Implement receiving and forwarding onion messages

This required adapting `onion_utils::decode_next_hop` to work for both payments
and onion messages.

Currently we just print out the path_id of any onion messages we receive. In
the future, these received onion messages will be redirected to their
respective handlers: i.e. an invoice_request will go to an InvoiceHandler,
custom onion messages will go to a custom handler, etc.

Author: valentinewallace

lightning/src/ln/channelmanager.rs

@@ -2150,7 +2150,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			}
 		}
 
-		let next_hop = match onion_utils::decode_next_hop(shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac, msg.payment_hash) {
+		let next_hop = match onion_utils::decode_next_payment_hop(shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac, msg.payment_hash) {
 			Ok(res) => res,
 			Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
 				return_malformed_err!(err_msg, err_code);
@@ -3049,7 +3049,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 												let phantom_secret_res = self.keys_manager.get_node_secret(Recipient::PhantomNode);
 												if phantom_secret_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id) {
 													let phantom_shared_secret = SharedSecret::new(&onion_packet.public_key.unwrap(), &phantom_secret_res.unwrap()).secret_bytes();
-													let next_hop = match onion_utils::decode_next_hop(phantom_shared_secret, &onion_packet.hop_data, onion_packet.hmac, payment_hash) {
+													let next_hop = match onion_utils::decode_next_payment_hop(phantom_shared_secret, &onion_packet.hop_data, onion_packet.hmac, payment_hash) {
 														Ok(res) => res,
 														Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
 															let sha256_of_onion = Sha256::hash(&onion_packet.hop_data).into_inner();

lightning/src/ln/onion_message.rs

@@ -14,13 +14,13 @@ use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::secp256k1::{self, PublicKey, Secp256k1, SecretKey};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 
-use chain::keysinterface::{InMemorySigner, KeysInterface, KeysManager, Sign};
+use chain::keysinterface::{InMemorySigner, KeysInterface, KeysManager, Recipient, Sign};
 use ln::msgs::{self, DecodeError, OnionMessageHandler};
 use ln::onion_utils;
-use util::chacha20poly1305rfc::ChaChaPolyWriteAdapter;
+use util::chacha20poly1305rfc::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
 use util::events::{MessageSendEvent, MessageSendEventsProvider};
 use util::logger::Logger;
-use util::ser::{Readable, ReadableArgs, VecWriter, Writeable, Writer};
+use util::ser::{FixedLengthReader, LengthReadableArgs, Readable, ReadableArgs, VecWriter, Writeable, Writer};
 
 use core::mem;
 use core::ops::Deref;
@@ -130,6 +130,41 @@ impl Writeable for (Payload, SharedSecret) {
 	}
 }
 
