Construct forwarding onion [rephrase]

Construct Trampoline forwarding onion with throwaway session_priv…

Author: arik-so

lightning/src/ln/blinded_payment_tests.rs

@@ -2460,3 +2460,165 @@ fn test_trampoline_forward_rejection() {
 		expect_payment_failed_conditions(&nodes[0], payment_hash, false, payment_failed_conditions);
 	}
 }
+
+#[test]
+fn test_unblinded_trampoline_forward() {
+	// Simulate a payment of A (0) -> B (1) -> C(Trampoline) (2) -> D(Trampoline(receive)) (3)
+	// trampoline hops C -> T0 (4) -> D
+	// make it fail at B, then at C's outer onion, then at C's inner onion
+	const TOTAL_NODE_COUNT: usize = 5;
+	let secp_ctx = Secp256k1::new();
+
+	let chanmon_cfgs = create_chanmon_cfgs(TOTAL_NODE_COUNT);
+	let node_cfgs = create_node_cfgs(TOTAL_NODE_COUNT, &chanmon_cfgs);
+	let node_chanmgrs = create_node_chanmgrs(TOTAL_NODE_COUNT, &node_cfgs, &vec![None; TOTAL_NODE_COUNT]);
+	let mut nodes = create_network(TOTAL_NODE_COUNT, &node_cfgs, &node_chanmgrs);
+
+	let (_, _, chan_id_alice_bob, _) = create_announced_chan_between_nodes_with_value(&nodes, 0, 1, 1_000_000, 0);
+	let (_, _, chan_id_bob_carol, _) = create_announced_chan_between_nodes_with_value(&nodes, 1, 2, 1_000_000, 0);
+	let (_, _, _, _) = create_announced_chan_between_nodes_with_value(&nodes, 2, 4, 1_000_000, 0);
+	let (_, _, _, _) = create_announced_chan_between_nodes_with_value(&nodes, 4, 3, 1_000_000, 0);
+
+	for i in 0..TOTAL_NODE_COUNT { // connect all nodes' blocks
+		connect_blocks(&nodes[i], (TOTAL_NODE_COUNT as u32) * CHAN_CONFIRM_DEPTH + 1 - nodes[i].best_block_info().1);
+	}
+
+	let alice_node_id = nodes[0].node().get_our_node_id();
+	let bob_node_id = nodes[1].node().get_our_node_id();
+	let carol_node_id = nodes[2].node().get_our_node_id();
+	let dave_node_id = nodes[3].node().get_our_node_id();
+
+	let alice_bob_scid = nodes[0].node().list_channels().iter().find(|c| c.channel_id == chan_id_alice_bob).unwrap().short_channel_id.unwrap();
+	let bob_carol_scid = nodes[1].node().list_channels().iter().find(|c| c.channel_id == chan_id_bob_carol).unwrap().short_channel_id.unwrap();
+
+	let amt_msat = 1000;
+	let (payment_preimage, payment_hash, payment_secret) = get_payment_preimage_hash(&nodes[3], Some(amt_msat), None);
+
+	let route = Route {
+		paths: vec![Path {
+			hops: vec![
+				// Bob
+				RouteHop {
+					pubkey: bob_node_id,
+					node_features: NodeFeatures::empty(),
+					short_channel_id: alice_bob_scid,
+					channel_features: ChannelFeatures::empty(),
+					fee_msat: 1000, // forwarding fee to Carol
+					cltv_expiry_delta: 48,
+					maybe_announced_channel: false,
+				},
+
+				// Carol
+				RouteHop {
+					pubkey: carol_node_id,
+					node_features: NodeFeatures::empty(),
+					short_channel_id: bob_carol_scid,
+					channel_features: ChannelFeatures::empty(),
+					fee_msat: 2000, // fee for the usage of the entire blinded path, including Trampoline
+					cltv_expiry_delta: 48,
+					maybe_announced_channel: false,
+				}
+			],
+			blinded_tail: Some(BlindedTail {
+				trampoline_hops: vec![
+					// Carol
+					TrampolineHop {
+						pubkey: carol_node_id,
+						node_features: Features::empty(),
+						fee_msat: amt_msat,
+						cltv_expiry_delta: 176, // let her cook
+					},
+
+					// Dave (recipient)
+					TrampolineHop {
+						pubkey: dave_node_id,
+						node_features: Features::empty(),
+						fee_msat: 0, // no need to charge a fee as the recipient
+						cltv_expiry_delta: 24,
+					},
+				],
+				hops: vec![
+					// Dave's blinded node id
+					BlindedHop {
+						blinded_node_id: pubkey_from_hex("0295d40514096a8be54859e7dfe947b376eaafea8afe5cb4eb2c13ff857ed0b4be"),
+						encrypted_payload: bytes_from_hex("0ccf3c8a58deaa603f657ee2a5ed9d604eb5c8ca1e5f801989afa8f3ea6d789bbdde2c7e7a1ef9ca8c38d2c54760febad8446d3f273ddb537569ef56613846ccd3aba78a"),
+					}
+				],
+				blinding_point: alice_node_id,
