed_scid(last_hop[0].inbound_scid_alias.unwrap())
+			.blamed_chan_closed(false).expected_htlc_error_data(0x1000|7, &msg.encode_with_len()));
+
+	route.paths[0][1].fee_msat = 10_000; // Reset to the correct payment amount
+	route.paths[0][0].fee_msat = 0; // But set fee paid to the middle hop to 0
+
+	// Route the HTLC through to the destination.
+	nodes[0].node.send_payment(&route, payment_hash, &Some(payment_secret)).unwrap();
+	check_added_monitors!(nodes[0], 1);
+	let as_updates = get_htlc_update_msgs!(nodes[0], nodes[1].node.get_our_node_id());
+	nodes[1].node.handle_update_add_htlc(&nodes[0].node.get_our_node_id(), &as_updates.update_add_htlcs[0]);
+	commitment_signed_dance!(nodes[1], nodes[0], &as_updates.commitment_signed, false, true);
+
+	let bs_updates = get_htlc_update_msgs!(nodes[1], nodes[0].node.get_our_node_id());
+	nodes[0].node.handle_update_fail_htlc(&nodes[1].node.get_our_node_id(), &bs_updates.update_fail_htlcs[0]);
+	commitment_signed_dance!(nodes[0], nodes[1], bs_updates.commitment_signed, false, true);
+
+	let mut err_data = Vec::new();
+	err_data.extend_from_slice(&10_000u64.to_be_bytes());
+	err_data.extend_from_slice(&msg.encode_with_len());
+	expect_payment_failed_conditions!(nodes[0], payment_hash, false,
+		PaymentFailedConditions::new().blamed_scid(last_hop[0].inbound_scid_alias.unwrap())
+			.blamed_chan_closed(false).expected_htlc_error_data(0x1000|12, &err_data));
+}