+/// Reads of `Payload`s are parameterized by the `rho` of a `SharedSecret`, which is used to decrypt
+/// the onion message payload's `encrypted_data` field.
+impl ReadableArgs<SharedSecret> for Payload {
+	fn read<R: Read>(mut r: &mut R, encrypted_tlvs_ss: SharedSecret) -> Result<Self, DecodeError> {
+		use bitcoin::consensus::encode::{Decodable, Error, VarInt};
+		let v: VarInt = Decodable::consensus_decode(&mut r)
+			.map_err(|e| match e {
+				Error::Io(ioe) => DecodeError::from(ioe),
+				_ => DecodeError::InvalidValue
+			})?;
+		if v.0 == 0 { // 0-length payload
+			return Err(DecodeError::InvalidValue)
+		}
+
+		let mut rd = FixedLengthReader::new(r, v.0);
+		// TODO: support reply paths
+		let mut _reply_path_bytes: Option<Vec<u8>> = Some(Vec::new());
+		let mut read_adapter: Option<ChaChaPolyReadAdapter<ControlTlvs>> = None;
+		let (rho, _) = onion_utils::gen_rho_mu_from_shared_secret(&encrypted_tlvs_ss.secret_bytes());
+		decode_tlv_stream!(&mut rd, {
+			(2, _reply_path_bytes, vec_type),
+			(4, read_adapter, (option: LengthReadableArgs, rho))
+		});
+		rd.eat_remaining().map_err(|_| DecodeError::ShortRead)?;
+
+		if read_adapter.is_none() {
+			return Err(DecodeError::InvalidValue)
+		}
+
+		Ok(Payload {
+			encrypted_tlvs: EncryptedTlvs::Unblinded(read_adapter.unwrap().readable),
+		})
+	}
+}
+
 /// Onion messages contain an encrypted TLV stream. This can be supplied by someone else, in the
 /// case that we're sending to a blinded route, or created by us if we're constructing payloads for
 /// unblinded hops in the onion message's path.
@@ -388,7 +423,93 @@ impl<Signer: Sign, K: Deref, L: Deref> OnionMessageHandler for OnionMessenger<Si
 	where K::Target: KeysInterface<Signer = Signer>,
 				L::Target: Logger,
 {
-	fn handle_onion_message(&self, _peer_node_id: &PublicKey, msg: &msgs::OnionMessage) {}
+	fn handle_onion_message(&self, _peer_node_id: &PublicKey, msg: &msgs::OnionMessage) {
+		let node_secret = match self.keys_manager.get_node_secret(Recipient::Node) {
+			Ok(secret) => secret,
+			Err(e) => {
+				log_trace!(self.logger, "Failed to retrieve node secret: {:?}", e);
+				return
+			}
+		};
+		let encrypted_data_ss = SharedSecret::new(&msg.blinding_point, &node_secret);
+		let onion_decode_shared_secret = {
+			let blinding_factor = {
+				let mut hmac = HmacEngine::<Sha256>::new(b"blinded_node_id");
+				hmac.input(encrypted_data_ss.as_ref());
+				Hmac::from_engine(hmac).into_inner()
+			};
+			let mut blinded_priv = node_secret.clone();
+			if let Err(e) = blinded_priv.mul_assign(&blinding_factor) {
+				log_trace!(self.logger, "Failed to compute blinded public key: {}", e);
+				return
+			}
+			if let Err(_) = msg.onion_routing_packet.public_key {
+				log_trace!(self.logger, "Failed to accept/forward incoming onion message: invalid ephemeral pubkey");
+				return
+			}
+			SharedSecret::new(&msg.onion_routing_packet.public_key.unwrap(), &blinded_priv).secret_bytes()
+		};
+		match onion_utils::decode_next_message_hop(onion_decode_shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac, encrypted_data_ss) {
+			Ok(onion_utils::MessageHop::Receive(Payload {
+				encrypted_tlvs: EncryptedTlvs::Unblinded(ControlTlvs::Receive { path_id })
+			})) => {
+				log_info!(self.logger, "Received an onion message with path_id: {:02x?}", path_id);
+			},
+			Ok(onion_utils::MessageHop::Forward {
+				next_hop_data: Payload {
+					encrypted_tlvs: EncryptedTlvs::Unblinded(ControlTlvs::Receive { path_id }),
+				}, .. }) => {
+				// We received an onion message that had fake extra hops at the end of its blinded route.
+				// TODO support adding extra hops to blinded routes and test this case
+				log_info!(self.logger, "Received an onion message with path_id: {:02x?}", path_id);
+			},
+			Ok(onion_utils::MessageHop::Forward {
+				next_hop_data: Payload {
+					encrypted_tlvs: EncryptedTlvs::Unblinded(ControlTlvs::Forward { next_node_id, next_blinding_override }),
+				},
+				next_hop_hmac, new_packet_bytes
+			}) => {
+				let new_pubkey = msg.onion_routing_packet.public_key.unwrap();
+				let outgoing_packet = Packet {
+					version: 0,
+					public_key: onion_utils::next_hop_packet_pubkey(&self.secp_ctx, new_pubkey, &onion_decode_shared_secret),
+					hop_data: new_packet_bytes.to_vec(),
+					hmac: next_hop_hmac.clone(),
+				};
+
+				let mut pending_msg_events = self.pending_msg_events.lock().unwrap();
+				pending_msg_events.push(MessageSendEvent::SendOnionMessage {
+					node_id: next_node_id,
+					msg: msgs::OnionMessage {
+						blinding_point: match next_blinding_override {
+							Some(blinding_point) => blinding_point,
+							None => {
+								let blinding_factor = {
+									let mut sha = Sha256::engine();
+									sha.input(&msg.blinding_point.serialize()[..]);
+									sha.input(encrypted_data_ss.as_ref());
+									Sha256::from_engine(sha).into_inner()
+								};
+								let mut next_blinding_point = msg.blinding_point.clone();
+								if let Err(e) = next_blinding_point.mul_assign(&self.secp_ctx, &blinding_factor[..]) {
+									log_trace!(self.logger, "Failed to compute next blinding point: {}", e);
+									return
+								}
+								next_blinding_point
+							},
+						},
+						len: outgoing_packet.len(),
+						onion_routing_packet: outgoing_packet,
+					},
+				});
+			},
+			Err(e) => {
+				log_trace!(self.logger, "Errored decoding onion message packet: {:?}", e);
+			},
+			_ => {} // Unreachable unless someone encodes a `Forward` payload as the final payload, which
+			        // is bogus and should be fine to drop
+		};
+	}
 }
 