+				excess_final_cltv_expiry_delta: 39,
+				final_value_msat: amt_msat,
+			})
+		}],
+		route_params: None,
+	};
+
+	nodes[0].node.send_payment_with_route(route.clone(), payment_hash, RecipientOnionFields::spontaneous_empty(), PaymentId(payment_hash.0)).unwrap();
+
+	let replacement_onion = {
+		// create a substitute onion where the last Trampoline hop is an unblinded receive, which we
+		// (deliberately) do not support out of the box, therefore necessitating this workaround
+		let trampoline_secret_key = secret_from_hex("0134928f7b7ca6769080d70f16be84c812c741f545b49a34db47ce338a205799");
+		let prng_seed = secret_from_hex("fe02b4b9054302a3ddf4e1e9f7c411d644aebbd295218ab009dca94435f775a9");
+		let recipient_onion_fields = RecipientOnionFields::spontaneous_empty();
+
+		let blinded_tail = route.paths[0].blinded_tail.clone().unwrap();
+		let (mut trampoline_payloads, outer_total_msat, outer_starting_htlc_offset) = onion_utils::build_trampoline_onion_payloads(&blinded_tail, amt_msat, &recipient_onion_fields, 32, &None).unwrap();
+
+		// pop the last dummy hop
+		trampoline_payloads.pop();
+
+		trampoline_payloads.push(msgs::OutboundTrampolinePayload::Receive {
+			payment_data: Some(msgs::FinalOnionHopData {
+				payment_secret,
+				total_msat: amt_msat,
+			}),
+			sender_intended_htlc_amt_msat: amt_msat,
+			cltv_expiry_height: 96,
+		});
+
+		let trampoline_onion_keys = onion_utils::construct_trampoline_onion_keys(&secp_ctx, &route.paths[0].blinded_tail.as_ref().unwrap(), &trampoline_secret_key).unwrap();
+		let trampoline_packet = onion_utils::construct_trampoline_onion_packet(
+			trampoline_payloads,
+			trampoline_onion_keys,
+			prng_seed.secret_bytes(),
+			&payment_hash,
+			None,
+		).unwrap();
+
+		let outer_session_priv = secret_from_hex("e52c20461ed7acd46c4e7b591a37610519179482887bd73bf3b94617f8f03677");
+
+		let (outer_payloads, _, _) = onion_utils::build_onion_payloads(&route.paths[0], outer_total_msat, &recipient_onion_fields, outer_starting_htlc_offset, &None, None, Some(trampoline_packet)).unwrap();
+		let outer_onion_keys = onion_utils::construct_onion_keys(&secp_ctx, &route.clone().paths[0], &outer_session_priv).unwrap();
+		let outer_packet = onion_utils::construct_onion_packet(
+			outer_payloads,
+			outer_onion_keys,
+			prng_seed.secret_bytes(),
+			&payment_hash,
+		).unwrap();
+
+		outer_packet
+	};
+
+	check_added_monitors!(&nodes[0], 1);
+
+	let mut events = nodes[0].node.get_and_clear_pending_msg_events();
+	assert_eq!(events.len(), 1);
+	let mut first_message_event = remove_first_msg_event_to_node(&nodes[1].node.get_our_node_id(), &mut events);
+	let mut update_message = match first_message_event {
+		MessageSendEvent::UpdateHTLCs { ref mut updates, .. } => {
+			assert_eq!(updates.update_add_htlcs.len(), 1);
+			updates.update_add_htlcs.get_mut(0)
+		},
+		_ => panic!()
+	};
+	update_message.map(|msg| {
+		msg.onion_routing_packet = replacement_onion.clone();
+	});
+
+	let route: &[&Node] = &[&nodes[1], &nodes[2], &nodes[4], &nodes[3]];
+	let args = PassAlongPathArgs::new(&nodes[0], route, amt_msat, payment_hash, first_message_event)
+		.with_payment_secret(payment_secret);
+	do_pass_along_path(args);
+
+	claim_payment(&nodes[0], &[&nodes[1], &nodes[2], &nodes[4], &nodes[3]], payment_preimage);
+}

lightning/src/ln/channelmanager.rs

@@ -6180,6 +6180,165 @@ where
 								}
 								None
 							},
+							HTLCForwardInfo::AddHTLC(PendingAddHTLCInfo {
+								prev_short_channel_id, prev_htlc_id, prev_channel_id, prev_funding_outpoint,
+								prev_user_channel_id, prev_counterparty_node_id, forward_info: PendingHTLCInfo {
+									incoming_shared_secret, payment_hash, outgoing_amt_msat, outgoing_cltv_value,
+									routing: PendingHTLCRouting::TrampolineForward {
+										ref onion_packet, blinded, incoming_cltv_expiry, ref hops, ..
