Verify that an HTLC's ReceiveTlvs is authentic

When receiving a payment over a BlindedPaymentPath, a PaymentContext is
included but was not authenticated. The previous commit adds an HMAC of
the payment::ReceiveTlvs (which contains the PaymentContext) and the
nonce used to create the HMAC. This commit verifies the authenticity
when parsing the InboundOnionPayload. This prevents a malicious actor
from for forging it.

Author: jkczyz

lightning/src/ln/msgs.rs

@@ -32,6 +32,7 @@ use bitcoin::script::ScriptBuf;
 use bitcoin::hash_types::Txid;
 
 use crate::blinded_path::payment::{BlindedPaymentTlvs, ForwardTlvs, ReceiveTlvs};
+use crate::ln::channelmanager::Verification;
 use crate::ln::types::ChannelId;
 use crate::types::payment::{PaymentPreimage, PaymentHash, PaymentSecret};
 use crate::types::features::{ChannelFeatures, ChannelTypeFeatures, InitFeatures, NodeFeatures};
@@ -2907,9 +2908,19 @@ impl<NS: Deref> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPayload wh
 						next_blinding_override,
 					})
 				},
-				ChaChaPolyReadAdapter { readable: BlindedPaymentTlvs::Receive(ReceiveTlvs {
-					payment_secret, payment_constraints, payment_context, authentication: _,
-				})} => {
+				ChaChaPolyReadAdapter { readable: BlindedPaymentTlvs::Receive(mut receive_tlvs) } => {
+					if let Some((hmac, nonce)) = receive_tlvs.authentication.take() {
+						let expanded_key = node_signer.get_inbound_payment_key();
+						if receive_tlvs.verify_for_offer_payment(hmac, nonce, &expanded_key).is_err() {
+							return Err(DecodeError::InvalidValue);
+						}
+					} else {
+						return Err(DecodeError::InvalidValue);
+					}
+
+					let ReceiveTlvs {
+						payment_secret, payment_constraints, payment_context, authentication: _,
+					} = receive_tlvs;
 					if total_msat.unwrap_or(0) > MAX_VALUE_MSAT { return Err(DecodeError::InvalidValue) }
 					Ok(Self::BlindedReceive {
 						sender_intended_htlc_amt_msat: amt.ok_or(DecodeError::InvalidValue)?,