 impl<Signer: Sign, K: Deref, L: Deref> MessageSendEventsProvider for OnionMessenger<Signer, K, L>

lightning/src/ln/onion_utils.rs

@@ -16,7 +16,7 @@ use routing::gossip::NetworkUpdate;
 use routing::router::RouteHop;
 use util::chacha20::{ChaCha20, ChaChaReader};
 use util::errors::{self, APIError};
-use util::ser::{Readable, Writeable, LengthCalculatingWriter};
+use util::ser::{Readable, ReadableArgs, Writeable, LengthCalculatingWriter};
 use util::logger::Logger;
 
 use bitcoin::hashes::{Hash, HashEngine};
@@ -632,7 +632,37 @@ pub(super) fn process_onion_failure<T: secp256k1::Signing, L: Deref>(secp_ctx: &
 	} else { unreachable!(); }
 }
 
-/// Data decrypted from the onion payload.
+/// Used in the decoding of inbound payments' and onion messages' routing packets. This enum allows
+/// us to use `decode_next_hop` to return the payloads and next hop packet bytes of both payments
+/// and onion messages.
+enum Payload {
+	/// This payload was for an incoming payment.
+	Payment(msgs::OnionHopData),
+	/// This payload was for an incoming onion message.
+	Message(onion_message::Payload),
+}
+
+enum NextPacketBytes {
+	Payment([u8; 20*65]),
+	Message(Vec<u8>),
+}
+
+/// Data decrypted from an onion message's onion payload.
+pub(crate) enum MessageHop {
+	/// This onion payload was for us, not for forwarding to a next-hop.
+	Receive(onion_message::Payload),
+	/// This onion payload needs to be forwarded to a next-hop.
+	Forward {
+		/// Onion payload data used in forwarding the onion message.
+		next_hop_data: onion_message::Payload,
+		/// HMAC of the next hop's onion packet.
+		next_hop_hmac: [u8; 32],
+		/// Bytes of the onion packet we're forwarding.
+		new_packet_bytes: Vec<u8>,
+	},
+}
+
+/// Data decrypted from a payment's onion payload.
 pub(crate) enum Hop {
 	/// This onion payload was for us, not for forwarding to a next-hop. Contains information for
 	/// verifying the incoming payment.
@@ -649,6 +679,7 @@ pub(crate) enum Hop {
 }
 
 /// Error returned when we fail to decode the onion packet.
+#[derive(Debug)]
 pub(crate) enum OnionDecodeErr {
 	/// The HMAC of the onion packet did not match the hop data.
 	Malformed {
@@ -662,11 +693,44 @@ pub(crate) enum OnionDecodeErr {
 	},
 }
 
-pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: PaymentHash) -> Result<Hop, OnionDecodeErr> {
+pub(crate) fn decode_next_message_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], encrypted_tlvs_ss: SharedSecret) -> Result<MessageHop, OnionDecodeErr> {
+	match decode_next_hop(shared_secret, hop_data, hmac_bytes, None, Some(encrypted_tlvs_ss)) {
+		Ok((Payload::Message(next_hop_data), None)) => Ok(MessageHop::Receive(next_hop_data)),
+		Ok((Payload::Message(next_hop_data), Some((next_hop_hmac, NextPacketBytes::Message(new_packet_bytes))))) => {
+			Ok(MessageHop::Forward {
+				next_hop_data,
+				next_hop_hmac,
+				new_packet_bytes
+			})
+		},
+		Err(e) => Err(e),
+		_ => unreachable!()
+	}
+}
+
+pub(crate) fn decode_next_payment_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: PaymentHash) -> Result<Hop, OnionDecodeErr> {
+	match decode_next_hop(shared_secret, hop_data, hmac_bytes, Some(payment_hash), None) {
+		Ok((Payload::Payment(next_hop_data), None)) => Ok(Hop::Receive(next_hop_data)),
+		Ok((Payload::Payment(next_hop_data), Some((next_hop_hmac, NextPacketBytes::Payment(new_packet_bytes))))) => {
+			Ok(Hop::Forward {
+				next_hop_data,
+				next_hop_hmac,
+				new_packet_bytes
+			})
+		},
+		Err(e) => Err(e),
+		_ => unreachable!()
+	}
+}
+
+fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: Option<PaymentHash>, encrypted_tlv_ss: Option<SharedSecret>) -> Result<(Payload, Option<([u8; 32], NextPacketBytes)>), OnionDecodeErr> {
+	assert!(payment_hash.is_some() && encrypted_tlv_ss.is_none() || payment_hash.is_none() && encrypted_tlv_ss.is_some());
 	let (rho, mu) = gen_rho_mu_from_shared_secret(&shared_secret);
 	let mut hmac = HmacEngine::<Sha256>::new(&mu);
 	hmac.input(hop_data);
-	hmac.input(&payment_hash.0[..]);
+	if let Some(payment_hash) = payment_hash {
+		hmac.input(&payment_hash.0[..]);
+	}
 	if !fixed_time_eq(&Hmac::from_engine(hmac).into_inner(), &hmac_bytes) {
 		return Err(OnionDecodeErr::Malformed {
 			err_msg: "HMAC Check failed",
@@ -676,7 +740,20 @@ pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_byt
 