+									}, skimmed_fee_msat, incoming_amt_msat
+								},
+							}) => {
+								let htlc_source = HTLCSource::PreviousHopData(HTLCPreviousHopData {
+									short_channel_id: prev_short_channel_id,
+									user_channel_id: Some(prev_user_channel_id),
+									counterparty_node_id: prev_counterparty_node_id,
+									channel_id: prev_channel_id,
+									outpoint: prev_funding_outpoint,
+									htlc_id: prev_htlc_id,
+									incoming_packet_shared_secret: incoming_shared_secret,
+									// Phantom payments are only PendingHTLCRouting::Receive.
+									phantom_shared_secret: None,
+									blinded_failure: blinded.map(|b| b.failure),
+									cltv_expiry: Some(incoming_cltv_expiry),
+								});
+								let next_blinding_point = blinded.and_then(|b| {
+									b.next_blinding_override.or_else(|| {
+										let encrypted_tlvs_ss = self.node_signer.ecdh(
+											Recipient::Node, &b.inbound_blinding_point, None
+										).unwrap().secret_bytes();
+										onion_utils::next_hop_pubkey(
+											&self.secp_ctx, b.inbound_blinding_point, &encrypted_tlvs_ss
+										).ok()
+									})
+								});
+
+								let mut full_outgoing_amt_msat = outgoing_amt_msat;
+								let mut full_outgoing_cltv = outgoing_cltv_value;
+
+								let outer_onion_packet = {
+									let path = Path {
+										hops: hops.clone(),
+										blinded_tail: None,
+									};
+									let recipient_onion = RecipientOnionFields::spontaneous_empty();
+									let (mut onion_payloads, htlc_msat, htlc_cltv) = onion_utils::build_onion_payloads(
+										&path,
+										outgoing_amt_msat,
+										&recipient_onion,
+										outgoing_cltv_value,
+										&None,
+										None,
+										None,
+									).unwrap();
+
+									if let Some(last_payload) = onion_payloads.last_mut() {
+										match last_payload {
+											msgs::OutboundOnionPayload::Receive { sender_intended_htlc_amt_msat, cltv_expiry_height, .. } => {
+												*last_payload = match next_blinding_point {
+													None => msgs::OutboundOnionPayload::TrampolineEntrypoint {
+														amt_to_forward: *sender_intended_htlc_amt_msat,
+														outgoing_cltv_value: *cltv_expiry_height,
+														multipath_trampoline_data: None,
+														trampoline_packet: onion_packet.clone(),
+													},
+													Some(blinding_point) => msgs::OutboundOnionPayload::BlindedTrampolineEntrypoint {
+														amt_to_forward: *sender_intended_htlc_amt_msat,
+														outgoing_cltv_value: *cltv_expiry_height,
+														multipath_trampoline_data: None,
+														trampoline_packet: onion_packet.clone(),
+														current_path_key: blinding_point,
+													}
+												};
+											}
+											_ => {
+												unreachable!("Last element must always initially be of type Receive.");
+											}
+										}
+									}
+
+									let outer_session_priv = SecretKey::from_slice(&self.entropy_source.get_secure_random_bytes()).unwrap();
+									let onion_keys = onion_utils::construct_onion_keys(&self.secp_ctx, &path, &outer_session_priv).map_err(|_| {
+										APIError::InvalidRoute { err: "Pubkey along hop was maliciously selected".to_owned() }
+									}).unwrap();
+									let outer_onion_prng_seed = self.entropy_source.get_secure_random_bytes();
+									let onion_packet = onion_utils::construct_onion_packet(onion_payloads, onion_keys, outer_onion_prng_seed, &payment_hash).unwrap();
+
+									full_outgoing_amt_msat = htlc_msat;
+									full_outgoing_cltv = htlc_cltv;
+
+									onion_packet
+								};
+
+								// Forward the HTLC over the most appropriate channel with the corresponding peer,
+								// applying non-strict forwarding.
+								// The channel with the least amount of outbound liquidity will be used to maximize the
+								// probability of being able to successfully forward a subsequent HTLC.
+								let maybe_optimal_channel = peer_state.channel_by_id.values_mut()
+									.filter_map(Channel::as_funded_mut)
+									.filter_map(|chan| {
+										let balances = chan.context.get_available_balances(&chan.funding, &self.fee_estimator);
+										if full_outgoing_amt_msat <= balances.next_outbound_htlc_limit_msat &&
+											full_outgoing_amt_msat >= balances.next_outbound_htlc_minimum_msat &&
+											chan.context.is_usable() {
+											Some((chan, balances))
+										} else {
+											None
+										}
+									})
+									.min_by_key(|(_, balances)| balances.next_outbound_htlc_limit_msat).map(|(c, _)| c);
+								let optimal_channel = match maybe_optimal_channel {
+									Some(chan) => chan,
+									None => {
+										// Fall back to the specified channel to return an appropriate error.
+										if let Some(chan) = peer_state.channel_by_id
+											.get_mut(&forward_chan_id)
+											.and_then(Channel::as_funded_mut)
+										{
+											chan
+										} else {
+											forwarding_channel_not_found!(core::iter::once(forward_info).chain(draining_pending_forwards));
+											break;
+										}
+									}
+								};
+
+								let logger = WithChannelContext::from(&self.logger, &optimal_channel.context, Some(payment_hash));
+								let channel_description = if optimal_channel.context.get_short_channel_id() == Some(short_chan_id) {
+									"specified"
+								} else {
+									"alternate"
+								};
+								log_trace!(logger, "Forwarding HTLC from SCID {} with payment_hash {} and next hop SCID {} over {} channel {} with corresponding peer {}",
+									prev_short_channel_id, &payment_hash, short_chan_id, channel_description, optimal_channel.context.channel_id(), &counterparty_node_id);
+								if let Err(e) = optimal_channel.queue_add_htlc(full_outgoing_amt_msat,
+									payment_hash, full_outgoing_cltv, htlc_source.clone(),
+									outer_onion_packet.clone(), skimmed_fee_msat, next_blinding_point, &self.fee_estimator,
+									&&logger)
+								{
+									if let ChannelError::Ignore(msg) = e {
+										log_trace!(logger, "Failed to forward HTLC with payment_hash {} to peer {}: {}", &payment_hash, &counterparty_node_id, msg);
+									} else {
+										panic!("Stated return value requirements in send_htlc() were not met");
+									}
+
+									if let Some(chan) = peer_state.channel_by_id
+										.get_mut(&forward_chan_id)
+										.and_then(Channel::as_funded_mut)
+									{
+										let failure_code = 0x1000|7;
+										let data = self.get_htlc_inbound_temp_fail_data(failure_code);
+										failed_forwards.push((htlc_source, payment_hash,
+											HTLCFailReason::reason(failure_code, data),
+											HTLCDestination::NextHopChannel { node_id: Some(chan.context.get_counterparty_node_id()), channel_id: forward_chan_id }
+										));
+									} else {
+										forwarding_channel_not_found!(core::iter::once(forward_info).chain(draining_pending_forwards));
+										break;
+									}
+								}
+								None
+							},
 							HTLCForwardInfo::AddHTLC { .. } => {
 								panic!("short_channel_id != 0 should imply any pending_forward entries are of type Forward");
 							},