 	let mut chacha = ChaCha20::new(&rho, &[0u8; 8]);
 	let mut chacha_stream = ChaChaReader { chacha: &mut chacha, read: Cursor::new(&hop_data[..]) };
-	match <msgs::OnionHopData as Readable>::read(&mut chacha_stream) {
+	let payload_read_res = if payment_hash.is_some() {
+		match <msgs::OnionHopData as Readable>::read(&mut chacha_stream) {
+			Ok(payload) => Ok(Payload::Payment(payload)),
+			Err(e) => Err(e)
+		}
+	} else if encrypted_tlv_ss.is_some() {
+		match <onion_message::Payload as ReadableArgs<SharedSecret>>::read(&mut chacha_stream, encrypted_tlv_ss.unwrap()) {
+			Ok(payload) => Ok(Payload::Message(payload)),
+			Err(e) => Err(e)
+		}
+	} else {
+		unreachable!(); // We already asserted that one of these is `Some`
+	};
+	match payload_read_res {
 		Err(err) => {
 			let error_code = match err {
 				msgs::DecodeError::UnknownVersion => 0x4000 | 1, // unknown realm byte
@@ -714,10 +791,17 @@ pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_byt
 					chacha_stream.read_exact(&mut next_bytes).unwrap();
 					assert_ne!(next_bytes[..], [0; 32][..]);
 				}
-				return Ok(Hop::Receive(msg));
+				return Ok((msg, None));
 			} else {
-				let mut new_packet_bytes = [0; 20*65];
-				let read_pos = chacha_stream.read(&mut new_packet_bytes).unwrap();
+				let (mut new_packet_bytes, read_pos) = if payment_hash.is_some() {
+					let mut new_packet_bytes = [0 as u8; 20*65];
+					let read_pos = chacha_stream.read(&mut new_packet_bytes).unwrap();
+					(NextPacketBytes::Payment(new_packet_bytes), read_pos)
+				} else {
+					let mut new_packet_bytes = vec![0 as u8; hop_data.len()];
+					let read_pos = chacha_stream.read(&mut new_packet_bytes).unwrap();
+					(NextPacketBytes::Message(new_packet_bytes), read_pos)
+				};
 				#[cfg(debug_assertions)]
 				{
 					// Check two things:
@@ -729,12 +813,11 @@ pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_byt
 				}
 				// Once we've emptied the set of bytes our peer gave us, encrypt 0 bytes until we
 				// fill the onion hop data we'll forward to our next-hop peer.
-				chacha_stream.chacha.process_in_place(&mut new_packet_bytes[read_pos..]);
-				return Ok(Hop::Forward {
-					next_hop_data: msg,
-					next_hop_hmac: hmac,
-					new_packet_bytes,
-				})
+				match new_packet_bytes {
+					NextPacketBytes::Payment(ref mut bytes) => chacha_stream.chacha.process_in_place(&mut bytes[read_pos..]),
+					NextPacketBytes::Message(ref mut bytes) => chacha_stream.chacha.process_in_place(&mut bytes[read_pos..]),
+				}
+				return Ok((msg, Some((hmac, new_packet_bytes))))
 			}
 		},
 	}